Devo
Integration version: 8.0
Product Permission
Devo provides several authentication methods, described in the Security credentials document available within the Devo documentation.
The Google Security Operations SOAR integration supports authentication with either an authentication token or an access key pair (API key and API secret).
Token-based authentication is recommended:
- Go to the Authentication tokens document available within the Devo documentation.
- Follow the steps to create a token; at step 3, select Query data using REST API.
- At step 4, for the target table, specify "siem.logtrust.alert.info".
- Finish the creation process according to the documentation to obtain the token. The token is scoped to the table chosen at step 4, so it can only query that table; a token scoped elsewhere is rejected by the integration even though it is valid.
API
For more information on the API, see the API reference document available within the Devo documentation.
Configure Devo integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
API URL | String | https://apiv2-us.devo.com | Yes | Specify API root for the target Devo instance. |
API Token | Password | N/A | No | If a token-based authentication is used, specify the API token for the target Devo instance. If both Token and Access Keys are provided, integration works on API token and ignores Access Keys. |
API Key | Password | N/A | No | If an access keys authentication is used, specify the API key for the target Devo instance. |
API Secret | Password | N/A | No | If an access keys authentication is used, specify the API secret for the target Devo instance. |
Verify SSL | Checkbox | Checked | No | If enabled, the Google Security Operations SOAR server verifies the TLS certificate presented by the API root. |
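The following is an added example, not code from the Google Security Operations or Devo documentation, showing how the two credential types above map onto an HTTP request to the Devo Query API and how the precedence rule in the parameter table (a token is used and access keys are ignored when both are present) is applied. The endpoint path `/search/query` and the access-key signing scheme (HMAC-SHA256 over API key + request body + millisecond timestamp, sent in the `x-logtrust-apikey`, `x-logtrust-timestamp` and `x-logtrust-sign` headers) follow the open-source Devo Python SDK as far as I know it and are assumptions here; the credentials are constructed placeholders. The code only builds the request and sends nothing, so it runs offline.

```python
import hashlib
import hmac
import json
import time

# Constructed placeholders for this example; not real Devo values or credentials.
API_URL = "https://apiv2-us.devo.com"
QUERY_PATH = "/search/query"  # assumption: Query API endpoint used by the Devo Python SDK


def build_query_body(query, from_ms, to_ms, limit):
    """Serialise the Query API request. Compact separators keep the bytes stable,
    which matters because the access-key signature is computed over them."""
    body = {
        "query": query,
        "from": from_ms,
        "to": to_ms,
        "mode": {"type": "json"},
        "limit": limit,
    }
    return json.dumps(body, separators=(",", ":"))


def sign_with_access_keys(api_key, api_secret, body, timestamp_ms):
    """HMAC-SHA256(secret, key + body + timestamp) as a hex digest (assumed SDK scheme).
    The secret itself never goes on the wire; only this signature does."""
    message = f"{api_key}{body}{timestamp_ms}".encode("utf-8")
    return hmac.new(api_secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def build_auth_headers(body, api_token=None, api_key=None, api_secret=None, timestamp_ms=None):
    """Apply the integration's precedence rule: a token is used when present and
    access keys are ignored; otherwise both API key and API secret are required."""
    headers = {"Content-Type": "application/json"}
    if api_token:
        # Bearer tokens travel verbatim on every request, so scope them to one table.
        headers["Authorization"] = f"Bearer {api_token}"
        return headers
    if api_key and api_secret:
        ts = int(time.time() * 1000) if timestamp_ms is None else timestamp_ms
        headers["x-logtrust-apikey"] = api_key
        headers["x-logtrust-timestamp"] = str(ts)
        headers["x-logtrust-sign"] = sign_with_access_keys(api_key, api_secret, body, ts)
        return headers
    raise ValueError("Provide either API Token, or both API Key and API Secret")


def build_query_request(query, from_ms, to_ms, limit=50, **credentials):
    """Return (url, headers, body) for a Query API call; nothing is sent."""
    body = build_query_body(query, from_ms, to_ms, limit)
    return API_URL + QUERY_PATH, build_auth_headers(body, **credentials), body


if __name__ == "__main__":
    url, headers, body = build_query_request(
        "from siem.logtrust.alert.info", 1628137122000, 1628140722000,
        api_key="EXAMPLE_KEY", api_secret="EXAMPLE_SECRET", timestamp_ms=1628140722000)
    print(url)
    print(headers)
    print(body)
```

With access keys the secret stays on the SOAR host and each request carries a fresh signature, whereas a bearer token is replayed as-is on every call; that difference is the practical reason to scope a token to the single table the integration needs and to rotate it if the SOAR configuration is ever exposed.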
Use Cases
- Devo can be used as a source of alerts for Google Security Operations SOAR to process.
- Devo can be queried from Google Security Operations SOAR to enrich Google Security Operations SOAR alert context.
Actions
Ping
Description
Test connectivity to the Devo instance with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
If "siem.logtrust.alert.info" is not granted for the generated access token, the Ping action fails even if the token is valid. For more information, see the Product Permission section.
Parameters
N/A
Use Case
The action is used to test connectivity at the integration configuration page in the Google Security Operations Marketplace tab. It can be run as a manual action and is not meant for use in playbooks.
Run On
The action doesn't run on entities, nor does it have mandatory input parameters.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success=False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Devo instance with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Devo server! Error is {0}".format(exception.stacktrace) | General |
Advanced Query
Description
Execute an advanced query based on the provided parameters. This action doesn't run on Google Security Operations SOAR entities. To query a table other than siem.logtrust.alert.info, create an additional token for that table following the Authentication tokens document available within the Devo documentation and specify it on the integration configuration page.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Query | String | N/A | Yes | Specify a query to execute against Devo instance. Example: "from siem.logtrust.alert.info". |
Time Frame | DDL | Last Hour | No | Specify a time frame for the results. Possible values: Last Hour, Last 6 Hours, Last 24 Hours, Last Week, Last Month, Custom. If "Custom" is selected, you also need to provide the "Start Time" parameter. |
Start Time | String | N/A | No | Specify the start time for the query. This parameter is mandatory, if "Custom" is selected for the "Time Frame" parameter. Format: ISO 8601 Example: 2021-08-05T05:18:42Z |
End Time | String | N/A | No | Specify the end time for the query. If nothing is provided and "Custom" is selected for the "Time Frame" parameter then this parameter uses current time. Format: ISO 8601 Example: 2021-08-05T05:18:42Z |
Max Rows to Return | Integer | 50 | No | Specify the maximum number of rows the action should return. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success=False |
JSON Result
{
"msg": "",
"timestamp": 1630483519438,
"cid": "01a5d92a25ba",
"status": 0,
"object": [
{
"eventdate": 1619452643049,
"alertHost": "backoffice",
"domain": "siemplify",
"priority": 7.0,
"context": "my.alert.siemplify.500",
"category": "my.context",
"status": 0,
"alertId": "22797077",
"srcIp": null,
"srcPort": null,
"srcHost": "",
"dstIp": null,
"dstPort": null,
"dstHost": "",
"protocol": "",
"username": "user@siemplify.co",
"application": "",
"engine": "pil01-pro-custom-us-aws",
"extraData": "{\"count\":\"13\",\"eventdate\":\"2021-04-26+15%3A56%3A30.0\"}"
}
]
}
Entity Enrichment
N/A
Insights
N/A
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If found at least some data (is_success=true): "Successfully retrieved results for the provided query in Devo." If no results are found (is_success=false): "No results found for the provided query in Devo." The action should fail and stop a playbook execution: If errors are reported in the query: "Error executing action "Advanced Search". Reason: {message}''.format(error.Stacktrace) If the "Start Time" parameter is empty and the "Time Frame" parameter is set to "Custom" (fail): "Error executing action "". Reason: "Start Time" should be provided, when "Custom" is selected in the "Time Frame" parameter." If the value of the "Start Time" parameter is greater than the value of the "End Time" parameter (fail): "Error executing action "". Reason: "End Time" should be later than "Start Time". If a negative value or 0 is set for the "Max Rows to Return" parameter: "Error executing action "". Reason: "Max Rows to Return" should be positive, non-zero number." If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Advanced Query". Reason: {0}''.format(error.Stacktrace) | General |
Table | Table Name: Advanced Query Results Table Columns: All of the columns returned from the response. | General |
Simple Query
Description
Execute a simple query based on the provided parameters. This action doesn't run on Google Security Operations SOAR entities. To query a table other than siem.logtrust.alert.info, create an additional token for that table following the Authentication tokens document available within the Devo documentation and specify it on the integration configuration page.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Table Name | String | siem.logtrust.alert.info | Yes | Specify the table that should be queried. |
Fields To Return | CSV | N/A | No | Specify the fields to return. If nothing is provided, the action returns all fields. |
Where Filter | String | N/A | No | Specify the Where filter for the query that needs to be executed. |
Time Frame | DDL | Last Hour | No | Specify a time frame for the results. Possible values: Last Hour, Last 6 Hours, Last 24 Hours, Last Week, Last Month, Custom. If "Custom" is selected, you also need to provide the "Start Time" parameter. |
Start Time | String | N/A | No | Specify the start time for the query. This parameter is mandatory, if "Custom" is selected for the "Time Frame" parameter. Format: ISO 8601 Example: 2021-08-05T05:18:42Z |
End Time | String | N/A | No | Specify the end time for the query. If nothing is provided and "Custom" is selected for the "Time Frame" parameter then this parameter uses current time. Format: ISO 8601 Example: 2021-08-05T05:18:42Z |
Max Rows to Return | Integer | 50 | No | Specify the maximum number of rows the action should return. |
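The following is an added example and not the integration's own code. It shows how the Time Frame, Start Time, End Time and Max Rows to Return parameters shared by the Advanced Query and Simple Query actions resolve to an epoch-millisecond query window, raising the same conditions each action's Case Wall lists as failures, and how Simple Query's Table Name, Fields To Return and Where Filter assemble into one query. The `from ... where ... select ...` query form and the 30-day "Last Month" window are assumptions; the shipped action may build its query differently.

```python
from datetime import datetime, timedelta, timezone

# Fixed windows for the "Time Frame" drop-down. Treating "Last Month" as 30 days is an assumption.
TIME_FRAMES = {
    "Last Hour": timedelta(hours=1),
    "Last 6 Hours": timedelta(hours=6),
    "Last 24 Hours": timedelta(hours=24),
    "Last Week": timedelta(weeks=1),
    "Last Month": timedelta(days=30),
}


def parse_iso8601(value):
    """Parse the ISO 8601 form given in the parameter table (2021-08-05T05:18:42Z) as UTC."""
    return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_time_window(time_frame, start_time=None, end_time=None, now=None):
    """Turn Time Frame / Start Time / End Time into (from_ms, to_ms), raising the
    errors the actions report: missing Start Time for Custom, End Time not after Start Time."""
    now = now or datetime.now(timezone.utc)
    if time_frame == "Custom":
        if not start_time:
            raise ValueError('"Start Time" should be provided, when "Custom" is selected '
                             'in the "Time Frame" parameter.')
        start = parse_iso8601(start_time)
        end = parse_iso8601(end_time) if end_time else now   # End Time defaults to now
    elif time_frame in TIME_FRAMES:
        end = now
        start = now - TIME_FRAMES[time_frame]
    else:
        raise ValueError(f'Unknown "Time Frame" value: {time_frame}')
    if end <= start:
        raise ValueError('"End Time" should be later than "Start Time".')
    return round(start.timestamp() * 1000), round(end.timestamp() * 1000)


def validate_max_rows(max_rows):
    """Max Rows to Return must be a positive, non-zero number."""
    if max_rows <= 0:
        raise ValueError('"Max Rows to Return" should be positive, non-zero number.')
    return max_rows


def build_simple_query(table_name, fields_to_return="", where_filter=""):
    """Assemble the query Simple Query constructs from Table Name, Fields To Return
    and Where Filter (assumed form: from <table> where <filter> select <fields>)."""
    table = table_name.strip()
    if not table or any(c.isspace() for c in table):
        raise ValueError('"Table Name" must be a single table identifier')
    query = f"from {table}"
    if where_filter and where_filter.strip():
        # The filter is inserted verbatim, as the parameter description implies; a filter
        # built from playbook placeholders can reshape the query, so treat it as untrusted.
        query += f" where {where_filter.strip()}"
    fields = [f.strip() for f in fields_to_return.split(",") if f.strip()]
    if fields:
        query += " select " + ", ".join(fields)
    return query


def build_advanced_query_request(query, time_frame, start_time=None, end_time=None,
                                 max_rows=50, now=None):
    """Everything the Advanced Query action validates before calling the API."""
    from_ms, to_ms = resolve_time_window(time_frame, start_time, end_time, now)
    return {"query": query.strip(), "from": from_ms, "to": to_ms,
            "limit": validate_max_rows(max_rows)}


if __name__ == "__main__":
    print(build_simple_query("siem.logtrust.alert.info", "alertId, context", "priority >= 6"))
    print(build_advanced_query_request("from siem.logtrust.alert.info", "Custom",
                                       "2021-08-05T05:18:42Z", "2021-08-05T06:00:00Z"))
```

Validating the window and row limit locally before the request is cheap and gives the playbook a clear failure reason instead of an opaque API error; the Where Filter, by contrast, cannot be validated generically and is the one input worth constraining at the playbook level.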
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success=False |
JSON Result
{
"msg": "",
"timestamp": 1630483519438,
"cid": "01a5d92a25ba",
"status": 0,
"object": [
{
"eventdate": 1619452643049,
"alertHost": "backoffice",
"domain": "siemplify",
"priority": 7.0,
"context": "my.alert.siemplify.500",
"category": "my.context",
"status": 0,
"alertId": "22797077",
"srcIp": null,
"srcPort": null,
"srcHost": "",
"dstIp": null,
"dstPort": null,
"dstHost": "",
"protocol": "",
"username": "user@siemplify.co",
"application": "",
"engine": "pil01-pro-custom-us-aws",
"extraData": "{\"count\":\"13\",\"eventdate\":\"2021-04-26+15%3A56%3A30.0\"}"
}
]
}
Entity Enrichment
N/A
Insights
N/A
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If found at least some data (is_success=true): "Successfully retrieved results for the query: "{constructed query}" in Devo." If no results are found (is_success=false): "No results found for the query {constructed query} in Devo". The action should fail and stop a playbook execution: If errors are reported in the query: "Error executing action "Simple Search". Reason: {message}''.format(error.Stacktrace) If the "Start Time" parameter is empty and the "Time Frame" parameter is set to "Custom" (fail): "Error executing action "". Reason: "Start Time" should be provided, when "Custom" is selected in the "Time Frame" parameter." If the value of the "Start Time" parameter is greater than the value of the "End Time" parameter (fail): "Error executing action "". Reason: "End Time" should be later than "Start Time". If a negative value or 0 is set for the "Max Rows to Return" parameter: "Error executing action "". Reason: "Max Rows to Return" should be positive, non-zero number." If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Simple Query". Reason: {0}''.format(error.Stacktrace) | General |
Table | Table Name: Simple Query Results Table Columns: All of the columns returned from the response. | General |
Connectors
Devo Alerts Connector
Description
The connector fetches alert records from the siem.logtrust.alert.info table in Devo. Use the connector whitelist to ingest only specific alert types, matched on the alert context value.
Configure Devo Alerts Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Product Field Name | String | Devo | Yes | Enter the source field name in order to retrieve the Product Field name. |
Event Field Name | String | "context" | Yes | Enter the source field name in order to retrieve the Event Field name. |
Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field through regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
API URL | String | https://apiv2-us.devo.com | Yes | Specify API URL for the target Devo instance. |
API Token | Password | N/A | No | If a token-based authentication is used, specify the API token for the target Devo instance. |
API Key | Password | N/A | No | If an access keys authentication is used, specify the API key for the target Devo instance. |
API Secret | Password | N/A | No | If an access keys authentication is used, specify the API secret for the target Devo instance. |
Verify SSL | Checkbox | Checked | No | If enabled, Google Security Operations SOAR server checks the certificate configured for API root. |
Offset time in hours | Integer | 24 | Yes | Fetch alerts from the last X hours. |
Max Alerts Per Cycle | Integer | 30 | Yes | Number of alerts that should be processed during one connector run. |
Minimum Priority to Fetch | String | Normal | Yes | Minimum priority of an alert for it to be ingested into Google Security Operations SOAR, for example, Low or High. Possible Values: Very Low, Low, Normal, High, Very High |
Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, the whitelist is used as a blacklist: alerts whose context value is listed are skipped instead of ingested. |
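The following is an added example, not the connector's own code, showing how the connector parameters above (Offset time in hours, Max Alerts Per Cycle, Minimum Priority to Fetch, the whitelist and its blacklist toggle) would be applied to a batch of records from siem.logtrust.alert.info, and how the `extraData` string seen in the Simple Query result above is decoded. The mapping of the five priority names onto the numeric `priority` column (Very Low from 0, Low from 2, Normal from 4, High from 6, Very High from 8) is an assumption made here because the page gives only the names and one sample value of 7.0; the sample batch is constructed, with its first record copied from the JSON result shown earlier.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

ALERT_TABLE = "siem.logtrust.alert.info"

# ASSUMPTION: floors for the connector's priority names on the numeric priority column.
PRIORITY_FLOOR = {"Very Low": 0.0, "Low": 2.0, "Normal": 4.0, "High": 6.0, "Very High": 8.0}


def priority_name(value):
    """Highest label whose floor the numeric priority reaches (dict order is ascending)."""
    name = "Very Low"
    for label, floor in PRIORITY_FLOOR.items():
        if value >= floor:
            name = label
    return name


def parse_extra_data(raw):
    """extraData is a JSON string whose values are URL-encoded (see the sample record)."""
    return {k: unquote_plus(v) if isinstance(v, str) else v for k, v in json.loads(raw).items()}


def build_connector_query(minimum_priority, offset_hours, now):
    """Push the priority floor and the time window to the server rather than fetching everything."""
    start_ms = round((now - timedelta(hours=offset_hours)).timestamp() * 1000)
    return (f"from {ALERT_TABLE} where priority >= {PRIORITY_FLOOR[minimum_priority]}",
            start_ms, round(now.timestamp() * 1000))


def select_alerts(alerts, minimum_priority, whitelist, use_whitelist_as_blacklist,
                  offset_hours, max_alerts, now):
    """Apply the connector parameters to a batch of alert records, oldest first."""
    floor = PRIORITY_FLOOR[minimum_priority]
    oldest_ms = round((now - timedelta(hours=offset_hours)).timestamp() * 1000)
    selected = []
    for alert in sorted(alerts, key=lambda a: a["eventdate"]):
        if alert["eventdate"] < oldest_ms or alert["priority"] < floor:
            continue
        if whitelist:
            listed = alert["context"] in whitelist
            # whitelist mode skips unlisted contexts; blacklist mode skips listed ones
            if listed == use_whitelist_as_blacklist:
                continue
        selected.append(alert)
        if len(selected) >= max_alerts:   # Max Alerts Per Cycle
            break
    return selected


# Constructed sample batch: the first record is the one in the JSON result shown earlier,
# the others are invented to exercise each filter. NOW is one hour after the first record.
NOW = datetime.fromtimestamp(1619456243049 / 1000, tz=timezone.utc)
SAMPLE_ALERTS = [
    {"alertId": "22797077", "eventdate": 1619452643049, "priority": 7.0,
     "context": "my.alert.siemplify.500",
     "extraData": "{\"count\":\"13\",\"eventdate\":\"2021-04-26+15%3A56%3A30.0\"}"},
    {"alertId": "22797078", "eventdate": 1619449043049, "priority": 3.0,   # too low for Normal
     "context": "my.alert.siemplify.404", "extraData": "{}"},
    {"alertId": "22797079", "eventdate": 1619283443049, "priority": 9.0,   # older than 24 h
     "context": "my.alert.siemplify.500", "extraData": "{}"},
    {"alertId": "22797080", "eventdate": 1619454443049, "priority": 5.0,
     "context": "my.alert.siemplify.404", "extraData": "{}"},
]

if __name__ == "__main__":
    for alert in select_alerts(SAMPLE_ALERTS, "Normal", [], False, 24, 30, NOW):
        print(alert["alertId"], priority_name(alert["priority"]), parse_extra_data(alert["extraData"]))
```

Processing oldest-first and stopping at Max Alerts Per Cycle matters when the offset window holds more alerts than one cycle can take: the connector then drains the backlog in order rather than repeatedly picking the newest records and silently dropping the rest.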
Connector Rules
Proxy Support
The connector supports a proxy.