Devo
App Vendor: Devo
App Category: Analytics & SIEM
Connector Version: 1.2.1
API Version: 1.0.0
About App
Devo is a cloud-native logging and security analytics solution that delivers real-time visibility for security and operations teams. The Devo app is designed to give security analysts data access across the enterprise: they can run queries on Devo tables and retrieve, create, and delete alert definitions.
The Devo app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Run Query | This action runs a query against the Devo tables. You can use the query code editor in the data search tab for assistance in writing queries. |
Get Alert Definitions | This action retrieves all alert definitions and filters them based on user criteria. |
Create Alert Definition | This action creates an alert definition. |
Delete Alert Definition | This action deletes an alert definition. |
Close Investigation | This action closes an investigation on Devo. |
Update Alert Status | This action updates the status of an alert. |
Get Alerts List | This action retrieves a list of triggered alerts in your domain. |
Get Alert Details | This action retrieves the details of an alert. |
List Jobs | This action retrieves the currently running jobs (queries) with their status. |
Get Query Status | This action retrieves the current status of a query. |
Stop Query Job | This action stops a currently running job (query). |
Restart Query Job | This action restarts a job (query) that was previously stopped. |
Generic Action | This is a generic action to perform any additional use case on Devo. |
Configuration Parameters
The following configuration parameters are required for the Devo app to communicate with the Devo enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Token | Enter the Oauth token. | Text | Required | The token can be retrieved from Devo > Admin > Credentials > Authentication token. |
Region | Enter the region for your Devo instance. Example: US | Text | Required | Allowed values: US, EU, SPAIN, VDC, GOV |
Action: Run Query
This action runs a query against the Devo tables. You can use the query code editor in the data search tab for assistance in writing queries.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter a query to execute. Example: "from demo.ecommerce.data" | Text | Required | |
From Epoch | Enter an epoch date or relative time. Example: "today", "1635173552" or "2h" | Text | Required | |
To Epoch | Enter an epoch date or relative time. Example: "today", "1635173552" or "2h" | Text | Optional | |
Limit | Enter the maximum number of results to return. Example: 100 | Integer | Optional | Default value: 100 |
Offset | Enter the number of results to skip, which is usually used for pagination. Example: 0 | Integer | Optional | Default value: 0 |
Example Request
[ { "limit": 10, "query": "from demo.ecommerce.data", "from_epoch": "1635173552" } ]
Action: Get Alert Definitions
This action retrieves all the alert definitions and filters them based on the specified user criteria.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name filter | Enter a name filter. Only alert definitions whose names contain the specified term are returned. The filter is case insensitive. Example: "security" | Text | Optional | |
ID filter | Enter an alert definition ID to retrieve only that specific alert definition. Example: 1098 | Integer | Optional | The ID is returned by the Create Alert Definition action. |
Page | Enter the page of results to return. Example: 1 | Integer | Optional | Default value: 0 |
Size | Enter the maximum number of results to return. Example: 100 | Integer | Optional | Default value: 100 |
Example Request
[ { "size": 100, "name_filter": "security" } ]
Action: Create Alert Definition
This action creates an alert definition.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the name of the alert. Example: "Test Alert from Orchestrate" | Text | Required | |
Message | Enter a short message to identify the alert condition. Example: "Test Alerts" | Text | Required | |
Description | Enter the description of the alert. Example: "Test Alert from Orchestrate" | Text | Required | |
Subcategory | Enter a subcategory for the alert. Example: "Orchestrate" | Text | Required | |
Alert correlation context | Enter an object describing the alert parameters. | Key Value | Required | For more information, see docs.devo.com. Supported keys: |
Example Request
[ { "name": "Test Alert from Orchestrate", "message": "Test Alerts", "description": "Test Alert from Orchestrate", "subcategory": "Orchestrate", "alert_correlation_context": { "priority": "5", "querySourceCode": "from demo.ecommerce.data where statusCode = 404", "correlationTrigger": { "kind": "each" } } } ]
Action: Delete Alert Definition
This action deletes an alert definition.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to delete. Example: "165191" | Text | Required | You can retrieve the Alert ID using Create Alert Definition action. |
Example Request
[ { "alert_id": "165191" } ]
Action: Close Investigation
This action closes an investigation on Devo based on the investigation ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Investigation ID | Enter the investigation ID to close. Example: "863764" | Text | Required | |
User name | Enter the username to update the investigation as. Example: "JohnDoe" | Text | Required | |
User email | Enter the email to update the investigation as. Example: "john.doe@sampledomain.com" | Text | Required | |
Timestamp | Enter the timestamp (epoch) to update the investigation. Example: "1625843754000" | Text | Required | |
Action | Enter the Devo action to take to close the investigation. Example: "FALSE_POSITIVE" | Text | Required | Allowed values: |
Resolution status | Enter the Devo resolution status to set when closing the investigation. Example: "FALSE_NEGATIVE" | Text | Required | Allowed values: |
Comment | Enter the comment to add to the investigation. Example: "Close as false positive" | Text | Required | |
Example Request
[ { "investigation_id": "863764", "user_email":"john.doe@sampledomain.com", "user_name":"JohnDoe", "timestamp":"1625843754000", "action":"FALSE_NEGATIVE", "resolution_status":"FALSE_NEGATIVE", "comment":"Close as false positive" } ]
Action: Update Alert Status
This action updates the status of an alert based on the alert ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to update the status of. Example: 165191 | Text | Required | |
Alert Status | Choose the status to set on the alert. Example: 0 | Text | Required | Allowed values: |
Example Request
[ { "alert_id": 165191, "alert_status": 0 } ]
Action: Get Alerts List
This action retrieves a list of triggered alerts in your domain.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Start Time | Enter the start time; only alerts triggered after this date are returned. This must be an epoch time in milliseconds. Example: 1654008600000 | Text | Required | |
End Time | Enter the end time; only alerts triggered before this date are returned. This must be an epoch time in milliseconds. Example: 1654008630000 | Text | Required | |
Limit | Enter the maximum number of elements returned in the response. Example: 100 | Text | Optional | Default value: 100 |
Offset | Enter the position of the first element in the returned list. | Text | Optional | Default value: 0 |
Order By | Enter the field to sort the alerts by. | Text | Optional | Allowed values: |
Ascending Order | Set this parameter to true to retrieve the alert list in ascending order. | Boolean | Optional | Default value: False |
Show All | Set this parameter to true to retrieve all the triggered alerts, including the ones with false positive and closed status. | Text | Optional | Default value: False |
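The Get Alerts List action takes a millisecond-epoch window and returns at most Limit alerts starting at Offset, so a playbook that wants every alert in the window has to page. The following is an added example (not code from the Devo app or the Orchestrate platform) of building the window, catching the common seconds-versus-milliseconds mistake, and paging with Limit/Offset until a short page signals the end. The snake_case parameter keys (`start_time`, `end_time`, `limit`, `offset`, `show_all`) follow the pattern of the other example requests on this page but are an assumption for this action, and `fake_run_action` with its `SAMPLE_ALERTS` is a constructed in-memory stand-in for invoking the action, so the code runs offline.

```python
import time

# Constructed sample data (not Devo's real alert schema): an id, the trigger
# time in epoch milliseconds, and a status string. Every 5th alert is closed.
SAMPLE_ALERTS = [
    {"id": 1000 + i,
     "alertDate": 1654008600000 + i * 1000,
     "status": "closed" if i % 5 == 4 else "open"}
    for i in range(12)
]


def fake_run_action(action_name, params):
    """Stand-in for the playbook call that invokes an app action.

    Filters SAMPLE_ALERTS by the window, honours show_all, and returns one
    page of size `limit` starting at `offset`, the way the action is described.
    """
    if action_name != "Get Alerts List":
        raise ValueError(f"unsupported action {action_name!r}")
    start, end = int(params["start_time"]), int(params["end_time"])
    limit, offset = int(params["limit"]), int(params["offset"])
    rows = [a for a in SAMPLE_ALERTS if start <= a["alertDate"] < end]
    if not params.get("show_all", False):
        rows = [a for a in rows if a["status"] not in ("closed", "false_positive")]
    return rows[offset:offset + limit]


def validate_epoch_ms(value):
    """Reject a seconds-precision epoch passed where milliseconds are required.

    A millisecond epoch for any date after 2001 has 13 digits; a seconds epoch
    has 10. A silent mismatch would query a window in 1970 and return nothing,
    which looks like "no alerts" rather than an error.
    """
    value = int(value)
    if value < 10 ** 12:
        raise ValueError(f"{value} looks like epoch seconds; Start/End Time need milliseconds")
    return value


def time_window_ms(hours=1, end_s=None):
    """Return (start_time, end_time) in epoch milliseconds for the last `hours`.

    `end_s` is an optional epoch-seconds end point (defaults to now), so the
    function is deterministic when a fixed end is supplied.
    """
    end_s = int(time.time()) if end_s is None else int(end_s)
    start_s = end_s - hours * 3600
    return start_s * 1000, end_s * 1000


def collect_alerts(run_action, start_time, end_time, limit=100,
                   show_all=False, max_pages=50):
    """Page through Get Alerts List until a page shorter than `limit` comes back.

    `max_pages` bounds the loop so a misbehaving backend cannot keep a playbook
    spinning forever; the ids are de-duplicated because offset paging over a
    live alert stream can return the same alert twice if new ones arrive.
    """
    start_time = validate_epoch_ms(start_time)
    end_time = validate_epoch_ms(end_time)
    if end_time <= start_time:
        raise ValueError("end_time must be after start_time")
    seen, alerts, offset = set(), [], 0
    for _ in range(max_pages):
        page = run_action("Get Alerts List", {
            "start_time": str(start_time), "end_time": str(end_time),
            "limit": str(limit), "offset": str(offset), "show_all": show_all,
        })
        for alert in page:
            if alert["id"] not in seen:
                seen.add(alert["id"])
                alerts.append(alert)
        if len(page) < limit:
            break
        offset += limit
    return alerts


if __name__ == "__main__":
    start, end = 1654008600000, 1654008630000   # the page's example window
    print(len(collect_alerts(fake_run_action, start, end, limit=3)), "open alerts")
    print(len(collect_alerts(fake_run_action, start, end, limit=3, show_all=True)), "alerts in total")
```

Stopping on the first short page costs one extra call when the total is an exact multiple of Limit, but it does not depend on a total count the action is not documented to return.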
Action: Get Alert Details
This action retrieves the details of an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to retrieve the details. Example: "165191" | Text | Required | |
Tags | Set this to true to include the alert tags in the response. Example: false | Boolean | Optional | Default value: true. Allowed values: |
Annotation | Set this to true to include the alert annotations in the response. Example: false | Boolean | Optional | Default value: true. Allowed values: |
Example Request
[ { "alert_id": "165191", "tags": false, "annotation": false } ]
Action: List Jobs
This action retrieves the currently running jobs (queries) with their status.
Action Input Parameters
This action does not require any action input parameter.
Action: Get Query Status
This action retrieves the current status of a query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Job ID | Enter the job ID to retrieve the status. Example: "3f6002a9-69cb-4495-9745-d47216fc58bf" | Text | Required | |
Example Request
[ { "job_id":"3f6002a9-69cb-4495-9745-d47216fc58bf" } ]
Action: Stop Query Job
This action stops a currently running job (query).
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Job ID | Enter the job ID to stop the job. Example: "3f6002a9-69cb-4495-9745-d47216fc58bf" | Text | Required | |
Example Request
[ { "job_id":"3f6002a9-69cb-4495-9745-d47216fc58bf" } ]
Action: Restart Query Job
This action restarts a job (query) that was previously stopped.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Job ID | Enter the job ID to restart the job. Example: "3f6002a9-69cb-4495-9745-d47216fc58bf" | Text | Required | |
Example Request
[ { "job_id":"3f6002a9-69cb-4495-9745-d47216fc58bf" } ]
Action: Generic Action
This is a generic action to perform any additional use case on Devo.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to initiate a request. Example: "GET", "POST" | Text | Required | |
Endpoint | Enter the endpoint to initiate a request. Example: "/v1/alerts/list" | Text | Required | |
Payload | Enter the payload to pass to the API. Example: $JSON[{"investigation_id":"123"}] | Any | Optional | |
Query Params | Enter the query parameters to filter results in JSON format. Example: $JSON[{"limit": 10}] | Any | Optional | |
Example Request
[ { "method":"GET", "endpoint":"v1/alerts/list/", "payload":{"investigation_id":"123"}, "query_params":{"limit":10} } ]
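Because Generic Action forwards whatever method, endpoint and payload a playbook hands it, the place to constrain it is the playbook step that builds the request. Below is an added example (not code from the Devo app or the Orchestrate platform) of a builder that produces the request shape shown above while rejecting inputs a passthrough action should never receive: a method outside a small allowlist, an endpoint that is a full URL or carries a host, query string or `..` segment, and a payload or query-params value that is not a JSON object. The allowlist `ALLOWED_METHODS` is an assumption, not a list the page gives, and the endpoint is normalised to the leading-slash, no-trailing-slash form so that "/v1/alerts/list" and "v1/alerts/list/" (both of which appear on this page) produce the same request.

```python
import json
from urllib.parse import urlsplit

# Assumption: the HTTP methods a playbook is permitted to send through the
# passthrough action. Narrow this further (e.g. GET only) for read-only playbooks.
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}


def normalize_endpoint(endpoint):
    """Return a clean relative API path such as "/v1/alerts/list".

    Rejects anything that would change *where* the request goes (a scheme or
    host) or smuggle parameters past the query_params field (a query string,
    a fragment, or a ".." path segment).
    """
    if not isinstance(endpoint, str) or not endpoint.strip():
        raise ValueError("endpoint must be a non-empty string")
    parts = urlsplit(endpoint.strip())
    if parts.scheme or parts.netloc:
        raise ValueError("endpoint must be a path relative to the Devo API, not a URL")
    if parts.query or parts.fragment:
        raise ValueError("put query parameters in query_params, not in the endpoint")
    path = "/" + parts.path.strip("/")
    if any(seg in ("..", ".") for seg in path.split("/")):
        raise ValueError("relative path segments are not allowed in the endpoint")
    return path


def build_generic_action(method, endpoint, payload=None, query_params=None):
    """Build the Generic Action request body after validating each field."""
    method = str(method).strip().upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"HTTP method {method!r} is not allowed through Generic Action")
    if payload is not None and not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    if query_params is not None and not isinstance(query_params, dict):
        raise ValueError("query_params must be a JSON object")
    request = {"method": method, "endpoint": normalize_endpoint(endpoint)}
    if payload is not None:
        request["payload"] = payload
    if query_params is not None:
        request["query_params"] = query_params
    json.dumps(request)   # fail here, not inside the app, if a value is not JSON-serialisable
    return request


if __name__ == "__main__":
    # Same inputs as the page's example request, with the endpoint normalised.
    print(json.dumps(build_generic_action(
        "GET", "v1/alerts/list/",
        payload={"investigation_id": "123"}, query_params={"limit": 10})))
```

The checks are deliberately structural: they do not know the Devo API, only that a request built here must stay on the configured API host and under the path the playbook author wrote.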