Skip to content

Interpres Application - Devo SIEM

  • Type: SIEM/Data Lake
  • Vendor: Devo

The Devo SIEM is a cloud SIEM platform with the ability to ingest any type of data into their cloud database offering. This integration will get detections, alerts and telemetry from the Devo platform.

Vendor setup

  1. Before beginning make sure you have administrator privileges in the Devo platform.
  2. Navigate to the Devo Platform and login to the domain you wish to configure. Currently if you have multiple domains you must setup multiple Interpres integrations.

  3. Navigate to the following page in Devo UI: Administration -> Credentials ->Tokens

  4. Create the following tokens

    1. Alert API Token
      1. Please enter in any name, authorize user.
      2. For target tables select *.** (All user tables)
      3. For type please select Alert API (Create and manager alerts using the API)
      4. After creating please click into the new token and copy down the Token code
    2. Query API Token
      1. Please enter in any name, authorize user.
      2. The token will need access to the following tables:
        • siem.logtrust.collector.counter
        • my.lookuplist.SecOpsAlertDescription
        • box.all.win: only if Windows logs are being ingested in the Devo domain
        • cloud.aws.cloudtrail: only if Cloudtrail logs are being ingested in the Devo domain
      3. For type please select Query API (Query data and manage all domain jobs)
      4. After creating please click into the new token and copy down the Token code
  5. Please note down which Devo region you are logging into, more information can be found here: Link to Devo regions
    1. For the corresponding region please look up the following API endpoints and note them down:
      1. Alerts API
      2. Query API

Once finished you should have the following information

  • Devo UI URL : step 5
  • Base Alert URL: step 5.1.1
  • Base Query URL: step 5.1.2
  • Alert Token: step 4.1.4
  • Query Token: step 4.2.4

App Configuration

App Parameters:

  • Base Query URL: Base URL for query API. Please find your endpoint here: Query API Endpoints

  • Base Alert URL: Base URL for alerts API. Please find your endpoint here: Alerts API

  • Query Token: Query token used to make requests against query

  • Alert Token: Alert token used to make requests against alerts

App Validation

If configured correctly this integration will pull down all detections defined in the Devo platform and periodically pull in all triggered alerts from Devo. It will also periodically check for available telemetry.

App Functionality

Implemented Actions

  • Get Alerts: Gets the latest alerts using the Devo Alert API.

  • Get Available Telemetry: Returns a list of telemetry identifiers with their current status. It queries the table siem.logtrust.collector.counter

  • Get Detections: Returns a list of detections using the Devo Alert API.