Versions Compared

Old Version 4

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

compared with

New Version Current

changes.mady.by.user Nikhil Goyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Rw ui tabs macro
Rw tab
titleCloud collector

We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.

Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block
<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml
Note

Replace <product_name> with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

image-20240402-104530.png
Note

Replace <product_name> with the proper value.

Editing the config.yaml file

Code Block
globals:
  debug: false
  id: not_used
  name: cyberark_identity_collector
  persistence:
    type: filesystem
    config:
      directory_name: state

outputs:
  devo_1:
    type: devo_platform
    config:
      address: <your-ingestion-endpoint>
      port: 443
      type: SSL
      chain: chain.crt
      cert: <your_domain>.crt
      key: <your_domain>.key
inputs:
  cyberark_identity:
    id: <short_unique_id>
    enabled: <input_status>
    credentials:
      tenant: <tenant_value>
      client_id: <client_id_value>
      client_secret: <client_secret_value>
      app_id: <app_id_value>
    services:
       <cyberark_identity_event_type_value>:   # The service name must be an existing EventType
         types: [<types_value>]
         start_time_in_utc: <start_time_in_utc_value>
         extra_fields: [<extra_field_name_values>]
         override_page_size: <override_page_size_value>
         request_period_in_seconds: <request_period_in_seconds>
         override_tag: <override_devo_tag>
Info

All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

Replace the placeholders with your required values following the description table below:

Parameter

Data type

Type

Value range / Format

Details

<short_unique_id>

int

Mandatory

Minimum Lenght 5

Use this param to give a unique id to this input service.

Note

This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

<input_status>

bool

Mandatory

false / true

Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.

<tenant_value>

str

Mandatory

Minimum Length 1

Tenant ID for Cyberark Identity

<client_id_value>

str

Mandatory

Minimum Length 1

This configuration helps to get the required client ID

<client_secret_value>

str

Mandatory

Minimum Length 1

This configuration helps to get the required client secret

<start_time_in_utc_value>

str

Mandatory

Minimum length: 1

Start time in utc format

<override_page_size>

str

Optional

A devo Tag

This parameter allows to define a custom devo tag.

<extra_fields_value>

array

Optional

Minimum length: 

Extra Field for Cyberark Identity

<types_value>

array

Optional

Minimum Length 1

Types of the service events

<override_tag>

str

Optional

A devo tag

This parameter allows defining a custom devo tag.

<override_base_url>

str

Optional

Base Url

This parameter allows overriding the base url

<override_token_url>

str

Optional

Token Url

This parameter allows overriding the token url

<override_scope_value>

str

Optional

Scope 

This parameter allows overriding the scope value

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-cyberark_identity-docker-image-1.12.30

828f6ad08acef7b435d0d1373fa3a4f3be33c09205a2323f5b4755ce502b1cf051f36b2fb708e2e40a0bc374d6720b1a190c40f15b261d1f5285e929b4983730

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz | docker load
Note

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block
docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <product_name>, <image_name> and <version> with the proper values.

...

Please contact developer if this error occurs
Expand
titleTroubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error

type

Type

Error

ID

Id

Error

message

Message

Cause

Solution

SetupError

InitVariablesError

499

Error occurred while Making request from Cyberark Redrock API

 

Error Details will provided in this case

Contact team in this case

PullError

495

Value Error occurred because parsing the response failed to the required format

This error happens when the collector tries to parse the response to the provided 

In this error you will find the Value error code and content it is being parsed to as well as 

496

Connection Timeout Error occurred while retrieving events from Cyberark server : {Exception}

Connection timeout exceptions occurred while making the API request.

Please check if endpoint and URL parameter are correct.

497

Retry Exceptions  

Retry exceptions. We get reason for the exceptions occurred

Please contact developer if this error occurs

498

Max retries error. It provides the reason for this error.

Reason is provided for getting such error

1

Invalid start_time_in_utc: {ini_start_str}. Must be in parseable datetime format.

The configured start_time_in_utc parameter is a non-parseable format.

Update the start_time_in_utc value to have the recommended format as indicated in the guide.

InitVariablesError

2

Invalid start_time_in_utc: {ini_start_str}. Must be in the past.

The configured start_time_in_utc parameter is a future date.

Update the start_time_in_utc value to a past datetime.

ApiError

401

Error during API call to [API provider HTML error response here]

The server returned an HTTP 401 response.

Ensure that the provided credentials are correct and provide read access to the targeted data.

ApiError

499

Error during API call to [API provider HTML error response here]

The server returned an unsuccessful response. This can also occur when a user attempts to perform a Redrock query that is malformed or otherwise incorrect (e.g. selecting a non-existent field)..

Review the error message to determine the cause/solution of the error. In the event of Redrock query API errors, the message will indicate the malformed query.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

...

Release

Released on

Release type

Details

Recommendations

v1.2.0

Status
colourGreen
titleIMPROVEMENT

Status
colourRed
titleFixes

Improvements

  • Updated the DCSDK from 1.11.1 to 1.13.1

  • upgraded dcsdk-docker-base-image to 1.3.1

Fixes

  • Fixed the user config and schemas to allow overrides.

Recommended version

v1.1.3

Status
colourRedGreen
titleIMPROVEMENT

Updated the tag and removed the usage of tag_mapper

Recommended versionUpgrade

v1.1.2

Status
colourPurple
titleFIRST RELEASE

Released the first version of the Cyberark Identity collector.

Initial version