Table of Contents | ||||
---|---|---|---|---|
|
...
Note |
---|
You need the Admin level permissions on the Azure portal as the subscription setup will require admin consent API permissions, authentications, and audits. |
Action | Steps | |||
1 | Register and configure the application |
| ||
2 | Grant the required permissions |
| ||
3 | Obtain the requires credentials for the collector |
|
...
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Rw ui tabs macro |
---|
Rw tab | ||
---|---|---|
|
Rw tab | ||
---|---|---|
|
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.
Structure
The following directory structure should be created for being used when running the collector:
Code Block |
---|
<any_directory> └── devo-collectors/ └── <product_name>/ ├── certs/ │ ├── chain.crt │ ├── <your_domain>.key │ └── <your_domain>.crt ├── state/ └── config/ └── config.yaml |
Note |
---|
Replace |
Devo credentials
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/
. Learn more about security credentials in Devo here.
Note |
---|
Replace |
Editing the config.yaml file
Code Block |
---|
globals: debug: <debug_status> id: <short_unique_id> name: <collector_name> persistence: type: filesystem config: directory_name: state outputs: devo_1: type: devo_platform config: address: <devo_address> port: 443 type: SSL chain: <chain_filename> cert: <cert_filename> key: <key_filename> inputs: microsoft_graph: id: <input_id> enabled: <run_service> request_per_second: <request_per_second> credentials: tenant_id: <tenant_id_value> client_id: <client_id_value> client_secret: <client_secret_value> services: secure_score_control_profile: tag_version: v2 request_period_in_seconds: <request_period_in_seconds_value> start_time: <start_time_value> alerts: tag_version: v2 request_period_in_seconds: <request_period_in_seconds_value> start_time: <start_time_value> secure_scores: tag_version: v2 request_period_in_seconds: <request_period_in_seconds_value> start_time: <start_time_value> audit: request_period_in_seconds: <request_period_in_seconds_value> start_time: <start_time_value> provisioning: request_period_in_seconds: <request_period_in_seconds_value> start_time: <start_time_value> signIn: request_period_in_seconds: <request_period_in_seconds_value> start_time: <start_time_value> signIn_nonInteractive: request_period_in_seconds: <request_period_in_seconds_value> start_time: <start_time_value> signIn_servicePrincipal: request_period_in_seconds: <request_period_in_seconds_value> start_time: <start_time_value> signIn_managedIdentity: request_period_in_seconds: <request_period_in_seconds_value> start_time: <start_time_value> |
Info |
---|
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the |
Replace the placeholders with your required values following the description table below:
Parameter | Data type | Type | Value range / Format | Details | ||||
---|---|---|---|---|---|---|---|---|
|
|
|
| If the value is | ||||
|
|
| Minimum length: | Use this param to give a unique id to this collector. | ||||
|
|
| Minimum length: | Use this param to give a valid name to this collector, like | ||||
|
|
|
| Use this param to identify the Devo Cloud where the events will be sent. | ||||
|
|
| Minimum length: | Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: | ||||
|
|
| Minimum length: | Use this param to identify the | ||||
|
|
| Minimum length: | Use this param to identify the | ||||
|
|
| Minimum length: | Use this param to give a unique id to this input service.
| ||||
|
|
|
| Use this param to enable or disable the given input logic when running the collector. If the value is | ||||
|
|
| Minimum value: | Customize the maximum number of API requests per second. If not used, the default setting will be used:
| ||||
|
|
| UUID format | This is the Tenant’s ID you created in Azure AD. You can obtain it from the Overview page in your registered application. | ||||
|
|
| UUID format | This is the Tenant’s ID you created in Azure AD. You can obtain it from the Overview page in your registered application. | ||||
|
|
| Any non-whitespace character | This is the Client’s secret you created in Azure AD. You can obtain it from the Certificates & secrets page in your registered application. | ||||
|
|
| Minimum value: | The amount (in seconds) in which the service’s collection is scheduled.
| ||||
|
|
| For the secure_scores service: For the rest of the services: | This will allow you to start from a specific date in case you want to ingest historic events. If not set, it will start at the current time.
| ||||
|
|
| Only accepts | The
The detailed table destination depending on the
|
Download the Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Collector Docker image | SHA-256 hash |
---|---|
|
Use the following command to add the Docker image to the system:
Code Block |
---|
gunzip -c <collector-ms-graph-collector-if-docker-image>-<1.2.0>.tgz | docker load |
Note |
---|
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace |
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
Code Block |
---|
docker run --name collector-<product_name> --volume $PWD/certs:/devo-collector/certs --volume $PWD/config:/devo-collector/config --volume $PWD/state:/devo-collector/state --env CONFIG_FILE=config.yaml --rm --interactive --tty <image_name>:<version> |
Note |
---|
Replace |
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/
directory.
Code Block |
---|
version: '3' services: collector-<product_name>: image: <image_name>:${IMAGE_VERSION:-latest} container_name: collector-<product_name> volumes: - ./certs:/devo-collector/certs - ./config:/devo-collector/config - ./credentials:/devo-collector/credentials - ./state:/devo-collector/state environment: - CONFIG_FILE=${CONFIG_FILE:-config.yaml} |
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/
directory:
Code Block |
---|
IMAGE_VERSION=<version> docker-compose up -d |
Note |
---|
Replace |
Rw tab | ||
---|---|---|
|
We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.
Collector services detail
...