Versions Compared

Old Version 27

changes.mady.by.user Former user

Saved on

compared with

New Version 28

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
typeflat

...

Note

You need the Admin level permissions on the Azure portal as the subscription setup will require admin consent API permissions, authentications, and audits.

Action

Steps

1

Register and configure the application

  1. Go to Azure portal and click on Azure Active Directory.

  2. Click on App registration on the left-menu side. Then click on + New registration.

  3. On the Register and Application page:

    1. Name the application.

    2. Select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) in Supported Accounts type.

    3. In Redirect URI (optional) leave it as default (blank).

    4. Click Register.

  4. App registration page will open. Click on your app to configure it and give it permissions. You will see your app’s dashboard with information (docs, endpoints, etc.) when clicking it.

  5. Click Authentication on the left-menu side, then choose + Add a platform and select Mobile and desktop application.

  6. Select the three redirects URIs:

    • https://login.microsoftonline.com/common/oauth2/nativeclient

    • https://login.live.com/oauth20_desktop.srf

    • msale36f3a02-3eef-437b-874e-8a0aa29a2bf0://auth

  7. Click Configure.

2

Grant the required permissions

  1. Go to API permissions on the left-menu side.

  2. Click + Add permission in case you don’t have Microsoft Graph in the API/Permission list.

  3. Select Application permissions and search for Security. Check SecurityEvents.Read.All.

  4. Repeat the same step 3 for AuditLog.Read.All,Directory.Read.All and User.Read. If you did everything correctly, permissions will display.

  5. Select Grant admin consent for the applications.

Info

You do not need to activate permissions if you are not going to use its corresponding resource. Check the Permissions reference per service section for a detailed breakdown on resource and their needed permissions.

3

Obtain the requires credentials for the collector

  1. Go to Certificates & Secrets, select + New client secret . Named it and copy the token value.

  2. Go to Overview to get your Tenant ID and Client ID and copy both values.

Note

The token will display only once. You will need to create another one if you didn’t copy it the first time.

...

Expand
titleEnable/disable the logging debug mode

Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.

  • To enable this option you just need to edit the configuration and change the debug parameter from false to true and restart the collector.

  • To disable this option, you just need to update the configuration and change the debug parameter from true to false and restart the collector.

For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.

Change log for v1.x.x

Release

Released on

Release type

Details

Recommendations

v1.2.0

Status
colourPurple
titleNEW FEATURE

Status
colourGreen
titleIMPROVEMENT

New features:

  • New supported sources

    • Sign In (signIn service)

    • Audit (audit service)

    • Provisioning (provisioning service)

  • Previous services modification

    • The new tagging introduced in the previous v1.1.3 release is now customizable through the tag_version service parameter. The default tagging has been reverted to the original one.

    • The alerts source, when setting the tag_version to v2, will try to categorize the events by applying different tags based on the event’s provider.

Improvements:

  • Token validation is now performed against the corresponding endpoint.

Upgrade

v1.3.0

Status
colourGreen
titleIMPROVEMENT

Status
colourRed
titleBUG FIX

Improvements:

  • start_time configuration parameter normalization for audit and provisioning services.

  • Upgraded devocollectorsdk from 1.4.0 to 1.4.4b:

    • Added:

      • New "templates" functionality.

      • New controlled stopping condition when any input thread fatally fails.

      • Log traces for knowing the execution environment status (debug mode).

    • Changed:

      • Improved log trace details when runtime exceptions happen

      • Refactored source code structure

      • Fixes in the current puller template version

      • The Docker container exits with the proper error code

Bug fixing:

  • Correct token validation when a Partial Content response is received.

  • Use appropriate destination tag for provisioning events.

Upgrade

v1.4.0

Status
colourGreen
titleIMPROVEMENT

Improvements:

  • Automatic outdated start_time correction for audit-based services.

    • New “reset persistence” functionality.

Recommended version

Upgrade

v1.4.1

2,

Status
colourRed
titleBUG FIX

Fixed bugs:

  • Fix error with vendor state when checking the reset_persistence_auth parameter.

  • Allow using v2 tags for secure_scores and secure_scores_control_profile tags.

  • Add missing Devo metadata into events.

Recommended version

Upgrade

v1.4.2

Status
colourRed
titleBUG FIX

Fixed bugs:

  • Fixes bug with non-time-based puller state.

Upgrade

v1.6.0

Status
colourPurple
titleNEW FEATURE

New features:

  • The pulling mechanism now uses a sliding window to avoid event loss and duplication.

Improvements:

  • DevoCollectorSDK upgraded to v1.6.0:

    • Added:

      • More log traces related to execution environment details.

      • Global rate limiters functionality.

      • Extra checks for supporting MacOS as development environment.

      • Obfuscation functionality.

    • Changed:

      • Some log traces now are shown less frequently.

      • The default value for the logging frequency for "main" processes has been changed (to 120 seconds).

      • Updated some Python Packages.

      • Controlled stopping functionality more stable when using the "template".

      • Improved some log messages related to Devo certificates (when using the Devo sender).

      • Validate json objects before saving them to persistence (using filesystem).

The v1.5.0 release has not been published.

Recommended version