...
Rw ui tabs macro | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running. StructureThe following directory structure should be created for being used when running this collector:
Devo credentialsIn Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in Editing the config-crowdstrikeapi.yaml file
Replace the placeholders with the required values:
Download the Docker imageThe collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Use the following command to add the Docker image to the system:
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace " The Docker image can be deployed on the following services:
DockerExecute the following command on the root directory
Docker ComposeThe following Docker Compose file can be used to execute the Docker container. It must be created in the
To run the container using docker-compose, execute the following command from the
Copy |
...
Release | Released on | Release type | Details | Recommendations | |||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
| New Features:
|
| ||||||||||||||||||||||||||||||||||
|
| Improvements:
Vulnerabilities mitigation:
|
| ||||||||||||||||||||||||||||||||||
| Improvements:
|
| |||||||||||||||||||||||||||||||||||
|
| Improvements:
|
|
| Status | | |||||||||||||||||||||||||||||||
colour | Green | title | IMPROVEMENTS
| ||||||||||||||||||||||||||||||||||
|
| Improvements:
Bug Fixing:
|
| ||||||||||||||||||||||||||||||||||
|
| Improvements:
New Features:
|
|
| 15 Sep
|
| |||||||||||||||||||||||||||||||
|
|
Status | ||||
---|---|---|---|---|
|
Status | ||||
---|---|---|---|---|
|
Improvements:
Added @devo_pulling_id field.
Update the `details` endpoint to use the v2 API (due to v1 deprecation)
Bug Fixing:
Fixed a bug that prevented overriding the base URL.
Recommended Version
v1.4.2
Status | ||||
---|---|---|---|---|
|
Improvements:
The RegEx validation has been updated to enforce the
HTTP[S]
protocol for all services when this parameter is filled in by the user.The Event Stream (eStream) service has been updated to use the same overriding parameter for the
base_url
than the other previous services. This allows to the user define this only one time for all available services throughoverride_base_url
user config file.
Recommended Version
Status | ||||
---|---|---|---|---|
|
Improvements:
Upgraded underlay IFC SDK
v1.3.0
tov1.4.0
.Updated the underlying
DevoSDK
package tov3.6.4
and dependencies, this upgrade increases the resilience of the collector when the connection with Devo or the Syslog server is lost. The collector is able to reconnect in some scenarios without running the self-kill feature.Support for stopping the collector when a
GRACEFULL_SHUTDOWN
system signal is received.Re-enabled the logging to
devo.collector.out
for Input threads.Improved self-kill functionality behavior.
Added more details in log traces.
Added log traces for knowing system memory usage.
New Features:
CrowdStrike Event Stream (eStream) data source is now available. This service leverages the CrowdStrike Falcon Event Streams API to obtain the customer’s DataFeed URLs and continuosly fetch events that will be ingested under the
edr.crowdstrike.falconstreaming.*
family of tables. For more information, check the CrowdStrike’s official documentation.
Upgrade
v1.2.0
Status | ||||
---|---|---|---|---|
|
Status | ||||
---|---|---|---|---|
|
Improvements:
Recommended Version
Updated DCSDK from Upgraded underlay IFC SDK
v1.1.
7.23
to 1v1.
83.0
:Ability to validate collector setup and exit without pulling any data.
Ability to store in the persistence the messages that couldn't be sent after the collector stopped.
Ability to send messages from the persistence when the collector starts and before the puller begins working.
Ensure special characters are properly sent to the platform.
Recommended Version
v1.4.3
Status | ||||
---|---|---|---|---|
|
Improvements:
New functionality, access to File Vantage API
Updated DCSDK from 1.8.0 to 1.10.2:
Upgrade internal dependencies
Store lookup instances into DevoSender to avoid creation of new instances for the same lookup
Ensure service_config is a dict into templates
Ensure special characters are properly sent to the platform
Changed log level to some messages from info to debug
Changed some wrong log messages
Upgraded some internal dependencies
Changed queue passed to setup instance constructor
Added input metrics
Modified output metrics
Updated DevoSDK to version 5.1.6
Standardized exception messages for traceability
Added more detail in queue statistics
Updated PythonSDK to version 5.0.7
Introduced pyproject.toml
Added requirements.dev.txt
Fixed error in pyproject.toml related to project scripts endpoint
.
The resilience has been improved with a new feature that restart the collector when the Devo connections is lost and it cannot be recovered.
When an exception is raised by the Collector Setup, the collector retries after 5 seconds. For consecutive exceptions, the waiting time is multiplied by 5 until hits 1800 seconds, which is the maximum waiting time allowed. No maximum retries are applied.
When an exception is raised by the Collector Pull method, the collector retries after 5 seconds. For consecutive exceptions, the waiting time is multiplied by 5 until hits 1800 seconds, which is the maximum waiting time allowed. No maximum retries are applied.
When an exception is raised by the Collector pre-pull method, the collector retries after 30 seconds. No maximum retries are applied.
Upgrade
v1.1.0
Status | ||||
---|---|---|---|---|
|
Status | ||||
---|---|---|---|---|
|
Improvements:
The underlay IFC SDK has been updated from
v1.1.2
tov1.1.3
.The resilience has been improved with a new feature that restart the collector when the Devo connections is lost and it cannot be recovered.
Vulnerabilities mitigation:
All
critical
andhigh
vulnerabilities have been mitigated.
Upgrade
v1.0.0
Status | ||||
---|---|---|---|---|
|
New Features:
Initial release that includes the following data sources from CrowdStrike API:
Hosts
Incidents
Vulnerabilities
Behaviors
Upgrade