To run this collector, there are some configurations detailed below that you need to consider.
Configuration
Details
API access to a Proofpoint CASB
You will need a API access to a Proofpoint CASB instance configured in an environment acting as a cloud security app broker.
Configure Proofpoint CASB
Install and configure Proofpoint CASB in a cloud environment per Proofpoint instructions and guidance
Obtain API authentication details
Contact your Proofpoint customer representative to obtain your api_key, cliend_id, and client_secret
Info
More information
Refer to the Vendor setup section to know more about these configurations.
...
Proofpoint Cloud App Security Broker (Proofpoint CASB) helps you secure applications such as Microsoft Office 365, Google Workspace, Box, and more. It gives you people-centric visibility and control over your cloud apps, so you can deploy cloud services with confidence.
Devo collector features
Feature
Details
Allow parallel downloading (multipod)
Allowed
Running environments
Collector server
On-premise
Populated Devo events
Table
Flattening preprocessing
Yes
Data sources
Data Source
Description
API Endpoint
Collector service name
Devo Table
Available from release
Alerts
Alerts corresponding to related events
/v1/alerts
alerts
casb.proofpoint.alert
v1.0.0
Events
Cloud activity events
/v2/events
events
casb.proofpoint.event
v1.0.0
For more information on how the events are parsed, visit our page.
Flattening preprocessing
Data Source
Collector Service
Optional
Flattening Details
Alerts
alerts
No
Alerts are flattened on the related_events field. Each resultant record includes all the fields of the parent object, the target child object, and fields identifying the index of the target child object.
Events
events
No
Events are flattened on the additionalProperties field. Each resultant record includes all the fields of the parent object, the target child object, and fields identifying the index of the target child object.
Anchor
vendorsetup
vendorsetup
...
Info
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.
Setting
Details
api_key
The api_key obtained from Proofpoint for authentication.
client_id
The client_id obtained from Proofpoint for authentication.
client_secret
The client_secret obtained from Proofpoint for authentication.
Info
See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.
...
Depending on how did you obtain your credentials, you will have to either fill in or delete the following properties on the JSON credentials configuration block.
Authentication Method
API Key
Client ID
Client Secret
OAuth
Status
colour
Green
title
REQUIRED
Status
colour
Green
title
REQUIRED
Status
colour
Green
title
REQUIRED
Run the collector
Once the data source is configured, you can send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Rw ui tabs macro
Rw tab
title
On-premise collector
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.
Structure
The following directory structure should be created for being used when running the collector:
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.
Replace the placeholders with your required values following the description table below:
Parameter
Data Type
Type
Value Range
Details
collector_id
str
Mandatory
Minimum length: 1 Maximum length: 5
Use this param to give an unique id to this collector.
collector_name
str
Mandatory
Minimum length: 1 Maximum length: 10
Use this param to give a valid name to this collector.
devo_address
str
Mandatory
collector-us.devo.io collector-eu.devo.io
Use this param to identify the Devo Cloud where the events will be sent.
chain_filename
str
Mandatory
Minimum length: 4 Maximum length: 20
Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: chain.crt
cert_filename
str
Mandatory
Minimum length: 4 Maximum length: 20
Use this param to identify the file.cert downloaded from your Devo domain.
key_filename
str
Mandatory
Minimum length: 4 Maximum length: 20
Use this param to identify the file.key downloaded from your Devo domain.
input_id
str
Mandatory
Minimum length: 1 Maximum length: 5
Use this param to give an unique id to this input service.
Note
This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.
api_key
str
Mandatory
Minimum length: 1
The client_id obtained from Proofpoint for authentication.
client_id
str
Mandatory
Minimum length: 1
The client_id obtained from Proofpoint for authentication.
client_secret
str
Mandatory
Minimum length: 1
The client_secret obtained from Proofpoint for authentication.
initial_start_time_in_utc
str
Optional
UTC with format: YYYY-mm-ddTHH:MM:SS.sssZ
This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.
Please note that setting the initial_start_time_in_utc for a particular service will override any initial_start_time_in_utc set in the commons level.
Info
This parameter can be removed or commented.
Download the Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
Replace <product_name>, <image_name> and <version> with the proper values.
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:
Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note
Replace <product_name>, <image_name> and <version> with the proper values.
Rw tab
title
Cloud collector
We use a piece of software called Collector Server to host and manage all our available collectors.If you want us to host this collector for you, get in touch with us and we will guide you through the configuration
To enable the collector for a customer:
In the Collector ServerGUI, access the domain in which you want this instance to be created
Click Add Collector and find the one you wish to add.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.
In the Parameters section, establish the Collector Parameters as follows below:
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.
Please replace the placeholders with real world values following the description table below:
Parameter
Data Type
Type
Value Range / Format
Details
input_id
str
mandatory
minimum length: 1 maximum length: 20
Use this parameter to give a unique ID to this input service.
Note
This parameter is used to build the persistence address; do not use the same value for multiple collectors. It could cause a collision.
api_key
str
mandatory
minimum length: 1
The api_key obtained from Proofpoint for authentication.
client_id
str
mandatory
minimum length: 1
The client_id obtained from Proofpoint for authentication.
client_secret
str
mandatory
minimum length: 1
The client_secret obtained from Proofpoint for authentication.
initial_start_time_in_utc
str
optional
UTC with format: YYYY-mm-ddTHH:MM:SS.sssZ
This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.
Please note that setting the initial_start_time_in_utc for a particular service will override any initial_start_time_in_utc set in the commons level.
This parameter should be removed if it is not used.
Collector services detail
...
Expand
title
Troubleshooting
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
ErrorType
Error Id
Error Message
Cause
Solution
ProofpointCasbInitVariablesError
1
{error_message}
There have been some kind of error while reading the user config file.
Read the error carefully and find the parameter that is causing the error.
Read the error and make the appropriate modifications in the user config file.
Some parameter could be missing, etc.
ProofpointCasbInitVariablesError
2
{error_message}
There have been some kind of error while validating the user config file. Read the error carefully and find the parameter that is causing the error.
Read the error and make the appropriate modifications in the user config file.
The type of the parameter was not the expected one, etc.
ProofpointCasbInitVariablesError
3
{error_message}
There have been some kind of error while initializing the client class used to communicate with the API.
This is an internal issue. Please contact Devo Support.
ProofpointCasbSetupError
101
Potential issue with authentication. Please check credentials and detailed error message: {error_message}
The credentials used are not valid anymore.
Use some valid credentials.
ValueError
-
Retry-After header not found
The Retry-After header is not included in the response.
This is an internal issue. Please contact Devo Support.
ValueError
-
Retry-After header value is None
The Retry-After header is empty.
This is an internal issue. Please contact Devo Support.
TypeError
-
Invalid type {type}. Must be epoch seconds, epoch millis, str, datetime, or DateTime
The type used for the date is not correct.
Use one of the formats specified in the error message.
Change log for v1.x.x
Release
Released on
Release type
Details
Recommendations
v1.0.1
Status
colour
Red
title
BUG FIXING
Status
colour
Yellow
title
IMPROVEMENTS
Improvements
Update DCSDK from 1.5.0 to 1.8.0
Bug Fixing
Updated limits: The requests limits have been updated with the values recommended by the API to avoid 429 errors.
