We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.

On-premise collector
This data collector can be run on any machine that has the Docker service available, because it is executed as a Docker container. The following sections explain how to prepare everything required to have the data collector running.

Structure

The following directory structure should be created for running this collector:
<any_directory>
└── devo-collectors/
    └── devo-collector-crowdstrikeapi/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        └── config/
            └── config-crowdstrikeapi.yaml
Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in devo-collectors/devo-collector-crowdstrikeapi/certs/ (the certs/ directory of the structure above). Learn more about security credentials in Devo here. The private key is what authenticates this collector to Devo, so restrict it to the user that runs the container (for example, chmod 600) and keep it out of version control.

Editing the config-crowdstrikeapi.yaml file
globals:
  debug: <debug_value>
  id: not_used
  name: <collector_name>
  persistence:
    type: filesystem
    config:
      directory_name: state
  multiprocessing: false
  queue_max_size_in_mb: 1024
  queue_max_size_in_messages: 1000
  queue_max_elapsed_time_in_sec: 60
  queue_wrap_max_size_in_messages: 100
outputs:
  devo_1:
    type: devo_platform
    config:
      address: <devo_address>
      port: 443
      type: SSL
      chain: <chain_filename>
      cert: <cert_filename>
      key: <key_filename>
inputs:
  crowdstrike:
    id: <input_id>
    enabled: true
    requests_per_second: <request_per_seconds>
    override_base_url: <override_base_url_value>
    credentials:
      client_id: <client_id_value>
      secret_key: <secret_key_value>
    services:
      incidents:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      hosts:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      vulnerabilities:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      behaviors:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      filevantage:
        request_period_in_seconds: <request_period_in_seconds_value>
        start_timestamp_in_epoch_seconds: <start_timestamp_in_epoch_seconds_value>
      estream:
        request_period_in_seconds: <request_period_in_seconds_value>
        reset_persistence_auth: <reset_persistence_auth_value>
        overide_offset_save_batch_size_in_events: <overide_offset_save_batch_size_in_events_value>
        overide_max_seconds_after_last_ingestion: <overide_max_seconds_after_last_ingestion_value>
        initial_partition_offsets:
          <partition_id_value>: <partition_offset_value>
        tagging_version: <tagging_version_value>
        additional_tag_mappings:
          <lowercased_event_type_value>: <fourth_tag_level_value>
Replace the placeholders with the required values. Optional parameters should be removed from the file when they are not used, so that the collector default applies:

Parameter | Data Type | Type | Value Range | Details
---|---|---|---|---
input_id (the id key) | int | Mandatory | 1 to 5 digits | Use this parameter to give a unique ID to this input service.
input_status (the enabled key) | bool | Mandatory | false / true | If the value is true, the input definition is executed. If the value is false, the service is ignored.
requests_per_second | int | Optional | Minimum value: 1 | Maximum number of API requests per second. If not set, the default of 100000 requests/sec is used. Remove this parameter if it is not used.
override_base_url | str | Optional | Valid URL following this regex: pending | By default the base URL is https://api.crowdstrike.com. This parameter lets you customize it, for example to point at a regional CrowdStrike API host. Remove this parameter if it is not used.
creds_client (the client_id key) | str | Mandatory | Any | Client ID of the CrowdStrike API client used to authenticate to the service.
creds_secret (the secret_key key) | str | Mandatory | Any | Secret key of the CrowdStrike API client used to authenticate to the service. It is stored in clear text in this file, so protect the file accordingly.
period_in_seconds (the request_period_in_seconds key) | int | Optional | Minimum value: 1 | By default each service runs every 600 seconds. This parameter lets you customize that interval. Remove this parameter if it is not used.
start_timestamp_in_epoch_seconds | int | Mandatory | Unix timestamp; minimum value: 1609455600; maximum value: now | Initial point in time from which data is fetched from the endpoint. Note: updating this value causes the loss of all persisted data and current pipelines.
reset_persistence_auth | str | Optional | Format: YYYY-MM-DDTHH:mm:ss.SSSZ; maximum value: current date | Clears the persistence of the collector and restarts the download pipeline. Updating this value causes the loss of all persisted data and current pipelines. Remove this parameter if it is not used.
overide_offset_save_batch_size_in_events | int | Optional | Minimum value: 1; maximum value: 1000 | Although the stream service uses a streaming API (events are fetched continuously, one by one), collected events are sent in batches for better performance. This parameter sets the number of events per batch. The default value is 10. Remove this parameter if it is not used.
overide_max_seconds_after_last_ingestion | int | Optional | Minimum value: 1; maximum value: 1000 | If the collector has not ingested a batch of events in the last n seconds, the connection is closed and all streams are restarted. This parameter sets that time span. Remove this parameter if it is not used.
initial_partition_offsets | object | Optional | One <partition_id_value>: <partition_offset_value> entry per partition, where <partition_id_value> is the partition ID (0, 1, 2…) that uses this initial offset and <partition_offset_value> is the initial offset. The offset itself is not ingested; ingestion starts from the next one. | The CrowdStrike Event Stream has partitions, each streaming its own events and therefore managing its own event offset. When querying for events you can specify an initial offset to start receiving events from. This parameter defines the initial offsets for the first run of this service or when the state is reset. Remove this parameter if it is not used.
tagging_version | str | Optional | A version string (like "1.3.0") or "latest" | Selects the tagging mechanism, which a release may change. To keep the original tagging mechanism, remove this parameter. To use the mechanism introduced in a specific release, set that version. To always use the latest mechanism, without backwards compatibility, use latest. Remove this parameter if it is not used.
additional_tag_mappings | object | Optional | One <lowercased_event_type_value>: <fourth_tag_level_value> entry per event type | Sets a custom destination tag for events that the default mapping does not cover: the key is the event type in lowercase and the value becomes the fourth level of the destination tag. Remove this parameter if it is not used.
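Before mounting the directory into the container it is worth checking that the structure is complete, that no template placeholder survived, that the timestamps are in the documented range, and that the two secrets on disk (the Devo private key and the config file that carries the CrowdStrike secret_key) are not readable by other users. The following script is an added example written for this page; it is not part of the Devo documentation or of the collector image. It assumes the layout from the Structure section and the config keys shown above (outputs.*.config.chain/cert/key and start_timestamp_in_epoch_seconds); the function name collector_preflight and its messages are this example's own. The permission checks assume the container process runs as root or as the user that owns the files; relax them if your image runs as another UID.

```shell
#!/usr/bin/env bash
# collector_preflight <collector_dir>
#
# Added example, not part of the Devo documentation or the collector image.
# Assumes the documented layout:
#   <collector_dir>/certs/   chain.crt, <your_domain>.crt, <your_domain>.key
#   <collector_dir>/config/  config-crowdstrikeapi.yaml
# Prints one line per problem and returns 1 if the directory is not ready to be
# mounted into the container; returns 0 when every check passes.
collector_preflight() {
  dir=$1
  cfg=$dir/config/config-crowdstrikeapi.yaml
  rc=0

  # 1. The config file must exist; all other checks read from it.
  if [ ! -f "$cfg" ]; then
    echo "missing $cfg"
    return 1
  fi

  # 2. No template placeholder (<debug_value>, <client_id_value>, ...) may survive.
  if grep -n '<[A-Za-z_]*>' "$cfg"; then
    echo "unreplaced placeholders in $cfg"
    rc=1
  fi

  # 3. The config holds the CrowdStrike secret_key, so group/others must not read it.
  #    The mode field of ls -l is POSIX, so this works on GNU and BSD userlands.
  if [ "$(ls -ld "$cfg" | cut -c5-10)" != "------" ]; then
    echo "$cfg is readable by group/others; chmod 600 it"
    rc=1
  fi

  # 4. chain/cert/key under outputs must name files present in certs/, and the
  #    Devo private key must be owner-only as well.
  for k in chain cert key; do
    f=$(awk -v k="$k" '$1 == (k ":") {print $2; exit}' "$cfg")
    if [ -z "$f" ]; then
      echo "outputs.devo_1.config.$k is not set"
      rc=1
    elif [ ! -f "$dir/certs/$f" ]; then
      echo "certs/$f is referenced by $k but does not exist"
      rc=1
    elif [ "$k" = key ] && [ "$(ls -ld "$dir/certs/$f" | cut -c5-10)" != "------" ]; then
      echo "certs/$f is readable by group/others; chmod 600 it"
      rc=1
    fi
  done

  # 5. Every start_timestamp_in_epoch_seconds must be an integer between the
  #    documented minimum (1609455600) and the current time.
  now=$(date +%s)
  for ts in $(awk '$1 == "start_timestamp_in_epoch_seconds:" {print $2}' "$cfg"); do
    case $ts in
      *[!0-9]*) echo "start_timestamp_in_epoch_seconds '$ts' is not an integer"; rc=1 ;;
      *) if [ "$ts" -lt 1609455600 ] || [ "$ts" -gt "$now" ]; then
           echo "start_timestamp_in_epoch_seconds $ts is outside 1609455600..$now"
           rc=1
         fi ;;
    esac
  done

  return $rc
}

# Usage, from <any_directory>/devo-collectors/:
#   collector_preflight ./devo-collector-crowdstrikeapi && cd devo-collector-crowdstrikeapi && docker run ...
```

The checks deliberately stop at what can be verified offline: the certificate chain is not validated and the CrowdStrike credentials are not exercised, because both require network access and the collector log will report either failure on the first run.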
Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the table, then use the following command to add the Docker image to the system:

gunzip -c collector-crowdstrike-docker-image-<version>.tgz | docker load
Once the image is loaded, docker load prints the full name of the image, including its version tag; use that tag wherever <version> appears below. The Docker image can be deployed with the following services:

Docker

Execute the following command from the collector root directory, <any_directory>/devo-collectors/devo-collector-crowdstrikeapi/ (the directory that contains certs/ and config/). The state/ directory mounted below holds the collector persistence (directory_name: state in globals) and is created by Docker on the first run if it does not exist:

docker run \
  --name collector-crowdstrikeapi \
  --volume $PWD/certs:/devo-collector/certs \
  --volume $PWD/config:/devo-collector/config \
  --volume $PWD/state:/devo-collector/state \
  --env CONFIG_FILE=config-crowdstrikeapi.yaml \
  --rm -it docker.devo.internal/collector/crowdstrikeapi:<version>

Note: replace <version> with the required value. The --rm -it flags run the collector attached to your terminal and remove the container when it stops; for unattended operation use the Docker Compose option below.
Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/devo-collector-crowdstrikeapi/ directory:

version: '3'
services:
  collector-crowdstrikeapi:
    image: docker.devo.internal/collector/crowdstrikeapi:${IMAGE_VERSION:-latest}
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config-crowdstrikeapi.yaml}
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/devo-collector-crowdstrikeapi/ directory:

IMAGE_VERSION=<version> docker-compose up -d

Note: replace <version> with the required value. If IMAGE_VERSION is not set, the Compose file falls back to the latest tag.