Versions Compared

Old Version 11

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

compared with

New Version 12

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The <start_datetime_utc_value> has the format "YYYY-MM-DDTHH:MM:SS.000Z". For example, a valid start_datetime_utc_value would be "2024-07-01T00:00:00.000Z".

Devo collector features

Feature

Details

Allow parallel downloading (multipod)

no

Running environments

  • collector server

  • on premise

Populated Devo events

table

Flattening pre-processing

no

Allowed source events obfuscation

no

Data source description

This collector extracts data from 3 log services available from Duo:

  • Administrator: Returns a list of administrator log events.

  • Authentication: Returns a paged list of authentication log events.

  • Telephony: Returns a list of telephony log events.

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Administrator

Returns a list of administrator log events.

/admin/v1/logs/administrator

administrator

auth.duo.administrator.login
auth.duo.administrator.events

v0.9

Authentication

Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two-minute delay in the availability of new authentications in the API response. Duo operates a large-scale distributed system, and this two-minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.

/admin/v2/logs/authentication

authentication

auth.duo.authentication.events

v0.9

Telephony

Returns a list of telephony log events.

/admin/v1/logs/telephony

telephony

auth.duo.telephony.events

v0.9

API limits

  • Administrator:

    • Only the 1000 earliest events (maximum) will be returned with each page; the collector will be called multiple times to page through the entire log.

    • The recommended limit suggests requesting logs no more than once per minute.

  • Authentication:

    • Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two minute delay in availability of new authentications in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.

    • The recommended limit suggests requesting logs no more than once per minute.

  • Telephony:

    • Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two minute delay in availability of new telephony events in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.

    • The recommended limit suggests requesting logs no more than once per minute.

...

Note

This minimum configuration refers exclusively to those specific parameters of this integration. Additional parameters related to the generic behavior of the collector are required. Check the setting sections for details.

Setting

Details

integration_key_value

The integration key is required to authenticate the requests. The integration key acts as the HTTP username

secret_key_value

The secret key is required to authenticate the requests. The secret key acts as the HTTP password

hostname_value

The hostname is required to authenticate the requests. This is the URL for the different requests

Accepted authentication methods

Authentication method

Details

user/pass

You will need your integration_key_value and secret_key_value to connect to the hostname_value.

Vendor setup

You need the owner role to perform these steps. Learn more here.

...

This application communicates with Duo's service on SSL TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337. Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Rw ui tabs macro
Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block
<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml
Note

Replace <product_name> with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

Image Added
Note

Replace <product_name> with the proper value.

Editing the config.yaml file

Code Block
globals:
  debug: false
  id: not_used
  name: Cyble_Collector
  persistence:
    type: filesystem
    config:
      directory_name: state
outputs:
  devo_us_1:
    type: devo_platform
    config:
      address: <devo_address>
      port: 443
      type: SSL
      chain: <chain_filename>
      cert: <cert_filename>
      key: <key_filename>
inputs:
  cyble_vision:
    id: <input_id_value>
    enabled: true
    override_base_url: <override_base_url_value>
    credentials:
      api_key: <api_key_value>
    services:
      alerts:
        override_tag: <override_tag_value>
        start_time_in_utc: <start_time_in_utc_value>
        obfuscation_data: [<obfuscation_data_values>]
      iocs:
        override_base_lookup_name: <override_lookup_name_value>
        start_time_in_utc: <start_time_in_utc_value>

Replace the placeholders with your required values following the description table below:

Parameter

Data type

Type

Value range / Format

Details

debug_status

bool

mandatory

true / false

If the value is true, the debug logging traces will be enabled when running the collector. If the value is false, only the info, warning, and error logging levels will be printed.

devo_address

str

mandatory

Use this parameter to identify the Devo Cloud where the events will be sent.

chain_filename

str

mandatory

minimum length: 4

maximum length: 20

Use this parameter to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: chain.crt.

cert_filename

str

mandatory

minimum length: 4

maximum length: 20

Use this parameter to identify the file.cert downloaded from your Devo domain.

key_filename

str

mandatory

minimum length: 4

maximum length: 20

Use this parameter to identify the file.key downloaded from your Devo domain.

start_time_in_utc_value

str

optional

UTC datetime string having datetime string format %-Y-%m-%d %H-%M-%S (e.g., “2000-01-01 00:00:01”)

This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.

Info

This parameter should be removed if it is not used.

obfuscation_data_values

array<object>

optional

The objects in the array look like this:

Code Block
obfuscation_data:
    - name:
        -
credentials
      - "*"
    value: 
"**********"

Each object represents the necessary configuration to obfuscate messages before these are sent to Devo.

Info

This parameter can be removed or commented.

override_lookup_name_value

str

optional

minimum length: 3

An optional lookup name to use for the IOCs lookup service. By default the collector uses cyble_vision_iocs.

Info

This parameter can be removed or commented.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-cyble_vision_it-docker-image-1.0.0.tgz

d42a485a1bc536d6a5478086db4fdf9e4327d0bd966895a271fac45e58069d69

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz | docker load
Note

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block
docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Rw tab
titleCloud collector

We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.