...

  • Alerts: Returns Alert events

  • Anti-malware: Returns Anti-Malware events

  • Integrity: Returns Integrity Monitoring events

| Data Source | Description | API Endpoint | Collector Service Name | Devo Table | Available from release |
|---|---|---|---|---|---|
| Alerts Events | Returns Alert events | /alert-types, /alerts | alerts | av.trendmicro.deepsec.alerts | v1.0.0 |
| Anti-malware Events | Returns Anti-malware events | /events/antimalware | antimalware-events | av.trendmicro.deepsec.antimalwareevents | v1.0.0 |
| Integrity Events | Returns Integrity events | /events/integrity | integrity-events | av.trendmicro.deepsec.integrityevents | v1.0.0 |

API Limits

API rate limits are set on API endpoints to prevent large spikes in API calls that could degrade Deep Security Manager performance.

...

For legacy authentication:

| Setting | Details |
|---|---|
| tenantname | REQUIRED. The tenant name is required to authenticate the requests. |
| username | REQUIRED. The username is required to authenticate the requests. |
| password | REQUIRED. The password is required to authenticate the requests. |

For Cloud One:

| Setting | Details |
|---|---|
| tenantname | REQUIRED. The tenant name is required to authenticate the requests. |
| api_secret_key | REQUIRED. The api_secret_key is required to authenticate the requests. |
| base_url_cloudone | REQUIRED. The base_url_cloudone is required to initiate a session for the requests. |

Accepted Authentication Methods

| Authentication method | Details |
|---|---|
| Legacy: user/pass | You will need your username and password to connect to the hostname_value. |
| Cloud One: api_secret_key | You will need an api_secret_key to connect to the base_url_cloudone. |

Treat Your Secret Key Like A Password

...

Cloud collector

We use a piece of software called Collector Server to host and manage all our available collectors.

To enable the collector for a customer:

  1. In the Collector Server GUI, access the domain in which you want this instance to be created

  2. Click Add Collector and find the one you wish to add.

  3. In the Version field, select the latest value.

  4. In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).

  5. In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.

  6. In the Parameters section, set the Collector Parameters as follows:

Editing the JSON configuration

```json
{
  "global_overrides": {
    "debug": false
  },
  "inputs": {
    "trendmicro_deepsec": {
      "id": <short_unique_id>,
      "enabled": true,
      "credentials": {
        "tenantname": "<tenant_name_value>",
        "username": "<username_value>",
        "password": "<password_value>",
        "api_secret_key": "<api_secret_key_value>",
        "base_url_cloudone": "<base_url_cloudone_value>"
      },
      "services": {
        "alerts": {
          "alerts_types_filter": [
            "<alerts_types_filter_values>",
            "<alerts_types_filter_values>"
          ]
        },
        "antimalware-events": {
          "start_time": "<start_time_value>"
        },
        "integrity-events": {
          "start_time": "<start_time_value>"
        }
      }
    }
  }
}
```

Info: All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

The following table outlines the parameters available for configuring the collector. Each parameter is categorized by its necessity (mandatory or optional), data type, acceptable values or formats, and a brief description.

| Parameter | Data Type | Requirement | Value Range / Format | Description |
|---|---|---|---|---|
| short_unique_id | int | Mandatory | Min length: 1 | A short unique ID for the input service, used in persistence addressing. Avoid duplicates to prevent collisions. |
| tenant_name_value | str | Mandatory | Min length: 1 | Tenant name used for authentication. |
| username_value | str | Mandatory* | Min length: 1 | User name for authentication. |
| password_value | str | Mandatory* | Min length: 1 | Password for authentication. |
| api_secret_key_value | str | Mandatory* | Min length: 1 | API secret key for authentication. |
| base_url_cloudone_value | str | Mandatory* | Min length: 1 | Base URL for authentication. This URL depends on the region where the account was registered. For instance, https://workload.us-1.cloudone.trendmicro.com/rest |
| alerts_types_filter_values | List of str | Optional | Comma-separated list of strings | Only for alerts: if present, only alerts of these types will be retrieved. |
| start_time_value | str | Optional | "YYYY-MM-DDTHH:MM:SS.mmmZ" | Only for anti-malware or integrity events: the start date and time for pulling events. Example: 2024-07-01T03:00:00.000Z |

* For the authentication you must have one of these pairs:

  • Legacy API: username_value and password_value

  • Cloud One: api_secret_key_value and base_url_cloudone_value (This authentication method uses the Legacy_API_Key)

On-premise collector

This data collector can be run on any machine with the Docker service available because it runs as a Docker container. The following sections explain how to prepare all the necessary configurations for the data collector to run.

Structure

The following directory structure should be created:

```text
<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/
            └── config.yaml
```

Note: Replace <product_name> with the proper value.

Devo credentials

To send data securely to the Devo platform, you will need to download X.509 Certificates from your Devo Domain:

  1. Log in to your Devo tenant.

  2. On the left menu, click Administration and then click Credentials.

  3. Download your Certificate by clicking Certificate.

  4. Download your Private Key by clicking Private Key.

  5. Download your Chain CA by clicking Chain CA.

  6. Move the downloaded files to the <product_name>/certs/ folder.

For more information about how to get the Devo certificates, please visit Devo Docs.

Note

Replace <product_name> with the proper value.

Editing the config.yaml file

An example of the config.yaml:

```yaml
globals:
  debug: false
  id: not used
  name: trendmicro-deepsec
  persistence:
    type: filesystem
    config:
      directory_name: state
outputs:
  devo_1:
    type: devo_platform
    config:
      address: <devo_address>
      port: 443
      type: SSL
      chain: <chain_filename>
      cert: <cert_filename>
      key: <key_filename>
inputs:
  trendmicro_deepsec:
    id: <short_unique_id>
    enabled: true
    credentials:
      tenantname: <tenant_name_value>
      username: <username_value>
      password: <password_value>
      api_secret_key: <api_secret_key_value>
      base_url_cloudone: <base_url_cloudone_value>
    services:
      alerts:
        alerts_types_filter: [<alerts_types_filter_values>, <alerts_types_filter_values>]
      antimalware-events:
        start_time: "<YYYY-MM-DDTHH:MM:SS.000Z>"
      integrity-events:
        start_time: "<YYYY-MM-DDTHH:MM:SS.000Z>"
```

The parameters in this file are the same as those listed in the parameter table of the Cloud collector section above, including the requirement to provide exactly one authentication pair (username_value and password_value for the legacy API, or api_secret_key_value and base_url_cloudone_value for Cloud One).
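The parameter table and the authentication footnote above describe constraints (an integer id, a non-empty tenant name, exactly one complete credential pair, the start_time format) that the collector only reports at runtime. The following pre-deployment check is an added example, not Devo's code: it applies those rules to the parsed inputs section, which is the same for the JSON form (cloud collector) and the YAML form (on-premise, parsed with PyYAML). The function name, the message texts, the "both pairs filled in" warning, the https requirement on the Cloud One base URL and the two sample configurations are this example's own; the field names and formats are taken from the page.

```python
"""Pre-deployment check of inputs.trendmicro_deepsec (added example, not Devo's code)."""
import json
import re
from datetime import datetime

KNOWN_SERVICES = {"alerts", "antimalware-events", "integrity-events"}
# start_time format from the parameter table: "YYYY-MM-DDTHH:MM:SS.mmmZ"
START_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")
# A value still written as "<something>" is an unfilled template placeholder
PLACEHOLDER_RE = re.compile(r"^<.*>$")


def _filled(value) -> bool:
    """True when value is a non-empty string and not a <placeholder>."""
    return isinstance(value, str) and value != "" and not PLACEHOLDER_RE.match(value)


def _valid_start_time(value: str) -> bool:
    """Format check plus a real calendar check (rejects e.g. month 13)."""
    if not START_TIME_RE.match(value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
        return True
    except ValueError:
        return False


def validate_deepsec_input(cfg: dict) -> list:
    """Return the problems found; an empty list means the section meets the documented constraints."""
    problems = []
    inp = cfg.get("inputs", {}).get("trendmicro_deepsec")
    if inp is None:
        return ["inputs.trendmicro_deepsec is missing"]

    # short_unique_id is a mandatory int (bool is an int subclass in Python, so exclude it)
    uid = inp.get("id")
    if isinstance(uid, bool) or not isinstance(uid, int):
        problems.append("id must be an integer, not a placeholder or string")

    creds = inp.get("credentials", {})
    if not _filled(creds.get("tenantname")):
        problems.append("credentials.tenantname is required")

    # Exactly one complete authentication pair is expected (footnote in the table)
    legacy = _filled(creds.get("username")) and _filled(creds.get("password"))
    cloudone = _filled(creds.get("api_secret_key")) and _filled(creds.get("base_url_cloudone"))
    if not (legacy or cloudone):
        problems.append("credentials need username+password or api_secret_key+base_url_cloudone")
    if legacy and cloudone:
        problems.append("both authentication pairs are filled in; keep only the one you intend to use")
    if cloudone and not creds["base_url_cloudone"].startswith("https://"):
        problems.append("base_url_cloudone should be an https:// URL (this example's own rule)")

    services = inp.get("services", {})
    for name, svc in services.items():
        if name not in KNOWN_SERVICES:
            problems.append(f"unknown service '{name}'")
            continue
        svc = svc or {}
        if name == "alerts" and "alerts_types_filter" in svc:
            flt = svc["alerts_types_filter"]
            if not isinstance(flt, list) or not all(_filled(x) for x in flt):
                problems.append("alerts.alerts_types_filter must be a list of non-empty strings")
        if name != "alerts" and "start_time" in svc:
            st = svc["start_time"]
            if not (isinstance(st, str) and _valid_start_time(st)):
                problems.append(f"{name}.start_time must look like 2024-07-01T03:00:00.000Z")
    return problems


# Constructed sample: a Cloud One configuration with every placeholder filled in
GOOD_CONFIG = json.loads("""{
  "inputs": {"trendmicro_deepsec": {
    "id": 1, "enabled": true,
    "credentials": {"tenantname": "acme", "api_secret_key": "EXAMPLE-KEY",
                    "base_url_cloudone": "https://workload.us-1.cloudone.trendmicro.com/rest"},
    "services": {"alerts": {"alerts_types_filter": ["critical"]},
                 "integrity-events": {"start_time": "2024-07-01T03:00:00.000Z"}}}}}""")

# Constructed sample: template left unfilled, half a credential pair, malformed start_time
BAD_CONFIG = json.loads("""{
  "inputs": {"trendmicro_deepsec": {
    "id": "<short_unique_id>",
    "credentials": {"tenantname": "<tenant_name_value>", "username": "ops"},
    "services": {"antimalware-events": {"start_time": "2024-07-01 03:00"}}}}}""")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_deepsec_input(cfg) or "OK")
```

Run it against the parsed config before deploying; the bad sample yields four findings (placeholder id, placeholder tenant name, incomplete credential pair, wrong start_time format), the good one none.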

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

| Collector Docker image | SHA-256 hash |
|---|---|
| collector-trend_micro_deep_sec-docker-image-1.4.0.tgz | 965cc703191c673dbd085cd94e5d137756978cca7620fe4ba8a2e666244d0be7 |

Use the following command to add the Docker image to the system:

```shell
gunzip -c <image_file>-<version>.tgz | docker load
```

Note: Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with the proper values.
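The table above publishes a SHA-256 for the image archive, so the digest can be checked before anything is handed to `docker load`. The following helper is an added example, not Devo's code: it streams the archive through SHA-256, compares the digest in constant time and only then runs the same `gunzip -c ... | docker load` pipeline as the command above. The expected hash for the 1.4.0 archive is copied from the table; the function names and the constructed self-check file are this example's own.

```python
"""Verify the collector image archive against its published SHA-256 (added example, not Devo's code)."""
import hashlib
import hmac
import os
import subprocess
import tempfile

# SHA-256 value from the download table on this page for the 1.4.0 image
EXPECTED_SHA256 = {
    "collector-trend_micro_deep_sec-docker-image-1.4.0.tgz":
        "965cc703191c673dbd085cd94e5d137756978cca7620fe4ba8a2e666244d0be7",
}


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, expected_hex: str) -> bool:
    """Constant-time comparison of the file digest with the published value."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def load_if_verified(path: str, expected_hex: str) -> bool:
    """Run `gunzip -c <path> | docker load` only when the digest matches.
    Returns False, and loads nothing, when it does not."""
    if not verify_image(path, expected_hex):
        return False
    with open(path, "rb") as f:
        gunzip = subprocess.Popen(["gunzip", "-c"], stdin=f, stdout=subprocess.PIPE)
        subprocess.run(["docker", "load"], stdin=gunzip.stdout, check=True)
        gunzip.stdout.close()
        if gunzip.wait() != 0:
            raise RuntimeError("gunzip failed while decompressing the image archive")
    return True


def selfcheck() -> bool:
    """Exercise verify_image on a constructed file whose SHA-256 is known:
    sha256(b"hello") = 2cf24dba...9824. Also confirms a wrong digest is rejected."""
    known = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"hello")
        path = tmp.name
    try:
        return verify_image(path, known) and not verify_image(path, "00" * 32)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    name = "collector-trend_micro_deep_sec-docker-image-1.4.0.tgz"
    print("self-check:", selfcheck())
    if os.path.exists(name):
        print("loaded:", load_if_verified(name, EXPECTED_SHA256[name]))
```

Placed in the directory holding the downloaded .tgz, the script refuses to import an archive whose digest differs from the published one, which is the point at which a tampered or corrupted download should be caught.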

The Docker image can be deployed on the following services:

Docker

Execute the following command in the root directory <any_directory>/devo-collectors/<product_name>/

```shell
docker run \
  --name collector-<product_name> \
  --volume $PWD/certs:/devo-collector/certs \
  --volume $PWD/config:/devo-collector/config \
  --volume $PWD/state:/devo-collector/state \
  --env CONFIG_FILE=config.yaml \
  --rm \
  --interactive \
  --tty \
  <image_name>:<version>
```

Note: Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

```yaml
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}
```

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

```shell
IMAGE_VERSION=<version> docker-compose up -d
```

Note: Replace <product_name>, <image_name> and <version> with the proper values.

...

Check memory usage

To check the memory usage of this collector, look for the following log records, which are written every 5 minutes by default, always after the memory-free process has run.

  • The used memory is displayed per running process; the sum of both values gives the total memory used by the collector.

  • The global pressure on the available memory is displayed in the global value.

  • All metrics (Global, RSS, VMS) show the value before and after freeing memory, written as before -> after.

```log
  INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
  INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)
```

Info: Differences between RSS and VMS memory usage:

  • RSS is the Resident Set Size, which is the actual physical memory the process is using.

  • VMS is the Virtual Memory Size, which is the virtual memory the process is using.
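Reading these records by eye works for a single check; over a day of 5-minute samples the useful signal is whether the post-GC RSS of a process keeps rising, because memory that survives the memory-free process is memory the collector cannot reclaim. The parser below is an added example, not Devo's code: it extracts the global, RSS and VMS before/after values from [GC] records in the format shown above and flags any process whose post-GC RSS grows monotonically by more than a threshold. The regular expression, the threshold and the sample log (the two records from the page followed by constructed continuations) are this example's own.

```python
"""Parse [GC] memory records and flag unreclaimed RSS growth (added example, not Devo's code)."""
import re

# Matches the record layout shown above; the log prefix before the process name is ignored
GC_RE = re.compile(
    r"(?P<proc>\w+)::MainThread -> \[GC\] global: (?P<g_before>[\d.]+)% -> (?P<g_after>[\d.]+)%, "
    r"process: RSS\((?P<rss_before>[\d.]+)MiB -> (?P<rss_after>[\d.]+)MiB\), "
    r"VMS\((?P<vms_before>[\d.]+)MiB -> (?P<vms_after>[\d.]+)MiB\)"
)


def parse_gc_line(line: str):
    """Return the metrics of one [GC] record as a dict, or None for any other line."""
    m = GC_RE.search(line)
    if not m:
        return None
    rec = {k: float(v) for k, v in m.groupdict().items() if k != "proc"}
    rec["proc"] = m.group("proc")
    return rec


def rss_after_by_process(lines):
    """Collect the post-GC RSS values per process, in log order."""
    series = {}
    for line in lines:
        rec = parse_gc_line(line)
        if rec:
            series.setdefault(rec["proc"], []).append(rec["rss_after"])
    return series


def growing_processes(lines, min_samples=3, min_growth_mib=5.0):
    """Processes whose post-GC RSS rose at every sample over at least min_samples
    records and by more than min_growth_mib in total; returns (proc, first, last)."""
    flagged = []
    for proc, rss in rss_after_by_process(lines).items():
        if len(rss) < min_samples:
            continue
        monotonic = all(b > a for a, b in zip(rss, rss[1:]))
        if monotonic and rss[-1] - rss[0] > min_growth_mib:
            flagged.append((proc, rss[0], rss[-1]))
    return flagged


# Constructed sample: the two records from the page plus three later 5-minute samples.
# InputProcess creeps upward after every GC; OutputProcess stays flat.
SAMPLE_LOG = """\
INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)
INFO InputProcess::MainThread -> [GC] global: 20.6% -> 20.5%, process: RSS(38.90MiB -> 37.20MiB), VMS(412.00MiB -> 411.50MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.6% -> 20.5%, process: RSS(28.45MiB -> 28.40MiB), VMS(705.28MiB -> 705.28MiB)
INFO InputProcess::MainThread -> [GC] global: 20.9% -> 20.8%, process: RSS(41.10MiB -> 40.75MiB), VMS(415.30MiB -> 414.90MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.9% -> 20.8%, process: RSS(28.42MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)
INFO InputProcess::MainThread -> [GC] global: 21.3% -> 21.2%, process: RSS(43.60MiB -> 43.15MiB), VMS(418.00MiB -> 417.60MiB)
INFO OutputProcess::MainThread -> [GC] global: 21.3% -> 21.2%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)
INFO InputProcess::MainThread -> heartbeat, not a GC record
""".splitlines()

if __name__ == "__main__":
    for proc, first, last in growing_processes(SAMPLE_LOG):
        print(f"{proc}: post-GC RSS grew from {first:.2f}MiB to {last:.2f}MiB")
```

Feed it the collector's log (for example `docker logs collector-<product_name>`) instead of SAMPLE_LOG; the threshold and sample count are deliberately conservative so that the normal small fluctuations visible in the OutputProcess records do not trigger it.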

Change log

| Release | Released on | Release type | Details | Recommendations |
|---|---|---|---|---|
| v1.4.0 | 2024-10-25 | IMPROVEMENT | Improvements: Updated DC SDK from v1.11.1 to v1.13.1; Updated Docker Base image to v1.3.1; Collector transformed to the template model | Recommended version |
| v1.3.0 | 2024-04-17 | IMPROVEMENT | Improvements: Updated DevoCollectorSDK to v1.11.1; Updated Docker Base image to v1.2.0; Changed the way of executing the controlled stopping | Update |