Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Trellix Data Loss Prevention (DLP) delivers unprecedented protection for sensitive and proprietary information from the keyboard to the cloud.

Devo collector features

Feature

Details

Allow parallel downloading (multipod)

not allowed

Running environments

collector server

Populated Devo events

table

Flattening preprocessing

no

Data sources

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

incident

Get all the incident event type.

/dpim/v2/incident

dpim_incident

dlp.trellix.dpim.incident

v1.0.0

For more information on how the events are parsed, visit our page.

Flattening preprocessing

...

Data source

...

Collector service

...

Optional

...

Flattening details

...

incident

...

dpim_incident

...

yes

...

API Limits, Delays, Known Issues

We occasionally encounter a 429 "Too Many Requests" error, indicating a rate limit has been reached. This is a known limitation, but the exact rate limit thresholds are not disclosed in Trellix’s documentation, which makes precise management challenging. To handle this, our system is configured to pause briefly and retry requests automatically after encountering the error. This approach helps to recover data access smoothly once the API limit resets.

Flattening preprocessing

Data source

Collector service

Optional

Flattening details

incident

dpim_incident

yes

not required

Accepted authentication methods

Authentication method

api_key

username

password

Bearer auth token

Status
colourGreen
titleREQUIRED

Status
colourGreen
titleREQUIRED

Status
colourGreen
titleREQUIRED

Minimum configuration required for basic pulling

...

Info

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting

Details

api_key

The API key for Trellix API.

username

The username to generate the auth token for authentication.

password

The username to generate the auth token for authentication.

Info

The auth token timeout specified in Trellix DLP official documentation is 300 seconds, but we are using it as 280 seconds as the token expires around that time.

Accepted authentication methods

...

Authentication method

...

api_key

...

username

...

password

...

Bearer auth token

...

Status
colourGreen
titleREQUIRED

...

Status
colourGreen
titleREQUIRED

...

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Rw ui tabs macro
Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block
<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml 
Note

Replace <product_name> with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

image-20240730-093645.png
Note

Replace <product_name> with the proper value.

Editing the config.yaml file

Code Block
globals:
  debug: false
  id: not_used
  name: trellix_dlp_collector
  persistence:
    type: filesystem
    config:
      directory_name: state

outputs:
  devo_1:
    type: devo_platform
    config:
      address: collector-us.devo.io
      port: 443
      type: SSL
      chain: chain.crt
      cert: <devo_domain>.crt
      key: <devo_domain>.key

inputs:
  trellix_dlp:
    id: <short_unique_id>
    enabled: true
    credentials:
      username: <username>
      password: <password>
      api_key: <api_key_value>
    services:
      incident:
        initial_start_time_in_utc: <initial_start_time_in_utc_value>
        override_tag: <override_tag_value>
        sort_by: <sort_by_value>
        include: <include_value>
        X-Trace-Id: <x-Trace-id_value>
Info

All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

Replace the placeholders with your required values following the description table below:

Parameter

Data type

Type

Value range / Format

Details

<short_unique_id>

int

Mandatory

Minimum Length 5

Use this param to give a unique id to this input service.

This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

<input_status>

bool

Mandatory

false / true

Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.

<username>

str

Mandatory

Minimum Length 1

Username for accessing Trellix API

<password>

str

Mandatory

Minimum Length 1

Password for accessing Trellix API

<override_devo_value>

str

Optional

A Devo tag

This parameter allows defining a custom devo tag.

<initial_start_time_in_utc>

str

Mandatory

UTC format/ Not more than 180 days old from current date

Start date to pull data from

<include_value>

str

Optional

set of relationships

Set of relationships that must be shown in the result

<x-Trace-id_value>

str

Optional

Trace ID

Trace ID can be included in logs to help identify requests. It is responsible for making this unique per request or session.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-trellix_dlp_if-docker-image-1.01.0

41a2194c53202f772c79f082f3fdb8a1506698a20fa467b4c7f51512d2f4656184139c35fd6d920b0fea673627c5f09924ca71324b1f04b6d0cd08ccf1bde3d9

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz | docker load
Note

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block
docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Rw tab
titleCloud collector

We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, visit the support site and get in touch with us and we will to guide you through the configuration.

...

This section is intended to explain how to proceed with specific actions for services.

dpim incident

Expand
titledpim incident

Verify data collection

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Code Block
2024-07-12T12:37:20.608    INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> Starting thread
2024-07-12T12:37:20.608    INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_2) -> [EMERGENCY PERSISTENCE SYSTEM] DevoSenderManager(lookup_senders,manager,devo_2) -> Nothing retrieved from the persistence.
2024-07-12T12:37:20.608    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(internal_senders,devo_2) -> Starting thread (every 300 seconds)
2024-07-12T12:37:20.608    INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_2) -> Starting thread
2024-07-12T12:37:20.608    INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY PERSISTENCE SYSTEM] OutputLookupConsumer(lookup_senders_consumer_0) -> Nothing retrieved from the persistence.
2024-07-12T12:37:20.609    INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_2) -> [EMERGENCY PERSISTENCE SYSTEM] DevoSenderManager(internal_senders,manager,devo_2) -> Nothing retrieved from the persistence.
2024-07-12T12:37:20.610    INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY PERSISTENCE SYSTEM] OutputInternalConsumer(internal_senders_consumer_0) -> Nothing retrieved from the persistence.
2024-07-12T12:37:20.610    INFO InputProcess::MainThread -> Running overriding rules
2024-07-12T12:37:20.611    INFO InputProcess::MainThread -> Overriding rule #1 - service key <override_tag> with value <my.app.trellix.dlp> overrides definition key <tag> with value <None> when the first is not <None>
2024-07-12T12:37:20.611    INFO InputProcess::MainThread -> Validating the rate limiter config given by the user
2024-07-12T12:37:20.611    INFO InputProcess::MainThread -> <requests_limits> setting has not been defined. The generic settings will be used instead.
2024-07-12T12:37:20.611    INFO InputProcess::MainThread -> Adding raw config to the collector store
2024-07-12T12:37:20.611    INFO InputProcess::MainThread -> Running custom validation rules
2024-07-12T12:37:20.615    INFO InputProcess::MainThread -> TrellixDLPPuller(trellix_dlp,65768,incidents,predefined) Finalizing the execution of init_variables()
2024-07-12T12:37:20.617    INFO InputProcess::MainThread -> InputThread(trellix_dlp,65768) - Starting thread (execution_period=60s)
2024-07-12T12:37:20.617    INFO InputProcess::MainThread -> ServiceThread(trellix_dlp,65768,incidents,predefined) - Starting thread (execution_period=60s)
2024-07-12T12:37:20.617    INFO InputProcess::MainThread -> TrellixDLPPullerSetup(trellix_dlp_collector,trellix_dlp#65768,incidents#predefined) -> Starting thread
2024-07-12T12:37:20.618 WARNING InputProcess::TrellixDLPPullerSetup(trellix_dlp_collector,trellix_dlp#65768,incidents#predefined) -> The token/header/authentication has not been created yet
2024-07-12T12:37:20.620    INFO InputProcess::MainThread -> TrellixDLPPuller(trellix_dlp,65768,incidents,predefined) - Starting thread
2024-07-12T12:37:20.621 WARNING InputProcess::TrellixDLPPuller(trellix_dlp,65768,incidents,predefined) -> Waiting until setup will be executed
2024-07-12T12:37:20.640    INFO OutputProcess::MainThread -> [GC] global: 93.4% -> 93.5%, process: RSS(41.10MiB -> 41.97MiB), VMS(926.02MiB -> 926.02MiB)
2024-07-12T12:37:20.645    INFO InputProcess::MainThread -> [GC] global: 93.5% -> 93.5%, process: RSS(40.12MiB -> 40.12MiB), VMS(422.00MiB -> 422.00MiB)
2024-07-12T12:37:21.052    INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Created a sender: {"name": "DevoSender(internal_senders,devo_sender_0)", "url": "collector-eu.devo.io:443", "chain_path": "/home/pulkit/devo/collectors/devo-collector-trellix-dlp/certs/chain.crt", "cert_path": "/home/pulkit/devo/collectors/devo-collector-trellix-dlp/certs/int-if-integrations-india.crt", "key_path": "/home/pulkit/devo/collectors/devo-collector-trellix-dlp/certs/int-if-integrations-india.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "2023-APAC-0049", session_id: "128927996684944"
2024-07-12T12:37:29.632    INFO InputProcess::TrellixDLPPullerSetup(trellix_dlp_collector,trellix_dlp#65768,incidents#predefined) -> Token is valid. Skipping the generation of new auth token 
2024-07-12T12:37:29.633    INFO InputProcess::TrellixDLPPullerSetup(trellix_dlp_collector,trellix_dlp#65768,incidents#predefined) -> Token is valid. Skipping the generation of new auth token 
2024-07-12T12:37:29.633    INFO InputProcess::TrellixDLPPullerSetup(trellix_dlp_collector,trellix_dlp#65768,incidents#predefined) -> Setup for module <TrellixDLPPuller> has been successfully executed
2024-07-12T12:37:30.631    INFO InputProcess::TrellixDLPPuller(trellix_dlp,65768,incidents,predefined) -> TrellixDLPPuller(trellix_dlp,65768,incidents,predefined) Starting the execution of pre_pull()
2024-07-12T12:37:30.631    INFO InputProcess::TrellixDLPPuller(trellix_dlp,65768,incidents,predefined) -> Reading persisted data
Expand
titlePuller output

A successful initial run has the following output messages for the puller module:

Info

Note that the PrePull action is executed only one time before the first run of the Pull action.

Code Block
2024-07-12T12:37:30.638    INFO InputProcess::TrellixDLPPuller(trellix_dlp,65768,incidents,predefined) -> Pull Started
2024-07-12T12:37:30.639    INFO InputProcess::TrellixDLPPuller(trellix_dlp,65768,incidents,predefined) -> Fetching data From : 2024-01-29T00:00:00.000Z
2024-07-12T12:37:35.855    INFO InputProcess::TrellixDLPPuller(trellix_dlp,65768,incidents,predefined) -> Sent 372 incidents events to Devo.
2024-07-12T12:37:35.855    INFO InputProcess::TrellixDLPPuller(trellix_dlp,65768,incidents,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1720768050631):Number of requests made: 1; Number of events received: 372; Number of duplicated events filtered out: 0; Number of events generated and sent: 372; Average of events per second: 71.308.
2024-07-12T12:37:36.206    INFO OutputProcess::DevoSender(standard_senders,devo_sender_0) -> Created a sender: {"name": "DevoSender(standard_senders,devo_sender_0)", "url": "collector-eu.devo.io:443", "chain_path": "/home/pulkit/devo/collectors/devo-collector-trellix-dlp/certs/chain.crt", "cert_path": "/home/pulkit/devo/collectors/devo-collector-trellix-dlp/certs/int-if-integrations-india.crt", "key_path": "/home/pulkit/devo/collectors/devo-collector-trellix-dlp/certs/int-if-integrations-india.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "2023-APAC-0049", session_id: "128927986295952"
2024-07-12T12:37:41.589    INFO InputProcess::TrellixDLPPuller(trellix_dlp,65768,incidents,predefined) -> Sent 500 incidents events to Devo.

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

Code Block
2024-07-12T12:37:41.589    INFO InputProcess::TrellixDLPPuller(trellix_dlp,65768,incidents,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1720768050631):Number of requests made: 2; Number of events received: 872; Number of duplicated events filtered out: 0; Number of events generated and sent: 872; Average of events per second: 79.628.

Restart the

...

persistence

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the initial_start_time_in_utc_value parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Note

Note that this action clears the persistence and cannot be recovered in any way. Resetting persistence could result in duplicate or lost events.

Expand
titleTroubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type

Error ID

Error message

Cause

Solution

InitVariablesError

1

initial_start_time_in_utc is not set as per the datetime_format : {datetime_format}

The date in config is not as per required format

Ensure the date format is correct.

InitVariablesError

2

Date {initial_start_time_str} is in the future

The date in config is greater than current time

Ensure the datetime is less than current time

SetupError

100

HTTP Error occurred while generating auth token from trellix server

Wrong credentials

Check the credentials and ensure that the collector has the necessary permissions to access the Trellix API.

SetupError

101

Some error occurred while generating auth token from trellix server. Error details: {e}

Generate auth token api failed

Contact the developer with exact error message.

SetupError

102

Unable to generate auth token with status code as {response.status_code}

Generate auth token api failed

Contact the developer with exact error message.

SetupError

103

HTTP Error occurred while fetching apim incident from trellix server

Trellix API call is failing

Check the credentials and ensure that the collector has the necessary permissions to access the Trellix API.

PullError

300

HTTP Error occurred while fetching apim incident from trellix server

Trellix API call is failing

Check the credentials and ensure that the collector has the necessary permissions to access the Trellix API.

PullError

301

Some error occurred while fetching apim incident from trellix server. Error details: {e}

Trellix API call is failing

Contact the developer with exact error message.

Expand
titleCheck memory usage

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

  • The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.

  • The global pressure of the available memory is displayed in the global value.

  • All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Code Block
INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)
Info

Differences between RSS and VMS memory usage:

  • RSS is the Resident Set Size, which is the actual physical memory the process is using

  • VMS is the Virtual Memory Size which is the virtual memory that process is using

Change log

Release

Released on

Release type

Details

Recommendations

v1.1.0

Status
colourYellow
titlebug fixing

Fixed a bug and update DCSDK to 1.12.4.

Recommended Version

v1.0.0

Status
colourPurple
titleNEW FEATURE

-


New collector

-