Content Comparison

Table of Contents

minLevel	2
maxLevel	2
type	flat

Overview

Proofpoint Cloud App Security Broker (Proofpoint CASB) helps you secure applications such as Microsoft Office 365, Google Workspace, Box, and more. It gives you people-centric visibility and control over your cloud apps, so you can deploy cloud services with confidence.

Configuration requirements

...

Info

More information

Refer to the Vendor setup section to know more about these configurations.

Overview

Proofpoint Cloud App Security Broker (Proofpoint CASB) helps you secure applications such as Microsoft Office 365, Google Workspace, Box, and more. It gives you people-centric visibility and control over your cloud apps, so you can deploy cloud services with confidence.

Devo collector features

Feature	Details
Allow parallel downloading (`multipod`)	`Allowed`
Running environments	`Collector server` `On-premise`
Populated Devo events	`Table`
Flattening preprocessing	`Yes`

...

Once the data source is configured, you can send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

<any_directory> └── devo-collectors/ └── <product_name>/ ├── certs/ │ ├── chain.crt

Rw ui tabs macro

Code Block

Rw tab

title	On-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Cloud collector

We use a piece of software called Collector Server to host and manage all our available collectors.

To enable the collector for a customer:

In the Collector Server GUI, access the domain in which you want this instance to be created
Click Add Collector and find the one you wish to add.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.
In the Parameters section, establish the Collector Parameters as follows below:

Editing the JSON configuration

Code Block

{
  "global_overrides": {
    "debug": false
  },
  "inputs": {
    "proofpoint_casb": {
      "id": "<input_id>",
      "credentials": {
│    ├── <your_domain>.key   "client_id": "<client_id>",
    │   └── <your_domain>.crt
"client_secret": "<client_secret>",
       ├── state/
 "api_key": "<api_key>"
      },
└── config/     "commons": {
       └── config.yaml

Note
Replace `<product_name>` with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

Image Removed

Note
Replace `<product_name>` with the proper value.

Editing the config.yaml file

Code Block

globals:
  debug: false
  id: "<collector_id>"
  name: "<collector_name>"
  persistence:
    type: filesystem
    config:
      directory_name: state
outputs:
  devo_us_1:
    type: devo_platform
    config:
 "initial_start_time_in_utc": "<initial_start_time_in_utc>"
      },
      "services": {
        "alerts": {
          "initial_start_time_in_utc": "<initial_start_time_in_utc>"
        }
      },
     address: "<devo_address>"
      portevents": 443{
      type: SSL
      chain: "<chain_filename> "initial_start_time_in_utc": "<initial_start_time_in_utc>"
      cert: "<cert_filename>"}
    }
  key: "<key_filename>"
inputs:
  proofpoint_casb:
    id: "<input_id>"
    credentials:
      client_id: "<client_id>"
      client_secret: "<client_secret>"
      api_key: "<api_key>"
    commons:
        }
}

Info
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the `services` object.

Please replace the placeholders with real world values following the description table below:

Parameter

Data Type

Type

Value Range / Format

Details

input_id

str

mandatory

minimum length: 1
maximum length: 20

Use this parameter to give a unique ID to this input service.

Note
This parameter is used to build the persistence address; do not use the same value for multiple collectors. It could cause a collision.

api_key

str

mandatory

minimum length: 1

The api_key obtained from Proofpoint for authentication.

client_id

str

mandatory

minimum length: 1

The client_id obtained from Proofpoint for authentication.

client_secret

str

mandatory

minimum length: 1

The client_secret obtained from Proofpoint for authentication.

initial_start_time_in_utc

: "<initial

str

optional

UTC with format: YYYY-mm-ddTHH:MM:SS.sssZ

This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.

Please note that setting the initial_start_time_in_

utc>" services: alerts:

utc for a particular service will override any initial_start_time_in_utc

: "<initial_start_time_in_utc>" events: initial_start_time_in_utc: "<initial_start_time_in_utc>"

Info
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the `services` object.

Replace the placeholders with your required values following the description table below:

Parameter

Data Type

Type

Value Range

Details

collector_id

str

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this collector.

collector_name

str

Mandatory

Minimum length: 1
Maximum length: 10

Use this param to give a valid name to this collector.

devo_address

str

Mandatory

collector-us.devo.io
collector-eu.devo.io

Use this param to identify the Devo Cloud where the events will be sent.

chain_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: chain.crt

cert_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the file.cert downloaded from your Devo domain.

key_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the file.key downloaded from your Devo domain.

input_id

str

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this input service.

Note
This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

api_key

str

Mandatory

Minimum length: 1

The client_id obtained from Proofpoint for authentication.

client_id

str

Mandatory

Minimum length: 1

The client_id obtained from Proofpoint for authentication.

client_secret

str

Mandatory

Minimum length: 1

The client_secret obtained from Proofpoint for authentication.

initial_start_time_in_utc

str

Optional

UTC with format: YYYY-mm-ddTHH:MM:SS.sssZ

This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.

Please note that setting the initial_start_time_in_utc for a particular service will override any initial_start_time_in_utc set in the commons level.

Info
This parameter can be removed or commented.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-proofpoint_casb_if-docker-image-1.0.1

9a007dbd25d3f9e5c621464eda0e1bf583c40d2863b0ab34beaf79993a2912fe

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz \| docker load

Note
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace `<image_file>` and `<version>` with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block

docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>

Note
Replace `<product_name>`, `<image_name>` and `<version>` with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block

version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d

Note
Replace `<product_name>`, `<image_name>` and `<version>` with the proper values.

Rw tab

title	Cloud collector

We use a piece of software called Collector Server to host and manage all our available collectors.

To enable the collector for a customer:

In the Collector Server GUI, access the domain in which you want this instance to be created
Click Add Collector and find the one you wish to add.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.
In the Parameters section, establish the Collector Parameters as follows below:

Editing the JSON configuration

Code Block

{
  "global_overrides": {
    "debug": false
  },
  "inputs": {
    "proofpoint_casb": {
      "id": "<input_id>",
      "credentials": {
        "client_id": "<client_id>",
        "client_secret": "<client_secret>",
        "api_key": "<api_key>"
      },
      "commons": {
        "initial_start_time_in_utc": "<initial_start_time_in_utc>"
      },
      "services": {
        "alerts": {
          "initial_start_time_in_utc": "<initial_start_time_in_utc>"
        }
      },
      "events": {
        "initial_start_time_in_utc": "<initial_start_time_in_utc>"
      }
    }
  }
}

Info
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the `services` object.

Please replace the placeholders with real world values following the description table below:

Parameter

Data Type

Type

Value Range / Format

Details

input_id

str

mandatory

minimum length: 1
maximum length: 20

Use this parameter to give a unique ID to this input service.

Note
This parameter is used to build the persistence address; do not use the same value for multiple collectors. It could cause a collision.

api_key

str

mandatory

minimum length: 1

The api_key obtained from Proofpoint for authentication.

client_id

str

mandatory

minimum length: 1

The client_id obtained from Proofpoint for authentication.

client_secret

str

mandatory

minimum length: 1

The client_secret obtained from Proofpoint for authentication.

initial_start_time_in_utc

str

optional

UTC with format: YYYY-mm-ddTHH:MM:SS.sssZ

This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.

Please note that setting the initial_start_time_in_utc for a particular service will override any initial_start_time_in_utc set in the commons level.

This parameter should be removed if it is not used

set in the commons level.

This parameter should be removed if it is not used.

Image Added

Rw tab

title	On-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block

<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml

Note
Replace `<product_name>` with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

Image Added

Note
Replace `<product_name>` with the proper value.

Editing the config.yaml file

Code Block

globals:
  debug: false
  id: "<collector_id>"
  name: "<collector_name>"
  persistence:
    type: filesystem
    config:
      directory_name: state
outputs:
  devo_us_1:
    type: devo_platform
    config:
      address: "<devo_address>"
      port: 443
      type: SSL
      chain: "<chain_filename>"
      cert: "<cert_filename>"
      key: "<key_filename>"
inputs:
  proofpoint_casb:
    id: "<input_id>"
    credentials:
      client_id: "<client_id>"
      client_secret: "<client_secret>"
      api_key: "<api_key>"
    commons:
        initial_start_time_in_utc: "<initial_start_time_in_utc>"
    services:
      alerts:
        initial_start_time_in_utc: "<initial_start_time_in_utc>"
      events:
        initial_start_time_in_utc: "<initial_start_time_in_utc>"

Info
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the `services` object.

Replace the placeholders with your required values following the description table below:

Parameter

Data Type

Type

Value Range

Details

collector_id

str

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this collector.

collector_name

str

Mandatory

Minimum length: 1
Maximum length: 10

Use this param to give a valid name to this collector.

devo_address

str

Mandatory

collector-us.devo.io
collector-eu.devo.io

Use this param to identify the Devo Cloud where the events will be sent.

chain_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: chain.crt

cert_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the file.cert downloaded from your Devo domain.

key_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the file.key downloaded from your Devo domain.

input_id

str

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this input service.

Note
This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

api_key

str

Mandatory

Minimum length: 1

The client_id obtained from Proofpoint for authentication.

client_id

str

Mandatory

Minimum length: 1

The client_id obtained from Proofpoint for authentication.

client_secret

str

Mandatory

Minimum length: 1

The client_secret obtained from Proofpoint for authentication.

initial_start_time_in_utc

str

Optional

UTC with format: YYYY-mm-ddTHH:MM:SS.sssZ

This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.

Please note that setting the initial_start_time_in_utc for a particular service will override any initial_start_time_in_utc set in the commons level.

Info
This parameter can be removed or commented.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image	SHA-256 hash
collector-proofpoint_casb_if-docker-image-1.1.0	`9e24c7d4b115e44d6f7f87fc1d206edf3d2aa36af2c16d4da171833ead56c331`

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz \| docker load

Note
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace `<image_file>` and `<version>` with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block

docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>

Note
Replace `<product_name>`, `<image_name>` and `<version>` with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block

version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d

Note
Replace `<product_name>`, `<image_name>` and `<version>` with the proper values.

Collector services detail

...

1

the debug_status parameter from true to false and restart the collector.

For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.

Expand

title	Enable/disable the logging debug mode

Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.

To enable this option you just need to edit the configuration file and change the debug_status parameter from false to true and restart the collector.
To disable this option, you just need to update the configuration file and change the debug_status parameter from true to false and restart the collector.

For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.

Expand

title	Troubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

ErrorType

Error Id

Error Message

Cause

Solution

ProofpointCasbInitVariablesError

...

Release

...

Released on

...

Release type

...

Details

...

Expand

title	Troubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

ErrorType	Error Id	Error Message	Cause	Solution
`ProofpointCasbInitVariablesError`	1	`{error_message}`	There have been some kind of error while reading the user config file. Read the error carefully and find the parameter that is causing the error.	Read the error and make the appropriate modifications in the user config file. Some parameter could be missing, etc.
`ProofpointCasbInitVariablesError`	2	`{error_message}`	There have been some kind of error while validating the user config file. Read the error carefully and find the parameter that is causing the error.	Read the error and make the appropriate modifications in the user config file. The type of the parameter was not the expected one, etc.
`ProofpointCasbInitVariablesError`	3	`{error_message}`	There have been some kind of error while reading the user config file. Read the error carefully and find the parameter that is causing the error.	Read the error and make the appropriate modifications in the user config file. Some parameter could be missing, etc.
`ProofpointCasbInitVariablesError`	2	`{error_message}`	There have been some kind of error while validating the user config file. Read the error carefully and find the parameter that is causing the error.	Read the error and make the appropriate modifications in the user config file. The type of the parameter was not the expected one, etc.
`ProofpointCasbInitVariablesError`	3	`{error_message}`	There have been some kind of error while initializing the client class used to communicate with the API.	This is an internal issue. Please contact Devo Support.
`ProofpointCasbSetupError`	101	`Potential issue with authentication. Please check credentials and detailed error message: {error_message}`	The credentials used are not valid anymore.	Use some valid credentials.
`ValueError`	-	`Retry-After header not found`	The `Retry-After` header is not included in the response.	This is an internal issue. Please contact Devo Support.
`ValueError`	-	`Retry-After header value is None`	The `Retry-After` header is empty.	This is an internal issue. Please contact Devo Support.
`TypeError`	-	`Invalid type {type}. Must be epoch seconds, epoch millis, str, datetime, or DateTime`	The type used for the date is not correct.	Use one of the formats specified in the error message.

Change log for v1.x.x

initializing the client class used to communicate with the API.	This is an internal issue. Please contact Devo Support.
`ProofpointCasbSetupError`	101	`Potential issue with authentication. Please check credentials and detailed error message: {error_message}`	The credentials used are not valid anymore.	Use some valid credentials.
`ValueError`	-	`Retry-After header not found`	The `Retry-After` header is not included in the response.	This is an internal issue. Please contact Devo Support.
`ValueError`	-	`Retry-After header value is None`	The `Retry-After` header is empty.	This is an internal issue. Please contact Devo Support.
`TypeError`	-	`Invalid type {type}. Must be epoch seconds, epoch millis, str, datetime, or DateTime`	The type used for the date is not correct.	Use one of the formats specified in the error message.

Change log

Release

Released on

Release type

Details

Recommendations

v1.1.0

13 May 2024

Status

colour	Red
title	BUG FIXING

Status

colour	Yellow
title	IMPROVEMENTS

Improvements

Upgraded Docker base image from 1.0.0 to 1.2.0
Update DCSDK from 1.8.0 to 1.11.1:
- Updated DCSDK from 1.8.0 to 1.11.1 Updated DevoSDK to v5.1.9
- Fixed some bug related to development on MacOS
- Added an extra validation and fix when the DCSDK receives a wrong timestamp format
- Added an optional config property for use the Syslog timestamp format in a strict way
- Updated DevoSDK to v5.1.10
- Fix for SyslogSender related to UTF-8
- Enhace of troubleshooting. Trace Standardization, Some traces has been introduced.
- Introduced a mechanism to detect "Out of Memory killer" situation
- Updated DevoSDK to v5.1.9
- Fixed some bug related to development on MacOS
- Added an extra validation and fix when the DCSDK receives a wrong timestamp format
- Added an optional config property for use the Syslog timestamp format in a strict

Bug fixing

Fixed the issue with 429 error because of number of request exceeded.

Recommended version

v1.0.1

15 Jun 2023

Status

colour	Red
title	BUG FIXING

Status

colour	Yellow
title	IMPROVEMENTS

Improvements

Update DCSDK from 1.5.0 to 1.8.0

Bug Fixingfixing

Updated limits: The requests limits have been updated with the values recommended by the API to avoid 429 errors.

Recommended versionUpdate

v1.0.0

27 Dec 2022

Status

colour	Purple
title	NEW FEATURE

New features:

Events: Events generated by the cloud activity.
Alerts: Alerts corresponding to related events.

Update-

Version	Old Version 15	New Version Current
Changes made by	Former user	Virginia Camuñas Núñez
Saved on	Jan 30, 2024	Feb 17, 2025

Versions Compared

Key

Overview

Configuration requirements

Overview

Devo collector features

Structure

Editing the JSON configuration

Devo credentials

Editing the config.yaml file

Download the Docker image

Docker

Docker Compose

Editing the JSON configuration

Structure

Devo credentials

Editing the config.yaml file

Download the Docker image

Docker

Docker Compose

Collector services detail

Change log for v1.x.x

Change log