If you are migrating to version 2.X from version any 1.X x version, please read this section.
Overview
...
Data source
Description
API endpoint
Collector service name
Devo table
Audit logs - provisioning
Represents an action performed by the Microsoft Entra provisioning service and its associated properties.
v1.0/auditLogs/provisioning
provisioning_audits
cloud.azure.ad.provisioning.*.msgraph
Audit logs - directory
Represents the directory audit items and its collection.
v1.0/auditLogs/directoryaudits
directory_audits
cloud.azure.ad.audit.*.msgraph
Audit logs - sign-ins
Details user and application sign-in activity for a tenant (directory). You must have a Microsoft Entra ID P1 or P2 license to download sign-in logs using the Microsoft Graph API.
v1.0/auditLogs/signIns
signIns
cloud.azure.ad.signin.*.msgraph
Audit logs - sign-ins (v2)
Details user and application sign-in activity for a tenant (directory). You must have a Microsoft Entra ID P1 or P2 license to download sign-in logs using the Microsoft Graph API.
This resource corresponds to the first generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft or a partner security solution has identified.
This type of alerts federates calling of supported Azure and Microsoft 365 Defender security providers listed in Use the Microsoft Graph security API. It aggregates common alert data among the different domains to allow applications to unify and streamline management of security issues across all integrated solutions.
v1.0/security/alerts
alerts
cloud.azure.ad.alerts.*.msgraph
cloud.office365.cloud_apps.alerts.*.msgraph
cloud.office365.endpoint.alerts.*.msgraph
cloud.office365.security.alerts.*.msgraph
cloud.azure.sentinel.alerts.*.msgraph
cloud.office365.identity.alerts.*.msgraph
cloud.azure.securitycenter.alerts.*.msgraph
Alerts (v2)
This resource corresponds to the latest generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft 365 Defender, or a security provider integrated with Microsoft 365 Defender, has identified.
When detecting a threat, a security provider creates an alert in the system. Microsoft 365 Defender pulls this alert data from the security provider, and consumes the alert data to return valuable clues in an alert resource about any related attack, impacted assets, and associated evidence. It automatically correlates other alerts with the same attack techniques or the same attacker into an incident to provide a broader context of an attack. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.
v1.0/security/alerts_v2
alerts_v2
cloud.msgraph.security.alerts_v2.*
Secure Scores
Represents a tenant's secure score per day of scoring data, at the tenant and control level. By default, 90 days of data is held. This data is sorted by createdDateTime, from latest to earliest. This will allow you to page responses by using $top=n, where n = the number of days of data that you want to retrieve.
v1.0/security/secureScores
secure_scores
cloud.office365.security.scores.*.msgraph
Secure Scores Control Profiles
Represents a tenant's secure score per control data. By default, this resource returns all controls for a tenant and can explicitly pull individual controls.
v1.0/security/secureScoreControlProfiles/
secure_score_control_profiles
cloud.office365.security.scorecontrol.*.msgraph
Vendor setup
...
Microsoft Graph data collector works over Microsoft products. To activate the resources from the Microsoft Graph API, you need:
An Azure account that has an active subscription.
The Azure account must have permission to manage applications in Azure Active Directory (Azure AD).
A working Azure AD tenant.
You will need to register a new application and apply the required permissions to the corresponding resources to authenticate the collector in order to retrieve the data.
Note
You need the Admin level permissions on the Azure portal as the subscription setup will require admin consent API permissions, authentications, and audits.
...
Action
...
Steps
...
1
...
Register and configure the application
...
API limits, delays and known issues
The Graph API imposes some throttling limits to the applications. The number of requests in a given time is limited according to several criteria. There is a generic limitation for the Graph API and service specific limits.
Any request can be evaluated against multiple limits, depending on the scope of the limit (per app across all tenants, per tenant for all apps, per app per tenant, and so on), the request type (GET, POST, PATCH, and so on), and other factors. The first limit to be reached triggers throttling behavior.
In the case of the services used by the collector, the limits are:
Request type
Per app across all tenants
Any
130,000 requests per 10 seconds
provisioning_audits
5 requests per 10 seconds
directory_audits
5 requests per 10 seconds
signins
5 requests per 10 seconds
signIns_v2
5 requests per 10 seconds
alerts
150 requests per minute
alerts_v2
150 requests per minute
secure_scores
150 requests per minute or 10,000 in a 10-minute period
secure_score_control_profiles
10,000 in a 10-minute period
A complete reference of the limits can be found here.
When the collector reaches the API limit, the API returns a 429 error code. This is reflected in the logs of the collector with a message like 429 Error during API call. If several of these messages are found, the solution is to use the request_period_in_seconds for this service to decrease the frequency of calls. For instance, a request period of 300 means that the API will be called every 5 minutes for this service, instead of the default value of 60 seconds.
API delays
Microsoft SLAs can be anywhere from 3 minutes to 6 hours in most cases. Check more information here.
Vendor setup
Anchor
vendor-setup
vendor-setup
Microsoft Graph data collector works over Microsoft products. To activate the resources from the Microsoft Graph API, you need:
An Azure account that has an active subscription.
The Azure account must have permission to manage applications in Azure Active Directory (Azure AD).
A working Azure AD tenant.
You will need to register a new application and apply the required permissions to the corresponding resources to authenticate the collector in order to retrieve the data.
Note
You need the Admin level permissions on the Azure portal as the subscription setup will require admin consent API permissions, authentications, and audits.
Action
Steps
1
Register and configure the application
Go to Azure portal and click on Azure Active Directory.
Click on App registration on the left-menu side. Then click on + New registration.
On the Register and Application page:
Name the application.
Select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) in Supported Accounts type.
In Redirect URI (optional) leave it as default (blank).
Click Register.
App registration page will open. Click on your app to configure it and give it permissions. You will see your app’s dashboard with information (docs, endpoints, etc.) when clicking it.
Click Authentication on the left-menu side, then choose + Add a platform and select Mobile and desktop application.
Click + Add permission in case you don’t have Microsoft Graph in the API/Permission list.
Select Application permissions and check SecurityEvents.Read.All.
Check the following permissions: AuditLog.Read.All,Directory.Read.All and User.Read.All. If you did everything correctly, permissions will display.
Select Grant admin consent for the applications.
Info
You do not need to activate permissions if you are not going to use its corresponding resource. Check the Permissions reference per service section for a detailed breakdown on resource and their needed permissions.
3
Obtain the requires credentials for the collector
Go to Certificates & Secrets, select + New client secret . Named it and copy the token value.
Go to Overview to get your Tenant ID and Client ID and copy both values.
Note
The token will display only once. You will need to create another one if you didn’t copy it the first time.
...
Rw ui tabs macro
Rw tab
title
On-premise collector
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.
Structure
The following directory structure should be created for being used when running the collector:
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.
Replace the placeholders with your required values following the description table below:
Parameter
Data type
Type
Value Range / Format
Details
collector_id_value
str
mandatory
minimum length: 1 maximum length: 5
Use this parameter to give a unique ID to this collector.
collector_name_value
str
mandatory
minimum length: 1 maximum length: 10
Use this parameter to give a name to this collector.
devo_address
str
mandatory
One of:
collector-us.devo.io
collector-eu.devo.io
Use this parameter to identify the Devo Cloud where the events will be sent.
chain_filename
str
mandatory
minimum length: 4 maximum length: 20
Use this parameter to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: chain.crt.
cert_filename
str
mandatory
minimum length: 4 maximum length: 20
Use this parameter to identify the file.cert downloaded from your Devo domain.
key_filename
str
mandatory
minimum length: 4 maximum length: 20
Use this parameter to identify the file.key downloaded from your Devo domain.
short_unique_id
str
mandatory
minimum length: 15 maximum length: 5-
Use this parameter to give a unique ID to this input service. This parameter is used to build the persistence address; do not use the same value for multiple collectors. It could cause a collision.
tenant_id_value
str
mandatory
minimum length: 1
This is the Tenant’s ID you created in Azure AD. You can obtain it from the Overview page in your registered application.
client_id_value
str
mandatory
minimum length: 1
This is the Application (client) ID you created in Azure AD. You can obtain it from the Overview page in your registered application.
client_secret_value
str
mandatory
minimum length: 1
This is the client secret you created in Azure AD. You can obtain it from the Certificates & secrets page in your registered application.
environment_value
str
optional
minimum length: 1
This is an optional control parameter that is injected into the events and allows you to differentiate the environment. For example: dev and prod.
Info
This parameter should be removed if it is not used.
request_period_in_seconds_value
int
optional
minimum length: 60
Period in seconds used between each data pulling. This value will overwrite the default value (300 seconds).
start_time_in_utc_value
str
optional
UTC datetime string having datetime string format %Y-%m-%dT%H-%M-%SZ (e.g., “2020-01-01T00:00:01Z”)
This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.
Info
This parameter should be removed if it is not used.
additional_filter_value
str
optional
minimum length: 1
This parameter allows you to add an additional Microsoft Graph OData query clause to the default filters. By default, the collector attempts to fetch all data possible for a given Microsoft Graph entity type.
A parameter that allows you to override the scope value.
Info
This parameter should be removed if it is not used.
override_query_window_max_seconds
int
optional
default value: None
A parameter that allows you to override the maximum query window. This is useful for any APIs that greatly restrict the amount of data one can fetch for a given datetime range (performance reasons). The collector will continuously fetch data but in smaller increments.
Info
This parameter should be removed if it is not used.
Download the Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
Replace <product_name>, <image_name> and <version> with the proper values.
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:
Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note
Replace <product_name>, <image_name> and <version> with the proper values.
Rw tab
title
Cloud collector
We use a piece of software called Collector Server to host and manage all our available collectors.
To enable the collector for a customer:
In the Collector ServerGUI, access the domain in which you want this instance to be created
Click Add Collector and find the one you wish to add.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.
In the Parameters section, establish the Collector Parameters as follows below:
Use this parameter to give a unique ID to this input service. This parameter is used to build the persistence address; do not use the same value for multiple collectors. It could cause a collision.
tenant_id_value
str
mandatory
minimum length: 1
This is the Tenant’s ID you created in Azure AD. You can obtain it from the Overview page in your registered application.
client_id_value
str
mandatory
minimum length: 1
This is the Application (client) ID you created in Azure AD. You can obtain it from the Overview page in your registered application.
client_secret_value
str
mandatory
minimum length: 1
This is the client secret you created in Azure AD. You can obtain it from the Certificates & secrets page in your registered application.
environment_value
str
optional
minimum length: 1
This is an optional control parameter that is injected into the events and allows you to differentiate the environment. For example: dev and prod.
Info
This parameter should be removed if it is not used.
request_period_in_seconds_value
int
optional
minimum length: 60
Period in seconds used between each data pulling. This value will overwrite the default value (300 seconds).
start_time_in_utc_value
str
optional
UTC datetime string having datetime string format %Y-%m-%dT%H-%M-%SZ (e.g., “2020-01-01T00:00:01Z”)
This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.
Info
This parameter should be removed if it is not used.
additional_filter_value
str
optional
minimum length: 1
This parameter allows you to add an additional Microsoft Graph OData query clause to the default filters. By default, the collector attempts to fetch all data possible for a given Microsoft Graph entity type.
A parameter that allows you to override the scope value.
Info
This parameter should be removed if it is not used.
override_query_window_max_seconds
int
optional
default value: None
...
Error type
Error ID
Error message
Cause
Solution
InitVariablesError
1
Invalid start_time_in_utc: {ini_start_str}. Must be in parseable datetime format.
The configured start_time_in_utc parameter is a non-parseable format.
Update the start_time_in_utc value to have the recommended format as indicated in the guide.
InitVariablesError
2
Invalid start_time_in_utc: {ini_start_str}. Must be in the past.
The configured start_time_in_utc parameter is a future date.
Update the start_time_in_utc value to a past datetime.
SetupError
101
Failed to fetch OAuth token from {token_endpoint}. Exception: {e}.
The provided credentials, base URL, and/or token endpoint are incorrect.
Revisit the configuration steps and ensure that the correct values were specified in the config file.
SetupError
102
Failed to fetch data from {endpoint}. Source is not pullable.
The provided credentials, base URL, and/or token endpoint are incorrect.
Revisit the configuration steps and ensure that the correct values were specified in the config file.
ApiError
401
Error during API call to [API provider HTML error response here]
The server returned an HTTP 401 response.
Ensure that the provided credentials are correct and provide read access to the targeted data.
ApiError
429
Error during API call to [API provider HTML error response here]
The server returned an HTTP 429 response.
The collector will attempt to retry requests (default up to 3 times) and respect back-off headers if they exist. If the collector repeatedly encounters this error, adjust the rate limit and/or contact the API provider to ensure that you have enough quota to complete the data pull.
Please note that IBM Cloud supports a limited amount of concurrent searches for the Activity Tracker instances at any given time. Please refer to your IBM Cloud plan for these limitations (most plans only support one concurrent search). If you encounter a 429 due to a concurrent search, and the collector proceeds normally during the subsequent pull, then there is nothing to correct. If you repeatedly encounter a 429 due to a concurrent search, make sure that you do not have multiple collectors running against the same Activity Tracker instance and that you do not have other, non-Devo-collector API searches running against the Activity Tracker instance.
HTTP 401 response.
Ensure that the provided credentials are correct and provide read access to the targeted data.
ApiError
429
Error during API call to [API provider HTML error response here]
The server returned an HTTP 429 response.
The collector will attempt to retry requests (default up to 3 times) and respect back-off headers if they exist. If the collector repeatedly encounters this error, adjust the request_period_in_seconds. (see section about API limits)
ApiError
498
Error during API call to [API provider HTML error response here]
The server returned an HTTP 500 response.
If the API returns a 500 but successfully completes subsequent runs then you may ignore this error. If the API repeatedly returns a 500 error, ensure the server is reachable and operational.
...
The URL endpoints (override_base_url_main, override_base_url_vendor, override_base_url_vendor_with_sub_provider , override_login_url) have been moved from the individual services to the global configuration section.
override_base_url_main has been renamed to override_base_url.
tag_version has been removed.
pull_sliding_window_timespan_period has been removed.
reset_persistence_auth has been removed.
override_time_delta_in_days has been removed.
ms_365_environment has been replaced by override_top_level_domain. GCC High Gov should use us in the override_top_level_domain. Alternatively, users can use override_base_url to specify the GCC High Gov base URL.
additional_filter has been added to all services. Users can use this field to specify additional filters that will be applied when querying the Microsoft Graph API.
The collector can use new services from Graph (beta endpoint in Graph), that services, that use to be in a separate service for each type, have been consolidated into one service called signIns_v2. Users should remove all three services from their config and use only the signIns_v2 service.
start_time has been renamed to start_time_in_utc.
Persistence changes
The persistence object consists of the following fields: persistence_version, last_event_time_in_utc, last_ids, and next_link.
The collector will automatically map old key names (e.g. last_polled_timestamp → last_event_time_in_utc) to the appropriate value.
Change log
Release
Released on
Release type
Details
Recommendations
v2.0.1
Status
colour
Green
title
IMPROVEMENT
Status
colour
Red
title
BUG FIX
Improvements
Updated DCSDK to 1.12.2 from 1.11.1
Bug Fixing
authlib updated to 1.3.1 to solve CVE-2024-37568
Recommended version
v2.0.0
Status
colour
Green
title
IMPROVEMENT
Improvements
Complete reimplementation of the collector, refactoring all the services
Recommended versionUpgrade
v1.7.1
Status
colour
Purple
title
NEW FEATURE
Status
colour
Green
title
IMPROVEMENT
Status
colour
Red
title
BUG FIX
New features
time_delta_in_days can now be overwritten in the user configuration by override_time_delta_in_days in all the service that are “time-based”. This new parameter cannot be combined with reset_persistence_auth and/or start_time.
Improvements
The state is now persisted more frequently for most of the services. This means that, in case of a collector restart, the chances of duplicating data have been reduced considerably, as the collector will continue pulling data from the same point where it was when the collector was stopped.
Bug Fixingfixing
The collector will get the most recent token available before performing any new request, reducing the possibilities to get a 401 code as a response.
The 504 code responses were returned many time; some of them for having asked for too old data. This used to cause a locking state in the collector, as it was not able to continue. Some mechanisms has been added to avoid requiring that old data to the API. Anyway, if a 504 appears now for any other reason, the improvement related to persisting the state frequently makes the collector continue collecting correctly after the service restart.
Upgrade
v1.7.0
Status
colour
Purple
title
NEW FEATURE
Status
colour
Green
title
IMPROVEMENT
Status
colour
Red
title
BUG FIX
New features:
alerts_v2 service included, keeping old alerts service for compatibility.
Compliance for MS 365 GCC High US environments added.
Improvements:
Update DCSDK from 1.8.0 to 1.9.2
Bug Fixingfixing:
The collector now keeps retrieving events when it is up-to-date.
Added extra protection to refresh token and avoid 401 status errors.
When a 401 status code is received from a response, the collector tries the request again using the access_token available in the collector_variables, instead of raising en Error. This definitely fixes the bug that used to make the collector restart due to 401 errors.
A vendor thread termination event has been set, including three different check points in the thread's run method, as a protection against non-terminated vendor threads, causing the alerts service to stop. Some extra logging has also been added to identify the root cause in case this keeps happening.
Recommended versionUpgrade
v1.6.2
Status
colour
Red
title
BUG FIX
Status
colour
Green
title
IMPROVEMENT
Improvements:
Update DCSDK from 1.6.0 to 1.8.0
Bug Fixingfixing:
Fix in the service urls: they were not being formatted correctly with the start_time variable, which allows the user to select the date from which they want to collect events.
Updated the limits of the API: The limits have been modified with the official values. This fixes throttling issues.
Updated the default value of star_time from 61 days in the past to 30, as this is the maximum limit the API allows.
Upgrade
v1.6.0
Status
colour
Purple
title
NEW FEATURE
New features:
The pulling mechanism now uses a sliding window to avoid event loss and duplication.
Improvements:
DevoCollectorSDK upgraded to v1.6.0:
Added:
More log traces related to execution environment details.
Global rate limiters functionality.
Extra checks for supporting MacOS as development environment.
Obfuscation functionality.
Changed:
Some log traces now are shown less frequently.
The default value for the logging frequency for "main" processes has been changed (to 120 seconds).
Updated some Python Packages.
Controlled stopping functionality more stable when using the "template".
Improved some log messages related to Devo certificates (when using the Devo sender).
Validate json objects before saving them to persistence (using filesystem).
Upgrade
v1.4.2
Status
colour
Red
title
BUG FIX
Fixed bugs:
Fixes bug with non-time-based puller state.
Upgrade
v1.4.1
Status
colour
Red
title
BUG FIX
Fixed bugs:
Fix error with vendor state when checking the reset_persistence_auth parameter.
Allow using v2 tags for secure_scores and secure_scores_control_profile tags.
Add missing Devo metadata into events.
Upgrade
v1.4.0
Status
colour
Green
title
IMPROVEMENT
Improvements:
Automatic outdated start_time correction for audit-based services.
New “reset persistence” functionality.
Upgrade
v1.3.0
Status
colour
Green
title
IMPROVEMENT
Status
colour
Red
title
BUG FIX
Improvements:
start_time configuration parameter normalization for audit and provisioning services.
Upgraded devocollectorsdk from 1.4.0 to 1.4.4b:
Added:
New "templates" functionality.
New controlled stopping condition when any input thread fatally fails.
Log traces for knowing the execution environment status (debug mode).
Changed:
Improved log trace details when runtime exceptions happen
Refactored source code structure
Fixes in the current puller template version
The Docker container exits with the proper error code
Bug fixing:
Correct token validation when a Partial Content response is received.
Use appropriate destination tag for provisioning events.
Upgrade
v1.2.0
Status
colour
Purple
title
NEW FEATURE
Status
colour
Green
title
IMPROVEMENT
New features:
New supported sources
Sign In (signIn service)
Audit (audit service)
Provisioning (provisioning service)
Previous services modification
The new tagging introduced in the previous v1.1.3 release is now customizable through the tag_version service parameter. The default tagging has been reverted to the original one.
The alerts source, when setting the tag_version to v2, will try to categorize the events by applying different tags based on the event’s provider.
Improvements:
Token validation is now performed against the corresponding endpoint.
