Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 18 Next »

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

Configuration requierements

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting

Details

client_id

Credential client ID.

client_secret

Credential client secret.

account_id

Credential account ID.

api_base_url

Credential API base url.

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Overview

Malwarebytes Nebula is a cloud-hosted security operations platform that allows you to manage control of any malware or ransomware incident

Devo collector features

Feature

Details

Allow parallel downloading (multipod)

Not allowed

Allowed

Running environments

Collector server

On-premise

Populated Devo events

Table

Flattening preprocessing

No

Data sources

Data Source

Description

API Endpoint

Collector service name

Devo Table

Available from release

Notifications

Malwarebytes Nebula can notify you when certain events occur, such as when real-time protection or scheduled scans detect threats, or if a new endpoint registers to your console.

<base_url>/notifications/subscriptions

notifications

my.app.nebula.notifications

v1.0.0

Detection

The Detections section in Malwarebytes Nebula displays information on all threats, and potential threats, with the action taken for each item found on endpoints in your environment

<base_url>/detections

detections

my.app.nebula.detections

v1.0.0

Events

Event is a general term for a threat that has occurred, remediation or other action taken on a threat, and other endpoint-related activity. 

<base_url>/events

events

my.app.nebula.events

v1.0.0

Vulnerability Management

shows vulnerabilities for installed software and operating systems on managed endpoints. 

<base_url>/cve/export

<base_url>/cve/{id}

vulnerability_management

my.app.nebula.vulnerabilitymanagement

v1.0.0

Suspicious activity 

Suspicious Activity Monitoring is a feature included in Malwarebytes Endpoint Detection and Response

<base_url>/sa

suspicious_activity

my.app.nebula.suspiciousactivity

v1.0.0

DNS Logs Data

Logs of Dns data

<base_url>/dns

dns_log_data

my.app.nebula.dnslogdata

v1.0.0

Vendor setup

There are some steps you need to follow to run the collector.


Accepted authentication methods

Authentication Method

Username

Password

client_id/client_secret

REQUIRED

REQUIRED

account_id

REQUIRED

REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

 Internal process and deduplication method

Data is first pulled for events based on the historic date provided or default historic days, event_id of the last event is stored in a state file, and data is sorted manually in descending order, the last event will be the old one. New data is compared with the previously stored event id to identify the duplicate items and removed them.

 Devo categorization and destination

All events of Events service are ingested into the table  my.app.nebula.events

 Verify data collection

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

INFO InputProcess::MainThread -> NebulaEventsDataPuller(example_input,12345,events,predefined) - Starting thread
2023-01-23T16:16:31.386 WARNING InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> Waiting until setup will be executed
2023-01-23T16:16:31.386    INFO InputProcess::NebulaDataPullerSetup(example_collector,example_input#12345,events#predefined) -> Token has expired. Generating the new one
2023-01-23T16:16:31.387 WARNING InputProcess::NebulaDataPullerSetup(example_collector,example_input#12345,events#predefined) -> The token/header/authentication is expired and it needs to be refreshed
2023-01-23T16:16:31.388    INFO InputProcess::NebulaDataPullerSetup(example_collector,example_input#12345,events#predefined) -> Requesting access token from the Nebula server
2023-01-23T16:16:31.402    INFO OutputProcess::MainThread -> [GC] global: 25.0% -> 25.0%, process: RSS(46.83MiB -> 47.60MiB), VMS(1.19GiB -> 1.19GiB)
2023-01-23T16:16:31.408    INFO InputProcess::MainThread -> [GC] global: 25.0% -> 25.0%, process: RSS(46.96MiB -> 47.29MiB), VMS(791.23MiB -> 791.48MiB)
2023-01-23T16:16:31.720    INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Created a sender: {"url": "collector-eu.devo.io:443", "chain_path": "/home/metronlads/Documents/nebula_bug/devo-MalwarebytesNebula/certs/chain.crt", "cert_path": "/home/metronlads/Documents/nebula_bug/devo-MalwarebytesNebula/certs/if_metronlabs.crt", "key_path": "/home/metronlads/Documents/nebula_bug/devo-MalwarebytesNebula/certs/if_metronlabs.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "metronlabs", session_id: "140563744962544"
2023-01-23T16:16:31.721    INFO OutputProcess::DevoSender(standard_senders,devo_sender_0) -> Created a sender: {"url": "collector-eu.devo.io:443", "chain_path": "/home/metronlads/Documents/nebula_bug/devo-MalwarebytesNebula/certs/chain.crt", "cert_path": "/home/metronlads/Documents/nebula_bug/devo-MalwarebytesNebula/certs/if_metronlabs.crt", "key_path": "/home/metronlads/Documents/nebula_bug/devo-MalwarebytesNebula/certs/if_metronlabs.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "metronlabs", session_id: "140563744962400"
2023-01-23T16:16:32.343    INFO InputProcess::NebulaDataPullerSetup(example_collector,example_input#12345,events#predefined) -> Requesting access token from the Nebula server
2023-01-23T16:16:32.344    INFO InputProcess::NebulaDataPullerSetup(example_collector,example_input#12345,events#predefined) -> Successfully generated new access token. Token is valid till: 2023-01-23 16:46:31
2023-01-23T16:16:32.344    INFO InputProcess::NebulaDataPullerSetup(example_collector,example_input#12345,events#predefined) -> Previously generated token is still valid. Skipping the generation of new access token 
2023-01-23T16:16:32.344    INFO InputProcess::NebulaDataPullerSetup(example_collector,example_input#12345,events#predefined) -> Setup for module <NebulaEventsDataPuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

023-01-24T08:03:26.575    INFO InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> Pull Started
2023-01-24T08:03:27.586    INFO InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> Response received from Nebula server Resource Url: https://api.malwarebytes.com/nebula/v1/events?start=2023-01-24T02:32:26Z
2023-01-24T08:03:27.588    INFO InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> Removing the duplicate events if present...
2023-01-24T08:03:27.589    INFO InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> Number of events sent to Devo: 0
2023-01-24T08:03:27.589    INFO InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> Total number of events: 0
2023-01-24T08:03:27.590    INFO InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> State last_polled_timestamp is updated with retrieving timestamp
2023-01-24T08:03:27.591    INFO InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> Saved state: {'last_polled_timestamp': 1674527606.575356, 'historic_date_utc': None, 'ids_with_same_timestamp': ['0fa33de2-963a-4b7f-b709-4111eb82712c'], '@persistence_version': 1}
2023-01-24T08:03:27.591    INFO InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1674527606575):Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
2023-01-24T08:03:27.593    INFO InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> The data is up to date!
2023-01-24T08:03:27.595    INFO InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> Data collection completed. Elapsed time: 1.019 seconds. Waiting for 58.980 second(s) until the next one

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

2023-01-24T08:03:27.591    INFO InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1674527606575):Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
2023-01-24T08:03:27.593    INFO InputProcess::NebulaEventsDataPuller(example_input,12345,events,predefined) -> The data is up to date!

The value @devo_pulling_id is injected in each event to group all events ingested by the same pull action. You can use it to get the exact events downloaded in that Pull action in Devo’s search window.

 Restart the persistence

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the historical_date_utc parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Note that this action clears the persistence and cannot be recovered in any way. Resetting persistence could result in duplicate or lost events.

 Troubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type

Error ID

Error message

Cause

Solution

SetupError

1

api_base_url must be specified

The api_base_url setting is missing.

Make sure the api_base_url setting is present under the events service in your configuration.

2

api_base_url not of expected type: str

The api_base_url setting has a type other than string.

Make sure the api_base_url setting is a string.

3

api_base_url must match one of two regexes: [...]

The api_base_url setting does not follow the expected format.

Make sure your api_base_url has this format: http[s]://{ip_address_or_domain}{:optional_port}

4

Required setting, credentials not found in user configuration

There is no credentials section in your input settings.

Make sure there is a credentials section under the threatquotient_data_puller input in your configuration.

5

Required setting, credentials not of expected type: dict

The credentials section is empty or has a simple type (is not an object).

Make sure the credentials section has a username and password fields.

6

Required setting, username not found in user configuration

The username setting is missing.

Make sure the username setting from the credentials section has a value.

7

Required setting, username not of expected type: str

The username setting has a type other than string.

Make sure the username setting from the credentials section is a string.

8

Required setting, password not found in user configuration

The password setting is missing.

Make sure the password setting from the credentials section has a value.

9

Required setting, password not of expected type: str

The password setting has a type other than string.

Make sure the password setting from the credentials section is a string.

10

Optional setting, verify_host_ssl_cert not of expected type: bool

The verify_host_ssl_cert setting has a type other than boolean.

Make sure the verify_host_ssl_cert setting is a boolean value (true/false).

11

event_fetch_limit_in_items must be greater than or equal to [...] and less than equal to [...]

The event_fetch_limit_in_items setting has a value too low or too high for the specified limits.

Make sure the event_fetch_limit_in_items setting is an integer ranged between the specified limits.

12

devo_tag_map must have an entry named "default"

This error is not expected to happen in a regular flow.

This needs to be troubleshooted by the colllector’s developers.

13

Required setting, reset_persistence_auth not of expected type: str

The reset_persistence_auth setting has a value, but its type is other than string.

Make sure the reset_persistence_auth setting is a string.

14

Required setting, historical_poll_datetime not of expected type: str

The historical_poll_datetime setting has a type other than string.

Make sure the historical_poll_datetime setting is a string.

15

historical_poll_datetime does not match expected format [...]

The historical_poll_datetime setting does not look like a valid date.

Make sure the historical_poll_datetime setting meets the mentioned format (a reference of this representation can be found here).

16

Please enter valid date for historical_poll_datetime less than or equal to one year

The historical_poll_datetime setting is a date older than one year.

Make sure the historical_poll_datetime setting does not represent a date older than one year.

17

Please enter valid date for historical_poll_datetime less than or equal to the current date

The historical_poll_datetime setting is a future date.

Make sure the historical_poll_datetime setting does not represent a future date.

InitVariablesError

100

Unexpected status code when fetching ThreatQuotient JWT: [...]

When a token was retrieved, the response had an unexpected error code.

Make sure your credentials are correct.

101

Unexpected status code when fetching ThreatQuotient client_id: [...]

The collector is having issues connecting to the ThreatQ instance.

Make sure you have properly configured the api_base_url setting and that you can access the {api_base_url}/assets/js/config.js URL.

102

Cannot parse client_id from ThreatQuotient server

The collector was expecting to find the Client’s ID, but could not find it. This is likely because the ThreatQ has been upgraded and the collector does not support it.

This needs to be troubleshooted by the colllector’s developers.

ApiError

400

Unexpected status code when fetching ThreatQuotient events: [...]

This error happens when the collector tries to fetch the ThreatQ events from its REST API.

In this error you will find the HTTP error code as long as the response’s text. This information should be enough to understand why is the error happening. Otherwise, please contact support.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

 Verify collector operations

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:


INFO MainThread -> (CollectorMultithreadingQueue) standard_queue_multithreading -> max_size_in_messages: 10000, max_size_in_mb: 1024, max_wrap_size_in_items: 100
WARNING MainThread -> [INTERNAL LOGIC] DevoSender::_validate_kwargs_for_method__init__ -> The <address> does not appear to be an IP address and cannot be verified: collector-us.devo.io
WARNING MainThread -> [OUTPUT] OutputLookupSenders -> <threshold_for_using_gzip_in_transport_layer> setting has been modified from 1.1 to 1.0 due to this configuration increases the Lookup sender performance.
WARNING MainThread -> [INTERNAL LOGIC] DevoSender::_validate_kwargs_for_method__init__ -> The <address> does not appear to be an IP address and cannot be verified: collector-us.devo.io
INFO MainThread -> [OUTPUT] OutputMultithreadingController(threatquotient_collector) -> Starting thread
INFO MainThread -> [OUTPUT] DevoSender(standard_senders,devo_sender_0) -> Starting thread
INFO MainThread -> [OUTPUT] DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 600 seconds)
INFO MainThread -> [OUTPUT] DevoSenderManager(standard_senders,manager,devo_1)(devo_1) -> Starting thread
INFO MainThread -> [OUTPUT] DevoSender(lookup_senders,devo_sender_0) -> Starting thread
INFO MainThread -> [OUTPUT] DevoSenderManagerMonitor(lookup_senders,devo_1) -> Starting thread (every 600 seconds)
INFO MainThread -> [OUTPUT] DevoSenderManager(lookup_senders,manager,devo_1)(devo_1) -> Starting thread
INFO MainThread -> InitVariables Started
INFO MainThread -> start_time_value initialized
INFO MainThread -> verify_host_ssl_cert initialized
INFO MainThread -> event_fetch_limit_in_items initialized
INFO MainThread -> InitVariables Terminated
INFO MainThread -> [INPUT] InputMultithreadingController(threatquotient_collector) - Starting thread (executing_period=300s)
INFO MainThread -> [INPUT] InputThread(threatquotient_collector,threatquotient_data_puller#111) - Starting thread (execution_period=600s)
INFO MainThread -> [INPUT] ServiceThread(threatquotient_collector,threatquotient_data_puller#111,events#predefined) - Starting thread (execution_period=600s)
INFO MainThread -> [SETUP] ThreatQuotientDataPullerSetup(threatquotient_collector,threatquotient_data_puller#111,events#predefined) - Starting thread
INFO MainThread -> [INPUT] ThreatQuotientDataPuller(threatquotient_collector,threatquotient_data_puller#111,events#predefined) - Starting thread

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:


INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Sender: SyslogSender(standard_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Standard - Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 44 (elapsed 0.007 seconds)
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Sender: SyslogSender(internal_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Internal - Total number of messages sent: 1, messages sent since "2022-06-28 10:39:22.516313+00:00": 1 (elapsed 0.019 seconds)

By default, these information traces will be displayed every 10 minutes.

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services

Description

internal_senders

In charge of delivering internal metrics to Devo such as logging traces or metrics.

standard_senders

In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.

Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

  • 44 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.

  • 21 events where sent to Devo between the last UTC checkpoint and now.

  • Those 21 events required 0.00 seconds to be delivered.

By default these traces will be shown every 10 minutes.

 Check memory usage

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

  • The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.

  • The global pressure of the available memory is displayed in the global value.

  • All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory


INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)

Differences between RSS and VMS memory usage:

  • RSS is the Resident Set Size, which is the actual physical memory the process is using

  • VMS is the Virtual Memory Size which is the virtual memory that process is using

 Enable/disable the logging debug mode

Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.

  • To enable this option you just need to edit the configuration file and change the debug_status parameter from false to true and restart the collector.

  • To disable this option, you just need to update the configuration file and change the debug_status parameter from true to false and restart the collector.

For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.

Change log for v1.x.x

Release

Released on

Release type

Details

Recommendations

v1.0.0

​Jan 1, 1990

​NEW FEATURE ​BUG FIX​VULN​IMPROVEMENT

New features:

  • New space rocket.

Improvements:

  • 45% more fuel capacity.

Bug Fixes:

  • The “Panic” protocol has been fixed and now works well.

Vulnerabilities Mitigation:

  • Critical - AlienTrojan 1345

  • High - AlienTrojan 154

  • Medium - AlienTrojan 0024

  • Low - AlienTrojan 5882

Recommended version

  • No labels