We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.
Structure
The following directory structure should be created for being used when running the collector:
<any_directory>
└── devo-collectors/
└── <product_name>/
├── certs/
│ ├── chain.crt
│ ├── <your_domain>.key
│ └── <your_domain>.crt
├── state/
└── config/
└── config.yaml |
Replace |
Devo credentials
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.
Replace |
Editing the config.yaml file
globals:
debug: <debug_status>
id: not_used
name: mandiant_advantage
persistence:
type: filesystem
config:
directory_name: state
outputs:
devo_us_1:
type: devo_platform
config:
address: <devo_address>
port: 443
type: SSL
chain: <chain_filename>
cert: <cert_filename>
key: <key_filename>
inputs:
mandiant_advantage:
id: <input_id_value>
enabled: true
environment: <environment_value>
credentials:
api_key_public: <api_key_public_value>
api_key_secret: <api_key_secret_value>
services:
dtm_alert:
override_tag: <override_tag_value>
start_time_in_utc: <start_time_in_utc_value>
obfuscation_data: [<obfuscation_data_values>]
indicator:
override_base_lookup_name: <override_base_lookup_name_value>
override_m_score_threshold: <override_m_score_threshold_value>
override_lookback_days: <override_lookback_days_value> |
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the |
Replace the placeholders with your required values following the description table below:
Parameter | Data type | Type | Value Range / Format | Details | ||
|
| mandatory | true / false | If the value is | ||
|
| mandatory |
| Use this parameter to identify the Devo Cloud where the events will be sent. | ||
|
| mandatory | minimum length: 4 maximum length: 20 | Use this parameter to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: | ||
|
| mandatory | minimum length: 4 maximum length: 20 | Use this parameter to identify the file.cert downloaded from your Devo domain. | ||
|
| mandatory | minimum length: 4 maximum length: 20 | Use this parameter to identify the file.key downloaded from your Devo domain. | ||
|
| mandatory | minimum length: 1 maximum length: 5 | Use this parameter to give a unique ID to this input service.
| ||
|
| optional | minimum length: 1 | This is an optional control parameter that is injected into the events and allows you to differentiate the environment. For example: dev and prod.
| ||
|
| mandatory | minimum length: 1 | The Mandiant Advantage public API key | ||
|
| mandatory | minimum length: 1 | The Mandiant Advantage secret API key | ||
|
| optional | Devo tag-friendly string (no special characters, spaces, etc.) For more information see Devo Tags. | An optional tag that allows users to override the service default tags.
| ||
|
| optional | UTC datetime string having datetime string format | This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.
| ||
|
| optional | The objects in the array look like this:
| Each object represents the necessary configuration to obfuscate messages before these are sent to Devo.
| ||
|
| optional | minimum length: 1 | An optional configuration that allows the user to specify a new name for the CEWL lookup table. The default value is | ||
|
| optional | minimum value: 0 maximum value: 100 | An optional parameter that allows users to override the minimum M score used to fetch indicators. The default value is 80.
| ||
|
| optional | minimum value: 1 maximum value: 3650 | An optional parameter that allows users to specify the lookback period the collector uses when fetching all indicators that were updated during that period. The default value is 90.
|
Download the Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Collector Docker image | SHA-256 hash |
|---|---|
|
Use the following command to add the Docker image to the system:
gunzip -c <image_file>-<version>.tgz | docker load |
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace |
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
docker run --name collector-<product_name> --volume $PWD/certs:/devo-collector/certs --volume $PWD/config:/devo-collector/config --volume $PWD/state:/devo-collector/state --env CONFIG_FILE=config.yaml --rm --interactive --tty <image_name>:<version> |
Replace |
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.
version: '3'
services:
collector-<product_name>:
image: <image_name>:${IMAGE_VERSION:-latest}
container_name: collector-<product_name>
volumes:
- ./certs:/devo-collector/certs
- ./config:/devo-collector/config
- ./credentials:/devo-collector/credentials
- ./state:/devo-collector/state
environment:
- CONFIG_FILE=${CONFIG_FILE:-config.yaml} |
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:
IMAGE_VERSION=<version> docker-compose up -d |
Replace |