OneTrust collector

[ 1 Configuration requirements ] [ 2 Overview ] [ 3 Devo collector features ] [ 4 Data sources ] [ 5 Flattening preprocessing ] [ 6 Vendor setup ] [ 7 Minimum configuration required for basic pulling ] [ 8 Accepted authentication methods ] [ 9 Run the collector ] [ 10 Collector services detail ] [ 11 Collector operations ] [ 12 Change log for v1.x.x ]

Configuration requirements

To run this collector, there are some configurations detailed below that you need to consider.

Configuration	Details

Configuration	Details
OneTrust instance	You need to purchase or obtain a partner/NFR instance of OneTrust.
ClientID and SecretID	Configure the credentials in OneTrust instance.

More information

Refer to the Vendor setup section to know more about these configurations.

Overview

OneTrust collector supports all versions of the OneTrust Threat Intelligence Access Management Platform. This collector fetches audit related via the OneTrust Access Management audit API.

Devo collector features

Feature	Details

Feature	Details
Allow parallel downloading (`multipod`)	`Allowed`
Running environments	`Collector server` `On-premise`
Populated Devo events	`Table`
Flattening preprocessing	`No`

Data sources

Data source	Description	API endpoint	Collector service name	Devo table	Available from release

Data source	Description	API endpoint	Collector service name	Devo table	Available from release
Audit Records of Login	User login activity	/api/access/v1/login_history	login_history	`grc.onetrust.audit.login_history`	v1.0
Audit Records of a User’s Profile	User profile change events	/api/audit/v1/users/{userId}/activities	profile_activity	`grc.onetrust.audit.profile_activity`	v1.0

For more information on how the events are parsed, visit our page.

Flattening preprocessing

Data source	Collector service	Optional

Data source	Collector service	Optional
Source	Service	`No`

Vendor setup

There are some configurations requirements to run this collector

Obtain access to OneTrust instance.
Obtain credentials (ClientID and SecretID) within the OneTrust platform.

More information

Refer to the Authorization Configuration guide for more details about how to configure OAuth client.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting	Details

Setting	Details
client_id	Client ID obtained when configuring access.
client_secret	Client secret obtained when configuring access.
domain	Your OneTrust domain, for example myorg.onetrust.com.

Accepted authentication methods

Authentication method	client_id	client_secret

Authentication method	client_id	client_secret
client_id/client_secret	REQUIRED	REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component	Description

Component	Description
Setup	The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller	The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

2022-11-29T06:23:09.220    INFO InputProcess::MainThread -> OneTrustBasePullerSetup(unknown,onetrust#onetrust_1,profile_activity#predefined) -> Starting thread
2022-11-29T06:23:09.221    INFO InputProcess::MainThread -> OneTrustProfileActivityPuller(onetrust,onetrust_1,profile_activity,predefined) - Starting thread
2022-11-29T06:23:09.222 WARNING InputProcess::OneTrustProfileActivityPuller(onetrust,onetrust_1,profile_activity,predefined) -> Waiting until setup will be executed
2022-11-29T06:23:09.244    INFO InputProcess::MainThread -> [GC] global: 64.7% -> 64.7%, process: RSS(54.09MiB -> 54.09MiB), VMS(33.80GiB -> 33.80GiB)
2022-11-29T06:23:09.245    INFO InputProcess::MainThread -> global_status: {"input_process": {"process_id": 27965, "process_status": "running", "thread_counter": 10, "thread_names": ["MainThread", "pydevd.Writer", "pydevd.Reader", "pydevd.CommandThread", "pydevd.CheckAliveThread", "QueueFeederThread", "OneTrustBasePullerSetup(unknown,onetrust#onetrust_1,profile_activity#predefined)", "OneTrustProfileActivityPuller(onetrust,onetrust_1,profile_activity,predefined)", "ServiceThread(onetrust,onetrust_1,profile_activity,predefined)", "InputThread(onetrust,onetrust_1)"], "memory_info": {"rss": "54.09MiB", "vms": "33.80GiB", "pfaults": "16.21KiB", "pageins": "17.00B"}, "input_threads": [[]], "running_flag": true, "message_queues": {"standard": {"name": "standard_queue_multiprocessing", "max_size_in_messages": 10000, "max_size_in_mb": 1024, "max_wrap_size_in_items": 100, "current_size": 0, "put_lock": "<Lock(owner=unknown)>", "input_lock": "<multiprocessing.synchronize.Event object at 0x10fdba760>"}, "lookup": {"name": "lookup_queue_multiprocessing", "max_size_in_messages": 10000, "max_size_in_mb": 1024, "max_wrap_size_in_items": 100, "current_size": 0, "put_lock": "<Lock(owner=unknown)>", "input_lock": "<multiprocessing.synchronize.Event object at 0x10fdc80d0>"}, "internal": {"name": "internal_queue_multiprocessing", "max_size_in_messages": 10000, "max_size_in_mb": 1024, "max_wrap_size_in_items": 100, "current_size": 1, "put_lock": "<Lock(owner=unknown)>", "input_lock": "<multiprocessing.synchronize.Event object at 0x10fdce7f0>"}}}}
2022-11-29T06:23:10.097    INFO InputProcess::OneTrustBasePullerSetup(unknown,onetrust#onetrust_1,profile_activity#predefined) -> Setup for module <OneTrustProfileActivityPuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

2022-11-29T06:23:10.227    INFO InputProcess::OneTrustProfileActivityPuller(onetrust,onetrust_1,profile_activity,predefined) -> Detected initial start time in UTC change: {'values_changed': {'root': {'new_value': DateTime(2022, 6, 1, 0, 0, 0, tzinfo=Timezone('UTC')), 'old_value': DateTime(2022, 11, 1, 1, 0, 0, tzinfo=Timezone('UTC'))}}}. Setting last run time to 2022-11-01T01:00:00+00:00
2022-11-29T06:23:10.230    INFO InputProcess::OneTrustProfileActivityPuller(onetrust,onetrust_1,profile_activity,predefined) -> Starting data collection every 60 seconds
2022-11-29T06:23:10.231    INFO InputProcess::OneTrustProfileActivityPuller(onetrust,onetrust_1,profile_activity,predefined) -> Retrieving profile_activity events since 2022-11-01T01:00:00+00:00 to 2022-11-29 11:23:10.225980+00:00 and sending to my.app.onetrust.audit.profile_activity
2022-11-29T06:23:13.114    INFO InputProcess::OneTrustProfileActivityPuller(onetrust,onetrust_1,profile_activity,predefined) -> Found 42 of 102 users having profiles having modified date >= 2022-11-01T01:00:00+00:00 and created date <= 2022-11-29T11:23:10.225980+00:00
2022-11-29T06:23:31.258    INFO InputProcess::OneTrustProfileActivityPuller(onetrust,onetrust_1,profile_activity,predefined) -> Sending 48 events to my.app.onetrust.audit.profile_activity
2022-11-29T06:23:31.264    INFO InputProcess::OneTrustProfileActivityPuller(onetrust,onetrust_1,profile_activity,predefined) -> Retrieved and sent 48 profile_activity event(s) to my.app.onetrust.audit.profile_activity for period 2022-11-01T01:00:00+00:00 to 2022-11-29 11:23:10.225980+00:00
2022-11-29T06:23:31.264    INFO InputProcess::OneTrustProfileActivityPuller(onetrust,onetrust_1,profile_activity,predefined) -> Data collection completed. Elapsed time: 21.038 seconds. Waiting for 38.962 second(s) until the next one

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

2023-01-11T18:09:21.852    INFO InputProcess::OneTrustLoginHistoryPuller(onetrust,onetrust_1,login_history,predefined) -> Data collection completed. Elapsed time: 0.526 seconds. Waiting for 59.474 second(s) until the next one

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

Edit the configuration file.
Change the value of the initial_start_time_in_utc parameter to a different one.
Save the changes.
Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type	Error ID	Error message	Cause	Solution

Error type	Error ID	Error message	Cause	Solution
SetupError	101	`The credentials do not seem to be valid. Please doublecheck.`	The API returns an “unauthorized” message.	Generate a new client_id/client_secret pair and add it to config file.
InitVariablesError	1	`Error while fetching collector variables: [..]`	One of required parameters is absent or a parameter has an incorrect type	Add the parameter or correct the type.
	2	`Error validating collector variables: [...]`	One of the parameters has the correct type but it is not correct. For instance, a date is not a valid date, or a number is out of its range.	Correct the parameter in the configuration file.
	3	`Error while setting up collector variables: [...]`	The URLs of the API cannot be created	Review the `domain` value in config file.
	5	`Error while creating client: [..]`	Other error inizializing the collector.	Solution depends on specific error message.
Prepull Error	200	`Error during pre_pull: [...]`	Something was wrong creating the checkpoints	Review the `initial_start_time_in_utc`
Pull Error	300	`Encountered pull error: [...]`	Something was wrong contacting the API.	Read the HTTP error code as long as the response’s text. This information should be enough to understand why is the error happening.

Collector operations

This section is intended to explain how to proceed with the specific operations of this collector.

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services	Description

Sender services	Description
`internal_senders`	In charge of delivering internal metrics to Devo such as logging traces or metrics.
`standard_senders`	In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace	Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.
21 events where sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.007 seconds to be delivered.

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Change log for v1.x.x

Release	Released on	Release type	Details	Recommendations

Release

Released on

Release type

Details

Recommendations

v1.1.0

Dec 23, 2022

NEW FEATURE

Improvements:

Add data user enrichment to “login history” information

Recommended version