Document toolboxDocument toolbox

Big ID collector

Overview

The BigID API allows you to perform all the actions you're used to performing via the BigID user interface programmatically. This is perfect for scenarios like the one in this exercise where you need to perform the same operation on a scheduled basis.

Devo collector features

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

  • not allowed

Running environments

  • collector server

  • on-premise

Populated Devo events

  • table

Flattening preprocessing

  • no

Allowed source events obfuscation

  • yes

Data sources

Data source

API endpoint

Collector service name

Devo table

Data source

API endpoint

Collector service name

Devo table

Audit

/v1/api/audit-logs

audit

dspm.bigid.audit.events

For more information on how the events are parsed, visit our page.

Vendor setup

To log in to the Big ID environment. Using the vendor doc here:

Getting Credentials

User Token - A user token (generated from Administration -> Access Management by a System Administrator) allows you to access BigID by exchanging a user token for a session token at the /refresh endpoint. This means you don't have to store your username and password within an application, but user tokens are only valid for a maximum of 999 days.

  1. First we'll need to create a user token for us to use through the BigID UI.

  2. To do this we need to navigate to the Access Management screen under Administration -> Access Management. On the Access Management screen, select the user you want to create a token for from the System Users List. Then press the Generate button to start the token creation process.

    1.jpeg
  3. Tokens can only be valid for up to 999 days. Since we're just using this token for testing, let's set it to 30 days and then click Generate like in the screenshot below.

    2.jpeg

  4. On the next screen you'll see a name for the token as well as the token value. Copy the token value by clicking the icon to the right of it then close the dialog. You can't see the token value again so be sure you have saved it someplace safe.

  5. Finally, save the user so the token can take effect.

This token you'll have to ROTATE YOURSELF in your collector app

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting

Details

Setting

Details

integration_key

The key you generate in the setup guide

environment

This is the domain name of the cloud where your BigID instance is. the code will replace the url for the calls with this value

Accepted Authentication Methods

Authentication Method

Integration Key

Environment

Authentication Method

Integration Key

Environment

Api Key

REQUIRED

REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

The process for deduplication of events is handled by the event id that is returned that is stored and checked against on each pull.

All services are tagged by the service they are pulled by.

2024-04-09T09:56:19.561389088Z 2024-04-09T09:56:19.561 WARNING InputProcess::BigIDPullerSetup(BigID,BigID#56752,audit#predefined) -> Testing fetch from /mcm/get-audit. 2024-04-09T09:56:19.771898077Z 2024-04-09T09:56:19.771 INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,relay_0) -> Number of available senders: 1, sender manager internal queue size: 0 2024-04-09T09:56:19.772167710Z 2024-04-09T09:56:19.771 INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,relay_0) -> Number of available senders: 1, sender manager internal queue size: 0 2024-04-09T09:56:19.772327665Z 2024-04-09T09:56:19.772 INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,relay_0) -> enqueued_elapsed_times_in_seconds_stats: {} 2024-04-09T09:56:19.772395427Z 2024-04-09T09:56:19.772 INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,relay_0) -> enqueued_elapsed_times_in_seconds_stats: {} 2024-04-09T09:56:19.772425735Z 2024-04-09T09:56:19.772 INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,relay_0) -> Sender: DevoSender(internal_senders,devo_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True} 2024-04-09T09:56:19.772519048Z 2024-04-09T09:56:19.772 INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,relay_0) -> Sender: DevoSender(lookup_senders,devo_sender_0), status: {"internal_queue_size": 0, "is_connection_open": False} 2024-04-09T09:56:19.772601144Z 2024-04-09T09:56:19.772 INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,relay_0) -> Internal - Total number of messages: 6333 messages/bytes sent since/to "2024-04-09T09:51:19.771169+00:00/2024-04-09T09:56:19.772408+00:00": 25/13762, (elapsed 0.052 seconds) 2024-04-09T09:56:19.772631900Z 2024-04-09T09:56:19.772 INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,relay_0) -> Lookup - Total number of messages sent: 0, messages sent since "2024-04-09 09:51:19.770969+00:00": 0 (elapsed 0.000 seconds) 2024-04-09T09:56:20.261298432Z 2024-04-09T09:56:20.261 INFO InputProcess::BigIDPullerSetup(BigID,BigID#56752,audit#predefined) -> Successfully tested fetch from /mcm/get-audit. Source is pullable. 2024-04-09T09:56:20.262730750Z 2024-04-09T09:56:20.262 INFO InputProcess::BigIDPullerSetup(BigID,BigID#56752,audit#predefined) -> Setup for module <BigIDPuller> has been successfully executed 2024-04-09T09:56:22.704294203Z 2024-04-09T09:56:22.704 INFO InputProcess::BigIDPuller(BigID,56752,audit,predefined) -> Pull Started 2024-04-09T09:56:23.124016843Z 2024-04-09T09:56:23.123 INFO InputProcess::BigIDPuller(BigID,56752,audit,predefined) -> Updating the persistence 2024-04-09T09:56:23.124811682Z 2024-04-09T09:56:23.124 INFO InputProcess::BigIDPuller(BigID,56752,audit,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1712656582704):Number of requests made: 535; Number of events received: 2; Number of duplicated events filtered out: 0; Number of events generated and sent: 2; Average of events per second: 4.759.
  1. Update the Unique Id of the collector and restart, this will remove the Id values that have been pulled.

  2. Update the start_datetime_utc to new date to avoid as many duplicates as possible.

  3. Multiple changes to this can cause duplication.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error Type

Error Id

Error Message

Cause

Solution

 

Error Type

Error Id

Error Message

Cause

Solution

 

ApiError

401,403

Failed to fetch data from {endpoint}. Source is not pullable. Exception: {response.text}

Could Not connect to the Host

Ensure the endpoint is reachable with the credentials

 

SetUpError

102

Failed to fetch from {endpoint}. Error: {response.text}. API Error: {response.status_code}

The collector was unable to access the specified endpoint.

Ensure the endpoint is reachable with the credentials

Collector operations

Change log

Release

Released on

Release type

Recommendations

Release

Released on

Release type

Recommendations

v1.0.0

Dec 16, 2024

NEW FEATURE

Recommended version