{"type":"doc","content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"minLevel":{"value":"2"},"maxLevel":{"value":"2"},"type":{"value":"flat"}},"macroMetadata":{"macroId":{"value":"812af86120b7d64463b747ac09afa7ed"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"72c9b4a1-f493-4b84-b268-16358df35c8b"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"Microsoft Defender for Endpoint","type":"text","marks":[{"type":"link","attrs":{"href":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/?view=o365-worldwide"}}]},{"text":", formerly Microsoft Defender Advanced Threat Protection (Defender ATP), provides enterprise-level protection to endpoints to prevent, detect, investigate, and respond to advanced threats.","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"Devo Defender","type":"text","marks":[{"type":"strong"}]},{"text":" for Endpoint Collector enables you to retrieve data from the listed sources below via Microsoft Defender for Endpoints APIs into Devo query, correlate, analyze, and visualize to enable Enterprise IT and Cybersecurity teams to take decisions at the petabyte scale.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Configuration requirements","type":"text"}]},{"type":"paragraph","content":[{"text":"To run this collector, there are some configurations detailed below that you need to take into account.","type":"text"}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"5eff26c3-f1bf-48f1-bc66-75d38031e771"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"Configuration","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"Details","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"Microsoft Defender account","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"You need to have a Microsoft Defender account. Refer to ","type":"text"},{"text":"Vendor setup","type":"text","marks":[{"type":"link","attrs":{"href":"#vendor-setup"}}]},{"text":" section to see how to do it.","type":"text"}]}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"Microsoft Azure account","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"You need to have a Microsoft Azure account. Refer to ","type":"text"},{"text":"Vendor setup","type":"text","marks":[{"type":"link","attrs":{"href":"#vendor-setup"}}]},{"text":" section to see how to do it.","type":"text"}]}]}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Devo collector features","type":"text"}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"0ab3b2ef-2f2a-4b04-9967-e08c1200cb68"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[378.0]},"content":[{"type":"paragraph","content":[{"text":"Feature","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[382.0]},"content":[{"type":"paragraph","content":[{"text":"Details","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[378.0]},"content":[{"type":"paragraph","content":[{"text":"Allow parallel downloading (","type":"text"},{"text":"multipod","type":"text","marks":[{"type":"code"}]},{"text":")","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[382.0]},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Not allowed","type":"text","marks":[{"type":"code"}]}]}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[378.0]},"content":[{"type":"paragraph","content":[{"text":"Running environments","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[382.0]},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Collector server","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"On-premise","type":"text","marks":[{"type":"code"}]}]}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[378.0]},"content":[{"type":"paragraph","content":[{"text":"Populated Devo events","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[382.0]},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Table","type":"text","marks":[{"type":"code"}]}]}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[378.0]},"content":[{"type":"paragraph","content":[{"text":"Flattening preprocessing","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[382.0]},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Yes (optional)","type":"text","marks":[{"type":"code"}]}]}]}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Data sources","type":"text"}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"9435c4ed-b468-41be-9313-494ec9731a76"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[130.0]},"content":[{"type":"paragraph","content":[{"text":"Data source","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[191.0]},"content":[{"type":"paragraph","content":[{"text":"API endpoint","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[59.0]},"content":[{"type":"paragraph","content":[{"text":"Collector service name","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Devo table","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Available from release","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[130.0]},"content":[{"type":"paragraph","content":[{"text":"Alerts","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Alerts data source shows a list of alerts that were flagged from devices in your network. They can be filtered by these topics:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"domain","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"file","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"ip","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"machine","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"user","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[191.0]},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"List alerts:","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/alerts","type":"text","marks":[{"type":"code"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Alert details:","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/alerts/{{alert_id}}","type":"text","marks":[{"type":"code"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Alerts related to other ","type":"text"},{"text":"{{topic}}:","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/alerts/{{alert_id}}/{{topic}}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[59.0]},"content":[{"type":"paragraph","content":[{"text":"alerts","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"edr.microsoft_defender.endpoint.alerts","type":"text","marks":[{"type":"code"}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Events","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"The events ingested by this table are ","type":"text"},{"text":"Microsoft Defender Identity Events","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"v1.0.0","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[130.0]},"content":[{"type":"paragraph","content":[{"text":"Vulnerabilities","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Vulnerabilities data source offers continuous vulnerability discovery and assessment.","type":"text"}]},{"type":"paragraph","content":[{"text":"It can be filtered by this topic:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"machine","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[191.0]},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"List vulnerabilities:","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/vulnerabilities","type":"text","marks":[{"type":"code"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Vulnerability details:","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/vulnerabilities/{{vulnerability_id}}","type":"text","marks":[{"type":"code"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Alerts related to machine:","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/vulnerabilities/{{vulnerability_id}}/machineReferences","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[59.0]},"content":[{"type":"paragraph","content":[{"text":"vulnerabiities","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"edr.microsoft_defender.endpoint.vulnerabilities","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"v1.0.0","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[130.0]},"content":[{"type":"paragraph","content":[{"text":"Machines","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Machines data source gets a list of devices in your network.","type":"text"}]},{"type":"paragraph","content":[{"text":"They can be filtered by these topics:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"user","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"alert","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"software","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"vulnerability","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"recommendation","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"This is a snapshot-like service able to run in periods no shorter than 1h.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[191.0]},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"List machines:","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/machines","type":"text","marks":[{"type":"code"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Machine details:","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/machines/{{machine_id}}","type":"text","marks":[{"type":"code"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Machines related to other ","type":"text"},{"text":"{{topic}}","type":"text","marks":[{"type":"code"}]},{"text":":","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/machines/{{machine_id}}/{{topic}}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[59.0]},"content":[{"type":"paragraph","content":[{"text":"machines","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"edr.microsoft_defender.endpoint.machines","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"v1.0.0","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[130.0]},"content":[{"type":"paragraph","content":[{"text":"Software","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Software data source gets a list of software installed in devices in your network.","type":"text"}]},{"type":"paragraph","content":[{"text":"It can be filtered by these topics:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Vulnerability","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Machine","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Distribution","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Missing KB.","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[191.0]},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"List software:","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/software","type":"text","marks":[{"type":"code"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Software details:","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/software/{{software_id}}","type":"text","marks":[{"type":"code"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Software related to other ","type":"text"},{"text":"{{topic}}","type":"text","marks":[{"type":"code"}]},{"text":":","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/software/{{software_id}}/{{topic}}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[59.0]},"content":[{"type":"paragraph","content":[{"text":"softwares","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"edr.microsoft_defender.endpoint.software","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"v1.0.0","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[130.0]},"content":[{"type":"paragraph","content":[{"text":"Recommendations","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Recommendations data source lists security recommendations for devices in your network.","type":"text"}]},{"type":"paragraph","content":[{"text":"It can be filtered by these topics:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Software","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Machine","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Vulnerability","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[191.0]},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"List recommendations:","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/recommendations","type":"text","marks":[{"type":"code"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Recommendation details:","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/recommendations/{{recommendation_id}}","type":"text","marks":[{"type":"code"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Recommendations related to other ","type":"text"},{"text":"{{topic}}","type":"text","marks":[{"type":"code"}]},{"text":":","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/recommendations/{{recommendation_id}}/{{topic}}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[59.0]},"content":[{"type":"paragraph","content":[{"text":"recommendations","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"edr.microsoft_defender.endpoint.recommendations","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"v1.0.0","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[130.0]},"content":[{"type":"paragraph","content":[{"text":"Investigations","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Investigations data source lists all the automated investigations done by MS Defender in your network.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[191.0]},"content":[{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/investigations","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[59.0]},"content":[{"type":"paragraph","content":[{"text":"investigations","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"edr.microsoft_defender.endpoint.investigations","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"v1.0.0","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[130.0]},"content":[{"type":"paragraph","content":[{"text":"Advanced Hunting","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Advance Hunting data source gives the possibility to run custom queries.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[191.0]},"content":[{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/api/advancedqueries/run","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[59.0]},"content":[{"type":"paragraph","content":[{"text":"advanced_huntuing","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"custom table: ","type":"text"},{"text":"my.app.xxx.yyy","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"v1.0.0","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[130.0]},"content":[{"type":"paragraph","content":[{"text":"Assessments of vulnerabilities and secure","type":"text","marks":[{"type":"strong"}]},{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Get all known software vulnerabilities and their details for all devices, on a per-device basis.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[191.0]},"content":[{"type":"paragraph","content":[{"text":"Secure_configuration_assessment:","type":"text"}]},{"type":"paragraph","content":[{"text":"https://api.securitycenter.microsoft.com/SecureConfigurationsAssessmentExport","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"type":"hardBreak"},{"text":"Software_inventory_assessment:","type":"text"},{"type":"hardBreak"},{"text":"https://api.securitycenter.microsoft.com/SoftwareInventoryExport","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"type":"hardBreak"},{"text":"software_vulnerabilities_assessment:","type":"text"},{"type":"hardBreak"},{"text":"https://api.securitycenter.microsoft.com//SoftwareVulnerabilitiesExport","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[59.0]},"content":[{"type":"paragraph","content":[{"text":"assessments","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Secure_configuration_assessment:","type":"text"}]},{"type":"paragraph","content":[{"text":"edr.microsoft_defender.endpoint.assessment_secure_configuration","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"type":"hardBreak"},{"text":"software_inventory_assessment:","type":"text"},{"type":"hardBreak"},{"text":"edr.microsoft_defender.endpoint.assessment_software_inventory","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"type":"hardBreak"},{"text":"software_vulnerabilities_assessment:","type":"text"},{"type":"hardBreak"},{"text":"edr.microsoft_defender.endpoint.assessment_software_vulnerabilities","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"v2.0.0","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"paragraph","content":[{"text":"For more information on how the events are parsed, ","type":"text"},{"text":"visit our page","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.devo.com/space/latest/133890089/edr.microsoft"}}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Flattening preprocessing","type":"text"}]},{"type":"paragraph","content":[{"text":"In order to improve the data exploitation and enrichment, this collector is able to apply some flattering actions to the collected data before delivering it to Devo.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"What is Flattening?","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"Flattening is used when some data is nested into the data structure, it is used to be faster on data exploitation, this process re-shapes the data structure to do so. There are different ways to flatten data, but the most used are applied over ","type":"text"},{"text":"objects","type":"text","marks":[{"type":"strong"}]},{"text":" or ","type":"text"},{"text":"arrays","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Flattening over objects","type":"text"}]},{"type":"paragraph","content":[{"text":"When flattening over objects, it creates new keys whose names are the combination of the external/internal keys.","type":"text"}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"7424bb0d-b991-4f60-bec4-bd1024a95219"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"Original structure","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"Result","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"codeBlock","content":[{"text":"{\n 'machine': {\n 'hostname': 'machine1',\n 'os': 'linux',\n 'ip': '1.2.3.4'\n }\n}","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"codeBlock","content":[{"text":"{\n 'machine_hostname': 'machine1',\n 'machine_os': 'linux',\n 'machine_ip': '1.2.3.4'\n}","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Flattening over arrays","type":"text"}]},{"type":"paragraph","content":[{"text":"When flattening over arrays it replicates the event using one element of the array in each replicated event:","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Example","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"Take into account that this flattening method generates more events than those originally collected. In the example below 1 single event, 3 events are generated. In the case of an event with multiple fields that contains an array, the number of events generated per original event is obtained by multiplying the number of elements in each array.","type":"text"}]},{"type":"paragraph","content":[{"text":"For instance, given an event with 3 fields that contains arrays with 2, 3 and 4 elements each, if we flatten this event, we’re going to generate 24 events from this single event (2*3*4 = 24).","type":"text"}]}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"cd4e03d8-2ae7-481c-86eb-eb50a3a4d6e4"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"Original structure","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"paragraph","content":[{"text":"Result","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"codeBlock","content":[{"text":"{\n 'machine_hostname': 'machine1',\n 'machine_os': 'linux',\n 'ips':['1.2.3.4', '4.3.2.1', '1.1.1.1']\n}\n\n# Flattened data structure (3 events generated from the original one)","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[380.0]},"content":[{"type":"codeBlock","content":[{"text":"[\n {\n 'machine_hostname': 'machine1',\n 'machine_os': 'linux',\n 'ip':'1.2.3.4'\n },\n {\n 'machine_hostname': 'machine1',\n 'machine_os': 'linux',\n 'ip':'4.3.2.1'\n },\n {\n 'machine_hostname': 'machine1',\n 'machine_os': 'linux',\n 'ip':'1.1.1.1'\n }\n]","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Enrichment techniques","type":"text"}]},{"type":"paragraph","content":[{"text":"The enrichment made in this collector consists of adding some fields to the original message, where the count of affected elements is displayed. This field uses the ","type":"text"},{"text":"prefix_related","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Example","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"In this case, the event is enriched with the fields ","type":"text"},{"text":"related_alerts","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"related_vulnerabilities","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]},{"type":"codeBlock","content":[{"text":"{\n 'machine_hostname': 'machine1',\n 'machine_os': 'linux',\n 'related_alerts': 3,\n 'related_vulnerabilities': 12\n}","type":"text"}]},{"type":"paragraph","content":[{"text":"The enrichment process is optional. In the configuration, it can be defined which entities must be enriched, for each data source. Refer to the Service Detail section.","type":"text"}]},{"type":"paragraph","content":[{"text":"The flattening cases processed in this collector are:","type":"text"}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"ba0cfe1a-ecb5-462a-b230-16a77554ecc2"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[143.0]},"content":[{"type":"paragraph","content":[{"text":"Data Source","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[140.0]},"content":[{"type":"paragraph","content":[{"text":"Collector Service","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[162.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"Behavior Details","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":2,"colwidth":[143.0]},"content":[{"type":"paragraph","content":[{"text":"Alerts","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":2,"colwidth":[140.0]},"content":[{"type":"paragraph","content":[{"text":"alerts","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[162.0]},"content":[{"type":"paragraph","content":[{"text":"Flattening over objects","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"When ","type":"text"},{"text":"relatedUser","type":"text","marks":[{"type":"code"}]},{"text":" is received as an alert detail, the flattening is applied as shown:","type":"text"}]},{"type":"paragraph","content":[{"text":"Received data (an object):","type":"text"}]},{"type":"codeBlock","content":[{"text":"{\n ...\n 'relatedUser' : {\n 'userName': 'john',\n 'domainName': 'foo'\n },\n ...\n}","type":"text"}]},{"type":"paragraph","content":[{"text":"Flattened data:","type":"text"}]},{"type":"codeBlock","content":[{"text":"{\n 'relatedUser_userName' : 'john',\n 'relatedUser_domainName' : 'foo'\n}","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[140.0]},"content":[{"type":"paragraph","content":[{"text":"Flattening over arrays","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[162.0]},"content":[{"type":"paragraph","content":[{"text":"When ","type":"text"},{"text":"evidence","type":"text","marks":[{"type":"code"}]},{"text":" is received as an alert detail, the flattening is applied as shown:","type":"text"}]},{"type":"paragraph","content":[{"text":"Received data (an object):","type":"text"}]},{"type":"codeBlock","content":[{"text":"{\n ...\n 'evidence' : [\n {detail': 'abc'},\n {'detail': 'xyz'},\n ]\n}","type":"text"}]},{"type":"paragraph","content":[{"text":"Flattened and enriched data:","type":"text"}]},{"type":"codeBlock","content":[{"text":"[\n {\n ...\n 'related_evidences': 2,\n 'evidence_detail': 'abc'\n },\n {\n ...\n 'related_evidences': 2,\n 'evidence_detail': 'xyz'\n }\n]","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[143.0]},"content":[{"type":"paragraph","content":[{"text":"Alerts","type":"text"},{"type":"hardBreak"},{"text":"Machines","type":"text"},{"type":"hardBreak"},{"text":"Software","type":"text"},{"type":"hardBreak"},{"text":"Vulnerabilities","type":"text"},{"type":"hardBreak"},{"text":"Recommendations","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[140.0]},"content":[{"type":"paragraph","content":[{"text":"alerts","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"machines","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"software","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"vulnerabilities","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"recommendations","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[162.0]},"content":[{"type":"paragraph","content":[{"text":"Enrichment","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[315.0]},"content":[{"type":"paragraph","content":[{"text":"Visit the Service Details section for details.","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"anchor","parameters":{"macroParams":{"":{"value":"vendor-setup"},"legacyAnchorId":{"value":"MicrosoftDefenderATPforEndpointcollector-vendor-setup"}},"macroMetadata":{"macroId":{"value":"337345b357f06f5fb6016ec1899c3eec"},"schemaVersion":{"value":"1"},"title":"Anchor"}},"localId":"34d74a4c-61be-49db-b8d8-4c09e32a7450"}}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Vendor setup","type":"text"}]},{"type":"paragraph","content":[{"text":"There are some minimal requirements to enable this collector:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Microsoft Azure account.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Microsoft Defender account.","type":"text"}]}]}]},{"type":"bodiedExtension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-ui-expands-macro","parameters":{"macroParams":{},"macroMetadata":{"macroId":{"value":"9fabbecc-7c7b-414b-a43d-264d0a027796"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://static.dg.refinedtheme.refinedwiki.com/refinedtheme-for-cloud/macro-icons/expand-container.png"}}],"title":"Refined Expand Container"}},"localId":"ca9a94d0-7100-492f-a1f5-00e8e767747c"},"content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-expand","parameters":{"macroParams":{"title":{"value":"Create an account in Microsoft Defender"}},"macroMetadata":{"macroId":{"value":"069fadd3fb4fb7219633b79320b8f092"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://static.dg.refinedtheme.refinedwiki.com/refinedtheme-for-cloud/macro-icons/expand.png"}}],"title":"Refined Expand"}},"localId":"f1cb930e-e286-4902-bde5-a597deb2887b"}},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Go to ","type":"text"},{"text":"https://securitycenter.windows.com","type":"text","marks":[{"type":"underline"},{"type":"link","attrs":{"href":"https://securitycenter.windows.com/"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Sign in with you Microsoft Azure credentials.","type":"text"}]}]}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-expand","parameters":{"macroParams":{"title":{"value":"Register an app in Microsoft Azure"}},"macroMetadata":{"macroId":{"value":"0b759934f97b7303ddac27c265d15058"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://static.dg.refinedtheme.refinedwiki.com/refinedtheme-for-cloud/macro-icons/expand.png"}}],"title":"Refined Expand"}},"localId":"1e55f22a-1d34-4144-b11f-4ff4614fcb54"}},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Sign in and search for ","type":"text"},{"text":"App registrations","type":"text","marks":[{"type":"em"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click on ","type":"text"},{"text":"New registration","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Give a name to the application and select the appropriate permissions. ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click on ","type":"text"},{"text":"Register","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-expand","parameters":{"macroParams":{"title":{"value":"Save Application (client) ID and Directory Tenant ID"}},"macroMetadata":{"macroId":{"value":"9eb4527e78563962e66f3e6e869cfaf5"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://static.dg.refinedtheme.refinedwiki.com/refinedtheme-for-cloud/macro-icons/expand.png"}}],"title":"Refined Expand"}},"localId":"cbddc833-13ef-459f-b804-b83dbca97364"}},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"From the Overview section, save Application (client) ID as ","type":"text"},{"text":"client_id","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Save Directory Tenant ID as ","type":"text"},{"text":"tenant_id","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The value ","type":"text"},{"text":"client_secret ","type":"text","marks":[{"type":"code"}]},{"text":"will be obtained below.","type":"text"}]}]}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-expand","parameters":{"macroParams":{"title":{"value":"Give appropriate API permissions"}},"macroMetadata":{"macroId":{"value":"162efc0e4bbdb368b56769906585246b"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://static.dg.refinedtheme.refinedwiki.com/refinedtheme-for-cloud/macro-icons/expand.png"}}],"title":"Refined Expand"}},"localId":"8f0553b3-8818-447c-b35f-80ea2fa7e914"}},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click on ","type":"text"},{"text":"API permissions","type":"text","marks":[{"type":"strong"}]},{"text":" on the left-menu.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click on ","type":"text"},{"text":"Add permissions.","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Select ","type":"text"},{"text":"APIs my organization uses","type":"text","marks":[{"type":"em"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Search for ","type":"text"},{"text":"WindowsDefenderATP","type":"text","marks":[{"type":"em"}]},{"text":" and select it.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Grant the following permission for ","type":"text"},{"text":"Application permissions","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Alert.Read.All","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Alert.ReadWrite.All","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Url.Read.All","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"File.Read.All","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Ip.Read.All","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Machine.Read.All","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Machine.ReadWrite.All","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"User.Read.All","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Vulnerability.Read.All","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Software.Read.All","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"SecurityRecommendation.Read.All","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"AdvancedQuery.Read.All","type":"text","marks":[{"type":"em"}]}]}]}]}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Don’t forget","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"Click on","type":"text"},{"text":" Grant admin consent","type":"text","marks":[{"type":"strong"}]},{"text":" to your account (next to the ","type":"text"},{"text":"Add a permission","type":"text","marks":[{"type":"strong"}]},{"text":" button), a green checkmark should appear on the right-side for each permission. These permissions are required to enable all enrichment features in this collector.","type":"text"}]}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-expand","parameters":{"macroParams":{"title":{"value":"Obtain client_secret"}},"macroMetadata":{"macroId":{"value":"75613ea0f9a7a57a3a4ca85f45571017"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://static.dg.refinedtheme.refinedwiki.com/refinedtheme-for-cloud/macro-icons/expand.png"}}],"title":"Refined Expand"}},"localId":"9eca076e-a638-4919-bab0-6a5c86ad46ab"}},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click on ","type":"text"},{"text":"Certificates and Secrets","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click on ","type":"text"},{"text":"New client secret","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Give it a name.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Save it carefully, as it is going to be shown only once.","type":"text"}]}]}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-expand","parameters":{"macroParams":{"title":{"value":"Confirm the registered application"}},"macroMetadata":{"macroId":{"value":"5276a2d3dd27df9aee9dc563538cbb59"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://static.dg.refinedtheme.refinedwiki.com/refinedtheme-for-cloud/macro-icons/expand.png"}}],"title":"Refined Expand"}},"localId":"e22e18d1-0c8e-4b58-9a51-a3147e32ae4e"}},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Go to ","type":"text"},{"text":"Microsoft Defender portal","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open ","type":"text"},{"text":"Partners and APIs","type":"text","marks":[{"type":"strong"}]},{"text":" on the side panel.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Select ","type":"text"},{"text":"Connected applications.","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Check if the registered application is listed here.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Minimum configuration required for basic pulling","type":"text"}]},{"type":"paragraph","content":[{"text":"Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.","type":"text"}]}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"c87e6d42-26c5-49e8-bf97-d0d5a38f20ab"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[132.0]},"content":[{"type":"paragraph","content":[{"text":"Setting","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[628.0]},"content":[{"type":"paragraph","content":[{"text":"Details","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[132.0]},"content":[{"type":"paragraph","content":[{"text":"client_id","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[628.0]},"content":[{"type":"paragraph","content":[{"text":"Application (client) ID of the application created during the setup.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[132.0]},"content":[{"type":"paragraph","content":[{"text":"client_secret","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[628.0]},"content":[{"type":"paragraph","content":[{"text":"Client secret created during the setup.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[132.0]},"content":[{"type":"paragraph","content":[{"text":"tenant_id","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[628.0]},"content":[{"type":"paragraph","content":[{"text":"Tenant ID of the application created during the setup.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[132.0]},"content":[{"type":"paragraph","content":[{"text":"override_api_base_url","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[628.0]},"content":[{"type":"paragraph","content":[{"text":"[optional] The URL of the REST API server for your MicrosoftDefender tenant. The default is : ","type":"text"},{"text":"https://api.securitycenter.microsoft.com","type":"text","marks":[{"type":"underline"},{"type":"link","attrs":{"href":"https://api.securitycenter.microsoft.com/"}}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[132.0]},"content":[{"type":"paragraph","content":[{"text":"override_token_url","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[628.0]},"content":[{"type":"paragraph","content":[{"text":"[optional] The URL to get a Bearer token . The default is : ","type":"text"},{"text":"https://login.microsoftonline.com","type":"text","marks":[{"type":"link","attrs":{"href":"https://login.microsoftonline.com/"}}]}]}]}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"See the ","type":"text"},{"text":"Accepted authentication methods","type":"text","marks":[{"type":"strong"}]},{"text":" section to verify what settings are required based on the desired authentication method.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Accepted authentication methods","type":"text"}]},{"type":"paragraph","content":[{"text":"Depending on how did you obtain your credentials, you will have to either fill or delete the following properties on the JSON ","type":"text"},{"text":"credentials","type":"text","marks":[{"type":"code"}]},{"text":" configuration block.","type":"text"}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"5f089a94-6cb3-46b4-92dd-380573f4e86d"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[300.0]},"content":[{"type":"paragraph","content":[{"text":"Authentication Method","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[176.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Client ID","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Client Secret","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[143.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Tenant ID","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[300.0]},"content":[{"type":"paragraph","content":[{"text":"Client ID / Client Secret / Tenant ID","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[176.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"green","style":"bold","text":"REQUIRED","localId":"b22d27a0-aa30-480c-b009-6b37531e8c64"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"green","style":"bold","text":"REQUIRED","localId":"97ee4a61-e250-4f22-8f1a-600e985fe4e9"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[143.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"green","style":"bold","text":"REQUIRED","localId":"e3a0aded-9ea4-4c2b-b7e7-0f51b8f52e8a"}}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Run the collector","type":"text"}]},{"type":"paragraph","content":[{"text":"Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (","type":"text"},{"text":"Cloud collector","type":"text","marks":[{"type":"underline"}]},{"text":"), or deploy and host the collector in your own machine using a Docker image (","type":"text"},{"text":"On-premise collector","type":"text","marks":[{"type":"underline"}]},{"text":").","type":"text"}]},{"type":"bodiedExtension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-ui-tabs-macro","parameters":{"macroParams":{},"macroMetadata":{"macroId":{"value":"6a805bc0-abf6-4d98-987c-6a9164c77642"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://static.dg.refinedtheme.refinedwiki.com/refinedtheme-for-cloud/macro-icons/tab-container.png"}}],"title":"Refined Tab Container"}},"localId":"51a38310-b288-4fb7-a20e-43dcd020e55a"},"content":[{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-tab","parameters":{"macroParams":{"title":{"value":"Cloud collector"}},"macroMetadata":{"macroId":{"value":"2825992cb366f7c43cdf1373692654dc"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://static.dg.refinedtheme.refinedwiki.com/refinedtheme-for-cloud/macro-icons/tab.png"}}],"title":"Refined Tab"}},"localId":"4f2a7074-beea-424f-82ed-0e5b68bd51ad"}},{"type":"paragraph","content":[{"text":"We use a piece of software called Collector Server to host and manage all our available collectors.","type":"text"}]},{"type":"paragraph","content":[{"text":"To enable the collector for a customer:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the ","type":"text"},{"text":"Collector Server","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"GUI","type":"text","marks":[{"type":"strong"}]},{"text":", access the ","type":"text"},{"text":"domain","type":"text","marks":[{"type":"strong"}]},{"text":" in which you want this instance to be created","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Click ","type":"text"},{"text":"Add Collector","type":"text","marks":[{"type":"strong"}]},{"text":" and find the one you wish to add.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the ","type":"text"},{"text":"Version","type":"text","marks":[{"type":"strong"}]},{"text":" field, select the latest value.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the ","type":"text"},{"text":"Collector Name","type":"text","marks":[{"type":"strong"}]},{"text":" field, set the value you prefer (this name must be unique inside the same Collector Server domain).","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the sending method select ","type":"text"},{"text":"Direct Send. Direct Send","type":"text","marks":[{"type":"strong"}]},{"text":" configuration is optional for collectors that create ","type":"text"},{"text":"Table","type":"text","marks":[{"type":"code"}]},{"text":" events, but mandatory for those that create ","type":"text"},{"text":"Lookups","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In the ","type":"text"},{"text":"Parameters","type":"text","marks":[{"type":"strong"}]},{"text":" section, establish the ","type":"text"},{"text":"Collector Parameters","type":"text","marks":[{"type":"strong"}]},{"text":" as follows below:","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Editing the JSON configuration","type":"text"}]},{"type":"codeBlock","content":[{"text":"{\n \"global_overrides\": {\n \"debug\": \n },\n \"inputs\": {\n \"defender_atp\": {\n \"id\": \"\",\n \"enabled\": true,\n \"requests_per_second\": ,\n \"override_api_base_url\": \"\",\n \"override_token_url\": \"\",\n \"credentials\": {\n \"client_id\": \"\",\n \"client_secret\": \"\",\n \"tenant_id\": \"\"\n },\n \"services\": {\n \"alerts\": {\n \"request_period_in_seconds\": ,\n \"historical_poll_datetime\": \"\",\n \"flatten_alert_related_evidences\": ,\n \"request_alert_related_domains\": ,\n \"request_alert_related_files\": ,\n \"request_alert_related_ips\": ,\n \"request_alert_related_devices\": ,\n \"request_alert_related_users\": \n },\n \"machines\": {\n \"request_period_in_seconds\": , # minimum value 3600 for this service\n \"historical_poll_datetime\": \"\",\n \"request_machine_logon_users\": ,\n \"request_machine_related_alerts\": ,\n \"request_machine_installed_software\": ,\n \"request_machine_vulnerabilities\": ,\n \"request_machine_security_recommendations\": \n },\n \"software\": {\n \"request_period_in_seconds\": ,\n \"request_software_version_distributions\": ,\n \"request_machines_by_software\": ,\n \"request_vulnerabilities_by_software\": ,\n \"request_software_missing_kbs\": \n },\n \"vulnerabilities\": {\n \"request_period_in_seconds\": ,\n \"historical_poll_datetime\": \"\",\n \"request_machine_by_vulnerabilities\": \n },\n \"recommendations\": {\n \"request_period_in_seconds\": ,\n \"request_recommendations_by_software\": ,\n \"request_machines_by_recommendations\": ,\n \"request_vulnerability_by_recommendations\": \n },\n \"investigations\": {\n \"request_period_in_seconds\": ,\n \"historical_poll_datetime\": \"\"\n },\n \"assessments\": {\n \"request_period_in_seconds\": \"\",\n \"include_software_vulnerabilities_by_machine\": \"\",\n \"historical_poll_datetime\": \"\"\n },\n \"advanced_hunting\": {\n \"request_period_in_seconds\": ,\n \"endpoint\": \"\",\n \"queries\": [\n {\n \"devo_tag\": \"\",\n \"query_json\": \"\"\n }\n ]\n }\n }\n }\n }\n}","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the ","type":"text"},{"text":"services","type":"text","marks":[{"type":"code"}]},{"text":" object.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Please replace the placeholders with real world values following the description table below:","type":"text"}]},{"type":"table","attrs":{"layout":"default","width":1800.0,"localId":"df7ff0b2-3d1a-4e28-9a4a-507902ff0b69"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"#f4f5f7","rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"Parameter","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"background":"#f4f5f7","rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"Data type","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"background":"#f4f5f7","rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"background":"#f4f5f7","rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"Value range / Format","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"background":"#f4f5f7","rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Details","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"debug_status","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"bool","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text","marks":[{"type":"code"}]},{"text":" / ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"If the value is ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]},{"text":", the debug logging traces will be enabled when running the collector. If the value is ","type":"text"},{"text":"false","type":"text","marks":[{"type":"code"}]},{"text":", only the ","type":"text"},{"text":"info","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"warning","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"error","type":"text","marks":[{"type":"code"}]},{"text":" logging levels will be printed.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"short_unique_id","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 1","type":"text"},{"type":"hardBreak"},{"text":"Maximum length: 5","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Use this param to give an unique id to this input service.","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"requests_per_second_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"int","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum value: 1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Customize the maximum number of API requests per second. If not used, the default setting will be used","type":"text"}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"60","type":"text","marks":[{"type":"code"}]},{"text":" requests/sec.","type":"text"}]},{"type":"panel","attrs":{"panelType":"note"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"override_api_base_url_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"The URL must comply with the following format:","type":"text"}]},{"type":"paragraph","content":[{"text":"(^https:\\/\\/)([\\da-z\\.-]+)\\.([a-z\\.])([\\/\\w \\.-]*)*([a-z])(:\\d{1,5})?$","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Use this param to override the default base URL used by the collector to pull data.","type":"text"}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"https://api.securitycenter.microsoft.com","type":"text","marks":[{"type":"code"}]}]},{"type":"panel","attrs":{"panelType":"note"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"override_token_url_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"-","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Use this param to override the default URL used by the collector to get the authentication token.","type":"text"}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"https://login.microsoftonline.com","type":"text","marks":[{"type":"code"}]}]},{"type":"panel","attrs":{"panelType":"note"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"client_id_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Set up here your Application (client) ID of the registered application in the Azure console.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"client_secret_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Set up here your Client Secret created in the Azure console.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"tenant_id_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Set up here your Tenant ID of the registered application in the Azure console.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"request_period_in_seconds_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"int","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum value: 1","type":"text"}]},{"type":"paragraph","content":[{"text":"Minimum value: 3600 for the Machines service.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Period in seconds used between each data pulling, this value will overwrite the default value.","type":"text"}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"300","type":"text","marks":[{"type":"code"}]}]},{"type":"panel","attrs":{"panelType":"note"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"historical_poll_datetime_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"UTC with format: ","type":"text"},{"text":"YYYY-mm-ddTHH:MM:SS.sssZ","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (1 month back for example) before downloading new events.","type":"text"}]},{"type":"paragraph","content":[{"text":"If not used, it will start collecting data since 10 days ago.","type":"text"}]},{"type":"panel","attrs":{"panelType":"note"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"request_enrichment_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"bool","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text","marks":[{"type":"code"}]},{"text":" / ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Use these parameters to config the enrichment behavior. You can disable entities that are not interesting to you and speed up the ingestion. When the ingestion is not selected, the field will be displayed as ","type":"text"},{"text":"Null","type":"text","marks":[{"type":"code"}]},{"text":" in Loxcope.","type":"text"}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]}]},{"type":"panel","attrs":{"panelType":"note"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"flatten_evidences_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"bool","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text","marks":[{"type":"code"}]},{"text":" / ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Use this parameter to do not flatten the alert evidences. This data will be ingested into Devo in the ","type":"text"},{"text":"evidences","type":"text","marks":[{"type":"code"}]},{"text":" field as raw content. This field is populated only when when the data is not flattened.","type":"text"}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]}]},{"type":"panel","attrs":{"panelType":"note"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"endpoint_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]},{"text":" only for Advanced Hunting service.","type":"text"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"The URL must comply with the following format:","type":"text"}]},{"type":"paragraph","content":[{"text":"(^https:\\/\\/)([\\da-z\\.-]+)\\.([a-z\\.])([\\/\\w \\.-]*)*([a-z])(:\\d{1,5})?$","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Use this parameter if you are going to use Advanced Hunting service. It completes the endpoint to which the query is going to be performed. A usual value for this is ","type":"text"},{"text":"/api/advancedqueries/run","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Be careful, this value is not default in the collector.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"devo_tag_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]},{"text":" only for Advanced Hunting service.","type":"text"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"my.app.{table_name}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Use this parameter if you are going to use Advanced Hunting service. It is the tag bound to the data collected using Advanced Hunting.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"query_json_value","type":"text","marks":[{"type":"annotation","attrs":{"annotationType":"inlineComment","id":"f7fb3c4d-5119-431f-89f2-650a7517074a"}},{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]},{"text":" only for Advanced Hunting service.","type":"text"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"A valid Kusto query for Microsoft Defender for Endpoint.","type":"text"}]},{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"Use this parameter if you are going to use Advanced Hunting service. It is the query that is going to be requested to the Microsoft Defender API.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[170.0]},"content":[{"type":"paragraph","content":[{"text":"include_software_vulnerabilities_by_machine","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[61.0]},"content":[{"type":"paragraph","content":[{"text":"bool","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[85.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text","marks":[{"type":"code"}]},{"text":" / ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[271.0]},"content":[{"type":"paragraph","content":[{"text":"If this parameter to get the data from this endpoint ","type":"text"},{"text":"https://api.securitycenter.microsoft.com/SoftwareVulnerabilityChangesByMachine","type":"text","marks":[{"type":"code"}]},{"text":" to get the software vulnerabilities assessment per device data. If assigned ","type":"text"},{"text":"true","type":"text","marks":[{"type":"strong"}]},{"text":" then it is ","type":"text"},{"text":"mandatory","type":"text","marks":[{"type":"strong"}]},{"text":" to define ","type":"text"},{"text":"historical_poll_datetime_value","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"false","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"mediaSingle","attrs":{"layout":"center","width":500,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":1244,"alt":"140_Microsoft Defender Cloud Apps.png","id":"d9f9c477-fa8b-49cb-a5b8-ac307cd371b9","collection":"contentId-178618369","type":"file","height":933}}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"rw-tab","parameters":{"macroParams":{"title":{"value":"On-premise collector"}},"macroMetadata":{"macroId":{"value":"0e08d10a084320745cfcad174c481cfb"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://static.dg.refinedtheme.refinedwiki.com/refinedtheme-for-cloud/macro-icons/tab.png"}}],"title":"Refined Tab"}},"localId":"3392ad6b-e017-4587-96ac-e5e9d4459cb2"}},{"type":"paragraph","content":[{"text":"This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Structure","type":"text"}]},{"type":"paragraph","content":[{"text":"The following directory structure should be created for being used when running the collector:","type":"text"}]},{"type":"codeBlock","content":[{"text":"\n└── devo-collectors/\n └── /\n ├── certs/\n │ ├── chain.crt\n │ ├── .key\n │ └── .crt\n ├── state/\n └── config/ \n └── config.yaml ","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Replace ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" with the proper value.","type":"text"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Devo credentials","type":"text"}]},{"type":"paragraph","content":[{"text":"In Devo, go to ","type":"text"},{"text":"Administration → Credentials → X.509 Certificates","type":"text","marks":[{"type":"strong"}]},{"text":", download the ","type":"text"},{"text":"Certificate","type":"text","marks":[{"type":"strong"}]},{"text":", ","type":"text"},{"text":"Private key","type":"text","marks":[{"type":"strong"}]},{"text":" and ","type":"text"},{"text":"Chain CA","type":"text","marks":[{"type":"strong"}]},{"text":" and save them in ","type":"text"},{"text":"/certs/","type":"text","marks":[{"type":"code"}]},{"text":". Learn more about security credentials in Devo ","type":"text"},{"text":"here","type":"text","marks":[{"type":"link","attrs":{"href":"#"}}]},{"text":".","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":950,"id":"87c399a3-1c1e-44cd-b20c-110275bf07a7","collection":"contentId-178618369","type":"file","height":448}}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Replace ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" with the proper value.","type":"text"}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Editing the config.yaml file","type":"text"}]},{"type":"codeBlock","content":[{"text":"globals:\n debug: \n id: \n name: \n persistence:\n type: filesystem\n config:\n directory_name: state\noutputs:\n devo_1:\n type: devo_platform\n config:\n address: \n port: 443\n type: SSL\n chain: \n cert: \n key: \ninputs:\n defender_atp:\n id: \n enabled: true\n requests_per_second: \n override_api_base_url: \n override_token_url: \n credentials:\n client_id: \n client_secret: \n tenant_id: \n services:\n alerts:\n request_period_in_seconds: \n historical_poll_datetime: \n flatten_alert_related_evidences: \n request_alert_related_domains: \n request_alert_related_files: \n request_alert_related_ips: \n request_alert_related_devices: \n request_alert_related_users: \n machines:\n request_period_in_seconds: # Minimum value 3600 for this service\n historical_poll_datetime: \n request_machine_logon_users: \n request_machine_related_alerts: \n request_machine_installed_software: \n request_machine_vulnerabilities: \n request_machine_security_recommendations: \n software:\n request_period_in_seconds: \n request_software_version_distributions: \n request_machines_by_software: \n request_vulnerabilities_by_software: \n request_software_missing_kbs: \n vulnerabilities:\n request_period_in_seconds: \n historical_poll_datetime: \n request_machine_by_vulnerabilities: \n recommendations:\n request_period_in_seconds: \n request_recommendations_by_software: \n request_machines_by_recommendations: \n request_vulnerability_by_recommendations: \n investigations:\n request_period_in_seconds: \n historical_poll_datetime: \n advanced_hunting:\n request_period_in_seconds: \n endpoint: \n queries:\n - devo_tag: \n query_json: \n assessments:\n include_software_vulnerabilities_by_machine: \n historical_poll_datetime: \n request_period_in_seconds: ","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the ","type":"text"},{"text":"services","type":"text","marks":[{"type":"code"}]},{"text":" object.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Replace the placeholders with your required values following the description table below:","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"65aaaf78-33bf-4b6a-951d-b6a61ea5d189"},"content":[{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"background":"#f4f5f7","rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"Parameter","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"background":"#f4f5f7","rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"Data Type","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"background":"#f4f5f7","rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"background":"#f4f5f7","rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Value Range","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"background":"#f4f5f7","rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Details","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"debug_status","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"bool","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text","marks":[{"type":"code"}]},{"text":" / ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"If the value is ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]},{"text":", the debug logging traces will be enabled when running the collector. If the value is ","type":"text"},{"text":"false","type":"text","marks":[{"type":"code"}]},{"text":", only the ","type":"text"},{"text":"info","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"warning","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"error","type":"text","marks":[{"type":"code"}]},{"text":" logging levels will be printed.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"collector_id","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"int","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 1","type":"text"},{"type":"hardBreak"},{"text":"Maximum length: 5","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this param to give an unique id to this collector.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"collector_name","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 1","type":"text"},{"type":"hardBreak"},{"text":"Maximum length: 10","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this param to give a valid name to this collector.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"devo_address","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"collector-us.devo.io","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"collector-eu.devo.io","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this param to identify the Devo Cloud where the events will be sent.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"chain_filename","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 4","type":"text"},{"type":"hardBreak"},{"text":"Maximum length: 20","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: ","type":"text"},{"text":"chain.crt","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"cert_filename","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 4","type":"text"},{"type":"hardBreak"},{"text":"Maximum length: 20","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this param to identify the ","type":"text"},{"text":"file.cert","type":"text","marks":[{"type":"code"}]},{"text":" downloaded from your Devo domain.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"key_filename","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 4","type":"text"},{"type":"hardBreak"},{"text":"Maximum length: 20","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this param to identify the ","type":"text"},{"text":"file.key","type":"text","marks":[{"type":"code"}]},{"text":" downloaded from your Devo domain.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"input_id","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"int","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 5","type":"text"}]},{"type":"paragraph","content":[{"text":"Maximum length: -","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this param to give an unique id to this input service.","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"requests_per_second_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"int","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum value: 1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Customize the maximum number of API requests per second. If not used, the default setting will be used","type":"text"}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"60","type":"text","marks":[{"type":"code"}]},{"text":" requests/sec.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"override_api_base_url_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"The URL must comply with the following format:","type":"text"}]},{"type":"paragraph","content":[{"text":"(^https:\\/\\/)([\\da-z\\.-]+)\\.([a-z\\.])([\\/\\w \\.-]*)*([a-z])(:\\d{1,5})?$","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this param to override the default base URL used by the collector to pull data.","type":"text"}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"https://api.securitycenter.microsoft.com","type":"text","marks":[{"type":"code"}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"override_token_url_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"-","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this param to override the default URL used by the collector to get the authentication token.","type":"text"}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"https://login.microsoftonline.com","type":"text","marks":[{"type":"code"}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"client_id_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Set up here your Application (client) ID of the registered application in the Azure console.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"client_secret_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Set up here your Client Secret created in the Azure console.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"tenant_id_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Set up here your Tenant ID of the registered application in the Azure console.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"request_period_in_seconds_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"int","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Minimum length: 1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Period in seconds used between each data pulling, this value will overwrite the default value.","type":"text"}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"300","type":"text","marks":[{"type":"code"}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"historical_poll_datetime_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"UTC with format: ","type":"text"},{"text":"YYYY-mm-ddTHH:MM:SS.sssZ","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (1 month back for example) before downloading new events.","type":"text"}]},{"type":"paragraph","content":[{"text":"If not used, it will start collecting data since 10 days ago.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"request_enrichment_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"bool","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text","marks":[{"type":"code"}]},{"text":" / ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use these parameters to config the enrichment behavior. You can disable entities that are not interesting to you and speed up the ingestion. When the ingestion is not selected, the field will be displayed as ","type":"text"},{"text":"Null","type":"text","marks":[{"type":"code"}]},{"text":" in Loxcope.","type":"text"}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"flatten_evidences_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"bool","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text","marks":[{"type":"code"}]},{"text":" / ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this parameter to do not flatten the alert evidences. This data will be ingested into Devo in the ","type":"text"},{"text":"evidences","type":"text","marks":[{"type":"code"}]},{"text":" field as raw content. This field is populated only when when the data is not flattened.","type":"text"}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"This parameter should be removed if it is not used.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"endpoint_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]},{"text":" only for Advanced Hunting service.","type":"text"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"The URL must comply with the following format:","type":"text"}]},{"type":"paragraph","content":[{"text":"(^https:\\/\\/)([\\da-z\\.-]+)\\.([a-z\\.])([\\/\\w \\.-]*)*([a-z])(:\\d{1,5})?$","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this parameter if you are going to use Advanced Hunting service. It completes the endpoint to which the query is going to be performed. A usual value for this is ","type":"text"},{"text":"/api/advancedqueries/run","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Be careful, this value is not default in the collector.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"devo_tag_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]},{"text":" only for Advanced Hunting service.","type":"text"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"my.app.{table_name}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this parameter if you are going to use Advanced Hunting service. It is the tag bound to the data collected using Advanced Hunting.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"query_json_value","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Mandatory","type":"text","marks":[{"type":"code"}]},{"text":" only for Advanced Hunting service.","type":"text"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"A valid Kusto query for Microsoft Defender for Endpoint.","type":"text"}]},{"type":"paragraph","content":[{"text":"Learn the advanced hunting query language in Microsoft 365 Defender","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Use this parameter if you are going to use Advanced Hunting service. It is the query that is going to be requested to the Microsoft Defender API.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[152.0]},"content":[{"type":"paragraph","content":[{"text":"include_software_vulnerabilities_by_machine","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"bool","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[96.0]},"content":[{"type":"paragraph","content":[{"text":"Optional","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"false","type":"text","marks":[{"type":"code"}]},{"text":" / ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"If this parameter to get the data from this endpoint ","type":"text"},{"text":"https://api.securitycenter.microsoft.com/SoftwareVulnerabilityChangesByMachine","type":"text","marks":[{"type":"code"}]},{"text":" to get the software vulnerabilities assessment per device data. If assigned ","type":"text"},{"text":"true","type":"text","marks":[{"type":"strong"}]},{"text":" then it is ","type":"text"},{"text":"mandatory","type":"text","marks":[{"type":"strong"}]},{"text":" to define ","type":"text"},{"text":"historical_poll_datetime_value","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Default:","type":"text","marks":[{"type":"strong"}]},{"text":" ","type":"text"},{"text":"false","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Download the Docker image","type":"text"}]},{"type":"paragraph","content":[{"text":"The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"94785be3-54fc-4266-9d73-deee265f1451"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[363.0]},"content":[{"type":"paragraph","content":[{"text":"Collector Docker image","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[363.0]},"content":[{"type":"paragraph","content":[{"text":"SHA-256 hash","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[363.0]},"content":[{"type":"paragraph","content":[{"text":"collector-microsoft_defender_atp_if-docker-image-2.0.0","type":"text","marks":[{"type":"link","attrs":{"href":"https://drive.google.com/file/d/1JdtIAk5KhOdBv1guSbkm7soy16BdIWCt/view?usp=drive_link"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[363.0]},"content":[{"type":"paragraph","content":[{"text":"0e0e3afa23b30bb65a67e525de843d17e37d6518d5cbf37316fb8e22548c3e3a","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"paragraph","content":[{"text":"Use the following command to add the Docker image to the system:","type":"text"}]},{"type":"codeBlock","content":[{"text":"gunzip -c -.tgz | docker load","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" with a proper value.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"The Docker image can be deployed on the following services:","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Docker","type":"text"}]},{"type":"paragraph","content":[{"text":"Execute the following command on the root directory ","type":"text"},{"text":"/devo-collectors//","type":"text","marks":[{"type":"code"}]}]},{"type":"codeBlock","content":[{"text":"docker run \n--name collector- \n--volume $PWD/certs:/devo-collector/certs \n--volume $PWD/config:/devo-collector/config \n--volume $PWD/state:/devo-collector/state \n--env CONFIG_FILE=config.yaml \n--restart=always \n--interactive \n--tty \n:","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Replace ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" with the proper values.","type":"text"}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Docker Compose","type":"text"}]},{"type":"paragraph","content":[{"text":"The following Docker Compose file can be used to execute the Docker container. It must be created in the ","type":"text"},{"text":"/devo-collectors//","type":"text","marks":[{"type":"code"}]},{"text":" directory.","type":"text"}]},{"type":"codeBlock","content":[{"text":"version: '3'\nservices:\n collector-:\n image: :${IMAGE_VERSION:-latest}\n container_name: collector-\n restart: always\n volumes:\n - ./certs:/devo-collector/certs\n - ./config:/devo-collector/config\n - ./credentials:/devo-collector/credentials\n - ./state:/devo-collector/state\n environment:\n - CONFIG_FILE=${CONFIG_FILE:-config.yaml}","type":"text"}]},{"type":"paragraph","content":[{"text":"To run the container using docker-compose, execute the following command from the ","type":"text"},{"text":"/devo-collectors//","type":"text","marks":[{"type":"code"}]},{"text":" directory:","type":"text"}]},{"type":"codeBlock","content":[{"text":"IMAGE_VERSION= docker-compose up -d","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Replace ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" with the proper values.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Collector services detail","type":"text"}]},{"type":"paragraph","content":[{"text":"This section is intended to explain how to proceed with specific actions for services.","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Events service","type":"text"}]},{"type":"expand","attrs":{"title":"Verify data collection"},"content":[{"type":"paragraph","content":[{"text":"Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.","type":"text"}]},{"type":"paragraph","content":[{"text":"This service has the following components:","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"0fc14022-ade5-4eae-ba9b-eaa9749ea4a9"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[135.0]},"content":[{"type":"paragraph","content":[{"text":"Component","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[595.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[135.0]},"content":[{"type":"paragraph","content":[{"text":"Setup","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[595.0]},"content":[{"type":"paragraph","content":[{"text":"The setup module is in charge of authenticating the service and managing the token expiration when needed.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[135.0]},"content":[{"type":"paragraph","content":[{"text":"Puller","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[595.0]},"content":[{"type":"paragraph","content":[{"text":"The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Setup output","type":"text"}]},{"type":"paragraph","content":[{"text":"A successful run has the following output messages for the setup module:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderCommonPullerSetup(example.collector,microsoftdefender_common_data_puller#111,alerts#predefined) -> Puller Setup started\nINFO InputProcess::MicrosoftDefenderCommonPullerSetup(example.collector,microsoftdefender_common_data_puller#111,alerts#predefined) -> We do not have a token. Getting a new one from the server.\nINFO InputProcess::MicrosoftDefenderCommonPullerSetup(example.collector,microsoftdefender_common_data_puller#111,alerts#predefined) -> Attempting to get OAuth2 token from Microsoft Defender server....\nINFO InputProcess::MicrosoftDefenderCommonPullerSetup(example.collector,microsoftdefender_common_data_puller#111,alerts#predefined) -> Successfully received JWT token from https://login.microsoftonline.com//oauth2/token which expires in 3599 seconds\nINFO InputProcess::MicrosoftDefenderCommonPullerSetup(example.collector,microsoftdefender_common_data_puller#111,alerts#predefined) -> Puller Setup terminated\nINFO InputProcess::MicrosoftDefenderCommonPullerSetup(example.collector,microsoftdefender_common_data_puller#111,alerts#predefined) -> Setup for module has been successfully executed","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Restart the persistence","type":"text"}]},{"type":"paragraph","content":[{"text":"This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Edit the configuration file.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Change the value of the ","type":"text"},{"text":"historical_poll_datetime","type":"text","marks":[{"type":"code"}]},{"text":" parameter to a different one.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Save the changes.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Restart the collector.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Note that this action clears the persistence and cannot be recovered in any way. Resetting persistence could result in duplicate or lost events.","type":"text"}]}]}]},{"type":"expand","attrs":{"title":"Alerts service"},"content":[{"type":"paragraph","content":[{"text":"This service uses the field ","type":"text"},{"text":"lastUpdateTime","type":"text","marks":[{"type":"code"}]},{"text":" as a time reference. The goal is to detect the evolution an alert has had. The alerts detected in Microsoft Defender can be updated. For example, they can update the status from ","type":"text"},{"text":"New","type":"text","marks":[{"type":"code"}]},{"text":" to ","type":"text"},{"text":"In Progress","type":"text","marks":[{"type":"code"}]},{"text":" or to ","type":"text"},{"text":"Resolved","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"This means the API can return the same alert ID multiple times, and it can be read and sent to Devo at different moments. However, keep in mind that ","type":"text"},{"text":"these are not duplicate events","type":"text","marks":[{"type":"strong"}]},{"text":", but the same event with a modification applied.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Devo categorization and destination","type":"text"}]},{"type":"paragraph","content":[{"text":"All events are ingested into table ","type":"text"},{"text":"edr.microsoft_defender.endpoint.alerts","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Data enrichment","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"97552ad7-4309-4543-bafd-276559f07a65"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[106.0]},"content":[{"type":"paragraph","content":[{"text":"Entity","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Config paratemeter","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Endpoint","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Result","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[106.0]},"content":[{"type":"paragraph","content":[{"text":"files","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"request_alert_related_files","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the alert with the counter of related files.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"/api/alerts/{alert_id}/files","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_files': int}","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[106.0]},"content":[{"type":"paragraph","content":[{"text":"ips","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"request_alert_related_ips","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the alert with the counter of related ips.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"/api/alerts/{alert_id}/ips","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_ips': int}","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[106.0]},"content":[{"type":"paragraph","content":[{"text":"machines","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"request_alert_related_machines","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the alert with the counter of related machines.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"/api/alerts/{alert_id}/machine","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_machines': int}","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[106.0]},"content":[{"type":"paragraph","content":[{"text":"domains","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"request_alert_related_domains","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the alert with the counter of related domains.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"/api/alerts/{alert_id}/domains","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_domains': int}","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[106.0]},"content":[{"type":"paragraph","content":[{"text":"users","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"request_alert_related_users","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the alert with the counter of related users.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"/api/alerts/{alert_id}/user","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[156.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_users': int}","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Verify data collection","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Puller Output","type":"text"}]},{"type":"paragraph","content":[{"text":"A successful initial run has the following output messages for the puller module:","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Note that the ","type":"text"},{"text":"PrePull","type":"text","marks":[{"type":"code"}]},{"text":" action is executed only one time before the first run of the ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action.","type":"text"}]}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderAlertsDataPuller(defender_atp,111,alerts,predefined) -> Starting data collection every 300 seconds\nINFO InputProcess::MicrosoftDefenderAlertsDataPuller(defender_atp,111,alerts,predefined) -> Pull Started for alerts. Retrieving timestamp: 2022-09-05 07:47:31.099770+00:00\nINFO InputProcess::MicrosoftDefenderAlertsDataPuller(defender_atp,111,alerts,predefined) -> 10 of 31 Alerts pulled so far\nINFO InputProcess::MicrosoftDefenderAlertsDataPuller(defender_atp,111,alerts,predefined) -> 20 of 31 Alerts pulled so far\nINFO InputProcess::MicrosoftDefenderAlertsDataPuller(defender_atp,111,alerts,predefined) -> 30 of 31 Alerts pulled so far\nINFO InputProcess::MicrosoftDefenderAlertsDataPuller(defender_atp,111,alerts,predefined) -> (Partial) Statistics for this pull cycle (1662364051099) so far: Number of requests made: 187; Number of events received: 31; Number of duplicated events filtered out: 0; Number of events generated and sent: 31; Average of events per second: 0.085\nINFO InputProcess::MicrosoftDefenderAlertsDataPuller(defender_atp,111,alerts,predefined) -> No more data pending to be pulled on the remote. Stopping the collection.\nINFO InputProcess::MicrosoftDefenderAlertsDataPuller(defender_atp,111,alerts,predefined) -> Statistics for this pull cycle (1662364051099): Number of requests made: 188; Number of events received: 31; Number of duplicated events filtered out: 0; Number of events generated and sent: 31; Average of events per second: 0.085\nINFO InputProcess::MicrosoftDefenderAlertsDataPuller(defender_atp,111,alerts,predefined) -> Pull terminated for alerts\nINFO InputProcess::MicrosoftDefenderAlertsDataPuller(defender_atp,111,alerts,predefined) -> Data collection completed. Elapsed time: 0.786 seconds. Waiting for 299.214 second(s) until the next one","type":"text"}]},{"type":"paragraph","content":[{"text":"After a successful collector’s execution (this is, no error logs were found), you should be able to see the following log message:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderAlertsDataPuller(defender_atp,111,alerts,predefined) -> Statistics for this pull cycle (1662364051099): Number of requests made: 188; Number of events received: 31; Number of duplicated events filtered out: 0; Number of events generated and sent: 31; Average of events per second: 0.085","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"@devo_pulling_id","type":"text","marks":[{"type":"code"}]},{"text":" value is injected into each event to allow grouping all events ingested by the same pull action. You can use it to get the exact events downloaded on that ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action in Loxcope.","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Note that a ","type":"text"},{"text":"Partial","type":"text","marks":[{"type":"code"}]},{"text":" Statistics Report will be displayed after downloading a page when the pagination is required to pull all available events. Look for the report without the ","type":"text"},{"text":"Partial","type":"text","marks":[{"type":"code"}]},{"text":" reference. ","type":"text"},{"text":"(Partial) Statistics for this pull cycle (@devo_pulling_id=1656602793.044179) so far: Number of requests made: 2; Number of events received: 45; Number of duplicated events filtered out: 0; Number of events generated and sent: 40.","type":"text","marks":[{"type":"code"}]}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Restart the persistence","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"This service makes use of persistence. Refer to ","type":"text"},{"text":"Restart the persistence","type":"text","marks":[{"type":"link","attrs":{"href":"https://additional.refined.site/space/LAD/178618369#Restart-the-persistence"}}]},{"text":" section.","type":"text"}]}]}]},{"type":"expand","attrs":{"title":"Machine service"},"content":[{"type":"paragraph","content":[{"text":"All events of this service are ingested into table ","type":"text"},{"text":"edr.microsoft_defender.endpoint.machines","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Data Enrichment","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"c08798e3-7332-46fc-ac0e-c7cbe7e34444"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[142.0]},"content":[{"type":"paragraph","content":[{"text":"Entity","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"Config paratemeter","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"Endpoint","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"Result","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[142.0]},"content":[{"type":"paragraph","content":[{"text":"logon_users","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"request_machine_logon_users","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the machine with the counter of related logged on users.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"/api/machines/{machine_id}/logonusers","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_logon_users': int}","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[142.0]},"content":[{"type":"paragraph","content":[{"text":"alerts","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"request_machine_related_alerts","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the machine with the counter of related alerts.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"/api/machines/{machine_id}/alerts","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_alerts': int}","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[142.0]},"content":[{"type":"paragraph","content":[{"text":"vulnerabilities","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"request_machine_vulnerabilities","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the machine with the counter of related vulnerabilities.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"/api/machines/{machine_id}/vulnerabilities","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_vulnerabilities': int}","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[142.0]},"content":[{"type":"paragraph","content":[{"text":"recommendations","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"request_machine_security_recommendations","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the machine with the counter of related recommendations.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"/api/machines/{machine_id}/recommendations","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[147.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_recommendations': int}","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Verify data collection","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Puller Output","type":"text"}]},{"type":"paragraph","content":[{"text":"A successful initial run has the following output messages for the puller module:","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Note that the ","type":"text"},{"text":"PrePull","type":"text","marks":[{"type":"code"}]},{"text":" action is executed only one time before the first run of the ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action.","type":"text"}]}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderMachinesDataPuller(defender_atp,111,machines,predefined) -> Starting data collection every 120 seconds\nINFO InputProcess::MicrosoftDefenderMachinesDataPuller(defender_atp,111,machines,predefined) -> Pull Started for machines. Retrieving timestamp: 2022-09-05 08:36:29.716343+00:00\nINFO InputProcess::MicrosoftDefenderMachinesDataPuller(defender_atp,111,machines,predefined) -> (Partial) Statistics for this pull cycle (1662366989716) so far: Number of requests made: 17; Number of events received: 4; Number of duplicated events filtered out: 0; Number of events generated and sent: 4; Average of events per second: 0.34\nINFO InputProcess::MicrosoftDefenderMachinesDataPuller(defender_atp,111,machines,predefined) -> No more data pending to be pulled on the remote. Stopping the collection.\nINFO InputProcess::MicrosoftDefenderMachinesDataPuller(defender_atp,111,machines,predefined) -> Statistics for this pull cycle (1662366989716): Number of requests made: 18; Number of events received: 4; Number of duplicated events filtered out: 0; Number of events generated and sent: 4; Average of events per second: 0.333\nINFO InputProcess::MicrosoftDefenderMachinesDataPuller(defender_atp,111,machines,predefined) -> Pull terminated for machines\nINFO InputProcess::MicrosoftDefenderMachinesDataPuller(defender_atp,111,machines,predefined) -> Data collection completed. Elapsed time: 12.003 seconds. Waiting for 107.997 second(s) until the next one","type":"text"}]},{"type":"paragraph","content":[{"text":"After a successful collector’s execution (this is, no error logs were found), you should be able to see the following log message:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderMachinesDataPuller(defender_atp,111,machines,predefined) -> Statistics for this pull cycle (1662366989716): Number of requests made: 18; Number of events received: 4; Number of duplicated events filtered out: 0; Number of events generated and sent: 4; Average of events per second: 0.333","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"@devo_pulling_id","type":"text","marks":[{"type":"code"}]},{"text":" value is injected into each event to allow grouping all events ingested by the same pull action. You can use it to get the exact events downloaded on that ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action in Loxcope.","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Restart the persistence","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"This service makes use of persistence. Refer to ","type":"text"},{"text":"Restart the persistence","type":"text","marks":[{"type":"link","attrs":{"href":"https://additional.refined.site/space/LAD/178618369#Restart-the-persistence"}}]},{"text":" section.","type":"text"}]}]}]},{"type":"expand","attrs":{"title":"Software service"},"content":[{"type":"paragraph","content":[{"text":"All events of this service are ingested into table ","type":"text"},{"text":"edr.microsoft_defender.endpoint.software","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Data Enrichment","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"0fe2cc16-5dc5-4289-ba52-459a202665e7"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"Entity","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[221.0]},"content":[{"type":"paragraph","content":[{"text":"Config paratemeter","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"Endpoint","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"Result","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"vulnerabilities","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[221.0]},"content":[{"type":"paragraph","content":[{"text":"request_vulnerabilities_by_software","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the software with the counter of related vulnerabilities.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"/api/software/{soft_id}/vulnerabilities","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_vulnerabilities': int}","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"missing kbs","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[221.0]},"content":[{"type":"paragraph","content":[{"text":"request_softtware_missing_kbs","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the software with the counter of related missing KBs.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"/api/software/{soft_id}/getmissingkbs","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_missing_kbs': int}","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"machines","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[221.0]},"content":[{"type":"paragraph","content":[{"text":"request_machines_by_software","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the software with the counter of related machines.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"/api/software/{soft_id}/machineReferences","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_machines': int}","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[86.0]},"content":[{"type":"paragraph","content":[{"text":"distributions","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[221.0]},"content":[{"type":"paragraph","content":[{"text":"request_softtware_version_distributions","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the software with the counter of related version distributions.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"/api/software/{soft_id}/distributions","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[141.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_version_distribution': int}","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Verify data collection","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Puller Output","type":"text"}]},{"type":"paragraph","content":[{"text":"A successful initial run has the following output messages for the puller module:","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Note that the ","type":"text"},{"text":"PrePull","type":"text","marks":[{"type":"code"}]},{"text":" action is executed only one time before the first run of the ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action.","type":"text"}]}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderSoftwaresDataPuller(defender_atp,111,software,predefined) -> Starting data collection every 120 seconds\nINFO InputProcess::MicrosoftDefenderSoftwaresDataPuller(defender_atp,111,software,predefined) -> Pull Started for software. Retrieving timestamp: 2022-09-05 08:39:53.719698+00:00\nINFO InputProcess::MicrosoftDefenderSoftwaresDataPuller(defender_atp,111,software,predefined) -> 10 of 17 Software entities pulled so far\nINFO InputProcess::MicrosoftDefenderSoftwaresDataPuller(defender_atp,111,software,predefined) -> (Partial) Statistics for this pull cycle (1662367193719) so far: Number of requests made: 69; Number of events received: 17; Number of duplicated events filtered out: 0; Number of events generated and sent: 17; Average of events per second: 0.879\nINFO InputProcess::MicrosoftDefenderSoftwaresDataPuller(defender_atp,111,software,predefined) -> No more data pending to be pulled on the remote. Stopping the collection.\nINFO InputProcess::MicrosoftDefenderSoftwaresDataPuller(defender_atp,111,software,predefined) -> Statistics for this pull cycle (1662367193719): Number of requests made: 70; Number of events received: 17; Number of duplicated events filtered out: 0; Number of events generated and sent: 17; Average of events per second: 0.867\nINFO InputProcess::MicrosoftDefenderSoftwaresDataPuller(defender_atp,111,software,predefined) -> Pull terminated for software\nINFO InputProcess::MicrosoftDefenderSoftwaresDataPuller(defender_atp,111,software,predefined) -> Data collection completed. Elapsed time: 19.617 seconds. Waiting for 100.383 second(s) until the next one","type":"text"}]},{"type":"paragraph","content":[{"text":"After a successful collector’s execution (this is, no error logs were found), you should be able to see the following log message:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderSoftwaresDataPuller(defender_atp,111,software,predefined) -> Statistics for this pull cycle (1662367193719): Number of requests made: 70; Number of events received: 17; Number of duplicated events filtered out: 0; Number of events generated and sent: 17; Average of events per second: 0.867","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"@devo_pulling_id","type":"text","marks":[{"type":"code"}]},{"text":" value is injected into each event to allow grouping all events ingested by the same pull action. You can use it to get the exact events downloaded on that ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action in Loxcope.","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Restart the persistence","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"This service makes use of persistence. Refer to ","type":"text"},{"text":"Restart the persistence","type":"text","marks":[{"type":"link","attrs":{"href":"https://additional.refined.site/space/LAD/178618369#Restart-the-persistence"}}]},{"text":" section.","type":"text"}]}]}]},{"type":"expand","attrs":{"title":"Vulnerabilities service"},"content":[{"type":"paragraph","content":[{"text":"All events of this service are ingested into table ","type":"text"},{"text":"edr.microsoft_defender.endpoint.vulnerabilities","type":"text","marks":[{"type":"code"}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Data Enrichment","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"d0e0349d-cbaf-46b6-a155-947a187a36f1"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[134.0]},"content":[{"type":"paragraph","content":[{"text":"Entity","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[149.0]},"content":[{"type":"paragraph","content":[{"text":"Config paratemeter","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[149.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[149.0]},"content":[{"type":"paragraph","content":[{"text":"Endpoint","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[149.0]},"content":[{"type":"paragraph","content":[{"text":"Result","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[134.0]},"content":[{"type":"paragraph","content":[{"text":"machines","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[149.0]},"content":[{"type":"paragraph","content":[{"text":"request_machine_by_vulnerabilities","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[149.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the vulnerability with the counter of related machines.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[149.0]},"content":[{"type":"paragraph","content":[{"text":"/api/vulnerabilities/{vuln_id}/machineReferences","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[149.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_machines': int}","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Verify data collection","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Puller Output","type":"text"}]},{"type":"paragraph","content":[{"text":"A successful initial run has the following output messages for the puller module:","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Note that the ","type":"text"},{"text":"PrePull","type":"text","marks":[{"type":"code"}]},{"text":" action is executed only one time before the first run of the ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action.","type":"text"}]}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> Starting data collection every 120 seconds\nINFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> Pull Started for vulnerabilities. Retrieving timestamp: 2022-09-05 08:46:59.292694+00:00\nINFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> 10 of 52 Vulnerabilities pulled so far\nINFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> 20 of 52 Vulnerabilities pulled so far\nINFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> 30 of 52 Vulnerabilities pulled so far\nINFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> 40 of 52 Vulnerabilities pulled so far\nINFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> 50 of 52 Vulnerabilities pulled so far\nINFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> (Partial) Statistics for this pull cycle (1662367619292) so far: Number of requests made: 105; Number of events received: 52; Number of duplicated events filtered out: 0; Number of events generated and sent: 52; Average of events per second: 1.749\nINFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> No more data pending to be pulled on the remote. Stopping the collection.\nINFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> Statistics for this pull cycle (1662367619292): Number of requests made: 106; Number of events received: 52; Number of duplicated events filtered out: 0; Number of events generated and sent: 52; Average of events per second: 1.708\nINFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> Pull terminated for vulnerabilities\nINFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> Data collection completed. Elapsed time: 30.445 seconds. Waiting for 89.555 second(s) until the next one","type":"text"}]},{"type":"paragraph","content":[{"text":"After a successful collector’s execution (this is, no error logs were found), you should be able to see the following log message:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderVulnerabilitiesDataPuller(defender_atp,111,vulnerabilities,predefined) -> Statistics for this pull cycle (1662367619292): Number of requests made: 106; Number of events received: 52; Number of duplicated events filtered out: 0; Number of events generated and sent: 52; Average of events per second: 1.708","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"@devo_pulling_id","type":"text","marks":[{"type":"code"}]},{"text":" value is injected into each event to allow grouping all events ingested by the same pull action. You can use it to get the exact events downloaded on that ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action in Loxcope.","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Note that a ","type":"text"},{"text":"Partial","type":"text","marks":[{"type":"code"}]},{"text":" Statistics Report will be displayed after download a page when the pagination is required to pull all available events. Look for the report without the ","type":"text"},{"text":"Partial","type":"text","marks":[{"type":"code"}]},{"text":" reference. ","type":"text"},{"text":"(Partial) Statistics for this pull cycle (@devo_pulling_id=1656602793.044179) so far: Number of requests made: 2; Number of events received: 45; Number of duplicated events filtered out: 0; Number of events generated and sent: 40.","type":"text","marks":[{"type":"code"}]}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Restart the persistence","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"This service makes use of persistence. Refer to ","type":"text"},{"text":"Restart the persistence","type":"text","marks":[{"type":"link","attrs":{"href":"https://additional.refined.site/space/LAD/178618369#Restart-the-persistence"}}]},{"text":" section.","type":"text"}]}]},{"type":"paragraph"}]},{"type":"expand","attrs":{"title":"Recommended service"},"content":[{"type":"paragraph","content":[{"text":"All events of this service are ingested into table ","type":"text"},{"text":"edr.microsoft_defender.endpoint.recommendations","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Data Enrichment","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"bbac33b2-ce36-447d-be19-6262fb46fd3a"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"Entity","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Config paratemeter","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Endpoint","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Result","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"software","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"request_recommendations_by_software","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the recommendation with the counter of related software.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"/api/recommendations/{recommendation_id}/software","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_software': int}","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"machines","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"request_machines_by_recommendations","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the recommendation with the counter of related machines.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"/api/recommendations/{recommendation_id}/machineReferences","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_machines': int}","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[126.0]},"content":[{"type":"paragraph","content":[{"text":"machines","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"request_vulnerability_by_recommendations","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Enrich the recommendation with the counter of related vulnerabilities.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"/api/recommendations/{recommendation_id}/vulnerabilities","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Add to the final message the field:","type":"text"}]},{"type":"paragraph","content":[{"text":"{..., 'related_vulnerabilities': int}","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Verify data collection","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Puller Output","type":"text"}]},{"type":"paragraph","content":[{"text":"A successful initial run has the following output messages for the puller module:","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Note that the ","type":"text"},{"text":"PrePull","type":"text","marks":[{"type":"code"}]},{"text":" action is executed only one time before the first run of the ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action.","type":"text"}]}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> Starting data collection every 120 seconds\nINFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> Pull Started for machines. Retrieving timestamp: 2022-09-05 08:51:31.498321+00:00\nINFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> 10 of 79 Recommendations pulled so far\nINFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> 20 of 79 Recommendations pulled so far\nINFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> 30 of 79 Recommendations pulled so far\nINFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> 40 of 79 Recommendations pulled so far\nINFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> 50 of 79 Recommendations pulled so far\nINFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> 60 of 79 Recommendations pulled so far\nINFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> 70 of 79 Recommendations pulled so far\nINFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> No more data pending to be pulled on the remote. Stopping the collection.\nINFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> Statistics for this pull cycle (1662367891498): Number of requests made: 239; Number of events received: 79; Number of duplicated events filtered out: 0; Number of events generated and sent: 79; Average of events per second: 1.21\nINFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> Pull terminated for recommendations\nINFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> Data collection completed. Elapsed time: 65.282 seconds. Waiting for 54.718 second(s) until the next one","type":"text"}]},{"type":"paragraph","content":[{"text":"After a successful collector’s execution (this is, no error logs were found), you should be able to see the following log message:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderRecommendationsDataPuller(defender_atp,111,recommendations,predefined) -> Statistics for this pull cycle (1662367891498): Number of requests made: 239; Number of events received: 79; Number of duplicated events filtered out: 0; Number of events generated and sent: 79; Average of events per second: 1.21","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"@devo_pulling_id","type":"text","marks":[{"type":"code"}]},{"text":" value is injected into each event to allow grouping all events ingested by the same pull action. You can use it to get the exact events downloaded on that ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action in Loxcope.","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Restart the persistence","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"This service makes use of persistence. Refer to ","type":"text"},{"text":"Restart the persistence","type":"text","marks":[{"type":"link","attrs":{"href":"https://additional.refined.site/space/LAD/178618369#Restart-the-persistence"}}]},{"text":" section.","type":"text"}]}]},{"type":"paragraph"}]},{"type":"expand","attrs":{"title":"Investigations service"},"content":[{"type":"paragraph","content":[{"text":"All events of this service are ingested into table ","type":"text"},{"text":"edr.microsoft_defender.endpoint.investigations","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Verify data collection","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Puller Output","type":"text"}]},{"type":"paragraph","content":[{"text":"A successful initial run has the following output messages for the puller module:","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Note that the ","type":"text"},{"text":"PrePull","type":"text","marks":[{"type":"code"}]},{"text":" action is executed only one time before the first run of the ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action.","type":"text"}]}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderInvestigationsDataPuller(defender_atp,111,investigations,predefined) -> Starting data collection every 120 seconds\nINFO InputProcess::MicrosoftDefenderInvestigationsDataPuller(defender_atp,111,investigations,predefined) -> Pull Started for investigations. Retrieving timestamp: 2022-09-05 08:55:01.142605+00:00\nINFO InputProcess::MicrosoftDefenderInvestigationsDataPuller(defender_atp,111,investigations,predefined) -> No more data pending to be pulled on the remote. Stopping the collection.\nINFO InputProcess::MicrosoftDefenderInvestigationsDataPuller(defender_atp,111,investigations,predefined) -> Statistics for this pull cycle (1662368101142): Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.0\nINFO InputProcess::MicrosoftDefenderInvestigationsDataPuller(defender_atp,111,investigations,predefined) -> Pull terminated for investigations\nINFO InputProcess::MicrosoftDefenderInvestigationsDataPuller(defender_atp,111,investigations,predefined) -> Data collection completed. Elapsed time: 0.327 seconds. Waiting for 119.673 second(s) until the next one","type":"text"}]},{"type":"paragraph","content":[{"text":"After a successful collector’s execution (this is, no error logs were found), you should be able to see the following log message:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderInvestigationsDataPuller(defender_atp,111,investigations,predefined) -> Statistics for this pull cycle (1662368101142): Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.0","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"@devo_pulling_id","type":"text","marks":[{"type":"code"}]},{"text":" value is injected into each event to allow grouping all events ingested by the same pull action. You can use it to get the exact events downloaded on that ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action in Loxcope.","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Restart the persistence","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"This service makes use of persistence. Refer to ","type":"text"},{"text":"Restart the persistence","type":"text","marks":[{"type":"link","attrs":{"href":"https://additional.refined.site/space/LAD/178618369#Restart-the-persistence"}}]},{"text":" section.","type":"text"}]}]},{"type":"paragraph"}]},{"type":"expand","attrs":{"title":"Advanced hunting service"},"content":[{"type":"paragraph","content":[{"text":"The events collected through this service are ingested into a custom table defined in the configuration file.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Verify data collection","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Puller Output","type":"text"}]},{"type":"paragraph","content":[{"text":"A successful initial run has the following output messages for the puller module:","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Note that the ","type":"text"},{"text":"PrePull","type":"text","marks":[{"type":"code"}]},{"text":" action is executed only one time before the first run of the ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action.","type":"text"}]}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderAdvancedHuntingDataPuller(defender_atp,111,advanced_hunting,predefined) -> Starting data collection every 120 seconds\nINFO InputProcess::MicrosoftDefenderAdvancedHuntingDataPuller(defender_atp,111,advanced_hunting,predefined) -> Pull Started for advanced hunting. Retrieving timestamp: 2022-09-05 08:56:34.803099+00:00\nINFO InputProcess::MicrosoftDefenderAdvancedHuntingDataPuller(defender_atp,111,advanced_hunting,predefined) -> Statistics for this pull cycle (1662368194803): Number of requests made: 1; Number of events received: 2; Number of duplicated events filtered out: 0; Number of events generated and sent: 2; Average of events per second: 4.27\nINFO InputProcess::MicrosoftDefenderAdvancedHuntingDataPuller(defender_atp,111,advanced_hunting,predefined) -> Pull terminated for advanced hunting.\nINFO InputProcess::MicrosoftDefenderAdvancedHuntingDataPuller(defender_atp,111,advanced_hunting,predefined) -> Data collection completed. Elapsed time: 0.469 seconds. Waiting for 119.531 second(s) until the next one","type":"text"}]},{"type":"paragraph","content":[{"text":"After a successful collector’s execution (this is, no error logs were found), you should be able to see the following log message:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderAdvancedHuntingDataPuller(defender_atp,111,advanced_hunting,predefined) -> Statistics for this pull cycle (1662368194803): Number of requests made: 1; Number of events received: 2; Number of duplicated events filtered out: 0; Number of events generated and sent: 2; Average of events per second: 4.27","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"@devo_pulling_id","type":"text","marks":[{"type":"code"}]},{"text":" value is injected into each event to allow grouping all events ingested by the same pull action. You can use it to get the exact events downloaded on that ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action in Loxcope.","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Restart the persistence","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"This service makes use of persistence. Refer to ","type":"text"},{"text":"Restart the persistence","type":"text","marks":[{"type":"link","attrs":{"href":"https://additional.refined.site/space/LAD/178618369#Restart-the-persistence"}}]},{"text":" section.","type":"text"}]}]},{"type":"paragraph"}]},{"type":"expand","attrs":{"title":"assesments service"},"content":[{"type":"paragraph","content":[{"text":"The events collected through this service are ingested into a custom table defined in the configuration file.","type":"text"}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Verify data collection","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Puller Output","type":"text"}]},{"type":"paragraph","content":[{"text":"A successful initial run has the following output messages for the puller module:","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Note that the ","type":"text"},{"text":"PrePull","type":"text","marks":[{"type":"code"}]},{"text":" action is executed only one time before the first run of the ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action.","type":"text"}]}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderAssessmentsDataPuller(defender_atp,111,assessments,predefined) -> Starting data collection every 120 seconds\nINFO InputProcess::MicrosoftDefenderAssessmentsDataPuller(defender_atp,111,assessments,predefined) -> Pull Started for advanced hunting. Retrieving timestamp: 2022-09-05 08:56:34.803099+00:00\nINFO InputProcess::MicrosoftDefenderAssessmentsDataPuller(defender_atp,111,assessments,predefined) -> Statistics for this pull cycle (1662368194803): Number of requests made: 1; Number of events received: 2; Number of duplicated events filtered out: 0; Number of events generated and sent: 2; Average of events per second: 4.27\nINFO InputProcess::MicrosoftDefenderAssessmentsDataPuller(defender_atp,111,assessments,predefined) -> Pull terminated for advanced hunting.\nINFO InputProcess::MicrosoftDefenderAssessmentsDataPuller(defender_atp,111,assessments,predefined) -> Data collection completed. Elapsed time: 0.469 seconds. Waiting for 119.531 second(s) until the next one","type":"text"}]},{"type":"paragraph","content":[{"text":"After a successful collector’s execution (this is, no error logs were found), you should be able to see the following log message:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MicrosoftDefenderAssessmentsDataPuller(defender_atp,111,assessments,predefined) -> Statistics for this pull cycle (1662368194803): Number of requests made: 1; Number of events received: 2; Number of duplicated events filtered out: 0; Number of events generated and sent: 2; Average of events per second: 4.27","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"@devo_pulling_id","type":"text","marks":[{"type":"code"}]},{"text":" value is injected into each event to allow grouping all events ingested by the same pull action. You can use it to get the exact events downloaded on that ","type":"text"},{"text":"Pull","type":"text","marks":[{"type":"code"}]},{"text":" action in Loxcope.","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Restart the persistence","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"This service makes use of persistence. Refer to ","type":"text"},{"text":"Restart the persistence","type":"text","marks":[{"type":"link","attrs":{"href":"https://additional.refined.site/space/LAD/178618369#Restart-the-persistence"}}]},{"text":" section.","type":"text"}]}]},{"type":"paragraph"}]},{"type":"expand","attrs":{"title":"Troubleshooting"},"content":[{"type":"paragraph","content":[{"text":"This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"278f5b66-f16f-445f-9ccd-f9b39ca087fd"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[128.0]},"content":[{"type":"paragraph","content":[{"text":"ErrorType","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","content":[{"text":"Error Id","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Error Message","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"Cause","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Solution","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":37,"colwidth":[128.0]},"content":[{"type":"paragraph","content":[{"text":"InitVariablesError","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"1","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"user_agent not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"user_agent","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type string, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"2","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"upper_bound_for_historical_poll_datetime not of expected type: int","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"upper_bound_for_historical_poll_datetime","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type integer, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"3","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Please enter valid upper_bound_for_historical_poll_datetime ranging from 0 to 365","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"upper_bound_for_historical_poll_datetime","type":"text","marks":[{"type":"code"}]},{"text":" property out of range, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"4","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"devo_tag not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"devo_tag","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type string, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"5","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"event_delay_in_seconds not of expected type: int","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"event_delay_in_seconds","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type integer, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"6","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Please enter valid event_delay_in_seconds ranging from 0 to 60","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"event_delay_in_seconds","type":"text","marks":[{"type":"code"}]},{"text":" property out of range, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"7","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"default_historic_polling_days not of expected type: int","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"default_historic_polling_days","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type integer, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"8","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Please enter valid default_historic_polling_days ranging from 0 to 10000","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"default_historic_polling_days","type":"text","marks":[{"type":"code"}]},{"text":" property out of range, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"9","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"api_url_regex not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"api_url_regex","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type string, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"10","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"historic_date_format not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"historic_date_format","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type string, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"11","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"page_size_in_events not of expected type: int","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"page_size_in_events","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type integer, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"12","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Please enter valid page_size_in_events ranging from 0 to 10000","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"page_size_in_events","type":"text","marks":[{"type":"code"}]},{"text":" property out of range, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"13","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"period_of_ratelimit_in_seconds not of expected type: int","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"period_of_ratelimit_in_seconds","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type integer, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"14","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Please enter valid period_of_ratelimit_in_seconds ranging from 0 to 60","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"period_of_ratelimit_in_seconds","type":"text","marks":[{"type":"code"}]},{"text":" property out of range, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"15","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"number_of_calls not of expected type: int","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"number_of_calls","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type integer, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"16","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Please enter valid number_of_calls ranging from 0 to 100","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"number_of_calls","type":"text","marks":[{"type":"code"}]},{"text":" property out of range, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"17","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Optional setting, historical_poll_datetime not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"historical_poll_datetime","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type string, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Edit the value of ","type":"text"},{"text":"historic_poll_datetime","type":"text","marks":[{"type":"code"}]},{"text":" in the config file, so it is of type ","type":"text"},{"text":"str","type":"text","marks":[{"type":"code"}]},{"text":". Or leave it empty so the collector starts pulling data N days ago at the current time.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"18","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"{historical_poll_datetime} does not match expected format {historic_date_format}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"historical_poll_datetime","type":"text","marks":[{"type":"code"}]},{"text":" property does not fit the expected format indicated in the error message.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Make the value of ","type":"text"},{"text":"historic_poll_datetime","type":"text","marks":[{"type":"code"}]},{"text":" in the config file match the indicated format. Or leave it empty so the collector starts pulling data N days ago at the current time.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"19","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"api_base_url not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"api_base_url","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type string, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"20","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"api_base_url must match regex: {api_url_regex}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"api_base_url","type":"text","marks":[{"type":"code"}]},{"text":" property does not fit the expected Regular Expression indicated in the error message, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"21","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"override_api_base_url not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"override_api_base_url","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type string, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Edit the value of ","type":"text"},{"text":"override_api_base_url","type":"text","marks":[{"type":"code"}]},{"text":" in the config file, so it is of type ","type":"text"},{"text":"str","type":"text","marks":[{"type":"code"}]},{"text":". Or leave it empty so the collector starts pulling data N days ago at the current time.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"22","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"override_api_base_url must match regex: {api_url_regex}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"override_api_base_url","type":"text","marks":[{"type":"code"}]},{"text":" property does not fit the expected Regular Expression indicated in the error message, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Edit the value of ","type":"text"},{"text":"override_api_base_url","type":"text","marks":[{"type":"code"}]},{"text":" in the config file, so it fits the indicated Regular Expression. Or leave it empty so the collector starts pulling data N days ago at the current time.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"23","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"token_url not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"token_url","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type string, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"24","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"token_url must match regex: {token_url}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"token_url","type":"text","marks":[{"type":"code"}]},{"text":" property does not fit the expected Regular Expression indicated in the error message, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"25","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"override_token_url not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"override_token_url","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type string, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Edit the value of ","type":"text"},{"text":"override_token_url","type":"text","marks":[{"type":"code"}]},{"text":" in the config file, so it is of type ","type":"text"},{"text":"str","type":"text","marks":[{"type":"code"}]},{"text":". Or leave it empty so the collector starts pulling data N days ago at the current time.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"26","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"override_token_url must match regex: {api_url_regex}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"override_token_url","type":"text","marks":[{"type":"code"}]},{"text":" property does not fit the expected Regular Expression indicated in the error message, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Edit the value of ","type":"text"},{"text":"override_token_url","type":"text","marks":[{"type":"code"}]},{"text":" in the config file, so it fits the indicated Regular Expression. Or leave it empty so the collector starts pulling data N days ago at the current time.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"27","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Required setting, credentials not found in user configuration","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"credentials","type":"text","marks":[{"type":"code"}]},{"text":" property not found in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Add ","type":"text"},{"text":"credentials","type":"text","marks":[{"type":"code"}]},{"text":" dictionary into config file, including ","type":"text"},{"text":"client_id","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"client_secret","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"tenant_id","type":"text","marks":[{"type":"code"}]},{"text":" properties.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"28","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Required setting, credentials not of expected type: dict","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"credentials","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type dict, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Edit the credentials property to be a dictionary, including ","type":"text"},{"text":"client_id","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"client_secret","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"tenant_id","type":"text","marks":[{"type":"code"}]},{"text":" properties.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"29","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Required setting, client_id not found in user configuration","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"client_id","type":"text","marks":[{"type":"code"}]},{"text":" property is not found in ","type":"text"},{"text":"credentials","type":"text","marks":[{"type":"code"}]},{"text":" dict, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Add ","type":"text"},{"text":"client_id","type":"text","marks":[{"type":"code"}]},{"text":" property into ","type":"text"},{"text":"credentials","type":"text","marks":[{"type":"code"}]},{"text":" dictionary.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"30","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Required setting, client_id not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"client_id","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type string, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Make sure ","type":"text"},{"text":"client_id","type":"text","marks":[{"type":"code"}]},{"text":" property is of type string.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"31","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Required setting, client_secret not found in user configuration","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"client_secret","type":"text","marks":[{"type":"code"}]},{"text":" property is not found in ","type":"text"},{"text":"credentials","type":"text","marks":[{"type":"code"}]},{"text":" dict, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Add ","type":"text"},{"text":"client_secret","type":"text","marks":[{"type":"code"}]},{"text":" property into ","type":"text"},{"text":"credentials","type":"text","marks":[{"type":"code"}]},{"text":" dictionary.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"32","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Required setting, client_secret not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"client_secret","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type string, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Make sure ","type":"text"},{"text":"client_secret","type":"text","marks":[{"type":"code"}]},{"text":" property is of type string.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"33","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Required setting, tenant_id not found in user configuration","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"tenant_id","type":"text","marks":[{"type":"code"}]},{"text":" property is not found in ","type":"text"},{"text":"credentials","type":"text","marks":[{"type":"code"}]},{"text":" dict, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Add ","type":"text"},{"text":"tenant_id","type":"text","marks":[{"type":"code"}]},{"text":" property into ","type":"text"},{"text":"credentials","type":"text","marks":[{"type":"code"}]},{"text":" dictionary.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"34","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Required setting, tenant_id not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"tenant_id","type":"text","marks":[{"type":"code"}]},{"text":" property is not of type string, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Make sure ","type":"text"},{"text":"tenant_id","type":"text","marks":[{"type":"code"}]},{"text":" property is of type string.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"35","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"{assessment_tag} not of expected type: str","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"{assessment_tag}","type":"text","marks":[{"type":"code"}]},{"text":" property indicated in the error message is not of type string, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"36","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Flag {flag} not of type bool","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"The property indicated by the error is not of type boolean, in internal configuration.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"37","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Overriden flag {flag} not of type bool","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"The property indicated by the error is not of type boolean, in config file.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Set the property indicated by the error to ","type":"text"},{"text":"true","type":"text","marks":[{"type":"code"}]},{"text":" or ","type":"text"},{"text":"false","type":"text","marks":[{"type":"code"}]},{"text":", in config file.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":3,"colwidth":[128.0]},"content":[{"type":"paragraph","content":[{"text":"SetupError","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"100","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Authentication failed: {message}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"The credentials used are not valid","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Ensure correct credentials are used.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"101","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Unexpected status code when fetching MicrosoftDefender JWT: {status_code} {message}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"The authentication was correct, but returned an unexpected status code.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"102","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Error occurred while accessing the access_token: {message}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"There has been an error during the authentication process.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":8,"colwidth":[128.0]},"content":[{"type":"paragraph","content":[{"text":"PullError","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"300","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Error occurred while fetching events from MicrosoftDefender.","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Error message: {error_message}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"There has been an error upon API request process.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"301","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"After {max_retries} retries still getting the too many requests error. Restarting the service.","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"Too many requests have been made to the API and retrial strategy did not work properly.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Check the ","type":"text"},{"text":"request_period_in_seconds","type":"text","marks":[{"type":"code"}]},{"text":" parameter for each service. Leaving bigger gaps between requests could solve the problem.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"310","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"The access token provided has been expired. New token will be created in the next poll.","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Status code: 401","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Error message: {error_message}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"Token has expired.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"After some time (typically 10 minutes) it should start pulling data again.","type":"text"}]},{"type":"paragraph","content":[{"text":"If it doesn’t, it means this is an internal issue, so contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"311","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"The access token does not have necessary permissions to retrieve events from Microsoft Defender","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Status code: 403","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Error message: {error_message}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"The resource to which the collector is asking for data is forbidden.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Check if the correct permissions are set for the resource that is being pulled.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"312","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"The requested URL {url} is not found. The URL may have been depreciated","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Status code: 404","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Error message: {error_message}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"The resource to which the collector is asking for data is not found.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"313","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"The server has returned {status_code} status code. The server may not be available for fetching events. Try after some time. Error message from server: {error_message}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"There has been an error at Microsoft Defender’s API server.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"Wait some time and try again. This should be solved by Microsoft.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"314","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Unexpected error occurred while getting events from MicrosoftDefender server","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Status code: {status_code}","type":"text","marks":[{"type":"code"}]}]},{"type":"paragraph","content":[{"text":"Error message: {error_message}","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"An unexpected, not common error was returned by the API.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[53.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"320","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[151.0]},"content":[{"type":"paragraph","content":[{"text":"Pause command has been detected in {class_name} class.","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[196.0]},"content":[{"type":"paragraph","content":[{"text":"An execution error forced the collector to stop.","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[202.0]},"content":[{"type":"paragraph","content":[{"text":"This is an internal issue. Contact with Devo Support team.","type":"text"}]}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Collector operations","type":"text"}]},{"type":"paragraph","content":[{"text":"This section is intended to explain how to proceed with specific operations of this collector.","type":"text"}]},{"type":"expand","attrs":{"title":"Verify collector operations"},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Initialization","type":"text"}]},{"type":"paragraph","content":[{"text":"The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.","type":"text"}]},{"type":"paragraph","content":[{"text":"A successful run has the following output messages for the initializer module:","type":"text"}]},{"type":"codeBlock","content":[{"text":"2022-08-05T10:02:14.825 INFO MainProcess::MainThread -> (CollectorMultiprocessingQueue) standard_queue_multiprocessing -> max_size_in_messages: 10000, max_size_in_mb: 1024, max_wrap_size_in_items: 100\n2022-08-05T10:02:14.916 INFO MainProcess::MainThread -> [OUTPUT] OutputMultiprocessingController::__init__ Configuration -> {'sidecar_0': {'type': 'sidecar', 'config': {'port': 601, 'address': 'sidecar-service-default.integrations-factory-collectors', 'concurrent_connections': 1, 'period_sender_stats_in_seconds': 300, 'activate_final_queue': False, 'threshold_for_using_gzip_in_transport_layer': 1.1, 'compression_level': 6, 'compression_buffer_in_bytes': 51200, 'generate_metrics': False}}}\n2022-08-05T10:02:14.918 INFO MainProcess::MainThread -> OutputProcess - Starting thread (executing_period=300s)\n2022-08-05T10:02:14.923 INFO MainProcess::MainThread -> InputProcess - Starting thread (executing_period=300s)\n2022-08-05T10:02:14.923 INFO OutputProcess::MainThread -> Process started\n2022-08-05T10:02:14.926 INFO InputProcess::MainThread -> Process Started\n2022-08-05T10:02:14.935 INFO OutputProcess::MainThread -> [INTERNAL LOGIC] SyslogSender::_validate_kwargs_for_method__init__ -> The

does not appear to be an IP address and cannot be verified: sidecar-service-default.integrations-factory-collectors\n2022-08-05T10:02:14.935 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderAlertsDataPuller\n2022-08-05T10:02:14.935 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.935 INFO InputProcess::MainThread -> Initialization of api_base_url has started.\n2022-08-05T10:02:14.936 INFO InputProcess::MainThread -> api_base_url has been initialized https://api.securitycenter.microsoft.com\n2022-08-05T10:02:14.936 INFO InputProcess::MainThread -> Initialization of token_url has started.\n2022-08-05T10:02:14.936 WARNING OutputProcess::MainThread -> [OUTPUT] OutputSenderManagerListLookup -> Lookup Service is UNAVAILABLE due to no compatible outputs have been found.\n2022-08-05T10:02:14.936 INFO InputProcess::MainThread -> token_url has been initialized https://login.microsoftonline.com\n2022-08-05T10:02:14.936 INFO InputProcess::MainThread -> Initialization of credentials has started.\n2022-08-05T10:02:14.936 INFO InputProcess::MainThread -> Credentials setting found and validated\n2022-08-05T10:02:14.936 INFO InputProcess::MainThread -> credentials have been initialized.\n2022-08-05T10:02:14.936 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.936 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderAlertsDataPuller\n2022-08-05T10:02:14.937 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderMachinesDataPuller\n2022-08-05T10:02:14.937 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.938 INFO InputProcess::MainThread -> Initialization of api_base_url has started.\n2022-08-05T10:02:14.938 INFO InputProcess::MainThread -> api_base_url has been initialized https://api.securitycenter.microsoft.com\n2022-08-05T10:02:14.938 INFO InputProcess::MainThread -> Initialization of token_url has started.\n2022-08-05T10:02:14.938 INFO InputProcess::MainThread -> token_url has been initialized https://login.microsoftonline.com\n2022-08-05T10:02:14.938 INFO InputProcess::MainThread -> Initialization of credentials has started.\n2022-08-05T10:02:14.938 INFO InputProcess::MainThread -> Credentials setting found and validated\n2022-08-05T10:02:14.938 INFO InputProcess::MainThread -> credentials have been initialized.\n2022-08-05T10:02:14.938 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.938 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderMachinesDataPuller\n2022-08-05T10:02:14.939 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderSoftwaresDataPuller\n2022-08-05T10:02:14.939 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.939 INFO InputProcess::MainThread -> Initialization of api_base_url has started.\n2022-08-05T10:02:14.939 INFO InputProcess::MainThread -> api_base_url has been initialized https://api.securitycenter.microsoft.com\n2022-08-05T10:02:14.939 INFO InputProcess::MainThread -> Initialization of token_url has started.\n2022-08-05T10:02:14.939 INFO InputProcess::MainThread -> token_url has been initialized https://login.microsoftonline.com\n2022-08-05T10:02:14.939 INFO InputProcess::MainThread -> Initialization of credentials has started.\n2022-08-05T10:02:14.939 INFO InputProcess::MainThread -> Credentials setting found and validated\n2022-08-05T10:02:14.939 INFO InputProcess::MainThread -> credentials have been initialized.\n2022-08-05T10:02:14.939 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.939 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderSoftwaresDataPuller\n2022-08-05T10:02:14.940 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderVulnerabilitiesDataPuller\n2022-08-05T10:02:14.940 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.940 INFO InputProcess::MainThread -> Initialization of api_base_url has started.\n2022-08-05T10:02:14.940 INFO InputProcess::MainThread -> api_base_url has been initialized https://api.securitycenter.microsoft.com\n2022-08-05T10:02:14.940 INFO InputProcess::MainThread -> Initialization of token_url has started.\n2022-08-05T10:02:14.940 INFO InputProcess::MainThread -> token_url has been initialized https://login.microsoftonline.com\n2022-08-05T10:02:14.940 INFO InputProcess::MainThread -> Initialization of credentials has started.\n2022-08-05T10:02:14.940 INFO OutputProcess::MainThread -> [INTERNAL LOGIC] SyslogSender::_validate_kwargs_for_method__init__ -> The

does not appear to be an IP address and cannot be verified: sidecar-service-default.integrations-factory-collectors\n2022-08-05T10:02:14.940 INFO InputProcess::MainThread -> Credentials setting found and validated\n2022-08-05T10:02:14.940 INFO InputProcess::MainThread -> credentials have been initialized.\n2022-08-05T10:02:14.940 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.940 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderVulnerabilitiesDataPuller\n2022-08-05T10:02:14.941 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderRecommendationsDataPuller\n2022-08-05T10:02:14.941 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.941 INFO InputProcess::MainThread -> Initialization of api_base_url has started.\n2022-08-05T10:02:14.941 INFO InputProcess::MainThread -> api_base_url has been initialized https://api.securitycenter.microsoft.com\n2022-08-05T10:02:14.942 INFO InputProcess::MainThread -> Initialization of token_url has started.\n2022-08-05T10:02:14.942 INFO InputProcess::MainThread -> token_url has been initialized https://login.microsoftonline.com\n2022-08-05T10:02:14.942 INFO InputProcess::MainThread -> Initialization of credentials has started.\n2022-08-05T10:02:14.942 INFO InputProcess::MainThread -> Credentials setting found and validated\n2022-08-05T10:02:14.942 INFO InputProcess::MainThread -> credentials have been initialized.\n2022-08-05T10:02:14.942 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.942 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderRecommendationsDataPuller\n2022-08-05T10:02:14.942 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderInvestigationsDataPuller\n2022-08-05T10:02:14.942 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.943 INFO InputProcess::MainThread -> Initialization of api_base_url has started.\n2022-08-05T10:02:14.943 INFO InputProcess::MainThread -> api_base_url has been initialized https://api.securitycenter.microsoft.com\n2022-08-05T10:02:14.943 INFO InputProcess::MainThread -> Initialization of token_url has started.\n2022-08-05T10:02:14.943 INFO InputProcess::MainThread -> token_url has been initialized https://login.microsoftonline.com\n2022-08-05T10:02:14.943 INFO InputProcess::MainThread -> Initialization of credentials has started.\n2022-08-05T10:02:14.943 INFO InputProcess::MainThread -> Credentials setting found and validated\n2022-08-05T10:02:14.943 INFO InputProcess::MainThread -> credentials have been initialized.\n2022-08-05T10:02:14.943 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.943 INFO InputProcess::MainThread -> InitVariables terminated for MicrosoftDefenderInvestigationsDataPuller\n2022-08-05T10:02:14.943 INFO OutputProcess::MainThread -> SyslogSender(standard_senders,syslog_sender_0) -> Starting thread\n2022-08-05T10:02:14.944 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderAdvancedHuntingDataPuller\n2022-08-05T10:02:14.944 INFO OutputProcess::MainThread -> SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Starting thread (every 300 seconds)\n2022-08-05T10:02:14.944 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.944 INFO InputProcess::MainThread -> Initialization of api_base_url has started.\n2022-08-05T10:02:14.944 INFO InputProcess::MainThread -> api_base_url has been initialized https://api.securitycenter.microsoft.com\n2022-08-05T10:02:14.944 INFO InputProcess::MainThread -> Initialization of token_url has started.\n2022-08-05T10:02:14.944 INFO InputProcess::MainThread -> token_url has been initialized https://login.microsoftonline.com\n2022-08-05T10:02:14.944 INFO InputProcess::MainThread -> Initialization of credentials has started.\n2022-08-05T10:02:14.944 INFO InputProcess::MainThread -> Credentials setting found and validated\n2022-08-05T10:02:14.944 INFO InputProcess::MainThread -> credentials have been initialized.\n2022-08-05T10:02:14.944 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.944 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderAdvancedHuntingDataPuller\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderAssessmentsDataPuller\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> InitVariables started for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> Initialization of api_base_url has started.\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> api_base_url has been initialized https://api.securitycenter.microsoft.com\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> Initialization of token_url has started.\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> token_url has been initialized https://login.microsoftonline.com\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> Initialization of credentials has started.\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> Credentials setting found and validated\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> credentials have been initialized.\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderBaseDataPuller\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> Initialization of secure_configuration_assessment has started.\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> secure_configuration_assessment has been initialized edr.microsoft_defender.endpoint.assessment_secure_configuration.1.json\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> Initialization of software_inventory_assessment has started.\n2022-08-05T10:02:14.945 INFO InputProcess::MainThread -> software_inventory_assessment has been initialized edr.microsoft_defender.endpoint.assessment_software_inventory.1.json\n2022-08-05T10:02:14.945 INFO OutputProcess::MainThread -> SyslogSenderManager(standard_senders,manager,sidecar_0) -> Starting thread\n2022-08-05T10:02:14.946 INFO InputProcess::MainThread -> Initialization of software_vulnerabilities_assessment has started.\n2022-08-05T10:02:14.946 INFO InputProcess::MainThread -> software_vulnerabilities_assessment has been initialized edr.microsoft_defender.endpoint.assessment_software_vulnerabilities.1.json\n2022-08-05T10:02:14.946 INFO InputProcess::MainThread -> Initialization of endpoint_for_secure_configuration_assessment has started.\n2022-08-05T10:02:14.946 INFO InputProcess::MainThread -> endpoint_for_secure_configuration_assessment has been initialized /SecureConfigurationsAssessmentExport\n2022-08-05T10:02:14.946 INFO InputProcess::MainThread -> Initialization of endpoint_for_software_inventory_assessment has started.\n2022-08-05T10:02:14.946 INFO InputProcess::MainThread -> endpoint_for_software_inventory_assessment has been initialized /SoftwareInventoryExport\n2022-08-05T10:02:14.946 INFO InputProcess::MainThread -> Initialization of endpoint_for_software_vulnerabilities_assessment has started.\n2022-08-05T10:02:14.946 INFO InputProcess::MainThread -> endpoint_for_software_vulnerabilities_assessment has been initialized /SoftwareVulnerabilitiesExport\n2022-08-05T10:02:14.946 INFO InputProcess::MainThread -> InitVariables Terminated for MicrosoftDefenderAssessmentsDataPuller","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Events delivery and Devo ingestion","type":"text"}]},{"type":"paragraph","content":[{"text":"The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.","type":"text"}]},{"type":"paragraph","content":[{"text":"A successful run has the following output messages for the initializer module:","type":"text"}]},{"type":"codeBlock","content":[{"text":"INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0\nINFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}\nINFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Sender: SyslogSender(standard_senders,syslog_sender_0), status: {\"internal_queue_size\": 0, \"is_connection_open\": True}\nINFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Standard - Total number of messages sent: 44, messages sent since \"2022-06-28 10:39:22.511671+00:00\": 44 (elapsed 0.007 seconds)\nINFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0\nINFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}\nINFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Sender: SyslogSender(internal_senders,syslog_sender_0), status: {\"internal_queue_size\": 0, \"is_connection_open\": True}\nINFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Internal - Total number of messages sent: 1, messages sent since \"2022-06-28 10:39:22.516313+00:00\": 1 (elapsed 0.019 seconds)","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"By default, these information traces will be displayed every 10 minutes.","type":"text"}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Sender services","type":"text"}]},{"type":"paragraph","content":[{"text":"The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (","type":"text"},{"text":"internal","type":"text","marks":[{"type":"code"}]},{"text":", ","type":"text"},{"text":"standard","type":"text","marks":[{"type":"code"}]},{"text":", and ","type":"text"},{"text":"lookup","type":"text","marks":[{"type":"code"}]},{"text":"). This collector uses the following Sender Services:","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"6bd704ef-0e1e-4407-992c-002264d15132"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[193.0]},"content":[{"type":"paragraph","content":[{"text":"Sender services","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[537.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[193.0]},"content":[{"type":"paragraph","content":[{"text":"internal_senders","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[537.0]},"content":[{"type":"paragraph","content":[{"text":"In charge of delivering internal metrics to Devo such as logging traces or metrics.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[193.0]},"content":[{"type":"paragraph","content":[{"text":"standard_senders","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[537.0]},"content":[{"type":"paragraph","content":[{"text":"In charge of delivering pulled events to Devo.","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":4},"content":[{"text":"Sender statistics","type":"text"}]},{"type":"paragraph","content":[{"text":"Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:","type":"text"}]},{"type":"table","attrs":{"layout":"default","localId":"b4ce6589-85aa-4583-b31b-545216de40ff"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Logging trace","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[463.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Number of available senders: 1","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[463.0]},"content":[{"type":"paragraph","content":[{"text":"Displays the number of concurrent senders available for the given Sender Service.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"sender manager internal queue size: 0","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[463.0]},"content":[{"type":"paragraph","content":[{"text":"Displays the items available in the internal sender queue.","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.","type":"text"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[267.0]},"content":[{"type":"paragraph","content":[{"text":"Total number of messages sent: 44, messages sent since \"2022-06-28 10:39:22.511671+00:00\": 21 (elapsed 0.007 seconds)","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[463.0]},"content":[{"type":"paragraph","content":[{"text":"Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"44 events were sent to Devo since the collector started.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The last checkpoint timestamp was ","type":"text"},{"text":"2022-06-28 10:39:22.511671+00:00","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"21 events where sent to Devo between the last UTC checkpoint and now.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Those 21 events required ","type":"text"},{"text":"0.007 seconds","type":"text","marks":[{"type":"code"}]},{"text":" to be delivered.","type":"text"}]}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"By default these traces will be shown every 10 minutes.","type":"text"}]}]}]}]}]}]},{"type":"expand","attrs":{"title":"Check memory usage"},"content":[{"type":"paragraph","content":[{"text":"To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The global pressure of the available memory is displayed in the ","type":"text"},{"text":"global","type":"text","marks":[{"type":"code"}]},{"text":" value.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"All metrics (Global, RSS, VMS) include the value before freeing and after ","type":"text"},{"text":"previous -> after freeing memory","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"codeBlock","content":[{"text":"INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)\nINFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)","type":"text"}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Some collectors can be tuned to reduce the memory impact when pulling data in large infrastructures.","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"Differences between ","type":"text"},{"text":"RSS","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"VMS","type":"text","marks":[{"type":"code"}]},{"text":" memory usage:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"RSS","type":"text","marks":[{"type":"code"}]},{"text":" is the Resident Set Size, which is the actual physical memory the process is using","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"VMS","type":"text","marks":[{"type":"code"}]},{"text":" is the Virtual Memory Size which is the virtual memory that process is using","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"Enable/disable the logging debug mode"},"content":[{"type":"paragraph","content":[{"text":"Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"To enable this option you just need to edit the configuration file and change the debug_status parameter from false to true and restart the collector.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"To disable this option, you just need to update the configuration file and change the debug_status parameter from true to false and restart the collector.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Change log","type":"text"}]},{"type":"table","attrs":{"layout":"default","width":760.0,"localId":"8e60cc8d-b3d4-4a2c-b424-fb7b45336b84"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Release","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[157.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Released on","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Release type","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[213.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Details","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"background":"var(--ds-background-neutral, #F4F5F7)","rowspan":1,"colwidth":[160.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Recommendations","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"v2.0.0","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[157.0]},"content":[{"type":"paragraph","content":[{"type":"date","attrs":{"timestamp":"1742515200000"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"blue","style":"bold","text":"IMPROVEMENT","localId":"ba4051d8-d054-4dc9-82c5-627dfdca444c"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[213.0]},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Added an new endpoint for the service assessments","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Updated Docker image to 1.4.1","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Updated ","type":"text"},{"text":"DevoCollectorSDK","type":"text","marks":[{"type":"code"}]},{"text":" from ","type":"text"},{"text":"v1.12.4","type":"text","marks":[{"type":"code"}]},{"text":" to ","type":"text"},{"text":"v1.15.0","type":"text","marks":[{"type":"code"}]},{"text":":","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Change internal queue management for protecting against OOMK","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Extracted ModuleThread structure from PullerAbstract","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Improve Controlled stop when both processes fails to instantiate","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Improve Controlled stop when InputProcess is killed","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Fixed error related a ValueError exception not well controlled","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Added new sender for relay in house + TLS","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Added persistence functionality for gzip sending buffer","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Fixed error related a ValueError exception not well controlled","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Fixed error related with loss of some values in internal messages","type":"text"}]}]}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[160.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Recommended version","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"v1.4.0","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[157.0]},"content":[{"type":"paragraph","content":[{"type":"date","attrs":{"timestamp":"1726617600000"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"blue","style":"bold","text":"IMPROVEMENT","localId":"69ce799b-2325-4827-87e8-af3f14d4ee44"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[213.0]},"content":[{"type":"paragraph","content":[{"text":"Improvements","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Updated ","type":"text"},{"text":"DevoCollectorSDK","type":"text","marks":[{"type":"code"}]},{"text":" from ","type":"text"},{"text":"v1.11.1","type":"text","marks":[{"type":"code"}]},{"text":" to ","type":"text"},{"text":"v1.12.4","type":"text","marks":[{"type":"code"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Added new sender for relay in house + TLS","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Added persistence functionality for gzip sending buffer","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Added Automatic activation of gzip sending","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Improved behaviour when persistence fails","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Upgraded DevoSDK dependency","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Fixed console log encoding","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Restructured python classes","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Improved behaviour with non-utf8 characters","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Decreased defaut size value for internal queues (Redis limitation, from 1GiB to 256MiB)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"New persistence format/structure (compression in some cases)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Removed dmesg execution (It was invalid for docker execution)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Applied changes to make DCSDK compatible with MacOS","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Upgrade DevoSDK dependency to version v5.4.0","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Change internal queue management for protecting against OOMK","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Extracted ModuleThread structure from PullerAbstract","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Improve Controlled stop when both processes fails to instantiate","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Improve Controlled stop when InputProcess is killed","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Bug related to lost of collector_name , collector_id and job_id","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Bug retaled queues and ValueError","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Updated the docker base image to 1.3.0","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[160.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Recommended version","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"v1.3.0","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[157.0]},"content":[{"type":"paragraph","content":[{"type":"date","attrs":{"timestamp":"1718582400000"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"blue","style":"bold","text":"IMPROVEMENT","localId":"16d79477-1e99-4b14-9c80-3233ed604b08"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[213.0]},"content":[{"type":"paragraph","content":[{"text":"Improvements","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Updated `DevoCollectorSDK` to `v1.11.1'","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[160.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Update","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"v1.2.0","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[157.0]},"content":[{"type":"paragraph","content":[{"type":"date","attrs":{"timestamp":"1709510400000"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"blue","style":"bold","text":"IMPROVEMENT","localId":"95daea01-8788-4902-8932-ceabc8b3b8eb"}}]},{"type":"paragraph","content":[{"type":"status","attrs":{"color":"green","style":"bold","text":"BUG FIXING","localId":"63a81330-e6d9-4512-ae09-a69fc9530b71"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[213.0]},"content":[{"type":"paragraph","content":[{"text":"Improvements","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Updated Docker image base to 1.2.0","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Updated `DevoCollectorSDK` to `v1.11.0'","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Fix for SyslogSender related to UTF-8","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Enhance of troubleshooting. Trace Standardization, Some traces has been introduced.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Introduced a mechanism to detect \"Out of Memory killer\" situation","type":"text"}]}]}]}]}]},{"type":"paragraph","content":[{"text":"Bug fixing","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Changed the persistence logic related to 'lastPollTime' to solve the bug related to duplication of events","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[160.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Update","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"v1.1.1","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[157.0]},"content":[{"type":"paragraph","content":[{"type":"date","attrs":{"timestamp":"1701648000000"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"green","style":"bold","text":"FEATURE","localId":"1fca494c-c1af-4c95-8daf-194c32645b07"}}]},{"type":"paragraph","content":[{"type":"status","attrs":{"color":"red","style":"bold","text":"BUG FIX","localId":"6fc19a20-2454-41c6-aa8b-2eb68dfff2c9"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[213.0]},"content":[{"type":"paragraph","content":[{"text":"New features","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Devo Collector SDK upgraded from ","type":"text"},{"text":"1.8.0","type":"text","marks":[{"type":"code"}]},{"text":" to ","type":"text"},{"text":"1.10.2","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Bug fixing","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Fix a use case that allowed sending duplicate events to Devo for the Alerts service, as the last IDs sent were deleted before required.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Fix a use case that avoided sending some events to Devo for the Alerts service, as the time of the latest sent event wasn’t appropriately persisted.","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[160.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Update","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"v1.1.0","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[157.0]},"content":[{"type":"paragraph","content":[{"type":"date","attrs":{"timestamp":"1686096000000"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"green","style":"bold","text":"FEATURE","localId":"d9e38ef3-88f0-4e9e-91f9-61b28aa3afa0"}}]},{"type":"paragraph","content":[{"type":"status","attrs":{"color":"red","style":"bold","text":"BUG FIX","localId":"0eaf8f99-7f4f-4e90-b8be-7abf5aba9147"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[213.0]},"content":[{"type":"paragraph","content":[{"text":"New features","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Machines service adapted to work as a snapshot-like service, instead of incrementally.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Devo Collector SDK upgraded from 1.4.4 to 1.8.0.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Bug fixing","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Upgrading the Devo Collector SDK solved a problem related to connection loss.","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[160.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Update","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"v1.0.1","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[157.0]},"content":[{"type":"paragraph","content":[{"type":"date","attrs":{"timestamp":"1673913600000"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"green","style":"bold","text":"FEATURE","localId":"50c88f35-9019-40c7-9824-998cefd7fcbd"}}]},{"type":"paragraph","content":[{"type":"status","attrs":{"color":"red","style":"bold","text":"BUG FIX","localId":"882d6b57-cb24-4e53-9ebc-0d802ad848b1"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[213.0]},"content":[{"type":"paragraph","content":[{"text":"New features","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Confirmed that only Application permissions are enough to run the collector.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Devo Collector SDK upgraded from 1.4.2 to 1.4.4.","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"Bug fixing","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Content Type header for Advanced Hunting set to ","type":"text"},{"text":"application/json","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[160.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"Upgrade","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[91.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"v1.0.0","type":"text","marks":[{"type":"code"}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[157.0]},"content":[{"type":"paragraph","content":[{"type":"date","attrs":{"timestamp":"1663632000000"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[139.0]},"content":[{"type":"paragraph","content":[{"type":"status","attrs":{"color":"green","style":"bold","text":"FEATURE","localId":"06833a76-c2ea-4cec-82bc-c7f8c6b38b29"}}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[213.0]},"content":[{"type":"paragraph","content":[{"text":"New features","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Alerts created in MS Defender are collected and enriched. The enrichment includes information related to evidences, domains, files, IPs, devices and users.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Machine information enriched with information related to logged on users, alerts, installed software, vulnerabilities and security recommendations.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Snapshot of software installed and enriched with data related to version distributions, machine, vulnerabilities and missing software updates.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Vulnerabilities information enriched with machines affected by the vulnerability.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Recommendations information snapshot, including information related to specific software, machines and vulnerabilities.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Investigations performed.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Advanced hunting, which allows making custom queries in Kusto Query Language.","type":"text"}]}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[160.0]},"content":[{"type":"paragraph","marks":[{"type":"alignment","attrs":{"align":"center"}}],"content":[{"text":"-","type":"text","marks":[{"type":"code"}]}]}]}]}]}],"version":1}

Browser not supported