Trend Micro Vision One collector

[ 1 Overview ] [ 2 Devo collector features ] [ 3 Data sources ] [ 4 Flattening preprocessing ] [ 5 Vendor setup ] [ 6 Minimum configuration required for basic pulling ] [ 7 Token creation (using Trend Micro) ] [ 8 Accepted authentication methods ] [ 9 Run the collector ] [ 10 API limitations and event delay ] [ 11 Collector services detail ] [ 12 Collector operations ] [ 13 Change log ]

Overview

Trend Micro Vision One is a purpose-built threat defense platform that provides added value and new benefits beyond XDR solutions, allowing you to see more and respond faster. Providing deep and broad extended detection and response (XDR) capabilities that collect and automatically correlate data across multiple security layers —email, endpoints, servers, cloud workloads, and networks— Trend Micro Vision One prevents the majority of attacks with automated protection.

Devo collector features

Feature	Details

Feature	Details
Allow parallel downloading	`not allowed`
Running environments	`collector server` `on-premise`
Populated Devo events	`table`
Flattening preprocessing	`yes`

Data sources

Data source	Description	API endpoint	Collector service name	Devo table	Available from release

Data source	Description	API endpoint	Collector service name	Devo table	Available from release
Audit logs	Audit log entries	/v3.0/audit/logs	audit	`xdr.trend_micro.vision_one.audit`	v1.0
Alerts	Displays information about workbench alerts	/v3.0/workbench/al	alerts	`xdr.trend_micro.vision_one.alerts`	v1.0
Observed attack techniques (OATs)	Displays information about OATs	/v3.0/oat/detections	observed_attack_techniques	`xdr.trend_micro.vision_one.observed_attack_techniques`	v1.0
Discovered devices information	Displays information about the devices Attack Surface Discovery found in your environment	/v3.0/asrm/attackSurfaceDevices	`discovered_device`	`xdr.trend_micro.vision_one.discovered_device`	v1.3
Device Vulnerabilities	Displays all the highly-exploitable CVEs found in a device	/v3.0/asrm/vulnerableDevices	`vulnerable_device`	`xdr.trend_micro.vision_one.vulnerable_device`	v1.3
Account compromise indicators	Displays a paginated list of events on user accounts that: Display unusual activity. Have been detected on the dark web. Have been targeted by malicious email campaigns.	/v3.0/asrm/accountCompromiseIndicators	`account_compromise_indicator`	`xdr.trend_micro.vision_one.account_compromise_indicator`	v1.3
Risk event definitions	Displays detailed information about risk events related to account compromise and the corresponding remediation and suggested actions.	/v3.0/asrm/accountCompromiseEventDefinitions	`risk_event_definition`	`xdr.trend_micro.vision_one.risk_event_definition`	v1.3
Device Risk Profile	Displays information about at-risk devices.	/v3.0/asrm/highRiskDevices	`device_risk_profile`	`xdr.trend_micro.vision_one.device_risk_profile`	v1.3
User Risk Profile	Displays information about at-risk users.	/v3.0/asrm/highRiskUsers	`user_risk_profile`	`xdr.trend_micro.vision_one.user_risk_profile`	v1.3

For more information on how the events are parsed, visit our page.

Flattening preprocessing

Data source	Collector service	Optional	Flattening details

Data source	Collector service	Optional
Alerts	alerts	`yes` `no`
Observed attack techniques	observed_attack_techniques	`yes` `no`
Device Vulnerabilities	vulnerable_device	`yes` `no`
Risk event definitions	risk_event_definition	`yes` `no`
Device risk profile	device_risk_profile	`yes` `no`
User risk profile	user_risk_profile	`yes` `no`

Vendor setup

There are some requirements to set up this collector:

Have administrative access to the Trend Micro XDR portal in order to retrieve the data.
Create an API key associated with an administrative user to authenticate the collector.

Follow these steps to obtain an access token:

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting	Details

Setting	Details
token	The token obtained from Trend Micro Vision One for authentication.

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Token creation (using Trend Micro)

Accepted authentication methods

Authentication method	token

Authentication method	token
token	REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

API limitations and event delay

The Trend Micro API is subject to rate limiting (see Trend Micro’s API Request Limits for details). In the event the collector encounters a 429 (that is, the requests hit a rate limit), the collector will attempt to gracefully respect the 429 rate limit and re-attempt the request three times before failing.
Authentication tokens expire after one year. You must create another token before expiration and reconfigure the collector to avoid downtime.
The services only allow pulling data from 5 days in the past and it will fail to start if the configuration does not comply with this limitation.
The Observed Attack Techniques endpoint can be very slow (around 15 seconds to resolve a request). The requests are paginated, so we send one page at a time to Devo but take into account that if there is any delay with the current date, it may take a long time to reach the current up-to-date info.

Event delay

One issue to consider is that Vision One API events aren't immediately available upon creation, specially in the Observed Attack Techniques endpoint. Only some events are available in real-time or near real-time. Most events arrive a few seconds or minutes after their 'detection time,' but some can arrive many minutes or even hours late.

Thus, attempting to fetch events in near real-time can lead to missed events by the collector. For instance, if we try to get events at 12:00 by querying the API for the 11:55-12:00 range, we'll only receive events that were already stored in the API at that time. A new event created at 11:58, which might arrive at 12:03, would be missed by a subsequent query at 12:05, as the API considers its detection time outside the specified range.

To address this, we can delay fetching events. Instead of querying the API immediately, we can wait, for example, until 13:00 to request events from 11:55 to 12:00. This way, the 11:58 event, even if it arrives by 12:03, will be included.

The override_fetch_gap_seconds parameter allows us to customize this delay. By setting it to 3600 seconds, for instance, the collector would query for the 11:55-12:00 range at 13:00.

However, this delay can impact real-time requirements.

For applications demanding near real-time data, a shorter delay of 300-600 seconds might be appropriate.
For applications prioritizing completeness over immediacy, a longer delay of several hours or even a day can ensure all events are captured.

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component	Description

Component	Description
Setup	The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller	The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

INFO InputProcess::MainThread -> VisionOnePullerSetup(unknown,trend_micro_vision_one#23,audit#predefined) -> Starting thread
INFO InputProcess::VisionOnePullerSetup(unknown,trend_micro_vision_one#23,audit#predefined) -> Setup for module <VisionOnePuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

INFO InputProcess::MainThread -> VisionOnePuller(trend_micro_vision_one,23,audit,predefined) - Starting thread
WARNING InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Waiting until setup will be executed
WARNING InputProcess::VisionOnePullerSetup(unknown,trend_micro_vision_one#23,audit#predefined) -> The token/header/authentication has not been created yet
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> VisionOnePuller(trend_micro_vision_one,23,audit,predefined) Starting the execution of pre_pull()
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Reading persisted data
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Data retrieved from the persistence: {'initial_start_time_in_utc': '2022-11-02T00:00:00Z', 'last_event_time_in_utc': '2022-12-16T19:03:04Z', 'last_ids': ['1c09b778f203997ab5bc6302a45c93f18d2efb78d56fc94433b1e12baf30ba80'], '@persistence_version': 1}
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Running the persistence upgrade steps
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Running the persistence corrections steps
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Running the persistence corrections steps
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Detected initial start time in UTC change: {'values_changed': {'root': {'new_value': '2022-11-03T00:00:00Z', 'old_value': '2022-11-02T00:00:00Z'}}}. Resetting state to {'initial_start_time_in_utc': '2022-11-03T00:00:00Z', 'last_event_time_in_utc': '2022-11-03T00:00:00Z', 'last_ids': [], '@persistence_version': 1}
WARNING InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Some changes have been detected and the persistence needs to be updated. Previous content: {'initial_start_time_in_utc': '2022-11-02T00:00:00Z', 'last_event_time_in_utc': '2022-12-16T19:03:04Z', 'last_ids': ['1c09b778f203997ab5bc6302a45c93f18d2efb78d56fc94433b1e12baf30ba80'], '@persistence_version': 1}. New content: {'initial_start_time_in_utc': '2022-11-03T00:00:00Z', 'last_event_time_in_utc': '2022-11-03T00:00:00Z', 'last_ids': [], '@persistence_version': 1}
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Updating the persistence
WARNING InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Persistence has been updated successfully
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> VisionOnePuller(trend_micro_vision_one,23,audit,predefined) Finalizing the execution of pre_pull()
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Starting data collection every 60 seconds
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Pull Started
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Retrieving/sending audit events having loggedDateTime between 2022-11-03T00:00:00+00:00 and 2023-01-10T14:23:04.419818+00:00 via get_audit_logs_batch method
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Updating the persistence
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1673360584419):Number of requests made: 1; Number of events received: 20; Number of duplicated events filtered out: 0; Number of events generated and sent: 20; Average of events per second: 16.337.
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Retrieving/sending audit events having loggedDateTime between 2022-12-16T19:03:04+00:00 and 2023-01-10T14:23:04.419818+00:00 via get_audit_logs_batch method
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1673360584419):Number of requests made: 2; Number of events received: 20; Number of duplicated events filtered out: 0; Number of events generated and sent: 20; Average of events per second: 8.182.
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1673360584419):Number of requests made: 2; Number of events received: 20; Number of duplicated events filtered out: 0; Number of events generated and sent: 20; Average of events per second: 8.174.
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> The data is up to date!
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Data collection completed. Elapsed time: 2.488 seconds. Waiting for 57.512 second(s) until the next one
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Pull Started
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> is_data_up_to_date: starts a new pull cycle
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Retrieving/sending audit events having loggedDateTime between 2022-12-16T19:03:04+00:00 and 2023-01-10T14:24:04.426632+00:00 via get_audit_logs_batch method
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1673360644426):Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1673360644426):Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> The data is up to date!
INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Data collection completed. Elapsed time: 1.176 seconds. Waiting for 58.824 second(s) until the next one

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

INFO InputProcess::VisionOnePuller(trend_micro_vision_one,23,audit,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1673360584419):Number of requests made: 2; Number of events received: 20; Number of duplicated events filtered out: 0; Number of events generated and sent: 20; Average of events per second: 8.174.

The value @devo_pulling_id is injected in each event to group all events ingested by the same pull action. You can use it to get the exact events downloaded in that Pull action in Devo’s search window.

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

Edit the configuration file.
Change the value of the historical_date_utc parameter to a different one.
Save the changes.
Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Note that this action clears the persistence and cannot be recovered in any way. Resetting persistence could result in duplicate or lost events.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type	Error ID	Error message	Cause	Solution

Error type	Error ID	Error message	Cause	Solution
SetupError	101	`Client fetch method [...] is not valid`	The `client_fetch_method` is not valid.	Contact support, this is a problem in the internal collector definitions.
	102	`HTTP Error while making request to Vision One API:`	The API returns an 401 or 403 error, likely the access token is not valid.	Make sure that the token is valid, generate a new one in Trend Micro if needed. Remember: Access token has an expiration date
	103	`Error while making request to Vision One API: [...]`	Other error accessing the API. For instance, there is a network issue.	The solution depends of the specific error message.
InitVariablesError	1	`Error while fetching collector variables: [..]`	One of required parameters is absent or a parameter has an incorrect type	Add the parameter or correct the type.
	2	`Error validating collector variables: [...]`	One of the parameters has the correct type but it is not correct. For instance, a date is not a valid date, or a number is out of its range.	Correct the parameter in the configuration file.
	3	`Error while creating client: [..]`	Other error inizializing the collector.	Solution depends on specific error message.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

2023-01-10T15:22:57.146    INFO MainProcess::MainThread -> Loading configuration using the following files: {"full_config": "config-josemi-test-local.yaml", "job_config_loc": null, "collector_config_loc": null}
2023-01-10T15:22:57.146    INFO MainProcess::MainThread -> Using the default location for "job_config_loc" file: "/etc/devo/job/job_config.json"
2023-01-10T15:22:57.147    INFO MainProcess::MainThread -> "\etc\devo\job" does not exists
2023-01-10T15:22:57.147    INFO MainProcess::MainThread -> Using the default location for "collector_config_loc" file: "/etc/devo/collector/collector_config.json"
2023-01-10T15:22:57.148    INFO MainProcess::MainThread -> "\etc\devo\collector" does not exists
2023-01-10T15:22:57.148    INFO MainProcess::MainThread -> Results of validation of config files parameters: {"config": "C:\git\collectors2\devo-collector-trend-micro-vision-one\config\config-josemi-test-local.yaml", "config_validated": True, "job_config_loc": "/etc/devo/job/job_config.json", "job_config_loc_default": True, "job_config_loc_validated": False, "collector_config_loc": "/etc/devo/collector/collector_config.json", "collector_config_loc_default": True, "collector_config_loc_validated": False}
2023-01-10T15:22:57.171 WARNING MainProcess::MainThread -> [WARNING] Illegal global setting has been ignored -> multiprocessing: False
2023-01-10T15:22:57.287    INFO MainProcess::MainThread -> Build time: "UNKNOWN", OS: "Windows-10-10.0.19045-SP0", collector(name:version): "A333:1.0.0", owner: "integrations_factory@devo.com", started at: "2023-01-10T14:22:57.184692Z"
2023-01-10T15:22:57.296    INFO MainProcess::MainThread -> Initialized all object from "MainProcess" process
2023-01-10T15:22:57.296    INFO MainProcess::MainThread -> OutputProcess - Starting thread (executing_period=120s)
2023-01-10T15:23:00.147    INFO MainProcess::MainThread -> InputProcess - Starting thread (executing_period=120s)
2023-01-10T15:23:00.153    INFO OutputProcess::MainThread -> Process started
2023-01-10T15:23:00.788    INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2023-01-10T15:23:00.789    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
2023-01-10T15:23:00.790    INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
2023-01-10T15:23:00.792    INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> Starting thread
2023-01-10T15:23:00.793    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(lookup_senders,devo_1) -> Starting thread (every 300 seconds)
2023-01-10T15:23:00.794    INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_1) -> Starting thread
2023-01-10T15:23:00.797    INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> Starting thread
2023-01-10T15:23:00.799    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(internal_senders,devo_1) -> Starting thread (every 300 seconds)
2023-01-10T15:23:00.800    INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_1) -> Starting thread

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

2023-01-10T15:23:00.788    INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2023-01-10T15:23:00.789    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
2023-01-10T15:23:00.790    INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
2023-01-10T15:23:00.842    INFO OutputProcess::MainThread -> global_status: {"output_process": {"process_id": 18804, "process_status": "running", "thread_counter": 21, "thread_names": ["MainThread", "pydevd.Writer", "pydevd.Reader", "pydevd.CommandThread", "pydevd.CheckAliveThread", "DevoSender(standard_senders,devo_sender_0)", "DevoSenderManagerMonitor(standard_senders,devo_1)", "DevoSenderManager(standard_senders,manager,devo_1)", "OutputStandardConsumer(standard_senders_consumer_0)", "DevoSender(lookup_senders,devo_sender_0)", "DevoSenderManagerMonitor(lookup_senders,devo_1)", "DevoSenderManager(lookup_senders,manager,devo_1)", "OutputLookupConsumer(lookup_senders_consumer_0)", "DevoSender(internal_senders,devo_sender_0)", "DevoSenderManagerMonitor(internal_senders,devo_1)", "DevoSenderManager(internal_senders,manager,devo_1)", "OutputInternalConsumer(internal_senders_consumer_0)"], "memory_info": {"rss": "58.28MiB", "vms": "47.50MiB", "num_page_faults": "20.06KiB", "peak_wset": "58.29MiB", "wset": "58.28MiB", "peak_paged_pool": "180.32KiB", "paged_pool": "180.20KiB", "peak_nonpaged_pool": "45.48KiB", "nonpaged_pool": "44.43KiB", "pagefile": "47.50MiB", "peak_pagefile": "47.50MiB", "private": "47.50MiB"}, "Consumers": {"standard": {"name": "OutputStandardConsumer(standard_senders_consumer_0)", "status": "RUNNING(10)", "non_active_reason": null, "is_pausing": false, "is_paused": false, "is_flushing": false, "is_flushed": false, "is_stopping": false, "is_stopped": false}, "lookup": {"name": "OutputLookupConsumer(lookup_senders_consumer_0)", "status": "RUNNING(10)", "non_active_reason": null, "is_pausing": false, "is_paused": false, "is_flushing": false, "is_flushed": false, "is_stopping": false, "is_stopped": false}, "internal": {"name": "OutputInternalConsumer(internal_senders_consumer_0)", "status": "RUNNING(10)", "non_active_reason": null, "is_pausing": false, "is_paused": false, "is_flushing": false, "is_flushed": false, "is_stopping": false, "is_stopped": false}}, "SenderManagers": {"standard": [{"name": "DevoSenderManager(standard_senders,manager,devo_1)", "status": "RUNNING(10)", "non_active_reason": null, "is_pausing": false, "is_paused": false, "is_flushing": false, "is_flushed": false, "is_stopping": false, "is_stopped": false, "internal_queue_size": 0, "senders": [{"name": "DevoSender(standard_senders,devo_sender_0)", "status": "RUNNING(10)", "non_active_reason": null, "is_running": true, "is_pausing": false, "is_paused": false, "is_stopping": false, "is_stopped": false, "details": {"name": "DevoSender(standard_senders,devo_sender_0)", "url": "collector-us.devo.io:443", "chain_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\chain_us.crt", "cert_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.crt", "key_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}}]}], "lookup": [{"name": "DevoSenderManager(lookup_senders,manager,devo_1)", "status": "RUNNING(10)", "non_active_reason": null, "is_pausing": false, "is_paused": false, "is_flushing": false, "is_flushed": false, "is_stopping": false, "is_stopped": false, "internal_queue_size": 0, "senders": [{"name": "DevoSender(lookup_senders,devo_sender_0)", "status": "RUNNING(10)", "non_active_reason": null, "is_running": true, "is_pausing": false, "is_paused": false, "is_stopping": false, "is_stopped": false, "details": {"name": "DevoSender(lookup_senders,devo_sender_0)", "url": "collector-us.devo.io:443", "chain_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\chain_us.crt", "cert_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.crt", "key_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}}]}], "internal": [{"name": "DevoSenderManager(internal_senders,manager,devo_1)", "status": "RUNNING(10)", "non_active_reason": null, "is_pausing": false, "is_paused": false, "is_flushing": false, "is_flushed": false, "is_stopping": false, "is_stopped": false, "internal_queue_size": 0, "senders": [{"name": "DevoSender(internal_senders,devo_sender_0)", "status": "RUNNING(10)", "non_active_reason": null, "is_running": true, "is_pausing": false, "is_paused": false, "is_stopping": false, "is_stopped": false, "details": {"name": "DevoSender(internal_senders,devo_sender_0)", "url": "collector-us.devo.io:443", "chain_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\chain_us.crt", "cert_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.crt", "key_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}}]}]}, "running_flag": true, "message_queues": {"standard": {"name": "standard_queue_multiprocessing", "max_size_in_messages": 1000, "max_size_in_mb": 1024, "max_wrap_size_in_items": 100, "current_size": 0, "put_lock": "<Lock(owner=None)>", "input_lock": "<multiprocessing.synchronize.Event object at 0x000001F0634FD0A0>"}, "lookup": {"name": "lookup_queue_multiprocessing", "max_size_in_messages": 1000, "max_size_in_mb": 1024, "max_wrap_size_in_items": 100, "current_size": 0, "put_lock": "<Lock(owner=None)>", "input_lock": "<multiprocessing.synchronize.Event object at 0x000001F063505F10>"}, "internal": {"name": "internal_queue_multiprocessing", "max_size_in_messages": 10000, "max_size_in_mb": 1024, "max_wrap_size_in_items": 100, "current_size": 1, "put_lock": "<Lock(owner=None)>", "input_lock": "<multiprocessing.synchronize.Event object at 0x000001F06350CAF0>"}}}}
2023-01-10T15:23:03.660    INFO OutputProcess::DevoSender(standard_senders,devo_sender_0) -> Created a sender: {"name": "DevoSender(standard_senders,devo_sender_0)", "url": "collector-us.devo.io:443", "chain_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\chain_us.crt", "cert_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.crt", "key_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "2020-EMEA-0117", session_id: "2131971226496"
2023-01-10T15:25:00.933    INFO OutputProcess::MainThread -> [GC] global: 81.5% -> 81.5%, process: RSS(60.42MiB -> 60.76MiB), VMS(47.58MiB -> 48.10MiB)
2023-01-10T15:25:00.960    INFO OutputProcess::MainThread -> global_status: {"output_process": {"process_id": 18804, "process_status": "running", "thread_counter": 20, "thread_names": ["MainThread", "pydevd.Writer", "pydevd.Reader", "pydevd.CommandThread", "pydevd.CheckAliveThread", "DevoSender(standard_senders,devo_sender_0)", "DevoSenderManagerMonitor(standard_senders,devo_1)", "DevoSenderManager(standard_senders,manager,devo_1)", "OutputStandardConsumer(standard_senders_consumer_0)", "DevoSender(lookup_senders,devo_sender_0)", "DevoSenderManagerMonitor(lookup_senders,devo_1)", "DevoSenderManager(lookup_senders,manager,devo_1)", "OutputLookupConsumer(lookup_senders_consumer_0)", "DevoSender(internal_senders,devo_sender_0)", "DevoSenderManagerMonitor(internal_senders,devo_1)", "DevoSenderManager(internal_senders,manager,devo_1)", "OutputInternalConsumer(internal_senders_consumer_0)"], "memory_info": {"rss": "60.77MiB", "vms": "48.10MiB", "num_page_faults": "20.71KiB", "peak_wset": "60.77MiB", "wset": "60.77MiB", "peak_paged_pool": "184.05KiB", "paged_pool": "183.92KiB", "peak_nonpaged_pool": "77.56KiB", "nonpaged_pool": "46.31KiB", "pagefile": "48.10MiB", "peak_pagefile": "48.10MiB", "private": "48.10MiB"}, "Consumers": {"standard": {"name": "OutputStandardConsumer(standard_senders_consumer_0)", "status": "RUNNING(10)", "non_active_reason": null, "is_pausing": false, "is_paused": false, "is_flushing": false, "is_flushed": false, "is_stopping": false, "is_stopped": false}, "lookup": {"name": "OutputLookupConsumer(lookup_senders_consumer_0)", "status": "RUNNING(10)", "non_active_reason": null, "is_pausing": false, "is_paused": false, "is_flushing": false, "is_flushed": false, "is_stopping": false, "is_stopped": false}, "internal": {"name": "OutputInternalConsumer(internal_senders_consumer_0)", "status": "RUNNING(10)", "non_active_reason": null, "is_pausing": false, "is_paused": false, "is_flushing": false, "is_flushed": false, "is_stopping": false, "is_stopped": false}}, "SenderManagers": {"standard": [{"name": "DevoSenderManager(standard_senders,manager,devo_1)", "status": "RUNNING(10)", "non_active_reason": null, "is_pausing": false, "is_paused": false, "is_flushing": false, "is_flushed": false, "is_stopping": false, "is_stopped": false, "internal_queue_size": 0, "senders": [{"name": "DevoSender(standard_senders,devo_sender_0)", "status": "RUNNING(10)", "non_active_reason": null, "is_running": true, "is_pausing": false, "is_paused": false, "is_stopping": false, "is_stopped": false, "details": {"name": "DevoSender(standard_senders,devo_sender_0)", "url": "collector-us.devo.io:443", "chain_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\chain_us.crt", "cert_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.crt", "key_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.key", "transport_layer_type": "SSL", "last_usage_timestamp": "2023-01-10T14:23:05.681930", "socket_status": {"remote_hostname": "collector-us.devo.io", "timeout": 30.0, "session_stats": {"number": 0, "connect": 1, "connect_good": 1, "connect_renegotiate": 0, "accept": 0, "accept_good": 0, "accept_renegotiate": 0, "hits": 0, "misses": 0, "timeouts": 0, "cache_full": 0}, "details": "<ssl.SSLSocket fd=1528, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('192.168.1.115', 61259), raddr=('34.235.61.7', 443)>"}}}]}], "lookup": [{"name": "DevoSenderManager(lookup_senders,manager,devo_1)", "status": "RUNNING(10)", "non_active_reason": null, "is_pausing": false, "is_paused": false, "is_flushing": false, "is_flushed": false, "is_stopping": false, "is_stopped": false, "internal_queue_size": 0, "senders": [{"name": "DevoSender(lookup_senders,devo_sender_0)", "status": "RUNNING(10)", "non_active_reason": null, "is_running": true, "is_pausing": false, "is_paused": false, "is_stopping": false, "is_stopped": false, "details": {"name": "DevoSender(lookup_senders,devo_sender_0)", "url": "collector-us.devo.io:443", "chain_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\chain_us.crt", "cert_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.crt", "key_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}}]}], "internal": [{"name": "DevoSenderManager(internal_senders,manager,devo_1)", "status": "RUNNING(10)", "non_active_reason": null, "is_pausing": false, "is_paused": false, "is_flushing": false, "is_flushed": false, "is_stopping": false, "is_stopped": false, "internal_queue_size": 0, "senders": [{"name": "DevoSender(internal_senders,devo_sender_0)", "status": "RUNNING(10)", "non_active_reason": null, "is_running": true, "is_pausing": false, "is_paused": false, "is_stopping": false, "is_stopped": false, "details": {"name": "DevoSender(internal_senders,devo_sender_0)", "url": "collector-us.devo.io:443", "chain_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\chain_us.crt", "cert_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.crt", "key_path": "C:\\git\\collectors2\\devo-collector-trend-micro-vision-one\\certs\\josegarrido_us.key", "transport_layer_type": "SSL", "last_usage_timestamp": "2023-01-10T14:24:05.613885", "socket_status": {"remote_hostname": "collector-us.devo.io", "timeout": 30.0, "session_stats": {"number": 0, "connect": 1, "connect_good": 1, "connect_renegotiate": 0, "accept": 0, "accept_good": 0, "accept_renegotiate": 0, "hits": 0, "misses": 0, "timeouts": 0, "cache_full": 0}, "details": "<ssl.SSLSocket fd=1476, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('192.168.1.115', 61256), raddr=('34.235.61.7', 443)>"}}}]}]}, "running_flag": true, "message_queues": {"standard": {"name": "standard_queue_multiprocessing", "max_size_in_messages": 1000, "max_size_in_mb": 1024, "max_wrap_size_in_items": 100, "current_size": 0, "put_lock": "<Lock(owner=None)>", "input_lock": "<multiprocessing.synchronize.Event object at 0x000001F0634FD0A0>"}, "lookup": {"name": "lookup_queue_multiprocessing", "max_size_in_messages": 1000, "max_size_in_mb": 1024, "max_wrap_size_in_items": 100, "current_size": 0, "put_lock": "<Lock(owner=None)>", "input_lock": "<multiprocessing.synchronize.Event object at 0x000001F063505F10>"}, "internal": {"name": "internal_queue_multiprocessing", "max_size_in_messages": 10000, "max_size_in_mb": 1024, "max_wrap_size_in_items": 100, "current_size": 0, "put_lock": "<Lock(owner=None)>", "input_lock": "<multiprocessing.synchronize.Event object at 0x000001F06350CAF0>"}}}}
2023-01-10T15:25:04.436    INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> Consumed messages: 8, total_bytes: 5736 (60.003418 seconds)
2023-01-10T15:25:04.440    INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Consumed messages: 8 messages (60.002855 seconds) => 0 msg/sec
2023-01-10T15:26:04.453    INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> Consumed messages: 7, total_bytes: 5131 (60.016978 seconds)
2023-01-10T15:26:04.456    INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Consumed messages: 7 messages (60.015667 seconds) => 0 msg/sec
2023-01-10T17:09:16.104    INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,devo_1) -> Number of available senders: 1, sender manager internal queue size: 0
2023-01-10T17:09:16.104    INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_1) -> Number of available senders: 1, sender manager internal queue size: 0
2023-01-10T17:09:16.105    INFO OutputProcess::DevoSenderManagerMonitor(standard_senders,devo_1) -> This sender has not been used for 296.409026 seconds, it will be closed and destroyed
2023-01-10T17:09:16.107    INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,devo_1) -> enqueued_elapsed_times_in_seconds_stats: {}
2023-01-10T17:09:16.109    INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_1) -> enqueued_elapsed_times_in_seconds_stats: {}
2023-01-10T17:09:16.112    INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,devo_1) -> Sender: DevoSender(internal_senders,devo_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
2023-01-10T17:09:16.114    INFO OutputProcess::DevoSenderManagerMonitor(standard_senders,devo_1) -> Number of available senders: 1, sender manager internal queue size: 0
2023-01-10T17:09:16.114    INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_1) -> Sender: DevoSender(lookup_senders,devo_sender_0), status: {"internal_queue_size": 0, "is_connection_open": False}
2023-01-10T17:09:16.115    INFO OutputProcess::DevoSenderManagerMonitor(internal_senders,devo_1) -> Internal - Total number of messages sent: 66, messages sent since "2023-01-10 16:04:16.071006+00:00": 66 (elapsed 0.335 seconds)
2023-01-10T17:09:16.117    INFO OutputProcess::DevoSenderManagerMonitor(standard_senders,devo_1) -> enqueued_elapsed_times_in_seconds_stats: {}
2023-01-10T17:09:16.118    INFO OutputProcess::DevoSenderManagerMonitor(lookup_senders,devo_1) -> Lookup - Total number of messages sent: 0, messages sent since "2023-01-10 16:04:16.010755+00:00": 0 (elapsed 0.000 seconds)
2023-01-10T17:09:16.119    INFO OutputProcess::DevoSenderManagerMonitor(standard_senders,devo_1) -> Sender: DevoSender(standard_senders,devo_sender_0), status: {"internal_queue_size": 0, "is_connection_open": False}

By default, these information traces will be displayed every 10 minutes.

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services	Description

Sender services	Description
`internal_senders`	In charge of delivering internal metrics to Devo such as logging traces or metrics.
`standard_senders`	In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace	Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.

Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds)

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

57 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.
0 events where sent to Devo between the last UTC checkpoint and now.
Those 0 events required 0.000 seconds to be delivered.

By default these traces will be shown every 10 minutes.

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)

Differences between RSS and VMS memory usage:

RSS is the Resident Set Size, which is the actual physical memory the process is using
VMS is the Virtual Memory Size which is the virtual memory that process is using

Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.

To enable this option you just need to edit the configuration file and change the debug_status parameter from false to true and restart the collector.
To disable this option, you just need to update the configuration file and change the debug_status parameter from true to false and restart the collector.

For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode.

Change log

Release	Released on	Release type	Recommendations

Release	Released on	Release type	Recommendations
`v1.3.0`	Nov 22, 2024	IMPROVEMENT	`Recommended version`
`v1.3.0`	New features New endpoints for risk insights: discovered_device vulnerable_device account_compromise_indicator risk_event_definition device_risk_profile user_risk_profile
`v1.2.3`	Nov 18, 2024	Bug fixIMPROVEMENT	`Upgrade`
`v1.2.3`	Bug fixing Added parameter `fetch_gap_seconds` Improvements Upgraded the DCSDK from 1.12.4 to 1.13.1 Change internal queue management to protect against OOMK Extracted ModuleThread structure from PullerAbstract Improve Controlled stop when both processes fail to instantiate Improve Controlled stop when InputProcess is killed Fixed error related to a ValueError exception not well-controlled Upgraded SDK image base from 1.3.0 to 1.3.1
`v1.2.2`	Oct 7, 2024	BUG FIXING	`Upgrade`
`v1.2.2`	Bug fixing Fix the problem with `initial_start_time_in_utc` if absent from the configuration Fix the missing events in the `observed attack techniques` service
`v1.2.1`	Jul 28, 2023	BUG FIXING	`Upgrade`
`v1.2.1`	Bug fixing Fix reading `base_url` from the configuration
`v1.2.0`	Jul 27, 2023	IMPROVEMENT BUG FIXING	`Upgrade`
`v1.2.0`	Improvements Upgraded DCSDK from `1.9.0` to `1.12.4` Upgraded Base Docker Image to `1.3.0` Improved pagination handling in the `observed attack techniques` service Added `refresh_interval_in_seconds` parameter to autoconfig settings Bug fixing Fixed issue with start date in the configuration. Added checking the start date in the configuration to be no earlier than 5 days.
`v1.1.0`	Jul 20, 2023	IMPROVEMENT BUG FIXING	`Upgrade`
`v1.1.0`	Improvements: Update DCSDK from 1.5.1 to 1.9.0: Ability to validate collector setup and exit without pulling any data Ability to store in the persistence the messages that couldn't be sent after the collector stopped Ability to send messages from the persistence when the collector starts and before the puller begins working Ensure special characters are properly sent to the platform Added a lock to enhance sender object Added new class attrs to the setstate and getstate queue methods Fix sending attribute value to the setstate and getstate queue methods Added log traces when queues are full and have to wait Added log traces of queues time waiting every minute in debug mode Added method to calculate queue size in bytes Block incoming events in queues when there are no space left Send telemetry events to Devo platform Upgraded internal Python dependency Redis to v4.5.4 Upgraded internal Python dependency DevoSDK to v5.1.3 Fixed obfuscation not working when messages are sent from templates New method to figure out if a puller thread is stopping Upgraded internal Python dependency DevoSDK to v5.0.6 Improved logging on messages/bytes sent to Devo platform Fixed wrong bytes size calculation for queues New functionality to count bytes sent to Devo Platform (shown in console log) Upgraded internal Python dependency DevoSDK to v5.0.4 Fixed bug in persistence management process, related to persistence reset Aligned source code typing to be aligned with Python 3.9.x Inject environment property from user config Obfuscation service can be now configured from user config and module definiton Obfuscation service can now obfuscate items inside arrays Bugs fixing: Controlled for the audit service that the start date is no earlier than 180 days or that the collector has not been idle for more than that period of time due to API's own restriction.

Devo latest