(deprecated) SentinelOne Deep Visibility with Cloud Funnel collector

[ 1 Overview ] [ 2 Devo collector features ] [ 3 Data sources ] [ 4 Flattening preprocessing ] [ 5 Accepted authentication methods ] [ 6 Minimum configuration required for basic pulling ] [ 7 Run the collector ] [ 8 Collector services detail ] [ 9 Collector operations ] [ 10 Change log for v1.x.x ]

Deprecated collector

This collector is deprecated and no longer supported by us. Please use the procedure described here to set up data ingestion.

Overview

SentinelOne Deep Visibility extends the SentinelOne Endpoint Protection Platform (EPP) to provide full visibility into endpoint data. Its patented kernel-based monitoring allows a near real-time search across endpoints for all indicators of compromise (IOC) to empower security teams to augment real-time threat detection capabilities with a powerful tool that enables threat hunting.

Devo collector features

Feature	Details

Feature	Details
Allow parallel downloading (`multipod`)	`allowed`
Running environments	`collector server` `on-premise`
Populated Devo events	`table`
Flattening preprocessing	`no`

Data sources

Data source	Description	API endpoint	Collector service name	Devo table	Available from release

Data source	Description	API endpoint	Collector service name	Devo table	Available from release
Cloud Funnel	Deep Visibility data stored in AWS via Cloud Funnel	`AWS S3 and SQS (via boto3 libraries)`	cloud_funnel	`edr.sentinelone.dv.{event_category}`	`v1.0.0`

For more information on how the events are parsed, visit our page.

Flattening preprocessing

Data source	Collector service	Optional	Flattening details

Data source	Collector service	Optional	Flattening details
Source	Service	`no`	Flattening steps

Accepted authentication methods

Authentication method	AWS Access Key	AWS Secret Access Key

Authentication method	AWS Access Key	AWS Secret Access Key
AWS access key/secret	status:REQUIRED	status:REQUIRED

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting	Details

Setting	Details
`aws_access_key_id`	Credentials aws_access_key_id
`aws_secret_access_key`	Credentials aws_secret_access_key
`region`	AWS region
`queue_name`	AWS SQS queue_name

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component	Description

Component	Description
Setup	The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller	The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

2023-04-24T10:07:07.753    INFO InputProcess::MainThread -> SentinelOneCloudFunnelPullerSetup(sentinelone-cloud-funnel,cloud_funnel#12345,events#predefined) -> Starting thread
2023-04-24T10:07:07.753 WARNING InputProcess::SentinelOneCloudFunnelPullerSetup(sentinelone-cloud-funnel,cloud_funnel#12345,events#predefined) -> The token/header/authentication has not been created yet
2023-04-24T10:07:07.836    INFO InputProcess::SentinelOneCloudFunnelPullerSetup(sentinelone-cloud-funnel,cloud_funnel#12345,events#predefined) -> Checking if SQS queue arn:aws:sqs:us-east-1:384869583565:devo-s1-sqs exists
2023-04-24T10:07:08.724    INFO InputProcess::SentinelOneCloudFunnelPullerSetup(sentinelone-cloud-funnel,cloud_funnel#12345,events#predefined) -> SQS queue arn:aws:sqs:us-east-1:384869583565:devo-s1-sqs exists. Records are pullable.
2023-04-24T10:07:08.724    INFO InputProcess::SentinelOneCloudFunnelPullerSetup(sentinelone-cloud-funnel,cloud_funnel#12345,events#predefined) -> Setup for module <SentinelOneCloudFunnelPuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

INFO MainThg for 4.517 second(s) until the next one

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

2023-04-24T10:07:08.756    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> Pull Started
2023-04-24T10:07:09.267    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> Fetched 10 message(s) from SQS arn:aws:sqs:us-east-1:384869583565:devo-s1-sqs. Extracting records from S3 files.
2023-04-24T10:07:12.211    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> (Partial) Number of messages per tag sent so far in this partial pull cycle: {'edr.sentinelone.dv.dns': 23, 'edr.sentinelone.dv.registry': 430, 'edr.sentinelone.dv.file': 294, 'edr.sentinelone.dv.ip': 15, 'edr.sentinelone.dv.logins': 14, 'edr.sentinelone.dv.scheduled_task': 2, 'edr.sentinelone.dv.group': 1, 'edr.sentinelone.dv.process': 2, 'edr.sentinelone.dv.cross_process': 2}
2023-04-24T10:07:12.211    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1682323628755):Number of requests made: 21; Number of events received: 783; Number of duplicated events filtered out: 0; Number of events generated and sent: 783; Average of events per second: 226.657.
2023-04-24T10:07:12.784    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> Fetched 10 message(s) from SQS arn:aws:sqs:us-east-1:384869583565:devo-s1-sqs. Extracting records from S3 files.
2023-04-24T10:07:15.083    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> (Partial) Number of messages per tag sent so far in this partial pull cycle: {'edr.sentinelone.dv.dns': 47, 'edr.sentinelone.dv.registry': 830, 'edr.sentinelone.dv.file': 600, 'edr.sentinelone.dv.ip': 29, 'edr.sentinelone.dv.logins': 26, 'edr.sentinelone.dv.scheduled_task': 8, 'edr.sentinelone.dv.group': 4, 'edr.sentinelone.dv.process': 6, 'edr.sentinelone.dv.cross_process': 14, 'edr.sentinelone.dv.indicators': 1}
2023-04-24T10:07:15.083    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1682323628755):Number of requests made: 42; Number of events received: 1565; Number of duplicated events filtered out: 0; Number of events generated and sent: 1565; Average of events per second: 247.351.
2023-04-24T10:07:15.619    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> Fetched 10 message(s) from SQS arn:aws:sqs:us-east-1:384869583565:devo-s1-sqs. Extracting records from S3 files.
2023-04-24T10:07:17.880    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> (Partial) Number of messages per tag sent so far in this partial pull cycle: {'edr.sentinelone.dv.dns': 70, 'edr.sentinelone.dv.registry': 1465, 'edr.sentinelone.dv.file': 894, 'edr.sentinelone.dv.ip': 41, 'edr.sentinelone.dv.logins': 38, 'edr.sentinelone.dv.scheduled_task': 8, 'edr.sentinelone.dv.group': 7, 'edr.sentinelone.dv.process': 9, 'edr.sentinelone.dv.cross_process': 20, 'edr.sentinelone.dv.indicators': 3}
2023-04-24T10:07:46.490    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> Fetched 10 message(s) from SQS arn:aws:sqs:us-east-1:384869583565:devo-s1-sqs. Extracting records from S3 files.
2023-04-24T10:07:48.878    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> (Partial) Number of messages per tag sent so far in this partial pull cycle: {'edr.sentinelone.dv.dns': 311, 'edr.sentinelone.dv.registry': 6580, 'edr.sentinelone.dv.file': 4031, 'edr.sentinelone.dv.ip': 209, 'edr.sentinelone.dv.logins': 184, 'edr.sentinelone.dv.scheduled_task': 58, 'edr.sentinelone.dv.group': 37, 'edr.sentinelone.dv.process': 50, 'edr.sentinelone.dv.cross_process': 112, 'edr.sentinelone.dv.indicators': 14}
2023-04-24T10:07:48.878    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1682323628755):Number of requests made: 284; Number of events received: 11586; Number of duplicated events filtered out: 0; Number of events generated and sent: 11586; Average of events per second: 288.769.
2023-04-24T10:07:49.291    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> No visible messages found in the queue arn:aws:sqs:us-east-1:384869583565:devo-s1-sqs
2023-04-24T10:07:49.291    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1682323628755):Number of requests made: 285; Number of events received: 11586; Number of duplicated events filtered out: 0; Number of events generated and sent: 11586; Average of events per second: 285.829.
2023-04-24T10:07:49.292    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1682323628755):Number of requests made: 285; Number of events received: 11586; Number of duplicated events filtered out: 0; Number of events generated and sent: 11586; Average of events per second: 285.826.
2023-04-24T10:07:49.292    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> The data is up to date!
2023-04-24T10:07:49.292    INFO InputProcess::SentinelOneCloudFunnelPuller(cloud_funnel,12345,events,predefined) -> Data collection completed. Elapsed time: 40.537 seconds. Waiting for 19.463 second(s) until the next one

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

The value @devo_pulling_id is injected in each event to group all events ingested by the same pull action. You can use it to get the exact events downloaded in that Pull action in Devo’s search window.

This collector does not support persistence restart. Once all events for a given S3 file are ingested, the message is deleted from the SQS queue so that file cannot be processed again unless a new SQS message becomes available.

If a user wishes to send results to a new table or otherwise change the collector configuration, they must simply update the configuration and restart the collector. The collector will operate with the new configuration parameters for all new SQS messages going forward.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type	Error ID	Error message	Cause	Solution

Error type	Error ID	Error message	Cause	Solution
ApiError	`401`	`AWS access key or secret key provided do not have the necessary permissions.`	AWS access key or secret key provided do not have the necessary permissions.	Contact SentinelOne support and ensure the configuration parameters are correct.
	`402`	`AWS access key provided is invalid or incorrect.`	AWS access key provided is invalid or incorrect.	Contact SentinelOne support and ensure the configuration parameters are correct.
	`403`	`AWS access key has expired.`	AWS access key has expired.	Contact SentinelOne support and retrieve a new AWS access key.
	`404`	`AWS request timed out.`	This can occur if the network is currently experiencing an outage.	To diagnose the cause of an AWS request timeout in boto3, you can try the following: Check your network connectivity and ensure that you have a stable internet connection. Check the AWS service status to see if there are any known issues or service disruptions. Check your security groups and firewalls to ensure that they are properly configured and not blocking the traffic between your client and the AWS service. If none of the troubleshooting steps above are able to help resolve the issue, contact Devo support for assistance in configuring a custom rate limiter.
	`420`	`AWS access key provided is invalid or incorrect.`	AWS access key provided is invalid or incorrect.	Contact SentinelOne support and ensure the configuration parameters are correct.
	`421`	`AWS SQS queue does not exist.`	AWS SQS queue does not exist.	Contact SentinelOne support and ensure the configuration parameters are correct.
	`423`	`AWS SQS queue has been deleted recently.`	AWS SQS queue has been deleted recently.	Contact SentinelOne support and ensure the configuration parameters are correct.
	`430`	`AWS S3 bucket does not exist.`	AWS S3 bucket does not exist.	Contact SentinelOne support and ensure the configuration parameters are correct.
	`499`	`AWS request client encountered an exception: {error_message}`	Review the detailed error message to determine the cause of the error.	Review the detailed error message to determine the cause of the error.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

INFO MainThread -> (CollectorMultithreadingQueue) standard_queue_multithreading -> max_size_in_messages: 10000, max_size_in_mb: 1024, max_wrap_size_in_items: 100
WARNING MainThread -> [INTERNAL LOGIC] DevoSender::_validate_kwargs_for_method__init__ -> The <address> does not appear to be an IP address and cannot be verified: collector-us.devo.io
WARNING MainThread -> [OUTPUT] OutputLookupSenders -> <threshold_for_using_gzip_in_transport_layer> setting has been modified from 1.1 to 1.0 due to this configuration increases the Lookup sender performance.
WARNING MainThread -> [INTERNAL LOGIC] DevoSender::_validate_kwargs_for_method__init__ -> The <address> does not appear to be an IP address and cannot be verified: collector-us.devo.io
INFO MainThread -> [OUTPUT] OutputMultithreadingController(threatquotient_collector) -> Starting thread
INFO MainThread -> [OUTPUT] DevoSender(standard_senders,devo_sender_0) -> Starting thread
INFO MainThread -> [OUTPUT] DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 600 seconds)
INFO MainThread -> [OUTPUT] DevoSenderManager(standard_senders,manager,devo_1)(devo_1) -> Starting thread
INFO MainThread -> [OUTPUT] DevoSender(lookup_senders,devo_sender_0) -> Starting thread
INFO MainThread -> [OUTPUT] DevoSenderManagerMonitor(lookup_senders,devo_1) -> Starting thread (every 600 seconds)
INFO MainThread -> [OUTPUT] DevoSenderManager(lookup_senders,manager,devo_1)(devo_1) -> Starting thread
INFO MainThread -> InitVariables Started
INFO MainThread -> start_time_value initialized
INFO MainThread -> verify_host_ssl_cert initialized
INFO MainThread -> event_fetch_limit_in_items initialized
INFO MainThread -> InitVariables Terminated
INFO MainThread -> [INPUT] InputMultithreadingController(threatquotient_collector) - Starting thread (executing_period=300s)
INFO MainThread -> [INPUT] InputThread(threatquotient_collector,threatquotient_data_puller#111) - Starting thread (execution_period=600s)
INFO MainThread -> [INPUT] ServiceThread(threatquotient_collector,threatquotient_data_puller#111,events#predefined) - Starting thread (execution_period=600s)
INFO MainThread -> [SETUP] ThreatQuotientDataPullerSetup(threatquotient_collector,threatquotient_data_puller#111,events#predefined) - Starting thread
INFO MainThread -> [INPUT] ThreatQuotientDataPuller(threatquotient_collector,threatquotient_data_puller#111,events#predefined) - Starting thread

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Sender: SyslogSender(standard_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(standard_senders,sidecar_0) -> Standard - Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 44 (elapsed 0.007 seconds)
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Number of available senders: 1, sender manager internal queue size: 0
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> enqueued_elapsed_times_in_seconds_stats: {}
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Sender: SyslogSender(internal_senders,syslog_sender_0), status: {"internal_queue_size": 0, "is_connection_open": True}
INFO OutputProcess::SyslogSenderManagerMonitor(internal_senders,sidecar_0) -> Internal - Total number of messages sent: 1, messages sent since "2022-06-28 10:39:22.516313+00:00": 1 (elapsed 0.019 seconds)

By default, these information traces will be displayed every 10 minutes.

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services	Description

Sender services	Description
`internal_senders`	In charge of delivering internal metrics to Devo such as logging traces or metrics.
`standard_senders`	In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace	Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.

Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.
21 events where sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.007 seconds to be delivered.

By default these traces will be shown every 10 minutes.

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)

Differences between RSS and VMS memory usage:

RSS is the Resident Set Size, which is the actual physical memory the process is using
VMS is the Virtual Memory Size which is the virtual memory that process is using

Change log for v1.x.x

Release	Released on	Release type	Details	Recommendations

Release

Released on

Release type

Details

Recommendations

v1.0.0

Apr 21, 2023

status:NEW FEATURE

New features:

Events service: Deep Visibility events stored in AWS via Cloud Funnel. These events are of different types, the collector autocategorizes them and sends them to different tables in Devo.

Recommended version

Devo latest