CloudSEK XVigil collector

[ 1 Overview ] [ 2 Devo collector features ] [ 3 Data sources ] [ 4 Vendor setup ] [ 5 Minimum configuration required for basic pulling ] [ 6 Accepted authentication methods ] [ 7 Run the collector ] [ 8 Collector services detail ] [ 9 Collector operations ] [ 10 Change log ]

Overview

CloudSEK XVigil is a unified Digital Risk Protection platform that apprehends threats posed on the surface web, deep web, and dark web including brand intelligence and attack surface monitoring.

Devo collector features

Feature	Details

Feature	Details
Allow parallel downloading (`multipod`)	`allowed`
Running environments	`collector server` `on-premise`
Populated Devo events	`table`
Flattening preprocessing	`no`
Allowed source events obfuscation	`yes`

Data sources

Data source	Description	API endpoint	Collector service name	Devo table	Available from release

Data source	Description	API endpoint	Collector service name	Devo table	Available from release
Alerts	Alerts related to incidents	`/api/historic/alerts`	`alerts`	`drp.cloudsek.xvigil.alerts`	`v1.0`

For more information on how the events are parsed, visit our page.

Vendor setup

Steps

Action	Steps
Obtain API token	Login to your CloudSEK admin portal to retrieve your API token or contact CloudSEK support to retrieve your API token.

Assigning necessary permissions

Only the credentials above are required.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting	Details

Setting	Details
`base_url`	Base URL of your CloudSEK instance.
`token`	The `token` obtained from CloudSEK for authentication.

Accepted authentication methods

Setting	Details

Setting	Details
`Token`	Required

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Internal process and deduplication method

Alerts are continuously fetched since the last known record time. Alerts are sorted by the incident_time field. The last known event time for a given batch of record(s) and the ID associated with the latest record(s) are deduped by persisting the latest IDs (id) from the previous run to ensure duplicate events are not inserted into Devo.

Devo categorization and destination

All events are sent by default to drp.cloudsek.xvigil.alerts

Setup output

A successful run has the following output messages for the setup module:

INFO InputProcess::MainThread -> Validating service input config
INFO InputProcess::MainThread -> Running overriding rules
INFO InputProcess::MainThread -> Validating the rate limiter config given by the user
INFO InputProcess::MainThread -> <requests_limits> setting has not been defined. The generic settings will be used instead.
INFO InputProcess::MainThread -> Adding raw config to the collector store
INFO InputProcess::MainThread -> Running custom validation rules
INFO InputProcess::MainThread -> CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) Finalizing the execution of init_variables()
INFO InputProcess::MainThread -> InputThread(cloudsek,cloudsek_1) - Starting thread (execution_period=60s)
INFO InputProcess::MainThread -> ServiceThread(cloudsek,cloudsek_1,alerts,predefined) - Starting thread (execution_period=60s)
INFO InputProcess::MainThread -> CloudSekPullerSetup(cloudsek,cloudsek#cloudsek_1,alerts#predefined) -> Starting thread
INFO InputProcess::MainThread -> CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) - Starting thread
WARNING InputProcess::CloudSekPullerSetup(cloudsek,cloudsek#cloudsek_1,alerts#predefined) -> The token/header/authentication has not been created yet
WARNING InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Waiting until setup will be executed
INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_us_1) -> Starting thread (every 300 seconds)
INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_us_1) -> Starting thread
INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> Starting thread
INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(lookup_senders,devo_us_1) -> Starting thread (every 300 seconds)
INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_us_1) -> Starting thread
INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> Starting thread
INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(internal_senders,devo_us_1) -> Starting thread (every 300 seconds)
INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_us_1) -> Starting thread
INFO InputProcess::MainThread -> [GC] global: 51.1% -> 51.2%, process: RSS(40.54MiB -> 40.84MiB), VMS(507.20MiB -> 507.20MiB)
INFO InputProcess::MainThread -> global_status: {"input_process": {"process_id": 220918, "process_status": "running", "thread_counter": 7, "thread_names": ["MainThread", "QueueFeederThread", "CloudSekPullerSetup(cloudsek,cloudsek#cloudsek_1,alerts#predefined)", "CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined)", "QueueFeederThread", "ServiceThread(cloudsek,cloudsek_1,alerts,predefined)", "InputThread(cloudsek,cloudsek_1)"], (...)
INFO InputProcess::CloudSekPullerSetup(cloudsek,cloudsek#cloudsek_1,alerts#predefined) -> Setup for module <CloudSekPuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) Starting the execution of pre_pull()
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Reading persisted data
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Data retrieved from the persistence: {'initial_start_time_in_utc': '2022-01-01T00:00:00Z', 'last_event_time_in_utc': '2022-01-01T00:00:00Z', 'last_ids': ['1a2b3c'], '@persistence_version': 1}
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Running the persistence upgrade steps
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Running the persistence corrections steps
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Running the persistence corrections steps
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> No changes were detected in the persistence
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) Finalizing the execution of pre_pull()
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Starting data collection every 60 seconds
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Pull Started
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Retrieving/sending alerts events since last 8 day(s)
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1234):Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1234):Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> The data is up to date!
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Data collection completed. Elapsed time: 0.602 seconds. Waiting for 59.398 second(s) until the next one

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> The data is up to date!
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Data collection completed. Elapsed time: 0.602 seconds. Waiting for 59.398 second(s) until the next one

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

Edit the configuration file.
Change the value of the reset_persistence_auth parameter to a different one.
Save the changes.
Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Common logic

Error type	Error ID	Error message	Cause	Solution

Error type	Error ID	Error message	Cause	Solution
ApiError	401	Unauthorized API response	Credentials may not be valid for pulling the data.	Ensure the API token is properly created and configured in the collector.
ApiError	403	Forbidden API response	Credentials may not be valid for pulling the data.	Ensure the API token is properly created and configured in the collector.
ApiError	495	Failed to parse `<response_type>` object from response: `<response_content>`. Exception: `<exception>`	Error reading API response	Contact Devo support.
ApiError	496	Connection Timeout Error. Verify that endpoint and URL parameters are correct.	Connection error with the API	Ensure the collector has connection with the API and restart the collector. If problem persists, contact Devo support.
ApiError	497	Connection Error. Ensure the URL parameters are correct and that host has access to server.	Connection error with the API	Ensure the collector has connection with the API and restart the collector. If problem persists, contact Devo support.
ApiError	498	Max Retries Error. Request attempts with `<retries>` retries failed.	Connection error with the API.	Ensure the collector has connection with the API and restart the collector. If problem persist, contact Devo support.
ApiError	499	Failed to close RequestClient session with the following error: `<traceback>`	Connection cannot be stopped properly, usually caused by a connection error or a sudden collector stop.	Contact Devo support.

Custom troubleshooting for alerts service

The following errors are related to a specific service:

Error type	Error ID	Error message	Cause	Solution

Error type	Error ID	Error message	Cause	Solution
InitVariablesError	1	Invalid `initial_start_time_in_utc`: `<start_time_string>`. Must be in parseable datetime format.	Configured `initial_start_time_in_utc` value does not meet a valid datetime format.	Modify the `initial_start_time_in_utc` value.
InitVariablesError	2	Invalid `initial_start_time_in_utc`: `<start_time_string>`. Must be in the past.	Configured `initial_start_time_in_utc` is not a past datetime.	Modify the `initial_start_time_in_utc` value.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

INFO MainProcess::MainThread -> Added "/home/user/sample/devo-collector-cloudsek" directory to the Python path
INFO MainProcess::MainThread -> Added "/home/user/sample/devo-collector-cloudsek/config_internal" directory to the Python path
INFO MainProcess::MainThread -> Added "/home/user/sample/devo-collector-cloudsek/schemas" directory to the Python path
INFO MainProcess::MainThread -> Production mode: False, execute only setup and exit: False, Python version: "3.9.5 (default, Nov 23 2021, 15:27:38) [GCC 9.3.0]", current dir: "/home/user/sample/devo-collector-cloudsek", exists "config" dir: True, exists "config_internal" dir: True, exists "certs" dir: True, exists "schemas" dir: True, exists "credentials" dir: True
INFO MainProcess::MainThread -> Loading configuration using the following files: {"full_config": "config-test.yaml", "job_config_loc": null, "collector_config_loc": null}
INFO MainProcess::MainThread -> Using the default location for "job_config_loc" file: "/etc/devo/job/job_config.json"
INFO MainProcess::MainThread -> "/etc/devo/job" does not exists
INFO MainProcess::MainThread -> Using the default location for "collector_config_loc" file: "/etc/devo/collector/collector_config.json"
INFO MainProcess::MainThread -> "/etc/devo/collector" does not exists
INFO MainProcess::MainThread -> Results of validation of config files parameters: {"config": "/home/user/sample/devo-collector-cloudsek/config/config-test.yaml", "config_validated": True, "job_config_loc": "/etc/devo/job/job_config.json", "job_config_loc_default": True, "job_config_loc_validated": False, "collector_config_loc": "/etc/devo/collector/collector_config.json", "collector_config_loc_default": True, "collector_config_loc_validated": False}
INFO MainProcess::MainThread -> Build time: "UNKNOWN", OS: "Linux-5.14.0-1058-oem-x86_64-with-glibc2.31", collector(name:version): "cloudsek:1.0.0", owner: "integrations_factory@devo.com", started at: "665Z"
INFO MainProcess::MainThread -> Initialized all object from "MainProcess" process
INFO MainProcess::MainThread -> OutputProcess - Starting thread (executing_period=120s)
INFO MainProcess::MainThread -> InputProcess - Starting thread (executing_period=120s)
INFO OutputProcess::MainThread -> Process started
INFO MainProcess::MainThread -> Started all object from "MainProcess" process
INFO InputProcess::MainThread -> Process Started

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) Starting the execution of pre_pull()
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Reading persisted data
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Data retrieved from the persistence: {'initial_start_time_in_utc': '2022-01-01T00:00:00Z', 'last_event_time_in_utc': '2022-01-01T00:00:00Z', 'last_ids': ['1a2b3c'], '@persistence_version': 1}
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Running the persistence upgrade steps
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Running the persistence corrections steps
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Running the persistence corrections steps
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> No changes were detected in the persistence
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) Finalizing the execution of pre_pull()
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Starting data collection every 60 seconds
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Pull Started
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Retrieving/sending alerts events since last 8 day(s)
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1234):Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1234):Number of requests made: 1; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> The data is up to date!
INFO InputProcess::CloudSekPuller(cloudsek,cloudsek_1,alerts,predefined) -> Data collection completed. Elapsed time: 0.602 seconds. Waiting for 59.398 second(s) until the next one

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services	Description

Sender services	Description
`internal_senders`	In charge of delivering internal metrics to Devo such as logging traces or metrics.
`standard_senders`	In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace	Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds

Displays the number of events from the last time and following the given example, the following conclusions can be obtained:

44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.
21 events where sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.007 seconds to be delivered.

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

INFO InputProcess::MainThread -> [GC] global: 51.1% -> 51.2%, process: RSS(40.54MiB -> 40.84MiB), VMS(507.20MiB -> 507.20MiB)
INFO OutputProcess::MainThread -> [GC] global: 51.2% -> 51.2%, process: RSS(42.10MiB -> 42.18MiB), VMS(939.21MiB -> 939.21MiB)

Change log

Release	Released on	Release type	Details	Recommendations

Release	Released on	Release type	Details	Recommendations
`v1.1.0`	Jan 6, 2025	status:Changed	* Upgraded the DCSDK to v1.13.1 * Ensure special characters are properly sent to the platform * Changed log level to some messages from info to debug * Changed some wrong log messages * Upgraded some internal dependencies * Changed queue passed to setup instance constructor * Ability to validate collector setup and exit without pulling any data * Ability to store in the persistence the messages that couldn't be sent after the collector stopped * Ability to send messages from the persistence when the collector starts and before the puller begins working * Updated DevoSDK to v5.1.9 * Fixed some bug related to development on MacOS * Added an extra validation and fix when the DCSDK receives a wrong timestamp format * Added an optional config property for use the Syslog timestamp format in a strict way * Updated DevoSDK to v5.1.10 * Fix for SyslogSender related to UTF-8 * Enhace of troubleshooting. Trace Standardization, Some traces has been introduced. * Introduced a mechanism to detect "Out of Memory killer" situation * Change internal queue management for protecting against OOMK * Extracted ModuleThread structure from PullerAbstract * Improve Controlled stop when both processes fails to instantiate * Improve Controlled stop when InputProcess is killed * Fixed error related a ValueError exception not well controlled * Fixed error related with loss of some values in internal messages * Upgraded the docker base image to 1.3.1. * Added support of new API version.	`Recommended version`
`v1.0.0`	Jun 2, 2023	status:NEW COLLECTOR	New collector	`-`

Devo latest