Microsoft Defender for IoT Collector

[ 1 Overview ] [ 2 Devo collector features ] [ 3 Data sources ] [ 4 Minimum configuration required for basic pulling ] [ 5 Accepted authentication methods ] [ 6 Run the collector ] [ 7 Collector services detail ] [ 8 Collector operations ] [ 9 Change log for v1.0.0 ]

Overview

This collector query Defender for IoT Azure subscriptions quickly and efficiently. Users can ingest all related Defender for IoT alerts into Devo. The user must be forwarding their Defender for IoT data to Azure.

Devo collector features

Feature	Details

Feature	Details
Allow parallel downloading (`multipod`)	`No`
Running environments	`Collector Server` `On Premise`
Populated Devo events	`Table`
Flattening preprocessing	`No`
Allowed source events obfuscation	`Yes`

Data sources

Data source	Description	API endpoint	Collector service name	Devo table	Available from release

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Defender for IoT - Alerts

Alerts reported by Defender for IoT sensors.

microsoft.iotsecurity/locations/devicegroups/alerts

iot_security_alerts

edr.microsoft_defender.iot_security.alert

v1.0.0

For more information on how the events are parsed, visit our page.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting	Details

Setting	Details
`client_id`	Client ID
`client_secret`	Client secret
`tenant_id`	Tenant ID

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

Authentication method	Client ID	Client secret	Tenant ID

Authentication method	Client ID	Client secret	Tenant ID
`OAuth`	Required	Required	Required

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

iot_security_alerts

Internal process and deduplication method

All events are fetched via Azure Resource Graph API queries and filtered/ordered by their created datetime. The collector continually pulls new events since the last recorded timestamp. A unique hash value is computed for each event and used for deduplication purposes to ensure events are not fetched multiple times in subsequent pulls.

Devo categorization and destination

All events of this service are ingested into the table

edr.microsoft_defender.iot_security.alert

Setup output

A successful run has the following output messages for the setup module:

2023-11-03T18:59:50.822 WARNING InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Waiting until setup will be executed
2023-11-03T18:59:50.823 WARNING InputProcess::IotPullerSetup(defender_for_iot,defender_for_iot#23453,iot_security_alerts#predefined) -> The token/header/authentication has not been created yet
2023-11-03T18:59:52.042    INFO InputProcess::IotPullerSetup(defender_for_iot,defender_for_iot#23453,iot_security_alerts#predefined) -> Successfully tested fetch for microsoft.iotsecurity/locations/devicegroups/alerts. Source is pullable.
2023-11-03T18:59:52.043    INFO InputProcess::IotPullerSetup(defender_for_iot,defender_for_iot#23453,iot_security_alerts#predefined) -> Setup for module <IotPuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

2023-11-03T18:59:52.824    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) Starting the execution of pre_pull()
2023-11-03T18:59:52.826    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Reading persisted data
2023-11-03T18:59:52.829    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Data retrieved from the persistence: {'@persistence_version': 1, 'start_time_in_utc': '2023-10-01T09:03:00Z', 'last_event_time_in_utc': '2023-10-31T20:38:57Z', 'last_ids': ['c0deba5fa6d4ac957551b33665f5ff508c5c31f3791fff7bae2b68777a131a98'], 'skip_token': None}
2023-11-03T18:59:52.831    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Running the persistence upgrade steps
2023-11-03T18:59:52.833    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Running the persistence corrections steps
2023-11-03T18:59:52.834    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Running the persistence corrections steps
2023-11-03T18:59:52.841 WARNING InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Some changes have been detected and the persistence needs to be updated. Previous content: {'@persistence_version': 1, 'start_time_in_utc': '2023-10-01T09:03:00Z', 'last_event_time_in_utc': '2023-10-31T20:38:57Z', 'last_ids': ['c0deba5fa6d4ac957551b33665f5ff508c5c31f3791fff7bae2b68777a131a98'], 'skip_token': None}. New content: {'@persistence_version': 1, 'start_time_in_utc': '2023-10-01T09:01:00Z', 'last_event_time_in_utc': '2023-10-01T09:01:00Z', 'last_ids': [], 'skip_token': None}
2023-11-03T18:59:52.862    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Updating the persistence
2023-11-03T18:59:52.863 WARNING InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Persistence has been updated successfully
2023-11-03T18:59:52.864    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) Finalizing the execution of pre_pull()
2023-11-03T18:59:52.864    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Starting data collection every 60 seconds
2023-11-03T18:59:52.865    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Pull Started
2023-11-03T18:59:52.866    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Fetching all iotsecurityresources - microsoft.iotsecurity/locations/devicegroups/alerts records since 2023-10-01T09:01:00Z
2023-11-03T18:59:53.421    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> No skip_token returned. All records fetched.
2023-11-03T18:59:53.423    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1699034392824):Number of requests made: 1; Number of events received: 30; Number of duplicated events filtered out: 0; Number of events generated and sent: 30; Average of events per second: 53.834.
2023-11-03T18:59:53.423    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1699034392824):Number of requests made: 1; Number of events received: 30; Number of duplicated events filtered out: 0; Number of events generated and sent: 30; Average of events per second: 53.789.
2023-11-03T18:59:53.424    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> The data is up to date!

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

2023-11-03T18:59:53.424    INFO InputProcess::IotPuller(defender_for_iot,23453,iot_security_alerts,predefined) -> Data collection completed. Elapsed time: 0.600 seconds. Waiting for 59.400 second(s) until the next one

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

Edit the configuration file.
Change the value of the start_time_in_utc parameter to a different one.
Save the changes.
Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

This collector has different security layers that detect both an invalid configuration and abnormal operation. The following errors are related to a specific service.

Error type	Error ID	Error message	Cause	Solution

Error type	Error ID	Error message	Cause	Solution
InitVariablesError	1	`Invalid start_time_in_utc: {ini_start_str}. Must be in parseable datetime format.`	The configured `start_time_in_utc` parameter is a non-parseable format.	Update the `start_time_in_utc` value to have the recommended format as indicated in the guide.
InitVariablesError	2	`Invalid start_time_in_utc: {ini_start_str}. Must be in the past..`	The configured `start_time_in_utc` parameter is a future date.	Update the `start_time_in_utc` value to a past datetime.
SetupError	101	`Failed to fetch OAuth token from {token_endpoint}. Exception: {e}.`	The provided credentials, base URL, and/or token endpoint is incorrect.	Revisit the configuration steps and ensure that the correct values were specified in the config file.
SetupError	102	`Failed to fetch data from {endpoint}. Source is not pullable.`	The provided credentials, base URL, and/or token endpoint is incorrect.	Revisit the configuration steps and ensure that the correct values were specified in the config file.
ApiError	401	`Error during API call to [API provider HTML error response here`	The server returned an HTTP 401 response.	Ensure that the provided credentials are correct and provide read access to the targeted data.
ApiError	429	`Error during API call to [API provider HTML error response here]`	The server returned an HTTP 429 response.	The collector will attempt to retry requests (default up to 3 times) and respect back-off headers if they exist. If the collector repeatedly encounters this error, adjust the rate limit and/or contact the API provider to ensure that you have enough quota to complete the data pull.
ApiError	498	`Error during API call to [API provider HTML error response here]`	The server returned an HTTP 500 response.	If the API returns a 500 but successfully completes subsequent runs then you may ignore this error. If the API repeatedly returns a 500 error, ensure the server is reachable and operational.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method. A successful run has the following output messages for the initializer module:

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services	Description

Sender services

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.

Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)

Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:

44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.
21 events were sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.007 seconds to be delivered.

By default these traces will be shown every 10 minutes.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace	Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds

Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:

44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.
21 events were sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.00 seconds to be delivered.

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Change log for v1.0.0

Release	Released on	Release type	Details	Recommendations

Release	Released on	Release type	Details	Recommendations
`v1.0.0`		INITIAL RELEASE	Initial release