Document toolboxDocument toolbox

HackerOne collector

Owned by Former user (Deleted)
Last updated: Jan 31, 2024 by Sarah Bigault (Deactivated)
18 min read
[ 1 Minimum configuration required for basic pulling ] [ 2 Overview ] [ 3 Devo collector features ] [ 4 Data sources ] [ 5 Vendor setup ] [ 6 Accepted authentication methods ] [ 7 Run the collector ] [ 8 Collector services detail ] [ 9 Collector operations ] [ 10 Change log for v1.x.x ]

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting

Details

Setting

Details

api_username

The name given to the API token while creating one.

api_token

The token that is generated on the HackerOne portal.

More information

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Overview

HackerOne is a company that specializes in cybersecurity, specifically attack resistance management which blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find close gaps in the digital attack surface.

Devo collector features

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

Not allowed

Allowed

Running environments

Collector server

On-premise

Populated Devo events

Table

Flattening preprocessing

No

Data sources

Data Source

Description

API Endpoint

Collector service name

Devo Table

Available from release

Data Source

Description

API Endpoint

Collector service name

Devo Table

Available from release

Audit Logs

Audit logs enable one to view all the changes and actions done on a particular program so that one can review critical changes, find suspect actions and investigate incidents for a given program

programs/{id}/audit_log

audit_logs

vuln.hackerone.audit.logs

v1.0.0

For more information on how the events are parsed, visit our page

Vendor setup

There are some requirements to set up this collector. You will need to create an Organization account and an API token to run this collector. Follow these steps:

Accepted authentication methods

Authentication Method

Username

Password

Username/Password

rEQUIRED

rEQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

If the user provides a program id and the start from page number in the config.yaml, the collector poll for audit logs for the program from the given page number. If the user does not provide a program id then the collector will poll for audit logs of all the available programs. 

Internal process and deduplication method

The collector will poll for 100 audit logs on each poll and save the offset page number in the state file. To remove duplicate audit logs, the collector will store the id of the last polled audit log and will ignore all the logs that are created before the saved audit log id. As the data is sorted, we will only have new audit logs.

Devo categorization and destination

All events of this service are ingested into the table hackerone.auditlogs

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

INFO InputProcess::MainThread -> Validating service input config INFO InputProcess::MainThread -> Running overriding rules INFO InputProcess::MainThread -> Overriding rule #1 - service key <override_tag> with value <None> overrides definition key <tag> with value <my.app.hackerone.auditlogs> when the first is not <None> INFO InputProcess::MainThread -> Populating collector_variables WARNING InputProcess::MainThread -> Key <override_tag> has been rejected based on the auto-population rules: Related to Overriding Rules WARNING InputProcess::MainThread -> Key <request_period_in_seconds> has been rejected based on the auto-population rules: Already present WARNING InputProcess::MainThread -> Key <tag> has been rejected based on the auto-population rules: Related to Overriding Rules INFO InputProcess::MainThread -> Validating the rate limiter config given by the user INFO OutputProcess::MainThread -> [GC] global: 29.7% -> 29.8%, process: RSS(44.20MiB -> 46.04MiB), VMS(1.19GiB -> 1.19GiB) INFO InputProcess::MainThread -> <rate_limiter> setting has been accepted with the content {'period_in_seconds': 60, 'requests_limit_in_units': 600} WARNING InputProcess::MainThread -> The rate_limiter object has been overridden with the following config: {'period_in_seconds': 60, 'requests_limit_in_units': 600} INFO InputProcess::MainThread -> Running custom validation rules INFO InputProcess::MainThread -> HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) Finalizing the execution of init_variables() INFO InputProcess::MainThread -> InputThread(hacker_one_collector,12345) - Starting thread (execution_period=60s) INFO InputProcess::MainThread -> ServiceThread(hacker_one_collector,12345,audit_logs,predefined) - Starting thread (execution_period=60s) INFO InputProcess::MainThread -> HackerOnePullerSetup(hacker_one_collector,hacker_one_collector#12345,audit_logs#predefined) -> Starting thread WARNING InputProcess::HackerOnePullerSetup(hacker_one_collector,hacker_one_collector#12345,audit_logs#predefined) -> The token/header/authentication has not been created yet INFO InputProcess::MainThread -> HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) - Starting thread WARNING InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> Waiting until setup will be executed INFO InputProcess::MainThread -> [GC] global: 29.9% -> 29.9%, process: RSS(44.86MiB -> 44.89MiB), VMS(788.94MiB -> 788.94MiB) INFO OutputProcess::DevoSender(standard_senders,devo_sender_0) -> Created a sender: {"url": "collector-eu.devo.io:443", "chain_path": "/home/batman/Downloads/devo-HackerOne/certs/chain.crt", "cert_path": "/home/batman/Downloads/devo-HackerOne/certs/al_sandbox.crt", "key_path": "/home/batman/Downloads/devo-HackerOne/certs/al_sandbox.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "batman-VirtualBox", session_id: "139624977371392"INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Created a sender: {"url": "collector-eu.devo.io:443", "chain_path": "/home/batman/Downloads/devo-HackerOne/certs/chain.crt", "cert_path": "/home/batman/Downloads/devo-HackerOne/certs/al_sandbox.crt", "key_path": "/home/batman/Downloads/devo-HackerOne/certs/al_sandbox.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "batman-VirtualBox", session_id: "139624977372832" INFO InputProcess::HackerOnePullerSetup(hacker_one_collector,hacker_one_collector#12345,audit_logs#predefined) -> Api token has been validated successfully. INFO InputProcess::HackerOnePullerSetup(hacker_one_collector,hacker_one_collector#12345,audit_logs#predefined) -> Setup for module <HackerOnePuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) Starting the execution of pre_pull() INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> Reading persisted data INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> Data retrieved from the persistence: {60537: {'offset_page': 1, 'audit_log_id': '949406'}, '@persistence_version': 1} INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> Running the persistence upgrade steps INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> Running the persistence corrections steps INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> Running the persistence corrections steps INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> No changes were detected in the persistence INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) Finalizing the execution of pre_pull() INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> Starting data collection every 600 seconds INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> Pull Started INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> fetching audit logs for program 60537 with offset 1 INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> fetched 42 audit logs for 60537 INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> sent 2 audit logs for program 60537 to Devo. INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> State file is updated with latest offset page INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> Saved state: {60537: {'offset_page': 1, 'audit_log_id': '951427'}, '@persistence_version': 1}

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1670996950730):Number of requests made: 1; Number of events received: 1; Number of duplicated events filtered out: 40; Number of events generated and sent: 2; Average of events per second: 2.416. INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> The data is up to date! INFO InputProcess::HackerOnePuller(hacker_one_collector,12345,audit_logs,predefined) -> Data collection completed. Elapsed time: 0.836 seconds. Waiting for 599.164 second(s) until the next one WARNING MainProcess::MainThread -> Received the "Interrupt" system signal (code: 2), all the processes will be gracefully stopped

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error Type

Error Id

Error Message

Cause

Solution

SetupError

100

The remote data is not pullable with the given credentials. Check the error traces for details

The API token does not have enough permissions to fetch audit logs or incorrect credentials

Give the access token permission to fetch audit logs or check if the conditionals provided in the config file are correct

PullError

301

The API token does not have enough permissions to fetch audit logs

The API token does not have enough permissions to fetch audit logs

Give the access token permission to fetch audit logs

PullError

302

The API token does not grant the client access to perform this action. This can happen in case where the client requests a resource that belongs to another program or account. If the request belongs to this program, give admin permission to the token in the organization settings -> API Token

User requests a resource that belongs to another program or account. If the request belongs to this program

give admin permission to the token in the organization settings -> API Token

 

PullError

303

The requested resource is not found. The client might be using outdated information to identify the resource

The Url may have been moved to a different location.

Recheck the base url

PullError

304

Error on the HackerOne server side

Error occurred on the Hacerone side

Try running the collector after some time

PullError

305

HackerOne servers are offline. Check for server status at: https://www.hackeronestatus.com

HackerOne servers are down.

Try running the collector after some time

PullError

306

Unexpected error occurred at the HackerOne server

Check log message to know the cause

Check the log message for more details

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services

Description

Sender services

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.

Total number of messages sent: 40, messages sent since "2023-02-14 12:17:02.954105+00:00": 40 (elapsed 0.376 seconds)

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

  • 40 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2023-02-14 12:17:02.954105+00:00

  • 40 events where sent to Devo between the last UTC checkpoint and now.

  • Those 240 events required 0.376 seconds to be delivered.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Standard - Total number of messages sent: 40, messages sent since "2023-02-14 12:17:02.954105+00:00": 40 (elapsed 0.376 seconds)

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

  • 40 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2023-02-14 12:17:02.954105+00:00.

  • 40 events where sent to Devo between the last UTC checkpoint and now.

  • Those 40 events required 0.376 seconds to be delivered.

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

  • The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.

  • The global pressure of the available memory is displayed in the global value.

  • All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Change log for v1.x.x

Release

Released on

Release type

Details

Recommendations

Release

Released on

Release type

Details

Recommendations

v1.0.0

Feb 20, 2023

NEW FEATURE

New features:

  • New service for fetching the audit logs

  • It can fetch logs from all the “programs” or from one concrete “program” (in HackerOne terminology”

Recommended version