
SpyCloud collector

Overview

The SpyCloud collector can help fraud prevention teams stay ahead of customer ATO fraud by detecting and resetting exposed consumer passwords early in the breach lifecycle, heading off account takeover attempts.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with the basic configuration are defined below.

This minimum configuration refers exclusively to the parameters specific to this integration. There are more required parameters related to the generic behavior of the collector; check the settings sections for details.

Setting: api_key

Details: SpyCloud API key. You can access your API key(s) securely in your Customer Portal account. Your API keys carry many privileges, so be sure to keep them secret. Please do not share your API keys in any publicly accessible areas such as source code repositories, client-side web application code, etc.

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Devo collector features

Allow parallel downloading (multipod): Allowed

Running environments: Collector server, On-premise

Populated Devo events: Table

Flattening preprocessing: No

Data sources

Data source: Watchlist

Description: Watchlist assets extracted from breach data

API endpoint: /enterprise-v1/breach/data/watchlist

Collector service name: watchlist

Devo table: ofd.spycloud.ato_prevention.watchlist

Available from release: v1.0

Vendor setup

  1. Configure domains: Add all appropriate domains and subdomains owned by your company to the watchlist (you must own a domain to add it).

  2. Configure emails: Add the personal email addresses of key employees and executives to the Personal email watchlist. The owner of each email address receives a verification message; once the owner clicks the verification button in the message, the address is added to monitoring immediately.

  3. Configure IPs: Add the IP address ranges that your company uses to the watchlist.

  4. Whitelist the Devo collector IP:

    1. Request that your Devo account manager or support provide you with the IP of your Devo collector.

    2. Once you know the IP, request that SpyCloud add your IP to the whitelist in the API section.

    3. Obtain your SpyCloud API key from the API page.

  5. Generate sample events:

    1. Insert example.net into the domains watchlist.

    2. Insert 192.168.1.0 into the IP watchlist.

    3. Wait for the SpyCloud platform to correlate watchlist entries with the collections dataset to create incidents.

Accepted authentication methods

Authentication method: API key

API key: Required

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Watchlist events contain records extracted from breaches that correspond with your monitored IP, email address, and domain assets.

Internal process and deduplication method

Watchlist records are continuously fetched since the last known record time. Records are sorted by the spycloud_publish_date. The last known record time for a given batch of record(s) and the latest record hash(es) are persisted and referenced in the subsequent pull. Watchlist records are deduped by persisting the latest event object hashes from the previous run to ensure duplicate events are not inserted into Devo.
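The deduplication rule described above, written out as an added Python example (it is not the collector's own code). The persistence object has the shape the collector writes to its log; the record fields other than spycloud_publish_date (email, source_id) are assumptions for the sample data.

```python
import hashlib
import json

# Persistence object in the shape the collector logs under "Data retrieved from the persistence".
INITIAL_PERSISTENCE = {
    "@persistence_version": 1,
    "initial_start_time_in_utc": "2020-12-01T00:00:00Z",
    "last_event_time_in_utc": "2023-02-03T00:04:36Z",
    "last_ids": [],
}

# Constructed watchlist records. Only spycloud_publish_date is a field named on the page;
# the other keys are assumed for illustration.
RECORDS = [
    {"spycloud_publish_date": "2023-02-03T00:04:36Z", "email": "a@example.net", "source_id": 1},
    {"spycloud_publish_date": "2023-02-03T00:04:36Z", "email": "b@example.net", "source_id": 1},
    {"spycloud_publish_date": "2023-02-03T00:09:10Z", "email": "c@example.net", "source_id": 2},
]


def event_hash(record):
    """Hash of the whole event object; sorted keys make it independent of field order."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def pull_cycle(persistence, records):
    """One pull: take records published at or after last_event_time_in_utc, in
    spycloud_publish_date order, drop those whose hash was persisted by the previous run,
    then persist the newest timestamp and the hashes of every event carrying it.
    Timestamps are compared as strings, which is safe for this fixed ISO-8601 'Z' format."""
    since = persistence["last_event_time_in_utc"]
    seen = set(persistence["last_ids"])
    batch = sorted((r for r in records if r["spycloud_publish_date"] >= since),
                   key=lambda r: r["spycloud_publish_date"])
    new_events, filtered_out = [], 0
    for record in batch:
        if event_hash(record) in seen:
            filtered_out += 1          # re-fetched because it shares the boundary timestamp
        else:
            new_events.append(record)
    if not new_events:
        return new_events, filtered_out, persistence
    latest = new_events[-1]["spycloud_publish_date"]
    last_ids = {event_hash(r) for r in new_events if r["spycloud_publish_date"] == latest}
    if latest == since:
        last_ids |= seen               # the boundary did not move: keep the earlier hashes too
    updated = dict(persistence, last_event_time_in_utc=latest, last_ids=sorted(last_ids))
    return new_events, filtered_out, updated
```

Keeping the hashes of every event at the boundary timestamp is what prevents a record published at exactly last_event_time_in_utc from being sent twice when the next pull re-fetches that second.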

Devo categorization and destination

All events are sent by default to my.app.spycloud.watchlist.

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component: Setup

Description: The setup module is in charge of authenticating the service and managing the token expiration when needed.

Component: Puller

Description: The puller module is in charge of pulling the data in an organized way and delivering the events via the SDK.

Setup output

A successful run has the following output messages for the setup module:

2023-02-01T18:57:33.935 INFO InputProcess::MainThread -> ServiceThread(spycloud,1,watchlist,predefined) - Starting thread (execution_period=60s)
2023-02-01T18:57:33.935 INFO InputProcess::MainThread -> SpyCloudWatchlistPullerSetup(unknown,spycloud#1,watchlist#predefined) -> Starting thread
2023-02-01T18:57:33.935 INFO InputProcess::MainThread -> SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) - Starting thread
2023-02-01T18:57:33.936 WARNING InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Waiting until setup will be executed
2023-02-01T18:57:33.936 WARNING InputProcess::SpyCloudWatchlistPullerSetup(unknown,spycloud#1,watchlist#predefined) -> The token/header/authentication has not been created yet
2023-02-01T18:57:34.635 INFO InputProcess::SpyCloudWatchlistPullerSetup(unknown,spycloud#1,watchlist#predefined) -> Successfully authenticated to SpyCloud API.
2023-02-01T18:57:34.636 INFO InputProcess::SpyCloudWatchlistPullerSetup(unknown,spycloud#1,watchlist#predefined) -> Setup for module <SpyCloudWatchlistPuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only once, before the first run of the Pull action.

2023-02-01T19:05:37.183 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) Starting the execution of pre_pull()
2023-02-01T19:05:37.184 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Reading persisted data
2023-02-01T19:05:37.184 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Data retrieved from the persistence: {'@persistence_version': 1, 'initial_start_time_in_utc': '2020-12-01T00:00:00Z', 'last_event_time_in_utc': '2023-02-03T00:04:36Z', 'last_ids': []}
2023-02-01T19:05:37.184 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Running the persistence upgrade steps
2023-02-01T19:05:37.184 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Running the persistence corrections steps
2023-02-01T19:05:37.184 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Running the persistence corrections steps
2023-02-01T19:05:37.185 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> No changes were detected in the persistence
2023-02-01T19:05:37.185 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) Finalizing the execution of pre_pull()
2023-02-01T19:05:37.185 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Starting data collection every 60 seconds
2023-02-01T19:05:37.185 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Pull Started
2023-02-01T19:05:37.186 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Retrieving/sending watchlist events having spycloud_publish_date between 2023-02-03T00:04:36+00:00 and 2023-02-02T00:05:37.183795+00:00
2023-02-01T19:05:37.188 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Updating the persistence
2023-02-01T19:05:37.188 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1675296337183):Number of requests made: 0; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
2023-02-01T19:05:37.188 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1675296337183):Number of requests made: 0; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.
2023-02-01T19:05:37.189 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> The data is up to date!
2023-02-01T19:05:37.189 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Data collection completed. Elapsed time: 0.005 seconds. Waiting for 59.995 second(s) until the next one

After a successful collector execution (that is, no error logs found), you will see the following log message:

2023-02-01T19:05:37.188 INFO InputProcess::SpyCloudWatchlistPuller(spycloud,1,watchlist,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1675296337183):Number of requests made: 0; Number of events received: 0; Number of duplicated events filtered out: 0; Number of events generated and sent: 0; Average of events per second: 0.000.

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the initial_start_time_in_utc parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type: InitVariableError
Error ID: xxx
Error message: JSON schema / validation message.
Cause: The provided configuration does not match the required schemas.
Solution: Update the indicated value in the error message.

Error type: SetupError
Error ID: 100
Error message: The remote data is not pullable with the given credentials. Check the error traces for details.
Cause: The credentials are incorrect or the Devo collector IP is not whitelisted.
Solution: Check that the credentials are correct and that the Devo collector IP is whitelisted.

Error type: PrePullError
Error ID: -
Error message: -
Cause: -
Solution: -

Error type: PullError
Error ID: 300
Error message: Received 403 Forbidden. Check that calling IP is whitelisted in SpyCloud.
Cause: The collector IP is not whitelisted.
Solution: Check that the collector IP is whitelisted.

Error type: PullError
Error ID: 301
Error message: Received 401 Unauthorized. Check that the API key is valid.
Cause: The API key does not have access to the watchlist data.
Solution: Check that the credentials are correct.

Error type: PullError
Error ID: 302
Error message: Received 429 Too Many Requests. Check that the monthly quota is not met.
Cause: SpyCloud keeps responding with 429 messages even after the request has been retried.
Solution: Check that the monthly API quota is not met. Contact SpyCloud to adjust the API quota accordingly.

Error type: PullError
Error ID: 303
Error message: Received HTTP error
Cause: Generic HTTP error handler for all other server calls.
Solution: Review the error message to determine the issue.

Collector operations

This section is intended to explain how to proceed with the specific operations of this collector.

Initialization

The initialization module is in charge of setting up and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the event delivery module:

Sender services

The Integrations Factory Collector SDK has three different sender services depending on the type of event to deliver (internal, standard, and lookup). This collector uses the following sender services:

Logging trace: Number of available senders: 1
Description: Displays the number of concurrent senders available for the given sender service.

Logging trace: sender manager internal queue size: 0
Description: Displays the items available in the internal sender queue.

Logging trace: Standard - Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)
Description: Displays the number of events sent since the last checkpoint. Following the given example, the following conclusions can be obtained:

  • 44 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.

  • 21 events were sent to Devo between the last UTC checkpoint and now.

  • Those 21 events required 0.007 seconds to be delivered.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace: Number of available senders: 1
Description: Displays the number of concurrent senders available for the given sender service.

Logging trace: sender manager internal queue size: 0
Description: Displays the items available in the internal sender queue.

Logging trace: Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds)
Description: Displays the number of events sent since the last checkpoint. Following the given example, the following conclusions can be obtained:

  • 44 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.

  • 21 events were sent to Devo between the last UTC checkpoint and now.

  • Those 21 events required 0.00 seconds to be delivered.
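The sender traces in both tables above share one fixed format, so a monitoring job can extract the same conclusions automatically. The following Python parser is an added example, not part of the collector or the SDK; the sample trace lines are constructed, and the stall check (queued items but nothing sent since the checkpoint) is an assumption about what is worth alerting on, not a rule stated by the page.

```python
import re

# Constructed sender traces in the format shown above (counts and timestamps are made up).
SAMPLE_TRACES = [
    "Number of available senders: 1",
    "sender manager internal queue size: 0",
    'Standard - Total number of messages sent: 44, messages sent since '
    '"2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)',
]

SENT_RE = re.compile(
    r'^(?P<service>\w+) - Total number of messages sent: (?P<total>\d+), '
    r'messages sent since "(?P<since>[^"]+)": (?P<delta>\d+) '
    r'\(elapsed (?P<elapsed>[\d.]+) seconds\)$'
)
QUEUE_RE = re.compile(r'^sender manager internal queue size: (?P<size>\d+)$')
SENDERS_RE = re.compile(r'^Number of available senders: (?P<count>\d+)$')


def parse_sender_stats(lines):
    """Extract the figures the page lists as 'conclusions' from the three trace lines."""
    stats = {}
    for line in lines:
        if m := SENT_RE.match(line):
            stats.update(service=m["service"], total_sent=int(m["total"]),
                         checkpoint=m["since"], sent_since_checkpoint=int(m["delta"]),
                         elapsed_seconds=float(m["elapsed"]))
        elif m := QUEUE_RE.match(line):
            stats["queue_size"] = int(m["size"])
        elif m := SENDERS_RE.match(line):
            stats["available_senders"] = int(m["count"])
    return stats


def delivery_stalled(stats):
    """True when events are waiting in the internal queue but none left the sender
    since the last checkpoint: the cue to go and read the error traces."""
    return stats.get("queue_size", 0) > 0 and stats.get("sent_since_checkpoint", 0) == 0
```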

Change log

Release: v1.1.0
Released on: May 24, 2023
Release type: IMPROVEMENTS
Details:

Improvements:

  • Upgraded DCSDK from 1.8.0 to 1.11.1

  • Upgraded the Docker base image to 1.2.0

Recommendations: Recommended version

Release: v1.0.1
Released on: Jun 21, 2023
Release type: BUG FIX
Details:

Bug fixes:

  • Changed the strategy to keep collecting events once up to date. The collector was losing events once it reached the up-to-date state.

  • Fixed a calculation that was providing an incorrect count of filtered-out events.

Recommendations: Upgrade

Release: v1.0.0
Released on: Jun 9, 2023
Release type: RELEASE
Details:

Features:

  • Released the first version of the SpyCloud collector, including this service:

    • watchlist service: Watchlist assets extracted from breach data (ATO prevention).

  • By SpyCloud's requirements, this collector must run on a machine/pod/instance with a static public IP. This IP must be notified to SpyCloud so they can whitelist it.

Recommendations: Initial release