Document toolboxDocument toolbox

Microsoft Graph collector

Owned by Juan TomƔs Alonso Nieto (Deactivated)
Last updated: Dec 02, 2024 by Ɓngel Garcƭa
32 min read
[ 1 Overview ] [ 2 Configuration requirements ] [ 3 Devo collector features ] [ 4 Data sources ] [ 5 API limits, delays and known issues ] [ 6 API delays ] [ 7 Vendor setup ] [ 8 Minimum configuration required for basic pulling ] [ 9 Accepted authentication methods ] [ 10 Run the collector ] [ 11 Collector services detail ] [ 12 Collector operations ] [ 13 1.X to 2.X migration guide ] [ 14 Change log ]

If you are migrating from any 1.x version, please read this section.

Overview

The Microsoft Graph Collector provides the ability to collect data and intelligence from services such as Microsoft 365, Windows, and Enterprise Mobility and Security. Currently, this data collector is able to ingest only security alerts, scores, provisioning, audit and sign ins retrieved from the Microsoft products. This empowers customers to streamline security operations and better defend against increasing cyber threats faced in their Azure AD and Microsoft 365 environments and beyond.

Devoā€™s Microsoft Graph collector also enables customers to correlate events and context to improve threat protection and response, and includes key entities described in the next sections.

Configuration requirements

To run this collector, there are some configurations detailed below that you need to consider.

Configuration

Details

Configuration

Details

Azure account

Azure account with admin level permissions and Azure AD tenant.

Credentials

The credentials configuration block has been filled correctly.

More information

Refer to the Vendor setup section to know more about these configurations.

Devo collector features

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

not allowed

Running environments

  • collector server

  • on-premise

Populated Devo events

table

Flattening preprocessing

no

Allowed source events obfuscation

yes

Data sources

Data source

Description

API endpoint

Collector service name

Devo table

Data source

Description

API endpoint

Collector service name

Devo table

Audit logs - provisioning

Represents an action performed by the Microsoft Entra provisioning service and its associated properties.

v1.0/auditLogs/provisioning

provisioning_audits

cloud.azure.ad.provisioning.*.msgraph

Audit logs - directory

Represents the directory audit items and its collection.

v1.0/auditLogs/directoryaudits

directory_audits

cloud.azure.ad.audit.*.msgraph

Audit logs - sign-ins

Details user and application sign-in activity for a tenant (directory). You must have a Microsoft Entra ID P1 or P2 license to download sign-in logs using the Microsoft Graph API.

v1.0/auditLogs/signIns

signIns

cloud.azure.ad.signin.*.msgraph

Audit logs - sign-ins (v2)

Details user and application sign-in activity for a tenant (directory). You must have a Microsoft Entra ID P1 or P2 license to download sign-in logs using the Microsoft Graph API.

beta/auditLogs/signIns

signIns_v2

  • cloud.azure.ad.interactive_user_signin.*.msgraph

  • cloud.azure.ad.noninteractive_user_signin.*.msgraph

  • cloud.azure.ad.managed_identity_signin.*.msgraph

  • cloud.azure.ad.service_principal_signin.*.msgraph

  • cloud.azure.ad.unknown_future_value_signin.*.msgraph

Legacy Alerts

This resource corresponds to the first generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft or a partner security solution has identified.

This type of alerts federates calling of supported Azure and Microsoft 365 Defender security providers listed in Use the Microsoft Graph security API. It aggregates common alert data among the different domains to allow applications to unify and streamline management of security issues across all integrated solutions.

v1.0/security/alerts

alerts

  • cloud.azure.ad.alerts.*.msgraph

  • cloud.office365.cloud_apps.alerts.*.msgraph

  • cloud.office365.endpoint.alerts.*.msgraph

  • cloud.office365.security.alerts.*.msgraph

  • cloud.azure.sentinel.alerts.*.msgraph

  • cloud.office365.identity.alerts.*.msgraph

  • cloud.azure.securitycenter.alerts.*.msgraph

Alerts (v2)

This resource corresponds to the latest generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft 365 Defender, or a security provider integrated with Microsoft 365 Defender, has identified.

When detecting a threat, a security provider creates an alert in the system. Microsoft 365 Defender pulls this alert data from the security provider, and consumes the alert data to return valuable clues in an alert resource about any related attack, impacted assets, and associated evidence. It automatically correlates other alerts with the same attack techniques or the same attacker into an incident to provide a broader context of an attack. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.

v1.0/security/alerts_v2

alerts_v2

cloud.msgraph.security.alerts_v2.*

Secure Scores

Represents a tenant's secure score per day of scoring data, at the tenant and control level. By default, 90 days of data is held. This data is sorted by createdDateTime, from latest to earliest. This will allow you to page responses by using $top=n, where n = the number of days of data that you want to retrieve.

v1.0/security/secureScores

secure_scores

cloud.office365.security.scores.*.msgraph

Secure Scores Control Profiles

Represents a tenant's secure score per control data. By default, this resource returns all controls for a tenant and can explicitly pull individual controls.

v1.0/security/secureScoreControlProfiles/

secure_score_control_profiles

cloud.office365.security.scorecontrol.*.msgraph

API limits, delays and known issues

The Graph API imposes some throttling limits to the applications. The number of requests in a given time is limited according to several criteria. There is a generic limitation for the Graph API and service specific limits.

Any request can be evaluated against multiple limits, depending on the scope of the limit (per app across all tenants, per tenant for all apps, per app per tenant, and so on), the request type (GET, POST, PATCH, and so on), and other factors. The first limit to be reached triggers throttling behavior.

In the case of the services used by the collector, the limits are:

Request type

Per app across all tenants

Request type

Per app across all tenants

Any

130,000 requests per 10 seconds

provisioning_audits

5 requests per 10 seconds

directory_audits

5 requests per 10 seconds

signins

5 requests per 10 seconds

signIns_v2

5 requests per 10 seconds

alerts

150 requests per minute

alerts_v2

150 requests per minute

secure_scores

150 requests per minute or 10,000 in a 10-minute period

secure_score_control_proļ¬les

10,000 in a 10-minute period

A complete reference of the limits can be found here.

When the collector reaches the API limit, the API returns a 429 error code. This is reflected in the logs of the collector with a message like 429 Error during API call. If several of these messages are found, the solution is to use the request_period_in_seconds for this service to decrease the frequency of calls.
For instance, a request period of 300 means that the API will be called every 5 minutes for this service, instead of the default value of 60 seconds.

API delays

The Graph API has some peculiarities that we need to consider to get optimal results. Events are only sometimes available in the Graph API in real time or near real time. Most events arrive seconds after they actually occur, but some can arrive minutes or even hours late. Microsoft SLAs can be anywhere from 3 minutes to 6 hours in most cases. Check more information here.

So, trying to fetch the events in near real time sometimes causes the collector to miss events. For instance, if we try to get the events at 12:00 and we ask the API for events in the range 11:55ā€“12:00, we will get the existing events with event dates between 11:55 and 12:00, as they are stored in the Graph API at 12:00. But a new event with an internal event date of 11:58 may arrive at 12:03, for example. In this case, the collector would not gather the new event when asking the API for events from 12:00 to 12:05, because the Graph API considers the event date of 11:58 to be out of this range.

The solution to this issue is to ask the API for events after some time, not immediately. For instance, we can ask for events in the range of 11:55ā€“12:00 at 13:00 instead of trying to get them right at 12:00. This way, if an event arrives at 12:03, the Graph API will include it in the events gathered for the range.

An optional parameter allows us to postpone data gathering. The override_fetch_gap_seconds parameter value is the number of seconds we want to wait fordata gathering. For instance, if we set it to 3600 seconds, the collector gathers the events an hour late; it asks for events from 11:55ā€“12:00 at 13:00, and so on.

There are two caveats to consider:

  • Using this parameter delays the appearance of events in Devo. For some applications, this delay could be unacceptable; some applications require near real time operation.

  • Sometimes, when we start the collector, no events are received for a while. For instance, using a delay of 3600 seconds, if we start the collector at 12:00 with a start_time_in_utc of 12:00, the first events will not arrive in Devo until 13:00.

Vendor setup

Microsoft Graph data collector works over Microsoft products. To activate the resources from the Microsoft Graph API, you need:

  1. An Azure account that has an active subscription.

  2. The Azure account must have permission to manage applications in Azure Active Directory (Azure AD).

  3. A working Azure AD tenant.

You will need to register a new application and apply the required permissions to the corresponding resources to authenticate the collector in order to retrieve the data.

You need the Admin level permissions on the Azure portal as the subscription setup will require admin consent API permissions, authentications, and audits.

Ā 

Action

Steps

1

Register and configure the application

  1. Go to Azure portal and click on Azure Active Directory.

  2. Click on App registration on the left-menu side. Then click on + New registration.

  3. On the Register and Application page:

    1. Name the application.

    2. Select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) in Supported Accounts type.

    3. In Redirect URI (optional) leave it as default (blank).

    4. Click Register.

  4. App registration page will open. Click on your app to configure it and give it permissions. You will see your appā€™s dashboard with information (docs, endpoints, etc.) when clicking it.

  5. Click Authentication on the left-menu side, then choose + Add a platform and select Mobile and desktop application.

  6. Select the three redirects URIs:

    • https://login.microsoftonline.com/common/oauth2/nativeclient

    • https://login.live.com/oauth20_desktop.srf

    • msale36f3a02-3eef-437b-874e-8a0aa29a2bf0://auth

  7. Click Configure.

2

Grant the required permissions

  1. Go to API permissions on the left-menu side.

  2. Click + Add permission in case you donā€™t have Microsoft Graph in the API/Permission list.

  3. Select Application permissions and check SecurityEvents.Read.All.

  4. Check the following permissions: AuditLog.Read.All, Directory.Read.All and User.Read.All. If you did everything correctly, permissions will display.

  5. Select Grant admin consent for the applications.

3

Obtain the requires credentials for the collector

  1. Go to Certificates & Secrets, select + New client secret . Named it and copy the token value.

  2. Go to Overview to get your Tenant ID and Client ID and copy both values.

Permission reference per service

Collector service

Resource

Required permissions

Microsoft documentation

alerts

alerts

SecurityEvents.Read.All

List alerts

alerts_v2

alerts_v2

SecurityAlert.Read.All, SecurityIncidents.Read.All, and SecurityActions.Read.All

List alerts_v2

secure_scores

secureScores

SecurityEvents.Read.All

List secureScores

secure_score_control_profiles

secureScoreControlProfiles

SecurityEvents.Read.All

List secureScoreControlProfiles

directory_audit

directoryAudits

AuditLog.Read.All and Directory.Read.All

List directoryAudits

provisioning_audit

provisioningObjectSummary

AuditLog.Read.All and Directory.Read.All

List provisioningObjectSummary

signIn

signIns

AuditLog.Read.All and Directory.Read.All

List signIns

Required for all services

authentication

User.Read

Microsoft Graph permissions

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

Setting

Details

tenant_id_value

This is the Tenantā€™s ID you created in Azure AD. You can obtain it from the Overview page in your registered application.

client_id_value

This is the Clientā€™s ID you created in Azure AD. You can obtain it from the Overview page in your registered application.

client_secret_value

This is the Clientā€™s secret you created in Azure AD. You can obtain it from the Certificates & secrets page in your registered application.

Accepted authentication methods

This collector only accepts one single authentication method. You will have to fill the following properties on the credentials configuration block:

Authentication method

Tenant ID

Client ID

Client secret

OAuth2 Client credentials

REQUIRED

REQUIRED

REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Internal process and deduplication method

All directory audit records are continuously pulled subject to the activityDateTime timestamp property. A unique hash value is computed for each event and used for deduplication purposes to ensure events are not fetched multiple times in subsequent pulls. The collector utilizes the @odata.nextLink link (if provided) to fetch the next page of records for a given query window until no more remain.

Devo categorization and destination

All events of this service are ingested into the table cloud.azure.ad.audit.

Internal process and deduplication method

All provisioning audit records are continuously pulled subject to the activityDateTime timestamp property. A unique hash value is computed for each event and used for deduplication purposes to ensure events are not fetched multiple times in subsequent pulls. The collector utilizes the @odata.nextLink link (if provided) to fetch the next page of records for a given query window until no more remain.

Devo categorization and destination

All events of this service are ingested into the table cloud.azure.ad.provisioning.

Internal process and deduplication method

All sign-in records are continuously pulled subject to the createdDateTime timestamp property. A unique hash value is computed for each event and used for deduplication purposes to ensure events are not fetched multiple times in subsequent pulls. The collector utilizes the @odata.nextLink link (if provided) to fetch the next page of records for a given query window until no more remain.

Devo categorization and destination

All events of this service are ingested into the table cloud.azure.ad.signin.

Internal process and deduplication method

All sign-in_v2 records are continuously pulled subject to the createdDateTime timestamp property. A unique hash value is computed for each event and used for deduplication purposes to ensure events are not fetched multiple times in subsequent pulls. The collector utilizes the @odata.nextLink link (if provided) to fetch the next page of records for a given query window until no more remain.

Devo categorization and destination

Events of this service are ingested into the following tables:

signIn event type

Devo table

signIn event type

Devo table

interactiveUser

cloud.azure.ad.interactive_user_signin

nonInteractiveUser

cloud.azure.ad.noninteractive_user_signin

managedIdentity

cloud.azure.ad.managed_identity_signin

servicePrincipal

cloud.azure.ad.service_principal_signin

unknownFutureValue

cloud.azure.ad.unknown_future_value_signin

Internal process and deduplication method

All alert records are continuously pulled subject to the createdDateTime timestamp property. A unique hash value is computed for each event and used for deduplication purposes to ensure events are not fetched multiple times in subsequent pulls. The collector utilizes the @odata.nextLink link (if provided) to fetch the next page of records for a given query window until no more remain.

Devo categorization and destination

Events of this service are ingested into the following tables:

Vendor

Devo table

Vendor

Devo table

IPC

cloud.azure.ad.alerts

MCAS

cloud.office365.cloud_apps.alerts

Microsoft Defender ATP

cloud.office365.endpoint.alerts

Microsoft 365 Defender

cloud.office365.endpoint.alerts

Office 365 Security and Compliance

cloud.office365.security.alerts

Azure Sentinel

cloud.azure.sentinel.alerts

ASC

cloud.office365.identity.alerts

Azure Advanced Threat Protection

cloud.azure.securitycenter.alerts

Restart the persistence for a service

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the start_time_in_utc parameter to a different one.

  3. Save the changes.

  4. Restart the collector. The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Troubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Common logic

Error type

Error ID

Error message

Cause

Solution

Error type

Error ID

Error message

Cause

Solution

InitVariablesError

1

Invalid start_time_in_utc: {ini_start_str}. Must be in parseable datetime format.

The configured start_time_in_utc parameter is a non-parseable format.

Update the start_time_in_utc value to have the recommended format as indicated in the guide.

InitVariablesError

2

Invalid start_time_in_utc: {ini_start_str}. Must be in the past.

The configured start_time_in_utc parameter is a future date.

Update the start_time_in_utc value to a past datetime.

SetupError

101

Failed to fetch OAuth token from {token_endpoint}. Exception: {e}.

The provided credentials, base URL, and/or token endpoint are incorrect.

Revisit the configuration steps and ensure that the correct values were specified in the config file.

SetupError

102

Failed to fetch data from {endpoint}. Source is not pullable.

The provided credentials, base URL, and/or token endpoint are incorrect.

Revisit the configuration steps and ensure that the correct values were specified in the config file.

ApiError

401

Error during API call to [API provider HTML error response here]

The server returned an HTTP 401 response.

Ensure that the provided credentials are correct and provide read access to the targeted data.

ApiError

429

Error during API call to [API provider HTML error response here]

The server returned an HTTP 429 response.

The collector will attempt to retry requests (default up to 3 times) and
respect back-off headers if they exist. If the collector repeatedly encounters
this error, adjust the request_period_in_seconds. (see section about API
limits)

ApiError

498

Error during API call to [API provider HTML error response here]

The server returned an HTTP 500 response.

If the API returns a 500 but successfully completes subsequent runs then you may ignore this error. If the API repeatedly returns a 500 error, ensure the server is reachable and operational.

Collector operations

Verify collector operations

Check memory usage

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

  • The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.

  • The global pressure of the available memory is displayed in the global value.

  • All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB) INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)Change log

1.X to 2.X migration guide

Version 2.0.0 introduced several changes to the collector's configuration. When upgrading the collector, users must make changes to their configuration file to ensure that the collector continues to work as expected.

In versions 1.X of the collector, some services had a config parameter tag_version with values v1or v2. The effect of this parameter is that the destination table for these services will be different. These are the destination tables according to the tag_version value:

v1

v2 (default)

v1

v2 (default)

cloud.msgraph.security.score

cloud.office365.security.score

cloud.msgraph.security.scorecontrol

cloud.office365.security.scorecontrol

In the new collector 2.0.0, the old config parameter tag_version has been removed. The same effect as v1can be made using override_tag, with these values:

Service

override_tag (to obtain the behaviour equivalent to tag_version: v1)

Service

override_tag (to obtain the behaviour equivalent to tag_version: v1)

secure_scores

cloud.msgraph.security.scores.2

secure_score_control_profiles

cloud.msgraph.security.scorecontrol.2

For instance, if we have this in the old config:

you should change it to:

In old versions of this collector, all alerts were sent to the table cloud.msgraph.security.alerts

However, as there are alerts of several types, in version 2.0.0 alerts are categorized according to their vendorInformation-provider field (their vendor) and sent to different tables:

Vendor

Old table

New table

Vendor

Old table

New table

IPC

cloud.msgraph.security.alerts

cloud.azure.ad.alerts

MCAS

cloud.office365.cloud_apps.alerts

Microsoft Defender ATP

cloud.office365.endpoint.alerts

Microsoft 365 Defender

cloud.office365.endpoint.alerts

Office 365 Security and Compliance

cloud.office365.security.alerts

Azure Sentinel

cloud.azure.sentinel.alerts

ASC

cloud.office365.identity.alerts

Azure Advanced Threat Protection

cloud.azure.securitycenter.alerts

Others

cloud.msgraph.security.alerts

It is possible to avoid this feature and send all alerts to the same table by editing the config file and changing the tag:

Config file comparison

Below you will find a sample 1.7.1 configuration file and a sample 2.0.0 configuration file.

Config file changes

  • The URL endpoints (override_base_url_main, override_base_url_vendor, override_base_url_vendor_with_sub_provider , override_login_url) have been moved from the individual services to the global configuration section.

  • override_base_url_main has been renamed to override_base_url.

  • tag_version has been removed.

  • pull_sliding_window_timespan_period has been removed.

  • reset_persistence_auth has been removed.

  • override_time_delta_in_days has been removed.

  • ms_365_environment has been replaced by override_top_level_domain. GCC High Gov should use us in the override_top_level_domain. Alternatively, users can use override_base_url to specify the GCC High Gov base URL.

  • additional_filter has been added to all services. Users can use this field to specify additional filters that will be applied when querying the Microsoft Graph API.

  • The collector can use new services from Graph (beta endpoint in Graph), that services, that use to be in a separate service for each type, have been consolidated into one service called signIns_v2. Users should remove all three services from their config and use only the signIns_v2 service.

  • start_time has been renamed to start_time_in_utc.

Persistence changes

  • The persistence object consists of the following fields: persistence_version, last_event_time_in_utc, last_ids, and next_link.

  • The collector will automatically map old key names (e.g. last_polled_timestamp ā†’ last_event_time_in_utc) to the appropriate value.

Change log

Release

Released on

Release type

Details

Recommendations

Release

Released on

Release type

Details

Recommendations

v2.1.0

Nov 29, 2024

IMPROVEMENT SECURITY

Changed

  • Upgrade DCSDK to v1.13.1

  • Upgrade Docker image base to version v1.3.1 in Dockerfile

Security

  • Remove vulnerabilities in libexpat1, expat

Recommended version

v2.0.1

Aug 2, 2024

IMPROVEMENTBUG FIX

Improvements

  • Updated DCSDK to 1.12.2 from 1.11.1

Bug Fixing

  • authlib updated to 1.3.1 to solve CVE-2024-37568

Upgrade

v2.0.0

Apr 1, 2024

IMPROVEMENT

Improvements

  • Complete reimplementation of the collector, refactoring all the services

Upgrade

v1.7.1

Oct 18, 2023

NEW FEATUREIMPROVEMENTBUG FIX

New features

  • time_delta_in_days can now be overwritten in the user configuration by override_time_delta_in_days in all the service that are ā€œtime-basedā€. This new parameter cannot be combined with reset_persistence_auth and/or start_time.

Improvements

  • The state is now persisted more frequently for most of the services. This means that, in case of a collector restart, the chances of duplicating data have been reduced considerably, as the collector will continue pulling data from the same point where it was when the collector was stopped.

Bug fixing

  • The collector will get the most recent token available before performing any new request, reducing the possibilities to get a 401 code as a response.

  • The 504 code responses were returned many time; some of them for having asked for too old data. This used to cause a locking state in the collector, as it was not able to continue. Some mechanisms has been added to avoid requiring that old data to the API. Anyway, if a 504 appears now for any other reason, the improvement related to persisting the state frequently makes the collector continue collecting correctly after the service restart.

Upgrade

v1.7.0

Ā Oct 10, 2023

NEW FEATUREIMPROVEMENTBUG FIX

New features:

  • alerts_v2 service included, keeping old alerts service for compatibility.

  • Compliance for MS 365 GCC High US environments added.

Improvements:

  • Update DCSDK from 1.8.0 to 1.9.2

Bug fixing:

  • The collector now keeps retrieving events when it is up-to-date.

  • Added extra protection to refresh token and avoid 401 status errors.

  • When a 401 status code is received from a response, the collector tries the request again using the access_token available in the collector_variables, instead of raising en Error. This definitely fixes the bug that used to make the collector restart due to 401 errors.

  • A vendor thread termination event has been set, including three different check points in the thread's run method, as a protection against non-terminated vendor threads, causing the alerts service to stop. Some extra logging has also been added to identify the root cause in case this keeps happening.

Upgrade

v1.6.2

Jan 14, 2023

BUG FIXIMPROVEMENT

Improvements:

  • Update DCSDK from 1.6.0 to 1.8.0

Bug fixing:

  • Fix in the service urls: they were not being formatted correctly with the start_time variable, which allows the user to select the date from which they want to collect events.

  • Updated the limits of the API: The limits have been modified with the official values. This fixes throttling issues.

  • Updated the default value of star_time from 61 days in the past to 30, as this is the maximum limit the API allows.

Upgrade

v1.6.0

Aug 2, 2022

NEW FEATURE

New features:

  • The pulling mechanism now uses a sliding window to avoid event loss and duplication.

Improvements:

  • DevoCollectorSDK upgraded to v1.6.0:

    • Added:

      • More log traces related to execution environment details.

      • Global rate limiters functionality.

      • Extra checks for supporting MacOS as development environment.

      • Obfuscation functionality.

    • Changed:

      • Some log traces now are shown less frequently.

      • The default value for the logging frequency for "main" processes has been changed (to 120 seconds).

      • Updated some Python Packages.

      • Controlled stopping functionality more stable when using the "template".

      • Improved some log messages related to Devo certificates (when using the Devo sender).

      • Validate json objects before saving them to persistence (using filesystem).

Upgrade

v1.4.2

Dec 27, 2022

BUG FIX

Fixed bugs:

  • Fixes bug with non-time-based puller state.

Upgrade

v1.4.1

Dec 2, 2022

BUG FIX

Fixed bugs:

  • Fix error with vendor state when checking the reset_persistence_auth parameter.

  • Allow using v2 tags for secure_scores and secure_scores_control_profile tags.

  • Add missing Devo metadata into events.

Upgrade

v1.4.0

Dec 2, 2022

IMPROVEMENT

Improvements:

  • Automatic outdated start_time correction for audit-based services.

    • New ā€œreset persistenceā€ functionality.

Upgrade

v1.3.0

Nov 18, 2022

IMPROVEMENTBUG FIX

Improvements:

  • start_time configuration parameter normalization for audit and provisioning services.

  • Upgraded devocollectorsdk from 1.4.0 to 1.4.4b:

    • Added:

      • New "templates" functionality.

      • New controlled stopping condition when any input thread fatally fails.

      • Log traces for knowing the execution environment status (debug mode).

    • Changed:

      • Improved log trace details when runtime exceptions happen

      • Refactored source code structure

      • Fixes in the current puller template version

      • The Docker container exits with the proper error code

Bug fixing:

  • Correct token validation when a Partial Content response is received.

  • Use appropriate destination tag for provisioning events.

Upgrade

v1.2.0

Aug 2, 2022

NEW FEATURE IMPROVEMENT

New features:

  • New supported sources

    • Sign In (signIn service)

    • Audit (audit service)

    • Provisioning (provisioning service)

  • Previous services modification

    • The new tagging introduced in the previous v1.1.3 release is now customizable through the tag_version service parameter. The default tagging has been reverted to the original one.

    • The alerts source, when setting the tag_version to v2, will try to categorize the events by applying different tags based on the eventā€™s provider.

Improvements:

  • Token validation is now performed against the corresponding endpoint.

Upgrade