DELL Technologies Trusted Device Event Repository Owner’s Manual

: June 1, 2024
: DELL Technologies

Trusted Device Event Repository

“`html

Specifications:

Product: Dell Trusted Device Event Repository
Version: Configuration Guide v6.3
Date: April 2024
Revision: A01

Product Information:

The Dell Trusted Device agent is part of the Dell SafeBIOS
product portfolio. It includes features such as BIOS Verification,
BIOS Events & Indicators of Attack, Image Capture, Intel ME
Verification, Secured Component Verification (On Cloud), Security
Risk Protection Score, Dell Event Repository, and SIEM
integration.

BIOS Verification:

Allows customers to verify BIOS integrity without interrupting
the boot process, providing affirmation that devices are secured
below the operating system where IT administrator visibility is
lacking.

BIOS Events & Indicators of Attack:

Enables administrators to analyze events in the Windows Event
Viewer to detect potential attacks on BIOS attributes, allowing for
monitoring and mitigation of attack vectors.

Secured Component Verification (On Cloud):

Provides supply-chain assurance by verifying the integrity of
components inside Dell computers.

Security Risk Protection Score:

Helps administrators assess the security risk level of
enterprise computers by scanning for security solutions and
assigning a risk score for overall assessment.

Usage Instructions:

Chapter 1: Introduction

Introduces the Dell Trusted Device agent and its features.

Chapter 3: Download the software

Instructions on downloading the necessary software for the Dell
Trusted Device agent.

Chapter 4: SIEM

Information on integrating the Dell Event Repository with SIEM
systems.

Chapter 6: Download the Event Repository image

Steps to download the Event Repository image, including guidance
for disconnected environments.

Chapter 7: Run the Event Repository

Guidance on running the Dell Event Repository on your
system.

Chapter 8: Customize the API URIs

Instructions for customizing API URIs for specific
requirements.

Chapter 9: Troubleshooting

Troubleshooting tips and guidance for common issues.

FAQ:

Q: What is the purpose of BIOS Verification?

A: The purpose of BIOS Verification is to affirm that devices
are secured below the operating system without interrupting the
boot process.

Q: How does Security Risk Protection Score help

administrators?

A: Security Risk Protection Score helps administrators assess
the security risk level of computers in their enterprise by
scanning for security solutions and assigning a risk score per
overall assessment.

“`

Dell Trusted Device Event Repository
Configuration Guide v6.3
April 2024 Rev. A01

Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2019 – 2024 Dell Inc. or its subsidiaries. All rights reserved. Dell Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Contents
Chapter 1: Introduction………………………………………………………………………………………………….. 4
Chapter 2: Requirements……………………………………………………………………………………………….. 5 Prerequisites……………………………………………………………………………………………………………………………………………………. 6 Ports………………………………………………………………………………………………………………………………………………………………… 6 Operating systems………………………………………………………………………………………………………………………………………….. 6
Chapter 3: Download the software…………………………………………………………………………………… 8
Chapter 4: SIEM…………………………………………………………………………………………………………… 11
Chapter 5: Prerequisites……………………………………………………………………………………………….. 12 Architecture…………………………………………………………………………………………………………………………………………………….12 Download and install Docker…………………………………………………………………………………………………………………………. 12 Create the persistent directories………………………………………………………………………………………………………………….. 12 Configure the appsettings.json file……………………………………………………………………………………………………………….. 13 Use the Appsettings Generator……………………………………………………………………………………………………………….. 17 Configure the Trusted Device agent……………………………………………………………………………………………………………. 20 Use the Client Registry Generator……………………………………………………………………………………………………………21 Configure to forward data to a SIEM solution……………………………………………………………………………………………… 21
Chapter 6: Download the Event Repository image…………………………………………………………….. 23 Disconnected environments…………………………………………………………………………………………………………………………. 23
Chapter 7: Run the Event Repository……………………………………………………………………………….24
Chapter 8: Customize the API URIs………………………………………………………………………………… 25
Chapter 9: Troubleshooting…………………………………………………………………………………………… 27

Contents

3

1
Introduction
The Dell Trusted Device agent is part of the Dell SafeBIOS product portfolio. The Trusted Device agent includes the following:
BIOS Verification BIOS Events & Indicators of Attack Image Capture Intel ME Verification Secured Component Verification (On Cloud) Security Risk Protection Score Dell Event Repository and SIEM integration
BIOS Verification provides customers with affirmation that devices are secured below the operating system, a place where IT administrator visibility is lacking. It enables customers to verify BIOS integrity using an off-host process without interrupting the boot process. After the Trusted Device agent runs on the endpoint, a pass or fail result (0 or 1) displays in some of these locations:
Web browser Command line Registry entry Event Viewer Logs
BIOS Events & Indicators of Attack enables administrators to analyze events in the Windows Event Viewer that may indicate bad actors targeting BIOS on enterprise endpoints. Bad actors change BIOS attributes to gain access to enterprise computers locally or remotely. These attack vectors can be monitored then mitigated through the BIOS Events & Indicators of Attack features’ ability to monitor BIOS attributes.
Secured Component Verification (On Cloud) is a supply-chain assurance offering that enables you to verify the integrity of the components inside your Dell computer.
Security Risk Protection Score enables administrators to determine the security risk level of computers in their enterprise. Trusted Device scans for security solutions and assigns a score per overall risk assessment.

4

Introduction

2
Requirements
See the Trusted Device Installation and Administrator Guide for a list of supported platforms. NOTE: If the Trusted Device agent is installed on non- Dell platforms, the following error displays.
Figure 1. Non-Dell platforms NOTE: If the Trusted Device agent is run on an unsupported platform, the following error displays.

Figure 2. Platform not currently supported
Exclusions
Exclusions may be required for compatibility with third-party software, anti- virus, or scripts. Exclude the following.
Folders
C:ProgramDataDellBiosVerification C:Program FilesDellBIOSVerification C:Program FilesDELLTrustedDevice

Requirements

5

Files or processes
C:Program FilesDELLTrustedDeviceDell.SecurityCenter.Agent.Console.exe C:Program FilesDELLTrustedDeviceDell.TrustedDevice.Service.Console.exe C:Program FilesDELLTrustedDeviceDell.TrustedDevice.Service.exe C:Program FilesDELLTrustedDeviceDCF.Agent.exe C:WindowsSystem32driversDellBV.sys C:WindowsSystem32driversdtdsel.sys

File types
.bv .rcv .sha256

Prerequisites
Microsoft .NET Framework 4.7.2 (or later) is required for the installer. The installer does not install the Microsoft .NET Framework component. All systems that are shipped from the Dell factory are preinstalled with the full version of Microsoft .Net Framework 4.8 (or later). To verify the version of Microsoft .Net installed, follow these instructions on the computer targeted for installation. To install Microsoft .Net Framework 4.7.2, see these Microsoft instructions. For more information about Microsoft .Net Framework, see this Microsoft document.
Trusted Device interoperation with SIEM solutions requires the following:
Docker The Trusted Device Event Repository image Trusted Device v3.6 or later
NOTE: Trusted Device agent v4.6 and later requires the Trusted Device Event Repository v4.6 or later.
Universal SIEM forwarder

Ports

Trusted Device uses certificate pinning. The Trusted Device agent must pass SSL and TLS Inspection, Deep Packet Inspection, proxy servers, and any traffic-shaping applications. Ensure the Trusted Device agent can communicate with the Dell Cloud by allowlisting port 443. See the following table for more information:

Table 1. Ports Destination api.delltrusteddevicesecurity.com

Protocol HTTPS

Port 443

bas.solution.delltrusteddevicesecurity.com cds.service.securityscore.dell.com

HTTPS

443

HTTPS

443

cds.service.securityscore.dell.com/devicesvc/api/v1

HTTPS

443

service.delltrusteddevicesecurity.com

HTTPS

443

solution.delltrusteddevicesecurity.com

HTTPS

443

Operating systems
The following table details supported operating systems:

6

Requirements

Table 2. Supported operating systems
Windows Operating Systems (64-bit)
Windows 10 Windows 11

Requirements

7

3
Download the software
This section details obtaining the software from dell.com/support. If you already have the software, you can skip this section. Go to dell.com/support to begin. 1. On the Dell Support webpage, select Browse all products.
2. Select Software & Solutions from the list of products.

3. Select Security.

8

Download the software

4. Select the product group.
Trusted Device Security
5. Select the product. Trusted Device
6. Access the product landing page. Click Select This Product

7. Click Drivers & downloads.

Download the software

9

8. Select the wanted client operating system type. 9. Select Trusted Device Agent check box.
10. Click Download.

10

Download the software

4
SIEM
Security Information Event Management (SIEM) solutions aggregate data from multiple sources in your enterprise. SIEM enables administrators to identify trends and unusual behavior or to perform real-time analysis of alerts that are generated by applications and hardware. Data aggregated through SIEM can be transformed into charts and graphs on a dashboard to facilitate use. This helps administrators ensure that the enterprise maintains security compliance and protection against bad actors. Trusted Device can interoperate with SIEM solutions and supports the following features: BIOS Verification BIOS Events & Indicators of Attack Image Capture Security Risk Protection Score The Dell Event Repository must be installed to deliver Trusted Device results to a SIEM solution. See Download the Event Repository to download the Docker image.

SIEM

11

5
Prerequisites
The following details the Trusted Device Event Repository installation prerequisites.
Architecture
The following diagram describes deployment steps and data flow from the Trusted Device agent to a SIEM solution.

Download and install Docker
The Event Repository requires Docker. Go to https://docs.docker.com/get- docker/ to download and install Docker. NOTE: If you are installing Docker on Windows, see this Microsoft article to configure Windows Subsystem for Linux (WSL).
Create the persistent directories
The Event Repository requires persistent storage that is shared between the Docker host and the Event Repository Docker container to stage Trusted Device and certificate data. Before installing the Event Repository, copy the Signing certificate, private key, TLS certificate, and TLS private key to the C:eventrepositoryCerts folder. The following are examples of the required folders for persistent data storage created on the Docker host:

12

Prerequisites

C:eventrepository C:eventrepositoryCerts C:eventrepositoryData

Configure the appsettings.json file

The appsettings.json file requires modification for the Event Repository to properly communicate with the Docker Instance. Use the appsettings.json generator in the Event Repository container or modify the file manually with a text editor. The following table details the top-level elements of the appsettings.json file:

Table 3. Top-level elements Name Logging
Tenant Upload

Required No
Yes Yes

Description
Enables administrators to configure the methods with which the Event Repository generates logs.
Configuration of tenant information for this instance of the Event Repository.
Configuration of the SIEM upload method.

Tenant
The Tenant element configures the Event Repository with tenant information. Tenant information details the configuration necessary to control which computers can register with this Event Repository instance. The following table details the elements of the Tenant object:
Optionally, you can configure the appsettings generator to create a PbkdfTenantApiKey for PBKDF2 password storage.

Table 4. Tenant elements Name TenantName
TenantApiKey
PbkdfTenantApiKey TenantApiKeyHash

Required Yes
Yes No No

Description
The name of the tenant. This name is typically based on the company name or division. The TenantName should be unique in an organization.
The TenantApiKey is a string that represents a password that a computer must provide during registration.
PbkdfTenantApiKey enables PBKDF2 password storage.
A hash value of the TenantApiKey. NOTE: The TenantApiKeyHash value must be a valid base64 string. If the appsettings generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created.

Salt

No

The salt value used to hash the TenantApiKey.
NOTE:
The salt value must be a valid base64 string generated using a 16 byte array at minimum.

Prerequisites

13

Table 4. Tenant elements (continued)

Name

Required

RandomFunction

No

Iterations

No

TenantUUID

Yes

SigningCertificate

Yes

JwtCertificate

Yes

SigningCertficate
The SigningCertificate element requires the following entries:
Signing certificate Private key associated with the signing certificate

14

Prerequisites

Description
If the appsettings generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created.
The function used to hash the TenantApiKey.
NOTE: The RandomFunction must use
HMACSHA256 or HMACSHA512. If the appsettings generator
does not detect the above expected values in use, the PbkdfTenantApiKey element is not created.
The number of iterations used to generate the TenantApiKey hash.
NOTE: If the RandomFunction in use is
HMACSHA256, then the iteration must be at least 310000. If the RandomFunction in use is HMACSHA512, then the iteration must be at least 120000. If the appsettings generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created.
A string representing a GUID unique to this tenant.
NOTE: To create a GUID in Windows PowerShell, use the new-guid command. For more information, see this Microsoft article.
Also known as the Tenant Certificate. This certificate is used to sign the Identity Certificate generated during registration.
NOTE: The SigningCertificate value must match the JwtCertificate value or be derived from it.
The entire certificate chain used to validate bearer tokens generated by the computers.

The following table details the member used to describe the certificate and private key:

Table 5. Certificate elements

Name IssuerPublicCertsPem and IssuerPublicCertsFile

Description
Provide one of the two choices. For IssuerPublicCertsPem, the string is the PEM encoded X509 certificate with newlines that are replaced with ‘n’ characters. For IssuerPublicCertsFile, the string is the path to the file containing the PEM encoded X509 certificate.

IssuerPrivateKeyPem and IssuerPrivatekeyFile

Provide one of the two choices. For IssuerPrivateKeyPem, the string is the PEM encoded private key that is associated with the IssuerPublicCert. For IssuerPrivateKeyFile, the string is the path to the file containing the PEM encoded private key. In both cases, the private key must not be password that is protected.

Upload The Upload element details the connection to the SIEM solution. The following table details the Upload components:

Table 6. Upload elements Name BaseFileName

Required Yes

Description
A string containing a user-defined component of the filename used for log files. The name of the file is TenantName-BaseFileName.log

OutputLocation

Yes

MaxFileSizeMb

Yes

The path indicating the folder where the output log files are written.
The maximum size to which a log file can grow. When a log file exceeds this amount, the file is closed and a new log file is created.

MaxActiveFileDays

Yes

The maximum amount of time, which is specified in days, for which a log file can be open. When the log file is open for longer than the time specified, it is closed, and a new log file is opened.

MaxFileAge

Yes

The time log files persist in the output folder. Files older than this time period, which is specified in days, are deleted.

Kestrel The Kestrel element details the TLS connection. The following table details the Kestrel components:
NOTE: Dell Technologies recommends using only TLS v1.2 or TLS v1.3 and newer.

Table 7. Kestrel elements Name Endpoints Http/Https
Pathbase
Url

Required Yes Yes
Yes
Yes

Description
Details for the container listening ports.
Protocol definitions for the docker listening ports.
URI relative path with respect to the container (/devicesvr/api/v1).
The container protocol and listening port ( https://*:5001″).

Prerequisites

15

Table 7. Kestrel elements (continued)

Name

Required

Certificate

Yes

Path

Yes

Password

Yes

Description
Details of the certificate that is used for TLS connections to the container.
The location of the PKCS12 certificate (/app/certs/test.pfx).
Password to the PKCS12 certificate.

To use the utility included with the Event Repository Docker image, see Use the Appsettings Generator. If your organization
requires custom API notation, see Customize the API URIs. Use a text editor to configure the required elements. See the
appsettings.json below with configurable examples in bold:
{ “https port”: 443, “Logging”: { “LogLevel”: { “Default”: “Information”, “Microsoft”: “Warning”, “Microsoft.Hosting.Lifetime”: “Information” } }, “Tenant”: { “TenantName”: “ExampleTenant”, “TenantApiKey”: “ExampleTenantKey”, “PbkdfTenantApiKey”: { “TenantApiKeyHash”: “ExampleTenantKeyHash”, “Salt”: “ExampleSaltValue”, “RandomFunction”: “ExampleFunctionValue”, “Iterations”: 120000 “TenantUUID”: “5568165d-216a-4631-a115-80de74f294fd”, “SigningCertificate”: { “IssuerPublicCertsPem”: “ExampleCertificate or the Docker container path to the public key
certificate”, “IssuerPrivateKeyPem”: “ExampleCertificate or the Docker container path to the private
key” }, “JwtCertificate”: { “TrustedRootsPem”: “ExampleCertificate or the Docker container path to the trust chain of
the signing certificate” }
}, “Upload”: {
“BaseFileName”: “SIEM_Output”, “OutputLocation”: “/var/dataEventRepository”, “MaxFileSizeMb”: 15, “MaxActiveFileDays”: 1, “MaxFileAge”: 3 }, “Kestrel”: { “Endpoints”: {
“Http”: { “PathBase”: “/devicesvc/api/v1”, “Url”: “http://*:5000”
}, “Https”: {
“PathBase”: “/devicesvc/api/v1”, “Url”: “http://*:5001”, “Certificate”: {
“Path”: “/app/certs/test.pfx”, “Password”: “Password@123″ }, }, } } } } }

16

Prerequisites

Move the appsettings.json file to the persistent directory after modifying the above values.

Use the Appsettings Generator

NOTE: Certificates that are used with the Appsettings Generator must be in PEM format.

The Appsettings Generator builds the required appsettings.json file and writes it to the Docker console. Optionally, you can configure the Appsettings Generator to create a PbkdfTenantApiKey for PBKDF2 password storage.
The following table describes options that are used with the Appsettings Generator.

Table 8. Options Option –help –certfile

Description
This option displays help file in text format.
This option forces the Appsettings Generator to find certificate in a predefined location.

The following table describes the parameters that are used to create the appsettings.json file.

Table 9. Parameters

Parameter

Required

/app/

Yes

Dell.TrustedDevice.EventsRepository.Ap

pSettingsGenerator.dll

dellemc/dtd-event-repository

Yes

Description
This string invokes the Appsettings Generator in the Event Repository container.
This string defines the container image to use for this container.
NOTE: If a specific version of the Event Repository image is required, append this command with :. For example: dellemc/dtd- eventrepository:1.0.2.0

Iterations

No

The number of iterations used to generate the TenantApiKey hash.
NOTE:

Prerequisites

17

Table 9. Parameters (continued) Parameter

Required

MaxFileSizeMb

No

MaxActiveFileDays

No

MaxFileAge

No

Path

Yes

Password

Yes

RandomFunction

No

Salt

No

18

Prerequisites

Description
If the RandomFunction in use is HMACSHA256, then the iteration must be at least 310000.
If the RandomFunction in use is HMACSHA512, then the iteration must be at least 120000.
If the Appsettings Generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created.
The maximum size to which a log file can grow. When a log file exceeds this amount, the file is closed and a new log file is created. The default value for this parameter is 15 Mb.
The maximum amount of time, which is specified in days, for which a log file can be open. When the log file is open for longer than the time specified, it is closed, and a new log file is opened. The default for this parameter is one day.
The time log files persist in the output folder. Files older than this time period, which is specified in days, are deleted. The default for this parameter is three days.
This parameter is the file path of the Kestrel certificate.
This parameter is the password to the Kestrel certificate.
The function used to hash the TenantApiKey.
NOTE: The RandomFunction must use
HMACSHA256 or HMACSHA512. If the Appsettings Generator
does not detect the above expected values in use, the PbkdfTenantApiKey element is not created.
The salt value used to hash the TenantApiKey.
NOTE: The salt value must be a valid
base64 string generated using a 16 byte array at minimum. If the Appsettings Generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created.

Table 9. Parameters (continued) Parameter TenantName

Required Yes

TenantApiKey

Yes

TenantApiKeyHash

No

TenantUUID

No

–tty=false

No

HttpPort

No

IssuerPublicCertsPem

No

IssuerPrivateKeyPem

No

TrustedRootsPem

No

Description
This parameter is the name of the tenant. This name is typically based on the company name or division. The TenantName should be unique in an organization.
The TenantApiKey is a string that represents a password that a computer must provide during registration.
A hash value of the TenantApiKey. NOTE: The TenantApiKeyHash value must be a valid base64 string. If the Appsettings Generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created.
This parameter is the GUID of the Tenant. If a GUID is not provided, the Appsettings Generator creates one.
To write the appsettings.json file to a specific location, use this option.
This parameter is the Kestrel endpoint entity port.
This parameter is the file path of the public certificate.
NOTE: This parameter is required only if the –certfile option is not in use.
This parameter is the file path of the private certificate.
NOTE: This parameter is required only if the –certfile option is not in use.
This parameter is the file path of the trusted roots certificate.
NOTE: This parameter is required only if the –certfile option is not in use.

Example commands
The following example displays the help file for the Appsettings Generator in the Command line window.
docker run dellemc/dtd-event-repository /app/ Dell.TrustedDevice.EventsRepository.AppSettingsGenerator.dll –help
The following example creates the appsettings.json file in C:eventrepository using the –certfile option with example parameters and adds a PbkdfTenantApiKey for PBKDF2 password storage.
docker run dellemc/dtd-event-repository /app/ Dell.TrustedDevice.EventsRepository.AppSettingsGenerator.dll –certfile TenantName=ExampleTenant TenantApiKey=ExampleTenantKey TenantApiKeyHash=”ExampleTenantApiHash” Salt=”ExampleSalt”

Prerequisites

19

RandomFunction=”ExampleRandomFunction” Iterations=120000 Path=”/app/certs/ example.pem” password=ExamplePassword
Configure the Trusted Device agent
The Trusted Device agent requires custom registry values to deliver data to the Event Repository. To create these registry values with the Client Registry Generator in the Event Repository container, see Use the Client Registry Generator. Alternatively, create or modify the following registry values manually to configure the Trusted Device agent for use with the Event Repository: HKLMSoftwareDellDellTrustedDeviceOverrides
NOTE: This registry key is protected from tampering at the Administrator level. Dell Technologies recommends implementing these registry values before installing the Trusted Device agent on the target computer.
NOTE: The values that are specified in these registry entries must match the appsettings.json configuration entries.
Modify the following registry values per the configuration of your Event Repository. [HKLMSoftwareDellDellTrustedDeviceOverridesSiemIntegrationPolicyRepositoriesCollectorHttpsRegistration] “Tenant”=”ExampleTenant” “TenantApiKey”=”ExampleTenantKey” “TenantId ”=”5568165d-216a-4631-a115-80de74f294fd” “Uri”=”https://example.server.com:31235/siem/api/v1”
NOTE: The URI must be an HTTPS connection.
NOTE: The server example.server.com must be trusted. The hostname must match, the Trust Chain must be trusted, and the date must be valid. “RootCertificate”=”ExampleCertificate” [HKLMSoftwareDellDellTrustedDeviceOverridesSiemIntegrationPolicyRepositoriesCollectorHttpsConnection] “Uri”=”https://example.server.com:31235/siem/api/v1” NOTE: The URI must be an HTTPS connection.
NOTE: The server example.server.com must be trusted. The hostname must match, the Trust Chain must be trusted, and the date must be valid. “RootCertificate”=”ExampleCertificate” Add the following registry values if you must use multiple root certificate hashes.
NOTE: Use a space (” “) between each root certificate as a delimiter.
[HKLMSoftwareDellDellTrustedDeviceOverridesSiemIntegrationPolicyRepositoriesCollectorHttpsRegistration] “Tenant”=”ExampleTenant” “TenantApiKey”=”ExampleTenantKey” “TenantId ”=”5568165d-216a-4631-a115-80de74f294fd” “Uri”=”https://example.server.com:31235/siem/api/v1” NOTE: The URI must be an HTTPS connection.
NOTE: The server example.server.com must be trusted. The hostname must match, the Trust Chain must be trusted, and the date must be valid. “RootCertificate”=”ExampleCertificate1 ExampleCertificate2” [HKLMSoftwareDellDellTrustedDeviceOverridesSiemIntegrationPolicyRepositoriesCollectorHttpsConnection] “Uri”=”https://example.server.com:31235/siem/api/v1” NOTE: The URI must be an HTTPS connection.
NOTE: The server example.server.com must be trusted. The hostname must match, the Trust Chain must be trusted, and the date must be valid. “RootCertificate”=”ExampleCertificate1 ExampleCertificate2”

20

Prerequisites

Use the Client Registry Generator

The Client Registry Generator builds the required registry files using the appsettings.json file and certificates and writes them to the Docker console. The Client Registry Generator requires the following: A complete appsettings.json file mounted at /app/appsettings.json The public certificate mounted at /app/certs/
NOTE: The public certificate must be in PEM format. The root certificate mounted at /app/certs/
NOTE: The Client Registry Generator requires a complete appsettings.json file. If you do not have a complete appsettings.json file, see Use the appsettings generator.
The following table describes variables that are used with the Client Registry Generator.
NOTE: All variables are case sensitive.

Table 10. Client Registry Generator variables Variable -b, –baseUri

Description
This variable represents the Event Repository IP address or Hostname followed by the Docker host listening port. For example, example.server.com:31235
NOTE: This port must be the Docker host listening port or client registration fails.

Dell.TrustedDevice.EventsRepository.GenerateRegistry.dll dellemc/dtd-event- repository

This string invokes the Client Registry Generator in the Event Repository container.
This string defines the container image to use for this container.
NOTE: If a specific version of the Event Repository image is required, append this command with :. For example: dellemc/dtdevent- repository:1.0.2.0

-p, –pathToPublicCert

This variable specifies the file path of the PEM-enconded public certificate.
NOTE: This file path must include the certificate name and extension.

-r, –repository –tty=false
-v

This variable specifies the name of the Event Repository.
To write the client registry file to a specific location, use this option.
This parameter specifies the volume to mount.

The following example mounts the volumes in C:exampleappsettings.json:/app/appsettings.json and the certificates in C:examplecerts:/app/certs and then writes the client registry file to the Docker console.

docker compose run -v c:examplecerts:/app/certs -v c:exampleappsettings.json:/app/appsettings.json dellemc/dtd-event-repository Dell.TrustedDevice.EventsRepository.GenerateRegistry.dll –baseUri https:// example.server.com:31235 -r -p /app/certs/ ExamplePublicCertName.pem

Configure to forward data to a SIEM solution
SIEM solutions often require a utility to consume data sources. The Splunk universal forwarder is a lightweight forwarding solution that can be configured for use with the Event Repository during or after installation. The following example provides

Prerequisites

21

installation and configuration reference for the Splunk universal forwarder to push data from Event Repository to a Splunk SIEM instance.
Use one of the following articles to install a universal forwarder based on the environment in which your Event Repository is installed:
To install a universal forwarder on Windows, see this Splunk article. To install a universal forwarder on Linux, Solaris, macOS, FreeBSD, or AIX, see this Splunk article.
After installation, see this Splunk article to configure the universal forwarder for use with the Event Repository.
After Docker is installed and prerequisites are configured, go to Run the Event Repository.

22

Prerequisites

6
Download the Event Repository image
Use the following workflow to download the Event Repository image: 1. Ensure that Docker is installed and running on the target computer. 2. Go to https://hub.docker.com/r/dellemc/dtd-event-repository and sign in with your Docker credentials. 3. Download the dtd-event-repository image. 4. Go to the dtd-event-repository image download location and open PowerShell or Terminal application. 5. Enter the following command to install the Event Repository:
docker pull dellemc/dtd-event-repository
Disconnected environments
If your SIEM solution is configured in Disconnected mode, see the following articles: Go to this Docker article to see the steps for saving a Docker image for later use. Go to this Docker article to see the steps for loading a previously saved Docker image.

Download the Event Repository image

23

7

Run the Event Repository

After downloading the Docker image, the Event Repository must be initialized to begin collating data from the agents. See this Docker article for more information on Docker run commands. The following table details the Docker- based variables needed to configure the Event Repository container:

Table 11. Event Repository variables Variable -d

Meaning Run the docker container in a detached mode.

dellemc/dtd-event-repository

Defines the container image to use for this container. NOTE: If a specific version of the Event Repository image is required, append this command with :. For example: dellemc/dtdevent-repository:1.0.2.0

-it
-p –rm -u nobody
-v

Starts an interactive command-line session connected to the Docker container.
Specifies ports used for the container.
Automatically removes the container when it exits.
The recommended unelevated user context in which the container is run.
Enables the creation of a volume shared between the Docker host and the Docker container.

The following example starts the Event Repository container in unelevated user context and maps C:eventrepositoryData on the host computer to /app/appsettings.json in the container then configures the host listening on port 31235 while using port 5001 in the container.
NOTE: This example retrieves the latest Docker image if it is not present on the target computer.

docker run -it rm -d -p 31235:5001 -v c:eventrepositoryappsettings.json:/app/ appsettings.json -v c:eventrepositoryData:/var/data -v C: eventrepositorycerts:/app/certs -u nobody dellemc/dtd-event-repository

24

Run the Event Repository

8

Customize the API URIs

If your organization requires custom API notation, use the following example to customize the API URIs for your Event Repository.
NOTE: If the Version element is not included in your appsettings.json, default URI values for Device Registration, Event Posting, and Health are applied.

Table 12. URIs Name Device Registration
Event Posting
Health

Required Yes
Yes
Yes

Description
The URI through which the Trusted Device agent registers with the Event Repository.
The URI through which the Trusted Device agent sends events to the Event Repository.
The URI that prints the health status of the Event Repository to a browser.

Use a text editor to configure the required elements. See the appsettings.json below with configurable examples in bold
{ “https port”: 443, “Logging”: { “LogLevel”: { “Default”: “Information”, “Microsoft”: “Warning”, “Microsoft.Hosting.Lifetime”: “Information” } }, “Tenant”: { “TenantName”: “ExampleTenant”, “TenantApiKey”: “ExampleTenantKey”, “TenantUUID”: “5568165d-216a-4631-a115-80de74f294fd”, “SigningCertificate”: { “IssuerPublicCertsPem”: “ExampleCertificate or the Docker container path to
the public key certificate”, “IssuerPrivateKeyPem”: “ExampleCertificate or the Docker container path to
the private key” }, “JwtCertificate”: { “TrustedRootsPem”: “ExampleCertificate or the Docker container path to the
trust chain of the signing certificate ” }
}, “Upload”: {
“BaseFileName”: “SIEM_Output”, “OutputLocation”: “/var/dataEventRepository”, “MaxFileSizeMb”: 15, “MaxActiveFileDays”: 1, “MaxFileAge”: 3 }, “Kestrel”: { “Endpoints”: {
“Http”: { “PathBase”: “/devicesvc/api/v1”, “Url”: “http://*:5000”
}, “Https”: {
“PathBase”: “/devicesvc/api/v1”,

Customize the API URIs

25

“Url”: “http://*:5001”, “Certificate”: {
“Path”: “/app/certs/test.pfx”, “Password”: “Password@123” } } } }, “AppSettings”: {
“Version”: 2, “UrlPrefix”: {
“Health”: {“Prefix”:”path/to/health”},
“Registration”: {“Prefix”:”path/to/registration”},
“EventUpload”: {“Prefix”:”path/to/eventupload”} } } }

26

Customize the API URIs

9
Troubleshooting
Check the following if the Event Repository instance is not properly communicating to the host computer. Ensure that your network connection is active. Ensure the Docker container is running by using following command: docker container ps. If the container is running,
the following details display: Container ID Image Command Created Status Ports Names Ensure that the Event Repository container is properly configured against the appsettings.json file. See Configure the appsettings.json file for more information. Open a browser on the Event Repository host and enter
http://:<Docker host listening port>/health
If the host computer can properly communicate to the Event Repository instance over the specified port, a Healthy status displays in the browser.
NOTE: Ensure you use HTTP in this health check as HTTPS will not resolve.

Troubleshooting

27