DELL Technologies Trusted Device Event Repository Owner’s Manual
- June 1, 2024
- DELL Technologies
Trusted Device Event Repository
Specifications:
- Product: Dell Trusted Device Event Repository
- Version: Configuration Guide v6.3
- Date: April 2024
- Revision: A01
Product Information:
The Dell Trusted Device agent is part of the Dell SafeBIOS
product portfolio. It includes features such as BIOS Verification,
BIOS Events & Indicators of Attack, Image Capture, Intel ME
Verification, Secured Component Verification (On Cloud), Security
Risk Protection Score, Dell Event Repository, and SIEM
integration.
BIOS Verification:
Allows customers to verify BIOS integrity without interrupting
the boot process, providing affirmation that devices are secured
below the operating system where IT administrator visibility is
lacking.
BIOS Events & Indicators of Attack:
Enables administrators to analyze events in the Windows Event
Viewer to detect potential attacks on BIOS attributes, allowing for
monitoring and mitigation of attack vectors.
Secured Component Verification (On Cloud):
Provides supply-chain assurance by verifying the integrity of
components inside Dell computers.
Security Risk Protection Score:
Helps administrators assess the security risk level of
enterprise computers by scanning for security solutions and
assigning a risk score for overall assessment.
Usage Instructions:
Chapter 1: Introduction
Introduces the Dell Trusted Device agent and its features.
Chapter 3: Download the software
Instructions on downloading the necessary software for the Dell
Trusted Device agent.
Chapter 4: SIEM
Information on integrating the Dell Event Repository with SIEM
systems.
Chapter 6: Download the Event Repository image
Steps to download the Event Repository image, including guidance
for disconnected environments.
Chapter 7: Run the Event Repository
Guidance on running the Dell Event Repository on your
system.
Chapter 8: Customize the API URIs
Instructions for customizing API URIs for specific
requirements.
Chapter 9: Troubleshooting
Troubleshooting tips and guidance for common issues.
FAQ:
Q: What is the purpose of BIOS Verification?
A: The purpose of BIOS Verification is to affirm that devices
are secured below the operating system without interrupting the
boot process.
Q: How does Security Risk Protection Score help
administrators?
A: Security Risk Protection Score helps administrators assess
the security risk level of computers in their enterprise by
scanning for security solutions and assigning a risk score per
overall assessment.
Dell Trusted Device Event Repository
Configuration Guide v6.3
April 2024 Rev. A01
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2019 – 2024 Dell Inc. or its subsidiaries. All rights reserved. Dell
Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its
subsidiaries. Other trademarks may be trademarks of their respective owners.
Contents
- Chapter 1: Introduction
- Chapter 2: Requirements
  - Prerequisites
  - Ports
  - Operating systems
- Chapter 3: Download the software
- Chapter 4: SIEM
- Chapter 5: Prerequisites
  - Architecture
  - Download and install Docker
  - Create the persistent directories
  - Configure the appsettings.json file
  - Use the Appsettings Generator
  - Configure the Trusted Device agent
  - Use the Client Registry Generator
  - Configure to forward data to a SIEM solution
- Chapter 6: Download the Event Repository image
  - Disconnected environments
- Chapter 7: Run the Event Repository
- Chapter 8: Customize the API URIs
- Chapter 9: Troubleshooting
1
Introduction
The Dell Trusted Device agent is part of the Dell SafeBIOS product portfolio.
The Trusted Device agent includes the following:
- BIOS Verification
- BIOS Events & Indicators of Attack
- Image Capture
- Intel ME Verification
- Secured Component Verification (On Cloud)
- Security Risk Protection Score
- Dell Event Repository and SIEM integration
BIOS Verification provides customers with affirmation that devices are secured
below the operating system, a place where IT administrator visibility is
lacking. It enables customers to verify BIOS integrity using an off-host
process without interrupting the boot process. After the Trusted Device agent
runs on the endpoint, a pass or fail result (0 or 1) displays in some of these
locations:
- Web browser
- Command line
- Registry entry
- Event Viewer
- Logs
BIOS Events & Indicators of Attack enables administrators to analyze events in
the Windows Event Viewer that may indicate bad actors targeting BIOS on
enterprise endpoints. Bad actors change BIOS attributes to gain access to
enterprise computers locally or remotely. These attack vectors can be
monitored then mitigated through the BIOS Events & Indicators of Attack
features’ ability to monitor BIOS attributes.
Secured Component Verification (On Cloud) is a supply-chain assurance offering
that enables you to verify the integrity of the components inside your Dell
computer.
Security Risk Protection Score enables administrators to determine the
security risk level of computers in their enterprise. Trusted Device scans for
security solutions and assigns a score per overall risk assessment.
2
Requirements
See the Trusted Device Installation and Administrator Guide for a list of supported platforms.
NOTE: If the Trusted Device agent is installed on non-Dell platforms, the following error displays.
Figure 1. Non-Dell platforms
NOTE: If the Trusted Device agent is run on an unsupported platform, the following error displays.
Figure 2. Platform not currently supported
Exclusions
Exclusions may be required for compatibility with third-party software, anti-virus, or scripts. Exclude the following.
Folders
- C:\ProgramData\Dell\BiosVerification
- C:\Program Files\Dell\BIOSVerification
- C:\Program Files\DELL\TrustedDevice
Files or processes
- C:\Program Files\DELL\TrustedDevice\Dell.SecurityCenter.Agent.Console.exe
- C:\Program Files\DELL\TrustedDevice\Dell.TrustedDevice.Service.Console.exe
- C:\Program Files\DELL\TrustedDevice\Dell.TrustedDevice.Service.exe
- C:\Program Files\DELL\TrustedDevice\DCF.Agent.exe
- C:\Windows\System32\drivers\DellBV.sys
- C:\Windows\System32\drivers\dtdsel.sys
File types
- .bv
- .rcv
- .sha256
Prerequisites
Microsoft .NET Framework 4.7.2 (or later) is required for the installer. The installer does not install the Microsoft .NET Framework component. All systems that are shipped from the Dell factory are preinstalled with the full version of Microsoft .NET Framework 4.8 (or later). To verify the version of Microsoft .NET installed, follow these instructions on the computer targeted for installation. To install Microsoft .NET Framework 4.7.2, see these Microsoft instructions. For more information about Microsoft .NET Framework, see this Microsoft document.
Trusted Device interoperation with SIEM solutions requires the following:
- Docker
- The Trusted Device Event Repository image
- Trusted Device v3.6 or later
  NOTE: Trusted Device agent v4.6 and later requires the Trusted Device Event Repository v4.6 or later.
- Universal SIEM forwarder
Ports
Trusted Device uses certificate pinning. The Trusted Device agent must pass SSL and TLS Inspection, Deep Packet Inspection, proxy servers, and any traffic-shaping applications. Ensure the Trusted Device agent can communicate with the Dell Cloud by allowlisting port 443. See the following table for more information:
Table 1. Ports

| Destination | Protocol | Port |
|---|---|---|
| api.delltrusteddevicesecurity.com | HTTPS | 443 |
| bas.solution.delltrusteddevicesecurity.com | HTTPS | 443 |
| cds.service.securityscore.dell.com | HTTPS | 443 |
| cds.service.securityscore.dell.com/devicesvc/api/v1 | HTTPS | 443 |
| service.delltrusteddevicesecurity.com | HTTPS | 443 |
| solution.delltrusteddevicesecurity.com | HTTPS | 443 |
Operating systems
The following table details supported operating systems:
Table 2. Supported operating systems
Windows Operating Systems (64-bit)
- Windows 10
- Windows 11
3
Download the software
This section details obtaining the software from dell.com/support. If you already have the software, you can skip this section. Go to dell.com/support to begin.
1. On the Dell Support webpage, select Browse all products.
2. Select Software & Solutions from the list of products.
3. Select Security.
4. Select the product group: Trusted Device Security.
5. Select the product: Trusted Device.
6. Access the product landing page. Click Select This Product.
7. Click Drivers & downloads.
8. Select the wanted client operating system type.
9. Select the Trusted Device Agent check box.
10. Click Download.
4
SIEM
Security Information Event Management (SIEM) solutions aggregate data from multiple sources in your enterprise. SIEM enables administrators to identify trends and unusual behavior or to perform real-time analysis of alerts that are generated by applications and hardware. Data aggregated through SIEM can be transformed into charts and graphs on a dashboard to facilitate use. This helps administrators ensure that the enterprise maintains security compliance and protection against bad actors.
Trusted Device can interoperate with SIEM solutions and supports the following features:
- BIOS Verification
- BIOS Events & Indicators of Attack
- Image Capture
- Security Risk Protection Score
The Dell Event Repository must be installed to deliver Trusted Device results to a SIEM solution. See Download the Event Repository to download the Docker image.
5
Prerequisites
The following details the Trusted Device Event Repository installation
prerequisites.
Architecture
The following diagram describes deployment steps and data flow from the
Trusted Device agent to a SIEM solution.
Download and install Docker
The Event Repository requires Docker. Go to https://docs.docker.com/get-docker/ to download and install Docker.
NOTE: If you are installing Docker on Windows, see this Microsoft article to configure Windows Subsystem for Linux (WSL).
Create the persistent directories
The Event Repository requires persistent storage that is shared between the Docker host and the Event Repository Docker container to stage Trusted Device and certificate data. Before installing the Event Repository, copy the Signing certificate, private key, TLS certificate, and TLS private key to the C:\eventrepository\Certs folder. The following are examples of the required folders for persistent data storage created on the Docker host:
- C:\eventrepository
- C:\eventrepository\Certs
- C:\eventrepository\Data
Configure the appsettings.json file
The appsettings.json file requires modification for the Event Repository to properly communicate with the Docker Instance. Use the appsettings.json generator in the Event Repository container or modify the file manually with a text editor. The following table details the top-level elements of the appsettings.json file:
Table 3. Top-level elements

| Name | Required | Description |
|---|---|---|
| Logging | No | Enables administrators to configure the methods with which the Event Repository generates logs. |
| Tenant | Yes | Configuration of tenant information for this instance of the Event Repository. |
| Upload | Yes | Configuration of the SIEM upload method. |
Tenant
The Tenant element configures the Event Repository with tenant information.
Tenant information details the configuration necessary to control which
computers can register with this Event Repository instance. The following
table details the elements of the Tenant object:
Optionally, you can configure the appsettings generator to create a
PbkdfTenantApiKey for PBKDF2 password storage.
Table 4. Tenant elements

| Name | Required | Description |
|---|---|---|
| TenantName | Yes | The name of the tenant. This name is typically based on the company name or division. The TenantName should be unique in an organization. |
| TenantApiKey | Yes | The TenantApiKey is a string that represents a password that a computer must provide during registration. |
| PbkdfTenantApiKey | No | PbkdfTenantApiKey enables PBKDF2 password storage. |
| TenantApiKeyHash | No | A hash value of the TenantApiKey. NOTE: The TenantApiKeyHash value must be a valid base64 string. If the appsettings generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created. |
| Salt | No | The salt value used to hash the TenantApiKey. NOTE: The salt value must be a valid base64 string generated using a 16 byte array at minimum. If the appsettings generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created. |
| RandomFunction | No | The function used to hash the TenantApiKey. NOTE: The RandomFunction must use HMACSHA256 or HMACSHA512. If the appsettings generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created. |
| Iterations | No | The number of iterations used to generate the TenantApiKey hash. NOTE: If the RandomFunction in use is HMACSHA256, then the iteration must be at least 310000. If the RandomFunction in use is HMACSHA512, then the iteration must be at least 120000. If the appsettings generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created. |
| TenantUUID | Yes | A string representing a GUID unique to this tenant. NOTE: To create a GUID in Windows PowerShell, use the new-guid command. For more information, see this Microsoft article. |
| SigningCertificate | Yes | Also known as the Tenant Certificate. This certificate is used to sign the Identity Certificate generated during registration. NOTE: The SigningCertificate value must match the JwtCertificate value or be derived from it. |
| JwtCertificate | Yes | The entire certificate chain used to validate bearer tokens generated by the computers. |

SigningCertificate
The SigningCertificate element requires the following entries:
- Signing certificate
- Private key associated with the signing certificate
The following table details the members used to describe the certificate and private key:
Table 5. Certificate elements

| Name | Description |
|---|---|
| IssuerPublicCertsPem and IssuerPublicCertsFile | Provide one of the two choices. For IssuerPublicCertsPem, the string is the PEM encoded X509 certificate with newlines that are replaced with '\n' characters. For IssuerPublicCertsFile, the string is the path to the file containing the PEM encoded X509 certificate. |
| IssuerPrivateKeyPem and IssuerPrivateKeyFile | Provide one of the two choices. For IssuerPrivateKeyPem, the string is the PEM encoded private key that is associated with the IssuerPublicCert. For IssuerPrivateKeyFile, the string is the path to the file containing the PEM encoded private key. In both cases, the private key must not be password protected. |
Upload
The Upload element details the connection to the SIEM solution. The following table details the Upload components:
Table 6. Upload elements

| Name | Required | Description |
|---|---|---|
| BaseFileName | Yes | A string containing a user-defined component of the filename used for log files. The name of the file is |
| OutputLocation | Yes | The path indicating the folder where the output log files are written. |
| MaxFileSizeMb | Yes | The maximum size to which a log file can grow. When a log file exceeds this amount, the file is closed and a new log file is created. |
| MaxActiveFileDays | Yes | The maximum amount of time, which is specified in days, for which a log file can be open. When the log file is open for longer than the time specified, it is closed, and a new log file is opened. |
| MaxFileAge | Yes | The time log files persist in the output folder. Files older than this time period, which is specified in days, are deleted. |
Kestrel
The Kestrel element details the TLS connection. The following table details the Kestrel components:
NOTE: Dell Technologies recommends using only TLS v1.2 or TLS v1.3 and newer.
Table 7. Kestrel elements

| Name | Required | Description |
|---|---|---|
| Endpoints | Yes | Details for the container listening ports. |
| Http/Https | Yes | Protocol definitions for the docker listening ports. |
| Pathbase | Yes | URI relative path with respect to the container (/devicesvr/api/v1). |
| Url | Yes | The container protocol and listening port (https://*:5001). |
| Certificate | Yes | Details of the certificate that is used for TLS connections to the container. |
| Path | Yes | The location of the PKCS12 certificate (/app/certs/test.pfx). |
| Password | Yes | Password to the PKCS12 certificate. |
To use the utility included with the Event Repository Docker image, see Use
the Appsettings Generator. If your organization
requires custom API notation, see Customize the API URIs. Use a text editor to
configure the required elements. See the
appsettings.json below with configurable examples in bold:
```json
{
  "https port": 443,
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "Tenant": {
    "TenantName": "ExampleTenant",
    "TenantApiKey": "ExampleTenantKey",
    "PbkdfTenantApiKey": {
      "TenantApiKeyHash": "ExampleTenantKeyHash",
      "Salt": "ExampleSaltValue",
      "RandomFunction": "ExampleFunctionValue",
      "Iterations": 120000
    },
    "TenantUUID": "5568165d-216a-4631-a115-80de74f294fd",
    "SigningCertificate": {
      "IssuerPublicCertsPem": "ExampleCertificate or the Docker container path to the public key certificate",
      "IssuerPrivateKeyPem": "ExampleCertificate or the Docker container path to the private key"
    },
    "JwtCertificate": {
      "TrustedRootsPem": "ExampleCertificate or the Docker container path to the trust chain of the signing certificate"
    }
  },
  "Upload": {
    "BaseFileName": "SIEM_Output",
    "OutputLocation": "/var/dataEventRepository",
    "MaxFileSizeMb": 15,
    "MaxActiveFileDays": 1,
    "MaxFileAge": 3
  },
  "Kestrel": {
    "Endpoints": {
      "Http": {
        "PathBase": "/devicesvc/api/v1",
        "Url": "http://*:5000"
      },
      "Https": {
        "PathBase": "/devicesvc/api/v1",
        "Url": "https://*:5001",
        "Certificate": {
          "Path": "/app/certs/test.pfx",
          "Password": "Password@123"
        }
      }
    }
  }
}
```
Move the appsettings.json file to the persistent directory after modifying the above values.
Use the Appsettings Generator
NOTE: Certificates that are used with the Appsettings Generator must be in PEM format.
The Appsettings Generator builds the required appsettings.json file and writes
it to the Docker console. Optionally, you can configure the Appsettings
Generator to create a PbkdfTenantApiKey for PBKDF2 password storage.
The following table describes options that are used with the Appsettings
Generator.
Table 8. Options

| Option | Description |
|---|---|
| --help | This option displays help file in text format. |
| --certfile | This option forces the Appsettings Generator to find certificate in a predefined location. |
The following table describes the parameters that are used to create the appsettings.json file.
Table 9. Parameters

| Parameter | Required | Description |
|---|---|---|
| /app/Dell.TrustedDevice.EventsRepository.AppSettingsGenerator.dll | Yes | This string invokes the Appsettings Generator in the Event Repository container. |
| dellemc/dtd-event-repository | Yes | This string defines the container image to use for this container. NOTE: If a specific version of the Event Repository image is required, append this command with : |
| Iterations | No | The number of iterations used to generate the TenantApiKey hash. NOTE: If the RandomFunction in use is HMACSHA256, then the iteration must be at least 310000. If the RandomFunction in use is HMACSHA512, then the iteration must be at least 120000. If the Appsettings Generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created. |
| MaxFileSizeMb | No | The maximum size to which a log file can grow. When a log file exceeds this amount, the file is closed and a new log file is created. The default value for this parameter is 15 Mb. |
| MaxActiveFileDays | No | The maximum amount of time, which is specified in days, for which a log file can be open. When the log file is open for longer than the time specified, it is closed, and a new log file is opened. The default for this parameter is one day. |
| MaxFileAge | No | The time log files persist in the output folder. Files older than this time period, which is specified in days, are deleted. The default for this parameter is three days. |
| Path | Yes | This parameter is the file path of the Kestrel certificate. |
| Password | Yes | This parameter is the password to the Kestrel certificate. |
| RandomFunction | No | The function used to hash the TenantApiKey. NOTE: The RandomFunction must use HMACSHA256 or HMACSHA512. If the Appsettings Generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created. |
| Salt | No | The salt value used to hash the TenantApiKey. NOTE: The salt value must be a valid base64 string generated using a 16 byte array at minimum. If the Appsettings Generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created. |
| TenantName | Yes | This parameter is the name of the tenant. This name is typically based on the company name or division. The TenantName should be unique in an organization. |
| TenantApiKey | Yes | The TenantApiKey is a string that represents a password that a computer must provide during registration. |
| TenantApiKeyHash | No | A hash value of the TenantApiKey. NOTE: The TenantApiKeyHash value must be a valid base64 string. If the Appsettings Generator does not detect the above expected values in use, the PbkdfTenantApiKey element is not created. |
| TenantUUID | No | This parameter is the GUID of the Tenant. If a GUID is not provided, the Appsettings Generator creates one. |
| --tty=false | No | To write the appsettings.json file to a specific location, use this option. |
| HttpPort | No | This parameter is the Kestrel endpoint entity port. |
| IssuerPublicCertsPem | No | This parameter is the file path of the public certificate. NOTE: This parameter is required only if the --certfile option is not in use. |
| IssuerPrivateKeyPem | No | This parameter is the file path of the private certificate. NOTE: This parameter is required only if the --certfile option is not in use. |
| TrustedRootsPem | No | This parameter is the file path of the trusted roots certificate. NOTE: This parameter is required only if the --certfile option is not in use. |
Example commands
The following example displays the help file for the Appsettings Generator in the Command line window.
```
docker run dellemc/dtd-event-repository /app/Dell.TrustedDevice.EventsRepository.AppSettingsGenerator.dll --help
```
The following example creates the appsettings.json file in C:\eventrepository using the --certfile option with example parameters and adds a PbkdfTenantApiKey for PBKDF2 password storage.
```
docker run dellemc/dtd-event-repository /app/Dell.TrustedDevice.EventsRepository.AppSettingsGenerator.dll --certfile TenantName=ExampleTenant TenantApiKey=ExampleTenantKey TenantApiKeyHash="ExampleTenantApiHash" Salt="ExampleSalt" RandomFunction="ExampleRandomFunction" Iterations=120000 Path="/app/certs/example.pem" password=ExamplePassword
```
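Because the generator omits the PbkdfTenantApiKey element whenever one of its values falls outside the stated limits, it helps to check the values before passing them in. The following Python is an added example, not Dell's code: it checks a candidate element against the limits in the tables above and can produce conforming values. The 32-byte hash length, the UTF-8 encoding of the key, the mapping to standard PBKDF2-HMAC, and all function names are assumptions, since the guide does not say how the Event Repository derives the hash.

```python
import base64
import binascii
import hashlib
import json
import os

# Minimum iteration counts the guide states for each RandomFunction value.
MIN_ITERATIONS = {"HMACSHA256": 310000, "HMACSHA512": 120000}
# Assumption: the RandomFunction names map to standard PBKDF2-HMAC digests.
DIGESTS = {"HMACSHA256": "sha256", "HMACSHA512": "sha512"}
MIN_SALT_BYTES = 16      # "a 16 byte array at minimum"
DERIVED_KEY_BYTES = 32   # assumption: the guide does not state the hash length


def decode_b64(value):
    """Return the decoded bytes, or None when value is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return None


def check_pbkdf_element(element):
    """Return the list of rule violations for a PbkdfTenantApiKey dict."""
    problems = []
    func = element.get("RandomFunction")
    if func not in MIN_ITERATIONS:
        problems.append("RandomFunction must be HMACSHA256 or HMACSHA512")
    iterations = element.get("Iterations")
    if not isinstance(iterations, int) or isinstance(iterations, bool):
        problems.append("Iterations must be an integer")
    elif func in MIN_ITERATIONS and iterations < MIN_ITERATIONS[func]:
        problems.append(
            f"Iterations must be at least {MIN_ITERATIONS[func]} for {func}")
    salt = decode_b64(element.get("Salt"))
    if salt is None:
        problems.append("Salt is not valid base64")
    elif len(salt) < MIN_SALT_BYTES:
        problems.append("Salt must be generated from at least 16 bytes")
    if not decode_b64(element.get("TenantApiKeyHash")):
        problems.append("TenantApiKeyHash is missing or not valid base64")
    return problems


def make_pbkdf_element(tenant_api_key, func="HMACSHA256", iterations=None, salt=None):
    """Derive values for PbkdfTenantApiKey that satisfy the guide's limits."""
    if func not in DIGESTS:
        raise ValueError("RandomFunction must be HMACSHA256 or HMACSHA512")
    iterations = iterations or MIN_ITERATIONS[func]
    salt = os.urandom(MIN_SALT_BYTES) if salt is None else salt
    derived = hashlib.pbkdf2_hmac(DIGESTS[func], tenant_api_key.encode("utf-8"),
                                  salt, iterations, dklen=DERIVED_KEY_BYTES)
    element = {
        "TenantApiKeyHash": base64.b64encode(derived).decode("ascii"),
        "Salt": base64.b64encode(salt).decode("ascii"),
        "RandomFunction": func,
        "Iterations": iterations,
    }
    problems = check_pbkdf_element(element)
    if problems:
        raise ValueError("; ".join(problems))
    return element


if __name__ == "__main__":
    # The placeholder values from the guide's sample appsettings.json fail the
    # checks, which is the condition under which the element is not created.
    placeholder = {"TenantApiKeyHash": "ExampleTenantKeyHash",
                   "Salt": "ExampleSaltValue",
                   "RandomFunction": "ExampleFunctionValue",
                   "Iterations": 120000}
    print(check_pbkdf_element(placeholder))
    print(json.dumps(make_pbkdf_element("ExampleTenantKey"), indent=2))
```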
Configure the Trusted Device agent
The Trusted Device agent requires custom registry values to deliver data to
the Event Repository. To create these registry values with the Client Registry
Generator in the Event Repository container, see Use the Client Registry
Generator. Alternatively, create or modify the following registry values
manually to configure the Trusted Device agent for use with the Event
Repository: HKLMSoftwareDellDellTrustedDeviceOverrides
NOTE: This registry key is protected from tampering at the Administrator
level. Dell Technologies recommends implementing these registry values before
installing the Trusted Device agent on the target computer.
NOTE: The values that are specified in these registry entries must match the
appsettings.json configuration entries.
Modify the following registry values per the configuration of your Event
Repository.
```
[HKLMSoftwareDellDellTrustedDeviceOverridesSiemIntegrationPolicyRepositoriesCollectorHttpsRegistration]
"Tenant"="ExampleTenant"
"TenantApiKey"="ExampleTenantKey"
"TenantId"="5568165d-216a-4631-a115-80de74f294fd"
"Uri"="https://example.server.com:31235/siem/api/v1"
"RootCertificate"="ExampleCertificate"

[HKLMSoftwareDellDellTrustedDeviceOverridesSiemIntegrationPolicyRepositoriesCollectorHttpsConnection]
"Uri"="https://example.server.com:31235/siem/api/v1"
"RootCertificate"="ExampleCertificate"
```
NOTE: The URI must be an HTTPS connection.
NOTE: The server example.server.com must be trusted. The hostname must match, the Trust Chain must be trusted, and the date must be valid.
Add the following registry values if you must use multiple root certificate hashes.
NOTE: Use a space (" ") between each root certificate as a delimiter.
```
[HKLMSoftwareDellDellTrustedDeviceOverridesSiemIntegrationPolicyRepositoriesCollectorHttpsRegistration]
"Tenant"="ExampleTenant"
"TenantApiKey"="ExampleTenantKey"
"TenantId"="5568165d-216a-4631-a115-80de74f294fd"
"Uri"="https://example.server.com:31235/siem/api/v1"
"RootCertificate"="ExampleCertificate1 ExampleCertificate2"

[HKLMSoftwareDellDellTrustedDeviceOverridesSiemIntegrationPolicyRepositoriesCollectorHttpsConnection]
"Uri"="https://example.server.com:31235/siem/api/v1"
"RootCertificate"="ExampleCertificate1 ExampleCertificate2"
```
NOTE: The URI must be an HTTPS connection.
NOTE: The server example.server.com must be trusted. The hostname must match, the Trust Chain must be trusted, and the date must be valid.
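The registry values must match the appsettings.json entries and every Uri must be HTTPS, so a mismatch is worth catching before the agent is installed. The following Python is an added example, not part of the Dell tooling: it compares exported registry text with an appsettings.json document. The mapping of Tenant to TenantName and of TenantId to TenantUUID is inferred from the matching example values in this guide, the key path in the sample is a placeholder, and all sample data is constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Curly quotes creep in when values are copied from a PDF or web page.
CURLY_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')
# Registry value name -> Tenant element in appsettings.json (assumed mapping).
PAIRS = (("Tenant", "TenantName"),
         ("TenantApiKey", "TenantApiKey"),
         ("TenantId", "TenantUUID"))


def parse_reg_values(text):
    """Parse .reg-style text into {key path: {value name: data}}."""
    sections, current = {}, None
    for raw in text.translate(CURLY_QUOTES).splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None:
            match = VALUE_RE.match(line)
            if match:
                current[match.group(1).strip()] = match.group(2)
    return sections


def check_agent_registry(appsettings, reg_text):
    """Return findings where the registry text disagrees with appsettings."""
    findings = []
    if reg_text != reg_text.translate(CURLY_QUOTES):
        findings.append("curly quotes found: retype the values with straight quotes")
    tenant = appsettings.get("Tenant", {})
    sections = parse_reg_values(reg_text)
    if not any(path.endswith("Registration") for path in sections):
        findings.append("no Registration key found")
    for path, values in sections.items():
        label = path.rsplit("\\", 1)[-1]
        if urlsplit(values.get("Uri", "")).scheme.lower() != "https":
            findings.append(f"{label}: Uri must be an HTTPS connection")
        # Multiple root certificates are space-delimited; require at least one.
        if not values.get("RootCertificate", "").split():
            findings.append(f"{label}: RootCertificate is missing")
        if path.endswith("Registration"):
            for reg_name, cfg_name in PAIRS:
                reg_val, cfg_val = values.get(reg_name), tenant.get(cfg_name)
                if reg_name == "TenantId" and reg_val and cfg_val:
                    # GUID text is compared without regard to case.
                    reg_val, cfg_val = reg_val.lower(), str(cfg_val).lower()
                if reg_val is None or reg_val != cfg_val:
                    findings.append(
                        f"{label}: {reg_name} does not match Tenant.{cfg_name}")
    return findings


# Constructed sample data. PLACEHOLDER_KEY stands in for the Overrides key path.
SAMPLE_APPSETTINGS = json.loads("""
{"Tenant": {"TenantName": "ExampleTenant",
            "TenantApiKey": "ExampleTenantKey",
            "TenantUUID": "5568165d-216a-4631-a115-80de74f294fd"}}
""")
SAMPLE_REG = r'''
[PLACEHOLDER_KEY\Registration]
"Tenant"="ExampleTenant"
"TenantApiKey"="ExampleTenantKey"
"TenantId"="5568165D-216A-4631-A115-80DE74F294FD"
"Uri"="https://example.server.com:31235/siem/api/v1"
"RootCertificate"="ExampleCertificate1 ExampleCertificate2"

[PLACEHOLDER_KEY\Connection]
"Uri"="http://example.server.com:31235/siem/api/v1"
"RootCertificate"="ExampleCertificate1 ExampleCertificate2"
'''

if __name__ == "__main__":
    for finding in check_agent_registry(SAMPLE_APPSETTINGS, SAMPLE_REG):
        print(finding)
```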
Use the Client Registry Generator
The Client Registry Generator builds the required registry files using the appsettings.json file and certificates and writes them to the Docker console.
The Client Registry Generator requires the following:
- A complete appsettings.json file mounted at /app/appsettings.json
- The public certificate mounted at /app/certs/
  NOTE: The public certificate must be in PEM format.
- The root certificate mounted at /app/certs/
NOTE: The Client Registry Generator requires a complete appsettings.json file. If you do not have a complete appsettings.json file, see Use the Appsettings Generator.
The following table describes variables that are used with the Client Registry Generator.
NOTE: All variables are case sensitive.
Table 10. Client Registry Generator variables

| Variable | Description |
|---|---|
| -b, --baseUri | This variable represents the Event Repository IP address or hostname followed by the Docker host listening port. For example, example.server.com:31235. NOTE: This port must be the Docker host listening port or client registration fails. |
| Dell.TrustedDevice.EventsRepository.GenerateRegistry.dll | This string invokes the Client Registry Generator in the Event Repository container. |
| dellemc/dtd-event-repository | This string defines the container image to use for this container. NOTE: If a specific version of the Event Repository image is required, append this command with : |
| -p, --pathToPublicCert | This variable specifies the file path of the PEM-encoded public certificate. NOTE: This file path must include the certificate name and extension. |
| -r, --repository | This variable specifies the name of the Event Repository. |
| --tty=false | To write the client registry file to a specific location, use this option. |
| -v | This parameter specifies the volume to mount. |

The following example mounts the volumes in C:\example\appsettings.json:/app/appsettings.json and the certificates in C:\example\certs:/app/certs and then writes the client registry file to the Docker console.
```
docker compose run -v c:\example\certs:/app/certs -v c:\example\appsettings.json:/app/appsettings.json dellemc/dtd-event-repository Dell.TrustedDevice.EventsRepository.GenerateRegistry.dll --baseUri https://example.server.com:31235 -r
```
Configure to forward data to a SIEM solution
SIEM solutions often require a utility to consume data sources. The Splunk universal forwarder is a lightweight forwarding solution that can be configured for use with the Event Repository during or after installation. The following example provides installation and configuration reference for the Splunk universal forwarder to push data from Event Repository to a Splunk SIEM instance.
Use one of the following articles to install a universal forwarder based on the environment in which your Event Repository is installed:
- To install a universal forwarder on Windows, see this Splunk article.
- To install a universal forwarder on Linux, Solaris, macOS, FreeBSD, or AIX, see this Splunk article.
After installation, see this Splunk article to configure the universal forwarder for use with the Event Repository.
After Docker is installed and prerequisites are configured, go to Run the Event Repository.
6
Download the Event Repository image
Use the following workflow to download the Event Repository image:
1. Ensure that Docker is installed and running on the target computer.
2. Go to https://hub.docker.com/r/dellemc/dtd-event-repository and sign in with your Docker credentials.
3. Download the dtd-event-repository image.
4. Go to the dtd-event-repository image download location and open PowerShell or Terminal application.
5. Enter the following command to install the Event Repository:
```
docker pull dellemc/dtd-event-repository
```
Disconnected environments
If your SIEM solution is configured in Disconnected mode, see the following articles:
- Go to this Docker article to see the steps for saving a Docker image for later use.
- Go to this Docker article to see the steps for loading a previously saved Docker image.
7
Run the Event Repository
After downloading the Docker image, the Event Repository must be initialized to begin collating data from the agents. See this Docker article for more information on Docker run commands. The following table details the Docker- based variables needed to configure the Event Repository container:
Table 11. Event Repository variables

| Variable | Meaning |
|---|---|
| -d | Run the docker container in a detached mode. |
| dellemc/dtd-event-repository | Defines the container image to use for this container. NOTE: If a specific version of the Event Repository image is required, append this command with : |
| -it | Starts an interactive command-line session connected to the Docker container. |
| -p | Specifies ports used for the container. |
| --rm | Automatically removes the container when it exits. |
| -u nobody | The recommended unelevated user context in which the container is run. |
| -v | Enables the creation of a volume shared between the Docker host and the Docker container. |
The following example starts the Event Repository container in unelevated user context and maps C:\eventrepository\Data on the host computer to /app/appsettings.json in the container, then configures the host listening on port 31235 while using port 5001 in the container.
NOTE: This example retrieves the latest Docker image if it is not present on the target computer.
docker run -it --rm -d -p 31235:5001 -v c:\eventrepository\appsettings.json:/app/appsettings.json -v c:\eventrepository\Data:/var/data -v C:\eventrepository\certs:/app/certs -u nobody dellemc/dtd-event-repository
Chapter 8: Customize the API URIs
If your organization requires custom API notation, use the following example
to customize the API URIs for your Event Repository.
NOTE: If the Version element is not included in your appsettings.json, default
URI values for Device Registration, Event Posting, and Health are applied.
Table 12. URIs

| Name | Required | Description |
|---|---|---|
| Device Registration | Yes | The URI through which the Trusted Device agent registers with the Event Repository. |
| Event Posting | Yes | The URI through which the Trusted Device agent sends events to the Event Repository. |
| Health | Yes | The URI that prints the health status of the Event Repository to a browser. |
Use a text editor to configure the required elements. See the appsettings.json below with configurable examples in bold:

{
  "https port": 443,
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "Tenant": {
    "TenantName": "ExampleTenant",
    "TenantApiKey": "ExampleTenantKey",
    "TenantUUID": "5568165d-216a-4631-a115-80de74f294fd",
    "SigningCertificate": {
      "IssuerPublicCertsPem": "ExampleCertificate or the Docker container path to the public key certificate",
      "IssuerPrivateKeyPem": "ExampleCertificate or the Docker container path to the private key"
    },
    "JwtCertificate": {
      "TrustedRootsPem": "ExampleCertificate or the Docker container path to the trust chain of the signing certificate"
    }
  },
  "Upload": {
    "BaseFileName": "SIEM_Output",
    "OutputLocation": "/var/dataEventRepository",
    "MaxFileSizeMb": 15,
    "MaxActiveFileDays": 1,
    "MaxFileAge": 3
  },
  "Kestrel": {
    "Endpoints": {
      "Http": {
        "PathBase": "/devicesvc/api/v1",
        "Url": "http://*:5000"
      },
      "Https": {
        "PathBase": "/devicesvc/api/v1",
        "Url": "http://*:5001",
        "Certificate": {
          "Path": "/app/certs/test.pfx",
          "Password": "Password@123"
        }
      }
    }
  },
  "AppSettings": {
    "Version": 2,
    "UrlPrefix": {
      "Health": {"Prefix": "path/to/health"},
      "Registration": {"Prefix": "path/to/registration"},
      "EventUpload": {"Prefix": "path/to/eventupload"}
    }
  }
}
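A pre-deployment check for the appsettings.json above, added here as an example (not Dell's code or tooling): it flags values still set to the guide's example settings, missing certificate entries, and custom UrlPrefix settings that lack the Version element or one of the three required prefixes. The function names and the sample configuration are assumptions constructed for illustration.

```python
import json

# Placeholder values printed in the guide's sample appsettings.json.
EXAMPLE_VALUES = {
    "Tenant.TenantApiKey": "ExampleTenantKey",
    "Tenant.TenantUUID": "5568165d-216a-4631-a115-80de74f294fd",
    "Kestrel.Endpoints.Https.Certificate.Password": "Password@123",
}
PEM_FIELDS = ("Tenant.SigningCertificate.IssuerPublicCertsPem",
              "Tenant.SigningCertificate.IssuerPrivateKeyPem",
              "Tenant.JwtCertificate.TrustedRootsPem")
REQUIRED_PREFIXES = ("Health", "Registration", "EventUpload")  # Table 12

def get(cfg, dotted):
    """Walk a dotted key path; None if any element is missing."""
    for key in dotted.split("."):
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg

def lint_appsettings(cfg):
    """Return a list of findings for a parsed appsettings.json."""
    findings = []
    for path, example in EXAMPLE_VALUES.items():
        if get(cfg, path) == example:
            findings.append(f"{path}: still the guide's example value")
    for path in PEM_FIELDS:
        value = get(cfg, path)
        if not value or str(value).startswith("ExampleCertificate"):
            findings.append(f"{path}: missing or placeholder")
    if get(cfg, "AppSettings.UrlPrefix") is not None:
        if get(cfg, "AppSettings.Version") is None:
            findings.append("AppSettings.Version: absent, default URIs apply")
        for name in REQUIRED_PREFIXES:
            if not get(cfg, f"AppSettings.UrlPrefix.{name}.Prefix"):
                findings.append(f"AppSettings.UrlPrefix.{name}: prefix missing")
    return findings

# Constructed sample (not a real deployment): four problems left in on purpose.
SAMPLE = json.loads("""{
  "Tenant": {"TenantApiKey": "k-7f3c", "TenantUUID": "00000000-0000-4000-8000-000000000001",
    "SigningCertificate": {"IssuerPublicCertsPem": "/app/certs/issuer.pem"},
    "JwtCertificate": {"TrustedRootsPem": "/app/certs/roots.pem"}},
  "Kestrel": {"Endpoints": {"Https": {"Certificate": {"Password": "Password@123"}}}},
  "AppSettings": {"UrlPrefix": {"Health": {"Prefix": "h"}, "Registration": {"Prefix": "r"}}}
}""")
if __name__ == "__main__":
    print("\n".join(lint_appsettings(SAMPLE)))
```

To check a real file, pass `json.load(open(path))` to `lint_appsettings` before mounting the file into the container.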
Chapter 9: Troubleshooting
Check the following if the Event Repository instance is not properly communicating to the host computer.
- Ensure that your network connection is active.
- Ensure the Docker container is running by using the following command: docker container ps. If the container is running, the following details display: Container ID, Image, Command, Created, Status, Ports, Names.
- Ensure that the Event Repository container is properly configured against the appsettings.json file. See Configure the appsettings.json file for more information.
- Open a browser on the Event Repository host and enter http://
  If the host computer can properly communicate to the Event Repository instance over the specified port, a Healthy status displays in the browser.
NOTE: Ensure you use HTTP in this health check as HTTPS will not resolve.
References
- .NET Framework & Windows OS versions - .NET Framework | Microsoft Learn
- New-Guid (Microsoft.PowerShell.Utility) - PowerShell | Microsoft Learn
- Get started with Docker containers on WSL | Microsoft Learn
- Configure the universal forwarder - Splunk Documentation
- Install a *nix universal forwarder - Splunk Documentation
- Install a Windows universal forwarder from an installer - Splunk Documentation
- Determine which .NET Framework versions are installed - .NET Framework | Microsoft Learn
- Microsoft .NET Framework 4.7.2 offline installer for Windows - Microsoft Support