Collect CyberX logs
This document describes how you can collect CyberX logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations overview.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CyberX ingestion label.
Configure CyberX
- Sign in to the CyberX UI.
- In the CyberX UI, select Forwarding, and then click Create forwarding rule.
- To select filters for notifications, do the following:
  - In the Protocols section, select the required protocols or click All to select all the protocols.
  - In the Severity list, select the lowest severity of alerts to be sent. For example, critical and major alerts are sent using notifications if you select Major severity.
  - In the Engines section, select the required engines or click All to select all of the engines.
- Click Add to add a new notification method.
- In the Action list, select an action type from the available actions. If you add more than one action, multiple notification methods can be created for each rule.
- Based on the action you selected, specify the required details in the appropriate fields. For example, if you selected Send to SYSLOG server (CEF), do the following:
  - In the Host field, enter the syslog server address.
  - In the Timezone field, enter the syslog server timezone.
  - In the Port field, enter the syslog server port.
- Click Submit.
- Similarly, for other actions that you select, specify the required details.
Configure the Google Security Operations forwarder to ingest CyberX logs
- Select SIEM Settings > Forwarders.
- Click Add new forwarder.
- In the Forwarder name field, enter a unique name for the forwarder.
- Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a unique name for the collector.
- Select Microsoft CyberX as the Log type.
- Select Syslog as the Collector type.
- Configure the following input parameters:
- Protocol: specify the connection protocol that the collector uses to listen for syslog data.
- Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
- Click Submit.
For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.
If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser handles CyberX logs in SYSLOG+KV format, transforming them into UDM. It initializes numerous fields to empty strings, performs several substitutions to rename and format key-value pairs within the message field, and then uses grok and kv filters to extract structured data into UDM fields. The parser prioritizes key-value data extraction and falls back to grok patterns if necessary, enriching the UDM event with metadata, principal, target, network, and security result information.
UDM mapping table
Log Field | UDM Mapping | Logic
---|---|---
Access Mask | security_result.detection_fields.value | Value of access_mask from parsed access_request_kvdata
Account Domain | principal.administrative_domain | Value of principal_domain from parsed principal_kvdata
Account Domain | target.administrative_domain | Value of target_domain from parsed target_kvdata
Account Name | principal.user.userid | Value of principal_account_name from parsed principal_kvdata
Account Name | target.user.userid | Value of target_account_name from parsed target_kvdata
action | security_result.action_details | Value of action
action | security_result.action | Derived. If action is "accept", "passthrough", "pass", "permit", "detected", or "close", map to "ALLOW". If action is "deny", "dropped", or "blocked", map to "BLOCK". If action is "timeout", map to "FAIL". Otherwise, map to "UNKNOWN_ACTION".
Algorithm Name | security_result.detection_fields.value | Value of algorithm_name from parsed cryptographic_kvdata
app | target.application | Value of service if app_protocol_output is empty
appcat | security_result.detection_fields.value | Value of appcat
Application Name | principal.application | Value of application_name
Authentication Package | security_result.about.resource.name | Value of authentication_package
Azure Defender for IoT Alert | security_result.detection_fields.value | Value of azure_defender_for_iot_alert
channel | security_result.detection_fields.value | Value of channel
Client Address | principal.ip, principal.asset.ip | Value of source_ip
Client Port | principal.port | Value of source_port
craction | security_result.detection_fields.value | Value of craction
Credential Manager credentials were backupped | security_result.description | Value of description
Credential Manager credentials were read. | security_result.description | Value of description
crscore | security_result.severity_details | Value of crscore
crlevel | security_result.severity, security_result.severity_details | Value of crlevel. If crlevel is "HIGH", "MEDIUM", "LOW", or "CRITICAL", map to the corresponding UDM severity.
Cryptographic Operation | metadata.description | Value of product_desc
CyberX platform name | security_result.detection_fields.value | Value of cyberx_platform_name
Description | security_result.description | Value of description if Message is empty
Destination | target.ip, target.asset.ip or target.hostname | If Destination is an IP address, map to target.ip and target.asset.ip. Otherwise, map to target.hostname.
Destination Address | target.ip, target.asset.ip | Value of destination_ip from parsed network_information
Destination DRA | target.resource.name | Value of destination_dra
Destination ip | target.ip, target.asset.ip | Value of destination_ip
Destination Port | target.port | Value of destination_port from parsed network_information
devid | principal.resource.product_object_id | Value of devid
devname | principal.resource.name | Value of devname
Direction | network.direction | If Direction is "incoming", "inbound", or "response", map to "INBOUND". If Direction is "outgoing", "outbound", or "request", map to "OUTBOUND".
dstip | target.ip, target.asset.ip | Value of dstip if destination_ip is empty
dstcountry | target.location.country_or_region | Value of dstcountry
dstintf | security_result.detection_fields.value | Value of dstintf
dstintfrole | security_result.detection_fields.value | Value of dstintfrole
dstosname | target.platform | Value of dstosname if it is "WINDOWS", "LINUX", or "MAC".
dstport | target.port | Value of dstport if destination_port is empty
dstswversion | target.platform_version | Value of dstswversion
duration | network.session_duration.seconds | Value of duration
event_id | security_result.rule_name | Used to construct rule name as "EventID: %{event_id}"
event_in_sequence | security_result.detection_fields.value | Value of event_in_sequence
Filter Run-Time ID | security_result.detection_fields.value | Value of filter_run_time_id from parsed filter_information
Group Membership | security_result.detection_fields.value | Value of group_membership if event_id is not 4627
Group Membership | target.user.group_identifiers | Values from parsed group_membership if event_id is 4627
handle_id | security_result.detection_fields.value | Value of handle_id from parsed object_kvdata
Handle ID | security_result.detection_fields.value | Value of handle_id from parsed object_kvdata
impersonation_level | security_result.detection_fields.value | Value of impersonation_level from parsed logon_information_kvdata
Key Length | security_result.detection_fields.value | Value of key_length from parsed auth_kvdata
Key Name | security_result.detection_fields.value | Value of key_name from parsed cryptographic_kvdata
Key Type | security_result.detection_fields.value | Value of key_type from parsed cryptographic_kvdata
keywords | security_result.detection_fields.value | Value of keywords
Layer Name | security_result.detection_fields.value | Value of layer_name from parsed filter_information
Layer Run-Time ID | security_result.detection_fields.value | Value of layer_run_time_id from parsed filter_information
logid | metadata.product_log_id | Value of logid
Logon GUID | principal.resource.product_object_id | Value of logon_guid
Logon ID | security_result.detection_fields.value | Value of logon_id
logon_type | event.idm.read_only_udm.extensions.auth.mechanism | Derived. If logon_type is '3', map to "NETWORK". If '4', map to "BATCH". If '5', map to "SERVICE". If '8', map to "NETWORK_CLEAR_TEXT". If '9', map to "NEW_CREDENTIALS". If '10', map to "REMOTE_INTERACTIVE". If '11', map to "CACHED_INTERACTIVE". Otherwise, if not empty, map to "MECHANISM_OTHER".
Logon Account | security_result.detection_fields.value | Value of logon_id from grok parse
Logon Process | security_result.detection_fields.value | Value of logon_process from parsed auth_kvdata
Mandatory Label | security_result.detection_fields.value | Value of mandatory_label
mastersrcmac | principal.mac | Value of mastersrcmac
Message | security_result.description | Value of Message
new_process_id | target.process.pid | Value of new_process_id from parsed process_kvdata
new_process_name | target.process.file.full_path | Value of new_process_name from parsed process_kvdata
Object Name | security_result.detection_fields.value | Value of object_name from parsed object_kvdata
Object Server | security_result.detection_fields.value | Value of object_server from parsed object_kvdata
Object Type | security_result.detection_fields.value | Value of object_type from parsed object_kvdata
osname | principal.platform | Value of osname if it is "WINDOWS", "LINUX", or "MAC".
Package Name (NTLM only) | security_result.detection_fields.value | Value of package_name from parsed auth_kvdata
policyid | security_result.rule_id | Value of policyid
policyname | security_result.rule_name | Value of policyname
policytype | security_result.rule_type | Value of policytype
Process ID | principal.process.pid | Value of process_id
Process Name | principal.process.file.full_path | Value of creator_process_name from parsed process_kvdata
profile_changed | security_result.detection_fields.value | Value of profile_changed
Profile Changed | security_result.detection_fields.value | Value of profile_changed from grok parse
proto | network.ip_protocol | If proto is "17", map to "UDP". If "6" or subtype is "wad", map to "TCP". If "41", map to "IP6IN4". If service is "PING" or proto is "1" or service contains "ICMP", map to "ICMP".
Protocol | network.application_protocol | Value of app_protocol_output derived from Protocol
Provider Name | security_result.detection_fields.value | Value of provider_name from parsed provider_kvdata or cryptographic_kvdata
rcvdbyte | network.received_bytes | Value of rcvdbyte
rcvdpkt | security_result.detection_fields.value | Value of rcvdpkt
restricted_admin_mode | security_result.detection_fields.value | Value of restricted_admin_mode from parsed logon_information_kvdata
Return Code | security_result.detection_fields.value | Value of return_code from parsed cryptographic_kvdata
response | security_result.detection_fields.value | Value of response
rule_id | security_result.rule_id | Value of rule_id
Security ID | principal.user.windows_sid | Value of principal_security_id from parsed principal_kvdata
Security ID | target.user.windows_sid | Value of target_security_id from parsed target_kvdata
sentbyte | network.sent_bytes | Value of sentbyte
sentpkt | security_result.detection_fields.value | Value of sentpkt
service | network.application_protocol or target.application | Value of app_protocol_output derived from service. If app_protocol_output is empty, map to target.application.
Service ID | security_result.detection_fields.value | Value of service_id from parsed service_kvdata
Service Name | security_result.detection_fields.value | Value of service_name from parsed service_kvdata
sessionid | network.session_id | Value of sessionid
Severity | security_result.severity, security_result.severity_details | If Severity is "ERROR" or "CRITICAL", map to the corresponding UDM severity. If "INFO", map to "INFORMATIONAL". If "MINOR", map to "LOW". If "WARNING", map to "MEDIUM". If "MAJOR", map to "HIGH". Also map the raw value to severity_details.
severity | security_result.severity, security_result.severity_details | If severity is "1", "2", or "3", map to "LOW". If "4", "5", or "6", map to "MEDIUM". If "7", "8", or "9", map to "HIGH". Also map the raw value to severity_details.
Share Name | security_result.detection_fields.value | Value of share_name from parsed share_information_kvdata
Share Path | security_result.detection_fields.value | Value of share_path from parsed share_information_kvdata
Source | principal.ip, principal.asset.ip or principal.hostname, principal.asset.hostname | If Source is an IP address, map to principal.ip and principal.asset.ip. Otherwise, map to principal.hostname and principal.asset.hostname.
Source Address | principal.ip, principal.asset.ip | Value of source_ip from parsed network_information
Source DRA | principal.resource.name | Value of source_dra
Source ip | principal.ip | Value of source_ip
Source Network Address | principal.ip, principal.asset.ip | Value of source_ip
Source Port | principal.port | Value of source_port from parsed network_information
Source Workstation | workstation_name | Value of source_workstation_name
srcip | source_ip | Value of srcip if source_ip is empty
srccountry | principal.location.country_or_region | Value of srccountry
srcmac | principal.mac | Value of srcmac
srcname | principal.hostname, principal.asset.hostname | Value of srcname
srcport | source_port | Value of srcport if source_port is empty
srcswversion | principal.platform_version | Value of srcswversion
Status Code | network.http.response_code | Value of status_code
Token Elevation Type | security_result.detection_fields.value | Value of token_elevation_type
transited_services | security_result.detection_fields.value | Value of transited_services from parsed auth_kvdata
transip | principal.nat_ip | Value of transip
transport | principal.nat_port | Value of transport
type | metadata.product_event_type | Used with subtype to create metadata.product_event_type
Type | security_result.detection_fields.value | Value of Type
UUID | metadata.product_log_id | Value of UUID
vd | principal.administrative_domain | Value of vd
virtual_account | security_result.detection_fields.value | Value of virtual_account from parsed logon_information_kvdata
Workstation Name | principal.hostname, principal.asset.hostname | Value of workstation_name if no other principal identifier is present
 | metadata.event_type | Derived. If both principal_present and target_present are true, map to "NETWORK_CONNECTION". If user_present is true, map to "USER_RESOURCE_ACCESS". If principal_present is true, map to "STATUS_UPDATE". Otherwise, map to "GENERIC_EVENT".
 | metadata.log_type | Hardcoded to "CYBERX"
 | metadata.product_name | Hardcoded to "CYBERX"
 | metadata.vendor_name | Hardcoded to "CYBERX"
 | metadata.event_timestamp | Copied from the top-level timestamp field, or derived from eventtime or date and time fields.
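As an added illustration (not code from this page or from Google's own parser), the Python below applies several of the derived rules in the table to one constructed syslog KV line: the action, numeric severity and proto mappings, the IP-or-hostname split for Source and Destination, and the event_type precedence. The sample line, its field names and the simplified key=value regex are assumptions; the real parser's substitutions, grok patterns and user_present branch are not reproduced here.

```python
import ipaddress
import re

# Constructed sample line in the SYSLOG+KV shape the parser consumes (not a real CyberX record).
SAMPLE = ("<14>May 15 10:21:03 sensor01 CyberX: action=dropped severity=8 "
          "proto=17 Source=10.1.2.3 Destination=plc-07")

ACTIONS = {"accept": "ALLOW", "passthrough": "ALLOW", "pass": "ALLOW", "permit": "ALLOW",
           "detected": "ALLOW", "close": "ALLOW", "deny": "BLOCK", "dropped": "BLOCK",
           "blocked": "BLOCK", "timeout": "FAIL"}
# Lowercase 'severity' key from the table: 1-3 LOW, 4-6 MEDIUM, 7-9 HIGH, anything else unset.
SEVERITY = {**dict.fromkeys("123", "LOW"), **dict.fromkeys("456", "MEDIUM"),
            **dict.fromkeys("789", "HIGH")}

def parse_kv(line):
    """The kv-filter step, simplified: key=value pairs after the syslog header."""
    return dict(re.findall(r"(\w+)=(\S+)", line.split(": ", 1)[1]))

def map_action(v):
    return ACTIONS.get(v.lower(), "UNKNOWN_ACTION")

def map_proto(proto, service="", subtype=""):
    """Table order: UDP, TCP (or subtype wad), IP6IN4, then the ICMP rules."""
    if proto == "17": return "UDP"
    if proto == "6" or subtype == "wad": return "TCP"
    if proto == "41": return "IP6IN4"
    if service.upper() == "PING" or proto == "1" or "ICMP" in service.upper(): return "ICMP"
    return None

def endpoint(kv, key):
    """Source/Destination: an IP literal fills .ip and .asset.ip, anything else .hostname."""
    v = kv.get(key)
    if not v: return {}
    try:
        ipaddress.ip_address(v)
        return {"ip": v, "asset": {"ip": v}}
    except ValueError:
        return {"hostname": v, "asset": {"hostname": v}}

def to_udm(line):
    kv = parse_kv(line)
    principal, target = endpoint(kv, "Source"), endpoint(kv, "Destination")
    sr = {"action": map_action(kv.get("action", "")), "action_details": kv.get("action"),
          "severity": SEVERITY.get(kv.get("severity")), "severity_details": kv.get("severity")}
    # Table precedence: both sides -> NETWORK_CONNECTION, principal only -> STATUS_UPDATE.
    event_type = ("NETWORK_CONNECTION" if principal and target else
                  "STATUS_UPDATE" if principal else "GENERIC_EVENT")
    return {"metadata": {"event_type": event_type, "log_type": "CYBERX",
                         "vendor_name": "CYBERX", "product_name": "CYBERX"},
            "principal": principal, "target": target, "security_result": sr,
            "network": {"ip_protocol": map_proto(kv.get("proto", ""))}}
```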
Changes
2024-05-15
- Modified KV pattern to handle new pattern of SYSLOGS.
- Mapped "source_ip2" to "principal.ip" and "principal.asset.ip".
- Mapped "destination_ip2" to "target.ip" and "target.asset.ip".
- Mapped "Severity" to "security_result.severity_details".
- Aligned "principal.ip" and "principal.asset.ip" mappings.
- Aligned "target.ip" and "target.asset.ip" mappings.
- Aligned "principal.hostname" and "principal.asset.hostname" mappings.
- Aligned "target.hostname" and "target.asset.hostname" mappings.
2023-12-06
- Newly created parser.