Collect CloudPassage Halo logs
Supported in:
This Logstash parser transforms CloudPassage Halo JSON log data into the Unified Data Model (UDM). It extracts the relevant fields from the raw logs, normalizes timestamps, maps them to UDM fields, and enriches each event with context such as severity and user information.
Before you begin
- Ensure that you have a Google SecOps instance.
- Ensure that you have privileged access to CloudPassage Halo.
Configuring an API key in CloudPassage
- Sign in to CloudPassage Halo.
- Go to Settings > Site Administration.
- Click the API Keys tab.
- Click Actions > New Api Key.
- Click Show for your key on the API Keys tab to display values.
- Copy both the Key ID and the Secret Key values.
Configure a feed in Google SecOps to ingest CloudPassage logs
- Click Add new.
- In the Feed name field, enter a name for the feed (for example, CloudPassage Logs).
- Select Third party API as the Source type.
- Select Cloud Passage as the Log type.
- Click Next.
- Specify values for the following input parameters:
- Username: enter the Key ID.
- Secret: enter the Secret Key.
- Event Types: the types of events to ingest. If you leave this empty, the default event types from the list are used.
- Asset namespace: the asset namespace.
- Ingestion labels: the label applied to the events from this feed.
- Click Next.
- Review the feed configuration in the Finalize screen, and then click Submit.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
actor_country | principal.location.country_or_region | Directly mapped from the actor_country field in the raw log. |
actor_ip_address | principal.ip | Directly mapped from the actor_ip_address field in the raw log. |
actor_username | principal.user.userid | Directly mapped from the actor_username field in the raw log. |
created_at | metadata.event_timestamp | Converted to UDM timestamp format from the created_at field in the raw log. |
critical | security_result.severity | For events: set to "CRITICAL" if critical is true, otherwise "INFORMATIONAL". For scans: derived from the scan findings counts instead. |
id | metadata.product_log_id | Directly mapped from the id field in the raw log for events. |
message | security_result.description | Extracted description from the message field using grok pattern. |
name | security_result.summary | Directly mapped from the name field in the raw log for events. |
policy_name | security_result.detection_fields.policy_name | Directly mapped from the policy_name field in the raw log. |
rule_name | security_result.rule_name | Directly mapped from the rule_name field in the raw log. |
scan.created_at | metadata.event_timestamp | Converted to UDM timestamp format from the scan.created_at field in the raw log for scans. |
scan.critical_findings_count | security_result.description | Used to calculate the description for scan events. Also used to determine the severity level. |
scan.module | security_result.summary | Used to generate the summary for scan events. Converted to uppercase. |
scan.non_critical_findings_count | security_result.description | Used to calculate the description for scan events. Also used to determine the severity level. |
scan.ok_findings_count | security_result.description | Used to calculate the description for scan events. |
scan.server_hostname | target.hostname | Directly mapped from the scan.server_hostname field in the raw log for scans. |
scan.status | security_result.summary | Used to generate the summary for scan events. |
scan.url | metadata.url_back_to_product | Directly mapped from the scan.url field in the raw log for scans. |
server_group_name | target.group.attribute.labels.server_group_name | Directly mapped from the server_group_name field in the raw log. |
server_group_path | target.group.product_object_id | Directly mapped from the server_group_path field in the raw log. |
server_hostname | target.hostname | Directly mapped from the server_hostname field in the raw log for events. |
server_ip_address | target.ip | Directly mapped from the server_ip_address field in the raw log. |
server_platform | target.platform | Directly mapped from the server_platform field in the raw log. Converted to uppercase. |
server_primary_ip_address | target.ip | Directly mapped from the server_primary_ip_address field in the raw log. |
server_reported_fqdn | network.dns.authority.name | Directly mapped from the server_reported_fqdn field in the raw log. |
target_username | target.user.userid | Directly mapped from the target_username field in the raw log. |
 | metadata.event_type | Set to "SCAN_UNCATEGORIZED" for events and "SCAN_HOST" for scans. |
 | metadata.log_type | Set to "CLOUD_PASSAGE". |
 | metadata.product_name | Set to "HALO". |
 | metadata.vendor_name | Set to "CLOUDPASSAGE". |
 | principal.hostname | Copied from target.hostname. |
 | security_result.action | Set to "UNKNOWN_ACTION". |
 | security_result.category | Set to "POLICY_VIOLATION". |
 | is_alert | Set to true if security_result.severity is "CRITICAL". |
 | is_significant | Set to true if security_result.severity is "CRITICAL". |
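The following Python model reproduces the mapping table above so that a record can be checked row by row before it reaches the feed. It is an added example, not the Google SecOps parser or any CloudPassage code. The two sample records are constructed, and the places where the page gives no detail (the scan severity cutoffs, the wording of the generated scan summary and description, and the grok pattern applied to `message`) are marked as assumptions in the code.

```python
"""Reference model of the CloudPassage Halo -> UDM mapping table (added example).

Output is a flat dict keyed by dotted UDM field path so each table row can be
asserted against a sample record. ASSUMED marks logic the page does not spell out.
"""
import json
from datetime import datetime, timezone

CONSTANT_FIELDS = {
    "metadata.log_type": "CLOUD_PASSAGE",
    "metadata.product_name": "HALO",
    "metadata.vendor_name": "CLOUDPASSAGE",
    "security_result.action": "UNKNOWN_ACTION",
    "security_result.category": "POLICY_VIOLATION",
}

# Raw-log field -> UDM field for values that are copied through unchanged.
DIRECT_FIELDS = {
    "actor_country": "principal.location.country_or_region",
    "actor_username": "principal.user.userid",
    "policy_name": "security_result.detection_fields.policy_name",
    "rule_name": "security_result.rule_name",
    "server_group_name": "target.group.attribute.labels.server_group_name",
    "server_group_path": "target.group.product_object_id",
    "server_reported_fqdn": "network.dns.authority.name",
    "target_username": "target.user.userid",
}


def to_udm_timestamp(raw_ts: str) -> str:
    """Normalize Halo's ISO-8601 created_at (e.g. 2022-06-30T10:15:30.123Z) to UTC RFC 3339."""
    dt = datetime.fromisoformat(raw_ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def scan_severity(scan: dict) -> str:
    """ASSUMED cutoffs: the page only says severity is derived from the findings counts."""
    if int(scan.get("critical_findings_count", 0)) > 0:
        return "CRITICAL"
    if int(scan.get("non_critical_findings_count", 0)) > 0:
        return "MEDIUM"
    return "INFORMATIONAL"


def to_udm(raw: dict) -> dict:
    """Map one Halo record (an event, or a scan wrapped under the "scan" key) to UDM."""
    udm = dict(CONSTANT_FIELDS)
    if "scan" in raw:
        scan = raw["scan"]
        udm["metadata.event_type"] = "SCAN_HOST"
        udm["metadata.event_timestamp"] = to_udm_timestamp(scan["created_at"])
        udm["metadata.url_back_to_product"] = scan["url"]
        udm["target.hostname"] = scan["server_hostname"]
        # ASSUMED wording; the page says module (uppercased) and status build the summary
        # and the three findings counts build the description.
        udm["security_result.summary"] = f"{scan['module'].upper()} scan {scan['status']}"
        udm["security_result.description"] = (
            f"critical={scan.get('critical_findings_count', 0)} "
            f"non_critical={scan.get('non_critical_findings_count', 0)} "
            f"ok={scan.get('ok_findings_count', 0)}"
        )
        udm["security_result.severity"] = scan_severity(scan)
    else:
        udm["metadata.event_type"] = "SCAN_UNCATEGORIZED"
        udm["metadata.event_timestamp"] = to_udm_timestamp(raw["created_at"])
        udm["metadata.product_log_id"] = str(raw["id"])
        udm["security_result.summary"] = raw.get("name")
        # ASSUMED: the real grok pattern is not on the page; whitespace-trim the message.
        udm["security_result.description"] = raw.get("message", "").strip()
        udm["security_result.severity"] = "CRITICAL" if raw.get("critical") else "INFORMATIONAL"
        udm["target.hostname"] = raw.get("server_hostname")
    for src, dst in DIRECT_FIELDS.items():
        if raw.get(src):
            udm[dst] = raw[src]
    if raw.get("actor_ip_address"):
        udm["principal.ip"] = [raw["actor_ip_address"]]  # repeated field in UDM
    target_ips = {raw[k] for k in ("server_ip_address", "server_primary_ip_address") if raw.get(k)}
    if target_ips:
        udm["target.ip"] = sorted(target_ips)
    if raw.get("server_platform"):
        udm["target.platform"] = raw["server_platform"].upper()
    if udm.get("target.hostname"):
        udm["principal.hostname"] = udm["target.hostname"]
    udm = {k: v for k, v in udm.items() if v is not None}
    is_critical = udm["security_result.severity"] == "CRITICAL"
    udm["is_alert"] = is_critical
    udm["is_significant"] = is_critical
    return udm


# Constructed sample records (not real Halo output); addresses are RFC 5737 ranges.
SAMPLE_EVENT = {
    "id": "evt-0001", "created_at": "2022-06-30T10:15:30.123Z", "critical": True,
    "name": "Root login from unexpected address",
    "message": "  SSH login for root from 203.0.113.7 succeeded ",
    "actor_country": "US", "actor_ip_address": "203.0.113.7", "actor_username": "root",
    "policy_name": "Linux Baseline", "rule_name": "No remote root login",
    "server_group_name": "web", "server_group_path": "/prod/web", "server_hostname": "web-01",
    "server_ip_address": "10.1.2.3", "server_primary_ip_address": "198.51.100.23",
    "server_platform": "linux", "server_reported_fqdn": "web-01.example.internal",
}
SAMPLE_SCAN = {"scan": {
    "created_at": "2022-06-30T11:00:00Z", "module": "sca", "status": "completed",
    "critical_findings_count": 0, "non_critical_findings_count": 3, "ok_findings_count": 120,
    "server_hostname": "web-01", "url": "https://portal.example.com/scans/scan-0001",
}}

if __name__ == "__main__":
    print(json.dumps([to_udm(SAMPLE_EVENT), to_udm(SAMPLE_SCAN)], indent=2))
```

Running the module prints both mapped records; the event comes out CRITICAL with `is_alert` set, while the scan with only non-critical findings does not, which is the distinction the `critical` and `scan.*_findings_count` rows describe. Swap in records captured from your own Halo API key to confirm the assumed scan thresholds match what the feed produces.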
Changes
2022-06-30
- Enhancement
- Mapped "policy_name" to "security_result.detection_fields".
- Mapped "server_group_name" to "target.group.attribute.labels".
- Mapped "server_group_path" to "target.group.product_object_id".
- Added grok pattern to get "description".