Collect Cohesity logs

Supported in:

Overview

This parser extracts fields from Cohesity backup software syslog messages using grok patterns. It handles both standard syslog messages and JSON-formatted logs, mapping extracted fields to the UDM and dynamically assigning an event_type based on the presence of principal and target identifiers.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to Cohesity management.

Configure a feed in Google SecOps to ingest the Cohesity logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, Cohesity Logs).
  4. Select Webhook as the Source type.
  5. Select Cohesity as the Log type.
  6. Click Next.
  7. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  8. Click Next.
  9. Review the feed configuration in the Finalize screen, and then click Submit.
  10. Click Generate Secret Key to generate a secret key to authenticate this feed.
  11. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
  12. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
  13. Click Done.

Create an API key for the webhook feed

  1. Go to Google Cloud console > Credentials.

    Go to Credentials

  2. Click Create credentials, and then select API key.

  3. Restrict the API key access to the Chronicle API.

Specify the endpoint URL

  1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.

  2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:

    X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET

    Recommendation: Specify the API key as a header instead of specifying it in the URL.

  3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:

    ENDPOINT_URL?key=API_KEY&secret=SECRET

    Replace the following:

    • ENDPOINT_URL: the feed endpoint URL.
    • API_KEY: the API key to authenticate to Google SecOps.
    • SECRET: the secret key that you generated to authenticate the feed.

Configuring a Webhook in Cohesity for Google SecOps

  1. Sign in to the Cohesity cluster management.
  2. Go to the Protection Jobs section.
  3. Select the protection job for which you want to configure the webhook.
  4. Click Actions menu (three vertical dots) next to the protection job > Edit.
  5. Select the Alerting tab.
  6. Click + Add Webhook.
  7. Specify values for the following parameters:
    • Name: Provide a descriptive name for the webhook (for example, Google SecOps).
    • URL: Enter the Google SecOps <ENDPOINT_URL>.
    • Method: Select POST.
    • Content Type: Select application/json.
    • Payload: This field depends on the specific data you want to send.
    • Enable Webhook: Check the box to enable the webhook.
  8. Save the Configuration: Click Save to apply the webhook configuration to the protection job.

UDM Mapping Table

Log Field UDM Mapping Logic
ClientIP principal.asset.ip Directly mapped from ClientIP field.
ClientIP principal.ip Directly mapped from ClientIP field.
description security_result.description Directly mapped from description field.
DomainName target.asset.hostname Directly mapped from DomainName field.
DomainName target.hostname Directly mapped from DomainName field.
EntityPath target.url Directly mapped from EntityPath field.
host principal.asset.hostname Directly mapped from host field.
host principal.hostname Directly mapped from host field. Copied from the ts field after it's parsed to a timestamp. Determined by parser logic based on the presence of principal_mid_present, target_mid_present, and principal_user_present. Possible values: NETWORK_CONNECTION, USER_UNCATEGORIZED, STATUS_UPDATE, GENERIC_EVENT. Hardcoded to "Cohesity".
product_event_type metadata.product_event_type Directly mapped from product_event_type field. Hardcoded to "COHESITY".
pid principal.process.pid Directly mapped from pid field.
Protocol network.application_protocol Directly mapped from Protocol field, converted to uppercase.
RecordID additional.fields (key: "RecordID", value: RecordID) Directly mapped from RecordID field, nested under additional.fields.
RequestType security_result.detection_fields (key: "RequestType", value: RequestType) Directly mapped from RequestType field, nested under security_result.detection_fields.
Result security_result.summary Directly mapped from Result field.
sha_value additional.fields (key: "SHA256", value: sha_value) Directly mapped from sha_value field, nested under additional.fields.
target_ip target.asset.ip Directly mapped from target_ip field.
target_ip target.ip Directly mapped from target_ip field.
target_port target.port Directly mapped from target_port field, converted to integer.
Timestamp metadata.collected_timestamp Directly mapped from Timestamp field after it's parsed to a timestamp.
ts events.timestamp Directly mapped from ts field after it's parsed to a timestamp.
UserID principal.user.userid Directly mapped from UserID field, converted to string.
UserName principal.user.user_display_name Directly mapped from UserName field.
UserSID principal.user.windows_sid Directly mapped from UserSID field.

Changes

2024-09-24

  • Removed "gsub" to format JSON logs.

2024-09-10

  • Added "gsub" to remove unwanted character from log.
  • Mapped "prin_ip" to "principal.ip".

2024-07-28

  • Mapped "EntityId" and "RegisteredSource.EntityId" to "principal.user.userid".
  • Mapped "Description" and "EventMessage" to "metadata.description".
  • Mapped "IP" to "principal.ip" and "principal.asset.ip".
  • Mapped "User" to "principal.user.user_display_name".
  • Mapped "Action, "Domain, "ServiceContext, "AttributeMap.AttemptNum, "cluster_id, "cluster_name, "ClusterInfo.ClusterId, "ClusterInfo.ClusterName, "TaskId, "EntityName, "EntityType, "BackupJobId, "BackupJobName, "EnvironmentType, "RegisteredSource.EntityName, "RegisteredSource.EntityType, "AttributeMap.BridgeConstituent, "ReplicationTarget.ClusterName, and "ReplicationTarget.ClusterId to "additional.fields".

2024-05-16

  • Newly created parser.