Collect CyberX logs

This document describes how you can collect CyberX logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations overview.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CyberX ingestion label.

Configure CyberX

  1. Sign in to the CyberX UI.
  2. In the CyberX UI, select Forwarding, and then click Create forwarding rule.
  3. To select filters for notifications, do the following:

    • In the Protocols section, select the required protocols or click All to select all the protocols.
    • In the Severity list, select the lowest severity of alerts to be sent.

      For example, critical and major alerts are sent using notifications if you select Major severity.

    • In the Engines section, select the required engines or click All to select all of the engines.

  4. Click Add to add a new notification method.

  5. In the Action list, select an action type from the available actions.

    If you add more than one action, multiple notification methods can be created for each rule.

  6. Based on the action you selected, specify the required details in the appropriate fields. For example, if you selected Send to SYSLOG server (CEF), do the following:

    • In the Host field, enter the syslog server address.
    • In the Timezone field, enter the syslog server timezone.
    • In the Port field, enter the syslog server port.

    Similarly, for other actions that you select, specify the required details.

  7. Click Submit.

Configure the Google Security Operations forwarder to ingest CyberX logs

  1. In the Google Security Operations menu, select Settings > Forwarders > Add new forwarder.
  2. In the Forwarder name field, enter a unique name for the forwarder.
  3. Click Submit. The forwarder is added and the Add collector configuration window appears.
  4. In the Collector name field, enter a unique name for the collector.
  5. In the Log type field, specify Microsoft CyberX.
  6. Select Syslog as the Collector type.
  7. Configure the following input parameters:
    • Protocol: specify the connection protocol that the collector uses to listen for syslog data.
    • Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
    • Port: specify the target port where the collector resides and listens for syslog data.
  8. Click Submit.

For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.

If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser handles CyberX logs in SYSLOG+KV format, transforming them into UDM. It initializes numerous fields to empty strings, performs several substitutions to rename and format key-value pairs within the message field, and then uses grok and kv filters to extract structured data into UDM fields. The parser prioritizes key-value data extraction and falls back to grok patterns if necessary, enriching the UDM event with metadata, principal, target, network, and security result information.

UDM mapping table

| Log Field | UDM Mapping | Logic |
|---|---|---|
| Access Mask | security_result.detection_fields.value | Value of access_mask from parsed access_request_kvdata |
| Account Domain | principal.administrative_domain | Value of principal_domain from parsed principal_kvdata |
| Account Domain | target.administrative_domain | Value of target_domain from parsed target_kvdata |
| Account Name | principal.user.userid | Value of principal_account_name from parsed principal_kvdata |
| Account Name | target.user.userid | Value of target_account_name from parsed target_kvdata |
| action | security_result.action_details | Value of action |
| action | security_result.action | Derived. If action is "accept", "passthrough", "pass", "permit", "detected", or "close", map to "ALLOW". If action is "deny", "dropped", or "blocked", map to "BLOCK". If action is "timeout", map to "FAIL". Otherwise, map to "UNKNOWN_ACTION". |
| Algorithm Name | security_result.detection_fields.value | Value of algorithm_name from parsed cryptographic_kvdata |
| app | target.application | Value of service if app_protocol_output is empty |
| appcat | security_result.detection_fields.value | Value of appcat |
| Application Name | principal.application | Value of application_name |
| Authentication Package | security_result.about.resource.name | Value of authentication_package |
| Azure Defender for IoT Alert | security_result.detection_fields.value | Value of azure_defender_for_iot_alert |
| channel | security_result.detection_fields.value | Value of channel |
| Client Address | principal.ip, principal.asset.ip | Value of source_ip |
| Client Port | principal.port | Value of source_port |
| craction | security_result.detection_fields.value | Value of craction |
| Credential Manager credentials were backupped | security_result.description | Value of description |
| Credential Manager credentials were read. | security_result.description | Value of description |
| crscore | security_result.severity_details | Value of crscore |
| crlevel | security_result.severity, security_result.severity_details | Value of crlevel. If crlevel is "HIGH", "MEDIUM", "LOW", or "CRITICAL", map to the corresponding UDM severity. |
| Cryptographic Operation | metadata.description | Value of product_desc |
| CyberX platform name | security_result.detection_fields.value | Value of cyberx_platform_name |
| Description | security_result.description | Value of description if Message is empty |
| Destination | target.ip, target.asset.ip or target.hostname | If Destination is an IP address, map to target.ip and target.asset.ip. Otherwise, map to target.hostname. |
| Destination Address | target.ip, target.asset.ip | Value of destination_ip from parsed network_information |
| Destination DRA | target.resource.name | Value of destination_dra |
| Destination ip | target.ip, target.asset.ip | Value of destination_ip |
| Destination Port | target.port | Value of destination_port from parsed network_information |
| devid | principal.resource.product_object_id | Value of devid |
| devname | principal.resource.name | Value of devname |
| Direction | network.direction | If Direction is "incoming", "inbound", or "response", map to "INBOUND". If Direction is "outgoing", "outbound", or "request", map to "OUTBOUND". |
| dstip | target.ip, target.asset.ip | Value of dstip if destination_ip is empty |
| dstcountry | target.location.country_or_region | Value of dstcountry |
| dstintf | security_result.detection_fields.value | Value of dstintf |
| dstintfrole | security_result.detection_fields.value | Value of dstintfrole |
| dstosname | target.platform | Value of dstosname if it is "WINDOWS", "LINUX", or "MAC". |
| dstport | target.port | Value of dstport if destination_port is empty |
| dstswversion | target.platform_version | Value of dstswversion |
| duration | network.session_duration.seconds | Value of duration |
| event_id | security_result.rule_name | Used to construct rule name as "EventID: %{event_id}" |
| event_in_sequence | security_result.detection_fields.value | Value of event_in_sequence |
| Filter Run-Time ID | security_result.detection_fields.value | Value of filter_run_time_id from parsed filter_information |
| Group Membership | security_result.detection_fields.value | Value of group_membership if event_id is not 4627 |
| Group Membership | target.user.group_identifiers | Values from parsed group_membership if event_id is 4627 |
| handle_id | security_result.detection_fields.value | Value of handle_id from parsed object_kvdata |
| Handle ID | security_result.detection_fields.value | Value of handle_id from parsed object_kvdata |
| impersonation_level | security_result.detection_fields.value | Value of impersonation_level from parsed logon_information_kvdata |
| Key Length | security_result.detection_fields.value | Value of key_length from parsed auth_kvdata |
| Key Name | security_result.detection_fields.value | Value of key_name from parsed cryptographic_kvdata |
| Key Type | security_result.detection_fields.value | Value of key_type from parsed cryptographic_kvdata |
| keywords | security_result.detection_fields.value | Value of keywords |
| Layer Name | security_result.detection_fields.value | Value of layer_name from parsed filter_information |
| Layer Run-Time ID | security_result.detection_fields.value | Value of layer_run_time_id from parsed filter_information |
| logid | metadata.product_log_id | Value of logid |
| Logon GUID | principal.resource.product_object_id | Value of logon_guid |
| Logon ID | security_result.detection_fields.value | Value of logon_id |
| logon_type | event.idm.read_only_udm.extensions.auth.mechanism | Derived. If logon_type is '3', map to "NETWORK". If '4', map to "BATCH". If '5', map to "SERVICE". If '8', map to "NETWORK_CLEAR_TEXT". If '9', map to "NEW_CREDENTIALS". If '10', map to "REMOTE_INTERACTIVE". If '11', map to "CACHED_INTERACTIVE". Otherwise, if not empty, map to "MECHANISM_OTHER". |
| Logon Account | security_result.detection_fields.value | Value of logon_id from grok parse |
| Logon Process | security_result.detection_fields.value | Value of logon_process from parsed auth_kvdata |
| Mandatory Label | security_result.detection_fields.value | Value of mandatory_label |
| mastersrcmac | principal.mac | Value of mastersrcmac |
| Message | security_result.description | Value of Message |
| new_process_id | target.process.pid | Value of new_process_id from parsed process_kvdata |
| new_process_name | target.process.file.full_path | Value of new_process_name from parsed process_kvdata |
| Object Name | security_result.detection_fields.value | Value of object_name from parsed object_kvdata |
| Object Server | security_result.detection_fields.value | Value of object_server from parsed object_kvdata |
| Object Type | security_result.detection_fields.value | Value of object_type from parsed object_kvdata |
| osname | principal.platform | Value of osname if it is "WINDOWS", "LINUX", or "MAC". |
| Package Name (NTLM only) | security_result.detection_fields.value | Value of package_name from parsed auth_kvdata |
| policyid | security_result.rule_id | Value of policyid |
| policyname | security_result.rule_name | Value of policyname |
| policytype | security_result.rule_type | Value of policytype |
| Process ID | principal.process.pid | Value of process_id |
| Process Name | principal.process.file.full_path | Value of creator_process_name from parsed process_kvdata |
| profile_changed | security_result.detection_fields.value | Value of profile_changed |
| Profile Changed | security_result.detection_fields.value | Value of profile_changed from grok parse |
| proto | network.ip_protocol | If proto is "17", map to "UDP". If "6" or subtype is "wad", map to "TCP". If "41", map to "IP6IN4". If service is "PING" or proto is "1" or service contains "ICMP", map to "ICMP". |
| Protocol | network.application_protocol | Value of app_protocol_output derived from Protocol |
| Provider Name | security_result.detection_fields.value | Value of provider_name from parsed provider_kvdata or cryptographic_kvdata |
| rcvdbyte | network.received_bytes | Value of rcvdbyte |
| rcvdpkt | security_result.detection_fields.value | Value of rcvdpkt |
| restricted_admin_mode | security_result.detection_fields.value | Value of restricted_admin_mode from parsed logon_information_kvdata |
| Return Code | security_result.detection_fields.value | Value of return_code from parsed cryptographic_kvdata |
| response | security_result.detection_fields.value | Value of response |
| rule_id | security_result.rule_id | Value of rule_id |
| Security ID | principal.user.windows_sid | Value of principal_security_id from parsed principal_kvdata |
| Security ID | target.user.windows_sid | Value of target_security_id from parsed target_kvdata |
| sentbyte | network.sent_bytes | Value of sentbyte |
| sentpkt | security_result.detection_fields.value | Value of sentpkt |
| service | network.application_protocol or target.application | Value of app_protocol_output derived from service. If app_protocol_output is empty, map to target.application. |
| Service ID | security_result.detection_fields.value | Value of service_id from parsed service_kvdata |
| Service Name | security_result.detection_fields.value | Value of service_name from parsed service_kvdata |
| sessionid | network.session_id | Value of sessionid |
| Severity | security_result.severity, security_result.severity_details | If Severity is "ERROR" or "CRITICAL", map to the corresponding UDM severity. If "INFO", map to "INFORMATIONAL". If "MINOR", map to "LOW". If "WARNING", map to "MEDIUM". If "MAJOR", map to "HIGH". Also map the raw value to severity_details. |
| severity | security_result.severity, security_result.severity_details | If severity is "1", "2", or "3", map to "LOW". If "4", "5", or "6", map to "MEDIUM". If "7", "8", or "9", map to "HIGH". Also map the raw value to severity_details. |
| Share Name | security_result.detection_fields.value | Value of share_name from parsed share_information_kvdata |
| Share Path | security_result.detection_fields.value | Value of share_path from parsed share_information_kvdata |
| Source | principal.ip, principal.asset.ip or principal.hostname, principal.asset.hostname | If Source is an IP address, map to principal.ip and principal.asset.ip. Otherwise, map to principal.hostname and principal.asset.hostname. |
| Source Address | principal.ip, principal.asset.ip | Value of source_ip from parsed network_information |
| Source DRA | principal.resource.name | Value of source_dra |
| Source ip | principal.ip | Value of source_ip |
| Source Network Address | principal.ip, principal.asset.ip | Value of source_ip |
| Source Port | principal.port | Value of source_port from parsed network_information |
| Source Workstation | workstation_name | Value of source_workstation_name |
| srcip | source_ip | Value of srcip if source_ip is empty |
| srccountry | principal.location.country_or_region | Value of srccountry |
| srcmac | principal.mac | Value of srcmac |
| srcname | principal.hostname, principal.asset.hostname | Value of srcname |
| srcport | source_port | Value of srcport if source_port is empty |
| srcswversion | principal.platform_version | Value of srcswversion |
| Status Code | network.http.response_code | Value of status_code |
| Token Elevation Type | security_result.detection_fields.value | Value of token_elevation_type |
| transited_services | security_result.detection_fields.value | Value of transited_services from parsed auth_kvdata |
| transip | principal.nat_ip | Value of transip |
| transport | principal.nat_port | Value of transport |
| type | metadata.product_event_type | Used with subtype to create metadata.product_event_type |
| Type | security_result.detection_fields.value | Value of Type |
| UUID | metadata.product_log_id | Value of UUID |
| vd | principal.administrative_domain | Value of vd |
| virtual_account | security_result.detection_fields.value | Value of virtual_account from parsed logon_information_kvdata |
| Workstation Name | principal.hostname, principal.asset.hostname | Value of workstation_name if no other principal identifier is present |
| metadata.event_type | metadata.event_type | Derived. If both principal_present and target_present are true, map to "NETWORK_CONNECTION". If user_present is true, map to "USER_RESOURCE_ACCESS". If principal_present is true, map to "STATUS_UPDATE". Otherwise, map to "GENERIC_EVENT". |
| metadata.log_type | metadata.log_type | Hardcoded to "CYBERX" |
| metadata.product_name | metadata.product_name | Hardcoded to "CYBERX" |
| metadata.vendor_name | metadata.vendor_name | Hardcoded to "CYBERX" |
| metadata.event_timestamp | metadata.event_timestamp | Copied from the top-level timestamp field, or derived from eventtime or date and time fields. |
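As an added illustration (not the Google Security Operations parser itself, which is grok/kv filter configuration not shown on this page), the following Python reproduces several derivations from the table over two constructed sample lines: the Source/Destination IP-or-hostname split, the Severity, action and Direction lookups, and the metadata.event_type precedence. The syslog header and the key=value layout of the samples are assumptions, since the page does not show the actual KV pattern.

```python
import re
import ipaddress

# Constructed sample lines in the SYSLOG+KV shape the parser expects; not real captures.
SAMPLE_ALERT = "<134>May 15 10:00:00 cyberx-sensor CyberX: Severity=MAJOR Source=10.1.2.3 Destination=203.0.113.5 Direction=outgoing"
SAMPLE_STATUS = "<134>May 15 10:00:01 cyberx-sensor CyberX: Severity=INFO Source=plc-01 action=deny"

# Lookup tables transcribed from the mapping reference above.
ACTION_MAP = {**dict.fromkeys(["accept", "passthrough", "pass", "permit", "detected", "close"], "ALLOW"),
              **dict.fromkeys(["deny", "dropped", "blocked"], "BLOCK"), "timeout": "FAIL"}
SEVERITY_MAP = {"ERROR": "ERROR", "CRITICAL": "CRITICAL", "INFO": "INFORMATIONAL",
                "MINOR": "LOW", "WARNING": "MEDIUM", "MAJOR": "HIGH"}
DIRECTION_MAP = {**dict.fromkeys(["incoming", "inbound", "response"], "INBOUND"),
                 **dict.fromkeys(["outgoing", "outbound", "request"], "OUTBOUND")}

def parse_kv(line):
    # kv-filter equivalent: each value runs until the next "key=" token or end of line.
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))

def endpoint(value):
    # IP literals populate .ip and .asset.ip; anything else is treated as a hostname.
    try:
        ipaddress.ip_address(value)
        return {"ip": value, "asset": {"ip": value}}
    except ValueError:
        return {"hostname": value, "asset": {"hostname": value}}

def to_udm(line):
    # Apply the documented derivations to one raw line and return a UDM-shaped dict.
    kv = parse_kv(line)
    udm = {"metadata": {"log_type": "CYBERX", "vendor_name": "CYBERX", "product_name": "CYBERX"},
           "security_result": {}, "network": {}}
    if "Source" in kv:
        udm["principal"] = endpoint(kv["Source"])
    if "Destination" in kv:
        udm["target"] = endpoint(kv["Destination"])
    if "Severity" in kv:  # the raw value always lands in severity_details
        udm["security_result"]["severity_details"] = kv["Severity"]
    if kv.get("Severity") in SEVERITY_MAP:  # the enum is set only for the listed values
        udm["security_result"]["severity"] = SEVERITY_MAP[kv["Severity"]]
    if "action" in kv:
        udm["security_result"]["action_details"] = kv["action"]
        udm["security_result"]["action"] = ACTION_MAP.get(kv["action"].lower(), "UNKNOWN_ACTION")
    if kv.get("Direction", "").lower() in DIRECTION_MAP:
        udm["network"]["direction"] = DIRECTION_MAP[kv["Direction"].lower()]
    has_p, has_t = "principal" in udm, "target" in udm  # event_type precedence from the table
    has_u = bool(udm.get("principal", {}).get("user"))
    udm["metadata"]["event_type"] = ("NETWORK_CONNECTION" if has_p and has_t else
        "USER_RESOURCE_ACCESS" if has_u else "STATUS_UPDATE" if has_p else "GENERIC_EVENT")
    return udm
```

Running `to_udm(SAMPLE_ALERT)` yields a NETWORK_CONNECTION event with severity HIGH and direction OUTBOUND, while `to_udm(SAMPLE_STATUS)` yields a STATUS_UPDATE with a hostname principal, severity INFORMATIONAL and action BLOCK.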

Changes

2024-05-15

  • Modified the KV pattern to handle a new syslog format.
  • Mapped "source_ip2" to "principal.ip" and "principal.asset.ip".
  • Mapped "destination_ip2" to "target.ip" and "target.asset.ip".
  • Mapped "Severity" to "security_result.severity_details".
  • Aligned "principal.ip" and "principal.asset.ip" mappings.
  • Aligned "target.ip" and "target.asset.ip" mappings.
  • Aligned "principal.hostname" and "principal.asset.hostname" mappings.
  • Aligned "target.hostname" and "target.asset.hostname" mappings.

2023-12-06

  • Newly created parser.