Collect CyberX logs

Supported in:

Google SecOps SIEM

This document describes how you can collect CyberX logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations overview.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CyberX ingestion label.

Configure CyberX

Sign in to the CyberX UI.
In the CyberX UI, select Forwarding, and then click Create forwarding rule.
To select filters for notifications, do the following:
- In the Protocols section, select the required protocols or click All to select all the protocols.
- In the Severity list, select the lowest severity of alerts to be be sent.
  
  For example, critical and major alerts are sent using notifications if you select Major severity.
- In the Engines section, select the required engines or click All to select all of the engines.
Click Add to add a new notification method.
In the Action list, select an action type from the available actions.

If you add more than one action, multiple notification methods can be created for each rule.
Based on the action you selected, specify the required details in the appropriate fields. For example, if you selected Send to SYSLOG server (CEF), do the following:
- In the Host field, enter the syslog server address.
- In the Timezone field, enter the syslog server timezone.
- In the Port field, enter the syslog server port.
Click Submit.

Similarly, for other actions that you select, specify the required details.

Configure the Google Security Operations forwarder to ingest CyberX logs

In the Google Security Operations menu, select Settings > Forwarders > Add new forwarder.
In the Forwarder name field, enter a unique name for the forwarder.
Click Submit. The forwarder is added and the Add collector configuration window appears.
In the Collector name field, enter a unique name for the collector.
In the Log type field, specify Microsoft CyberX.
Select Syslog as the Collector type.
Configure the following input parameters:
- Protocol: specify the connection protocol that the collector uses to listen for syslog data.
- Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
Click Submit.

For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.

If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser handles CyberX logs in SYSLOG+KV format, transforming them into UDM. It initializes numerous fields to empty strings, performs several substitutions to rename and format key-value pairs within the message field, and then uses grok and kv filters to extract structured data into UDM fields. The parser prioritizes key-value data extraction and falls back to grok patterns if necessary, enriching the UDM event with metadata, principal, target, network, and security result information.

UDM mapping table

Log Field	UDM Mapping	Logic
Access Mask	`security_result.detection_fields.value`	Value of `access_mask` from parsed `access_request_kvdata`
Account Domain	`principal.administrative_domain`	Value of `principal_domain` from parsed `principal_kvdata`
Account Domain	`target.administrative_domain`	Value of `target_domain` from parsed `target_kvdata`
Account Name	`principal.user.userid`	Value of `principal_account_name` from parsed `principal_kvdata`
Account Name	`target.user.userid`	Value of `target_account_name` from parsed `target_kvdata`
action	`security_result.action_details`	Value of `action`
action	`security_result.action`	Derived. If `action` is "accept", "passthrough", "pass", "permit", "detected", or "close", map to "ALLOW". If `action` is "deny", "dropped", or "blocked", map to "BLOCK". If `action` is "timeout", map to "FAIL". Otherwise, map to "UNKNOWN_ACTION".
Algorithm Name	`security_result.detection_fields.value`	Value of `algorithm_name` from parsed `cryptographic_kvdata`
app	`target.application`	Value of `service` if `app_protocol_output` is empty
appcat	`security_result.detection_fields.value`	Value of `appcat`
Application Name	`principal.application`	Value of `application_name`
Authentication Package	`security_result.about.resource.name`	Value of `authentication_package`
Azure Defender for IoT Alert	`security_result.detection_fields.value`	Value of `azure_defender_for_iot_alert`
channel	`security_result.detection_fields.value`	Value of `channel`
Client Address	`principal.ip`, `principal.asset.ip`	Value of `source_ip`
Client Port	`principal.port`	Value of `source_port`
craction	`security_result.detection_fields.value`	Value of `craction`
Credential Manager credentials were backupped	`security_result.description`	Value of `description`
Credential Manager credentials were read.	`security_result.description`	Value of `description`
crscore	`security_result.severity_details`	Value of `crscore`
crlevel	`security_result.severity`, `security_result.severity_details`	Value of `crlevel`. If `crlevel` is "HIGH", "MEDIUM", "LOW", or "CRITICAL", map to the corresponding UDM severity.
Cryptographic Operation	`metadata.description`	Value of `product_desc`
CyberX platform name	`security_result.detection_fields.value`	Value of `cyberx_platform_name`
Description	`security_result.description`	Value of `description` if `Message` is empty
Destination	`target.ip`, `target.asset.ip` or `target.hostname`	If `Destination` is an IP address, map to `target.ip` and `target.asset.ip`. Otherwise, map to `target.hostname`.
Destination Address	`target.ip`, `target.asset.ip`	Value of `destination_ip` from parsed `network_information`
Destination DRA	`target.resource.name`	Value of `destination_dra`
Destination ip	`target.ip`, `target.asset.ip`	Value of `destination_ip`
Destination Port	`target.port`	Value of `destination_port` from parsed `network_information`
devid	`principal.resource.product_object_id`	Value of `devid`
devname	`principal.resource.name`	Value of `devname`
Direction	`network.direction`	If `Direction` is "incoming", "inbound", or "response", map to "INBOUND". If `Direction` is "outgoing", "outbound", or "request", map to "OUTBOUND".
dstip	`target.ip`, `target.asset.ip`	Value of `dstip` if `destination_ip` is empty
dstcountry	`target.location.country_or_region`	Value of `dstcountry`
dstintf	`security_result.detection_fields.value`	Value of `dstintf`
dstintfrole	`security_result.detection_fields.value`	Value of `dstintfrole`
dstosname	`target.platform`	Value of `dstosname` if it is "WINDOWS", "LINUX", or "MAC".
dstport	`target.port`	Value of `dstport` if `destination_port` is empty
dstswversion	`target.platform_version`	Value of `dstswversion`
duration	`network.session_duration.seconds`	Value of `duration`
event_id	`security_result.rule_name`	Used to construct rule name as "EventID: %{event_id}"
event_in_sequence	`security_result.detection_fields.value`	Value of `event_in_sequence`
Filter Run-Time ID	`security_result.detection_fields.value`	Value of `filter_run_time_id` from parsed `filter_information`
Group Membership	`security_result.detection_fields.value`	Value of `group_membership` if `event_id` is not 4627
Group Membership	`target.user.group_identifiers`	Values from parsed `group_membership` if `event_id` is 4627
handle_id	`security_result.detection_fields.value`	Value of `handle_id` from parsed `object_kvdata`
Handle ID	`security_result.detection_fields.value`	Value of `handle_id` from parsed `object_kvdata`
impersonation_level	`security_result.detection_fields.value`	Value of `impersonation_level` from parsed `logon_information_kvdata`
Key Length	`security_result.detection_fields.value`	Value of `key_length` from parsed `auth_kvdata`
Key Name	`security_result.detection_fields.value`	Value of `key_name` from parsed `cryptographic_kvdata`
Key Type	`security_result.detection_fields.value`	Value of `key_type` from parsed `cryptographic_kvdata`
keywords	`security_result.detection_fields.value`	Value of `keywords`
Layer Name	`security_result.detection_fields.value`	Value of `layer_name` from parsed `filter_information`
Layer Run-Time ID	`security_result.detection_fields.value`	Value of `layer_run_time_id` from parsed `filter_information`
logid	`metadata.product_log_id`	Value of `logid`
Logon GUID	`principal.resource.product_object_id`	Value of `logon_guid`
Logon ID	`security_result.detection_fields.value`	Value of `logon_id`
logon_type	`event.idm.read_only_udm.extensions.auth.mechanism`	Derived. If `logon_type` is '3', map to "NETWORK". If '4', map to "BATCH". If '5', map to "SERVICE". If '8', map to "NETWORK_CLEAR_TEXT". If '9', map to "NEW_CREDENTIALS". If '10', map to "REMOTE_INTERACTIVE". If '11', map to "CACHED_INTERACTIVE". Otherwise, if not empty, map to "MECHANISM_OTHER".
Logon Account	`security_result.detection_fields.value`	Value of `logon_id` from grok parse
Logon Process	`security_result.detection_fields.value`	Value of `logon_process` from parsed `auth_kvdata`
Mandatory Label	`security_result.detection_fields.value`	Value of `mandatory_label`
mastersrcmac	`principal.mac`	Value of `mastersrcmac`
Message	`security_result.description`	Value of `Message`
new_process_id	`target.process.pid`	Value of `new_process_id` from parsed `process_kvdata`
new_process_name	`target.process.file.full_path`	Value of `new_process_name` from parsed `process_kvdata`
Object Name	`security_result.detection_fields.value`	Value of `object_name` from parsed `object_kvdata`
Object Server	`security_result.detection_fields.value`	Value of `object_server` from parsed `object_kvdata`
Object Type	`security_result.detection_fields.value`	Value of `object_type` from parsed `object_kvdata`
osname	`principal.platform`	Value of `osname` if it is "WINDOWS", "LINUX", or "MAC".
Package Name (NTLM only)	`security_result.detection_fields.value`	Value of `package_name` from parsed `auth_kvdata`
policyid	`security_result.rule_id`	Value of `policyid`
policyname	`security_result.rule_name`	Value of `policyname`
policytype	`security_result.rule_type`	Value of `policytype`
Process ID	`principal.process.pid`	Value of `process_id`
Process Name	`principal.process.file.full_path`	Value of `creator_process_name` from parsed `process_kvdata`
profile_changed	`security_result.detection_fields.value`	Value of `profile_changed`
Profile Changed	`security_result.detection_fields.value`	Value of `profile_changed` from grok parse
proto	`network.ip_protocol`	If `proto` is "17", map to "UDP". If "6" or `subtype` is "wad", map to "TCP". If "41", map to "IP6IN4". If `service` is "PING" or `proto` is "1" or `service` contains "ICMP", map to "ICMP".
Protocol	`network.application_protocol`	Value of `app_protocol_output` derived from `Protocol`
Provider Name	`security_result.detection_fields.value`	Value of `provider_name` from parsed `provider_kvdata` or `cryptographic_kvdata`
rcvdbyte	`network.received_bytes`	Value of `rcvdbyte`
rcvdpkt	`security_result.detection_fields.value`	Value of `rcvdpkt`
restricted_admin_mode	`security_result.detection_fields.value`	Value of `restricted_admin_mode` from parsed `logon_information_kvdata`
Return Code	`security_result.detection_fields.value`	Value of `return_code` from parsed `cryptographic_kvdata`
response	`security_result.detection_fields.value`	Value of `response`
rule_id	`security_result.rule_id`	Value of `rule_id`
Security ID	`principal.user.windows_sid`	Value of `principal_security_id` from parsed `principal_kvdata`
Security ID	`target.user.windows_sid`	Value of `target_security_id` from parsed `target_kvdata`
sentbyte	`network.sent_bytes`	Value of `sentbyte`
sentpkt	`security_result.detection_fields.value`	Value of `sentpkt`
service	`network.application_protocol` or `target.application`	Value of `app_protocol_output` derived from `service`. If `app_protocol_output` is empty, map to `target.application`.
Service ID	`security_result.detection_fields.value`	Value of `service_id` from parsed `service_kvdata`
Service Name	`security_result.detection_fields.value`	Value of `service_name` from parsed `service_kvdata`
sessionid	`network.session_id`	Value of `sessionid`
Severity	`security_result.severity`, `security_result.severity_details`	If `Severity` is "ERROR" or "CRITICAL", map to the corresponding UDM severity. If "INFO", map to "INFORMATIONAL". If "MINOR", map to "LOW". If "WARNING", map to "MEDIUM". If "MAJOR", map to "HIGH". Also map the raw value to `severity_details`.
severity	`security_result.severity`, `security_result.severity_details`	If `severity` is "1", "2", or "3", map to "LOW". If "4", "5", or "6", map to "MEDIUM". If "7", "8", or "9", map to "HIGH". Also map the raw value to `severity_details`.
Share Name	`security_result.detection_fields.value`	Value of `share_name` from parsed `share_information_kvdata`
Share Path	`security_result.detection_fields.value`	Value of `share_path` from parsed `share_information_kvdata`
Source	`principal.ip`, `principal.asset.ip` or `principal.hostname`, `principal.asset.hostname`	If `Source` is an IP address, map to `principal.ip` and `principal.asset.ip`. Otherwise, map to `principal.hostname` and `principal.asset.hostname`.
Source Address	`principal.ip`, `principal.asset.ip`	Value of `source_ip` from parsed `network_information`
Source DRA	`principal.resource.name`	Value of `source_dra`
Source ip	`principal.ip`	Value of `source_ip`
Source Network Address	`principal.ip`, `principal.asset.ip`	Value of `source_ip`
Source Port	`principal.port`	Value of `source_port` from parsed `network_information`
Source Workstation	`workstation_name`	Value of `source_workstation_name`
srcip	`source_ip`	Value of `srcip` if `source_ip` is empty
srccountry	`principal.location.country_or_region`	Value of `srccountry`
srcmac	`principal.mac`	Value of `srcmac`
srcname	`principal.hostname`, `principal.asset.hostname`	Value of `srcname`
srcport	`source_port`	Value of `srcport` if `source_port` is empty
srcswversion	`principal.platform_version`	Value of `srcswversion`
Status Code	`network.http.response_code`	Value of `status_code`
Token Elevation Type	`security_result.detection_fields.value`	Value of `token_elevation_type`
transited_services	`security_result.detection_fields.value`	Value of `transited_services` from parsed `auth_kvdata`
transip	`principal.nat_ip`	Value of `transip`
transport	`principal.nat_port`	Value of `transport`
type	`metadata.product_event_type`	Used with `subtype` to create `metadata.product_event_type`
Type	`security_result.detection_fields.value`	Value of `Type`
UUID	`metadata.product_log_id`	Value of `UUID`
vd	`principal.administrative_domain`	Value of `vd`
virtual_account	`security_result.detection_fields.value`	Value of `virtual_account` from parsed `logon_information_kvdata`
Workstation Name	`principal.hostname`, `principal.asset.hostname`	Value of `workstation_name` if no other principal identifier is present
`metadata.event_type`	`metadata.event_type`	Derived. If both `principal_present` and `target_present` are true, map to "NETWORK_CONNECTION". If `user_present` is true, map to "USER_RESOURCE_ACCESS". If `principal_present` is true, map to "STATUS_UPDATE". Otherwise, map to "GENERIC_EVENT".
`metadata.log_type`	`metadata.log_type`	Hardcoded to "CYBERX"
`metadata.product_name`	`metadata.product_name`	Hardcoded to "CYBERX"
`metadata.vendor_name`	`metadata.vendor_name`	Hardcoded to "CYBERX"
`metadata.event_timestamp`	`metadata.event_timestamp`	Copied from the top-level `timestamp` field, or derived from `eventtime` or `date` and `time` fields.

Changes

2024-05-15

Modified KV pattern to handle new pattern of SYSLOGS.
Mapped "source_ip2" to "principal.ip" and "principal.asset.ip".
Mapped "destination_ip2" to "target.ip" and "target.asset.ip".
Mapped "Severity" to "security_result.severity_details".
Aligned "principal.ip" and "principal.asset.ip" mappings.
Aligned "target.ip" and "target.asset.ip" mappings.
Aligned "principal.hostname" and "principal.asset.hostname" mappings.
Aligned "target.hostname" and "target.asset.hostname" mappings.

2023-12-06

Newly created parser.