Collect the General Dynamics Fidelis XPS logs

This document describes how you can collect the General Dynamics Fidelis XPS logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations overview.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the FIDELIS_NETWORK ingestion label.

Configure General Dynamics Fidelis XPS

  1. Sign in to CommandPost to manage your Fidelis XPS appliance.
  2. Select System > Export.
  3. Click the New tab.
  4. In the Export method list, select ArcSight.
  5. In the Destination field, enter the IP address of the Google Security Operations forwarder and the port on which its syslog collector listens, for example 514.
  6. In the Export alerts section, select the All checkbox.
  7. In the Export frequency section, select the Every alert checkbox.
  8. In the Transport section, select the TCP or UDP checkbox. Select TCP if you export the VIOLATION_INFO column (see the note after the column list).
  9. In the Save as field, enter a name for the export configuration.
  10. In the Column list box, move entries in the Column list so that they appear in the following order:

    • TIME

    • ACTION

    • ALERTUUID

    • APPLICATION_USER

    • COMPONENT

    • COMPR

    • DSTADDR

    • DSTPORT

    • FILENAME

    • FROM

    • GROUP

    • MALWARE NAME

    • MALWARE TYPE

    • MD5

    • POLICY

    • PROTO

    • REQUEST_METHOD

    • REQUEST_AGENT

    • REQUEST_URL

    • RULE

    • SENIP

    • SEVERITY

    • SRCADDR

    • SRCPORT

    • SUMMARY

    • TARGET

    • TO

    • VIOLATION_INFO

    • VLAN_ID

    Fidelis XPS version 8.1 adds columns that you can include in the export. The new columns are REQUEST_METHOD, REQUEST_AGENT, REQUEST_URL, VIOLATION_INFO, and VLAN_ID.

    VIOLATION_INFO carries everything shown in the Violation information section of the Alert detail page: the data that matched and triggered the alert, plus any additional information carried by the feed entry that matched. Because VIOLATION_INFO can be large, you must select TCP as the transport when you include it in a syslog export; a single UDP datagram can truncate or drop a message of that size.

  11. Select System > Malware > Malware detection.

  12. Select the Malware detection engine and Automatic malware policy checkboxes.

  13. Click Save.
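The following Python script is an added example, not code from the Google Security Operations documentation or from Fidelis. It is the pre-flight check a practitioner would run before pointing CommandPost at the forwarder: it builds a constructed CEF-style alert whose VIOLATION_INFO value is deliberately large, frames it with RFC 6587 octet counting for syslog over TCP, reports whether the message would fit a conservative UDP syslog size, and round-trips it through a local stand-in listener so the framing can be verified offline. The hostname, vendor/product strings, extension keys, the sample alert and the 1024-byte UDP ceiling are assumptions for illustration; the exact layout the Fidelis ArcSight export emits may differ.

```python
"""Send a constructed test alert to a syslog-over-TCP listener and flag
messages that would not survive UDP. Added example; not Fidelis or Google
Security Operations code."""
import socket
import socketserver
import threading
from datetime import datetime, timezone

# RFC 3164 lets receivers cap syslog datagrams at 1024 bytes; anything larger
# over UDP risks truncation. Used here as the safe ceiling (assumption:
# real receivers vary).
UDP_SAFE_MAX = 1024


def cef_escape(value: str) -> str:
    """Escape a CEF extension value: backslash, '=' and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def build_message(extension: dict, rule: str = "TEST-RULE", severity: int = 7) -> bytes:
    """Build one RFC 3164-style line whose body is a CEF record.
    Header strings and extension keys are constructed for this example."""
    pri = 1 * 8 + 5  # facility user(1), severity notice(5)
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    ext = " ".join(f"{k}={cef_escape(str(v))}" for k, v in extension.items())
    body = f"CEF:0|Fidelis|XPS|8.1|{rule}|{rule}|{severity}|{ext}"
    return f"<{pri}>{ts} fidelis-cp {body}\n".encode()


def fits_udp(msg: bytes) -> bool:
    """True when the message is small enough to send over UDP safely."""
    return len(msg) <= UDP_SAFE_MAX


def frame_for_tcp(msg: bytes) -> bytes:
    """RFC 6587 octet counting: '<length> <message>'. Unlike newline
    framing, this survives newlines embedded in large VIOLATION_INFO text."""
    return f"{len(msg)} ".encode() + msg


def send_tcp(host: str, port: int, msg: bytes, timeout: float = 5.0) -> int:
    """Deliver one framed message over TCP; returns the bytes written."""
    framed = frame_for_tcp(msg)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(framed)
    return len(framed)


class _OctetCountingHandler(socketserver.StreamRequestHandler):
    """Minimal receiver that decodes one octet-counted message."""

    def handle(self):
        count = b""
        while True:
            ch = self.rfile.read(1)
            if ch in (b" ", b""):
                break
            count += ch
        self.server.received = self.rfile.read(int(count)) if count else b""


def roundtrip_local(msg: bytes) -> bytes:
    """Stand-in for the forwarder: listen on a loopback ephemeral port,
    send msg to it and return exactly what the listener decoded."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _OctetCountingHandler)
    srv.timeout = 5
    srv.received = None
    worker = threading.Thread(target=srv.handle_request)
    worker.start()
    try:
        send_tcp("127.0.0.1", srv.server_address[1], msg)
        worker.join(5)
    finally:
        srv.server_close()
    return srv.received


def sample_alert() -> dict:
    """Constructed alert resembling the exported columns; VIOLATION_INFO is
    padded so the message exceeds the UDP-safe size."""
    return {
        "rt": "2024-06-04T12:00:00Z", "src": "10.10.5.21", "spt": 51234,
        "dst": "203.0.113.9", "dpt": 443, "proto": "TCP",
        "cs1Label": "RULE", "cs1": "Malware download",
        "cs2Label": "VIOLATION_INFO", "cs2": "match=eicar; " + "x" * 1500,
    }


if __name__ == "__main__":
    msg = build_message(sample_alert())
    print(f"{len(msg)} bytes; fits UDP: {fits_udp(msg)}")
    # Replace with the forwarder address and port configured in CommandPost.
    # send_tcp("192.0.2.10", 514, msg)
    assert roundtrip_local(msg) == msg
```

To test the real path, uncomment the `send_tcp` call with the forwarder's address and collector port and confirm the event appears in the SIEM; if the message reports as not fitting UDP, that is the case where the TCP transport is mandatory.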

Configure the Google Security Operations forwarder to ingest Fidelis Network logs

  1. Select SIEM Settings > Forwarders.
  2. Click Add new forwarder.
  3. Enter a unique name in the Forwarder name field.
  4. Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, enter a unique name for the collector.
  6. Select Fidelis Network as the Log type.
  7. Select Syslog as the Collector type.
  8. Configure the following input parameters:
    • Protocol: specify the connection protocol that the collector uses to listen to syslog data.
    • Address: specify the target IP address or hostname where the collector resides and listens to syslog data.
    • Port: specify the target port where the collector resides and listens to syslog data.
  9. Click Submit.

For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.

If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser processes Fidelis Network logs in syslog, key-value pair, and JSON formats and transforms them into UDM. It extracts fields, handles the different log structures, maps them to UDM fields, and sets the event flags is_alert and is_significant based on severity and threat indicators.

UDM mapping table

| Log field | UDM mapping | Logic |
|---|---|---|
| aaction | event.idm.read_only_udm.security_result.action_details | Directly mapped if not "none" or empty string. |
| alert_threat_score | event.idm.read_only_udm.security_result.detection_fields[].key: "alert_threat_score", event.idm.read_only_udm.security_result.detection_fields[].value: value of alert_threat_score | Directly mapped as a detection field. |
| alert_type | event.idm.read_only_udm.security_result.detection_fields[].key: "alert_type", event.idm.read_only_udm.security_result.detection_fields[].value: value of alert_type | Directly mapped as a detection field. |
| answers | event.idm.read_only_udm.network.dns.answers[].data | Directly mapped for DNS events. |
| application_user | event.idm.read_only_udm.principal.user.userid | Directly mapped. |
| asset_os | event.idm.read_only_udm.target.platform | Normalized to WINDOWS, LINUX, MAC, or UNKNOWN_PLATFORM. |
| certificate.end_date | event.idm.read_only_udm.network.tls.client.certificate.not_after | Parsed and converted to timestamp. |
| certificate.extended_key_usage | event.idm.read_only_udm.additional.fields[].key: "Extended Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.extended_key_usage | Mapped as an additional field. |
| certificate.issuer_name | event.idm.read_only_udm.network.tls.server.certificate.issuer | Directly mapped. |
| certificate.key_length | event.idm.read_only_udm.additional.fields[].key: "Key Length", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.key_length | Mapped as an additional field. |
| certificate.key_usage | event.idm.read_only_udm.additional.fields[].key: "Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.key_usage | Mapped as an additional field. |
| certificate.start_date | event.idm.read_only_udm.network.tls.client.certificate.not_before | Parsed and converted to timestamp. |
| certificate.subject_altname | event.idm.read_only_udm.additional.fields[].key: "Certificate Alternate Name", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.subject_altname | Mapped as an additional field. |
| certificate.subject_name | event.idm.read_only_udm.network.tls.server.certificate.subject | Directly mapped. |
| certificate.type | event.idm.read_only_udm.additional.fields[].key: "Certificate_Type", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.type | Mapped as an additional field. |
| cipher | event.idm.read_only_udm.network.tls.cipher | Directly mapped. |
| client_asset_name | event.idm.read_only_udm.principal.application | Directly mapped. |
| client_asset_subnet | event.idm.read_only_udm.additional.fields[].key: "client_asset_subnet", event.idm.read_only_udm.additional.fields[].value.string_value: value of client_asset_subnet | Mapped as an additional field. |
| client_ip | event.idm.read_only_udm.principal.ip | Directly mapped. |
| client_port | event.idm.read_only_udm.principal.port | Directly mapped and converted to integer. |
| ClientIP | event.idm.read_only_udm.principal.ip | Directly mapped. |
| ClientPort | event.idm.read_only_udm.principal.port | Directly mapped and converted to integer. |
| ClientCountry | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped if not "UNKNOWN" or empty string. |
| ClientAssetID | event.idm.read_only_udm.principal.asset_id | Prefixed with "Asset:" if not "0" or empty string. |
| ClientAssetName | event.idm.read_only_udm.principal.resource.attribute.labels[].key: "ClientAssetName", event.idm.read_only_udm.principal.resource.attribute.labels[].value: value of ClientAssetName | Mapped as a principal resource label. |
| ClientAssetRole | event.idm.read_only_udm.principal.asset.attribute.roles[].name | Directly mapped. |
| ClientAssetServices | event.idm.read_only_udm.principal.resource.attribute.labels[].key: "ClientAssetServices", event.idm.read_only_udm.principal.resource.attribute.labels[].value: value of ClientAssetServices | Mapped as a principal resource label. |
| Client | event.idm.read_only_udm.principal.resource.attribute.labels[].key: "Client", event.idm.read_only_udm.principal.resource.attribute.labels[].value: value of Client | Mapped as a principal resource label. |
| Collector | event.idm.read_only_udm.security_result.detection_fields[].key: "Collector", event.idm.read_only_udm.security_result.detection_fields[].value: value of Collector | Mapped as a detection field. |
| command | event.idm.read_only_udm.network.http.method | Directly mapped for HTTP events. |
| Command | event.idm.read_only_udm.security_result.detection_fields[].key: "Command", event.idm.read_only_udm.security_result.detection_fields[].value: value of Command | Mapped as a detection field. |
| Connection | event.idm.read_only_udm.security_result.detection_fields[].key: "Connection", event.idm.read_only_udm.security_result.detection_fields[].value: value of Connection | Mapped as a detection field. |
| DecodingPath | event.idm.read_only_udm.security_result.detection_fields[].key: "DecodingPath", event.idm.read_only_udm.security_result.detection_fields[].value: value of DecodingPath | Mapped as a detection field. |
| dest_country | event.idm.read_only_udm.target.location.country_or_region | Directly mapped. |
| dest_domain | event.idm.read_only_udm.target.hostname | Directly mapped. |
| dest_ip | event.idm.read_only_udm.target.ip | Directly mapped. |
| dest_port | event.idm.read_only_udm.target.port | Directly mapped and converted to integer. |
| Direction | event.idm.read_only_udm.security_result.detection_fields[].key: "Direction", event.idm.read_only_udm.security_result.detection_fields[].value: value of Direction | Mapped as a detection field. |
| dns.host | event.idm.read_only_udm.network.dns.questions[].name | Directly mapped for DNS events. |
| DomainName | event.idm.read_only_udm.target.administrative_domain | Directly mapped. |
| DomainAlexaRank | event.idm.read_only_udm.security_result.detection_fields[].key: "DomainAlexaRank", event.idm.read_only_udm.security_result.detection_fields[].value: value of DomainAlexaRank | Mapped as a detection field. |
| dport | event.idm.read_only_udm.target.port | Directly mapped and converted to integer. |
| dnsresolution.server_fqdn | event.idm.read_only_udm.target.hostname | Directly mapped. |
| Duration | event.idm.read_only_udm.security_result.detection_fields[].key: "Duration", event.idm.read_only_udm.security_result.detection_fields[].value: value of Duration | Mapped as a detection field. |
| Encrypted | event.idm.read_only_udm.security_result.detection_fields[].key: "Encrypted", event.idm.read_only_udm.security_result.detection_fields[].value: value of Encrypted | Mapped as a detection field. |
| Entropy | event.idm.read_only_udm.security_result.detection_fields[].key: "Entropy", event.idm.read_only_udm.security_result.detection_fields[].value: value of Entropy | Mapped as a detection field. |
| event.idm.is_alert | event.idm.is_alert | Set to true if severity is Critical or malware_type is present (except for "Threat Hunt" label). |
| event.idm.is_significant | event.idm.is_significant | Set to true if severity is Critical or malware_type is present (except for "Threat Hunt" label). |
| event.idm.read_only_udm.additional.fields | event.idm.read_only_udm.additional.fields | Contains various additional fields based on parser logic. |
| event.idm.read_only_udm.metadata.description | event.idm.read_only_udm.metadata.description | Directly mapped from summary field. |
| event.idm.read_only_udm.metadata.event_type | event.idm.read_only_udm.metadata.event_type | Determined based on various log fields and parser logic. Can be GENERIC_EVENT, NETWORK_CONNECTION, NETWORK_HTTP, NETWORK_SMTP, NETWORK_DNS, STATUS_UPDATE, NETWORK_FLOW. |
| event.idm.read_only_udm.metadata.log_type | event.idm.read_only_udm.metadata.log_type | Set to "FIDELIS_NETWORK". |
| event.idm.read_only_udm.metadata.product_name | event.idm.read_only_udm.metadata.product_name | Set to "FIDELIS_NETWORK". |
| event.idm.read_only_udm.metadata.vendor_name | event.idm.read_only_udm.metadata.vendor_name | Set to "FIDELIS_NETWORK". |
| event.idm.read_only_udm.network.application_protocol | event.idm.read_only_udm.network.application_protocol | Determined based on server_port or protocol field. Can be HTTP, HTTPS, SMTP, SSH, RPC, DNS, NFS, AOLMAIL. |
| event.idm.read_only_udm.network.direction | event.idm.read_only_udm.network.direction | Determined based on direction field or keywords in summary. Can be INBOUND or OUTBOUND. |
| event.idm.read_only_udm.network.dns.answers | event.idm.read_only_udm.network.dns.answers | Populated for DNS events. |
| event.idm.read_only_udm.network.dns.id | event.idm.read_only_udm.network.dns.id | Mapped from number field for DNS events. |
| event.idm.read_only_udm.network.dns.questions | event.idm.read_only_udm.network.dns.questions | Populated for DNS events. |
| event.idm.read_only_udm.network.email.from | event.idm.read_only_udm.network.email.from | Directly mapped from From if it is a valid email address. |
| event.idm.read_only_udm.network.email.subject | event.idm.read_only_udm.network.email.subject | Directly mapped from Subject. |
| event.idm.read_only_udm.network.email.to | event.idm.read_only_udm.network.email.to | Directly mapped from To. |
| event.idm.read_only_udm.network.ftp.command | event.idm.read_only_udm.network.ftp.command | Directly mapped from ftp.command. |
| event.idm.read_only_udm.network.http.method | event.idm.read_only_udm.network.http.method | Directly mapped from http.command or Command. |
| event.idm.read_only_udm.network.http.referral_url | event.idm.read_only_udm.network.http.referral_url | Directly mapped from Referer. |
| event.idm.read_only_udm.network.http.response_code | event.idm.read_only_udm.network.http.response_code | Directly mapped from http.status_code or StatusCode and converted to integer. |
| event.idm.read_only_udm.network.http.user_agent | event.idm.read_only_udm.network.http.user_agent | Directly mapped from http.useragent or UserAgent. |
| event.idm.read_only_udm.network.ip_protocol | event.idm.read_only_udm.network.ip_protocol | Directly mapped from tproto if it is TCP or UDP. |
| event.idm.read_only_udm.network.received_bytes | event.idm.read_only_udm.network.received_bytes | Renamed from event1.server_packet_count and converted to unsigned integer. |
| event.idm.read_only_udm.network.sent_bytes | event.idm.read_only_udm.network.sent_bytes | Renamed from event1.client_packet_count and converted to unsigned integer. |
| event.idm.read_only_udm.network.session_duration.seconds | event.idm.read_only_udm.network.session_duration.seconds | Renamed from event1.session_size and converted to integer. |
| event.idm.read_only_udm.network.session_id | event.idm.read_only_udm.network.session_id | Directly mapped from event1.rel_sesid or UserSessionID. |
| event.idm.read_only_udm.network.tls.client.certificate.issuer | event.idm.read_only_udm.network.tls.client.certificate.issuer | Directly mapped from event1.certificate_issuer_name. |
| event.idm.read_only_udm.network.tls.client.certificate.not_after | event.idm.read_only_udm.network.tls.client.certificate.not_after | Parsed from event1.certificate_end_date and converted to timestamp. |
| event.idm.read_only_udm.network.tls.client.certificate.not_before | event.idm.read_only_udm.network.tls.client.certificate.not_before | Parsed from event1.certificate_start_date and converted to timestamp. |
| event.idm.read_only_udm.network.tls.client.certificate.subject | event.idm.read_only_udm.network.tls.client.certificate.subject | Directly mapped from event1.certificate_subject_name. |
| event.idm.read_only_udm.network.tls.client.ja3 | event.idm.read_only_udm.network.tls.client.ja3 | Directly mapped from event1.ja3digest and converted to string. |
| event.idm.read_only_udm.network.tls.cipher | event.idm.read_only_udm.network.tls.cipher | Directly mapped from event1.cipher, CipherSuite, cipher, or event1.tls_ciphersuite. |
| event.idm.read_only_udm.network.tls.server.certificate.issuer | event.idm.read_only_udm.network.tls.server.certificate.issuer | Directly mapped from certificate_issuer_name. |
| event.idm.read_only_udm.network.tls.server.certificate.subject | event.idm.read_only_udm.network.tls.server.certificate.subject | Directly mapped from certificate_subject_name. |
| event.idm.read_only_udm.network.tls.server.ja3s | event.idm.read_only_udm.network.tls.server.ja3s | Directly mapped from event1.ja3sdigest and converted to string. |
| event.idm.read_only_udm.network.tls.version | event.idm.read_only_udm.network.tls.version | Directly mapped from event1.version. |
| event.idm.read_only_udm.principal.application | event.idm.read_only_udm.principal.application | Directly mapped from event1.client_asset_name. |
| event.idm.read_only_udm.principal.asset.attribute.roles[].name | event.idm.read_only_udm.principal.asset.attribute.roles[].name | Directly mapped from ClientAssetRole. |
| event.idm.read_only_udm.principal.asset_id | event.idm.read_only_udm.principal.asset_id | Directly mapped from ClientAssetID or ServerAssetID (prefixed with "Asset:"). |
| event.idm.read_only_udm.principal.hostname | event.idm.read_only_udm.principal.hostname | Directly mapped from event1.sld or src_domain. |
| event.idm.read_only_udm.principal.ip | event.idm.read_only_udm.principal.ip | Directly mapped from event1.src_ip6, client_ip, or ClientIP. |
| event.idm.read_only_udm.principal.location.country_or_region | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped from ClientCountry or src_country if not "UNKNOWN" or empty string. |
| event.idm.read_only_udm.principal.port | event.idm.read_only_udm.principal.port | Directly mapped from event1.sport or client_port and converted to integer. |
| event.idm.read_only_udm.principal.resource.attribute.labels | event.idm.read_only_udm.principal.resource.attribute.labels | Contains various labels based on parser logic. |
| event.idm.read_only_udm.principal.user.userid | event.idm.read_only_udm.principal.user.userid | Directly mapped from ftp.user or AppUser. |
| event.idm.read_only_udm.security_result.action | event.idm.read_only_udm.security_result.action | Determined based on severity. Can be ALLOW, BLOCK, or UNKNOWN_ACTION. |
| event.idm.read_only_udm.security_result.action_details | event.idm.read_only_udm.security_result.action_details | Directly mapped from Action if not "none" or empty string. |
| event.idm.read_only_udm.security_result.category | event.idm.read_only_udm.security_result.category | Set to NETWORK_SUSPICIOUS if malware_type is present. |
| event.idm.read_only_udm.security_result.detection_fields | event.idm.read_only_udm.security_result.detection_fields | Contains various detection fields based on parser logic. |
| event.idm.read_only_udm.security_result.rule_name | event.idm.read_only_udm.security_result.rule_name | Directly mapped from rule_name. |
| event.idm.read_only_udm.security_result.severity | event.idm.read_only_udm.security_result.severity | Determined based on severity. Can be INFORMATIONAL, MEDIUM, ERROR, or CRITICAL. |
| event.idm.read_only_udm.security_result.summary | event.idm.read_only_udm.security_result.summary | Directly mapped from label. |
| event.idm.read_only_udm.security_result.threat_name | event.idm.read_only_udm.security_result.threat_name | Directly mapped from malware_type, or parsed from summary if it contains "CVE-". |
| event.idm.read_only_udm.target.administrative_domain | event.idm.read_only_udm.target.administrative_domain | Directly mapped from DomainName. |
| event.idm.read_only_udm.target.asset.attribute.roles[].name | event.idm.read_only_udm.target.asset.attribute.roles[].name | Directly mapped from ServerAssetRole. |
| event.idm.read_only_udm.target.file.full_path | event.idm.read_only_udm.target.file.full_path | Directly mapped from ftp.filename or Filename. |
| event.idm.read_only_udm.target.file.md5 | event.idm.read_only_udm.target.file.md5 | Directly mapped from event1.md5 or md5. |
| event.idm.read_only_udm.target.file.mime_type | event.idm.read_only_udm.target.file.mime_type | Directly mapped from event1.filetype. |
| event.idm.read_only_udm.target.file.sha1 | event.idm.read_only_udm.target.file.sha1 | Directly mapped from event1.srvcerthash. |
| event.idm.read_only_udm.target.file.sha256 | event.idm.read_only_udm.target.file.sha256 | Directly mapped from event1.sha256 or sha256. |
| event.idm.read_only_udm.target.file.size | event.idm.read_only_udm.target.file.size | Renamed from event1.filesize and converted to unsigned integer if not 0. |
| event.idm.read_only_udm.target.hostname | event.idm.read_only_udm.target.hostname | Directly mapped from event1.sni, dest_domain, or Host. |
| event.idm.read_only_udm.target.ip | event.idm.read_only_udm.target.ip | Directly mapped from event1.dst_ip6, server_ip, or ServerIP. |
| event.idm.read_only_udm.target.location.country_or_region | event.idm.read_only_udm.target.location.country_or_region | Directly mapped from dest_country or ServerCountry. |
| event.idm.read_only_udm.target.platform | event.idm.read_only_udm.target.platform | Mapped from asset_os after normalization. |
| event.idm.read_only_udm.target.platform_version | event.idm.read_only_udm.target.platform_version | Directly mapped from os_version. |
| event.idm.read_only_udm.target.port | event.idm.read_only_udm.target.port | Directly mapped from event1.dport or server_port and converted to integer. |
| event.idm.read_only_udm.target.resource.attribute.labels | event.idm.read_only_udm.target.resource.attribute.labels | Contains various labels based on parser logic. |
| event.idm.read_only_udm.target.url | event.idm.read_only_udm.target.url | Directly mapped from url or URL. |
| event.idm.read_only_udm.target.user.product_object_id | event.idm.read_only_udm.target.user.product_object_id | Directly mapped from uuid. |
| event1.certificate_end_date | event.idm.read_only_udm.network.tls.client.certificate.not_after | Parsed and converted to timestamp. |
| event1.certificate_extended_key_usage | event.idm.read_only_udm.additional.fields[].key: "Extended Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.certificate_extended_key_usage | Mapped as an additional field. |
| event1.certificate_issuer_name | event.idm.read_only_udm.network.tls.client.certificate.issuer | Directly mapped. |
| event1.certificate_key_length | event.idm.read_only_udm.additional.fields[].key: "Key Length", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.certificate_key_length | Mapped as an additional field. |
| event1.certificate_key_usage | event.idm.read_only_udm.additional.fields[].key: "Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.certificate_key_usage | Mapped as an additional field. |
| event1.certificate_start_date | event.idm.read_only_udm.network.tls.client.certificate.not_before | Parsed and converted to timestamp. |
| event1.certificate_subject_altname | event.idm.read_only_udm.additional.fields[].key: "Certificate Alternate Name", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.certificate_subject_altname | Mapped as an additional field. |
| event1.certificate_subject_name | event.idm.read_only_udm.network.tls.client.certificate.subject | Directly mapped. |
| event1.client_asset_name | event.idm.read_only_udm.principal.application | Directly mapped. |
| event1.client_asset_subnet | event.idm.read_only_udm.additional.fields[].key: "client_asset_subnet", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.client_asset_subnet | Mapped as an additional field. |
| event1.client_packet_count | event.idm.read_only_udm.network.sent_bytes | Converted to unsigned integer and renamed. |
| event1.cipher | event.idm.read_only_udm.network.tls.cipher | Directly mapped. |
| event1.direction | event.idm.read_only_udm.network.direction | Mapped to INBOUND if "s2c" or OUTBOUND if "c2s". |
`event1.d
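The following Python is an added example, not the Google Security Operations parser itself. It applies a subset of the rules in the mapping table to two constructed key-value records so that you can see what to expect in UDM before writing detections: the is_alert / is_significant flag with the "Threat Hunt" exemption, the "Asset:" prefix on ClientAssetID, the "UNKNOWN" country and "none" action filters, port integer conversion, the s2c / c2s direction mapping, the TCP/UDP-only ip_protocol rule, and CVE extraction from the summary. The key-value syntax, the substring heuristic for platform normalization and the two sample lines are assumptions; the real parser covers many more fields and formats.

```python
"""Apply a subset of the FIDELIS_NETWORK mapping rules to constructed
key-value records. Added example; not the production parser."""
import re

# Constructed sample records; they imitate the key names in the mapping table.
LOG_LINES = [
    'severity=Critical Action=none ClientIP=10.1.2.3 client_port=51234 '
    'ClientAssetID=42 ClientCountry=UNKNOWN asset_os="Windows 10" '
    'summary="Exploit attempt CVE-2021-44228 against host" '
    'event1.direction=c2s tproto=TCP',
    'severity=Low Action=alert ClientIP=10.9.9.9 client_port=abc '
    'ClientAssetID=0 ClientCountry=US asset_os=Ubuntu malware_type=Trojan.Generic '
    'label="Threat Hunt" event1.direction=s2c tproto=ICMP',
]

_KV = re.compile(r'([\w.]+)=(?:"([^"]*)"|(\S*))')
_CVE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_kv(line: str) -> dict:
    """Split a key=value record; values may be double-quoted."""
    out = {}
    for m in _KV.finditer(line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def normalize_platform(asset_os: str) -> str:
    """Substring heuristic (assumption) for the WINDOWS/LINUX/MAC normalization."""
    lo = (asset_os or "").lower()
    for needle, platform in (("windows", "WINDOWS"), ("linux", "LINUX"),
                             ("ubuntu", "LINUX"), ("mac", "MAC"), ("darwin", "MAC")):
        if needle in lo:
            return platform
    return "UNKNOWN_PLATFORM"


def to_int(value):
    """Integer conversion that drops non-numeric ports instead of failing."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def to_udm(rec: dict) -> dict:
    """Build a UDM-shaped dict from one parsed record."""
    severity = rec.get("severity", "")
    malware_type = rec.get("malware_type", "")
    summary = rec.get("summary", "")
    # is_alert / is_significant: Critical or malware_type, unless Threat Hunt.
    flagged = ((severity.lower() == "critical" or bool(malware_type))
               and rec.get("label") != "Threat Hunt")
    udm = {
        "metadata": {"log_type": "FIDELIS_NETWORK", "vendor_name": "FIDELIS_NETWORK",
                     "product_name": "FIDELIS_NETWORK", "description": summary},
        "is_alert": flagged, "is_significant": flagged,
        "principal": {}, "target": {}, "network": {}, "security_result": {},
    }
    p, t, n, sr = udm["principal"], udm["target"], udm["network"], udm["security_result"]
    if rec.get("ClientIP"):
        p["ip"] = rec["ClientIP"]
    port = to_int(rec.get("client_port"))
    if port is not None:
        p["port"] = port
    if rec.get("ClientAssetID") not in (None, "", "0"):
        p["asset_id"] = "Asset:" + rec["ClientAssetID"]
    if rec.get("ClientCountry") not in (None, "", "UNKNOWN"):
        p["location"] = {"country_or_region": rec["ClientCountry"]}
    if rec.get("asset_os"):
        t["platform"] = normalize_platform(rec["asset_os"])
    direction = {"s2c": "INBOUND", "c2s": "OUTBOUND"}.get(rec.get("event1.direction"))
    if direction:
        n["direction"] = direction
    if rec.get("tproto") in ("TCP", "UDP"):
        n["ip_protocol"] = rec["tproto"]
    if rec.get("Action") not in (None, "", "none"):
        sr["action_details"] = rec["Action"]
    if malware_type:
        sr["category"] = "NETWORK_SUSPICIOUS"
        sr["threat_name"] = malware_type
    else:
        cve = _CVE.search(summary)
        if cve:
            sr["threat_name"] = cve.group(0)
    return udm


def process(lines) -> list:
    """Parse and normalize every record."""
    return [to_udm(parse_kv(line)) for line in lines]


if __name__ == "__main__":
    for event in process(LOG_LINES):
        print(event)
```

The second record shows the exemption that is easy to miss when tuning rules: a malware_type is present, but the "Threat Hunt" label suppresses is_alert, so a detection keyed only on security_result.category would still fire while the event is not flagged as an alert.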

Changes

2024-06-04

  • Added support for a new pattern of JSON logs.
  • Mapped "protocol" to "network.application_protocol".
  • Mapped "alert_type" to "security_result.detection_fields".

2023-09-04

  • Enhancement -
  • Mapped "event1.sld" to "principal.hostname".
  • Mapped "event1.sni" to "target.hostname".
  • Mapped "event1.src_ip6" to "principal.ip".
  • Mapped "event1.dst_ip6" to "target.ip".
  • Mapped "event1.sport" to "principal.port".
  • Mapped "event1.dport" to "target.port".
  • Mapped "event1.cipher" to "network.tls.cipher".
  • Mapped "event1.tproto" to "network.ip_protocol".
  • Mapped "event1.client_asset_name" to "principal.application".
  • Mapped "event1.direction" to "network.direction".
  • Mapped "event1.rel_sesid" to "network.session_id".
  • Mapped "event1.tls_ciphersuite" to "network.tls.cipher".
  • Mapped "event1.ja3sdigest" to "network.tls.server.ja3s".
  • Mapped "event1.ja3digest" to "network.tls.client.ja3".
  • Mapped "event1.srvcerthash" to "target.file.sha1".
  • Mapped "event1.sha256" to "target.file.sha256".
  • Mapped "event1.md5" to "target.file.md5".
  • Mapped "event1.filetype" to "target.file.mime_type".
  • Mapped "event1.filesize" to "target.file.size".
  • Mapped "event1.certificate_issuer_name" to "network.tls.client.certificate.issuer".
  • Mapped "event1.certificate_subject_name" to "network.tls.client.certificate.subject".
  • Mapped "event1.certificate_start_date" to "network.tls.client.certificate.not_before".
  • Mapped "event1.certificate_end_date" to "network.tls.client.certificate.not_after".
  • Mapped "event1.client_packet_count" to "network.sent_bytes".
  • Mapped "event1.server_packet_count" to "network.received_bytes".
  • Mapped "event1.session_size" to "network.session_duration.seconds".
  • Mapped "event1.server_asset_subnet" to "read_only_udm.additional.fields".
  • Mapped "event1.client_asset_subnet" to "read_only_udm.additional.fields".
  • Mapped "event1.sha1hash" to "read_only_udm.additional.fields".
  • Mapped "event1.type" to "read_only_udm.additional.fields".
  • Mapped "event1.histbuf" to "read_only_udm.additional.fields".
  • Mapped "event1.sen_name" to "read_only_udm.additional.fields".
  • Mapped "event1.certificate_subject_altname" to "read_only_udm.additional.fields".
  • Mapped "event1.certificate_key_usage" to "read_only_udm.additional.fields".
  • Mapped "event1.certificate_key_length" to "read_only_udm.additional.fields".
  • Mapped "event1.certificate_extended_key_usage" to "read_only_udm.additional.fields".
  • Mapped "event1.version" to "network.tls.version".

2023-05-19

  • Enhancement -
  • Mapped "exe_richsignaturehash", "exe_richsignaturepvhash", "alert_threat_score" to "security_result.detection_fields".