Collect the General Dynamics Fidelis XPS logs
This document describes how you can collect the General Dynamics Fidelis XPS logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations overview.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the FIDELIS_NETWORK ingestion label.
Configure General Dynamics Fidelis XPS
- Sign in to CommandPost to manage your Fidelis XPS appliance.
- Select System > Export.
- Click the New tab.
- In the Export method list, select ArcSight.
- In the Destination field, enter the Google Security Operations forwarder server IP address and port number, such as 514.
- In the Export alerts section, select the All checkbox.
- In the Export frequency section, select the Every alert checkbox.
- In the Transport section, select the UDP or TCP checkbox.
- In the Save as field, enter a name for the export configuration.
- In the Column list box, move entries in the Column list so that they appear in the following order:
  - TIME
  - ACTION
  - ALERTUUID
  - APPLICATION_USER
  - COMPONENT
  - COMPR
  - DSTADDR
  - DSTPORT
  - FILENAME
  - FROM
  - GROUP
  - MALWARE NAME
  - MALWARE TYPE
  - MD5
  - POLICY
  - PROTO
  - REQUEST_METHOD
  - REQUEST_AGENT
  - REQUEST_URL
  - RULE
  - SENIP
  - SEVERITY
  - SRCADDR
  - SRCPORT
  - SUMMARY
  - TARGET
  - TO
  - VIOLATION_INFO
  - VLAN_ID
Fidelis XPS version 8.1 introduces additional fields that you can configure for export: REQUEST_METHOD, REQUEST_AGENT, REQUEST_URL, VIOLATION_INFO, and VLAN_ID.
VIOLATION_INFO includes all the data from the Violation information section of the Alert detail page: the matching data that generated the alert, plus any additional information carried in feed data when that data matches. VIOLATION_INFO can be large, so you must select TCP as the transport when you include it in syslog exports.
- Select System > Malware > Malware detection.
- Select the Malware detection engine and Automatic malware policy checkboxes.
- Click Save.
Configure the Google Security Operations forwarder to ingest Fidelis Network logs
- Select SIEM Settings > Forwarders.
- Click Add new forwarder.
- Enter a unique name in the Forwarder name field.
- Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, enter a unique name for the collector.
- Select Fidelis Network as the Log type.
- Select Syslog as the Collector type.
- Configure the following input parameters:
- Protocol: specify the connection protocol that the collector uses to listen to syslog data.
- Address: specify the target IP address or hostname where the collector resides and listens to syslog data.
- Port: specify the target port where the collector resides and listens to syslog data.
- Click Submit.
For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.
If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser processes Fidelis Network logs in SYSLOG, key-value pair, and JSON formats, transforming them into UDM. It extracts fields, handles various log structures, maps to UDM fields, and enriches events with labels like is_alert and is_significant based on severity and threat indicators.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| aaction | event.idm.read_only_udm.security_result.action_details | Directly mapped if not "none" or empty string. |
| alert_threat_score | event.idm.read_only_udm.security_result.detection_fields[].key : "alert_threat_score", event.idm.read_only_udm.security_result.detection_fields[].value : value of alert_threat_score | Directly mapped as a detection field. |
| alert_type | event.idm.read_only_udm.security_result.detection_fields[].key : "alert_type", event.idm.read_only_udm.security_result.detection_fields[].value : value of alert_type | Directly mapped as a detection field. |
| answers | event.idm.read_only_udm.network.dns.answers[].data | Directly mapped for DNS events. |
| application_user | event.idm.read_only_udm.principal.user.userid | Directly mapped. |
| asset_os | event.idm.read_only_udm.target.platform | Normalized to WINDOWS, LINUX, MAC, or UNKNOWN_PLATFORM. |
| certificate.end_date | event.idm.read_only_udm.network.tls.client.certificate.not_after | Parsed and converted to timestamp. |
| certificate.extended_key_usage | event.idm.read_only_udm.additional.fields[].key : "Extended Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value : value of certificate.extended_key_usage | Mapped as an additional field. |
| certificate.issuer_name | event.idm.read_only_udm.network.tls.server.certificate.issuer | Directly mapped. |
| certificate.key_length | event.idm.read_only_udm.additional.fields[].key : "Key Length", event.idm.read_only_udm.additional.fields[].value.string_value : value of certificate.key_length | Mapped as an additional field. |
| certificate.key_usage | event.idm.read_only_udm.additional.fields[].key : "Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value : value of certificate.key_usage | Mapped as an additional field. |
| certificate.start_date | event.idm.read_only_udm.network.tls.client.certificate.not_before | Parsed and converted to timestamp. |
| certificate.subject_altname | event.idm.read_only_udm.additional.fields[].key : "Certificate Alternate Name", event.idm.read_only_udm.additional.fields[].value.string_value : value of certificate.subject_altname | Mapped as an additional field. |
| certificate.subject_name | event.idm.read_only_udm.network.tls.server.certificate.subject | Directly mapped. |
| certificate.type | event.idm.read_only_udm.additional.fields[].key : "Certificate_Type", event.idm.read_only_udm.additional.fields[].value.string_value : value of certificate.type | Mapped as an additional field. |
| cipher | event.idm.read_only_udm.network.tls.cipher | Directly mapped. |
| client_asset_name | event.idm.read_only_udm.principal.application | Directly mapped. |
| client_asset_subnet | event.idm.read_only_udm.additional.fields[].key : "client_asset_subnet", event.idm.read_only_udm.additional.fields[].value.string_value : value of client_asset_subnet | Mapped as an additional field. |
| client_ip | event.idm.read_only_udm.principal.ip | Directly mapped. |
| client_port | event.idm.read_only_udm.principal.port | Directly mapped and converted to integer. |
| ClientIP | event.idm.read_only_udm.principal.ip | Directly mapped. |
| ClientPort | event.idm.read_only_udm.principal.port | Directly mapped and converted to integer. |
| ClientCountry | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped if not "UNKNOWN" or empty string. |
| ClientAssetID | event.idm.read_only_udm.principal.asset_id | Prefixed with "Asset:" if not "0" or empty string. |
| ClientAssetName | event.idm.read_only_udm.principal.resource.attribute.labels[].key : "ClientAssetName", event.idm.read_only_udm.principal.resource.attribute.labels[].value : value of ClientAssetName | Mapped as a principal resource label. |
| ClientAssetRole | event.idm.read_only_udm.principal.asset.attribute.roles[].name | Directly mapped. |
| ClientAssetServices | event.idm.read_only_udm.principal.resource.attribute.labels[].key : "ClientAssetServices", event.idm.read_only_udm.principal.resource.attribute.labels[].value : value of ClientAssetServices | Mapped as a principal resource label. |
| Client | event.idm.read_only_udm.principal.resource.attribute.labels[].key : "Client", event.idm.read_only_udm.principal.resource.attribute.labels[].value : value of Client | Mapped as a principal resource label. |
| Collector | event.idm.read_only_udm.security_result.detection_fields[].key : "Collector", event.idm.read_only_udm.security_result.detection_fields[].value : value of Collector | Mapped as a detection field. |
| command | event.idm.read_only_udm.network.http.method | Directly mapped for HTTP events. |
| Command | event.idm.read_only_udm.security_result.detection_fields[].key : "Command", event.idm.read_only_udm.security_result.detection_fields[].value : value of Command | Mapped as a detection field. |
| Connection | event.idm.read_only_udm.security_result.detection_fields[].key : "Connection", event.idm.read_only_udm.security_result.detection_fields[].value : value of Connection | Mapped as a detection field. |
| DecodingPath | event.idm.read_only_udm.security_result.detection_fields[].key : "DecodingPath", event.idm.read_only_udm.security_result.detection_fields[].value : value of DecodingPath | Mapped as a detection field. |
| dest_country | event.idm.read_only_udm.target.location.country_or_region | Directly mapped. |
| dest_domain | event.idm.read_only_udm.target.hostname | Directly mapped. |
| dest_ip | event.idm.read_only_udm.target.ip | Directly mapped. |
| dest_port | event.idm.read_only_udm.target.port | Directly mapped and converted to integer. |
| Direction | event.idm.read_only_udm.security_result.detection_fields[].key : "Direction", event.idm.read_only_udm.security_result.detection_fields[].value : value of Direction | Mapped as a detection field. |
| dns.host | event.idm.read_only_udm.network.dns.questions[].name | Directly mapped for DNS events. |
| DomainName | event.idm.read_only_udm.target.administrative_domain | Directly mapped. |
| DomainAlexaRank | event.idm.read_only_udm.security_result.detection_fields[].key : "DomainAlexaRank", event.idm.read_only_udm.security_result.detection_fields[].value : value of DomainAlexaRank | Mapped as a detection field. |
| dport | event.idm.read_only_udm.target.port | Directly mapped and converted to integer. |
| dnsresolution.server_fqdn | event.idm.read_only_udm.target.hostname | Directly mapped. |
| Duration | event.idm.read_only_udm.security_result.detection_fields[].key : "Duration", event.idm.read_only_udm.security_result.detection_fields[].value : value of Duration | Mapped as a detection field. |
| Encrypted | event.idm.read_only_udm.security_result.detection_fields[].key : "Encrypted", event.idm.read_only_udm.security_result.detection_fields[].value : value of Encrypted | Mapped as a detection field. |
| Entropy | event.idm.read_only_udm.security_result.detection_fields[].key : "Entropy", event.idm.read_only_udm.security_result.detection_fields[].value : value of Entropy | Mapped as a detection field. |
| event.idm.is_alert | event.idm.is_alert | Set to true if severity is Critical or malware_type is present (except for "Threat Hunt" label). |
| event.idm.is_significant | event.idm.is_significant | Set to true if severity is Critical or malware_type is present (except for "Threat Hunt" label). |
| event.idm.read_only_udm.additional.fields | event.idm.read_only_udm.additional.fields | Contains various additional fields based on parser logic. |
| event.idm.read_only_udm.metadata.description | event.idm.read_only_udm.metadata.description | Directly mapped from summary field. |
| event.idm.read_only_udm.metadata.event_type | event.idm.read_only_udm.metadata.event_type | Determined based on various log fields and parser logic. Can be GENERIC_EVENT, NETWORK_CONNECTION, NETWORK_HTTP, NETWORK_SMTP, NETWORK_DNS, STATUS_UPDATE, NETWORK_FLOW. |
| event.idm.read_only_udm.metadata.log_type | event.idm.read_only_udm.metadata.log_type | Set to "FIDELIS_NETWORK". |
| event.idm.read_only_udm.metadata.product_name | event.idm.read_only_udm.metadata.product_name | Set to "FIDELIS_NETWORK". |
| event.idm.read_only_udm.metadata.vendor_name | event.idm.read_only_udm.metadata.vendor_name | Set to "FIDELIS_NETWORK". |
| event.idm.read_only_udm.network.application_protocol | event.idm.read_only_udm.network.application_protocol | Determined based on server_port or protocol field. Can be HTTP, HTTPS, SMTP, SSH, RPC, DNS, NFS, AOLMAIL. |
| event.idm.read_only_udm.network.direction | event.idm.read_only_udm.network.direction | Determined based on direction field or keywords in summary. Can be INBOUND or OUTBOUND. |
| event.idm.read_only_udm.network.dns.answers | event.idm.read_only_udm.network.dns.answers | Populated for DNS events. |
| event.idm.read_only_udm.network.dns.id | event.idm.read_only_udm.network.dns.id | Mapped from number field for DNS events. |
| event.idm.read_only_udm.network.dns.questions | event.idm.read_only_udm.network.dns.questions | Populated for DNS events. |
| event.idm.read_only_udm.network.email.from | event.idm.read_only_udm.network.email.from | Directly mapped from From if it's a valid email address. |
| event.idm.read_only_udm.network.email.subject | event.idm.read_only_udm.network.email.subject | Directly mapped from Subject. |
| event.idm.read_only_udm.network.email.to | event.idm.read_only_udm.network.email.to | Directly mapped from To. |
| event.idm.read_only_udm.network.ftp.command | event.idm.read_only_udm.network.ftp.command | Directly mapped from ftp.command. |
| event.idm.read_only_udm.network.http.method | event.idm.read_only_udm.network.http.method | Directly mapped from http.command or Command. |
| event.idm.read_only_udm.network.http.referral_url | event.idm.read_only_udm.network.http.referral_url | Directly mapped from Referer. |
| event.idm.read_only_udm.network.http.response_code | event.idm.read_only_udm.network.http.response_code | Directly mapped from http.status_code or StatusCode and converted to integer. |
| event.idm.read_only_udm.network.http.user_agent | event.idm.read_only_udm.network.http.user_agent | Directly mapped from http.useragent or UserAgent. |
| event.idm.read_only_udm.network.ip_protocol | event.idm.read_only_udm.network.ip_protocol | Directly mapped from tproto if it's TCP or UDP. |
| event.idm.read_only_udm.network.received_bytes | event.idm.read_only_udm.network.received_bytes | Renamed from event1.server_packet_count and converted to unsigned integer. |
| event.idm.read_only_udm.network.sent_bytes | event.idm.read_only_udm.network.sent_bytes | Renamed from event1.client_packet_count and converted to unsigned integer. |
| event.idm.read_only_udm.network.session_duration.seconds | event.idm.read_only_udm.network.session_duration.seconds | Renamed from event1.session_size and converted to integer. |
| event.idm.read_only_udm.network.session_id | event.idm.read_only_udm.network.session_id | Directly mapped from event1.rel_sesid or UserSessionID. |
| event.idm.read_only_udm.network.tls.client.certificate.issuer | event.idm.read_only_udm.network.tls.client.certificate.issuer | Directly mapped from event1.certificate_issuer_name. |
| event.idm.read_only_udm.network.tls.client.certificate.not_after | event.idm.read_only_udm.network.tls.client.certificate.not_after | Parsed from event1.certificate_end_date and converted to timestamp. |
| event.idm.read_only_udm.network.tls.client.certificate.not_before | event.idm.read_only_udm.network.tls.client.certificate.not_before | Parsed from event1.certificate_start_date and converted to timestamp. |
| event.idm.read_only_udm.network.tls.client.certificate.subject | event.idm.read_only_udm.network.tls.client.certificate.subject | Directly mapped from event1.certificate_subject_name. |
| event.idm.read_only_udm.network.tls.client.ja3 | event.idm.read_only_udm.network.tls.client.ja3 | Directly mapped from event1.ja3digest and converted to string. |
| event.idm.read_only_udm.network.tls.cipher | event.idm.read_only_udm.network.tls.cipher | Directly mapped from event1.cipher, CipherSuite, cipher, or event1.tls_ciphersuite. |
| event.idm.read_only_udm.network.tls.server.certificate.issuer | event.idm.read_only_udm.network.tls.server.certificate.issuer | Directly mapped from certificate_issuer_name. |
| event.idm.read_only_udm.network.tls.server.certificate.subject | event.idm.read_only_udm.network.tls.server.certificate.subject | Directly mapped from certificate_subject_name. |
| event.idm.read_only_udm.network.tls.server.ja3s | event.idm.read_only_udm.network.tls.server.ja3s | Directly mapped from event1.ja3sdigest and converted to string. |
| event.idm.read_only_udm.network.tls.version | event.idm.read_only_udm.network.tls.version | Directly mapped from event1.version. |
| event.idm.read_only_udm.principal.application | event.idm.read_only_udm.principal.application | Directly mapped from event1.client_asset_name. |
| event.idm.read_only_udm.principal.asset.attribute.roles[].name | event.idm.read_only_udm.principal.asset.attribute.roles[].name | Directly mapped from ClientAssetRole. |
| event.idm.read_only_udm.principal.asset_id | event.idm.read_only_udm.principal.asset_id | Directly mapped from ClientAssetID or ServerAssetID (prefixed with "Asset:"). |
| event.idm.read_only_udm.principal.hostname | event.idm.read_only_udm.principal.hostname | Directly mapped from event1.sld or src_domain. |
| event.idm.read_only_udm.principal.ip | event.idm.read_only_udm.principal.ip | Directly mapped from event1.src_ip6, client_ip, or ClientIP. |
| event.idm.read_only_udm.principal.location.country_or_region | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped from ClientCountry or src_country if not "UNKNOWN" or empty string. |
| event.idm.read_only_udm.principal.port | event.idm.read_only_udm.principal.port | Directly mapped from event1.sport or client_port and converted to integer. |
| event.idm.read_only_udm.principal.resource.attribute.labels | event.idm.read_only_udm.principal.resource.attribute.labels | Contains various labels based on parser logic. |
| event.idm.read_only_udm.principal.user.userid | event.idm.read_only_udm.principal.user.userid | Directly mapped from ftp.user or AppUser. |
| event.idm.read_only_udm.security_result.action | event.idm.read_only_udm.security_result.action | Determined based on severity. Can be ALLOW, BLOCK, or UNKNOWN_ACTION. |
| event.idm.read_only_udm.security_result.action_details | event.idm.read_only_udm.security_result.action_details | Directly mapped from Action if not "none" or empty string. |
| event.idm.read_only_udm.security_result.category | event.idm.read_only_udm.security_result.category | Set to NETWORK_SUSPICIOUS if malware_type is present. |
| event.idm.read_only_udm.security_result.detection_fields | event.idm.read_only_udm.security_result.detection_fields | Contains various detection fields based on parser logic. |
| event.idm.read_only_udm.security_result.rule_name | event.idm.read_only_udm.security_result.rule_name | Directly mapped from rule_name. |
| event.idm.read_only_udm.security_result.severity | event.idm.read_only_udm.security_result.severity | Determined based on severity. Can be INFORMATIONAL, MEDIUM, ERROR, or CRITICAL. |
| event.idm.read_only_udm.security_result.summary | event.idm.read_only_udm.security_result.summary | Directly mapped from label. |
| event.idm.read_only_udm.security_result.threat_name | event.idm.read_only_udm.security_result.threat_name | Directly mapped from malware_type or parsed from summary if it contains "CVE-". |
| event.idm.read_only_udm.target.administrative_domain | event.idm.read_only_udm.target.administrative_domain | Directly mapped from DomainName. |
| event.idm.read_only_udm.target.asset.attribute.roles[].name | event.idm.read_only_udm.target.asset.attribute.roles[].name | Directly mapped from ServerAssetRole. |
| event.idm.read_only_udm.target.file.full_path | event.idm.read_only_udm.target.file.full_path | Directly mapped from ftp.filename or Filename. |
| event.idm.read_only_udm.target.file.md5 | event.idm.read_only_udm.target.file.md5 | Directly mapped from event1.md5 or md5. |
| event.idm.read_only_udm.target.file.mime_type | event.idm.read_only_udm.target.file.mime_type | Directly mapped from event1.filetype. |
| event.idm.read_only_udm.target.file.sha1 | event.idm.read_only_udm.target.file.sha1 | Directly mapped from event1.srvcerthash. |
| event.idm.read_only_udm.target.file.sha256 | event.idm.read_only_udm.target.file.sha256 | Directly mapped from event1.sha256 or sha256. |
| event.idm.read_only_udm.target.file.size | event.idm.read_only_udm.target.file.size | Renamed from event1.filesize and converted to unsigned integer if not 0. |
| event.idm.read_only_udm.target.hostname | event.idm.read_only_udm.target.hostname | Directly mapped from event1.sni, dest_domain, or Host. |
| event.idm.read_only_udm.target.ip | event.idm.read_only_udm.target.ip | Directly mapped from event1.dst_ip6 or server_ip or ServerIP. |
| event.idm.read_only_udm.target.location.country_or_region | event.idm.read_only_udm.target.location.country_or_region | Directly mapped from dest_country or ServerCountry. |
| event.idm.read_only_udm.target.platform | event.idm.read_only_udm.target.platform | Mapped from asset_os after normalization. |
| event.idm.read_only_udm.target.platform_version | event.idm.read_only_udm.target.platform_version | Directly mapped from os_version. |
| event.idm.read_only_udm.target.port | event.idm.read_only_udm.target.port | Directly mapped from event1.dport or server_port and converted to integer. |
| event.idm.read_only_udm.target.resource.attribute.labels | event.idm.read_only_udm.target.resource.attribute.labels | Contains various labels based on parser logic. |
| event.idm.read_only_udm.target.url | event.idm.read_only_udm.target.url | Directly mapped from url or URL. |
| event.idm.read_only_udm.target.user.product_object_id | event.idm.read_only_udm.target.user.product_object_id | Directly mapped from uuid. |
| event1.certificate_end_date | event.idm.read_only_udm.network.tls.client.certificate.not_after | Parsed and converted to timestamp. |
| event1.certificate_extended_key_usage | event.idm.read_only_udm.additional.fields[].key : "Extended Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value : value of event1.certificate_extended_key_usage | Mapped as an additional field. |
| event1.certificate_issuer_name | event.idm.read_only_udm.network.tls.client.certificate.issuer | Directly mapped. |
| event1.certificate_key_length | event.idm.read_only_udm.additional.fields[].key : "Key Length", event.idm.read_only_udm.additional.fields[].value.string_value : value of event1.certificate_key_length | Mapped as an additional field. |
| event1.certificate_key_usage | event.idm.read_only_udm.additional.fields[].key : "Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value : value of event1.certificate_key_usage | Mapped as an additional field. |
| event1.certificate_start_date | event.idm.read_only_udm.network.tls.client.certificate.not_before | Parsed and converted to timestamp. |
| event1.certificate_subject_altname | event.idm.read_only_udm.additional.fields[].key : "Certificate Alternate Name", event.idm.read_only_udm.additional.fields[].value.string_value : value of event1.certificate_subject_altname | Mapped as an additional field. |
| event1.certificate_subject_name | event.idm.read_only_udm.network.tls.client.certificate.subject | Directly mapped. |
| event1.client_asset_name | event.idm.read_only_udm.principal.application | Directly mapped. |
| event1.client_asset_subnet | event.idm.read_only_udm.additional.fields[].key : "client_asset_subnet", event.idm.read_only_udm.additional.fields[].value.string_value : value of event1.client_asset_subnet | Mapped as an additional field. |
| event1.client_packet_count | event.idm.read_only_udm.network.sent_bytes | Converted to unsigned integer and renamed. |
| event1.cipher | event.idm.read_only_udm.network.tls.cipher | Directly mapped. |
| event1.direction | event.idm.read_only_udm.network.direction | Mapped to INBOUND if "s2c" or OUTBOUND if "c2s". |
`event1.d |
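The conditional rules in the mapping table above (the "none" filter on aaction, asset_os normalization, the "Asset:" prefix on ClientAssetID, the is_alert/is_significant decision with its "Threat Hunt" exception, category and threat_name from malware_type or a "CVE-" match in summary, tproto and event1.direction) are easier to check against real data when written out. The block below is an added Python example, not the Google SecOps parser and not Fidelis code. The key=value line layout, the sample lines, the OS keyword lists in normalize_platform and the SEVERITY_MAP (the page lists only the output values, not which input strings produce them) are all assumptions made for illustration.

```python
import re

# Constructed sample lines (not captured from an appliance). The key=value
# layout is assumed for illustration; it is not Fidelis's exact export format.
# "CVE-0000-0000" in the second line is a placeholder, not a real CVE id.
SAMPLE_LINES = [
    'severity=Critical malware_type=Trojan.Generic label=Malware aaction=none '
    'client_ip=10.0.0.5 client_port=51000 dest_ip=203.0.113.7 dest_port=443 '
    'tproto=TCP asset_os="Windows 10" ClientAssetID=42 '
    'summary="Outbound connection to a flagged host"',
    'severity=Critical label="Threat Hunt" aaction=alert client_ip=10.0.0.9 '
    'client_port=40000 dest_ip=198.51.100.2 dest_port=80 tproto=TCP '
    'asset_os=Ubuntu ClientAssetID=0 summary="Request matching CVE-0000-0000"',
    'severity=Low aaction= event1.direction=s2c asset_os=Other ClientAssetID= '
    'tproto=ICMP summary="Server-initiated transfer"',
]

# key=value pairs; values may be double-quoted so they can contain spaces.
KV_RE = re.compile(r'(\S+?)=(?:"([^"]*)"|(\S*))')
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")

# Assumed correspondence between Fidelis severity strings and the UDM
# severities the table lists; anything unrecognised falls back to INFORMATIONAL.
SEVERITY_MAP = {"critical": "CRITICAL", "error": "ERROR", "medium": "MEDIUM"}


def parse_kv(line):
    """Split a key=value line into a dict, honouring double-quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def normalize_platform(asset_os):
    """asset_os -> target.platform; the keyword lists are assumptions."""
    text = (asset_os or "").lower()
    if "windows" in text:
        return "WINDOWS"
    if any(k in text for k in ("linux", "ubuntu", "debian", "centos", "red hat")):
        return "LINUX"
    if "mac" in text or "darwin" in text:
        return "MAC"
    return "UNKNOWN_PLATFORM"


def normalize(line):
    """Apply a subset of the documented mapping rules to one raw line."""
    kv = parse_kv(line)
    severity = kv.get("severity", "")
    malware_type = kv.get("malware_type", "")
    label = kv.get("label", "")
    summary = kv.get("summary", "")

    sec = {"severity": SEVERITY_MAP.get(severity.lower(), "INFORMATIONAL")}
    if kv.get("aaction") not in (None, "", "none"):  # aaction -> action_details
        sec["action_details"] = kv["aaction"]
    if label:                                         # label -> security_result.summary
        sec["summary"] = label
    if malware_type:                                  # malware_type -> category + threat_name
        sec["category"] = "NETWORK_SUSPICIOUS"
        sec["threat_name"] = malware_type
    else:                                             # otherwise a CVE id found in summary
        match = CVE_RE.search(summary)
        if match:
            sec["threat_name"] = match.group(0)

    # is_alert / is_significant: Critical severity or malware present,
    # unless the event carries the "Threat Hunt" label.
    flagged = (severity.lower() == "critical" or bool(malware_type)) \
        and label != "Threat Hunt"

    principal = {}
    if kv.get("client_ip"):
        principal["ip"] = kv["client_ip"]
    if kv.get("client_port"):
        principal["port"] = int(kv["client_port"])
    if kv.get("ClientAssetID") not in (None, "", "0"):  # prefixed with "Asset:"
        principal["asset_id"] = "Asset:" + kv["ClientAssetID"]

    target = {"platform": normalize_platform(kv.get("asset_os"))}
    if kv.get("dest_ip"):
        target["ip"] = kv["dest_ip"]
    if kv.get("dest_port"):
        target["port"] = int(kv["dest_port"])

    network = {}
    if kv.get("tproto") in ("TCP", "UDP"):            # tproto -> ip_protocol
        network["ip_protocol"] = kv["tproto"]
    direction = {"s2c": "INBOUND", "c2s": "OUTBOUND"}.get(kv.get("event1.direction"))
    if direction:
        network["direction"] = direction

    return {
        "is_alert": flagged,
        "is_significant": flagged,
        "metadata": {"log_type": "FIDELIS_NETWORK", "product_name": "FIDELIS_NETWORK",
                     "vendor_name": "FIDELIS_NETWORK", "description": summary},
        "principal": principal,
        "target": target,
        "network": network,
        "security_result": sec,
    }


def normalize_all(lines=SAMPLE_LINES):
    """Normalize every line; used by the stand-alone run below."""
    return [normalize(raw) for raw in lines]


if __name__ == "__main__":
    for event in normalize_all():
        print(event)
```

Running the block prints one normalized event per sample line; the second sample shows the "Threat Hunt" exception keeping is_alert false even at Critical severity, and the third shows how empty aaction and ClientAssetID values are dropped rather than mapped as empty strings.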
Changes
2024-06-04
- Added support for a new pattern of JSON logs.
- Mapped "protocol" to "network.application_protocol".
- Mapped "alert_type" to "security_result.detection_fields".
2023-09-04
- Enhancement -
- Mapped "event1.sld" to "principal.hostname".
- Mapped "event1.sni" to "target.hostname".
- Mapped "event1.src_ip6" to "principal.ip".
- Mapped "event1.dst_ip6" to "target.ip".
- Mapped "event1.sport" to "principal.port".
- Mapped "event1.dport" to "target.port".
- Mapped "event1.cipher" to "network.tls.cipher".
- Mapped "event1.tproto" to "network.ip_protocol".
- Mapped "event1.client_asset_name" to "principal.application".
- Mapped "event1.direction" to "network.direction".
- Mapped "event1.rel_sesid" to "network.session_id".
- Mapped "event1.tls_ciphersuite" to "network.tls.cipher".
- Mapped "event1.ja3sdigest" to "network.tls.server.ja3s".
- Mapped "event1.ja3digest" to "network.tls.client.ja3".
- Mapped "event1.srvcerthash" to "target.file.sha1".
- Mapped "event1.sha256" to "target.file.sha256".
- Mapped "event1.md5" to "target.file.md5".
- Mapped "event1.filetype" to "target.file.mime_type".
- Mapped "event1.filesize" to "target.file.size".
- Mapped "event1.certificate_issuer_name" to "network.tls.client.certificate.issuer".
- Mapped "event1.certificate_subject_name" to "network.tls.client.certificate.subject".
- Mapped "event1.certificate_start_date" to "network.tls.client.certificate.not_before".
- Mapped "event1.certificate_end_date" to "network.tls.client.certificate.not_after".
- Mapped "event1.client_packet_count" to "network.sent_bytes".
- Mapped "event1.server_packet_count" to "network.received_bytes".
- Mapped "event1.session_size" to "network.session_duration.seconds".
- Mapped "event1.server_asset_subnet" to "read_only_udm.additional.fields".
- Mapped "event1.client_asset_subnet" to "read_only_udm.additional.fields".
- Mapped "event1.sha1hash" to "read_only_udm.additional.fields".
- Mapped "event1.type" to "read_only_udm.additional.fields".
- Mapped "event1.histbuf" to "read_only_udm.additional.fields".
- Mapped "event1.sen_name" to "read_only_udm.additional.fields".
- Mapped "event1.certificate_subject_altname" to "read_only_udm.additional.fields".
- Mapped "event1.certificate_key_usage" to "read_only_udm.additional.fields".
- Mapped "event1.certificate_key_length" to "read_only_udm.additional.fields".
- Mapped "event1.certificate_extended_key_usage" to "read_only_udm.additional.fields".
- Mapped "event1.version" to "network.tls.version".
2023-05-19
- Enhancement -
- Mapped "exe_richsignaturehash", "exe_richsignaturepvhash", "alert_threat_score" to "security_result.detection_fields".