Collect Dope Security SWG logs

This document explains how to ingest Dope Security SWG logs into Google Security Operations using Amazon S3.

Dope Security dope.swg is an endpoint-based secure web gateway that provides real-time web filtering, malware protection, and cloud application control. Each dope.endpoint sends web transaction logs to the dope.cloud every 15 minutes, which are then automatically exported to your AWS S3 bucket in compressed GZIP JSONL format for SIEM integration.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to Dope Security dope.console
  • Privileged access to AWS (S3, IAM)
  • Your Dope Security tenant must be in the same AWS region as your S3 bucket (verify the region on the Settings > SIEM page)

Configure Dope Security SIEM integration

To configure Dope Security SIEM integration, do the following:

  1. Sign in to the dope.console at https://console.dope.security
  2. Go to Settings > SIEM > SIEM Integration Settings.
  3. In the SIEM Type list, select AWS S3.
  4. Note the AWS Region displayed on the right side of the page (for example, US-EAST-2).

  5. Leave this page open because you will return to complete the configuration after setting up AWS S3.

Configure AWS S3 bucket and IAM for Google SecOps

  1. Create an Amazon S3 bucket. For more information, see Creating a bucket.
  2. When creating the bucket, ensure that the Region matches the region shown in the Dope Security SIEM Integration page (for example, US East (Ohio) us-east-2).
  3. Save the bucket Name for future reference (for example, chronicle-dope-swg-logs).
  4. Create a User. For more information, see Creating an IAM user.
  5. Select the User you created.
  6. Select the Security credentials tab.
  7. Click Create Access Key in the Access Keys section.
  8. Select Third-party service as the Use case.
  9. Click Next.
  10. Optional: Add a description tag.
  11. Click Create access key.
  12. Click Download .csv file to save the Access Key and Secret Access Key for future reference.
  13. Click Done.
  14. Select the Permissions tab.
  15. Click Add permissions in the Permissions policies section.
  16. Select Add permissions.
  17. Select Attach policies directly.
  18. Search for the AmazonS3FullAccess policy.
  19. Select the policy.
  20. Click Next.
  21. Click Add permissions.

Configure Dope Security Amazon S3 connection

  1. Return to the dope.console at the Settings > SIEM > SIEM Integration Settings page.
  2. In the S3 Bucket Name field, enter the name of your S3 bucket (for example, chronicle-dope-swg-logs).
  3. In the right pane, you will see a Bucket Policy section with a pre-generated JSON policy.
  4. Click Copy next to the policy JSON to copy it to your clipboard.
  5. In a new browser tab, go to the AWS S3 Console.
  6. Select your S3 bucket (for example, chronicle-dope-swg-logs).
  7. Go to the Permissions tab.
  8. Scroll down to the Bucket policy section.
  9. Click Edit.
  10. Paste the policy JSON that you copied from the dope.console into the Policy text area.
  11. Click Save changes.
  12. Return to the dope.console browser tab.
  13. Click Sync at the bottom of the SIEM Integration Settings page.
  14. Wait for the synchronization to complete.
  15. Verify that a green checkmark appears next to the S3 Bucket Name field.
  16. Verify that the Last Synchronization timestamp appears in the top right corner of the page.

Configure a feed in Google SecOps to ingest Dope Security SWG logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. Enter a unique name for the Feed name (for example, Dope Security SWG Logs).
  5. Select Amazon S3 V2 as the Source type.
  6. Select DOPE_SWG as the Log type.
  7. Click Next and then click Submit.
  8. Specify values for the following fields:

    • S3 URI: s3://chronicle-dope-swg-logs/ (replace with your bucket name)
    • Source deletion option: Select the deletion option according to your preference
    • Maximum File Age: Include files modified in the last number of days (default is 180 days)
    • Access Key ID: User access key with access to the S3 bucket (from step 12 of AWS configuration)
    • Secret Access Key: User secret key with access to the S3 bucket (from step 12 of AWS configuration)
    • Asset namespace: The asset namespace
    • Ingestion labels: The label to be applied to the events from this feed
  9. Click Next and then click Submit.

Log data format reference

Dope Security exports logs in JSONL (JSON Lines) format with GZIP compression. Each log entry contains the following key fields:

  • Timestamp: ISO 8601 timestamp of when the web transaction was requested
  • Duration: Connection duration in milliseconds
  • Matched Destination: Domain that the dope category was matched against
  • Destination IP: Destination IP address for the requested URL
  • Tenant ID: Customer's dope.cloud unique tenant ID
  • Agent ID: Unique agent ID for the dope.endpoint
  • User: Logged-in user on the dope.endpoint
  • OIDC User: Email address for the authenticated user (when OIDC authentication is enabled)
  • Categories: Matched dope category numbers (0-88) for the requested URL
  • Verdict: Policy verdict: Allow (0), Block (1), Warning (2), or Bypass (3)
  • Data Sent: Amount of data sent in the connection (bytes)
  • Data Received: Amount of data received in the connection (bytes)
  • Policy Type: Type of policy applied: Web, Cloud Application Control (CAC), Custom Category, Bypass, or Malware
  • Block Detail: For block verdicts: dope category, custom category, cloud application, or malware type
  • Filename: Name of any downloaded file
  • File Hash: File hash for downloaded files
  • Process Name: Name of the process making the URL request
  • URL: Complete requested URL
  • Policy Name: Name of the policy applied
  • Protocol: Protocol used (for example, HTTP/2, HTTP/1.1)
  • Hostname: Device hostname
  • HTTP Request Method: HTTP request method (for example, GET, POST, PUT)
  • Process Call Tree: Parent-child relationships from process spawn operations with command arguments

For the complete category and verdict mappings, see the Dope Security Category & Verdict Mappings documentation.

UDM mapping table

Each entry lists the log field(s), the UDM field they map to, and the mapping logic:

  • policy.categories, request.processTree → additional.fields: Merged as a list from policy.categories and request.processTree in JSON
  • timestamp → metadata.event_timestamp: Parsed as an ISO 8601 timestamp in both JSON and CSV
  • (derived) → metadata.event_type: Set to NETWORK_HTTP if has_principal, has_target and has_http in JSON; else NETWORK_CONNECTION if has_principal and has_target; else USER_UNCATEGORIZED if has_user; else STATUS_UPDATE if has_principal; else GENERIC_EVENT; set to NETWORK_HTTP in CSV
  • schemaVersion → metadata.product_version: Value copied directly from schemaVersion in JSON
  • request.httpVersion → network.http.user_agent: Value copied directly from request.httpVersion in JSON
  • bandwidth.dataReceivedInBytes, bytes_received → network.received_bytes: Converted to uinteger from bandwidth.dataReceivedInBytes in JSON or bytes_received in CSV if not empty and not 0
  • bandwidth.dataSentInBytes, bytes_sent → network.sent_bytes: Converted to uinteger from bandwidth.dataSentInBytes in JSON or bytes_sent in CSV if not empty and not 0
  • request.duration → network.session_duration.seconds: Converted to integer from request.duration in JSON
  • endpoint.agentID, endpoint_id → principal.asset.asset_id: Prefixed with DS: from endpoint.agentID in JSON or endpoint_id in CSV
  • endpoint.tenantID → principal.asset.attribute.cloud.project.id: Value copied directly from endpoint.tenantID in JSON
  • endpoint.deviceName → principal.asset.hostname: Value copied directly from endpoint.deviceName in JSON
  • endpoint.deviceName, endpoint_hostname → principal.hostname: Value from endpoint.deviceName in JSON or endpoint_hostname in CSV
  • request.processName → principal.process.command_line: Value copied directly from request.processName in JSON
  • process_name → principal.process.file.names: Value copied directly from process_name in CSV
  • sso_user, user → principal.user.account_type: Set to DOMAIN_ACCOUNT_TYPE if sso_user is not empty, else LOCAL_ACCOUNT_TYPE in CSV
  • endpoint.oidcUser → principal.user.email_addresses: Merged if endpoint.oidcUser matches the email regex in JSON
  • endpoint.oidcUser → principal.user.user_display_name: Value copied directly if endpoint.oidcUser does not match the email regex in JSON
  • endpoint.user, sso_user, user → principal.user.userid: Value from endpoint.user in JSON; from sso_user if not empty, else user in CSV
  • security_result → security_result: Merged from security_result in JSON
  • policy.verdict, verdict → security_result.action: Set to BLOCK if 1, ALLOW if 0, CHALLENGE if 2 from policy.verdict in JSON or verdict in CSV
  • categories → security_result.action_details: Value copied directly from categories in CSV
  • policy.policyName → security_result.rule_name: Value copied directly from policy.policyName in JSON
  • policy.policyType → security_result.rule_type: Value copied directly from policy.policyType in JSON
  • file_name → target.file.names: Value copied directly from file_name in CSV
  • file_hash → target.file.sha256: Value copied directly from file_hash in CSV
  • destination.matchedDestination, domain → target.hostname: Value from destination.matchedDestination if not an IP in JSON; from domain in CSV
  • destination.matchedDestination, destination.destinationIP, ip → target.ip: Value from destination.matchedDestination or destination.destinationIP if an IP in JSON; from ip in CSV
  • destination.url, url → target.url: Value from destination.url in JSON; from url in CSV
  • (constant) → metadata.product_name: Set to "DOPE_SWG" in JSON; "SWG" in CSV
  • (constant) → metadata.vendor_name: Set to "DOPE_SWG" in JSON; "Dope Security" in CSV
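The following is an added example, not code from Dope Security or Google SecOps: it reads a constructed GZIP JSONL export record in the format described above and applies the JSON-branch logic of the mapping table, so you can check what UDM fields a given record should produce before writing detections against it. The email regex, the has_http condition (assumed to mean target.url is present) and all sample values are assumptions.

```python
import gzip, io, ipaddress, json, re
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")        # assumed: the parser's actual email regex is not published
VERDICT_ACTION = {0: "ALLOW", 1: "BLOCK", 2: "CHALLENGE"}   # verdict 3 (Bypass) has no listed action

def _is_ip(v):
    try:
        return bool(ipaddress.ip_address(v))
    except ValueError:
        return False

def to_udm(rec):  # map one dope.swg JSON record to flat dotted UDM keys, following the mapping table
    ep, req, dst = rec.get("endpoint", {}), rec.get("request", {}), rec.get("destination", {})
    pol, bw = rec.get("policy", {}), rec.get("bandwidth", {})
    u = {"metadata.product_name": "DOPE_SWG", "metadata.vendor_name": "DOPE_SWG",
         "metadata.event_timestamp": rec.get("timestamp"), "metadata.product_version": rec.get("schemaVersion"),
         "network.http.user_agent": req.get("httpVersion"), "target.url": dst.get("url"),
         "network.session_duration.seconds": int(req["duration"]) if "duration" in req else None,
         "principal.asset.asset_id": "DS:" + ep["agentID"] if ep.get("agentID") else None,  # DS: prefix
         "principal.asset.attribute.cloud.project.id": ep.get("tenantID"),
         "principal.asset.hostname": ep.get("deviceName"), "principal.hostname": ep.get("deviceName"),
         "principal.process.command_line": req.get("processName"), "principal.user.userid": ep.get("user"),
         "security_result.action": VERDICT_ACTION.get(pol.get("verdict")),
         "security_result.rule_name": pol.get("policyName"), "security_result.rule_type": pol.get("policyType"),
         "additional.fields": [x for x in (pol.get("categories"), req.get("processTree")) if x] or None}
    for src, key in (("dataReceivedInBytes", "network.received_bytes"), ("dataSentInBytes", "network.sent_bytes")):
        if bw.get(src) not in (None, "", 0, "0"):               # uinteger only if not empty and not 0
            u[key] = int(bw[src])
    oidc = ep.get("oidcUser")
    if oidc:  # email-shaped values become email_addresses, anything else becomes user_display_name
        u["principal.user.email_addresses" if EMAIL_RE.match(oidc) else "principal.user.user_display_name"] = oidc
    md, dip = dst.get("matchedDestination"), dst.get("destinationIP")
    u["target.hostname"] = md if md and not _is_ip(md) else None
    u["target.ip"] = md if md and _is_ip(md) else (dip if dip and _is_ip(dip) else None)
    u = {k: v for k, v in u.items() if v is not None}
    has = lambda prefix: any(k.startswith(prefix) for k in u)
    has_p, has_t, has_user, has_http = has("principal."), has("target."), has("principal.user."), "target.url" in u
    u["metadata.event_type"] = ("NETWORK_HTTP" if has_p and has_t and has_http else "NETWORK_CONNECTION" if has_p
                                and has_t else "USER_UNCATEGORIZED" if has_user else "STATUS_UPDATE" if has_p else "GENERIC_EVENT")
    return u

def read_export(gz_bytes):  # decode a GZIP JSONL export (one JSON object per line) into UDM dicts
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        return [to_udm(json.loads(line)) for line in fh if line.strip()]

# Constructed sample record (not real telemetry), gzipped the way dope.cloud exports to S3.
SAMPLE = {"timestamp": "2024-05-01T12:00:00Z", "schemaVersion": "1.0", "policy": {"verdict": 1, "categories": [12],
          "policyName": "Block malware", "policyType": "Malware"}, "bandwidth": {"dataReceivedInBytes": 0, "dataSentInBytes": 512},
          "endpoint": {"agentID": "agent-0001", "tenantID": "tenant-01", "deviceName": "LAPTOP-01", "user": "jdoe", "oidcUser": "jdoe@example.com"},
          "request": {"httpVersion": "HTTP/2", "duration": 120, "processName": "chrome.exe", "processTree": "explorer.exe > chrome.exe"},
          "destination": {"matchedDestination": "example.com", "destinationIP": "203.0.113.10", "url": "https://example.com/download/file.exe"}}
SAMPLE_GZ = gzip.compress((json.dumps(SAMPLE) + "\n").encode("utf-8"))
```

Running read_export(SAMPLE_GZ) yields one event with security_result.action BLOCK, target.hostname example.com, target.ip 203.0.113.10 and no network.received_bytes (the zero is dropped), which is what the parser logic above says a feed should emit for that record.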
