Console
    Contact Us Start free

    Collect the General Dynamics Fidelis XPS logs

    Supported in:

    This document describes how you can collect the General Dynamics Fidelis XPS logs by using a Google Security Operations forwarder.

    For more information, see Data ingestion to Google Security Operations overview .

    An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the FIDELIS_NETWORK ingestion label.

    Configure General Dynamics Fidelis XPS

    1. Sign in to CommandPost to manage your Fidelis XPS appliance.
    2. Select System > Export.
    3. Click the Newtab.
    4. In the Export methodlist, select ArcSight.
    5. In the Destinationfield, enter the Google Security Operations forwarder server IP address and port number, such as 514 .
    6. In the Export alertssection, select Allcheckbox.
    7. In the Export frequencysection, select Every alertcheckbox.
    8. In the Transportsection, select UDPor TCPcheckbox.
    9. In the Save asfield, enter a name for the export configuration.

    10. In the Column listbox, move entries in the Column listso that they appear in the following order:

      • TIME

      • ACTION

      • ALERTUUID

      • APPLICATION_USER

      • COMPONENT

      • COMPR

      • DSTADDR

      • DSTPORT

      • FILENAME

      • FROM

      • GROUP

      • MALWARE NAME

      • MALWARE TYPE

      • MD5

      • POLICY

      • PROTO

      • REQUEST_METHOD

      • REQUEST_AGENT

      • REQUEST_URL

      • RULE

      • SENIP

      • SEVERITY

      • SRCADDR

      • SRCPORT

      • SUMMARY

      • TARGET

      • TO

      • VIOLATION_INFO

      • VLAN_ID

      Fidelis XPS version 8.1 introduces additional data that you can configure to export new data. The new fields include REQUEST_METHOD, REQUEST_AGENT, REQUEST_URL, VIOLATION_INFO, and VLAN_ID.

      VIOLATION_INFOincludes all the data from the Violation informationsection of the Alert detailpage. This data includes matching data that generates alert. It also includes any additional information included within feed data when that data matches. The VIOLATION_INFOcan be large in size. You must enable TCP when using this feature in syslog exports.

    11. Select System > Malware > Malware detection.

    12. Select the Malware detection engineand Automatic malware policycheckboxes.

    13. Click Save.

    Configure the Google Security Operations forwarder to ingest Fidelis Network logs

    1. Select SIEM Settings > Forwarders.
    2. Click Add new forwarder.
    3. Enter a unique name in the Forwarder namefield.
    4. Click Submitand then click Confirm. The forwarder is added and the Add collector configurationwindow appears.
    5. In the Collector namefield, enter a unique name for the collector.
    6. Select Fidelis Networkas the Log type.
    7. Select Syslogas the Collector type.
    8. Configure the following input parameters:
      • Protocol: specify the connection protocol that the collector uses to listen to syslog data.
      • Address: specify the target IP address or hostname where the collector resides and listens to syslog data.
      • Port: specify the target port where the collector resides and listens to syslog data.
    9. Click Submit.

    For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI .

    If you encounter issues when you create forwarders, contact Google Security Operations support .

    Field mapping reference

    This parser processes Fidelis Network logs in SYSLOG, key-value pair, and JSON formats, transforming them into UDM. It extracts fields, handles various log structures, maps to UDM fields.

    UDM mapping table

    Log Field UDM Mapping Logic
    aaction
    		event.idm.read_only_udm.security_result.action_details Directly mapped if not "none" or empty string.
    alert_threat_score
    		event.idm.read_only_udm.security_result.detection_fields[].key : "alert_threat_score", event.idm.read_only_udm.security_result.detection_fields[].value : value of alert_threat_score Directly mapped as a detection field.
    alert_type
    		event.idm.read_only_udm.security_result.detection_fields[].key : "alert_type", event.idm.read_only_udm.security_result.detection_fields[].value : value of alert_type Directly mapped as a detection field.
    answers
    		event.idm.read_only_udm.network.dns.answers[].data Directly mapped for DNS events.
    application_user
    		event.idm.read_only_udm.principal.user.userid Directly mapped.
    asset_os
    		event.idm.read_only_udm.target.platform Normalized to WINDOWS, LINUX, MAC, or UNKNOWN_PLATFORM.
    certificate.end_date
    		event.idm.read_only_udm.network.tls.client.certificate.not_after Parsed and converted to timestamp.
    certificate.extended_key_usage
    		event.idm.read_only_udm.additional.fields[].key : "Extended Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value : value of certificate.extended_key_usage Mapped as an additional field.
    certificate.issuer_name
    		event.idm.read_only_udm.network.tls.server.certificate.issuer Directly mapped.
    certificate.key_length
    		event.idm.read_only_udm.additional.fields[].key : "Key Length", event.idm.read_only_udm.additional.fields[].value.string_value : value of certificate.key_length Mapped as an additional field.
    certificate.key_usage
    		event.idm.read_only_udm.additional.fields[].key : "Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value : value of certificate.key_usage Mapped as an additional field.
    certificate.start_date
    		event.idm.read_only_udm.network.tls.client.certificate.not_before Parsed and converted to timestamp.
    certificate.subject_altname
    		event.idm.read_only_udm.additional.fields[].key : "Certificate Alternate Name", event.idm.read_only_udm.additional.fields[].value.string_value : value of certificate.subject_altname Mapped as an additional field.
    certificate.subject_name
    		event.idm.read_only_udm.network.tls.server.certificate.subject Directly mapped.
    certificate.type
    		event.idm.read_only_udm.additional.fields[].key : "Certificate_Type", event.idm.read_only_udm.additional.fields[].value.string_value : value of certificate.type Mapped as an additional field.
    cipher
    		event.idm.read_only_udm.network.tls.cipher Directly mapped.
    client_asset_name
    		event.idm.read_only_udm.principal.application Directly mapped.
    client_asset_subnet
    		event.idm.read_only_udm.additional.fields[].key : "client_asset_subnet", event.idm.read_only_udm.additional.fields[].value.string_value : value of client_asset_subnet Mapped as an additional field.
    client_ip
    		event.idm.read_only_udm.principal.ip Directly mapped.
    client_port
    		event.idm.read_only_udm.principal.port Directly mapped and converted to integer.
    ClientIP
    		event.idm.read_only_udm.principal.ip Directly mapped.
    ClientPort
    		event.idm.read_only_udm.principal.port Directly mapped and converted to integer.
    ClientCountry
    		event.idm.read_only_udm.principal.location.country_or_region Directly mapped if not "UNKNOWN" or empty string.
    ClientAssetID
    		event.idm.read_only_udm.principal.asset_id Prefixed with "Asset:" if not "0" or empty string.
    ClientAssetName
    		event.idm.read_only_udm.principal.resource.attribute.labels[].key : "ClientAssetName", event.idm.read_only_udm.principal.resource.attribute.labels[].value : value of ClientAssetName Mapped as a principal resource label.
    ClientAssetRole
    		event.idm.read_only_udm.principal.asset.attribute.roles[].name Directly mapped.
    ClientAssetServices
    		event.idm.read_only_udm.principal.resource.attribute.labels[].key : "ClientAssetServices", event.idm.read_only_udm.principal.resource.attribute.labels[].value : value of ClientAssetServices Mapped as a principal resource label.
    Client
    		event.idm.read_only_udm.principal.resource.attribute.labels[].key : "Client", event.idm.read_only_udm.principal.resource.attribute.labels[].value : value of Client Mapped as a principal resource label.
    Collector
    		event.idm.read_only_udm.security_result.detection_fields[].key : "Collector", event.idm.read_only_udm.security_result.detection_fields[].value : value of Collector Mapped as a detection field.
    command
    		event.idm.read_only_udm.network.http.method Directly mapped for HTTP events.
    Command
    		event.idm.read_only_udm.security_result.detection_fields[].key : "Command", event.idm.read_only_udm.security_result.detection_fields[].value : value of Command Mapped as a detection field.
    Connection
    		event.idm.read_only_udm.security_result.detection_fields[].key : "Connection", event.idm.read_only_udm.security_result.detection_fields[].value : value of Connection Mapped as a detection field.
    DecodingPath
    		event.idm.read_only_udm.security_result.detection_fields[].key : "DecodingPath", event.idm.read_only_udm.security_result.detection_fields[].value : value of DecodingPath Mapped as a detection field.
    dest_country
    		event.idm.read_only_udm.target.location.country_or_region Directly mapped.
    dest_domain
    		event.idm.read_only_udm.target.hostname Directly mapped.
    dest_ip
    		event.idm.read_only_udm.target.ip Directly mapped.
    dest_port
    		event.idm.read_only_udm.target.port Directly mapped and converted to integer.
    Direction
    		event.idm.read_only_udm.security_result.detection_fields[].key : "Direction", event.idm.read_only_udm.security_result.detection_fields[].value : value of Direction Mapped as a detection field.
    dns.host
    		event.idm.read_only_udm.network.dns.questions[].name Directly mapped for DNS events.
    DomainName
    		event.idm.read_only_udm.target.administrative_domain Directly mapped.
    DomainAlexaRank
    		event.idm.read_only_udm.security_result.detection_fields[].key : "DomainAlexaRank", event.idm.read_only_udm.security_result.detection_fields[].value : value of DomainAlexaRank Mapped as a detection field.
    dport
    		event.idm.read_only_udm.target.port Directly mapped and converted to integer.
    dnsresolution.server_fqdn
    		event.idm.read_only_udm.target.hostname Directly mapped.
    Duration
    		event.idm.read_only_udm.security_result.detection_fields[].key : "Duration", event.idm.read_only_udm.security_result.detection_fields[].value : value of Duration Mapped as a detection field.
    Encrypted
    		event.idm.read_only_udm.security_result.detection_fields[].key : "Encrypted", event.idm.read_only_udm.security_result.detection_fields[].value : value of Encrypted Mapped as a detection field.
    Entropy
    		event.idm.read_only_udm.security_result.detection_fields[].key : "Entropy", event.idm.read_only_udm.security_result.detection_fields[].value : value of Entropy Mapped as a detection field.
    event.idm.read_only_udm.additional.fields
    		event.idm.read_only_udm.additional.fields Contains various additional fields based on parser logic.
    event.idm.read_only_udm.metadata.description
    		event.idm.read_only_udm.metadata.description Directly mapped from summary field.
    event.idm.read_only_udm.metadata.event_type
    		event.idm.read_only_udm.metadata.event_type Determined based on various log fields and parser logic. Can be GENERIC_EVENT, NETWORK_CONNECTION, NETWORK_HTTP, NETWORK_SMTP, NETWORK_DNS, STATUS_UPDATE, NETWORK_FLOW.
    event.idm.read_only_udm.metadata.log_type
    		event.idm.read_only_udm.metadata.log_type Set to "FIDELIS_NETWORK".
    event.idm.read_only_udm.metadata.product_name
    		event.idm.read_only_udm.metadata.product_name Set to "FIDELIS_NETWORK".
    event.idm.read_only_udm.metadata.vendor_name
    		event.idm.read_only_udm.metadata.vendor_name Set to "FIDELIS_NETWORK".
    event.idm.read_only_udm.network.application_protocol
    		event.idm.read_only_udm.network.application_protocol Determined based on server_port or protocol field. Can be HTTP, HTTPS, SMTP, SSH, RPC, DNS, NFS, AOLMAIL.
    event.idm.read_only_udm.network.direction
    		event.idm.read_only_udm.network.direction Determined based on direction field or keywords in summary . Can be INBOUND or OUTBOUND.
    event.idm.read_only_udm.network.dns.answers
    		event.idm.read_only_udm.network.dns.answers Populated for DNS events.
    event.idm.read_only_udm.network.dns.id
    		event.idm.read_only_udm.network.dns.id Mapped from number field for DNS events.
    event.idm.read_only_udm.network.dns.questions
    		event.idm.read_only_udm.network.dns.questions Populated for DNS events.
    event.idm.read_only_udm.network.email.from
    		event.idm.read_only_udm.network.email.from Directly mapped from From if it's a valid email address.
    event.idm.read_only_udm.network.email.subject
    		event.idm.read_only_udm.network.email.subject Directly mapped from Subject .
    event.idm.read_only_udm.network.email.to
    		event.idm.read_only_udm.network.email.to Directly mapped from To .
    event.idm.read_only_udm.network.ftp.command
    		event.idm.read_only_udm.network.ftp.command Directly mapped from ftp.command .
    event.idm.read_only_udm.network.http.method
    		event.idm.read_only_udm.network.http.method Directly mapped from http.command or Command .
    event.idm.read_only_udm.network.http.referral_url
    		event.idm.read_only_udm.network.http.referral_url Directly mapped from Referer .
    event.idm.read_only_udm.network.http.response_code
    		event.idm.read_only_udm.network.http.response_code Directly mapped from http.status_code or StatusCode and converted to integer.
    event.idm.read_only_udm.network.http.user_agent
    		event.idm.read_only_udm.network.http.user_agent Directly mapped from http.useragent or UserAgent .
    event.idm.read_only_udm.network.ip_protocol
    		event.idm.read_only_udm.network.ip_protocol Directly mapped from tproto if it's TCP or UDP.
    event.idm.read_only_udm.network.received_bytes
    		event.idm.read_only_udm.network.received_bytes Renamed from event1.server_packet_count and converted to unsigned integer.
    event.idm.read_only_udm.network.sent_bytes
    		event.idm.read_only_udm.network.sent_bytes Renamed from event1.client_packet_count and converted to unsigned integer.
    event.idm.read_only_udm.network.session_duration.seconds
    		event.idm.read_only_udm.network.session_duration.seconds Renamed from event1.session_size and converted to integer.
    event.idm.read_only_udm.network.session_id
    		event.idm.read_only_udm.network.session_id Directly mapped from event1.rel_sesid or UserSessionID .
    event.idm.read_only_udm.network.tls.client.certificate.issuer
    		event.idm.read_only_udm.network.tls.client.certificate.issuer Directly mapped from event1.certificate_issuer_name .
    event.idm.read_only_udm.network.tls.client.certificate.not_after
    		event.idm.read_only_udm.network.tls.client.certificate.not_after Parsed from event1.certificate_end_date and converted to timestamp.
    event.idm.read_only_udm.network.tls.client.certificate.not_before
    		event.idm.read_only_udm.network.tls.client.certificate.not_before Parsed from event1.certificate_start_date and converted to timestamp.
    event.idm.read_only_udm.network.tls.client.certificate.subject
    		event.idm.read_only_udm.network.tls.client.certificate.subject Directly mapped from event1.certificate_subject_name .
    event.idm.read_only_udm.network.tls.client.ja3
    		event.idm.read_only_udm.network.tls.client.ja3 Directly mapped from event1.ja3digest and converted to string.
    event.idm.read_only_udm.network.tls.cipher
    		event.idm.read_only_udm.network.tls.cipher Directly mapped from event1.cipher , CipherSuite , cipher , or event1.tls_ciphersuite .
    event.idm.read_only_udm.network.tls.server.certificate.issuer
    		event.idm.read_only_udm.network.tls.server.certificate.issuer Directly mapped from certificate_issuer_name .
    event.idm.read_only_udm.network.tls.server.certificate.subject
    		event.idm.read_only_udm.network.tls.server.certificate.subject Directly mapped from certificate_subject_name .
    event.idm.read_only_udm.network.tls.server.ja3s
    		event.idm.read_only_udm.network.tls.server.ja3s Directly mapped from event1.ja3sdigest and converted to string.
    event.idm.read_only_udm.network.tls.version
    		event.idm.read_only_udm.network.tls.version Directly mapped from event1.version .
    event.idm.read_only_udm.principal.application
    		event.idm.read_only_udm.principal.application Directly mapped from event1.client_asset_name .
    event.idm.read_only_udm.principal.asset.attribute.roles[].name
    		event.idm.read_only_udm.principal.asset.attribute.roles[].name Directly mapped from ClientAssetRole .
    event.idm.read_only_udm.principal.asset_id
    		event.idm.read_only_udm.principal.asset_id Directly mapped from ClientAssetID or ServerAssetID (prefixed with "Asset:").
    event.idm.read_only_udm.principal.hostname
    		event.idm.read_only_udm.principal.hostname Directly mapped from event1.sld or src_domain .
    event.idm.read_only_udm.principal.ip
    		event.idm.read_only_udm.principal.ip Directly mapped from event1.src_ip6 , client_ip , or ClientIP .
    event.idm.read_only_udm.principal.location.country_or_region
    		event.idm.read_only_udm.principal.location.country_or_region Directly mapped from ClientCountry or src_country if not "UNKNOWN" or empty string.
    event.idm.read_only_udm.principal.port
    		event.idm.read_only_udm.principal.port Directly mapped from event1.sport or client_port and converted to integer.
    event.idm.read_only_udm.principal.resource.attribute.labels
    		event.idm.read_only_udm.principal.resource.attribute.labels Contains various labels based on parser logic.
    event.idm.read_only_udm.principal.user.userid
    		event.idm.read_only_udm.principal.user.userid Directly mapped from ftp.user or AppUser .
    event.idm.read_only_udm.security_result.action
    		event.idm.read_only_udm.security_result.action Determined based on severity . Can be ALLOW, BLOCK, or UNKNOWN_ACTION.
    event.idm.read_only_udm.security_result.action_details
    		event.idm.read_only_udm.security_result.action_details Directly mapped from Action if not "none" or empty string.
    event.idm.read_only_udm.security_result.category
    		event.idm.read_only_udm.security_result.category Set to NETWORK_SUSPICIOUS if malware_type is present.
    event.idm.read_only_udm.security_result.detection_fields
    		event.idm.read_only_udm.security_result.detection_fields Contains various detection fields based on parser logic.
    event.idm.read_only_udm.security_result.rule_name
    		event.idm.read_only_udm.security_result.rule_name Directly mapped from rule_name .
    event.idm.read_only_udm.security_result.severity
    		event.idm.read_only_udm.security_result.severity Determined based on severity . Can be INFORMATIONAL, MEDIUM, ERROR, or CRITICAL.
    event.idm.read_only_udm.security_result.summary
    		event.idm.read_only_udm.security_result.summary Directly mapped from label .
    event.idm.read_only_udm.security_result.threat_name
    		event.idm.read_only_udm.security_result.threat_name Directly mapped from malware_type or parsed from summary if it contains "CVE-".
    event.idm.read_only_udm.target.administrative_domain
    		event.idm.read_only_udm.target.administrative_domain Directly mapped from DomainName .
    event.idm.read_only_udm.target.asset.attribute.roles[].name
    		event.idm.read_only_udm.target.asset.attribute.roles[].name Directly mapped from ServerAssetRole .
    event.idm.read_only_udm.target.file.full_path
    		event.idm.read_only_udm.target.file.full_path Directly mapped from ftp.filename or Filename .
    event.idm.read_only_udm.target.file.md5
    		event.idm.read_only_udm.target.file.md5 Directly mapped from event1.md5 or md5 .
    event.idm.read_only_udm.target.file.mime_type
    		event.idm.read_only_udm.target.file.mime_type Directly mapped from event1.filetype .
    event.idm.read_only_udm.target.file.sha1
    		event.idm.read_only_udm.target.file.sha1 Directly mapped from event1.srvcerthash .
    event.idm.read_only_udm.target.file.sha256
    		event.idm.read_only_udm.target.file.sha256 Directly mapped from event1.sha256 or sha256 .
    event.idm.read_only_udm.target.file.size
    		event.idm.read_only_udm.target.file.size Renamed from event1.filesize and converted to unsigned integer if not 0.
    event.idm.read_only_udm.target.hostname
    		event.idm.read_only_udm.target.hostname Directly mapped from event1.sni , dest_domain , or Host .
    event.idm.read_only_udm.target.ip
    		event.idm.read_only_udm.target.ip Directly mapped from event1.dst_ip6 or server_ip or ServerIP .
    event.idm.read_only_udm.target.location.country_or_region
    		event.idm.read_only_udm.target.location.country_or_region Directly mapped from dest_country or ServerCountry .
    event.idm.read_only_udm.target.platform
    		event.idm.read_only_udm.target.platform Mapped from asset_os after normalization.
    event.idm.read_only_udm.target.platform_version
    		event.idm.read_only_udm.target.platform_version Directly mapped from os_version .
    event.idm.read_only_udm.target.port
    		event.idm.read_only_udm.target.port Directly mapped from event1.dport or server_port and converted to integer.
    event.idm.read_only_udm.target.resource.attribute.labels
    		event.idm.read_only_udm.target.resource.attribute.labels Contains various labels based on parser logic.
    event.idm.read_only_udm.target.url
    		event.idm.read_only_udm.target.url Directly mapped from url or URL .
    event.idm.read_only_udm.target.user.product_object_id
    		event.idm.read_only_udm.target.user.product_object_id Directly mapped from uuid .
    event1.certificate_end_date
    		event.idm.read_only_udm.network.tls.client.certificate.not_after Parsed and converted to timestamp.
    event1.certificate_extended_key_usage
    		event.idm.read_only_udm.additional.fields[].key : "Extended Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value : value of event1.certificate_extended_key_usage Mapped as an additional field.
    event1.certificate_issuer_name
    		event.idm.read_only_udm.network.tls.client.certificate.issuer Directly mapped.
    event1.certificate_key_length
    		event.idm.read_only_udm.additional.fields[].key : "Key Length", event.idm.read_only_udm.additional.fields[].value.string_value : value of event1.certificate_key_length Mapped as an additional field.
    event1.certificate_key_usage
    		event.idm.read_only_udm.additional.fields[].key : "Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value : value of event1.certificate_key_usage Mapped as an additional field.
    event1.certificate_start_date
    		event.idm.read_only_udm.network.tls.client.certificate.not_before Parsed and converted to timestamp.
    event1.certificate_subject_altname
    		event.idm.read_only_udm.additional.fields[].key : "Certificate Alternate Name", event.idm.read_only_udm.additional.fields[].value.string_value : value of event1.certificate_subject_altname Mapped as an additional field.
    event1.certificate_subject_name
    		event.idm.read_only_udm.network.tls.client.certificate.subject Directly mapped.
    event1.client_asset_name
    		event.idm.read_only_udm.principal.application Directly mapped.
    event1.client_asset_subnet
    		event.idm.read_only_udm.additional.fields[].key : "client_asset_subnet", event.idm.read_only_udm.additional.fields[].value.string_value : value of event1.client_asset_subnet Mapped as an additional field.
    event1.client_packet_count
    		event.idm.read_only_udm.network.sent_bytes Converted to unsigned integer and renamed.
    event1.cipher
    		event.idm.read_only_udm.network.tls.cipher Directly mapped.
    event1.direction
    		event.idm.read_only_udm.network.direction Mapped to INBOUND if "s2c" or OUTBOUND if "c2s".
    event1.d

    Need more help? Get answers from Community members and Google SecOps professionals.

    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: