Console
    Contact Us Start free

    Collect Claroty CTD logs

    Supported in:

    This document explains how to ingest Claroty Continuous Threat Detection (CTD) logs to Google Security Operations by using Bindplane.

    Before you begin

    • Ensure that you have a Google Security Operations instance.
    • Ensure that you are using Windows 2016 or later, or a Linux host with systemd .
    • If running behind a proxy, ensure firewall ports are open.
    • Ensure that you have privileged access to Claroty CTD.

    Get Google SecOps ingestion authentication file

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Collection Agents.
    3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

    Get Google SecOps customer ID

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Profile.
    3. Copy and save the Customer IDfrom the Organization Detailssection.

    Install the Bindplane agent

    Windows installation

    1. Open the Command Promptor PowerShellas an administrator.

    2. Run the following command:

        msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

    Linux installation

    1. Open a terminal with root or sudo privileges.

    2. Run the following command:

       sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

    Additional installation resources

    Configure the Bindplane agent to ingest Syslog and send to Google SecOps

    1. Access the configuration file:

      1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
      2. Open the file using a text editor (for example, nano , vi , or Notepad).

    2. Edit the config.yaml file as follows:

        receivers 
 : 
  
 udplog 
 : 
  
 # Replace the port and IP address as required 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/chronicle_w_labels 
 : 
  
 compression 
 : 
  
 gzip 
  
 # Adjust the path to the credentials file you downloaded in Step 1 
  
 creds 
 : 
  
 '/path/to/ingestion-authentication-file.json' 
  
 # Replace with your actual customer ID from Step 2 
  
 customer_id 
 : 
  
< customer_id 
>  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 # Add optional ingestion labels for better organization 
  
 ingestion_labels 
 : 
  
 log_type 
 : 
  
 CLAROTY_CTD 
  
 raw_log_field 
 : 
  
 body 
 service 
 : 
  
 pipelines 
 : 
  
 logs/source0__chronicle_w_labels-0 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/chronicle_w_labels

    3. Replace the port and IP address as required in your infrastructure.

    4. Replace <customer_id> with the actual customer ID.

    5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

    Restart the Bindplane agent to apply the changes

    • To restart the Bindplane agent in Linux, run the following command:

       sudo  
systemctl  
restart  
bindplane-agent

    • To restart the Bindplane agent in Windows, you can either use the Servicesconsole or enter the following command:

       net stop BindPlaneAgent && net start BindPlaneAgent

    Configure Syslog on Claroty Continuous Threat Detection (CTD)

    1. Sign in to the Claroty CTDWeb UI.
    2. Go to Menu > Integrations > Syslog.
    3. Repeat the following steps for each syslog message contenttype:
      • Alerts
      • Events
      • Health Monitoring
      • Insights
      • Activity Logs
      • Vulnerabilities
    4. Click +to add a new configuration.
    5. In the Message Contentmenu, select the required content to export.
    6. Provide the following configuration details:
      • Category: select All.
      • Type: select Select Alltypes.
      • Format: select CEF (Latest).
      • System URL: do not update the system URL/IP, unless you're behind a proxy server.
      • Send to: select External Syslog server (e.g SIEM, SOAR systems).
      • Vendor: select Other.
      • Syslog Server IP: enter the Bindplane agent IP address.
      • Port: enter the Bindplane agent port (for example, 514 ).
      • Protocol: select UDP(other options include TCP, TLS, or mTLS, depending on your Bindplane configuration).
    7. Click Save.

    UDM Mapping Table

    Log Field UDM Mapping Logic
    CtdRealTime
    		 metadata.event_timestamp Parsed using MMM dd yyyy HH:mm:ss from CtdRealTime and used as the event timestamp.
    CtdTimeGenerated
    		 metadata.event_timestamp If CtdRealTime is empty, parsed using MMM dd yyyy HH:mm:ss from CtdTimeGenerated to set the event timestamp.
    CtdMessage
    		 metadata.description Sets metadata.description from the CtdMessage field.
    CtdMessage
    		 security_result.description Sets security_result.description from the CtdMessage field when applicable.
    Port (from CtdMessage KV)
    		 principal.port Extracted from the key Port in CtdMessage; converted to integer and set as principal.port.
    Category (from CtdMessage KV)
    		 security_result.detection_fields (Category_label) Extracted from CtdMessage as key Category and merged into detection fields.
    Access (from CtdMessage KV)
    		 security_result.detection_fields (Access_label) Extracted from CtdMessage as key Access and merged into detection fields.
    CtdSite
    		 principal.hostname Maps CtdSite to principal.hostname.
    CtdSite
    		 principal.asset.hostname Maps CtdSite to principal.asset.hostname.
    CtdCpu
    		 principal.resource.attribute.labels (CtdCpu_label) Creates a label with key CtdCpu using CtdCpu's value and merges it into principal.resource.attribute.labels.
    CtdMem
    		 principal.resource.attribute.labels (CtdMem_label) Creates a label with key CtdMem using CtdMem's value and merges it into principal.resource.attribute.labels.
    CtdUsedOptIcsranger
    		 principal.resource.attribute.labels (CtdUsedOptIcsranger_label) Creates a label from CtdUsedOptIcsranger and merges it.
    CtdUsedVar
    		 principal.resource.attribute.labels (CtdUsedVar_label) Creates a label from CtdUsedVar and merges it.
    CtdUsedTmp
    		 principal.resource.attribute.labels (CtdUsedTmp_label) Creates a label from CtdUsedTmp and merges it.
    CtdUsedEtc
    		 principal.resource.attribute.labels (CtdUsedEtc_label) Creates a label from CtdUsedEtc and merges it.
    CtdBusyFd
    		 principal.resource.attribute.labels (CtdBusyFd_label) Creates a label from CtdBusyFd and merges it.
    CtdBusySda
    		 principal.resource.attribute.labels (CtdBusySda_label) Creates a label from CtdBusySda and merges it.
    CtdBusySdaA
    		 principal.resource.attribute.labels (CtdBusySdaA_label) Creates a label from CtdBusySdaA and merges it.
    CtdBusySdaB
    		 principal.resource.attribute.labels (CtdBusySdaB_label) Creates a label from CtdBusySdaB and merges it.
    CtdBusySr
    		 principal.resource.attribute.labels (CtdBusySr_label) Creates a label from CtdBusySr and merges it.
    CtdBusyDm
    		 principal.resource.attribute.labels (CtdBusyDm_label) Creates a label from CtdBusyDm and merges it.
    CtdBusyDmA
    		 principal.resource.attribute.labels (CtdBusyDmA_label) Creates a label from CtdBusyDmA and merges it.
    CtdQuPreprocessingNg
    		 principal.resource.attribute.labels (CtdQuPreprocessingNg_label) Creates a label from CtdQuPreprocessingNg and merges it.
    CtdQuBaselineTracker
    		 principal.resource.attribute.labels (CtdQuBaselineTracker_label) Creates a label from CtdQuBaselineTracker and merges it.
    CtdQuBridge
    		 principal.resource.attribute.labels (CtdQuBridge_label) Creates a label from CtdQuBridge and merges it.
    CtdQuCentralBridge
    		 principal.resource.attribute.labels (CtdQuCentralBridge_label) Creates a label from CtdQuCentralBridge and merges it.
    CtdQuConcluding
    		 principal.resource.attribute.labels (CtdQuConcluding_label) Creates a label from CtdQuConcluding and merges it.
    CtdQuDiodeFeeder
    		 principal.resource.attribute.labels (CtdQuDiodeFeeder_label) Creates a label from CtdQuDiodeFeeder and merges it.
    CtdQuDissector
    		 principal.resource.attribute.labels (CtdQuDissector_label) Creates a label from CtdQuDissector and merges it.
    CtdQuDissectorA
    		 principal.resource.attribute.labels (CtdQuDissectorA_label) Creates a label from CtdQuDissectorA and merges it.
    CtdQuDissectorNg
    		 principal.resource.attribute.labels (CtdQuDissectorNg_label) Creates a label from CtdQuDissectorNg and merges it.
    CtdQuIndicatorService
    		 principal.resource.attribute.labels (CtdQuIndicatorService_label) Creates a label from CtdQuIndicatorService and merges it.
    CtdQuLeecher
    		 principal.resource.attribute.labels (CtdQuLeecher_label) Creates a label from CtdQuLeecher and merges it.
    CtdQuMonitor
    		 principal.resource.attribute.labels (CtdQuMonitor_label) Creates a label from CtdQuMonitor and merges it.
    CtdQuNetworkStatistics
    		 principal.resource.attribute.labels (CtdQuNetworkStatistics_label) Creates a label from CtdQuNetworkStatistics and merges it.
    CtdQuPackets
    		 principal.resource.attribute.labels (CtdQuPackets_label) Creates a label from CtdQuPackets and merges it.
    CtdQuPacketsErrors
    		 principal.resource.attribute.labels (CtdQuPacketsErrors_label) Creates a label from CtdQuPacketsErrors and merges it.
    CtdQuPreprocessing
    		 principal.resource.attribute.labels (CtdQuPreprocessing_label) Creates a label from CtdQuPreprocessing and merges it.
    CtdQuPriorityProcessing
    		 principal.resource.attribute.labels (CtdQuPriorityProcessing_label) Creates a label from CtdQuPriorityProcessing and merges it.
    CtdQuProcessing
    		 principal.resource.attribute.labels (CtdQuProcessing_label) Creates a label from CtdQuProcessing and merges it.
    CtdQuProcessingHigh
    		 principal.resource.attribute.labels (CtdQuProcessingHigh_label) Creates a label from CtdQuProcessingHigh and merges it.
    CtdQuZordonUpdates
    		 principal.resource.attribute.labels (CtdQuZordonUpdates_label) Creates a label from CtdQuZordonUpdates and merges it.
    CtdQuStatisticsNg
    		 principal.resource.attribute.labels (CtdQuStatisticsNg_label) Creates a label from CtdQuStatisticsNg and merges it.
    CtdQueuePurge
    		 principal.resource.attribute.labels (CtdQueuePurge_label) Creates a label from CtdQueuePurge and merges it.
    CtdQuSyslogAlerts
    		 principal.resource.attribute.labels (CtdQuSyslogAlerts_label) Creates a label from CtdQuSyslogAlerts and merges it.
    CtdQuSyslogEvents
    		 principal.resource.attribute.labels (CtdQuSyslogEvents_label) Creates a label from CtdQuSyslogEvents and merges it.
    CtdQuSyslogInsights
    		 principal.resource.attribute.labels (CtdQuSyslogInsights_label) Creates a label from CtdQuSyslogInsights and merges it.
    CtdRdDissector
    		 principal.resource.attribute.labels (CtdRdDissector_label) Creates a label from CtdRdDissector and merges it.
    CtdRdDissectorA
    		 principal.resource.attribute.labels (CtdRdDissectorA_label) Creates a label from CtdRdDissectorA and merges it.
    CtdRdDissectorNg
    		 principal.resource.attribute.labels (CtdRdDissectorNg_label) Creates a label from CtdRdDissectorNg and merges it.
    CtdRdPreprocessing
    		 principal.resource.attribute.labels (CtdRdPreprocessing_label) Creates a label from CtdRdPreprocessing and merges it.
    CtdRdPreprocessingNg
    		 principal.resource.attribute.labels (CtdRdPreprocessingNg_label) Creates a label from CtdRdPreprocessingNg and merges it.
    CtdSvcMariaDb
    		 principal.resource.attribute.labels (CtdSvcMariaDb_label) Creates a label from CtdSvcMariaDb and merges it.
    CtdSvcPostgres
    		 principal.resource.attribute.labels (CtdSvcPostgres_label) Creates a label from CtdSvcPostgres and merges it.
    CtdSvcRedis
    		 principal.resource.attribute.labels (CtdSvcRedis_label) Creates a label from CtdSvcRedis and merges it.
    CtdSvcRabbitMq
    		 principal.resource.attribute.labels (CtdSvcRabbitMq_label) Creates a label from CtdSvcRabbitMq and merges it.
    CtdSvcIcsranger
    		 principal.resource.attribute.labels (CtdSvcIcsranger_label) Creates a label from CtdSvcIcsranger and merges it.
    CtdSvcWatchdog
    		 principal.resource.attribute.labels (CtdSvcWatchdog_label) Creates a label from CtdSvcWatchdog and merges it.
    CtdSvcFirewalld
    		 principal.resource.attribute.labels (CtdSvcFirewalld_label) Creates a label from CtdSvcFirewalld and merges it.
    CtdSvcNetunnel
    		 principal.resource.attribute.labels (CtdSvcNetunnel_label) Creates a label from CtdSvcNetunnel and merges it.
    CtdSvcJwthenticator
    		 principal.resource.attribute.labels (CtdSvcJwthenticator_label) Creates a label from CtdSvcJwthenticator and merges it.
    CtdSvcDocker
    		 principal.resource.attribute.labels (CtdSvcDocker_label) Creates a label from CtdSvcDocker and merges it.
    CtdExceptions
    		 principal.resource.attribute.labels (CtdExceptions_label) Creates a label from CtdExceptions and merges it.
    CtdInputPacketDrops
    		 principal.resource.attribute.labels (CtdInputPacketDrops_label) Creates a label from CtdInputPacketDrops and merges it.
    CtdOutputPacketDrops
    		 principal.resource.attribute.labels (CtdOutputPacketDrops_label) Creates a label from CtdOutputPacketDrops and merges it.
    CtdFullOutputPacketDrops
    		 principal.resource.attribute.labels (CtdFullOutputPacketDrops_label) Creates a label from CtdFullOutputPacketDrops and merges it.
    CtdDissectorNgPacketDrops
    		 principal.resource.attribute.labels (CtdDissectorNgPacketDrops_label) Creates a label from CtdDissectorNgPacketDrops and merges it.
    CtdTagArtifactsDropsPreprocessor
    		 principal.resource.attribute.labels (CtdTagArtifactsDropsPreprocessor_label) Creates a label from CtdTagArtifactsDropsPreprocessor and merges it.
    CtdTagArtifactsDropsPreprocessorSum
    		 principal.resource.attribute.labels (CtdTagArtifactsDropsPreprocessorSum_label) Creates a label from CtdTagArtifactsDropsPreprocessorSum and merges it.
    CtdTagArtifactsDropsProcessor
    		 principal.resource.attribute.labels (CtdTagArtifactsDropsProcessor_label) Creates a label from CtdTagArtifactsDropsProcessor and merges it.
    CtdTagArtifactsDropsProcessorSum
    		 principal.resource.attribute.labels (CtdTagArtifactsDropsProcessorSum_label) Creates a label from CtdTagArtifactsDropsProcessorSum and merges it.
    CtdTagArtifactsDropsSniffer
    		 principal.resource.attribute.labels (CtdTagArtifactsDropsSniffer_label) Creates a label from CtdTagArtifactsDropsSniffer and merges it.
    CtdTagArtifactsDropsSnifferSum
    		 principal.resource.attribute.labels (CtdTagArtifactsDropsSnifferSum_label) Creates a label from CtdTagArtifactsDropsSnifferSum and merges it.
    CtdTagArtifactsDropsDissectorPypy
    		 principal.resource.attribute.labels (CtdTagArtifactsDropsDissectorPypy_label) Creates a label from CtdTagArtifactsDropsDissectorPypy and merges it.
    CtdTagArtifactsDropsDissectorPypySum
    		 principal.resource.attribute.labels (CtdTagArtifactsDropsDissectorPypySum_label) Creates a label from CtdTagArtifactsDropsDissectorPypySum and merges it.
    CtdCapsaverFolderCleanup
    		 principal.resource.attribute.labels (CtdCapsaverFolderCleanup_label) Creates a label from CtdCapsaverFolderCleanup and merges it.
    CtdCapsaverUtilzationTest
    		 principal.resource.attribute.labels (CtdCapsaverUtilzationTest_label) Creates a label from CtdCapsaverUtilzationTest and merges it.
    CtdYaraScannerTest
    		 principal.resource.attribute.labels (CtdYaraScannerTest_label) Creates a label from CtdYaraScannerTest and merges it.
    CtdWrkrWorkersStop
    		 principal.resource.attribute.labels (CtdWrkrWorkersStop_label) Creates a label from CtdWrkrWorkersStop and merges it.
    CtdWrkrWorkersRestart
    		 principal.resource.attribute.labels (CtdWrkrWorkersRestart_label) Creates a label from CtdWrkrWorkersRestart and merges it.
    CtdWrkrActiveExecuter
    		 principal.resource.attribute.labels (CtdWrkrActiveExecuter_label) Creates a label from CtdWrkrActiveExecuter and merges it.
    CtdWrkrSensor
    		 principal.resource.attribute.labels (CtdWrkrSensor_label) Creates a label from CtdWrkrSensor and merges it.
    CtdWrkrAuthentication
    		 principal.resource.attribute.labels (CtdWrkrAuthentication_label) Creates a label from CtdWrkrAuthentication and merges it.
    CtdWrkrMitre
    		 principal.resource.attribute.labels (CtdWrkrMitre_label) Creates a label from CtdWrkrMitre and merges it.
    CtdWrkrNotifications
    		 principal.resource.attribute.labels (CtdWrkrNotifications_label) Creates a label from CtdWrkrNotifications and merges it.
    CtdWrkrProcessor
    		 principal.resource.attribute.labels (CtdWrkrProcessor_label) Creates a label from CtdWrkrProcessor and merges it.
    CtdWrkrCloudAgent
    		 principal.resource.attribute.labels (CtdWrkrCloudAgent_label) Creates a label from CtdWrkrCloudAgent and merges it.
    CtdWrkrCloudClient
    		 principal.resource.attribute.labels (CtdWrkrCloudClient_label) Creates a label from CtdWrkrCloudClient and merges it.
    CtdWrkrScheduler
    		 principal.resource.attribute.labels (CtdWrkrScheduler_label) Creates a label from CtdWrkrScheduler and merges it.
    CtdWrkrknownThreats
    		 principal.resource.attribute.labels (CtdWrkrknownThreats_label) Creates a label from CtdWrkrknownThreats and merges it.
    CtdWrkrCacher
    		 principal.resource.attribute.labels (CtdWrkrCacher_label) Creates a label from CtdWrkrCacher and merges it.
    CtdWrkrInsights
    		 principal.resource.attribute.labels (CtdWrkrInsights_label) Creates a label from CtdWrkrInsights and merges it.
    CtdWrkrActive
    		 principal.resource.attribute.labels (CtdWrkrActive_label) Creates a label from CtdWrkrActive and merges it.
    CtdWrkrEnricher
    		 principal.resource.attribute.labels (CtdWrkrEnricher_label) Creates a label from CtdWrkrEnricher and merges it.
    CtdWrkrIndicators
    		 principal.resource.attribute.labels (CtdWrkrIndicators_label) Creates a label from CtdWrkrIndicators and merges it.
    CtdWrkrIndicatorsApi
    		 principal.resource.attribute.labels (CtdWrkrIndicatorsApi_label) Creates a label from CtdWrkrIndicatorsApi and merges it.
    CtdWrkrConcluder
    		 principal.resource.attribute.labels (CtdWrkrConcluder_label) Creates a label from CtdWrkrConcluder and merges it.
    CtdWrkrPreprocessor
    		 principal.resource.attribute.labels (CtdWrkrPreprocessor_label) Creates a label from CtdWrkrPreprocessor and merges it.
    CtdWrkrLeecher
    		 principal.resource.attribute.labels (CtdWrkrLeecher_label) Creates a label from CtdWrkrLeecher and merges it.
    CtdWrkrSyncManager
    		 principal.resource.attribute.labels (CtdWrkrSyncManager_label) Creates a label from CtdWrkrSyncManager and merges it.
    CtdWrkrBridge
    		 principal.resource.attribute.labels (CtdWrkrBridge_label) Creates a label from CtdWrkrBridge and merges it.
    CtdWrkrWebRanger
    		 principal.resource.attribute.labels (CtdWrkrWebRanger_label) Creates a label from CtdWrkrWebRanger and merges it.
    CtdWrkrWebWs
    		 principal.resource.attribute.labels (CtdWrkrWebWs_label) Creates a label from CtdWrkrWebWs and merges it.
    CtdWrkrWebAuth
    		 principal.resource.attribute.labels (CtdWrkrWebAuth_label) Creates a label from CtdWrkrWebAuth and merges it.
    CtdWrkrWebNginx
    		 principal.resource.attribute.labels (CtdWrkrWebNginx_label) Creates a label from CtdWrkrWebNginx and merges it.
    CtdWrkrConfigurator
    		 principal.resource.attribute.labels (CtdWrkrConfigurator_label) Creates a label from CtdWrkrConfigurator and merges it.
    CtdWrkrConfiguratorNginx
    		 principal.resource.attribute.labels (CtdWrkrConfiguratorNginx_label) Creates a label from CtdWrkrConfiguratorNginx and merges it.
    CtdWrkrCapsaver
    		 principal.resource.attribute.labels (CtdWrkrCapsaver_label) Creates a label from CtdWrkrCapsaver and merges it.
    CtdWrkrBaselineTracker
    		 principal.resource.attribute.labels (CtdWrkrBaselineTracker_label) Creates a label from CtdWrkrBaselineTracker and merges it.
    CtdWrkrDissector
    		 principal.resource.attribute.labels (CtdWrkrDissector_label) Creates a label from CtdWrkrDissector and merges it.
    CtdWrkrDissectorA
    		 principal.resource.attribute.labels (CtdWrkrDissectorA_label) Creates a label from CtdWrkrDissectorA and merges it.
    CtdWrkrDissectorNg
    		 principal.resource.attribute.labels (CtdWrkrDissectorNg_label) Creates a label from CtdWrkrDissectorNg and merges it.
    CtdWrkrPreprocessing
    		 principal.resource.attribute.labels (CtdWrkrPreprocessing_label) Creates a label from CtdWrkrPreprocessing and merges it.
    CtdWrkrPreprocessingNg
    		 principal.resource.attribute.labels (CtdWrkrPreprocessingNg_label) Creates a label from CtdWrkrPreprocessingNg and merges it.
    CtdWrkrStatisticsNg
    		 principal.resource.attribute.labels (CtdWrkrStatisticsNg_label) Creates a label from CtdWrkrStatisticsNg and merges it.
    CtdWrkrSyslogAlerts
    		 principal.resource.attribute.labels (CtdWrkrSyslogAlerts_label) Creates a label from CtdWrkrSyslogAlerts and merges it.
    CtdWrkrSyslogEvents
    		 principal.resource.attribute.labels (CtdWrkrSyslogEvents_label) Creates a label from CtdWrkrSyslogEvents and merges it.
    CtdWrkrSyslogInsights
    		 principal.resource.attribute.labels (CtdWrkrSyslogInsights_label) Creates a label from CtdWrkrSyslogInsights and merges it.
    CtdWrkrRdDissector
    		 principal.resource.attribute.labels (CtdWrkrRdDissector_label) Creates a label from CtdWrkrRdDissector and merges it.
    CtdWrkrRdDissectorA
    		 principal.resource.attribute.labels (CtdWrkrRdDissectorA_label) Creates a label from CtdWrkrRdDissectorA and merges it.
    CtdSensorName
    		 principal.resource.attribute.labels (CtdSensorName_label) Creates a label from CtdSensorName and merges it.
    CtdCtrlSite
    		 principal.resource.attribute.labels (CtdCtrlSite_label) Creates a label from CtdCtrlSite and merges it.
    CtdLoopCallDurationBaselineTrackerWrkerHandleNetworkStatistics
    		 principal.resource.attribute.labels (CtdLoopCallDurationBaselineTrackerWrkerHandleNetworkStatistics_label) Creates a label from CtdLoopCallDurationBaselineTrackerWrkerHandleNetworkStatistics and merges it.
    CtdDissectionCoverage
    		 principal.resource.attribute.labels (CtdDissectionCoverage_label) Creates a label from CtdDissectionCoverage and merges it.
    CtdDissectionEfficiencyModbus
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyModbus_label) Creates a label from CtdDissectionEfficiencyModbus and merges it.
    CtdDissectionEfficiencySmb
    		 principal.resource.attribute.labels (CtdDissectionEfficiencySmb_label) Creates a label from CtdDissectionEfficiencySmb and merges it.
    CtdDissectionEfficiencyDcerpc
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyDcerpc_label) Creates a label from CtdDissectionEfficiencyDcerpc and merges it.
    CtdDissectionEfficiencyZabbix
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyZabbix_label) Creates a label from CtdDissectionEfficiencyZabbix and merges it.
    CtdDissectionEfficiencyFactorytalkRna
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyFactorytalkRna_label) Creates a label from CtdDissectionEfficiencyFactorytalkRna and merges it.
    CtdDissectionEfficiencySsl
    		 principal.resource.attribute.labels (CtdDissectionEfficiencySsl_label) Creates a label from CtdDissectionEfficiencySsl and merges it.
    CtdDissectionEfficiencyVrrpProtocolMatcher
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyVrrpProtocolMatcher_label) Creates a label from CtdDissectionEfficiencyVrrpProtocolMatcher and merges it.
    CtdDissectionEfficiencyRdp
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyRdp_label) Creates a label from CtdDissectionEfficiencyRdp and merges it.
    CtdDissectionEfficiencySsh
    		 principal.resource.attribute.labels (CtdDissectionEfficiencySsh_label) Creates a label from CtdDissectionEfficiencySsh and merges it.
    CtdDissectionEfficiencyHttp
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyHttp_label) Creates a label from CtdDissectionEfficiencyHttp and merges it.
    CtdDissectionEfficiencyTcpHttp
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyTcpHttp_label) Creates a label from CtdDissectionEfficiencyTcpHttp and merges it.
    CtdDissectionEfficiencyLdap
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyLdap_label) Creates a label from CtdDissectionEfficiencyLdap and merges it.
    CtdDissectionEfficiencyJrmi
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyJrmi_label) Creates a label from CtdDissectionEfficiencyJrmi and merges it.
    CtdDissectionEfficiencyGeIfix
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyGeIfix_label) Creates a label from CtdDissectionEfficiencyGeIfix and merges it.
    CtdDissectionEfficiencyLlc
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyLlc_label) Creates a label from CtdDissectionEfficiencyLlc and merges it.
    CtdDissectionEfficiencyMatrikonNopc
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyMatrikonNopc_label) Creates a label from CtdDissectionEfficiencyMatrikonNopc and merges it.
    CtdDissectionEfficiencyVnc
    		 principal.resource.attribute.labels (CtdDissectionEfficiencyVnc_label) Creates a label from CtdDissectionEfficiencyVnc and merges it.
    CtdUnhandledEvents
    		 principal.resource.attribute.labels (CtdUnhandledEvents_label) Creates a label from CtdUnhandledEvents and merges it.
    CtdConcludeTime
    		 principal.resource.attribute.labels (CtdConcludeTime_label) Creates a label from CtdConcludeTime and merges it.
    CtdMysqlQuery
    		 principal.resource.attribute.labels (CtdMysqlQuery_label) Creates a label from CtdMysqlQuery and merges it.
    CtdPostgresQuery
    		 principal.resource.attribute.labels (CtdPostgresQuery_label) Creates a label from CtdPostgresQuery and merges it.
    CtdPsqlIdleSessions
    		 principal.resource.attribute.labels (CtdPsqlIdleSessions_label) Creates a label from CtdPsqlIdleSessions and merges it.
    CtdPsqlIdleInTransactionSessions
    		 principal.resource.attribute.labels (CtdPsqlIdleInTransactionSessions_label) Creates a label from CtdPsqlIdleInTransactionSessions and merges it.
    CtdSnifferStatus
    		 principal.resource.attribute.labels (CtdSnifferStatus_label) Creates a label from CtdSnifferStatus and merges it.
    CtdLoopCallDurationPollObjects
    		 principal.resource.attribute.labels (CtdLoopCallDurationPollObjects_label) Creates a label from CtdLoopCallDurationPollObjects and merges it.
    CtdLoopCallDurationCloudClientWrkrBaseRunCloudConnected
    		 principal.resource.attribute.labels (CtdLoopCallDurationCloudClientWrkrBaseRunCloudConnected_label) Creates a label from CtdLoopCallDurationCloudClientWrkrBaseRunCloudConnected and merges it.
    CtdSnifferStatusCentral
    		 principal.resource.attribute.labels (CtdSnifferStatusCentral_label) Creates a label from CtdSnifferStatusCentral and merges it.
    CtdSnifferStatusSite
    		 principal.resource.attribute.labels (CtdSnifferStatusSite_label) Creates a label from CtdSnifferStatusSite and merges it.
    CtdWrkrMailer
    		 principal.resource.attribute.labels (CtdWrkrMailer_label) Creates a label from CtdWrkrMailer and merges it.
    CtdDroppedEntities
    		 principal.resource.attribute.labels (CtdDroppedEntities_label) Creates a label from CtdDroppedEntities and merges it.
    externalId
    		 metadata.product_log_id Maps externalId to metadata.product_log_id.
    proto
    		 protocol_number_src Converts proto to uppercase and assigns it to protocol_number_src for lookup.
    protocol_number_src
    		 ip_protocol_out; app_protocol_out Initializes ip_protocol_out to UNKNOWN_IP_PROTOCOL and app_protocol_out to UNKNOWN_APPLICATION_PROTOCOL , then updates based on lookup.
    ip_protocol_out
    		 network.ip_protocol Sets network.ip_protocol from ip_protocol_out.
    app_protocol_out
    		 network.application_protocol Sets network.application_protocol from app_protocol_out.
    CtdExternalId
    		 metadata.product_log_id Overwrites metadata.product_log_id with CtdExternalId if provided.
    CtdDeviceExternalId
    		 principal.resource.attribute.labels (ctd_device_label) Creates a label from CtdDeviceExternalId (prefixed with CtdDeviceExternalId ) and merges it.
    (if has_principal_device is true and ctdeventtype = Login )
    		security_result.category; security_result.action For Login events, sets security_result.category to AUTH_VIOLATION and action to BLOCK .
    (if has_principal_device is true and ctdeventtype = Memory Reset )
    		security_result.category Sets security_result.category to SOFTWARE_SUSPICIOUS .
    (if target_machine_id_present is true, has_principal_device is true, and ctdeventtype in [ Known Threat Alert , Known Threat Event , Man-in-the-Middle Attack , Suspicious Activity ])
    		security_result.category Sets security_result.category to NETWORK_MALICIOUS .
    (if target_machine_id_present is true, has_principal_device is true, and ctdeventtype = Suspicious File Transfer )
    		security_result.category Sets security_result.category to NETWORK_SUSPICIOUS .
    (if target_machine_id_present is true, has_principal_device is true, and ctdeventtype = Denial Of Service )
    		security_result.category Sets security_result.category to NETWORK_DENIAL_OF_SERVICE .
    (if has_principal_device is true and ctdeventtype in [ Host Scan , Port Scan ])
    		security_result.category Sets security_result.category to NETWORK_RECON .
    (if target_machine_id_present is true, has_principal_device is true, and ctdeventtype in [ Policy Rule Match , Policy Violation Alert , Policy Violation ])
    		security_result.category Sets security_result.category to POLICY_VIOLATION .
    (default if has_principal_device is true)
    		security_result.category Sets security_result.category to NETWORK_SUSPICIOUS by default.
    Derived security_result_category
    		 security_result.category Merges the derived security category into security_result.category.
    Derived security_result_action
    		 security_result.action Merges the derived security action into security_result.action (if set).
    cs6 (with cs6Label CTDlink )
    		 metadata.url_back_to_product; security_result.url_back_to_product Sets URL fields from cs6 for back-linking to product details.
    cs1 (with cs1Label SourceAssetType )
    		 principal.asset.category; principal.asset.type Sets principal.asset.category from cs1 and determines principal.asset.type based on its value.
    cs2 (with cs2Label DestAssetType )
    		 target.asset.category; target.asset.type Sets target.asset.category from cs2 and determines target.asset.type based on its value.
    cfp1 (with cfp1Label CVEScore )
    		 vulns.vulnerabilities.cvss_base_score Sets vulns.vulnerabilities.cvss_base_score (converted to float) and marks vul_fields_present true.
    cs6 (with cs6Label CVE )
    		 vulns.vulnerabilities.cve_id Sets vulns.vulnerabilities.cve_id and marks vul_fields_present true.
    cn1 (with cn1Label IndicatorScore )
    		 security_result.confidence_score Extracts indicator score from cn1, converts to float, and assigns it as the confidence score.
    filepath
    		 about.file.full_path; security_result.about.file.full_path Maps filepath to about.file.full_path and security_result.about.file.full_path.
    (if eventclass = HealthCheck and cs1Label = Site )
    		intermediary.location.name Sets intermediary.location.name from cs1 when used as a site identifier.
    cn1 (with cn1Label)
    		 additional.fields (cn1_label) Creates an additional field label from cn1 and merges it into additional.fields.
    cs1 (with cs1Label)
    		 additional.fields (cs1_label) Creates an additional field label from cs1 and merges it into additional.fields.
    cs2 (with cs2Label)
    		 additional.fields (cs2_label) Creates an additional field label from cs2 and merges it into additional.fields.
    cs3 (with cs3Label)
    		 additional.fields (cs3_label) Creates an additional field label from cs3 and merges it.
    cs4 (with cs4Label)
    		 additional.fields (cs4_label) Creates an additional field label from cs4 and merges it.
    cs6 (with cs6Label)
    		 additional.fields (cs6_label) Creates an additional field label from cs6 and merges it.
    (for Insight events based on event_name and vul_fields_present)
    		event_type Derives event_type for Insight events (e.g. SCAN_VULN_HOST, STATUS_UNCATEGORIZED, STATUS_UPDATE).
    (for Event/Alert events based on ctdeventtype, has_principal_device, etc.)
    		event_type; (optionally target.resource.type or auth.type) Derives event_type for Event/Alert events such as DEVICE_CONFIG_UPDATE, DEVICE_PROGRAM_DOWNLOAD/UPLOAD, NETWORK_UNCATEGORIZED, USER_RESOURCE_CREATION, SCAN_HOST, SCAN_NETWORK, SETTING_MODIFICATION, USER_LOGIN, NETWORK_CONNECTION or STATUS_UPDATE.
    (if event_type remains empty)
    		event_type Sets event_type to NETWORK_CONNECTION, USER_RESOURCE_ACCESS, or STATUS_UPDATE based on available flags.
    event_type (final)
    		 metadata.event_type Copies the final event_type into metadata.event_type; defaults to GENERIC_EVENT if empty.
    device_vendor
    		 metadata.vendor_name Sets metadata.vendor_name from device_vendor; defaults to CLAROTY if missing.
    device_product
    		 metadata.product_name Sets metadata.product_name from device_product; defaults to CTD if missing.
    device_version
    		 metadata.product_version Sets metadata.product_version from device_version.
    security_description (if matching ET TROJAN … )
    		 security_result.threat_name Extracts threat_name using the pattern ET TROJAN (?P<threat_name>\S+) from security_description and maps it to security_result.threat_name.
    metadata
    		 event.idm.read_only_udm.metadata Renames metadata to event.idm.read_only_udm.metadata.
    principal
    		 event.idm.read_only_udm.principal Renames principal to event.idm.read_only_udm.principal.
    target
    		 event.idm.read_only_udm.target Renames target to event.idm.read_only_udm.target.
    network
    		 event.idm.read_only_udm.network Renames network to event.idm.read_only_udm.network.
    additional
    		 event.idm.read_only_udm.additional Renames additional to event.idm.read_only_udm.additional.
    security_result
    		 event.idm.read_only_udm.security_result Merges security_result into event.idm.read_only_udm.security_result.
    about
    		 event.idm.read_only_udm.about Merges about into event.idm.read_only_udm.about.
    intermediary
    		 event.idm.read_only_udm.intermediary Merges intermediary into event.idm.read_only_udm.intermediary.
    vulns.vulnerabilities
    		 event.idm.read_only_udm.extensions.vulns.vulnerabilities Merges vulns.vulnerabilities into event.idm.read_only_udm.extensions.vulns.vulnerabilities.
    @output
    		 event Merges the complete UDM event structure into the final event field.

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: