Collect CloudPassage Halo logs

This Logstash parser code transforms CloudPassage Halo JSON log data into a unified data model (UDM). It extracts relevant fields from the raw logs, normalizes timestamps, maps data to UDM fields, and enriches events with additional context like severity and user information.

Before you begin

Ensure that you have the following prerequisites:

  • Google SecOps instance.
  • Privileged access to CloudPassage Halo.

Configuring an API key in CloudPassage

  1. Sign in to CloudPassage Halo.
  2. Go to Settings > Site Administration.
  3. Click the API Keys tab.
  4. Click Actions > New Api Key.
  5. Click Show for your key on the API Keys tab to display the values.
  6. Copy both the Key ID and the Secret Key values.

Set up feeds

To configure a feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, CloudPassage Logs).
  5. Select Third party API as the Source type.
  6. Select Cloud Passage as the Log type.
  7. Click Next.
  8. Specify values for the following input parameters:
    • Username: enter the Key ID.
    • Secret: enter the Secret Key.
    • Event Types: type of events to include (if you don't specify event types, default events from the list will be used).
  9. Click Next.
  10. Review the feed configuration on the Finalize screen, and then click Submit.

UDM Mapping Table

Log Field | UDM Mapping | Logic
actor_country | principal.location.country_or_region | Directly mapped from the actor_country field in the raw log.
actor_ip_address | principal.ip | Directly mapped from the actor_ip_address field in the raw log.
actor_username | principal.user.userid | Directly mapped from the actor_username field in the raw log.
created_at | metadata.event_timestamp | Converted to UDM timestamp format from the created_at field in the raw log.
critical | security_result.severity | If critical is true, severity is set to "CRITICAL". Otherwise, it is set to "INFORMATIONAL" for events and calculated from the findings counts for scans.
id | metadata.product_log_id | Directly mapped from the id field in the raw log for events.
message | security_result.description | Description extracted from the message field using a grok pattern.
name | security_result.summary | Directly mapped from the name field in the raw log for events.
policy_name | security_result.detection_fields.policy_name | Directly mapped from the policy_name field in the raw log.
rule_name | security_result.rule_name | Directly mapped from the rule_name field in the raw log.
scan.created_at | metadata.event_timestamp | Converted to UDM timestamp format from the scan.created_at field in the raw log for scans.
scan.critical_findings_count | security_result.description | Used to calculate the description for scan events. Also used to determine the severity level.
scan.module | security_result.summary | Used to generate the summary for scan events. Converted to uppercase.
scan.non_critical_findings_count | security_result.description | Used to calculate the description for scan events. Also used to determine the severity level.
scan.ok_findings_count | security_result.description | Used to calculate the description for scan events.
scan.server_hostname | target.hostname | Directly mapped from the scan.server_hostname field in the raw log for scans.
scan.status | security_result.summary | Used to generate the summary for scan events.
scan.url | metadata.url_back_to_product | Directly mapped from the scan.url field in the raw log for scans.
server_group_name | target.group.attribute.labels.server_group_name | Directly mapped from the server_group_name field in the raw log.
server_group_path | target.group.product_object_id | Directly mapped from the server_group_path field in the raw log.
server_hostname | target.hostname | Directly mapped from the server_hostname field in the raw log for events.
server_ip_address | target.ip | Directly mapped from the server_ip_address field in the raw log.
server_platform | target.platform | Directly mapped from the server_platform field in the raw log. Converted to uppercase.
server_primary_ip_address | target.ip | Directly mapped from the server_primary_ip_address field in the raw log.
server_reported_fqdn | network.dns.authority.name | Directly mapped from the server_reported_fqdn field in the raw log.
target_username | target.user.userid | Directly mapped from the target_username field in the raw log.
(none) | metadata.event_type | Set to "SCAN_UNCATEGORIZED" for events and "SCAN_HOST" for scans.
(none) | metadata.log_type | Set to "CLOUD_PASSAGE".
(none) | metadata.product_name | Set to "HALO".
(none) | metadata.vendor_name | Set to "CLOUDPASSAGE".
(none) | principal.hostname | Copied from target.hostname.
(none) | security_result.action | Set to "UNKNOWN_ACTION".
(none) | security_result.category | Set to "POLICY_VIOLATION".
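The following Python script is an added illustration of the mapping table above; it is not the Google SecOps parser and not CloudPassage code. It applies the table's rules to two constructed sample records (one Halo event, one scan) so you can see which UDM fields a record produces before enabling the feed. The page does not spell out the exact scan severity formula, the scan description format, the summary format or the grok pattern used on message; the versions below are assumptions and are marked as such in the code.

```python
"""Added example: a Python model of the CloudPassage Halo -> UDM mapping.
Not the Google SecOps parser. Flat dotted keys stand in for UDM paths."""
import re
from datetime import datetime, timezone

# Constant fields from the mapping table, applied to every record.
CONSTANT_FIELDS = {
    "metadata.log_type": "CLOUD_PASSAGE",
    "metadata.product_name": "HALO",
    "metadata.vendor_name": "CLOUDPASSAGE",
    "security_result.action": "UNKNOWN_ACTION",
    "security_result.category": "POLICY_VIOLATION",
}

# Direct one-to-one mappings from the table (raw field -> UDM field).
DIRECT_FIELDS = {
    "actor_country": "principal.location.country_or_region",
    "actor_ip_address": "principal.ip",
    "actor_username": "principal.user.userid",
    "id": "metadata.product_log_id",
    "name": "security_result.summary",
    "policy_name": "security_result.detection_fields.policy_name",
    "rule_name": "security_result.rule_name",
    "server_group_name": "target.group.attribute.labels.server_group_name",
    "server_group_path": "target.group.product_object_id",
    "server_hostname": "target.hostname",
    "server_ip_address": "target.ip",
    "server_primary_ip_address": "target.ip",
    "server_reported_fqdn": "network.dns.authority.name",
    "target_username": "target.user.userid",
}
# The table marks these three as event-only; they are skipped for scans.
EVENT_ONLY_FIELDS = {"id", "name", "server_hostname"}

# ASSUMPTION: the page only says a grok pattern extracts the description.
# Here the description is the text after an optional "<prefix>: ".
MESSAGE_PATTERN = re.compile(r"^(?:[^:]+:\s*)?(?P<description>.+)$")


def to_udm_timestamp(value):
    """Normalize an ISO-8601 string (with Z or a UTC offset) to RFC 3339 UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def scan_severity(critical_count, non_critical_count):
    """ASSUMPTION: scan severity derived from findings counts; the page does
    not give the exact thresholds."""
    if critical_count > 0:
        return "CRITICAL"
    if non_critical_count > 0:
        return "MEDIUM"
    return "INFORMATIONAL"


def _apply_direct(raw, udm, skip=()):
    """Copy direct mappings; target.ip is repeated in UDM, so collect a list."""
    for src, dst in DIRECT_FIELDS.items():
        if src in skip or raw.get(src) in (None, ""):
            continue
        if dst == "target.ip":
            ips = udm.setdefault(dst, [])
            if raw[src] not in ips:
                ips.append(raw[src])
        else:
            udm[dst] = raw[src]


def map_event(raw):
    """Map a Halo event record (constructed shape) to flat UDM fields."""
    udm = dict(CONSTANT_FIELDS)
    udm["metadata.event_type"] = "SCAN_UNCATEGORIZED"
    _apply_direct(raw, udm)
    if raw.get("server_platform"):
        udm["target.platform"] = str(raw["server_platform"]).upper()
    if raw.get("created_at"):
        udm["metadata.event_timestamp"] = to_udm_timestamp(raw["created_at"])
    udm["security_result.severity"] = "CRITICAL" if raw.get("critical") else "INFORMATIONAL"
    if raw.get("message"):
        udm["security_result.description"] = MESSAGE_PATTERN.match(raw["message"]).group("description")
    if "target.hostname" in udm:
        udm["principal.hostname"] = udm["target.hostname"]
    return udm


def map_scan(raw):
    """Map a Halo scan record (constructed shape, nested under 'scan')."""
    scan = raw["scan"]
    udm = dict(CONSTANT_FIELDS)
    udm["metadata.event_type"] = "SCAN_HOST"
    _apply_direct(raw, udm, skip=EVENT_ONLY_FIELDS)
    udm["metadata.event_timestamp"] = to_udm_timestamp(scan["created_at"])
    udm["metadata.url_back_to_product"] = scan["url"]
    udm["target.hostname"] = scan["server_hostname"]
    udm["principal.hostname"] = scan["server_hostname"]
    crit = int(scan.get("critical_findings_count", 0))
    noncrit = int(scan.get("non_critical_findings_count", 0))
    ok = int(scan.get("ok_findings_count", 0))
    # ASSUMPTION: summary and description formats are not given on the page.
    udm["security_result.summary"] = f"{scan['module'].upper()} {scan['status']}"
    udm["security_result.description"] = f"critical={crit} non_critical={noncrit} ok={ok}"
    udm["security_result.severity"] = scan_severity(crit, noncrit)
    return udm


# Constructed sample records (not real Halo output; values are placeholders).
SAMPLE_EVENT = {
    "id": "evt-0001", "created_at": "2024-01-15T10:20:30Z", "critical": True,
    "name": "File integrity change", "message": "Server web-01: /etc/passwd modified",
    "actor_username": "alice", "actor_ip_address": "203.0.113.10", "actor_country": "US",
    "server_hostname": "web-01", "server_ip_address": "10.0.0.5",
    "server_primary_ip_address": "10.0.0.5", "server_platform": "linux",
    "server_group_name": "web-tier", "server_group_path": "/prod/web",
    "policy_name": "CIS Linux", "rule_name": "passwd-integrity",
}
SAMPLE_SCAN = {"scan": {
    "created_at": "2024-01-15T11:00:00+02:00", "module": "svm", "status": "completed",
    "server_hostname": "db-01", "url": "https://halo.example.invalid/scans/PLACEHOLDER",
    "critical_findings_count": 0, "non_critical_findings_count": 3, "ok_findings_count": 40,
}}

if __name__ == "__main__":
    for record in (map_event(SAMPLE_EVENT), map_scan(SAMPLE_SCAN)):
        for key in sorted(record):
            print(f"{key} = {record[key]}")
        print()
```

Because both server_ip_address and server_primary_ip_address map to target.ip, the script collects them into a list rather than letting one overwrite the other; when the same address appears in both fields it is kept once. Timestamps with a non-UTC offset are shifted to UTC before formatting, so an event at 11:00 +02:00 lands in metadata.event_timestamp as 09:00Z.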
