Collect Fortra Digital Guardian DLP logs
Supported in:
This document explains how to collect Fortra Digital Guardian DLP logs to Google Security Operations using a Bindplane agent. The parser code transforms raw JSON formatted logs into a unified data model (UDM). It first extracts fields from the raw JSON, performs data cleaning and normalization, then maps the extracted fields to their corresponding UDM attributes, enriching the data with specific event types based on the identified activity.
Before you begin
- Ensure that you have a Google Security Operations instance.
- Ensure that you are using Windows 2016 or later, or a Linux host with
systemd. - If running behind a proxy, ensure firewall ports are open.
- Ensure that you have privileged access to Fortra Digital Guardian DLP.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer IDfrom the Organization Detailssection.
Install the Bindplane agent
Windows installation
- Open the Command Promptor PowerShellas an administrator.
-
Run the following command:
msiexec / i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" / quiet
Linux installation
- Open a terminal with root or sudo privileges.
-
Run the following command:
sudo sh -c " $( curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) " install_unix.sh
Additional installation resources
- For additional installation options, consult this installation guide .
Configure the Bindplane agent to ingest Syslog and send to Google SecOps
-
Access the configuration file:
- Locate the
config.yamlfile. Typically, it's in the/etc/bindplane-agent/directory on Linux or in the installation directory on Windows. - Open the file using a text editor (for example,
nano,vi, or Notepad).
- Locate the
-
Edit the
config.yamlfile as follows:receivers : udplog : # Replace the port and IP address as required listen_address : "0.0.0.0:514" exporters : chronicle/chronicle_w_labels : compression : gzip # Adjust the path to the credentials file you downloaded in Step 1 creds : '/path/to/ingestion-authentication-file.json' # Replace with your actual customer ID from Step 2 customer_id : < customer_id > endpoint : malachiteingestion-pa.googleapis.com # Add optional ingestion labels for better organization ingestion_labels : log_type : DIGITALGUARDIAN_DLP raw_log_field : body service : pipelines : logs/source0__chronicle_w_labels-0 : receivers : - udplog exporters : - chronicle/chronicle_w_labels -
Replace the port and IP address as required in your infrastructure.
-
Replace
<customer_id>with the actual customer ID. -
Update
/path/to/ingestion-authentication-file.jsonto the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.
Restart the Bindplane agent to apply the changes
-
To restart the Bindplane agent in Linux, run the following command:
sudo systemctl restart bindplane-agent -
To restart the Bindplane agent in Windows, you can either use the Servicesconsole or enter the following command:
net stop BindPlaneAgent && net start BindPlaneAgent
Configure Fortra Digital Guardian Syslog Export
- Sign in to the Digital Guardian Management Console.
- Go to Workspace > Data Export > Create Export.
- Select Alertsor Eventsas the data source from the Data Sourceslist.
- Select Syslogas the Export Type.
-
From the Type list, select UDP(you can also select TCP as the transport protocol, depending on your Bindplane configuration).
-
Under the Serverfield, enter the Bindplane agent IP address.
-
In the Portfield, enter
514(you can provide another port, depending on your Bindplane agent configuration). -
Select a severity level, from the Severity Levellist.
-
Select the Is Activecheckbox.
-
Click Next.
-
From the list of available fields, add AllAlert and Event fields for the data export.
-
Select Criteriafor the fields in your data export.
-
Click Next.
-
Select a Groupfor the criteria.
-
Click Next.
-
Click Test Query.
-
Click Next.
-
Click Save.
UDM Mapping Table
| Log Field | UDM Mapping | Logic |
|---|---|---|
|
Agent Version
|
observer.platform_version | Directly mapped from raw log field Agent Version
. |
|
Application
|
principal.process.command_line | Directly mapped from raw log field Application
if not empty. |
|
Command Line
|
target.process.command_line | Directly mapped from raw log field Command Line
. |
|
Company Name
|
principal.user.company_name | Directly mapped from raw log field Company Name
. |
|
Computer Name
|
principal.hostname | Directly mapped from raw log field Computer Name
. |
|
DNS Hostname
|
target.asset.hostname | Directly mapped from raw log field DNS Hostname
. |
|
Destination Drive Type
|
about.labels.value | Directly mapped from raw log field Destination Drive Type
. The corresponding key is set to Destination Drive Type
. |
|
Destination File Extension
|
target.file.mime_type | Directly mapped from raw log field Destination File Extension
if it's not no extension
or [no extension]
. |
|
Destination File Path
|
target.file.full_path | Directly mapped from raw log field Destination File Path
. |
|
Device GUID
|
src.resource.id | Mapped from raw log field Device GUID
with prefix GUID:
. |
|
Email Sender
|
network.email.from | Directly mapped from raw log field Email Sender
if not empty. |
|
Email Subject
|
network.email.subject | Directly mapped from raw log field Email Subject
if Email Sender
is not empty. |
|
Event Display Name
|
target.resource.type | Directly mapped from raw log field Event Display Name
. |
|
Event Time
|
metadata.event_timestamp.seconds | Converted to timestamp from raw log field Event Time
using formats yyyy-MM-dd HH:mm:ss A
and TIMESTAMP_ISO8601
. |
|
File Description
|
metadata.description | Directly mapped from raw log field File Description
. |
|
File Size
|
about.labels.value | Directly mapped from raw log field File Size
. The corresponding key is set to File Size
. |
|
File Version
|
about.labels.value | Directly mapped from raw log field File Version
. The corresponding key is set to File Version
. |
|
IP Address
|
principal.ip | Directly mapped from raw log field IP Address
if Source IP Address
is empty. |
|
Local Port
|
principal.port | Directly mapped from raw log field Local Port
if not empty and converted to integer. |
|
MAC Address
|
target.mac | Directly mapped from raw log field MAC Address
if not empty. |
|
Machine ID
|
principal.asset.asset_id | Mapped from raw log field Machine ID
with prefix MachineId:
. |
|
Machine Type
|
principal.asset.category | Directly mapped from raw log field Machine Type
. |
|
MD5 Hash
|
target.process.file.md5 | Directly mapped from raw log field MD5 Hash
after converting to lowercase. |
|
Network Direction
|
network.direction | Mapped from raw log field Network Direction
. If Inbound
, set to INBOUND
. If Outbound
, set to OUTBOUND
. |
|
Operation Type
|
security_result.action_details | Directly mapped from raw log field Operation Type
. |
|
Parent Application
|
principal.process.parent_process.command_line | Directly mapped from raw log field Parent Application
if not empty. |
|
Parent MD5 Hash
|
target.process.parent_process.file.md5 | Directly mapped from raw log field Parent MD5 Hash
after converting to lowercase if it matches a hexadecimal string pattern. |
|
Process Domain
|
target.administrative_domain | Directly mapped from raw log field Process Domain
. |
|
Process File Extension
|
target.process.file.mime_type | Directly mapped from raw log field Process File Extension
if it's not no extension
or [no extension]
. |
|
Process Path
|
target.process.file.full_path | Directly mapped from raw log field Process Path
. |
|
Process PID
|
principal.process.pid | Directly mapped from raw log field Process PID
after converting to string. |
|
Product Name
|
metadata.product_name | Directly mapped from raw log field Product Name
. |
|
Product Version
|
metadata.product_version | Directly mapped from raw log field Product Version
. |
|
Protocol
|
network.application_protocol | If HTTP
or HTTPS
, set to HTTPS
. |
|
Printer Name
|
src.resource.name | Directly mapped from raw log field Printer Name
. |
|
Remote Port
|
target.port | Directly mapped from raw log field Remote Port
if not empty and converted to integer. |
|
SHA1 Hash
|
target.process.file.sha1 | Directly mapped from raw log field SHA1 Hash
after converting to lowercase. |
|
SHA256 Hash
|
target.process.file.sha256 | Directly mapped from raw log field SHA256 Hash
after converting to lowercase. |
|
Signature Issuer
|
network.tls.server.certificate.issuer | Directly mapped from raw log field Signature Issuer
. |
|
Signature Subject
|
network.tls.server.certificate.subject | Directly mapped from raw log field Signature Subject
. |
|
Source File Extension
|
src.file.mime_type | Directly mapped from raw log field Source File Extension
if it's not no extension
or [no extension]
. |
|
Source File Path
|
src.file.full_path | Directly mapped from raw log field Source File Path
. |
|
Source IP Address
|
principal.ip | Directly mapped from raw log field Source IP Address
if not empty. |
|
Total Size
|
about.labels.value | Directly mapped from raw log field Total Size
. The corresponding key is set to Total Size
. |
|
URL Path
|
target.url | Directly mapped from raw log field URL Path
. |
|
Unique ID
|
metadata.product_log_id | Directly mapped from raw log field Unique ID
. |
|
User
|
principal.user.userid | Directly mapped from raw log field User
. |
|
Was Detail Blocked
|
security_result.action | If Yes
, set to BLOCK
. If No
, set to ALLOW
. |
|
dg_dst_dev.dev_prdname
|
target.asset.hardware.model | Directly mapped from raw log field dg_dst_dev.dev_prdname
. |
|
dg_dst_dev.dev_sernum
|
target.asset.hardware.serial_number | Directly mapped from raw log field dg_dst_dev.dev_sernum
. |
|
dg_recipients.uad_mr
|
network.email.to | Directly mapped from raw log field dg_recipients.uad_mr
if it matches an email address pattern. |
|
dg_src_dev.dev_prdname
|
principal.asset.hardware.model | Directly mapped from raw log field dg_src_dev.dev_prdname
. |
|
dg_src_dev.dev_sernum
|
principal.asset.hardware.serial_number | Directly mapped from raw log field dg_src_dev.dev_sernum
. |
|
metadata.event_type
|
metadata.event_type | Set to GENERIC_EVENT
initially. Changed based on specific conditions:- NETWORK_HTTP
: if hostname, HTTP/HTTPS protocol, and MAC address are present.- FILE_COPY
: if destination and source file paths exist and Operation Type
is File Copy
.- FILE_MOVE
: if destination and source file paths exist and Operation Type
is File Move
.- FILE_UNCATEGORIZED
: if destination file path, process path/command line exist, and Operation Type
contains File
.- USER_LOGOUT
: if user ID exists and Operation Type
contains Logoff
.- USER_LOGIN
: if user ID exists and Operation Type
contains Logon
.- NETWORK_UNCATEGORIZED
: if process path/command line, process ID, outbound network direction, and MAC address are present.- SCAN_PROCESS
: if process path/command line and process ID are present.- PROCESS_UNCATEGORIZED
: if process path/command line exists. |
|
metadata.log_type
|
metadata.log_type | Set to DIGITALGUARDIAN_DLP
. |
|
metadata.product_log_id
|
metadata.product_log_id | Directly mapped from raw log field Unique ID
. |
|
metadata.product_name
|
metadata.product_name | Directly mapped from raw log field Product Name
. |
|
metadata.product_version
|
metadata.product_version | Directly mapped from raw log field Product Version
. |
|
metadata.vendor_name
|
metadata.vendor_name | Set to DigitalGuardian
. |
|
network.application_protocol
|
network.application_protocol | Set to HTTPS
if Protocol
is HTTP
or HTTPS
. |
|
network.direction
|
network.direction | Mapped from raw log field Network Direction
. If Inbound
, set to INBOUND
. If Outbound
, set to OUTBOUND
. |
|
network.email.from
|
network.email.from | Directly mapped from raw log field Email Sender
if not empty. |
|
network.email.subject
|
network.email.subject | Directly mapped from raw log field Email Subject
if Email Sender
is not empty. |
|
network.email.to
|
network.email.to | Directly mapped from raw log field dg_recipients.uad_mr
if it matches an email address pattern. |
|
network.tls.server.certificate.issuer
|
network.tls.server.certificate.issuer | Directly mapped from raw log field Signature Issuer
. |
|
network.tls.server.certificate.subject
|
network.tls.server.certificate.subject | Directly mapped from raw log field Signature Subject
. |
|
observer.platform_version
|
observer.platform_version | Directly mapped from raw log field Agent Version
. |
|
principal.asset.asset_id
|
principal.asset.asset_id | Mapped from raw log field Machine ID
with prefix MachineId:
. |
|
principal.asset.category
|
principal.asset.category | Directly mapped from raw log field Machine Type
. |
|
principal.asset.hardware.model
|
principal.asset.hardware.model | Directly mapped from raw log field dg_src_dev.dev_prdname
. |
|
principal.asset.hardware.serial_number
|
principal.asset.hardware.serial_number | Directly mapped from raw log field dg_src_dev.dev_sernum
. |
|
principal.hostname
|
principal.hostname | Directly mapped from raw log field Computer Name
. |
|
principal.ip
|
principal.ip | Directly mapped from raw log field Source IP Address
if not empty. Otherwise, mapped from IP Address
if not empty. |
|
principal.port
|
principal.port | Directly mapped from raw log field Local Port
if not empty and converted to integer. |
|
principal.process.command_line
|
principal.process.command_line | Directly mapped from raw log field Application
if not empty. |
|
principal.process.parent_process.command_line
|
principal.process.parent_process.command_line | Directly mapped from raw log field Parent Application
if not empty. |
|
principal.process.parent_process.file.md5
|
principal.process.parent_process.file.md5 | Directly mapped from raw log field Parent MD5 Hash
after converting to lowercase if it matches a hexadecimal string pattern. |
|
principal.process.pid
|
principal.process.pid | Directly mapped from raw log field Process PID
after converting to string. |
|
principal.user.company_name
|
principal.user.company_name | Directly mapped from raw log field Company Name
. |
|
principal.user.userid
|
principal.user.userid | Directly mapped from raw log field User
. |
|
security_result.action
|
security_result.action | If Was Detail Blocked
is Yes
, set to BLOCK
. If Was Detail Blocked
is No
, set to ALLOW
. |
|
security_result.action_details
|
security_result.action_details | Directly mapped from raw log field Operation Type
. |
|
src.file.full_path
|
src.file.full_path | Directly mapped from raw log field Source File Path
. |
|
src.file.mime_type
|
src.file.mime_type | Directly mapped from raw log field Source File Extension
if it's not no extension
or [no extension]
. |
|
src.resource.id
|
src.resource.id | Mapped from raw log field Device GUID
with prefix GUID:
. |
|
src.resource.name
|
src.resource.name | Directly mapped from raw log field Printer Name
. |
|
target.administrative_domain
|
target.administrative_domain | Directly mapped from raw log field Process Domain
. |
|
target.asset.hardware.model
|
target.asset.hardware.model | Directly mapped from raw log field dg_dst_dev.dev_prdname
. |
|
target.asset.hardware.serial_number
|
target.asset.hardware.serial_number | Directly mapped from raw log field dg_dst_dev.dev_sernum
. |
|
target.asset.hostname
|
target.asset.hostname | Directly mapped from raw log field DNS Hostname
. |
|
target.asset.product_object_id
|
target.asset.product_object_id | Directly mapped from raw log field Adapter Name
. |
|
target.file.full_path
|
target.file.full_path | Directly mapped from raw log field Destination File Path
. |
|
target.file.mime_type
|
target.file.mime_type | Directly mapped from raw log field Destination File Extension
if it's not no extension
or [no extension]
. |
|
target.mac
|
target.mac | Directly mapped from raw log field MAC Address
if not empty. |
|
target.port
|
target.port | Directly mapped from raw log field Remote Port
if not empty and converted to integer. |
|
target.process.command_line
|
target.process.command_line | Directly mapped from raw log field Command Line
. |
|
target.process.file.full_path
|
target.process.file.full_path | Directly mapped from raw log field Process Path
. |
|
target.process.file.md5
|
target.process.file.md5 | Directly mapped from raw log field MD5 Hash
after converting to lowercase. |
|
target.process.file.mime_type
|
target.process.file.mime_type | Directly mapped from raw log field Process File Extension
if it's not no extension
or [no extension]
. |
|
target.process.file.sha1
|
target.process.file.sha1 | Directly mapped from raw log field SHA1 Hash
after converting to lowercase. |
|
target.process.file.sha256
|
target.process.file.sha256 | Directly mapped from raw log field SHA256 Hash
after converting to lowercase. |
|
target.process.parent_process.command_line
|
target.process.parent_process.command_line | Directly mapped from raw log field Parent Application
if not empty. |
|
target.process.parent_process.file.md5
|
target.process.parent_process.file.md5 | Directly mapped from raw log field Parent MD5 Hash
after converting to lowercase if it matches a hexadecimal string pattern. |
|
target.resource.type
|
target.resource.type | Directly mapped from raw log field Event Display Name
. |
|
target.url
|
target.url | Directly mapped from raw log field URL Path
. |
|
extensions.auth.type
|
extensions.auth.type | Set to AUTHTYPE_UNSPECIFIED
if Operation Type
is User Logoff
or User Logon
. |
Need more help? Get answers from Community members and Google SecOps professionals.
