Collect CloudPassage Halo logs
This Logstash parser code transforms CloudPassage Halo JSON log data into a unified data model (UDM). It extracts relevant fields from the raw logs, normalizes timestamps, maps data to UDM fields, and enriches events with additional context like severity and user information.
Before you begin
Ensure that you have the following prerequisites:
- Google SecOps instance.
- Privileged access to CloudPassage Halo.
Configuring an API key in CloudPassage
- Sign in to CloudPassage Halo.
- Go to Settings > Site Administration.
- Click the API Keys tab.
- Click Actions > New Api Key.
- Click Show for your key on the API Keys tab to display values.
- Copy both the Key ID and the Secret Key values.
Set up feeds
There are two different entry points to set up feeds in the Google SecOps platform:
- SIEM Settings > Feeds
- Content Hub > Content Packs
Set up feeds from SIEM Settings > Feeds
To configure a feed, follow these steps:
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, CloudPassage Logs).
- Select Third party API as the Source type.
- Select Cloud Passage as the Log type.
- Click Next.
- Specify values for the following input parameters:
- Username: enter the Key ID.
- Secret: enter the Secret Key.
- Event Types: type of events to include (if you don't specify event types, default events from the list will be used).
- Click Next.
- Review the feed configuration in the Finalize screen, and then click Submit.
Set up feeds from the Content Hub
Specify values for the following fields:
- Username: enter the Key ID.
- Secret: enter the Secret Key.
- Event Types: type of events to include (if you don't specify event types, default events from the list will be used).
Advanced options
- Feed Name: A prepopulated value that identifies the feed.
- Source Type: Method used to collect logs into Google SecOps.
- Asset Namespace: Namespace associated with the feed.
- Ingestion Labels: Labels applied to all events from this feed.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
actor_country | principal.location.country_or_region | Directly mapped from the actor_country field in the raw log. |
actor_ip_address | principal.ip | Directly mapped from the actor_ip_address field in the raw log. |
actor_username | principal.user.userid | Directly mapped from the actor_username field in the raw log. |
created_at | metadata.event_timestamp | Converted to UDM timestamp format from the created_at field in the raw log. |
critical | security_result.severity | If critical is true, severity is set to "CRITICAL". Otherwise, it's set to "INFORMATIONAL" for events and calculated based on findings count for scans. |
id | metadata.product_log_id | Directly mapped from the id field in the raw log for events. |
message | security_result.description | Extracted description from the message field using grok pattern. |
name | security_result.summary | Directly mapped from the name field in the raw log for events. |
policy_name | security_result.detection_fields.policy_name | Directly mapped from the policy_name field in the raw log. |
rule_name | security_result.rule_name | Directly mapped from the rule_name field in the raw log. |
scan.created_at | metadata.event_timestamp | Converted to UDM timestamp format from the scan.created_at field in the raw log for scans. |
scan.critical_findings_count | security_result.description | Used to calculate the description for scan events. Also used to determine the severity level. |
scan.module | security_result.summary | Used to generate the summary for scan events. Converted to uppercase. |
scan.non_critical_findings_count | security_result.description | Used to calculate the description for scan events. Also used to determine the severity level. |
scan.ok_findings_count | security_result.description | Used to calculate the description for scan events. |
scan.server_hostname | target.hostname | Directly mapped from the scan.server_hostname field in the raw log for scans. |
scan.status | security_result.summary | Used to generate the summary for scan events. |
scan.url | metadata.url_back_to_product | Directly mapped from the scan.url field in the raw log for scans. |
server_group_name | target.group.attribute.labels.server_group_name | Directly mapped from the server_group_name field in the raw log. |
server_group_path | target.group.product_object_id | Directly mapped from the server_group_path field in the raw log. |
server_hostname | target.hostname | Directly mapped from the server_hostname field in the raw log for events. |
server_ip_address | target.ip | Directly mapped from the server_ip_address field in the raw log. |
server_platform | target.platform | Directly mapped from the server_platform field in the raw log. Converted to uppercase. |
server_primary_ip_address | target.ip | Directly mapped from the server_primary_ip_address field in the raw log. |
server_reported_fqdn | network.dns.authority.name | Directly mapped from the server_reported_fqdn field in the raw log. |
target_username | target.user.userid | Directly mapped from the target_username field in the raw log. |
(none) | metadata.event_type | Set to "SCAN_UNCATEGORIZED" for events and "SCAN_HOST" for scans. |
(none) | metadata.log_type | Set to "CLOUD_PASSAGE". |
(none) | metadata.product_name | Set to "HALO". |
(none) | metadata.vendor_name | Set to "CLOUDPASSAGE". |
(none) | principal.hostname | Copied from target.hostname. |
(none) | security_result.action | Set to "UNKNOWN_ACTION". |
(none) | security_result.category | Set to "POLICY_VIOLATION". |
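The following Python function is an added illustration of the mapping table above, not the Google SecOps parser itself: it applies the documented field mappings to one Halo event record and one scan record. The sample records are constructed, and the scan severity thresholds, the description wording and the message grok pattern are assumptions because the table only says they are "calculated" or "extracted".

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not real Halo output), shaped after the table's log fields.
EVENT = {"id": "evt-1", "name": "Login failure", "critical": True,
         "created_at": "2024-05-01T12:34:56.000Z", "actor_username": "alice",
         "actor_ip_address": "203.0.113.7", "actor_country": "US",
         "server_hostname": "web-01", "server_ip_address": "10.0.0.5",
         "server_platform": "linux", "message": "Login failure: bad password"}
SCAN = {"scan": {"created_at": "2024-05-01T13:00:00.000Z", "module": "sva",
                 "status": "completed", "server_hostname": "web-01",
                 "url": "https://halo.example/scans/1",
                 "critical_findings_count": 0, "non_critical_findings_count": 3,
                 "ok_findings_count": 40}}

def udm_ts(value):
    """Timestamp conversion: parse the Halo ISO-8601 value and re-emit it as UTC RFC 3339."""
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def halo_to_udm(raw):
    """Map one Halo record (event or scan) to the UDM fields listed in the table."""
    md = {"log_type": "CLOUD_PASSAGE", "product_name": "HALO", "vendor_name": "CLOUDPASSAGE"}
    sr = {"action": "UNKNOWN_ACTION", "category": "POLICY_VIOLATION"}
    principal, target = {}, {}
    if "scan" in raw:  # scan record
        s = raw["scan"]
        counts = ("critical_findings_count", "non_critical_findings_count", "ok_findings_count")
        crit, non, ok = (s.get(k, 0) for k in counts)
        md.update(event_type="SCAN_HOST", event_timestamp=udm_ts(s["created_at"]),
                  url_back_to_product=s["url"])
        sr["summary"] = f"{s['module'].upper()} scan {s['status']}"  # module uppercased
        sr["description"] = f"critical={crit} non_critical={non} ok={ok}"  # assumed wording
        # Assumed thresholds: the page only says severity is "calculated based on findings count".
        sr["severity"] = "CRITICAL" if crit else ("MEDIUM" if non else "INFORMATIONAL")
        target["hostname"] = s["server_hostname"]
    else:  # event record
        md.update(event_type="SCAN_UNCATEGORIZED", product_log_id=raw["id"],
                  event_timestamp=udm_ts(raw["created_at"]))
        sr["summary"] = raw["name"]
        sr["severity"] = "CRITICAL" if raw.get("critical") else "INFORMATIONAL"
        # Assumed grok: the description is the text after the first "label: " prefix.
        m = re.match(r"^[^:]+:\s*(?P<desc>.+)$", raw.get("message", ""))
        sr["description"] = m["desc"] if m else raw.get("message", "")
        principal.update(user={"userid": raw["actor_username"]}, ip=raw["actor_ip_address"],
                         location={"country_or_region": raw["actor_country"]})
        target.update(hostname=raw["server_hostname"], ip=raw["server_ip_address"],
                      platform=raw["server_platform"].upper())
    principal["hostname"] = target["hostname"]  # principal.hostname is copied from target
    return {"metadata": md, "security_result": sr, "principal": principal, "target": target}
```

Running `halo_to_udm` over a few exported records is a quick way to confirm that the feed's events will carry the severity and hostname fields your detection rules expect before you rely on them.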