Collect Fortra Digital Guardian DLP logs

Supported in:

This document explains how to collect Fortra Digital Guardian DLP logs to Google Security Operations using a Bindplane agent. The parser code transforms raw JSON formatted logs into a unified data model (UDM). It first extracts fields from the raw JSON, performs data cleaning and normalization, then maps the extracted fields to their corresponding UDM attributes, enriching the data with specific event types based on the identified activity.

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open.
  • Ensure that you have privileged access to Fortra Digital Guardian DLP.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.

  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Linux installation

  1. Open a terminal with root or sudo privileges.

  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Additional installation resources

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, nano, vi, or Notepad).

  2. Edit the config.yaml file as follows:

    receivers:
    udplog:
        # Replace the port and IP address as required
        listen_address: "0.0.0.0:514"

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the path to the credentials file you downloaded in Step 1
        creds: '/path/to/ingestion-authentication-file.json'
        # Replace with your actual customer ID from Step 2
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        # Add optional ingestion labels for better organization
        ingestion_labels:
            log_type: DIGITALGUARDIAN_DLP
            raw_log_field: body

service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - udplog
            exporters:
                - chronicle/chronicle_w_labels

  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent

  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent

Configure Fortra Digital Guardian Syslog Export

  1. Sign in to the Digital Guardian Management Console.
  2. Go to Workspace > Data Export > Create Export.
  3. Select Alerts or Events as the data source from the Data Sources list.
  4. Select Syslog as the Export Type.

  5. From the Type list, select UDP (you can also select TCP as the transport protocol, depending on your Bindplane configuration).

  6. Under the Server field, enter the Bindplane agent IP address.

  7. In the Port field, enter 514 (you can provide another port, depending on your Bindplane agent configuration).

  8. Select a severity level, from the Severity Level list.

  9. Select the Is Active checkbox.

  10. Click Next.

  11. From the list of available fields, add All Alert and Event fields for the data export.

  12. Select Criteria for the fields in your data export.

  13. Click Next.

  14. Select a Group for the criteria.

  15. Click Next.

  16. Click Test Query.

  17. Click Next.

  18. Click Save.

UDM Mapping Table

Log Field UDM Mapping Logic
Agent Version observer.platform_version Directly mapped from raw log field Agent Version.
Application principal.process.command_line Directly mapped from raw log field Application if not empty.
Command Line target.process.command_line Directly mapped from raw log field Command Line.
Company Name principal.user.company_name Directly mapped from raw log field Company Name.
Computer Name principal.hostname Directly mapped from raw log field Computer Name.
DNS Hostname target.asset.hostname Directly mapped from raw log field DNS Hostname.
Destination Drive Type about.labels.value Directly mapped from raw log field Destination Drive Type. The corresponding key is set to Destination Drive Type.
Destination File Extension target.file.mime_type Directly mapped from raw log field Destination File Extension if it's not no extension or [no extension].
Destination File Path target.file.full_path Directly mapped from raw log field Destination File Path.
Device GUID src.resource.id Mapped from raw log field Device GUID with prefix GUID:.
Email Sender network.email.from Directly mapped from raw log field Email Sender if not empty.
Email Subject network.email.subject Directly mapped from raw log field Email Subject if Email Sender is not empty.
Event Display Name target.resource.type Directly mapped from raw log field Event Display Name.
Event Time metadata.event_timestamp.seconds Converted to timestamp from raw log field Event Time using formats yyyy-MM-dd HH:mm:ss A and TIMESTAMP_ISO8601.
File Description metadata.description Directly mapped from raw log field File Description.
File Size about.labels.value Directly mapped from raw log field File Size. The corresponding key is set to File Size.
File Version about.labels.value Directly mapped from raw log field File Version. The corresponding key is set to File Version.
IP Address principal.ip Directly mapped from raw log field IP Address if Source IP Address is empty.
Local Port principal.port Directly mapped from raw log field Local Port if not empty and converted to integer.
MAC Address target.mac Directly mapped from raw log field MAC Address if not empty.
Machine ID principal.asset.asset_id Mapped from raw log field Machine ID with prefix MachineId:.
Machine Type principal.asset.category Directly mapped from raw log field Machine Type.
MD5 Hash target.process.file.md5 Directly mapped from raw log field MD5 Hash after converting to lowercase.
Network Direction network.direction Mapped from raw log field Network Direction. If Inbound, set to INBOUND. If Outbound, set to OUTBOUND.
Operation Type security_result.action_details Directly mapped from raw log field Operation Type.
Parent Application principal.process.parent_process.command_line Directly mapped from raw log field Parent Application if not empty.
Parent MD5 Hash target.process.parent_process.file.md5 Directly mapped from raw log field Parent MD5 Hash after converting to lowercase if it matches a hexadecimal string pattern.
Process Domain target.administrative_domain Directly mapped from raw log field Process Domain.
Process File Extension target.process.file.mime_type Directly mapped from raw log field Process File Extension if it's not no extension or [no extension].
Process Path target.process.file.full_path Directly mapped from raw log field Process Path.
Process PID principal.process.pid Directly mapped from raw log field Process PID after converting to string.
Product Name metadata.product_name Directly mapped from raw log field Product Name.
Product Version metadata.product_version Directly mapped from raw log field Product Version.
Protocol network.application_protocol If HTTP or HTTPS, set to HTTPS.
Printer Name src.resource.name Directly mapped from raw log field Printer Name.
Remote Port target.port Directly mapped from raw log field Remote Port if not empty and converted to integer.
SHA1 Hash target.process.file.sha1 Directly mapped from raw log field SHA1 Hash after converting to lowercase.
SHA256 Hash target.process.file.sha256 Directly mapped from raw log field SHA256 Hash after converting to lowercase.
Signature Issuer network.tls.server.certificate.issuer Directly mapped from raw log field Signature Issuer.
Signature Subject network.tls.server.certificate.subject Directly mapped from raw log field Signature Subject.
Source File Extension src.file.mime_type Directly mapped from raw log field Source File Extension if it's not no extension or [no extension].
Source File Path src.file.full_path Directly mapped from raw log field Source File Path.
Source IP Address principal.ip Directly mapped from raw log field Source IP Address if not empty.
Total Size about.labels.value Directly mapped from raw log field Total Size. The corresponding key is set to Total Size.
URL Path target.url Directly mapped from raw log field URL Path.
Unique ID metadata.product_log_id Directly mapped from raw log field Unique ID.
User principal.user.userid Directly mapped from raw log field User.
Was Detail Blocked security_result.action If Yes, set to BLOCK. If No, set to ALLOW.
dg_dst_dev.dev_prdname target.asset.hardware.model Directly mapped from raw log field dg_dst_dev.dev_prdname.
dg_dst_dev.dev_sernum target.asset.hardware.serial_number Directly mapped from raw log field dg_dst_dev.dev_sernum.
dg_recipients.uad_mr network.email.to Directly mapped from raw log field dg_recipients.uad_mr if it matches an email address pattern.
dg_src_dev.dev_prdname principal.asset.hardware.model Directly mapped from raw log field dg_src_dev.dev_prdname.
dg_src_dev.dev_sernum principal.asset.hardware.serial_number Directly mapped from raw log field dg_src_dev.dev_sernum.
metadata.event_type metadata.event_type Set to GENERIC_EVENT initially. Changed based on specific conditions:
- NETWORK_HTTP: if hostname, HTTP/HTTPS protocol, and MAC address are present.
- FILE_COPY: if destination and source file paths exist and Operation Type is File Copy.
- FILE_MOVE: if destination and source file paths exist and Operation Type is File Move.
- FILE_UNCATEGORIZED: if destination file path, process path/command line exist, and Operation Type contains File.
- USER_LOGOUT: if user ID exists and Operation Type contains Logoff.
- USER_LOGIN: if user ID exists and Operation Type contains Logon.
- NETWORK_UNCATEGORIZED: if process path/command line, process ID, outbound network direction, and MAC address are present.
- SCAN_PROCESS: if process path/command line and process ID are present.
- PROCESS_UNCATEGORIZED: if process path/command line exists.
metadata.log_type metadata.log_type Set to DIGITALGUARDIAN_DLP.
metadata.product_log_id metadata.product_log_id Directly mapped from raw log field Unique ID.
metadata.product_name metadata.product_name Directly mapped from raw log field Product Name.
metadata.product_version metadata.product_version Directly mapped from raw log field Product Version.
metadata.vendor_name metadata.vendor_name Set to DigitalGuardian.
network.application_protocol network.application_protocol Set to HTTPS if Protocol is HTTP or HTTPS.
network.direction network.direction Mapped from raw log field Network Direction. If Inbound, set to INBOUND. If Outbound, set to OUTBOUND.
network.email.from network.email.from Directly mapped from raw log field Email Sender if not empty.
network.email.subject network.email.subject Directly mapped from raw log field Email Subject if Email Sender is not empty.
network.email.to network.email.to Directly mapped from raw log field dg_recipients.uad_mr if it matches an email address pattern.
network.tls.server.certificate.issuer network.tls.server.certificate.issuer Directly mapped from raw log field Signature Issuer.
network.tls.server.certificate.subject network.tls.server.certificate.subject Directly mapped from raw log field Signature Subject.
observer.platform_version observer.platform_version Directly mapped from raw log field Agent Version.
principal.asset.asset_id principal.asset.asset_id Mapped from raw log field Machine ID with prefix MachineId:.
principal.asset.category principal.asset.category Directly mapped from raw log field Machine Type.
principal.asset.hardware.model principal.asset.hardware.model Directly mapped from raw log field dg_src_dev.dev_prdname.
principal.asset.hardware.serial_number principal.asset.hardware.serial_number Directly mapped from raw log field dg_src_dev.dev_sernum.
principal.hostname principal.hostname Directly mapped from raw log field Computer Name.
principal.ip principal.ip Directly mapped from raw log field Source IP Address if not empty. Otherwise, mapped from IP Address if not empty.
principal.port principal.port Directly mapped from raw log field Local Port if not empty and converted to integer.
principal.process.command_line principal.process.command_line Directly mapped from raw log field Application if not empty.
principal.process.parent_process.command_line principal.process.parent_process.command_line Directly mapped from raw log field Parent Application if not empty.
principal.process.parent_process.file.md5 principal.process.parent_process.file.md5 Directly mapped from raw log field Parent MD5 Hash after converting to lowercase if it matches a hexadecimal string pattern.
principal.process.pid principal.process.pid Directly mapped from raw log field Process PID after converting to string.
principal.user.company_name principal.user.company_name Directly mapped from raw log field Company Name.
principal.user.userid principal.user.userid Directly mapped from raw log field User.
security_result.action security_result.action If Was Detail Blocked is Yes, set to BLOCK. If Was Detail Blocked is No, set to ALLOW.
security_result.action_details security_result.action_details Directly mapped from raw log field Operation Type.
src.file.full_path src.file.full_path Directly mapped from raw log field Source File Path.
src.file.mime_type src.file.mime_type Directly mapped from raw log field Source File Extension if it's not no extension or [no extension].
src.resource.id src.resource.id Mapped from raw log field Device GUID with prefix GUID:.
src.resource.name src.resource.name Directly mapped from raw log field Printer Name.
target.administrative_domain target.administrative_domain Directly mapped from raw log field Process Domain.
target.asset.hardware.model target.asset.hardware.model Directly mapped from raw log field dg_dst_dev.dev_prdname.
target.asset.hardware.serial_number target.asset.hardware.serial_number Directly mapped from raw log field dg_dst_dev.dev_sernum.
target.asset.hostname target.asset.hostname Directly mapped from raw log field DNS Hostname.
target.asset.product_object_id target.asset.product_object_id Directly mapped from raw log field Adapter Name.
target.file.full_path target.file.full_path Directly mapped from raw log field Destination File Path.
target.file.mime_type target.file.mime_type Directly mapped from raw log field Destination File Extension if it's not no extension or [no extension].
target.mac target.mac Directly mapped from raw log field MAC Address if not empty.
target.port target.port Directly mapped from raw log field Remote Port if not empty and converted to integer.
target.process.command_line target.process.command_line Directly mapped from raw log field Command Line.
target.process.file.full_path target.process.file.full_path Directly mapped from raw log field Process Path.
target.process.file.md5 target.process.file.md5 Directly mapped from raw log field MD5 Hash after converting to lowercase.
target.process.file.mime_type target.process.file.mime_type Directly mapped from raw log field Process File Extension if it's not no extension or [no extension].
target.process.file.sha1 target.process.file.sha1 Directly mapped from raw log field SHA1 Hash after converting to lowercase.
target.process.file.sha256 target.process.file.sha256 Directly mapped from raw log field SHA256 Hash after converting to lowercase.
target.process.parent_process.command_line target.process.parent_process.command_line Directly mapped from raw log field Parent Application if not empty.
target.process.parent_process.file.md5 target.process.parent_process.file.md5 Directly mapped from raw log field Parent MD5 Hash after converting to lowercase if it matches a hexadecimal string pattern.
target.resource.type target.resource.type Directly mapped from raw log field Event Display Name.
target.url target.url Directly mapped from raw log field URL Path.
extensions.auth.type extensions.auth.type Set to AUTHTYPE_UNSPECIFIED if Operation Type is User Logoff or User Logon.

Changes

2023-06-02

  • Changed mapping for the field 'dg_recipients.uad_mr' from 'src.user.email_addresses' to 'network.email.to'.

2022-11-30

  • Newly created parser.

Need more help? Get answers from Community members and Google SecOps professionals.