Collect JFrog Artifactory logs

Supported in:

This parser handles two different JFrog Artifactory log formats. It uses grok patterns to identify and extract fields from each format. It then maps those fields to the UDM, handling JSON payloads within one of the formats and dropping logs that don't match either format.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to JFrog.

Configure a feed in Google SecOps to ingest the JFrog Artifactory logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, JFrog Artifactory Logs).
  4. Select Webhook as the Source type.
  5. Select JFrog Artifactory as the Log type.
  6. Click Next.
  7. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  8. Click Next.
  9. Review the feed configuration in the Finalize screen, and then click Submit.
  10. Click Generate Secret Key to generate a secret key to authenticate this feed.
  11. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
  12. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
  13. Click Done.

Create an API key for the webhook feed

  1. Go to Google Cloud console > Credentials.

    Go to Credentials

  2. Click Create credentials, and then select API key.

  3. Restrict the API key access to the Google Security Operations API.

Specify the endpoint URL

  1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.

  2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:

    X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET

    Recommendation: Specify the API key as a header instead of specifying it in the URL.

  3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:

    ENDPOINT_URL?key=API_KEY&secret=SECRET

    Replace the following:

    • ENDPOINT_URL: the feed endpoint URL.
    • API_KEY: the API key to authenticate to Google SecOps.
    • SECRET: the secret key that you generated to authenticate the feed.

Create a webhook in JFrog Artifactory to send data to Google SecOps

  1. Sign in to the JFrog instance using your administrator credentials.
  2. Go to Administration > General > Webhooks.
  3. Click + New Webhook.

  4. Configure the following webhook settings:

    • Webhook Key: Provide a descriptive name (for example, Google SecOps).

    • URL: Enter the <ENDPOINT_URL> of the Google SecOps API endpoint.

    • Events: Select the Artifactory events that should trigger the webhook, choose the events relevant to your security monitoring needs (for example, deployed, downloaded, deleted).

    • Domain: If you are using a virtual repository, select the relevant domain. Otherwise, leave this field as Any Local.

    • Repository: Select the specific repository or leave it as Any Remote or Any Local, depending on your requirements.

  5. Click Test, it will send a test event to Google SecOps.

  6. Click Save.

UDM Mapping Table

Log Field UDM Mapping Logic
action read_only_udm.metadata.product_event_type The value of action from the raw log is converted to lowercase and mapped.
datetime read_only_udm.metadata.event_timestamp The raw log's datetime field is parsed and converted to a timestamp.
hostname read_only_udm.principal.hostname Directly mapped from the raw log's hostname field.
id read_only_udm.metadata.product_log_id Directly mapped from the raw log's id field (from JSON payload).
ip read_only_udm.principal.ip Directly mapped from the raw log's ip field. Hardcoded to "USER_RESOURCE_ACCESS". Hardcoded to "JFROG_ARTIFACTORY". Hardcoded to "Artifactory". Hardcoded to "JFROG".
owner read_only_udm.principal.user.userid Mapped if username is not present in the raw log (from JSON payload).
repo_name read_only_udm.target.resource.name Directly mapped from the raw log's repo_name field.
repo_type read_only_udm.target.resource.resource_subtype Directly mapped from the raw log's repo_type field.
scope read_only_udm.target.resource.name Directly mapped from the raw log's scope field (from JSON payload).
scope read_only_udm.target.resource.resource_subtype Hardcoded to "scope" if scope is present in the raw log.
sequenceId read_only_udm.metadata.product_log_id Quotes are removed from the sequenceId field and then mapped.
subject read_only_udm.about.labels.key Hardcoded to "subject" if subject is present in the raw log.
subject read_only_udm.about.labels.value Directly mapped from the raw log's subject field (from JSON payload).
type read_only_udm.metadata.product_event_type Directly mapped from the raw log's type field (from JSON payload).
user read_only_udm.principal.user.userid Directly mapped from the raw log's user field.
username read_only_udm.principal.user.userid Directly mapped from the raw log's username field (from JSON payload).

Changes

2024-09-23

  • Enhancement:
  • Added support to parse the unparsed logs.
  • Mapped "target_ip" to "target.ip" and "target.asset.ip".
  • Mapped "desc" to "metadata.description".
  • Mapped "method" to "network.http.method".
  • Mapped "url" to "target.url".
  • Mapped "prin_url" to "principal.url".
  • Mapped "response_code" to "network.http.response_code".
  • Mapped "RequestMethod" to "network.http.method".
  • Mapped "RequestPath" to "target.url".
  • Mapped "DownstreamContentSize" and "DownstreamStatus" to "Additional.Fields".
  • Mapped "ServiceAddr" to "principal.hostname" and "principal.port".
  • Mapped "ClientAddr" to "target.ip" and "target.port".
  • Mapped "user_agent" to "network.http.user_agent".
  • Mapped "level" to "security_result.severity".
  • Mapped "msg" to "security_result.description".
  • Mapped "protocol" to "network.application_protocol".

2023-08-25

  • Newly created parser.