Collect Fidelis Network logs

Supported in:

This document explains how to ingest Fidelis Network logs to Google Security Operations using Bindplane.

Fidelis Network is a network detection and response (NDR) solution that provides deep content inspection, session-level analysis, and automated threat response. It monitors network traffic in real-time to detect advanced threats, data exfiltration attempts, and policy violations across all ports and protocols. The parser extracts fields from Fidelis Network syslog formatted logs using KV and JSON patterns. It then maps these values to the Unified Data Model (UDM). It also sets default metadata values for the event source and type.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Windows Server 2016 or later, or Linux host with systemd
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
  • Privileged access to the Fidelis Network CommandPost web interface

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.

  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.

  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open Command Prompt or PowerShell as an administrator.

  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sc query observiq-otel-collector

The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.

  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sudo systemctl status observiq-otel-collector

The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide.

Configure the Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux:

    sudo systemctl status observiq-otel-collector

  • Windows:

    notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

    receivers:
  tcplog:
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    creds_file_path: '/path/to/ingestion-authentication-file.json'
    customer_id: 'YOUR_CUSTOMER_ID'
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: 'FIDELIS_NETWORK'
    raw_log_field: body
    ingestion_labels:

service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - tcplog
      exporters:
        - chronicle/chronicle_w_labels

Configuration parameters

Replace the following placeholders:

  • Receiver configuration:

    • tcplog: Use udplog for UDP syslog or tcplog for TCP syslog
    • 0.0.0.0: IP address to listen on (0.0.0.0 to listen on all interfaces)
    • 514: Port number to listen on (standard syslog port)

  • Exporter configuration:

    • creds_file_path: Full path to ingestion authentication file:
      • Linux: /etc/bindplane-agent/ingestion-auth.json
      • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
    • YOUR_CUSTOMER_ID: Customer ID from the Get customer ID section
    • endpoint: Regional endpoint URL:
      • US: malachiteingestion-pa.googleapis.com
      • Europe: europe-malachiteingestion-pa.googleapis.com
      • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
      • See Regional Endpoints for complete list
    • log_type: Log type exactly as it appears in Chronicle (FIDELIS_NETWORK)

Save the configuration file

  • After editing, save the file:
    • Linux: Press Ctrl+O, then Enter, then Ctrl+X
    • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux:

  1. Run the following command:

    sudo systemctl restart observiq-otel-collector

  2. Verify the service is running:

    sudo systemctl status observiq-otel-collector

  3. Check logs for errors:

    sudo journalctl -u observiq-otel-collector -f

To restart the Bindplane agent in Windows:

  1. Choose one of the following options:

    • Command Prompt or PowerShell as administrator:
    net stop observiq-otel-collector && net start observiq-otel-collector
    • Services console:
      1. Press Win+R, type services.msc, and press Enter.
      2. Locate observIQ OpenTelemetry Collector.
      3. Right-click and select Restart.

  2. Verify the service is running:

    sc query observiq-otel-collector

  3. Check logs for errors:

    type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

Configure Fidelis Network syslog forwarding

  1. Sign in to the Fidelis Network CommandPost web interface.
  2. Go to System > Export > Syslog.
  3. Click Add Syslog Server.
  4. Provide the following configuration details:
    • Name: Enter a descriptive name (for example, Google-SecOps-Bindplane).
    • IP Address/Hostname: Enter the IP address of the Bindplane agent host.
    • Port: Enter 514.
    • Protocol: Select TCP.
    • Format: Select CEF (Common Event Format) or Syslog based on your parsing requirements.
    • Facility: Select LOCAL0 (or your preferred facility).
    • Severity: Select Informational (or your preferred severity level).
  5. In the Alert Types section, select the events to forward:
    • Alert events
    • Malware events
    • DLP events
    • DNS events
    • Session events
  6. Click Save.
  7. Verify syslog messages are being sent by checking the Bindplane agent logs.

UDM mapping table

Log Field UDM Mapping Logic
aaction event.idm.read_only_udm.security_result.action_details Directly mapped if not "none" or empty string.
alert_threat_score event.idm.read_only_udm.security_result.detection_fields[].key: "alert_threat_score", event.idm.read_only_udm.security_result.detection_fields[].value: value of alert_threat_score Directly mapped as a detection field.
alert_type event.idm.read_only_udm.security_result.detection_fields[].key: "alert_type", event.idm.read_only_udm.security_result.detection_fields[].value: value of alert_type Directly mapped as a detection field.
answers event.idm.read_only_udm.network.dns.answers[].data Directly mapped for DNS events.
application_user event.idm.read_only_udm.principal.user.userid Directly mapped.
asset_os event.idm.read_only_udm.target.platform Normalized to WINDOWS, LINUX, MAC, or UNKNOWN_PLATFORM.
certificate.end_date event.idm.read_only_udm.network.tls.client.certificate.not_after Parsed and converted to timestamp.
certificate.extended_key_usage event.idm.read_only_udm.additional.fields[].key: "Extended Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.extended_key_usage Mapped as an additional field.
certificate.issuer_name event.idm.read_only_udm.network.tls.server.certificate.issuer Directly mapped.
certificate.key_length event.idm.read_only_udm.additional.fields[].key: "Key Length", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.key_length Mapped as an additional field.
certificate.key_usage event.idm.read_only_udm.additional.fields[].key: "Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.key_usage Mapped as an additional field.
certificate.start_date event.idm.read_only_udm.network.tls.client.certificate.not_before Parsed and converted to timestamp.
certificate.subject_altname event.idm.read_only_udm.additional.fields[].key: "Certificate Alternate Name", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.subject_altname Mapped as an additional field.
certificate.subject_name event.idm.read_only_udm.network.tls.server.certificate.subject Directly mapped.
certificate.type event.idm.read_only_udm.additional.fields[].key: "Certificate_Type", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.type Mapped as an additional field.
cipher event.idm.read_only_udm.network.tls.cipher Directly mapped.
client_asset_name event.idm.read_only_udm.principal.application Directly mapped.
client_asset_subnet event.idm.read_only_udm.additional.fields[].key: "client_asset_subnet", event.idm.read_only_udm.additional.fields[].value.string_value: value of client_asset_subnet Mapped as an additional field.
client_ip event.idm.read_only_udm.principal.ip Directly mapped.
client_port event.idm.read_only_udm.principal.port Directly mapped and converted to integer.
ClientIP event.idm.read_only_udm.principal.ip Directly mapped.
ClientPort event.idm.read_only_udm.principal.port Directly mapped and converted to integer.
ClientCountry event.idm.read_only_udm.principal.location.country_or_region Directly mapped if not "UNKNOWN" or empty string.
ClientAssetID event.idm.read_only_udm.principal.asset_id Prefixed with "Asset:" if not "0" or empty string.
ClientAssetName event.idm.read_only_udm.principal.resource.attribute.labels[].key: "ClientAssetName", event.idm.read_only_udm.principal.resource.attribute.labels[].value: value of ClientAssetName Mapped as a principal resource label.
ClientAssetRole event.idm.read_only_udm.principal.asset.attribute.roles[].name Directly mapped.
ClientAssetServices event.idm.read_only_udm.principal.resource.attribute.labels[].key: "ClientAssetServices", event.idm.read_only_udm.principal.resource.attribute.labels[].value: value of ClientAssetServices Mapped as a principal resource label.
Client event.idm.read_only_udm.principal.resource.attribute.labels[].key: "Client", event.idm.read_only_udm.principal.resource.attribute.labels[].value: value of Client Mapped as a principal resource label.
Collector event.idm.read_only_udm.security_result.detection_fields[].key: "Collector", event.idm.read_only_udm.security_result.detection_fields[].value: value of Collector Mapped as a detection field.
command event.idm.read_only_udm.network.http.method Directly mapped for HTTP events.
Command event.idm.read_only_udm.security_result.detection_fields[].key: "Command", event.idm.read_only_udm.security_result.detection_fields[].value: value of Command Mapped as a detection field.
Connection event.idm.read_only_udm.security_result.detection_fields[].key: "Connection", event.idm.read_only_udm.security_result.detection_fields[].value: value of Connection Mapped as a detection field.
DecodingPath event.idm.read_only_udm.security_result.detection_fields[].key: "DecodingPath", event.idm.read_only_udm.security_result.detection_fields[].value: value of DecodingPath Mapped as a detection field.
dest_country event.idm.read_only_udm.target.location.country_or_region Directly mapped.
dest_domain event.idm.read_only_udm.target.hostname Directly mapped.
dest_ip event.idm.read_only_udm.target.ip Directly mapped.
dest_port event.idm.read_only_udm.target.port Directly mapped and converted to integer.
Direction event.idm.read_only_udm.security_result.detection_fields[].key: "Direction", event.idm.read_only_udm.security_result.detection_fields[].value: value of Direction Mapped as a detection field.
dns.host event.idm.read_only_udm.network.dns.questions[].name Directly mapped for DNS events.
DomainName event.idm.read_only_udm.target.administrative_domain Directly mapped.
DomainAlexaRank event.idm.read_only_udm.security_result.detection_fields[].key: "DomainAlexaRank", event.idm.read_only_udm.security_result.detection_fields[].value: value of DomainAlexaRank Mapped as a detection field.
dport event.idm.read_only_udm.target.port Directly mapped and converted to integer.
dnsresolution.server_fqdn event.idm.read_only_udm.target.hostname Directly mapped.
Duration event.idm.read_only_udm.security_result.detection_fields[].key: "Duration", event.idm.read_only_udm.security_result.detection_fields[].value: value of Duration Mapped as a detection field.
Encrypted event.idm.read_only_udm.security_result.detection_fields[].key: "Encrypted", event.idm.read_only_udm.security_result.detection_fields[].value: value of Encrypted Mapped as a detection field.
Entropy event.idm.read_only_udm.security_result.detection_fields[].key: "Entropy", event.idm.read_only_udm.security_result.detection_fields[].value: value of Entropy Mapped as a detection field.
event.idm.read_only_udm.additional.fields event.idm.read_only_udm.additional.fields Contains various additional fields based on parser logic.
event.idm.read_only_udm.metadata.description event.idm.read_only_udm.metadata.description Directly mapped from summary field.
event.idm.read_only_udm.metadata.event_type event.idm.read_only_udm.metadata.event_type Determined based on various log fields and parser logic. Can be GENERIC_EVENT, NETWORK_CONNECTION, NETWORK_HTTP, NETWORK_SMTP, NETWORK_DNS, STATUS_UPDATE, NETWORK_FLOW.
event.idm.read_only_udm.metadata.log_type event.idm.read_only_udm.metadata.log_type Set to "FIDELIS_NETWORK".
event.idm.read_only_udm.metadata.product_name event.idm.read_only_udm.metadata.product_name Set to "FIDELIS_NETWORK".
event.idm.read_only_udm.metadata.vendor_name event.idm.read_only_udm.metadata.vendor_name Set to "FIDELIS_NETWORK".
event.idm.read_only_udm.network.application_protocol event.idm.read_only_udm.network.application_protocol Determined based on server_port or protocol field. Can be HTTP, HTTPS, SMTP, SSH, RPC, DNS, NFS, AOLMAIL.
event.idm.read_only_udm.network.direction event.idm.read_only_udm.network.direction Determined based on direction field or keywords in summary. Can be INBOUND or OUTBOUND.
event.idm.read_only_udm.network.dns.answers event.idm.read_only_udm.network.dns.answers Populated for DNS events.
event.idm.read_only_udm.network.dns.id event.idm.read_only_udm.network.dns.id Mapped from number field for DNS events.
event.idm.read_only_udm.network.dns.questions event.idm.read_only_udm.network.dns.questions Populated for DNS events.
event.idm.read_only_udm.network.email.from event.idm.read_only_udm.network.email.from Directly mapped from From if it's a valid email address.
event.idm.read_only_udm.network.email.subject event.idm.read_only_udm.network.email.subject Directly mapped from Subject.
event.idm.read_only_udm.network.email.to event.idm.read_only_udm.network.email.to Directly mapped from To.
event.idm.read_only_udm.network.ftp.command event.idm.read_only_udm.network.ftp.command Directly mapped from ftp.command.
event.idm.read_only_udm.network.http.method event.idm.read_only_udm.network.http.method Directly mapped from http.command or Command.
event.idm.read_only_udm.network.http.referral_url event.idm.read_only_udm.network.http.referral_url Directly mapped from Referer.
event.idm.read_only_udm.network.http.response_code event.idm.read_only_udm.network.http.response_code Directly mapped from http.status_code or StatusCode and converted to integer.
event.idm.read_only_udm.network.http.user_agent event.idm.read_only_udm.network.http.user_agent Directly mapped from http.useragent or UserAgent.
event.idm.read_only_udm.network.ip_protocol event.idm.read_only_udm.network.ip_protocol Directly mapped from tproto if it's TCP or UDP.
event.idm.read_only_udm.network.received_bytes event.idm.read_only_udm.network.received_bytes Renamed from event1.server_packet_count and converted to unsigned integer.
event.idm.read_only_udm.network.sent_bytes event.idm.read_only_udm.network.sent_bytes Renamed from event1.client_packet_count and converted to unsigned integer.
event.idm.read_only_udm.network.session_duration.seconds event.idm.read_only_udm.network.session_duration.seconds Renamed from event1.session_size and converted to integer.
event.idm.read_only_udm.network.session_id event.idm.read_only_udm.network.session_id Directly mapped from event1.rel_sesid or UserSessionID.
event.idm.read_only_udm.network.tls.client.certificate.issuer event.idm.read_only_udm.network.tls.client.certificate.issuer Directly mapped from event1.certificate_issuer_name.
event.idm.read_only_udm.network.tls.client.certificate.not_after event.idm.read_only_udm.network.tls.client.certificate.not_after Parsed from event1.certificate_end_date and converted to timestamp.
event.idm.read_only_udm.network.tls.client.certificate.not_before event.idm.read_only_udm.network.tls.client.certificate.not_before Parsed from event1.certificate_start_date and converted to timestamp.
event.idm.read_only_udm.network.tls.client.certificate.subject event.idm.read_only_udm.network.tls.client.certificate.subject Directly mapped from event1.certificate_subject_name.
event.idm.read_only_udm.network.tls.client.ja3 event.idm.read_only_udm.network.tls.client.ja3 Directly mapped from event1.ja3digest and converted to string.
event.idm.read_only_udm.network.tls.cipher event.idm.read_only_udm.network.tls.cipher Directly mapped from event1.cipher, CipherSuite, cipher, or event1.tls_ciphersuite.
event.idm.read_only_udm.network.tls.server.certificate.issuer event.idm.read_only_udm.network.tls.server.certificate.issuer Directly mapped from certificate_issuer_name.
event.idm.read_only_udm.network.tls.server.certificate.subject event.idm.read_only_udm.network.tls.server.certificate.subject Directly mapped from certificate_subject_name.
event.idm.read_only_udm.network.tls.server.ja3s event.idm.read_only_udm.network.tls.server.ja3s Directly mapped from event1.ja3sdigest and converted to string.
event.idm.read_only_udm.network.tls.version event.idm.read_only_udm.network.tls.version Directly mapped from event1.version.
event.idm.read_only_udm.principal.application event.idm.read_only_udm.principal.application Directly mapped from event1.client_asset_name.
event.idm.read_only_udm.principal.asset.attribute.roles[].name event.idm.read_only_udm.principal.asset.attribute.roles[].name Directly mapped from ClientAssetRole.
event.idm.read_only_udm.principal.asset_id event.idm.read_only_udm.principal.asset_id Directly mapped from ClientAssetID or ServerAssetID (prefixed with "Asset:").
event.idm.read_only_udm.principal.hostname event.idm.read_only_udm.principal.hostname Directly mapped from event1.sld or src_domain.
event.idm.read_only_udm.principal.ip event.idm.read_only_udm.principal.ip Directly mapped from event1.src_ip6, client_ip, or ClientIP.
event.idm.read_only_udm.principal.location.country_or_region event.idm.read_only_udm.principal.location.country_or_region Directly mapped from ClientCountry or src_country if not "UNKNOWN" or empty string.
event.idm.read_only_udm.principal.port event.idm.read_only_udm.principal.port Directly mapped from event1.sport or client_port and converted to integer.
event.idm.read_only_udm.principal.resource.attribute.labels event.idm.read_only_udm.principal.resource.attribute.labels Contains various labels based on parser logic.
event.idm.read_only_udm.principal.user.userid event.idm.read_only_udm.principal.user.userid Directly mapped from ftp.user or AppUser.
event.idm.read_only_udm.security_result.action event.idm.read_only_udm.security_result.action Determined based on severity. Can be ALLOW, BLOCK, or UNKNOWN_ACTION.
event.idm.read_only_udm.security_result.action_details event.idm.read_only_udm.security_result.action_details Directly mapped from Action if not "none" or empty string.
event.idm.read_only_udm.security_result.category event.idm.read_only_udm.security_result.category Set to NETWORK_SUSPICIOUS if malware_type is present.
event.idm.read_only_udm.security_result.detection_fields event.idm.read_only_udm.security_result.detection_fields Contains various detection fields based on parser logic.
event.idm.read_only_udm.security_result.rule_name event.idm.read_only_udm.security_result.rule_name Directly mapped from rule_name.
event.idm.read_only_udm.security_result.severity event.idm.read_only_udm.security_result.severity Determined based on severity. Can be INFORMATIONAL, MEDIUM, ERROR, or CRITICAL.
event.idm.read_only_udm.security_result.summary event.idm.read_only_udm.security_result.summary Directly mapped from label.
event.idm.read_only_udm.security_result.threat_name event.idm.read_only_udm.security_result.threat_name Directly mapped from malware_type or parsed from summary if it contains "CVE-".
event.idm.read_only_udm.target.administrative_domain event.idm.read_only_udm.target.administrative_domain Directly mapped from DomainName.
event.idm.read_only_udm.target.asset.attribute.roles[].name event.idm.read_only_udm.target.asset.attribute.roles[].name Directly mapped from ServerAssetRole.
event.idm.read_only_udm.target.file.full_path event.idm.read_only_udm.target.file.full_path Directly mapped from ftp.filename or Filename.
event.idm.read_only_udm.target.file.md5 event.idm.read_only_udm.target.file.md5 Directly mapped from event1.md5 or md5.
event.idm.read_only_udm.target.file.mime_type event.idm.read_only_udm.target.file.mime_type Directly mapped from event1.filetype.
event.idm.read_only_udm.target.file.sha1 event.idm.read_only_udm.target.file.sha1 Directly mapped from event1.srvcerthash.
event.idm.read_only_udm.target.file.sha256 event.idm.read_only_udm.target.file.sha256 Directly mapped from event1.sha256 or sha256.
event.idm.read_only_udm.target.file.size event.idm.read_only_udm.target.file.size Renamed from event1.filesize and converted to unsigned integer if not 0.
event.idm.read_only_udm.target.hostname event.idm.read_only_udm.target.hostname Directly mapped from event1.sni, dest_domain, or Host.
event.idm.read_only_udm.target.ip event.idm.read_only_udm.target.ip Directly mapped from event1.dst_ip6 or server_ip or ServerIP.
event.idm.read_only_udm.target.location.country_or_region event.idm.read_only_udm.target.location.country_or_region Directly mapped from dest_country or ServerCountry.
event.idm.read_only_udm.target.platform event.idm.read_only_udm.target.platform Mapped from asset_os after normalization.
event.idm.read_only_udm.target.platform_version event.idm.read_only_udm.target.platform_version Directly mapped from os_version.
event.idm.read_only_udm.target.port event.idm.read_only_udm.target.port Directly mapped from event1.dport or server_port and converted to integer.
event.idm.read_only_udm.target.resource.attribute.labels event.idm.read_only_udm.target.resource.attribute.labels Contains various labels based on parser logic.
event.idm.read_only_udm.target.url event.idm.read_only_udm.target.url Directly mapped from url or URL.
event.idm.read_only_udm.target.user.product_object_id event.idm.read_only_udm.target.user.product_object_id Directly mapped from uuid.
event1.certificate_end_date event.idm.read_only_udm.network.tls.client.certificate.not_after Parsed and converted to timestamp.
event1.certificate_extended_key_usage event.idm.read_only_udm.additional.fields[].key: "Extended Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.certificate_extended_key_usage Mapped as an additional field.
event1.certificate_issuer_name event.idm.read_only_udm.network.tls.client.certificate.issuer Directly mapped.
event1.certificate_key_length event.idm.read_only_udm.additional.fields[].key: "Key Length", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.certificate_key_length Mapped as an additional field.
event1.certificate_key_usage event.idm.read_only_udm.additional.fields[].key: "Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.certificate_key_usage Mapped as an additional field.
event1.certificate_start_date event.idm.read_only_udm.network.tls.client.certificate.not_before Parsed and converted to timestamp.
event1.certificate_subject_altname event.idm.read_only_udm.additional.fields[].key: "Certificate Alternate Name", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.certificate_subject_altname Mapped as an additional field.
event1.certificate_subject_name event.idm.read_only_udm.network.tls.client.certificate.subject Directly mapped.
event1.client_asset_name event.idm.read_only_udm.principal.application Directly mapped.
event1.client_asset_subnet event.idm.read_only_udm.additional.fields[].key: "client_asset_subnet", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.client_asset_subnet Mapped as an additional field.
event1.client_packet_count event.idm.read_only_udm.network.sent_bytes Converted to unsigned integer and renamed.
event1.cipher event.idm.read_only_udm.network.tls.cipher Directly mapped.
event1.direction event.idm.read_only_udm.network.direction Mapped to INBOUND if "s2c" or OUTBOUND if "c2s".
event1.dport event.idm.read_only_udm.target.port The value of event1.dport from the raw log is converted to an integer and mapped to the target.port field.
event1.dst_ip6 event.idm.read_only_udm.target.ip The value of event1.dst_ip6 from the raw log is mapped to the target.ip field.
event1.filetype event.idm.read_only_udm.target.file.mime_type The value of event1.filetype from the raw log is mapped to the target.file.mime_type field.
event1.filesize event.idm.read_only_udm.target.file.size The value of event1.filesize from the raw log is converted to an unsigned integer and mapped to the target.file.size field if not 0.
event1.ja3digest event.idm.read_only_udm.network.tls.client.ja3 The value of event1.ja3digest from the raw log is converted to a string and mapped to the network.tls.client.ja3 field.
event1.ja3sdigest event.idm.read_only_udm.network.tls.server.ja3s The value of event1.ja3sdigest from the raw log is converted to a string and mapped to the network.tls.server.ja3s field.
event1.md5 event.idm.read_only_udm.target.file.md5 The value of event1.md5 from the raw log is mapped to the target.file.md5 field.
event1.rel_sesid event.idm.read_only_udm.network.session_id The value of event1.rel_sesid from the raw log is mapped to the network.session_id field.
event1.server_packet_count event.idm.read_only_udm.network.received_bytes The value of event1.server_packet_count from the raw log is converted to an unsigned integer and mapped to the network.received_bytes field.
event1.session_size event.idm.read_only_udm.network.session_duration.seconds The value of event1.session_size from the raw log is converted to an integer and mapped to the network.session_duration.seconds field.
event1.sha256 event.idm.read_only_udm.target.file.sha256 The value of event1.sha256 from the raw log is mapped to the target.file.sha256 field.
event1.sld event.idm.read_only_udm.principal.hostname The value of event1.sld from the raw log is mapped to the principal.hostname field.
event1.sni event.idm.read_only_udm.target.hostname The value of event1.sni from the raw log is mapped to the target.hostname field.
event1.sport event.idm.read_only_udm.principal.port The value of event1.sport from the raw log is converted to an integer and mapped to the principal.port field.
event1.src_ip6 event.idm.read_only_udm.principal.ip The value of event1.src_ip6 from the raw log is mapped to the principal.ip field.
event1.srvcerthash event.idm.read_only_udm.target.file.sha1 The value of event1.srvcerthash from the raw log is mapped to the target.file.sha1 field.
event1.tls_ciphersuite event.idm.read_only_udm.network.tls.cipher The value of event1.tls_ciphersuite from the raw log is mapped to the network.tls.cipher field.
event1.version event.idm.read_only_udm.network.tls.version The value of event1.version from the raw log is mapped to the network.tls.version field.
Filename event.idm.read_only_udm.target.file.full_path The value of Filename from the raw log is mapped to the target.file.full_path field.
From event.idm.read_only_udm.network.email.from The value of From from the raw log is mapped to the network.email.from field if it is a valid email address.
ftp.command event.idm.read_only_udm.network.ftp.command The value of ftp.command from the raw log is mapped to the network.ftp.command field.
ftp.filename event.idm.read_only_udm.target.file.full_path The value of ftp.filename from the raw log is mapped to the target.file.full_path field.
ftp.user event.idm.read_only_udm.principal.user.userid The value of ftp.user from the raw log is mapped to the principal.user.userid field.
Host event.idm.read_only_udm.target.hostname The value of Host from the raw log is mapped to the target.hostname field.
http.command event.idm.read_only_udm.network.http.method The value of http.command from the raw log is mapped to the network.http.method field.
http.status_code event.idm.read_only_udm.network.http.response_code The value of http.status_code from the raw log is converted to an integer and mapped to the network.http.response_code field.
http.useragent event.idm.read_only_udm.network.http.user_agent The value of http.useragent from the raw log is mapped to the network.http.user_agent field.
label event.idm.read_only_udm.security_result.summary The value of label from the raw log is mapped to the security_result.summary field.
malware_type event.idm.read_only_udm.security_result.threat_name The value of malware_type from the raw log is mapped to the security_result.threat_name field.
md5 event.idm.read_only_udm.target.file.md5 The value of md5 from the raw log is mapped to the target.file.md5 field.
number event.idm.read_only_udm.network.dns.id The value of number from the raw log is mapped to the network.dns.id field for DNS events.
os_version event.idm.read_only_udm.target.platform_version The value of os_version from the raw log is mapped to the target.platform_version field.
Referer event.idm.read_only_udm.network.http.referral_url The value of Referer from the raw log is mapped to the network.http.referral_url field.
rule_name event.idm.read_only_udm.security_result.rule_name The value of rule_name from the raw log is mapped to the security_result.rule_name field.
server_ip event.idm.read_only_udm.target.ip The value of server_ip from the raw log is mapped to the target.ip field.
server_port event.idm.read_only_udm.target.port The value of server_port from the raw log is converted to an integer and mapped to the target.port field.
ServerAssetID event.idm.read_only_udm.principal.asset_id The value of ServerAssetID from the raw log is prefixed with "Asset:" and mapped to the principal.asset_id field if not "0" or empty.
ServerAssetRole event.idm.read_only_udm.target.asset.attribute.roles[].name The value of ServerAssetRole from the raw log is mapped to the target.asset.attribute.roles[].name field.
ServerCountry event.idm.read_only_udm.target.location.country_or_region The value of ServerCountry from the raw log is mapped to the target.location.country_or_region field.
ServerIP event.idm.read_only_udm.target.ip The value of ServerIP from the raw log is mapped to the target.ip field.
sha256 event.idm.read_only_udm.target.file.sha256 The value of sha256 from the raw log is mapped to the target.file.sha256 field.
src_country event.idm.read_only_udm.principal.location.country_or_region The value of src_country from the raw log is mapped to the principal.location.country_or_region field if not "UNKNOWN" or empty.
src_domain event.idm.read_only_udm.principal.hostname The value of src_domain from the raw log is mapped to the principal.hostname field.
StatusCode event.idm.read_only_udm.network.http.response_code The value of StatusCode from the raw log is converted to an integer and mapped to the network.http.response_code field.
Subject event.idm.read_only_udm.network.email.subject The value of Subject from the raw log is mapped to the network.email.subject field.
summary event.idm.read_only_udm.metadata.description The value of summary from the raw log is mapped to the metadata.description field.
To event.idm.read_only_udm.network.email.to The value of To from the raw log is mapped to the network.email.to field.
tproto event.idm.read_only_udm.network.ip_protocol The value of tproto from the raw log is mapped to the network.ip_protocol field if it is TCP or UDP.
url event.idm.read_only_udm.target.url The value of url from the raw log is mapped to the target.url field.
URL event.idm.read_only_udm.target.url The value of URL from the raw log is mapped to the target.url field.
UserAgent event.idm.read_only_udm.network.http.user_agent The value of UserAgent from the raw log is mapped to the network.http.user_agent field.
UserSessionID event.idm.read_only_udm.network.session_id The value of UserSessionID from the raw log is mapped to the network.session_id field.
uuid event.idm.read_only_udm.target.user.product_object_id The value of uuid from the raw log is mapped to the target.user.product_object_id field.
N/A event.idm.read_only_udm.metadata.log_type Set to "FIDELIS_NETWORK".
N/A event.idm.read_only_udm.metadata.product_name Set to "FIDELIS_NETWORK".
N/A event.idm.read_only_udm.metadata.vendor_name Set to "FIDELIS_NETWORK".

Need more help? Get answers from Community members and Google SecOps professionals.