Collect the General Dynamics Fidelis XPS logs
This document describes how you can collect the General Dynamics Fidelis XPS logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations overview.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the FIDELIS_NETWORK ingestion label.
Configure General Dynamics Fidelis XPS
- Sign in to CommandPost to manage your Fidelis XPS appliance.
- Select System > Export.
- Click the New tab.
- In the Export method list, select ArcSight.
- In the Destination field, enter the Google Security Operations forwarder server IP address and port number, such as 514.
- In the Export alerts section, select the All checkbox.
- In the Export frequency section, select the Every alert checkbox.
- In the Transport section, select the UDP or TCP checkbox.
- In the Save as field, enter a name for the export configuration.
- In the Column list box, move entries in the Column list so that they appear in the following order:
  - TIME
  - ACTION
  - ALERTUUID
  - APPLICATION_USER
  - COMPONENT
  - COMPR
  - DSTADDR
  - DSTPORT
  - FILENAME
  - FROM
  - GROUP
  - MALWARE NAME
  - MALWARE TYPE
  - MD5
  - POLICY
  - PROTO
  - REQUEST_METHOD
  - REQUEST_AGENT
  - REQUEST_URL
  - RULE
  - SENIP
  - SEVERITY
  - SRCADDR
  - SRCPORT
  - SUMMARY
  - TARGET
  - TO
  - VIOLATION_INFO
  - VLAN_ID

  Fidelis XPS version 8.1 introduces additional data that you can configure for export. The new fields are REQUEST_METHOD, REQUEST_AGENT, REQUEST_URL, VIOLATION_INFO, and VLAN_ID.
  - VIOLATION_INFO includes all the data from the Violation information section of the Alert detail page: the matching data that generated the alert, plus any additional information included within feed data when that data matches. VIOLATION_INFO can be large, so you must enable TCP when using this feature in syslog exports.
- Select System > Malware > Malware detection.
- Select the Malware detection engine and Automatic malware policy checkboxes.
- Click Save.
Configure the Google Security Operations forwarder to ingest Fidelis Network logs
- Select SIEM Settings > Forwarders.
- Click Add new forwarder.
- Enter a unique name in the Forwarder name field.
- Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, enter a unique name for the collector.
- Select Fidelis Network as the Log type.
- Select Syslog as the Collector type.
- Configure the following input parameters:
  - Protocol: specify the connection protocol that the collector uses to listen to syslog data.
  - Address: specify the target IP address or hostname where the collector resides and listens to syslog data.
  - Port: specify the target port where the collector resides and listens to syslog data.
- Click Submit.
For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.
If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser processes Fidelis Network logs in SYSLOG, key-value pair, and JSON formats and transforms them into UDM. It extracts fields, handles the various log structures, and maps the extracted values to UDM fields.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| aaction | event.idm.read_only_udm.security_result.action_details | Directly mapped if not "none" or empty string. |
| alert_threat_score | event.idm.read_only_udm.security_result.detection_fields[].key: "alert_threat_score", event.idm.read_only_udm.security_result.detection_fields[].value: value of alert_threat_score | Directly mapped as a detection field. |
| alert_type | event.idm.read_only_udm.security_result.detection_fields[].key: "alert_type", event.idm.read_only_udm.security_result.detection_fields[].value: value of alert_type | Directly mapped as a detection field. |
| answers | event.idm.read_only_udm.network.dns.answers[].data | Directly mapped for DNS events. |
| application_user | event.idm.read_only_udm.principal.user.userid | Directly mapped. |
| asset_os | event.idm.read_only_udm.target.platform | Normalized to WINDOWS, LINUX, MAC, or UNKNOWN_PLATFORM. |
| certificate.end_date | event.idm.read_only_udm.network.tls.client.certificate.not_after | Parsed and converted to timestamp. |
| certificate.extended_key_usage | event.idm.read_only_udm.additional.fields[].key: "Extended Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.extended_key_usage | Mapped as an additional field. |
| certificate.issuer_name | event.idm.read_only_udm.network.tls.server.certificate.issuer | Directly mapped. |
| certificate.key_length | event.idm.read_only_udm.additional.fields[].key: "Key Length", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.key_length | Mapped as an additional field. |
| certificate.key_usage | event.idm.read_only_udm.additional.fields[].key: "Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.key_usage | Mapped as an additional field. |
| certificate.start_date | event.idm.read_only_udm.network.tls.client.certificate.not_before | Parsed and converted to timestamp. |
| certificate.subject_altname | event.idm.read_only_udm.additional.fields[].key: "Certificate Alternate Name", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.subject_altname | Mapped as an additional field. |
| certificate.subject_name | event.idm.read_only_udm.network.tls.server.certificate.subject | Directly mapped. |
| certificate.type | event.idm.read_only_udm.additional.fields[].key: "Certificate_Type", event.idm.read_only_udm.additional.fields[].value.string_value: value of certificate.type | Mapped as an additional field. |
| cipher | event.idm.read_only_udm.network.tls.cipher | Directly mapped. |
| client_asset_name | event.idm.read_only_udm.principal.application | Directly mapped. |
| client_asset_subnet | event.idm.read_only_udm.additional.fields[].key: "client_asset_subnet", event.idm.read_only_udm.additional.fields[].value.string_value: value of client_asset_subnet | Mapped as an additional field. |
| client_ip | event.idm.read_only_udm.principal.ip | Directly mapped. |
| client_port | event.idm.read_only_udm.principal.port | Directly mapped and converted to integer. |
| ClientIP | event.idm.read_only_udm.principal.ip | Directly mapped. |
| ClientPort | event.idm.read_only_udm.principal.port | Directly mapped and converted to integer. |
| ClientCountry | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped if not "UNKNOWN" or empty string. |
| ClientAssetID | event.idm.read_only_udm.principal.asset_id | Prefixed with "Asset:" if not "0" or empty string. |
| ClientAssetName | event.idm.read_only_udm.principal.resource.attribute.labels[].key: "ClientAssetName", event.idm.read_only_udm.principal.resource.attribute.labels[].value: value of ClientAssetName | Mapped as a principal resource label. |
| ClientAssetRole | event.idm.read_only_udm.principal.asset.attribute.roles[].name | Directly mapped. |
| ClientAssetServices | event.idm.read_only_udm.principal.resource.attribute.labels[].key: "ClientAssetServices", event.idm.read_only_udm.principal.resource.attribute.labels[].value: value of ClientAssetServices | Mapped as a principal resource label. |
| Client | event.idm.read_only_udm.principal.resource.attribute.labels[].key: "Client", event.idm.read_only_udm.principal.resource.attribute.labels[].value: value of Client | Mapped as a principal resource label. |
| Collector | event.idm.read_only_udm.security_result.detection_fields[].key: "Collector", event.idm.read_only_udm.security_result.detection_fields[].value: value of Collector | Mapped as a detection field. |
| command | event.idm.read_only_udm.network.http.method | Directly mapped for HTTP events. |
| Command | event.idm.read_only_udm.security_result.detection_fields[].key: "Command", event.idm.read_only_udm.security_result.detection_fields[].value: value of Command | Mapped as a detection field. |
| Connection | event.idm.read_only_udm.security_result.detection_fields[].key: "Connection", event.idm.read_only_udm.security_result.detection_fields[].value: value of Connection | Mapped as a detection field. |
| DecodingPath | event.idm.read_only_udm.security_result.detection_fields[].key: "DecodingPath", event.idm.read_only_udm.security_result.detection_fields[].value: value of DecodingPath | Mapped as a detection field. |
| dest_country | event.idm.read_only_udm.target.location.country_or_region | Directly mapped. |
| dest_domain | event.idm.read_only_udm.target.hostname | Directly mapped. |
| dest_ip | event.idm.read_only_udm.target.ip | Directly mapped. |
| dest_port | event.idm.read_only_udm.target.port | Directly mapped and converted to integer. |
| Direction | event.idm.read_only_udm.security_result.detection_fields[].key: "Direction", event.idm.read_only_udm.security_result.detection_fields[].value: value of Direction | Mapped as a detection field. |
| dns.host | event.idm.read_only_udm.network.dns.questions[].name | Directly mapped for DNS events. |
| DomainName | event.idm.read_only_udm.target.administrative_domain | Directly mapped. |
| DomainAlexaRank | event.idm.read_only_udm.security_result.detection_fields[].key: "DomainAlexaRank", event.idm.read_only_udm.security_result.detection_fields[].value: value of DomainAlexaRank | Mapped as a detection field. |
| dport | event.idm.read_only_udm.target.port | Directly mapped and converted to integer. |
| dnsresolution.server_fqdn | event.idm.read_only_udm.target.hostname | Directly mapped. |
| Duration | event.idm.read_only_udm.security_result.detection_fields[].key: "Duration", event.idm.read_only_udm.security_result.detection_fields[].value: value of Duration | Mapped as a detection field. |
| Encrypted | event.idm.read_only_udm.security_result.detection_fields[].key: "Encrypted", event.idm.read_only_udm.security_result.detection_fields[].value: value of Encrypted | Mapped as a detection field. |
| Entropy | event.idm.read_only_udm.security_result.detection_fields[].key: "Entropy", event.idm.read_only_udm.security_result.detection_fields[].value: value of Entropy | Mapped as a detection field. |
| event.idm.read_only_udm.additional.fields | event.idm.read_only_udm.additional.fields | Contains various additional fields based on parser logic. |
| event.idm.read_only_udm.metadata.description | event.idm.read_only_udm.metadata.description | Directly mapped from the summary field. |
| event.idm.read_only_udm.metadata.event_type | event.idm.read_only_udm.metadata.event_type | Determined based on various log fields and parser logic. Can be GENERIC_EVENT, NETWORK_CONNECTION, NETWORK_HTTP, NETWORK_SMTP, NETWORK_DNS, STATUS_UPDATE, NETWORK_FLOW. |
| event.idm.read_only_udm.metadata.log_type | event.idm.read_only_udm.metadata.log_type | Set to "FIDELIS_NETWORK". |
| event.idm.read_only_udm.metadata.product_name | event.idm.read_only_udm.metadata.product_name | Set to "FIDELIS_NETWORK". |
| event.idm.read_only_udm.metadata.vendor_name | event.idm.read_only_udm.metadata.vendor_name | Set to "FIDELIS_NETWORK". |
| event.idm.read_only_udm.network.application_protocol | event.idm.read_only_udm.network.application_protocol | Determined based on the server_port or protocol field. Can be HTTP, HTTPS, SMTP, SSH, RPC, DNS, NFS, AOLMAIL. |
| event.idm.read_only_udm.network.direction | event.idm.read_only_udm.network.direction | Determined based on the direction field or keywords in summary. Can be INBOUND or OUTBOUND. |
| event.idm.read_only_udm.network.dns.answers | event.idm.read_only_udm.network.dns.answers | Populated for DNS events. |
| event.idm.read_only_udm.network.dns.id | event.idm.read_only_udm.network.dns.id | Mapped from the number field for DNS events. |
| event.idm.read_only_udm.network.dns.questions | event.idm.read_only_udm.network.dns.questions | Populated for DNS events. |
| event.idm.read_only_udm.network.email.from | event.idm.read_only_udm.network.email.from | Directly mapped from From if it's a valid email address. |
| event.idm.read_only_udm.network.email.subject | event.idm.read_only_udm.network.email.subject | Directly mapped from Subject. |
| event.idm.read_only_udm.network.email.to | event.idm.read_only_udm.network.email.to | Directly mapped from To. |
| event.idm.read_only_udm.network.ftp.command | event.idm.read_only_udm.network.ftp.command | Directly mapped from ftp.command. |
| event.idm.read_only_udm.network.http.method | event.idm.read_only_udm.network.http.method | Directly mapped from http.command or Command. |
| event.idm.read_only_udm.network.http.referral_url | event.idm.read_only_udm.network.http.referral_url | Directly mapped from Referer. |
| event.idm.read_only_udm.network.http.response_code | event.idm.read_only_udm.network.http.response_code | Directly mapped from http.status_code or StatusCode and converted to integer. |
| event.idm.read_only_udm.network.http.user_agent | event.idm.read_only_udm.network.http.user_agent | Directly mapped from http.useragent or UserAgent. |
| event.idm.read_only_udm.network.ip_protocol | event.idm.read_only_udm.network.ip_protocol | Directly mapped from tproto if it's TCP or UDP. |
| event.idm.read_only_udm.network.received_bytes | event.idm.read_only_udm.network.received_bytes | Renamed from event1.server_packet_count and converted to unsigned integer. |
| event.idm.read_only_udm.network.sent_bytes | event.idm.read_only_udm.network.sent_bytes | Renamed from event1.client_packet_count and converted to unsigned integer. |
| event.idm.read_only_udm.network.session_duration.seconds | event.idm.read_only_udm.network.session_duration.seconds | Renamed from event1.session_size and converted to integer. |
| event.idm.read_only_udm.network.session_id | event.idm.read_only_udm.network.session_id | Directly mapped from event1.rel_sesid or UserSessionID. |
| event.idm.read_only_udm.network.tls.client.certificate.issuer | event.idm.read_only_udm.network.tls.client.certificate.issuer | Directly mapped from event1.certificate_issuer_name. |
| event.idm.read_only_udm.network.tls.client.certificate.not_after | event.idm.read_only_udm.network.tls.client.certificate.not_after | Parsed from event1.certificate_end_date and converted to timestamp. |
| event.idm.read_only_udm.network.tls.client.certificate.not_before | event.idm.read_only_udm.network.tls.client.certificate.not_before | Parsed from event1.certificate_start_date and converted to timestamp. |
| event.idm.read_only_udm.network.tls.client.certificate.subject | event.idm.read_only_udm.network.tls.client.certificate.subject | Directly mapped from event1.certificate_subject_name. |
| event.idm.read_only_udm.network.tls.client.ja3 | event.idm.read_only_udm.network.tls.client.ja3 | Directly mapped from event1.ja3digest and converted to string. |
| event.idm.read_only_udm.network.tls.cipher | event.idm.read_only_udm.network.tls.cipher | Directly mapped from event1.cipher, CipherSuite, cipher, or event1.tls_ciphersuite. |
| event.idm.read_only_udm.network.tls.server.certificate.issuer | event.idm.read_only_udm.network.tls.server.certificate.issuer | Directly mapped from certificate_issuer_name. |
| event.idm.read_only_udm.network.tls.server.certificate.subject | event.idm.read_only_udm.network.tls.server.certificate.subject | Directly mapped from certificate_subject_name. |
| event.idm.read_only_udm.network.tls.server.ja3s | event.idm.read_only_udm.network.tls.server.ja3s | Directly mapped from event1.ja3sdigest and converted to string. |
| event.idm.read_only_udm.network.tls.version | event.idm.read_only_udm.network.tls.version | Directly mapped from event1.version. |
| event.idm.read_only_udm.principal.application | event.idm.read_only_udm.principal.application | Directly mapped from event1.client_asset_name. |
| event.idm.read_only_udm.principal.asset.attribute.roles[].name | event.idm.read_only_udm.principal.asset.attribute.roles[].name | Directly mapped from ClientAssetRole. |
| event.idm.read_only_udm.principal.asset_id | event.idm.read_only_udm.principal.asset_id | Directly mapped from ClientAssetID or ServerAssetID (prefixed with "Asset:"). |
| event.idm.read_only_udm.principal.hostname | event.idm.read_only_udm.principal.hostname | Directly mapped from event1.sld or src_domain. |
| event.idm.read_only_udm.principal.ip | event.idm.read_only_udm.principal.ip | Directly mapped from event1.src_ip6, client_ip, or ClientIP. |
| event.idm.read_only_udm.principal.location.country_or_region | event.idm.read_only_udm.principal.location.country_or_region | Directly mapped from ClientCountry or src_country if not "UNKNOWN" or empty string. |
| event.idm.read_only_udm.principal.port | event.idm.read_only_udm.principal.port | Directly mapped from event1.sport or client_port and converted to integer. |
| event.idm.read_only_udm.principal.resource.attribute.labels | event.idm.read_only_udm.principal.resource.attribute.labels | Contains various labels based on parser logic. |
| event.idm.read_only_udm.principal.user.userid | event.idm.read_only_udm.principal.user.userid | Directly mapped from ftp.user or AppUser. |
| event.idm.read_only_udm.security_result.action | event.idm.read_only_udm.security_result.action | Determined based on severity. Can be ALLOW, BLOCK, or UNKNOWN_ACTION. |
| event.idm.read_only_udm.security_result.action_details | event.idm.read_only_udm.security_result.action_details | Directly mapped from Action if not "none" or empty string. |
| event.idm.read_only_udm.security_result.category | event.idm.read_only_udm.security_result.category | Set to NETWORK_SUSPICIOUS if malware_type is present. |
| event.idm.read_only_udm.security_result.detection_fields | event.idm.read_only_udm.security_result.detection_fields | Contains various detection fields based on parser logic. |
| event.idm.read_only_udm.security_result.rule_name | event.idm.read_only_udm.security_result.rule_name | Directly mapped from rule_name. |
| event.idm.read_only_udm.security_result.severity | event.idm.read_only_udm.security_result.severity | Determined based on severity. Can be INFORMATIONAL, MEDIUM, ERROR, or CRITICAL. |
| event.idm.read_only_udm.security_result.summary | event.idm.read_only_udm.security_result.summary | Directly mapped from label. |
| event.idm.read_only_udm.security_result.threat_name | event.idm.read_only_udm.security_result.threat_name | Directly mapped from malware_type, or parsed from summary if it contains "CVE-". |
| event.idm.read_only_udm.target.administrative_domain | event.idm.read_only_udm.target.administrative_domain | Directly mapped from DomainName. |
| event.idm.read_only_udm.target.asset.attribute.roles[].name | event.idm.read_only_udm.target.asset.attribute.roles[].name | Directly mapped from ServerAssetRole. |
| event.idm.read_only_udm.target.file.full_path | event.idm.read_only_udm.target.file.full_path | Directly mapped from ftp.filename or Filename. |
| event.idm.read_only_udm.target.file.md5 | event.idm.read_only_udm.target.file.md5 | Directly mapped from event1.md5 or md5. |
| event.idm.read_only_udm.target.file.mime_type | event.idm.read_only_udm.target.file.mime_type | Directly mapped from event1.filetype. |
| event.idm.read_only_udm.target.file.sha1 | event.idm.read_only_udm.target.file.sha1 | Directly mapped from event1.srvcerthash. |
| event.idm.read_only_udm.target.file.sha256 | event.idm.read_only_udm.target.file.sha256 | Directly mapped from event1.sha256 or sha256. |
| event.idm.read_only_udm.target.file.size | event.idm.read_only_udm.target.file.size | Renamed from event1.filesize and converted to unsigned integer if not 0. |
| event.idm.read_only_udm.target.hostname | event.idm.read_only_udm.target.hostname | Directly mapped from event1.sni, dest_domain, or Host. |
| event.idm.read_only_udm.target.ip | event.idm.read_only_udm.target.ip | Directly mapped from event1.dst_ip6, server_ip, or ServerIP. |
| event.idm.read_only_udm.target.location.country_or_region | event.idm.read_only_udm.target.location.country_or_region | Directly mapped from dest_country or ServerCountry. |
| event.idm.read_only_udm.target.platform | event.idm.read_only_udm.target.platform | Mapped from asset_os after normalization. |
| event.idm.read_only_udm.target.platform_version | event.idm.read_only_udm.target.platform_version | Directly mapped from os_version. |
| event.idm.read_only_udm.target.port | event.idm.read_only_udm.target.port | Directly mapped from event1.dport or server_port and converted to integer. |
| event.idm.read_only_udm.target.resource.attribute.labels | event.idm.read_only_udm.target.resource.attribute.labels | Contains various labels based on parser logic. |
| event.idm.read_only_udm.target.url | event.idm.read_only_udm.target.url | Directly mapped from url or URL. |
| event.idm.read_only_udm.target.user.product_object_id | event.idm.read_only_udm.target.user.product_object_id | Directly mapped from uuid. |
| event1.certificate_end_date | event.idm.read_only_udm.network.tls.client.certificate.not_after | Parsed and converted to timestamp. |
| event1.certificate_extended_key_usage | event.idm.read_only_udm.additional.fields[].key: "Extended Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.certificate_extended_key_usage | Mapped as an additional field. |
| event1.certificate_issuer_name | event.idm.read_only_udm.network.tls.client.certificate.issuer | Directly mapped. |
| event1.certificate_key_length | event.idm.read_only_udm.additional.fields[].key: "Key Length", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.certificate_key_length | Mapped as an additional field. |
| event1.certificate_key_usage | event.idm.read_only_udm.additional.fields[].key: "Key Usage", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.certificate_key_usage | Mapped as an additional field. |
| event1.certificate_start_date | event.idm.read_only_udm.network.tls.client.certificate.not_before | Parsed and converted to timestamp. |
| event1.certificate_subject_altname | event.idm.read_only_udm.additional.fields[].key: "Certificate Alternate Name", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.certificate_subject_altname | Mapped as an additional field. |
| event1.certificate_subject_name | event.idm.read_only_udm.network.tls.client.certificate.subject | Directly mapped. |
| event1.client_asset_name | event.idm.read_only_udm.principal.application | Directly mapped. |
| event1.client_asset_subnet | event.idm.read_only_udm.additional.fields[].key: "client_asset_subnet", event.idm.read_only_udm.additional.fields[].value.string_value: value of event1.client_asset_subnet | Mapped as an additional field. |
| event1.client_packet_count | event.idm.read_only_udm.network.sent_bytes | Converted to unsigned integer and renamed. |
| event1.cipher | event.idm.read_only_udm.network.tls.cipher | Directly mapped. |
| event1.direction | event.idm.read_only_udm.network.direction | Mapped to INBOUND if "s2c" or OUTBOUND if "c2s". |
| event1.d | 
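The conditional rules in the table (the "Asset:" prefix, the "UNKNOWN" country filter, s2c/c2s direction, TCP/UDP-only ip_protocol, asset_os normalization, the non-zero file size, and the malware_type / "CVE-" threat_name fallback) as a runnable reference, added here as an example; it is not the Google SecOps parser's code. The `key=value|...` record format, the platform keyword matching, the email regex and the sample record are assumptions made for the example.

```python
import re

# Keyword matching for asset_os and the address check for From are assumptions; the output sets come from the table.
_PLATFORMS = (("windows", "WINDOWS"), ("linux", "LINUX"), ("mac", "MAC"))
_EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def parse_kv(line: str) -> dict:
    """Split a 'key=value|key=value' record into a dict (constructed input format)."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def to_udm(fields: dict) -> dict:
    """Apply the documented mapping rules to one parsed record."""
    principal, target, network, sec = {}, {}, {}, {}
    # Ports are directly mapped and converted to integer.
    if fields.get("client_port", "").isdigit():
        principal["port"] = int(fields["client_port"])
    if fields.get("server_port", "").isdigit():
        target["port"] = int(fields["server_port"])
    # ClientAssetID is prefixed with "Asset:" unless it is "0" or empty.
    asset_id = fields.get("ClientAssetID", "")
    if asset_id and asset_id != "0":
        principal["asset_id"] = "Asset:" + asset_id
    # ClientCountry is dropped when "UNKNOWN" or empty.
    country = fields.get("ClientCountry", "")
    if country and country != "UNKNOWN":
        principal["location"] = {"country_or_region": country}
    # event1.direction: s2c -> INBOUND, c2s -> OUTBOUND.
    direction = {"s2c": "INBOUND", "c2s": "OUTBOUND"}.get(fields.get("event1.direction", ""))
    if direction:
        network["direction"] = direction
    # tproto is only accepted as ip_protocol when it is TCP or UDP.
    if fields.get("tproto", "").upper() in ("TCP", "UDP"):
        network["ip_protocol"] = fields["tproto"].upper()
    # email.from is set only when From looks like a valid address.
    if _EMAIL_RE.fullmatch(fields.get("From", "")):
        network["email"] = {"from": fields["From"]}
    # asset_os is normalized to WINDOWS, LINUX, MAC, or UNKNOWN_PLATFORM.
    if "asset_os" in fields:
        os_name = fields["asset_os"].lower()
        target["platform"] = next((p for k, p in _PLATFORMS if k in os_name), "UNKNOWN_PLATFORM")
    # event1.filesize becomes file.size as an unsigned integer, skipped when 0.
    size = fields.get("event1.filesize", "")
    if size.isdigit() and int(size) != 0:
        target["file"] = {"size": int(size)}
    # malware_type sets category and threat_name; otherwise a CVE id in summary becomes threat_name.
    if fields.get("malware_type"):
        sec["category"] = "NETWORK_SUSPICIOUS"
        sec["threat_name"] = fields["malware_type"]
    else:
        cve = re.search(r"CVE-\d{4}-\d{4,}", fields.get("summary", ""))
        if cve:
            sec["threat_name"] = cve.group(0)
    udm = {"metadata": {"log_type": "FIDELIS_NETWORK"}}
    for name, section in (("principal", principal), ("target", target),
                          ("network", network), ("security_result", sec)):
        if section:
            udm[name] = section
    return udm

# Constructed sample record (not a real Fidelis alert; the CVE id is a placeholder).
SAMPLE = ("client_port=51234|server_port=443|ClientAssetID=42|ClientCountry=UNKNOWN|"
          "event1.direction=c2s|tproto=tcp|From=not-an-address|asset_os=Microsoft Windows 10|"
          "event1.filesize=0|summary=Signature match for CVE-0000-00001")
```

Running `to_udm(parse_kv(SAMPLE))` shows which fields the documented filters drop (the UNKNOWN country, the zero file size, the malformed From) and which survive normalization.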