Collect Halcyon Anti-Ransomware logs
This document explains how to ingest Halcyon Anti-Ransomware logs into Google Security Operations using Google Cloud Storage V2.
Halcyon is an anti-ransomware platform that uses AI to detect, prevent, and recover from ransomware attacks. It generates alerts for ransomware detection events, encryption attempts, and recovery actions. The parser maps JSON-formatted log fields to the Unified Data Model (UDM), handling event types such as file operations, user activity, and security results.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- A GCP project with Cloud Storage API enabled
- Permissions to create and manage GCS buckets and IAM policies
- Privileged access to the Halcyon console with log export capabilities
Create Google Cloud Storage bucket
- Go to the Google Cloud Console.
- Select your project or create a new one.
- In the navigation menu, go to Cloud Storage > Buckets.
- Click Create bucket.
Provide the following configuration details:
| Setting | Value |
|---|---|
| Name your bucket | Enter a globally unique name (for example, halcyon-logs) |
| Location type | Choose based on your needs (Region, Dual-region, Multi-region) |
| Location | Select the location (for example, us-central1) |
| Storage class | Standard (recommended for frequently accessed logs) |
| Access control | Uniform (recommended) |
| Protection tools | Optional: Enable object versioning or retention policy |

- Click Create.
Export Halcyon logs to Google Cloud Storage
Halcyon supports exporting log data in JSON format. Use one of the following approaches to deliver logs to GCS.
Option A: Export logs using the Halcyon API and upload to GCS
- Sign in to the Halcyon management console.
- Go to Settings > API Access and generate an API key with read permissions.
- Copy and save the API Key.
- Use a scheduled script or Cloud Run function to call the Halcyon REST API, fetch event logs, and write them to GCS in JSON format.
Option B: Configure SIEM integration and forward to GCS
- Sign in to the Halcyon management console.
- Go to Settings > Integrations > SIEM.
- Configure the log export destination to write JSON-formatted events to a local directory or intermediate storage.
- Use a Cloud Run function to periodically upload logs to your GCS bucket.
- Make sure the exported files are in JSON format.
- Each file should contain one or more event records.
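The following is an added example of the scheduled exporter that Option A describes and the periodic upload that Option B ends with; it is not Halcyon's or Google's code. The Halcyon endpoint, the `X-API-Key` header and the `since` query parameter are placeholders (take the real values from the Halcyon API documentation), and the newline-delimited JSON layout is one way of putting one or more event records in each file.

```python
"""Scheduled exporter: pull Halcyon events over its REST API and write them
as JSON objects under the GCS prefix the SecOps feed reads from.
HALCYON_API, the X-API-Key header and `since` are placeholders (assumed)."""
import json, urllib.parse, urllib.request
from datetime import datetime, timezone

HALCYON_API = "https://HALCYON_CONSOLE_PLACEHOLDER/api/v1/events"  # hypothetical
BUCKET = "halcyon-logs"          # replace with your bucket name
PREFIX = "halcyon/events/"       # same path as the feed's Storage bucket URI


def fetch_events(api_key, since, opener=urllib.request.urlopen):
    """GET events newer than `since`; `opener` is injectable for offline tests."""
    query = urllib.parse.urlencode({"since": since.isoformat()})
    req = urllib.request.Request(f"{HALCYON_API}?{query}",
                                 headers={"X-API-Key": api_key})
    with opener(req) as resp:
        return json.load(resp)


def object_name(batch_time):
    """Date-partitioned object under PREFIX, e.g. .../2024/05/01/events-120000.json."""
    return f"{PREFIX}{batch_time:%Y/%m/%d}/events-{batch_time:%H%M%S}.json"


def serialize_events(events):
    """One JSON record per line, so each file holds one or more event records."""
    if not events:
        raise ValueError("refusing to write an empty object")
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events).encode()


def upload(name, payload):
    """Write the batch to GCS; needs google-cloud-storage and ADC credentials."""
    from google.cloud import storage  # local import keeps the module importable offline
    blob = storage.Client().bucket(BUCKET).blob(name)
    blob.upload_from_string(payload, content_type="application/json")


def run(api_key, since):
    """One scheduled invocation; returns the object written, or None if no events."""
    events = fetch_events(api_key, since)
    if not events:
        return None
    name = object_name(datetime.now(timezone.utc))
    upload(name, serialize_events(events))
    return name
```

Run it from Cloud Scheduler or a Cloud Run job under a service account that has write access to the bucket, and persist the last successful `since` value between invocations so no window is exported twice or skipped.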
Retrieve the Google SecOps service account
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click Configure a single feed.
- Select Google Cloud Storage V2 as the Source type.
- Select Halcyon Anti Ransomware as the Log type.
- Click Get Service Account. A unique service account email will be displayed, for example: chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com
- Copy this email address. You will use it in the next step.
Grant IAM permissions to the Google SecOps service account
- Go to Cloud Storage > Buckets.
- Click your bucket name.
- Go to the Permissions tab.
- Click Grant access.
- Provide the following configuration details:
- Add principals: Paste the Google SecOps service account email.
- Assign roles: Select Storage Object Viewer.
- Click Save.
- If you plan to use the deletion option (delete transferred files), grant Storage Object Admin role instead of Storage Object Viewer.
Configure a feed in Google SecOps to ingest Halcyon Anti-Ransomware logs
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, Halcyon Anti-Ransomware logs).
- Select Google Cloud Storage V2 as the Source type.
- Select Halcyon Anti Ransomware as the Log type.
- Click Next.
- Specify values for the following input parameters:

| Field | Value |
|---|---|
| Storage bucket URI | gs://halcyon-logs/halcyon/events/ |
| Source Deletion Option | Select the deletion option according to your preference |
| Maximum File Age (Days) | Default is 180 days |
| Asset namespace | The asset namespace |
| Ingestion labels | The label to be applied to the events from this feed |

- Replace halcyon-logs with your actual GCS bucket name.
- Always include the trailing slash (/) at the end of the URI.
- Replace
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| sshd, tty, euid, dataType, filterName, totalOccurrences, occurredAt, count, occurrences.IncorrectPasswords, occurrences.FailedPassword, occurrences.AuthFailure, policyMode, action | additional.fields | Merged with labels created from each field if present; totalOccurrences, count, occurrences fields converted to string |
| dnsArtifact.uri | network.dns.questions | Merged with questions array containing the name |
| asset.id | principal.asset.asset_id | Concatenated as "ASSET:" + asset.id |
| asset.kind | principal.asset.attribute.labels | Merged with asset_kind_label created from asset.kind |
| asset.name | principal.asset.hostname | Value copied directly |
| ipArtifact.ipAddress | principal.asset.ip | Value copied directly |
| summary.applicationName | principal.application | Value copied directly |
| phost, asset.name | principal.hostname | Value from phost if present, overwritten by asset.name if present |
| ipArtifact.ipAddress | principal.ip | Value copied directly |
| process.commandLine | principal.process.command_line | Value copied directly |
| modifiedFilePath, artifact.filePath, process.artifact.filePath, processes.artifact.filePath | principal.process.file.full_path | Value set to modifiedFilePath if present, overwritten by artifact.filePath if present, overwritten by process.artifact.filePath if present, overwritten by processes.artifact.filePath if present (quotes removed for processes.artifact.filePath) |
| lastOccurredAt | principal.process.file.last_seen_time | Converted using date filter with ISO8601 format |
| process.artifact.kind, artifact.kind, primaryProcess.artifact.kind | principal.process.file.mime_type | Value from process.artifact.kind if present, overwritten by artifact.kind if present, overwritten by primaryProcess.artifact.kind if present |
| artifact.sha256, process.artifact.sha256, processes.artifact.sha256 | principal.process.file.sha256 | Value from artifact.sha256 if present, overwritten by process.artifact.sha256 if present, overwritten by processes.artifact.sha256 if present |
| process.parentPid | principal.process.parent_pid | Value copied directly |
| process.pid | principal.process.pid | Value copied directly |
| user_displayname | principal.user.user_display_name | Value copied directly |
| user | principal.user.userid | Value copied directly |
| summary.artifact.filePath | target.file.full_path | Value copied directly |
| summary.artifact.sha256 | target.file.sha256 | Value copied directly |
| primaryProcess.commandLine | target.process.command_line | Value copied directly after removing quotes |
| primaryProcess.kind | target.process.file.mime_type | Value copied directly |
| primaryProcess.parentPid | target.process.parent_process.pid | Value copied directly |
| primaryProcess.pid | target.process.pid | Value copied directly |
| uid | target.user.userid | Value copied directly |
| id | target.asset_id | Concatenated as "ASSET:" + id |
| action | security_result.action | Uppercased if action is "Block" or "Allow" |
| reason.exitCode | security_result.action_details | Value copied directly |
| dxpRule, monitoringReason, tenantId | security_result.detection_fields | Merged with labels created from each field if present; backslashes removed for dxpRule |
| dxpRuleType | security_result.rule_type | Value copied directly |
| ipArtifact.version | security_result.rule_version | Value copied directly |
| msg, reason.cause | security_result.summary | Value from msg if present, overwritten by reason.cause if present |
| timestamp | metadata.event_timestamp | Converted using date filter with formats MMM dd HH:mm:ss or MMM d HH:mm:ss |
| phost, ipArtifact.ipAddress, asset.name, user, uid, summary.artifact.sha256, summary.artifact.filePath | metadata.event_type | Set to FILE_UNCATEGORIZED if has_principal and has_target_file; USER_UNCATEGORIZED if has_principal and has_target; STATUS_UPDATE if has_principal; else GENERIC_EVENT (flags derived from sources) |
| kind | metadata.product_event_type | Value copied directly |
| gupid, guid | metadata.product_log_id | Value from gupid if present, overwritten by guid if present |
| | metadata.product_name | Set to "Halcyon Anti Ransomware" |
| | metadata.vendor_name | Set to "Halcyon" |
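As an added reference model (not the Google SecOps parser itself), the function below applies the precedence rules and the event_type decision from the table to a Halcyon event, so you can check what a sample record should become after ingestion. The table does not say which source sets which flag, so it assumes has_principal comes from phost, ipArtifact.ipAddress, asset.name or user; has_target from uid; and has_target_file from summary.artifact.sha256 or summary.artifact.filePath.

```python
# Added reference model of part of the UDM mapping table, not the SecOps parser.
# The flag-to-source assignment for metadata.event_type is an assumption.


def _last_present(event, *paths):
    """Value of the last dotted path present in event; later paths overwrite."""
    found = None
    for path in paths:
        node = event
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if node not in (None, ""):
            found = node
    return found


def map_to_udm(event):
    """Apply the table's precedence rules and event_type decision to one event."""
    udm = {}
    host = _last_present(event, "phost", "asset.name")  # asset.name wins
    if host:
        udm["principal.hostname"] = host
    asset_id = _last_present(event, "asset.id")
    if asset_id:
        udm["principal.asset.asset_id"] = "ASSET:" + str(asset_id)
    path = _last_present(event, "modifiedFilePath", "artifact.filePath",
                         "process.artifact.filePath")
    procs_path = _last_present(event, "processes.artifact.filePath")
    if procs_path:  # highest precedence; quotes removed only for this source
        udm["principal.process.file.full_path"] = procs_path.replace('"', "")
    elif path:
        udm["principal.process.file.full_path"] = path
    if event.get("action") in ("Block", "Allow"):  # other values are not mapped
        udm["security_result.action"] = event["action"].upper()
    # Assumed flag sources (see lead-in); decision order is the table's.
    has_principal = bool(_last_present(event, "phost", "ipArtifact.ipAddress",
                                       "asset.name", "user"))
    has_target = bool(_last_present(event, "uid"))
    has_target_file = bool(_last_present(event, "summary.artifact.sha256",
                                         "summary.artifact.filePath"))
    if has_principal and has_target_file:
        udm["metadata.event_type"] = "FILE_UNCATEGORIZED"
    elif has_principal and has_target:
        udm["metadata.event_type"] = "USER_UNCATEGORIZED"
    elif has_principal:
        udm["metadata.event_type"] = "STATUS_UPDATE"
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"
    return udm
```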