Cohesity DataProtect¶
About¶
Cohesity DataProtect is a high-performance, software-defined backup and recovery solution designed for the cloud era. Designed for hyperscale, it offers the most comprehensive policy-based protection for both traditional and modern data sources. DataProtect converges multiple-point products into a single software that can be deployed as on-premises or consumed as a service.
Product Details¶
Vendor URL: Cohesity DataProtect
Product Type: Backup
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Cohesity DataProtect
Log Guide: N/A
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 80-90%
Data Label: COHESITY
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| action,desc | security_result.description |
| additional.COMMAND,command,process | target.process.command_line |
| additional.dest_process_id,pid,_ResourceId,instance_id,json_data.resource.labels.instance_id | target.process.pid |
| additional.dest.dvchost,dvc,Hostname,relayHostname | intermediary.hostname |
| additional.duser,target.user.userid,username | target.user.userid |
| additional.file_name,additional.TTY | target.process.file.full_path |
| additional.PWD,process,ProcessName | principal.process.file.full_path |
| command | principal.process.command_line |
| dstPort,targetPort | target.port |
| dvc,Hostname,relayIp | intermediary.ip |
| dvc,targetHostname | target.hostname |
| dvc,targetIp | target.ip |
| filepath,pwd | target.file.full_path |
| json_data.labels.compute.googleapis.com/resource_name | target.resource.name |
| json_data.resource.labels.project_id | target.asset.attribute.cloud.project.id |
| json_data.resource.labels.zone | target.asset.attribute.cloud.availability_zone |
| metadata.description,action,SyslogMessage | metadata.description |
| metadata.product_name,eventType,ProcessName,op | metadata.product_event_type |
| outcome,hasing_algo,proto,reason | security_result.summary |
| principal.hostname,dvc,srcHostName,Computer,source | principal.hostname |
| principal.ip,dvc,srcIp,HostIP | principal.ip |
| principal.port,srcPort | principal.port |
| principal.user.userid,userId,username | principal.user.userid |
| process | target.application |
| process | target.application |
| processId | principal.process.pid |
| protocol | network.ip_protocol |
| received_bytes | network.received_bytes |
| security_result.action | security_result.action |
| security_result.severity,log_level,SeverityLevel | security_result.severity |
| sent_bytes | network.sent_bytes |
| sessionId | network.session_id |
| targetEmail | network.email.to |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all other events | GENERIC_EVENT |
| CRYPTO_SESSION,sftp-server,Connection | NETWORK_CONNECTION |
| LOGIN,USER_AUTH,USER_LOGIN,Authentication failed,Started,Starting,opened | USER_LOGIN |
| SERVICE_START | RESOURCE_CREATION,SERVICE_START |
| SERVICE_STOP | RESOURCE_DELETION,SERVICE_STOP |
| smtpd | NETWORK_CONNECTION,NETWORK_SMTP |
| systemd-logind | USER_UNCATEGORIZED |
| USER_ACCT,Starting Session | USER_UNCATEGORIZED |
| USER_LOGOUT,session closed | USER_LOGOUT |
Log Sample¶
<14>Sep 29 00:10:23 node dataprotection_events: {"EventMessage" : "Finishing backup task", "Timestamp" : "2021-09-29T07:10:23.288Z", "ClusterInfo" : {"ClusterId" : "clusterid", "ClusterName" : "clustername"}, "EventType" : "kBackup", "EnvironmentType" : "kView", "RegisteredSource" : {"EntityType" : "kView", "EntityId" : "entityid", "EntityName" : "DefaultStorageDomain"}, "BackupJobName" : "SQL_Backups", "BackupJobId" : "19", "Entities" : [{"EntityType" : "kView", "EntityId" : "entityid", "EntityName" : "sql_backups"}], "TaskId" : "163642", "AttributeMap" : {}}
Sample Parsing¶
metadata.event_timestamp = "2021-09-29T00:10:23Z"
metadata.event_type = "GENERIC_EVENT"
metadata.product_name = "Unix OS"
metadata.product_event_type = "dataprotection_events"
metadata.ingested_timestamp = "2021-09-29T07:11:22.975382Z"
principal.platform = "LINUX"
intermediary.hostname = "node"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon