Ultra Cyberfence¶

About¶
Ultra’s CyberFence products are designed to protect vulnerable edge devices (IoT, IoMT and IIoT) without disrupting network operations in the critical-infrastructure and tactical communications systems used by military, government and industrial customers.
Product Details¶
Vendor URL: Ultra Cyberfence
Product Type: NDR
Product Tier: Tier I
Integration Method: Syslog
Integration URL: N/A
Log Guide: N/A
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: 90%
Data Label: ULTRA_CYBERFENCE
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| product_event | metadata.product_event_type |
| description | metadata.description |
| log_id | metadata.product_log_id |
| observer | principal.hostname |
| src_ip | principal.ip |
| src_mac | principal.mac |
| src_subnet | principal.asset.network_domain |
| src_user | principal.user.user_display_name |
| src_port | principal.port |
| _location | target.ip_location |
| dst_ip | target.ip |
| dst_mac | target.mac |
| dst_subnet | target.asset.network_domain |
| dst_port | target.port |
| summary | security_result.summary |
| sr_description | security_result.description |
| sr_rule | security_result.rule_type |
| ip_proto | network.ip_protocol |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all other events | STATUS_UNCATEGORIZED |
| connection | NETWORK_CONNECTION |
Log Sample¶
<30>1 2022-11-02T12:01:17+00:00 Hostname charon - - [meta sequenceId="63"] 09[IKE] IKE_SA peer_data[21741] established between 10.0.0.1[Hostname1]...10.0.0.2[C=US, ST=City, L=City, O=Company, OU=org, CN=desk]
Sample Parsing¶
metadata.product_log_id = "63"
metadata.event_timestamp.seconds = 1667390477
metadata.event_timestamp.nanos = 0
metadata.event_type = "STATUS_UNCATEGORIZED"
metadata.vendor_name = "Ultra Electronics"
metadata.product_name = "Cyberfence"
metadata.product_event_type = "charon"
metadata.description = "IKE_SA peer_data[21741] established"
principal.hostname = "Hostname1"
principal.ip = "10.0.0.1"
principal.asset.hostname = "Hostname1"
principal.asset.ip = "10.0.0.1"
target.ip = "10.0.0.2"
target.asset.ip = "10.0.0.2"
target.ip_location.city = "City"
target.ip_location.country_or_region = "US"
target.ip_location.name = "Company"
target.ip_location.desk_name = "desk"
observer.hostname = "Hostname1"
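The log sample and the Sample Parsing above show the RFC 5424 framing (PRI, timestamp, hostname, APP-NAME, structured data) wrapped around a strongSwan `charon` IKE_SA message, and the UDM fields the parser derives from it. The script below is an added illustration of that mapping, not Chronicle's or Ultra's parser code: the regular expressions, the PRI facility/severity decode, the DN-attribute-to-`target.ip_location` table and the duplicated `*.asset.*` fields are assumptions chosen to reproduce the Sample Parsing output for the constructed sample line.

```python
"""Illustrative UDM mapper for the Ultra CyberFence syslog sample on this page.

Added example: regexes, DN mapping and PRI decoding are assumptions, not the
vendor's or the SIEM's own parser logic.
"""
import re
from datetime import datetime

# Constructed sample: the log line shown under "Log Sample".
SAMPLE_LOG = (
    '<30>1 2022-11-02T12:01:17+00:00 Hostname charon - - '
    '[meta sequenceId="63"] 09[IKE] IKE_SA peer_data[21741] established '
    'between 10.0.0.1[Hostname1]...10.0.0.2[C=US, ST=City, L=City, '
    'O=Company, OU=org, CN=desk]'
)

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$'
)
SEQ_RE = re.compile(r'sequenceId="(?P<seq>[^"]*)"')
# strongSwan "IKE_SA <name>[<id>] established between <ip>[<id>]...<ip>[<id>]"
IKE_RE = re.compile(
    r'^\d+\[IKE\] (?P<desc>IKE_SA \S+ established) between '
    r'(?P<src_ip>\S+?)\[(?P<src_id>[^\]]*)\]\.\.\.'
    r'(?P<dst_ip>\S+?)\[(?P<dst_id>[^\]]*)\]$'
)
# Assumed mapping of X.509 DN attributes onto the target.ip_location fields
# that appear in the Sample Parsing (ST and OU are not mapped there).
DN_TO_UDM = {
    'C': 'target.ip_location.country_or_region',
    'L': 'target.ip_location.city',
    'O': 'target.ip_location.name',
    'CN': 'target.ip_location.desk_name',
}


def decode_pri(pri):
    """RFC 5424 PRI = facility * 8 + severity. <30> is daemon(3)/info(6)."""
    return pri >> 3, pri & 7


def parse_dn(dn):
    """'C=US, ST=City, ...' -> {'C': 'US', 'ST': 'City', ...}."""
    out = {}
    for part in dn.split(','):
        if '=' in part:
            key, value = part.split('=', 1)
            out[key.strip()] = value.strip()
    return out


def classify(product_event):
    """Product Event Types table: only 'connection' is NETWORK_CONNECTION."""
    return 'NETWORK_CONNECTION' if product_event == 'connection' else 'STATUS_UNCATEGORIZED'


def parse_cyberfence(line):
    """Return a flat dict of UDM field -> value for one syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 syslog line')
    # The offset-aware timestamp yields the epoch seconds the SIEM stores.
    ts = datetime.fromisoformat(m['ts'])
    udm = {
        'metadata.event_timestamp.seconds': int(ts.timestamp()),
        'metadata.event_timestamp.nanos': 0,
        'metadata.vendor_name': 'Ultra Electronics',
        'metadata.product_name': 'Cyberfence',
        'metadata.product_event_type': m['app'],   # APP-NAME, e.g. "charon"
        'metadata.event_type': classify(m['app']),
    }
    seq = SEQ_RE.search(m['sd'])
    if seq:
        udm['metadata.product_log_id'] = seq['seq']
    ike = IKE_RE.match(m['msg'])
    if ike:
        udm['metadata.description'] = ike['desc']
        udm['principal.ip'] = udm['principal.asset.ip'] = ike['src_ip']
        udm['target.ip'] = udm['target.asset.ip'] = ike['dst_ip']
        if '=' not in ike['src_id']:
            # Plain identity -> hostname (the sample also copies it to observer)
            for field in ('principal.hostname', 'principal.asset.hostname',
                          'observer.hostname'):
                udm[field] = ike['src_id']
        for attr, value in parse_dn(ike['dst_id']).items():
            if attr in DN_TO_UDM:
                udm[DN_TO_UDM[attr]] = value
    return udm


if __name__ == '__main__':
    for field, value in sorted(parse_cyberfence(SAMPLE_LOG).items()):
        print(f'{field} = {value!r}')
```

A line whose MSG is not an IKE_SA message still yields the metadata fields (timestamp, product_log_id, product_event_type, event_type) and nothing under `principal`/`target`, which is the behaviour to expect for the "all other events" row of the Product Event Types table.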
Parser Alerting¶
This product currently does not have any Parser-based Alerting