Question

Issues with Fidelis Networks API which pulls logs to Google SecOps

  • November 12, 2025
  • 3 replies
  • 49 views

NASEEF

We’re currently encountering an issue with the Fidelis Networks API integration for Google SecOps. The logs being pulled appear in a JSON-wrapped CEF format, and the CEF structure seems malformed, causing parsing errors in Google SecOps.

We’ve referred to the official documentation (Doc: https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/fidelis-network), but several of the described steps do not appear in our console.

Could you please advise if there’s a validated configuration or an alternate method to successfully ingest Fidelis logs into Google SecOps?

Thank you for your assistance.

3 replies

chrisproudley
Staff

Hi @NASEEF, which steps are missing in your console? I just ran through the steps and can’t see any missing. Fidelis Network / NDR is obviously a very old/long-running platform with many iterations. Can you share what version of Fidelis you are running please? Better yet, can you share a section of the CEF log output, including any parts that appear malformed?


Aravind3
  • Bronze 2
  • November 13, 2025

Hi @chrisproudley,
Thank you for your response.
This is the format we are getting:

{
"appname": "CEF",
"facility": 4,
"hostname": "MASKED-XXXX",
"message": "CEF:0|Fidelis Cybersecurity|direct5000|9.8.1|FSS_Reverse Tunnel|FSS_Reverse Tunnel|2| act=alert cs2=MASKED_URL cs2Label=linkback dst=MASKED_IP dpt=443 cs6=default cs6Label=group cs1=FSS_Anomalous Network Activity,FSS_Whitelist_Trusted_Scanners cs1Label=policy proto=SMB dvc=MASKED_IP dvchost=MASKED_HOST sev=2 src=10.xx.4.xx spt=3xx10 msg=Possible reverse tunnel detected from 10.xx.4.xx to x.xx.xx.xxx target=SMB rt=MASKED_TIME reason=[{"F.Ports.Server.SSL":[{"matched":"true","Session":"\u003cn\\/a\u003e"}]},{"F.TCP.Direction.C2S":[{"matched":"true","Session":"\u003cn\\/a\u003e"}]},{"F.IP.Internal.Src":[{"matched":"true","Organization":[{"Match On":"src_ip in [192.168.0.0\\/16,10.0.0.0\\/8,172.16.0.0\\/12];src_ipv6 in [FD00::\\/8,FC00::\\/8];"}]}]},{"F.IP.Internal.Dst":[{"matched":"false"}]},{"F.DecodingPath.HTTP":[{"matched":"false"}]},{"F.DecodingPath.SSL":[{"matched":"false"}]},{"F.Decrypted":[{"matched":"false"}]},{"F.Protocol.Mail.Google":[{"matched":"false"}]},{"F.Protocol.IM.Any":[{"matched":"false"}]},{"F.Protocol.WebSocket":[{"matched":"false"}]},{"F.Protocol.Sharepoint":[{"matched":"false"}]},{"F.Protocol.SIP":[{"matched":"false"}]},{"F.Protocol.FIX":[{"matched":"false"}]},{"F.UnknownProtocol":[{"matched":"false"}]},{"Whitelist.QualysGuard.Scans_F_Deprecated_FSS":[{"matched":"false"}]},{"Whitelist.Site.AuthorizedScanners_F_Deprecated_FSS":[{"matched":"false"}]},{"Protocol.HTTP.UserAgent.QualysTest_F_Deprecated_FSS":[{"matched":"false"}]}]",
"priority": 33
}

Is there a problem on our end with the configuration? We didn’t see step 10 of “Configure General Dynamics Fidelis XPS” in the doc: https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/fidelis-network
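The wrapped record above, worked through in Python as an added example (not code from the post, from Google SecOps or from Fidelis): it shows that the wrapper fails strict JSON parsing because the quotes inside "message" are unescaped, re-escapes that string so the wrapper parses, then splits the CEF header and extensions and decodes the reason= JSON. It assumes the wrapper key order shown in the post (message followed by priority) and that an extension value ends at the next " key=" token; the sample record is constructed with masked values replaced by documentation addresses.

```python
import json
import re

# Constructed sample modelled on the record in the post (IPs replaced with
# documentation addresses, reason= shortened). The quotes inside the "message"
# string are unescaped, exactly as in the post, so the wrapper is not valid JSON.
RAW = (
    '{"appname": "CEF", "facility": 4, "hostname": "sensor-01", '
    '"message": "CEF:0|Fidelis Cybersecurity|direct5000|9.8.1|FSS_Reverse Tunnel|'
    'FSS_Reverse Tunnel|2| act=alert dst=203.0.113.10 dpt=443 '
    'cs1=FSS_Anomalous Network Activity,FSS_Whitelist_Trusted_Scanners cs1Label=policy '
    'proto=SMB src=10.0.4.7 spt=30010 '
    'msg=Possible reverse tunnel detected from 10.0.4.7 to 203.0.113.10 '
    'reason=[{"F.Ports.Server.SSL":[{"matched":"true"}]},'
    '{"F.IP.Internal.Dst":[{"matched":"false"}]}]", "priority": 33}'
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# Assumption: wrapper keys appear in the order seen in the post (message, then priority).
MESSAGE_SPAN = re.compile(r'("message":\s*)"(CEF:.*)"(\s*,\s*"priority")', re.S)
# A CEF extension value runs until the next " key=" token or the end of the line.
EXT_PAIR = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)', re.S)

def strict_json_ok(raw: str) -> bool:
    """True only if the wrapper parses as-is; False for the Fidelis sample."""
    try:
        return bool(json.loads(raw))
    except json.JSONDecodeError:
        return False

def repair_wrapper(raw: str) -> dict:
    """Re-escape the CEF string so the wrapper becomes valid JSON, then parse it."""
    m = MESSAGE_SPAN.search(raw)
    if not m:
        raise ValueError("no CEF message found in wrapper")
    fixed = raw[:m.start()] + m.group(1) + json.dumps(m.group(2)) + m.group(3) + raw[m.end():]
    return json.loads(fixed)

def parse_cef(message: str) -> dict:
    """Split the 7 CEF header fields and the key=value extensions; decode reason= JSON."""
    parts = message.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("expected a CEF:N header with seven pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, [parts[0].split(":", 1)[1], *parts[1:7]]))
    ext = dict(EXT_PAIR.findall(parts[7].strip()))
    if "reason" in ext:
        ext["reason"] = json.loads(ext["reason"])
    return {"header": header, "extensions": ext}
```

Running `parse_cef(repair_wrapper(RAW)["message"])` yields the header fields and an extensions dict in which reason= is a decoded list; if the same record were forwarded with the inner quotes already escaped, `strict_json_ok` would return True and `repair_wrapper` would be a no-op.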

Aravind3
  • Bronze 2
  • November 14, 2025

Hi @chrisproudley,

Version 9.8.1 is being used.