Clarification on drop function syntax in a parser

Hello,

I was wondering if anyone could add some clarity to the documentation around drop function in the Parser syntax reference?

Per the docs, "This function is used to drop all messages that reach this filter logic." That is pretty straightforward, but how does this work in the context of a parser extension? I understand that the default parser will process the log data first and then pass it to the extension, assuming one exists.

If I add a drop{} to my extension does that mean that it drops all parsing of the log altogether (including whatever the default parser has already done) or just what the extension would have done while the previous parsing from the default parser is still maintained?

Accepted solution

Jared, 

The drop filter does exactly what you understand it to do: it stops the parsing of a log and goes on to the next log.

With respect to what happens when you have a parser followed by a parser extension... 

If a drop filter is hit in the initial parser the log gets dropped and no further parsing occurs. You will see the raw log in the Chronicle SIEM UI and it will show up as an unparsed log (there will be no UDM associated with it). If there was a parser extension configured for this logtype the parser extension will not execute.

If the initial parser completes and generates a UDM event, a parser extension is configured, the parser extension runs, and the parser extension logic then hits a drop filter, the UDM generated by the initial parser will still exist and be stored alongside the raw log.

I use the term initial parser here to make it clear that the same behavior happens with both a default parser or with a custom parser if you have one in place. 
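The two outcomes the answer describes, modelled as added example code (this is not Chronicle's own implementation; the sample parser and extension logic, the field names and the tag strings are all constructed for illustration):

```python
"""Model of the drop semantics described in the accepted answer.

Constructed illustration, not Chronicle code: an "initial parser" (default
or custom) runs first; a parser extension runs only if the initial parser
produced a UDM event. A drop in either stage stops that stage, but only a
drop in the initial parser leaves the log unparsed (no UDM at all).
"""
from dataclasses import dataclass, field
from typing import Optional


class Drop(Exception):
    """Raised by a filter chain to stop parsing the current log."""


@dataclass
class Result:
    raw: str                          # the raw log is always retained
    udm: Optional[dict] = None        # None means "unparsed, no UDM"
    tags: list = field(default_factory=list)


def initial_parser(raw: str) -> dict:
    # Constructed sample logic: drop heartbeats, parse "key=value" pairs.
    if raw.startswith("heartbeat"):
        raise Drop("no security value")
    return dict(kv.split("=", 1) for kv in raw.split() if "=" in kv)


def extension(raw: str, udm: dict) -> dict:
    # Constructed extension: enrich the event, but drop if "user" is absent.
    if "user" not in udm:
        raise Drop("extension skipped: no user field")
    return {**udm, "principal.user.userid": udm["user"]}


def process(raw: str) -> Result:
    """Run initial parser, then extension, with the drop behaviour above."""
    result = Result(raw=raw)
    try:
        result.udm = initial_parser(raw)
    except Drop as e:
        result.tags.append(f"dropped_by_initial:{e}")
        return result             # no UDM; the extension never runs
    try:
        result.udm = extension(raw, result.udm)
    except Drop as e:
        # The initial parser's UDM survives; only the enrichment is lost.
        result.tags.append(f"dropped_by_extension:{e}")
    return result
```

Running `process()` over the three kinds of constructed input (normal event, heartbeat, event without a user) shows that only the heartbeat ends up with no UDM.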

