Entity mapping in parsers

Has anyone tried to map entities in the parser? (e.g. entity.user.user_id, entity.url, entity.hostname, etc.)

What is the possible solution to parse IP, hostname, URL, etc. as entities?


Yes, you can map entity fields in a parser, along with UDM. A common parser that does this is the Okta user context parser, if you're looking for an example.

-mike


Hello,

I tried the similar syntax shown above.

My code is:

    if message =~ "PanOSUserIdentifiedBySource" {
        grok {
            match => {
                "message" => ".*PanOSUserIdentifiedBySource=%{DATA:tuid} .*"
            }
            on_error => "gili_gili"
        }
        mutate {
            replace => {
                "event.idm.entity.entity.user.userid" => "%{tuid}"
            }
        }
    }
I received an error.

I've also tried declaring product_name, vendor_name, and metadata.entity_type. The error is still seen.

@vishnu_manu your grok statement is missing the overwrite to assign the captured token to the variable tuid, plus I think you mistakenly repeated entity in the replace statement.
I would also recommend using statedump after each problematic block to see the error tags or what values are being tokenized.
You could start by focusing on tokenizing the variables first before writing the UDM event, and you could try using simpler examples first.

You can use this example from GitHub to see a full example, along with the required metadata fields being set: https://github.com/goog-cmmartin/thatsiemguy/blob/main/misp/chronicle_parser/misp_ioc.conf

-mike
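To make the two points above concrete (the grok `overwrite`, and checking the tokenizer state with `statedump` before writing any UDM fields), here is a constructed parser fragment for the same PAN-OS message. It is an added example, not Mike's code and not taken from the linked GitHub repo. It reuses the grok pattern from the posted snippet; the error tag `no_user_match`, the statedump label, and the vendor/product strings are my own assumed values, and the field path `event.idm.entity.entity.user.userid` follows the UDM entity layout where the entity noun sits under `idm.entity.entity` next to `idm.entity.metadata`.

```logstash
filter {
  # Only the user-identification line is handled here; other messages fall through.
  if [message] =~ "PanOSUserIdentifiedBySource" {
    grok {
      match => {
        "message" => ".*PanOSUserIdentifiedBySource=%{DATA:tuid} .*"
      }
      # Without overwrite the capture is never assigned to tuid.
      overwrite => ["tuid"]
      # Assumed tag name: set instead of failing the parser when the pattern misses.
      on_error => "no_user_match"
    }

    # Dump the current token state so a missing tuid or an error tag is visible
    # in the parser test output before any UDM fields are populated.
    statedump { label => "after_grok" }

    if ![no_user_match] and [tuid] != "" {
      mutate {
        replace => {
          # Required entity metadata (vendor/product strings are assumed values).
          "event.idm.entity.metadata.entity_type" => "USER"
          "event.idm.entity.metadata.vendor_name" => "Palo Alto Networks"
          "event.idm.entity.metadata.product_name" => "PAN-OS"
          # Entity noun: note the metadata and entity branches are siblings.
          "event.idm.entity.entity.user.userid" => "%{tuid}"
        }
      }
      # Emit the entity event only when tokenization succeeded.
      mutate { merge => { "@output" => "event" } }
    }
  }
}
```

The `if ![no_user_match]` guard is the part that keeps a half-built entity out of the output: if grok misses, the tag is set, the statedump shows it, and nothing is merged into `@output`. The fragment does not set `metadata.collected_timestamp`, which entity events also expect; that comes from the log's own timestamp via a `date` filter and depends on the timestamp format of the source.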

Mike,

Thanks for the github repo.

Let's say I bring in logs from an endpoint management tool, where the logs will be from an API call which returns the entities of a host (hostname, username, MAC, IP, agents installed, etc.).

By using the above GitHub repo as a reference, I will parse all the entities which are required.

Will this help me in enriching other missing entities in other log sources? For example, I have a firewall log where only the hostname and username are present in the log. Will it enrich the remaining entities associated with the host and username, like the MAC and its associated IP?