Error in Parsing Arrays in JSON Logs for UDM Mapping

Hello,

I have been trying to parse an array from a JSON log, where the size of the array varies between logs. I have attached a sample of the log below.

[attachment: vishnu_manu_0-1724166673393.png, sample of the log]

I've run into an issue that I haven't been able to resolve when trying to parse "name" from the log and merge it into the UDM field "security_result.threat_feed_name", which accepts string (repeated) values.


Here are the screenshots of the code and the error:
[attachments: vishnu_manu_1-1724167014062.png, vishnu_manu_3-1724167068594.png]

At a high level, the code uses a "for loop" to fetch all JSON elements from the array as "elem". "elem.name" is used to parse only the name, which is then merged into the UDM.
 
Similarly, I'm facing the same error when trying to parse "confidenceLevel" as "security_result.confidence_score" in the UDM, which accepts float (repeated) values.

I've tried various possibilities to solve the error to the best of my knowledge, but I haven't found a solution yet.
 
If anyone has a solution or suggestion that I can use to resolve this, please share it in a reply.

 

Solved
1 ACCEPTED SOLUTION

So the problem is that while security_result is repeated, threat_feed_name is not, so your first merge won't work, which is what the error indicates. You need to create multiple security_results or something like that (you can do security_result.about.security_result and do repeated there if you prefer to keep one main security_result). You can see the design pattern below.

 

for feed in reportedFeeds {

  # build one scratch security_result per array element;
  # threat_feed_name is a single string inside it
  mutate {
    copy => {
      "security_result.threat_feed_name" => "feed.name"
    }
  }

  # append that element to the repeated UDM security_result list
  mutate {
    merge => {
      "udm.security_result" => "security_result"
    }
  }

  # clear the scratch field so the next iteration starts clean
  mutate {
    remove_field => ["security_result"]
  }
}

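The shape the accepted answer is aiming for (a list of security_result objects, each carrying one scalar threat_feed_name and, for the poster's second question, one confidence_score) can be modelled outside the parser. The following is an added Python illustration, not parser config from the thread and not Chronicle's own code; the sample log, the "reportedFeeds" array name from the answer, and the field names are constructed assumptions. It also covers two cases the thread does not spell out: an element without a name, and a confidenceLevel that arrives as a string and must be coerced to float.

```python
import json

# Constructed sample log (not from the original post): the array length
# varies per event, one element lacks a confidenceLevel, one carries it as a string.
SAMPLE_LOG = json.dumps({
    "eventId": "evt-0001",
    "reportedFeeds": [
        {"name": "feed-alpha", "confidenceLevel": 85},
        {"name": "feed-beta", "confidenceLevel": "60.5"},
        {"name": "feed-gamma"},
    ],
})


def build_security_results(raw_log: str) -> list:
    """Return one UDM-shaped security_result dict per reportedFeeds element.

    threat_feed_name is a single string inside each security_result; what is
    'repeated' is the list of security_results, mirroring the accepted answer's
    one-security_result-per-feed pattern rather than merging names into one field.
    """
    event = json.loads(raw_log)
    feeds = event.get("reportedFeeds") or []
    if not isinstance(feeds, list):
        feeds = [feeds]  # tolerate a single object where an array was expected

    results = []
    for feed in feeds:
        if not isinstance(feed, dict):
            continue  # skip malformed elements instead of failing the event
        sr = {}
        name = feed.get("name")
        if name:
            sr["threat_feed_name"] = str(name)
        level = feed.get("confidenceLevel")
        if level is not None:
            try:
                sr["confidence_score"] = float(level)  # UDM expects a float
            except (TypeError, ValueError):
                pass  # leave the score unset rather than drop the whole element
        if sr:
            results.append(sr)
    return results


def to_udm(raw_log: str) -> dict:
    """Wrap the per-feed results under the repeated security_result key."""
    return {"security_result": build_security_results(raw_log)}


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_LOG), indent=2))
```

The point to carry back to the parser: each loop iteration produces a complete security_result, and the merge appends it to the repeated list, so the array length never matters and no single-valued field ever receives more than one value.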

5 REPLIES