LinkedIn
Twitter
1 ACCEPTED SOLUTION
@Aswin_Asokan In that case the security_result field is probably more suitable.
Please try this version ;
filter {
json { source => "message" array_function => "split_columns" }
mutate {replace => {"ipDedupRegex" => " "}}
mutate {replace => {"hostDedupRegex" => " "}}
mutate {replace => {"event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"}}
mutate {replace => {"event1.idm.read_only_udm.metadata.vendor_name" => "Cisco"}}
mutate {replace => {"event1.idm.read_only_udm.metadata.product_name" => "XDR"}}
for k,v in target.data map {
for k2,v2 in v.device map {
if [v2][type] == "ip" {
if [v2][value] !~ ipDedupRegex {
if k=="0" {
mutate {replace => {"ipDedupRegex" => "%{v2.value}"}}
}
else {
mutate {replace => {"ipDedupRegex" => "%{ipDedupRegex}|%{v2.value}"}}
}
mutate {merge => {"ipList_" => "v2.value"}}
}
mutate {replace => {"ip_" => "%{v2.value}"}}
mutate {merge => {"security_result_.about.ip" => "ip_"}}
#mutate {rename => {"ip_list" => "zz"}}
#statedump {}
}
else if [v2][type] == "hostname" {
if [v2][value] !~ hostDedupRegex {
if k=="0" {
mutate {replace => {"hostDedupRegex" => "%{v2.value}"}}
}
else {
mutate {replace => {"hostDedupRegex" => "%{hostDedupRegex}|%{v2.value}"}}
}
mutate {merge => {"hostList_" => "v2.value"}}
}
mutate {replace => {"security_result_.about.hostname" => "%{v2.value}"}}
#mutate {rename => {"host_" => "about_.hostname"}}
#statedump {}
}
#mutate {rename => {"about" => "x.about"}}
#mutate {merge => {"about_" => "about"}}
#mutate {rename => {"about_" => "x.about_"}}
}
#mutate {rename => {"about" => "x"}}
mutate {merge => {"event1.idm.read_only_udm.security_result" => "security_result_"}}
#mutate {rename => {"security_result" => "event1.idm.read_only_udm.security_result"}}
mutate {replace => {"security_result_" => ""}}
#mutate {replace => {"about_" => "about"}}
}
#mutate {merge => {"about_" => "about"}}
statedump {}
mutate {
merge => {
"@output" => "event1"
}
}
#SecurityResult
}
I left some unused tokens "hostList_" and "ipList_" in case you needed them separate.
i.e. This mapping below is more consistent, however looking at the type of logs you are trying to ingest I feel it would fit more in the asset context logs not the event ones ;
filter {
json { source => "message" array_function => "split_columns"}
mutate {convert => {"target.total_count" => "string"}}
mutate {replace => {"count" => "%{target.total_count}"}}
for k,v in target.data map {
mutate {replace => {"event1" => ""}}
mutate {replace => {"event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"}}
for k2,v2 in v.device map {
if [v2][type] == "ip" {
mutate {replace => {"ip" => "%{v2.value}"}}
mutate {merge => {"event1.idm.read_only_udm.target.ip" => "ip"}}
}
if [v2][type] == "hostname"{
mutate {replace => {"host" => "%{v2.value}"}}
mutate {rename => {"v2.value" => "event1.idm.read_only_udm.target.hostname"}}
}
}
mutate {
merge => {
"@output" => "event1"
}
}
statedump {label=>"outerLoop"}
}
statedump {}
}
@Aswin_Asokan In that case the security_result field is probably more suitable.
Please try this version ;
filter {
json { source => "message" array_function => "split_columns" }
mutate {replace => {"ipDedupRegex" => " "}}
mutate {replace => {"hostDedupRegex" => " "}}
mutate {replace => {"event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"}}
mutate {replace => {"event1.idm.read_only_udm.metadata.vendor_name" => "Cisco"}}
mutate {replace => {"event1.idm.read_only_udm.metadata.product_name" => "XDR"}}
for k,v in target.data map {
for k2,v2 in v.device map {
if [v2][type] == "ip" {
if [v2][value] !~ ipDedupRegex {
if k=="0" {
mutate {replace => {"ipDedupRegex" => "%{v2.value}"}}
}
else {
mutate {replace => {"ipDedupRegex" => "%{ipDedupRegex}|%{v2.value}"}}
}
mutate {merge => {"ipList_" => "v2.value"}}
}
mutate {replace => {"ip_" => "%{v2.value}"}}
mutate {merge => {"security_result_.about.ip" => "ip_"}}
#mutate {rename => {"ip_list" => "zz"}}
#statedump {}
}
else if [v2][type] == "hostname" {
if [v2][value] !~ hostDedupRegex {
if k=="0" {
mutate {replace => {"hostDedupRegex" => "%{v2.value}"}}
}
else {
mutate {replace => {"hostDedupRegex" => "%{hostDedupRegex}|%{v2.value}"}}
}
mutate {merge => {"hostList_" => "v2.value"}}
}
mutate {replace => {"security_result_.about.hostname" => "%{v2.value}"}}
#mutate {rename => {"host_" => "about_.hostname"}}
#statedump {}
}
#mutate {rename => {"about" => "x.about"}}
#mutate {merge => {"about_" => "about"}}
#mutate {rename => {"about_" => "x.about_"}}
}
#mutate {rename => {"about" => "x"}}
mutate {merge => {"event1.idm.read_only_udm.security_result" => "security_result_"}}
#mutate {rename => {"security_result" => "event1.idm.read_only_udm.security_result"}}
mutate {replace => {"security_result_" => ""}}
#mutate {replace => {"about_" => "about"}}
}
#mutate {merge => {"about_" => "about"}}
statedump {}
mutate {
merge => {
"@output" => "event1"
}
}
#SecurityResult
}
I left some unused tokens "hostList_" and "ipList_" in case you needed them separate.
