This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

How can I add custom value to metadata.base_labels.namespaces in parser

Posted on 01-31-2025 05:13 AM
rav1and3
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

I want to add custom namespace for each customer id in CrowdStrike parser. We are ingesting logs from different customer ids from single feed as all the customer ids are belongs to same client. How can I add namespace?

For example:

if [cid] == "xxxxxxxxxxx" {

mutate {

replace => {

  "event.idm.read_only_udm.metadata.base_labels.namespaces" => "example1"

}

}

if [cid] == "yyyyyyyyyyyy" {

mutate {

replace => {

  "event.idm.read_only_udm.metadata.base_labels.namespaces" => "example2"

}

}

@Dimarsky rajukg

2 3 335
Topic Labels
3 REPLIES 3

Posted on --/--/---- --:-- AM
mwisener
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

I'm also researching this, except i'm interested in a parser setting metadata.base_labels.ingestion_kv_labels so that I can have a way to segregate data in the gcp monitoring/metrics.. I don't think that's going to be possible but anyway, came across this you might find useful:

It appears maybe base_labels are not accessible? I'm not sure, but I've this blog about 1,000 times so far to try to tease out more details: https://medium.com/@thatsiemguy/data-rbac-in-chronicle-siem-6cb0ea32294e

For you, looks like base_labels.namespaces are sourced from principal.namespace, src.namespace and target.namespace. I hope google can chime in and clarify base_labels.

"A dynamic Parser based Namespace will override an Ingestion based Namespace, e.g., if a Parser sets principal.namespaces it will supersede the Namespace configured during Ingestion; however, both Namespace values will be stored in the metadata.base_labels.namespaces repeated UDM field."

and looking at his parser, he's updating the namespace in src.namespace, target.namespace and principal.namespace.

Posted on --/--/---- --:-- AM
rav1and3
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

I have used the principal.namespace and then metadata.base_labels.namespaces is populated with value that is assigned to the principal.namespace. But the problem is enrichment is not happening i.e, principal.hostname value is supposed to enriched based on the principal.asset_id value for CrowdStrike EDR logs. Enrichment is working fine in other instances except for one instance. We are using the same CrowdStrike EDR parser in all instances

Posted on --/--/---- --:-- AM
akingscote
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

@mwisener did you figure this out?

We have the exact same problem.

It seems that the "legacy" ingestion API (xxx-malachiteingestion-pa.googleapis.com) works fine, but using the v1Alpha chronicle API (chronicle.googleapis.com) dosent enrich with base_labels.

0 Likes
Top Solution Authors
View all