I made a parser for logs from Bitdefender; on Google SecOps Chronicle there is already a prebuilt parser. Some logs have been successfully parsed to UDM events, but some have errors.
Here are the logs that have errors:
    {
        "module": "hd",
        "product_installed": "BEST",
        "user": {
            "name": "SYSTEM",
            "sid": "S-1-5-18"
        },
        "malware_type": "file",
        "malware_name": "Gen:Illusion.PUP.BruteForce.1.08@DA6FEA89.D.2010100",
        "hash": "44D5FBC622B56B3DD5D888C64188759D00C72BD52E3FEF729C1787868A1536EB",
        "final_status": "still present",
        "file_path": "F:\\XXX\\XXX\\XXX\\XXX\\XXX\\XXX"
    }
I got this error:
generic::unknown: invalid event 0: LOG_PARSING_GENERATED_INVALID_EVENT: "field type check failed: field backstory.File.sha256 \"44D5FBC622B56B3DD5D888C64188759D00C72BD52E3FEF729C1787868A1536EB\" does not match type HASH regexp ^[0-9a-f]+$: invalid argument"
I tried to make a change with a parser extension on the "fileHash" section.
Here is the "fileHash" configuration from the prebuilt parser before my change:
    grok {
        match => {
            "fileHash" => "(?P<_hash>^[0-9a-f]+$)"
        }
        on_error => "file_is_not_hash"
    }
    if [file_is_not_hash] and [fileHash] != "" {
        mutate {
            replace => {
                "about.file.full_path" => "%{fileHash}"
            }
        }
    } else if [fileHash] != "" {
        mutate {
            rename => {
                "fileHash" => "about.file.sha256"
            }
        }
    }
And here is the "fileHash" configuration from the prebuilt parser as I edited it in the parser extension:
    grok {
        match => {
            "fileHash" => "(?P<_hash>^[0-9a-fA-F]+$)"
        }
        on_error => "file_is_not_hash"
    }
    if [file_is_not_hash] and [fileHash] != "" {
        mutate {
            replace => {
                "about.file.full_path" => "%{fileHash}"
            }
        }
    } else if [fileHash] != "" {
        mutate {
            rename => {
                "fileHash" => "about.file.sha256"
            }
        }
    }
After I changed the grok regex configuration, the error is still there.
Can you guys help me, please?
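An added example (not the prebuilt parser or the poster's configuration) that emulates the fileHash branch in Python against the uppercase hash from the post: the edited grok accepts the value, but the HASH type check quoted in the error (lowercase hex only) still rejects it, while lowercasing the matched value before the rename to about.file.sha256 passes and a non-hash path keeps its case. The lowercase step and the helper names are assumptions, not Chronicle's own code.

```python
import re

# Regexp quoted in the LOG_PARSING_GENERATED_INVALID_EVENT error for HASH-typed UDM fields.
UDM_HASH_RE = re.compile(r"^[0-9a-f]+$")
# The edited grok pattern from the post: accepts either case but leaves the value unchanged.
EDITED_GROK_RE = re.compile(r"^[0-9a-fA-F]+$")

# Sample value copied from the event in the post (an uppercase SHA-256).
SAMPLE_HASH = "44D5FBC622B56B3DD5D888C64188759D00C72BD52E3FEF729C1787868A1536EB"


def about_file_from_hash(file_hash: str, lowercase_before_rename: bool) -> dict:
    """Emulate the parser's fileHash branch; return the about.file fields it would set.

    lowercase_before_rename=False mirrors the edited parser extension (value renamed as-is).
    lowercase_before_rename=True adds an assumed mutate-style lowercase of the matched
    value before the rename; the non-hash branch is untouched so a path keeps its case.
    """
    if file_hash == "":
        return {}                                   # neither branch fires on an empty value
    if EDITED_GROK_RE.match(file_hash):             # grok succeeded: treat as a digest
        if lowercase_before_rename:
            file_hash = file_hash.lower()
        return {"sha256": file_hash}                # rename fileHash -> about.file.sha256
    return {"full_path": file_hash}                 # file_is_not_hash -> about.file.full_path


def udm_type_check(about_file: dict) -> dict:
    """Apply the HASH type check Chronicle reported; raise ValueError on a violation."""
    sha256 = about_file.get("sha256")
    if sha256 is not None and not UDM_HASH_RE.match(sha256):
        raise ValueError(
            f'field backstory.File.sha256 "{sha256}" does not match type HASH regexp ^[0-9a-f]+$'
        )
    return about_file


def parse(file_hash: str, lowercase_before_rename: bool) -> dict:
    """Run the fileHash branch and then the type check; return the accepted fields."""
    return udm_type_check(about_file_from_hash(file_hash, lowercase_before_rename))


if __name__ == "__main__":
    try:
        parse(SAMPLE_HASH, lowercase_before_rename=False)
    except ValueError as err:
        print("edited grok only:", err)
    print("lowercase before rename:", parse(SAMPLE_HASH, lowercase_before_rename=True))
    print("non-hash value:", parse("F:\\XXX\\sample.exe", lowercase_before_rename=True))
```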