Parse JSON file from Emerging Threats rules.

xfaith · ‎05-08-2020

So I am trying to parse the description of the ET Rules which is downloaded as json.gz So it should be a JSON file but it's not taking the default JSON sourcetype, it's showing it as one file.

The beginning of the file starts with a {
Its rule starts like this "2012742":{

And each rule ends like this: :"2012742"},

I have tried to do line breaks, indexed extractions=json,
I thought BREAK_AFTER= },

But I am not good with regex and so it's not working.

Thanks for any assistance.

xfaith · ‎05-09-2020

Thanks.

Using it to provide details on the the ET rules sets I use on sensors. Trying to tie in rules/usage/and details of the rules together. Hoping that it gives a better view of the total rule sets instead of just loading the newest ones. I want to see what they are, which are disabled, which are enabled, and what they do.

I have something like it being used for Snort Rules, just could not figure out how to use it for the ET Description. Will give this a try soon.

to4kawa · ‎05-08-2020

[ ET_json ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=none
KV_MODE=json
SHOULD_LINEMERGE=false
category=Structured
description=json
disabled=false
pulldown_type=true
LINE_BREAKER=(({|,)\"\d+\":){
SEDCMD-trim = s/}}/}/g
TRUNCATE=0
DATETIME_CONFIG=CURRENT

What do you use this data for? Please tell me.

creation date is better for _time ,I think.
but you should modify indexes.conf

I don't know much about it, so I decided to stay in the present for now

https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-...

Parse JSON file from Emerging Threats rules.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms