Splunk Enterprise Security

Change field value to ES allowed value based on criteria

shayhibah
Path Finder

Hi,

In my logs I have the field name action.

This field can have several values: allow, detect, block, etc.

Since I would like my data to be presented in Enterprise Security dashboards as expected, I need to map the value to the allowed value based on the specific data model.

For example:

Field     Email Data Model Allowed Values             Intrusion Detection Data Model Allowed Values
Action    delivered, blocked, quarantined, deleted    allowed, blocked

 

Meaning that when I extract the data in my app, I need to map my action value (for example: allow) to delivered / allowed, based on the relevant data model.

How can I do that using my app configuration files?

0 Karma

alonsocaio
Contributor

Hi,

You could try creating a lookup table file and a lookup definition containing your input (the action field from your logs) and output values (the action values allowed in the data model).

Your lookup file should be similar to:

action,new_action
ACCEPT,allowed
REJECT,blocked

This way you can map the actions from your log source to the data model.

On your sourcetype configuration you should add a config like below:

LOOKUP-my_lookup_action = my_lookup_action action OUTPUT new_action as action

Another alternative you could try is to use an eval-based extraction:

EVAL-action = case(action=="ACCEPT", "allowed", action=="REJECT", "blocked")
0 Karma

shayhibah
Path Finder

Thanks for your response.

Indeed, lookup tables can help me to map between the values, but how can I choose the value based on the specific data model?

The expected values for each data model are different.

0 Karma

alonsocaio
Contributor

Now I understand your question.

Well, I guess I could try to extract two new fields, such as "ids_action" and "email_action", but I think that in this case you would need to change the action field on the data models (the IDS data model should use ids_action as action, and the Email data model should use email_action).

You could use an eval field extraction on the data model to reach this result:

On IDS data model:
case(isnotnull(ids_action), ids_action)

On Email data model:
case(isnotnull(email_action), email_action)

I don't know if this is the best practice for this case, but it is something you can try doing.

0 Karma
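The two answers above (a lookup per target data model, and a model-specific field that the data model's action field then reads) put together as a concrete set of app configuration files. This is an added example, not configuration from alonsocaio's posts or from Splunk. The sourcetype name my_app:events, the lookup and file names, and the value mappings (in particular that a "detect" that was not blocked counts as delivered for the Email model and allowed for the IDS model) are assumptions made for the example:

```ini
# Added example, not from the original thread. Assumed layout of the app:
#   lookups/lookup_action_email.csv
#   lookups/lookup_action_ids.csv
#   default/transforms.conf
#   default/props.conf
# Sourcetype name and all mappings below are assumptions.

# ---- lookups/lookup_action_email.csv (CSV contents, shown as comments) ----
# action,email_action
# allow,delivered        (assumption: an allowed message was delivered)
# detect,delivered       (assumption: detected but not blocked = delivered)
# block,blocked

# ---- lookups/lookup_action_ids.csv ----------------------------------------
# action,ids_action
# allow,allowed
# detect,allowed         (assumption: detected but not blocked = allowed)
# block,blocked

# ---- default/transforms.conf ----------------------------------------------
# One lookup definition per target data model, both keyed on the raw action.
[lookup_action_email]
filename = lookup_action_email.csv
# Match "ALLOW", "Allow" and "allow" alike; lookups are case-sensitive by default.
case_sensitive_match = false

[lookup_action_ids]
filename = lookup_action_ids.csv
case_sensitive_match = false

# ---- default/props.conf ---------------------------------------------------
[my_app:events]
# Keep the raw action field unchanged for the app's own dashboards and add
# one CIM-valued field per data model. Automatic lookups run at search time.
LOOKUP-action_email = lookup_action_email action OUTPUT email_action
LOOKUP-action_ids   = lookup_action_ids action OUTPUT ids_action
```

With this in place, each event carries email_action and ids_action alongside the original action, and the data model side consumes the one it needs, as the answer above describes (for example, the Email dataset's action field becomes an eval such as coalesce(email_action, action), which is equivalent to case(isnotnull(email_action), email_action) plus a fallback). A quick check after deploying is `| tstats` or a plain search on the sourcetype with `| stats count by action, email_action, ids_action`: any raw value that appears with empty model-specific fields is one the CSVs do not yet cover.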