Hi,
In my logs I have the field name action.
This field can have several values: allow, detect, block and etc.
Since I would like my data to be presented in Enterprise Security dashboards as expected, I need to map the value to the allowed value based on the specific data model.
For example:
| | Email Data Model Allowed Values | Intrusion Detection Data Model Allowed Values |
| --- | --- | --- |
| Action | delivered, blocked, quarantined, deleted | allowed, blocked |
Meaning that when I extract the data in my app, I need to map my action value (for example: allow) to delivered / allowed based on the relevant data model.
How can I do that using my app configuration files?
Hi,
You could try creating a lookup table file and a lookup definition containing your input (action field from your logs) and output values (action values allowed in the data model).
Your lookup file should be similar to:
action,new_action
ACCEPT,allowed
REJECT,blocked
This way you can map the actions from your log source to the data model.
On your sourcetype configuration you should add a config like below:
LOOKUP-my_lookup_action = my_lookup_action action OUTPUT new_action as action
Another alternative you could try is to use an eval based extraction:
EVAL-action = case(action=="ACCEPT", "allowed", action=="REJECT", "blocked")
Thanks for your response.
Indeed lookup tables can help me to map between the values but how can I choose the value based on the specific data model?
The expected values for each data model is different.
Now I understand your question.
Well, I guess I could try to extract two new fields, such as "ids_action" and "email_action", but I think that in this case you would need to change the action field on the data models (the IDS data model should use ids_action as action, and the Email data model should use email_action).
You could use an eval field extraction on the data model to reach this result:
On IDS data model:
case(isnotnull(ids_action), ids_action)
On Email data model:
case(isnotnull(email_action), email_action)
I don't know if this is the best practice for this case, but it is something you can try doing.
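Putting the two answers together (the lookup-based mapping from the first answer and the per-data-model fields from the second), the following is an added, complete configuration example for the asker's app; it is not code posted in this thread. It assumes an app directory `my_app`, a lookup file named `action_mapping.csv`, a sourcetype `my:logs`, and the constructed value mapping shown in the CSV (which mappings are "correct" is the asker's decision, e.g. whether `detect` should count as `allowed`).

```ini
# --- my_app/lookups/action_mapping.csv (constructed sample data) ---
# One input column (the raw log value) and one output column per data model,
# each restricted to that data model's allowed values.
action,ids_action,email_action
allow,allowed,delivered
detect,allowed,delivered
block,blocked,blocked
quarantine,blocked,quarantined
delete,blocked,deleted

# --- my_app/default/transforms.conf ---
# Lookup definition pointing at the CSV above. case_sensitive_match=false lets
# "ALLOW" and "allow" both match without duplicating rows.
[action_mapping]
filename = action_mapping.csv
case_sensitive_match = false

# --- my_app/default/props.conf ---
# Automatic lookup on the sourcetype. OUTPUTNEW adds ids_action and email_action
# alongside the raw action field instead of overwriting it, so the original
# value stays visible for troubleshooting and for the verification search below.
[my:logs]
LOOKUP-action_mapping = action_mapping action OUTPUTNEW ids_action email_action

# --- Data model side (done in the data model editor, as the second answer says) ---
# For the Intrusion Detection data model, the "action" field becomes an eval field:
#   case(isnotnull(ids_action), ids_action)
# For the Email data model, the "action" field becomes an eval field:
#   case(isnotnull(email_action), email_action)
# Rows whose raw action is not in the CSV get no ids_action/email_action and so
# fall out of the data model's action field, which makes unmapped values easy to spot.
```

Before touching the data models, confirm the automatic lookup is producing the expected fields with a plain search such as `sourcetype=my:logs | stats count by action ids_action email_action`; any row where `ids_action` or `email_action` is empty is a raw value missing from the CSV.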