Splunk Enterprise Security

Change field value to ES allowed value based on criteria

shayhibah
Path Finder

Hi,

In my logs I have the field name action.

This field can have several values: allow, detect, block, etc.

Since I would like my data to be presented in Enterprise Security dashboards as expected, I need to map the value to the allowed value based on the specific data model.

For example:


    Field     Email Data Model Allowed Values              Intrusion Detection Data Model Allowed Values
    Action    delivered, blocked, quarantined, deleted     allowed, blocked


meaning that when I extract the data in my app, I need to map my action value (for example: allow) to delivered / allowed based on the relevant data model.

How can I do that using my app configuration files?

0 Karma

alonsocaio
Contributor

Hi,

You could try creating a lookup table file and a lookup definition containing your input (the action field from your logs) and output values (the action values allowed in the data model).

Your lookup file should be similar to:

action,new_action
ACCEPT,allowed
REJECT,blocked

This way you can map the actions from your log source to the data model.

On your sourcetype configuration you should add a config like below:

LOOKUP-my_lookup_action = my_lookup_action action OUTPUT new_action as action

Another alternative you could try is to use an eval-based extraction:

EVAL-action = case(action=="ACCEPT", "allowed", action=="REJECT", "blocked")

0 Karma

shayhibah
Path Finder

Thanks for your response.

Indeed, lookup tables can help me to map between the values, but how can I choose the value based on the specific data model?

The expected values for each data model are different.

0 Karma

alonsocaio
Contributor

Now I understand your question.

Well, I guess I could try to extract two new fields, such as "ids_action" and "email_action", but I think that in this case you would need to change the action field on the data models (the IDS data model should use ids_action as action, and the Email data model should use email_action).

You could use an eval field extraction on the data model to reach this result:

On IDS data model:
case(isnotnull(ids_action), ids_action)

On Email data model:
case(isnotnull(email_action), email_action)

I don't know if this is the best practice for this case, but it is something you can try doing.

0 Karma
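The two answers above combined into one set of app configuration files, as an added example that is not part of either post. The lookup from the first answer is widened to one output column per data model, which is what the second answer's ids_action / email_action fields need. The sourcetype name my:sourcetype, the file name action_map.csv and the raw values in the left-hand column of the CSV are assumptions; the right-hand columns are the allowed values quoted in the question.

```ini
# --- lookups/action_map.csv (constructed sample: raw values on the left are
# --- hypothetical, the other two columns are the data models' allowed values)
action,email_action,ids_action
allow,delivered,allowed
accept,delivered,allowed
detect,delivered,allowed
block,blocked,blocked
reject,blocked,blocked
drop,deleted,blocked
quarantine,quarantined,blocked

# --- transforms.conf: the lookup definition
[action_map]
filename = action_map.csv
# "ALLOW", "Allow" and "allow" all match the same row.
case_sensitive_match = false
# A raw value missing from the table gets a visible placeholder instead of an
# empty field, so gaps in the table show up in the ES dashboards as "unknown".
min_matches = 1
default_match = unknown

# --- props.conf: the sourcetype that carries the raw "action" field
[my:sourcetype]
# Keep the raw value under its own name; the mapped values go into new fields.
EVAL-action_raw = action
# Automatic lookup keyed on the raw value. OUTPUTNEW never overwrites a field
# the event already has. Search-time order runs EVAL- before LOOKUP-, so an
# EVAL- in this stanza cannot read email_action or ids_action; that is why the
# fallback lives in the lookup definition (min_matches / default_match) above.
LOOKUP-action_map = action_map action OUTPUTNEW email_action ids_action

# --- Data model side (second answer): each model's "action" field reads its
# --- own column and falls back to the raw value when the column is absent.
# Email data model, calculated field "action":
#   coalesce(email_action, action)
# Intrusion_Detection data model, calculated field "action":
#   coalesce(ids_action, action)
```

Two points worth checking when adopting this. First, which model an event lands in is decided by its tags (the Email model is constrained on tag=email, the Intrusion Detection model on tag=ids tag=attack), not by the action value, so an event that carries both sets of tags appears in both models, each reading its own column. Second, unlike the case() expression in the first answer, which leaves action empty for any raw value not listed, the default_match setting keeps unmapped values visible; the calculated-field change on the shipped CIM data models is something to re-check after a CIM add-on upgrade.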