Hi,
I have JSON-formatted events where several parts of the event share the same key, like:
events: [
  {
    classifications: [ ... ]
    data: {
      rewrite_sql: select * from users where username='ZAP' UNION ALL select NULL -- ' and password='ZAP';
      rewrite_with_sql: SELECT NULL LIMIT 0;
    }
    stack: [ ]
    type: Rewrite
  }
  {
    classifications: [ ... ]
    data: {
      corpusType: SQL
      infected: select * from users where username='ZAP' UNION ALL select NULL -- ' and password='ZAP';
      injectedPart: ZAP' UNION ALL select NULL --
    }
    stack: [ ]
    type: Injection
  }
]
My search looks like this:
source="rasp logs" | spath | rename events{}.type as "Event_Type", events{}.data.corpusType as "Attack_Type", id as "Event ID" | eval x=mvzip(Event_Type,Attack_Type) | mvexpand x | eval x = split(x,",") | eval RASP_Event_Action=mvindex(x,0) | eval Event_Type=mvindex(x,1) | table "Event ID", "Event_Type", RASP_Event_Action
but my table looks like this:
c58b842a-2b70-4077-a7fa-e2e4bdb04688 SQL Rewrite
c58b842a-2b70-4077-a7fa-e2e4bdb04688
c58b842a-2b70-4077-a7fa-e2e4bdb04688 SQL Injection
c58b842a-2b70-4077-a7fa-e2e4bdb04688
I would like to have my table formatted like this:
c58b842a-2b70-4077-a7fa-e2e4bdb04688 SQL Injection
.............................................SQL Rewrite (dots only to make the display correct)
Happy to get any idea that moves me in the right direction.
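The mvzip approach pairs the i-th value of events{}.type with the i-th value of events{}.data.corpusType, but corpusType exists only in the Injection element of the events array, so the two multivalue fields have different lengths and the pairing shifts. An alternative that avoids the problem is to expand the array one element at a time and extract the keys from each element separately. The search below is an added example written for this post, not the poster's search; it assumes the field names from the post (source="rasp logs", a top-level id, and the events array shown above) and uses "n/a" as a constructed filler for elements that carry no corpusType.

```spl
source="rasp logs"
| spath path=events{} output=event
| mvexpand event
| spath input=event path=type output=Event_Type
| spath input=event path=data.corpusType output=Attack_Type
| fillnull value="n/a" Attack_Type
| rename id as "Event ID"
| table "Event ID", Event_Type, Attack_Type
```

`spath path=events{} output=event` returns each element of the array as one value of a multivalue field holding that element's JSON, `mvexpand event` turns every element into its own row, and the two `spath input=event` calls read type and data.corpusType from that single element only. For the sample event this yields one row with Event_Type Rewrite and Attack_Type n/a and one row with Event_Type Injection and Attack_Type SQL, both carrying the same Event ID; a missing key in one element can no longer shift the values of the others.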