Parse Nested Json

Hi,

I would like to ask for your help on how I can parse this nested JSON into UDM.

{
"type": "POTENTIAL_RISKY_ACTIVITY",
"startTime": "2024-04-22T10:47:09.000Z",
"endTime": "2024-04-24T14:59:10.212Z",
"compromisedEntities": [
{
"primaryDisplayName": "Computer",
"type": "ENDPOINT"
},
{
"primaryDisplayName": "User 1",
"type": "USER"
},
{
"primaryDisplayName": "User 2",
"type": "USER"
}
],

"alertEvents": [
{
"alertType": "AnomalousRpcAlert",
"eventLabel": "Anomalous RPC (remote services)",
"entities": [
{
"primaryDisplayName": "User 2"
},
{
"primaryDisplayName": "Computer"
}
]
},

{
"alertType": "PassTheHashAlert",
"eventLabel": "Suspicious protocol implementation (valid accounts)",
"entities": [
{
"primaryDisplayName": "User 1"
},
{
"primaryDisplayName": "Computer"
}
]
}
]
}

I tried reading this
https://www.googlecloudcommunity.com/gc/SIEM-Forum/Chronicle-Parser-JSON/m-p/668704

but I don't have any idea regarding flattening and extracting the logs and using the grok regex.

I have a little understanding of how to parse, and this is all I've got.
This line of parser only extracts one log into the UDM field; what I want to accomplish is to parse all the data under compromisedEntities.primaryDisplayName.

        for index, compromisedEntity in compromisedEntities {
            mutate {
                replace => {
                    "primaryDisplayName_label.key" => "primaryDisplayName"
                    "primaryDisplayName_label.value" => "%{compromisedEntities.primaryDisplayName}"
                }
                merge => {
                    "event.idm.read_only_udm.target.asset.attribute.labels" => "primaryDisplayName_label"
                }
            }
        }

1 REPLY

I suggest the following update:

for index, compromisedEntity in compromisedEntities {
    # Read the fields of the current element via the loop variable.
    mutate {
        replace => {
            "primaryDisplayName_label.key" => "%{compromisedEntity.type}"
            "primaryDisplayName_label.value" => "%{compromisedEntity.primaryDisplayName}"
        }
    }
    mutate {
        merge => {
            "event.idm.read_only_udm.target.asset.attribute.labels" => "primaryDisplayName_label"
        }
    }
    # Clear the temporary label so the next iteration starts from an empty value.
    mutate {
        replace => {
            "primaryDisplayName_label" => ""
        }
    }
}
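To see what the reply's loop should produce once every iteration reads from its own loop variable, here is an added Python model of the flattening; it is not Chronicle parser code and not part of this thread. The UDM field placement (target.asset.attribute.labels, security_result) is an assumption chosen for illustration, and the model also walks the nested alertEvents[].entities arrays, which the question did not cover.

```python
import json

# Constructed sample, a trimmed copy of the event posted in the question above.
SAMPLE_LOG = '''{
  "type": "POTENTIAL_RISKY_ACTIVITY",
  "startTime": "2024-04-22T10:47:09.000Z",
  "compromisedEntities": [
    {"primaryDisplayName": "Computer", "type": "ENDPOINT"},
    {"primaryDisplayName": "User 1", "type": "USER"},
    {"primaryDisplayName": "User 2", "type": "USER"}
  ],
  "alertEvents": [
    {"alertType": "AnomalousRpcAlert",
     "eventLabel": "Anomalous RPC (remote services)",
     "entities": [{"primaryDisplayName": "User 2"}, {"primaryDisplayName": "Computer"}]},
    {"alertType": "PassTheHashAlert",
     "eventLabel": "Suspicious protocol implementation (valid accounts)",
     "entities": [{"primaryDisplayName": "User 1"}, {"primaryDisplayName": "Computer"}]}
  ]
}'''


def flatten_to_udm(raw: str) -> dict:
    """Model of the reply's loop: every compromisedEntity becomes its own label
    (key = entity type, value = display name) and every alertEvent becomes one
    security_result that carries its own nested entities. A fresh label dict is
    built per iteration, which is what the trailing replace => "" in the
    Chronicle DSL is there for. UDM field names here are illustrative."""
    log = json.loads(raw)
    labels = []
    for entity in log.get("compromisedEntities", []):
        # Read from the loop variable, not the parent array (the bug in the question).
        labels.append({"key": entity.get("type", "UNKNOWN"),
                       "value": entity["primaryDisplayName"]})
    results = []
    for alert in log.get("alertEvents", []):
        results.append({
            "rule_name": alert["alertType"],
            "summary": alert["eventLabel"],
            # Nested array inside an array element: iterated the same way.
            "about": [e["primaryDisplayName"] for e in alert.get("entities", [])],
        })
    return {
        "metadata": {"event_type": log["type"], "event_timestamp": log["startTime"]},
        "target": {"asset": {"attribute": {"labels": labels}}},
        "security_result": results,
    }
```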