Does anyone have a parser for ClickUp audit logs in UDM?
BR
Question
Clickup Parser
+8Hopefully someone has a parser to share with you, but if they don’t, here’s a template you can use to get the parser started.
filter {
# Assuming the log is JSON formatted
json {
source => "message"
on_error => "json_failure"
}
# These fields are mandatory and must be set.
mutate {
replace => { "event.idm.read_only_udm.metadata.vendor_name" => "ClickUp" }
replace => { "event.idm.read_only_udm.metadata.product_name" => "Workspace Audit" }
}
# metadata.event_type is a required field. If there's a field in the logs you can key off of, you can use that here. Otherwise you can just use GENERIC_EVENT. This is a enum so can't be a custom string. It must be one of the following listed here: https://docs.cloud.google.com/chronicle/docs/reference/udm-field-list#Metadata.EventType
if [eventType] == "USER_LOGIN" {
mutate {
replace => { "event.idm.read_only_udm.metadata.event_type" => "USER_LOGIN" }
}
} else {
mutate {
replace => { "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT" }
}
}
# you can set principal (source) or destination (target) fields
mutate {
rename => { "user.email" => "event.idm.read_only_udm.principal.user.email_addresses" }
rename => { "user.username" => "event.idm.read_only_udm.principal.user.userid" }
rename => { "ip_address" => "event.idm.read_only_udm.principal.ip" }
}
# If the event has a result status, that can be stored in security_result fields
if [eventStatus] == "success" {
mutate {
replace => { "event.idm.read_only_udm.security_result.status" => "SUCCESS" }
}
} else {
mutate {
replace => { "event.idm.read_only_udm.security_result.status" => "FAILURE" }
}
}
#Output to UDM
mutate {
merge => { "@output" => "event.idm.read_only_udm" }
}
}
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.