Hello everyone!
I am creating a custom parser for json logs and I need to convert domains_list into principal.user.attribute.labels udm event.
"activity_metadata": {
"settings_new_value": {
"block_type": "whitelist",
"domains_list": [
"test.com",
"attack.mitre.org"
]
}, I converted block_type already, using the following code
#Get block_type
mutate {
replace => {
"block_type.value" => "%{activity_metadata.settings_new_value.block_type}"
}
on_error => "block_type_not_set"
}
if ![block_type_not_set] {
mutate {
replace => {
"block_type.key" => "block_type"
}
}
mutate {
merge => {
"token_principal.user.attribute.labels" => "block_type"
}
}
}
However, I can't catch [ "test.com", "attack.mitre.org" ] from domains_list , as it the statedump gives an error
"domains_list_not_set": true,and doesn't parse the data
Here is the code I was using:
#Get domains_list
mutate {
replace => {
"domains_list.value" => "%{activity_metadata.settings_new_value.block_type.domains_list}"
}
on_error => "domains_list_not_set"
}
if ![domains_list_not_set] {
mutate {
replace => {
"domains_list.key" => "domains_list"
}
}
mutate {
merge => {
"token_principal.user.attribute.labels" => "domains_list"
}
}
}
Can you please help me to convert this piece of data inside [] into udm?
Do I need to use regex to do that?
Thank you in advance!
