Question

Converting Decimal IP Address to Standard Format in Google SecOps Parser

  • March 17, 2026
  • 2 replies
  • 49 views

manoj610

Hello Team,

I am working with logs in Google SecOps where the IP address fields (such as SourceIPV4, TargetIPV4, and AnalyzerIPV4) are received in decimal (integer) format instead of the standard dotted IPv4 format.

For example:
750176699 → expected to be converted to a standard IPv4 format (e.g., x.x.x.x)

Could anyone please advise on how to convert these decimal IP values into normal dotted IPv4 format within the Google SecOps parser (UDM mapping)?

Sample log:

EPO_Events.EPOEvents 20XX-03-XXT05:XX:33 HOST123 EPOEvents
{
"AgentGUID": "XXXX12345678",
"Analyzer": "_1000",
"AnalyzerHostName": "HOST001",
"AnalyzerIPV4": "3232235777",
"AnalyzerIPV6": "AAAAAAAAAAAAAP//wKgBAQ==",
"AnalyzerMAC": "001122AABBCC",
"AnalyzerName": "Drive Encryption",
"AnalyzerVersion": "7.4.0.11",
"AutoGUID": "ABCDEF12-34567890AB",
"AutoID": "123456789",
"DetectedUTC": "2026-03-17T05:48:33",
"ReceivedUTC": "2026-03-17T07:59:05.920",
"ServerID": "SRV01",
"SourceIPV4": "3232235778",
"SourceIPV6": "AAAAAAAAAAAAAP//wKgBAg==",
"TargetIPV4": "3232235779",
"TargetIPV6": "AAAAAAAAAAAAAP//wKgBAw==",
"TenantID": "1",
"TheTimestamp": "AAAAAGKI8Tk=",
"ThreatActionTaken": "None",
"ThreatCategory": "None",
"ThreatEventID": "30017",
"ThreatName": "MDE",
"ThreatSeverity": "1",
"ThreatType": "None"
}

Any guidance, sample parser logic, or transformation approach would be greatly appreciated.

Thanks in advance for your help.

2 replies

TomAtGoogle
Staff
  • April 1, 2026

Hi manoj610,

Long story short, it can’t be done in the parser. The simple solution would be to reach back to the EPO team and ask them to add a field with the dot notation. Most McAfee ePO logs provide the IP in multiple formats.

If that is not an option, using Cribl or Bindplane would be the best bet.

Good luck.


Andres
  • Bronze 1
  • April 23, 2026

AI said, it is a Logstash limitation.

Logstash filters do not provide arithmetic operators:

  • mutate, grok, dissect, translate, cidr, etc.
  • No division, modulo, bitwise ops
  • No expression language

So without Ruby (or an external processor), this transformation is not possible.

This is a known and hard limitation, not a missing trick.

@TomAtGoogle do you know if there are any plans to get Ruby support into Logstash?
Please bear with me if the Ruby question was asked elsewhere already.

KR
A.

This would be part of the solution… (as per AI)

filter {
  ruby {
    code => '
      # Read the decimal string from the event and convert it to an Integer.
      n = event.get("dec_ip").to_i
      # Split the 32-bit value into four octets, highest byte first,
      # and join them with dots.
      ip = [
        (n >> 24) & 255,
        (n >> 16) & 255,
        (n >> 8) & 255,
        n & 255
      ].join(".")
      event.set("ipv4", ip)
    '
  }
}
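As an added example (not code from this thread, from McAfee ePO or from Google SecOps), the same conversion as a stand-alone Ruby script that you can run against the IP fields from the sample log above: it normalizes a signed 32-bit value, rejects out-of-range or non-numeric input instead of emitting a bogus address, and cross-checks each decimal IPv4 field against the matching IPV6 field. It assumes the IPV6 fields are base64 of a raw 16-byte address (the sample values decode to IPv4-mapped addresses, which agree with the decimal fields); the field names `AnalyzerIP`, `SourceIP`, `TargetIP` and `*IPMismatch` are my own choice.

```ruby
require "ipaddr"

# Constructed sample: the IP fields taken from the ePO event in the question.
SAMPLE_EVENT = {
  "AnalyzerIPV4" => "3232235777", "AnalyzerIPV6" => "AAAAAAAAAAAAAP//wKgBAQ==",
  "SourceIPV4"   => "3232235778", "SourceIPV6"   => "AAAAAAAAAAAAAP//wKgBAg==",
  "TargetIPV4"   => "3232235779", "TargetIPV6"   => "AAAAAAAAAAAAAP//wKgBAw==",
}.freeze

# Decimal (integer) IPv4 -> dotted quad. Accepts an Integer or a numeric String.
# A negative value is treated as a signed 32-bit int and normalized; a value
# wider than 32 bits is rejected instead of being silently truncated.
def decimal_to_ipv4(value)
  n = Integer(value.to_s, 10)                  # ArgumentError on non-numeric input
  n &= 0xFFFFFFFF if n.negative?
  raise ArgumentError, "out of IPv4 range: #{value}" if n > 0xFFFFFFFF
  [24, 16, 8, 0].map { |shift| (n >> shift) & 0xFF }.join(".")
end

# Assumption: the *IPV6 fields are base64 of a raw 16-byte address.
# Decode it; an IPv4-mapped address (::ffff:a.b.c.d) is collapsed to its
# IPv4 part so it can be compared with the decimal field.
def base64_to_ip(b64)
  raw = b64.unpack1("m0")                      # strict base64 decode
  raise ArgumentError, "expected 16 bytes, got #{raw.bytesize}" unless raw.bytesize == 16
  addr = IPAddr.new_ntoh(raw)
  addr.ipv4_mapped? ? addr.native.to_s : addr.to_s
end

# Add "<Role>IP" (dotted form) for each role present and flag the event when
# the decimal IPv4 and the IPv6 field disagree, so bad producer data stays visible.
def enrich_event(event)
  out = event.dup
  %w[Analyzer Source Target].each do |role|
    v4 = event["#{role}IPV4"]
    next if v4.nil?
    out["#{role}IP"] = decimal_to_ipv4(v4)
    v6 = event["#{role}IPV6"]
    out["#{role}IPMismatch"] = true if v6 && base64_to_ip(v6) != out["#{role}IP"]
  end
  out
end

p enrich_event(SAMPLE_EVENT) if __FILE__ == $PROGRAM_NAME
```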