
We have built a custom parser and mapped some of our fields to additional fields. The parser is active in SecOps. Below is the additional fields mapping. Our requirement is to create a tile in SIEM with the fields dns_host_addr, dns_name, dns_response_time. All these fields have to be included in the table view. Please let us know the steps to create a tabular view with all of these fields.

# Copy the raw DNS host address out of the parsed message. If the source
# field is absent, on_error sets the named flag instead of aborting the parser.
mutate {
  replace => {
    "dns_host_addr" => "%{msg.dns_host_addr}"
  }
  on_error => "DNS_Host_address_replace_error"
}

# Only build the additional field when the copy above succeeded.
if ![DNS_Host_address_replace_error] {
  # Initialise an empty holder, then fill in the key/value pair.
  mutate {
    replace => {
      "additional_dnshostaddr" => ""
    }
  }
  mutate {
    replace => {
      "additional_dnshostaddr.key" => "dns_host_addr"
      "additional_dnshostaddr.value.string_value" => "%{dns_host_addr}"
    }
    on_error => "dns_host_addr_key_value_failed"
  }
  # Append the pair to the repeated additional.fields list in UDM.
  mutate {
    merge => {
      "event.idm.read_only_udm.additional.fields" => "additional_dnshostaddr"
    }
    on_error => "DNS_Host_address_merge_error"
  }
}

# Same pattern for the DNS response time (key: dns_response_time).
mutate {
  replace => {
    "dns_resp_time" => "%{msg.dns_response_time}"
  }
  on_error => "DNS_Response_time_replace_error"
}

if ![DNS_Response_time_replace_error] {
  mutate {
    replace => {
      "additional_dnsresptime" => ""
    }
  }
  mutate {
    replace => {
      "additional_dnsresptime.key" => "dns_response_time"
      "additional_dnsresptime.value.string_value" => "%{dns_resp_time}"
    }
    on_error => "dns_resp_time_key_value_replace_failed"
  }
  mutate {
    merge => {
      "event.idm.read_only_udm.additional.fields" => "additional_dnsresptime"
    }
    on_error => "dns_resp_time_merge_error"
  }
}

# Same pattern for the queried DNS name (key: dns_name).
mutate {
  replace => {
    "dns_name" => "%{msg.dns_name}"
  }
  on_error => "DNS_Name_replace_error"
}

if ![DNS_Name_replace_error] {
  mutate {
    replace => {
      "additional_dnsname" => ""
    }
  }
  mutate {
    replace => {
      "additional_dnsname.key" => "dns_name"
      "additional_dnsname.value.string_value" => "%{dns_name}"
    }
    on_error => "dns_name_key_value_replace_failed"
  }
  mutate {
    merge => {
      "event.idm.read_only_udm.additional.fields" => "additional_dnsname"
    }
    on_error => "dns_name_merge_failed"
  }
}

Are you using the Native Dashboards (new feature that is in Preview)?

If so, in your query you can create a field like this (the lookup uses the key the parser sets, not the parser's temporary variable name):

$dns_name = additional.fields["dns_name"]

We are not using Native Dashboards. To get the native dashboard view, we have created a role in GCP with the below permissions and attached it to our project.

chronicle.analytics.list
chronicle.nativeDashboards.create
chronicle.nativeDashboards.delete
chronicle.nativeDashboards.duplicate
chronicle.nativeDashboards.get
chronicle.nativeDashboards.list
chronicle.nativeDashboards.update
chronicle.operations.cancel

Even after that we didn't get the native dashboard view. Is the native dashboard the only solution to this issue? Please let us know how to proceed forward to address this issue.


Native Dashboards is in preview. You will see that option in the Dashboards section within the Chronicle UI if it is enabled for your tenant. If not, please request your account team to enable it for you. I am not sure how I can display the additional field.key as a column header in the Looker dashboard. I will take a look into this.


Hi @Arthy,

One way to solve this use case is by utilising a table calculation, with the below example formula:

if(${events__additional__fields.key} = "dns_response_time", ${events__additional__fields.value__string_value}, "")

This will output another column with the data in additional.fields.value based on a key being a certain value; otherwise the row will contain "" (null). You would create a separate table calculation for each additional.fields.key and value pair you want to display.

Hope this helps!

Kind Regards,

Ayman


Even though Ayman's solution gives you the results in separate column headers, unfortunately it still gives you 2 different rows, one for each additional field, assuming you are selecting 2 different additional fields. There is no way to see both in the same row. This is not an issue with the Native Dashboards, which are in Public Preview, so we can easily turn this on in your tenant.




I believe it would be possible to use 'Concat' combined with if statements to output these 3 values into one column if required. If the output is showing two rows because the newly created Measure is blank, you can add a filter to filter out events where that custom measure is blank.
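To make the row-splitting behaviour discussed above concrete, here is an added Python example (not code from the thread, Google SecOps or Looker) that works on a constructed UDM-style event shaped like the parser's additional.fields output: it unnests the repeated key/value list the way the events__additional__fields explore does, applies the per-row table calculation, and then pivots the rows back to one row per event with one column per key.

```python
# Added example: UDM additional.fields is a repeated key/value list; an
# unnested explore yields one row per entry, which is why the table
# calculation alone cannot put all three DNS fields on the same row.
# The events below are constructed for illustration only.
WANTED_KEYS = ("dns_host_addr", "dns_name", "dns_response_time")

SAMPLE_EVENTS = [
    {"metadata": {"id": "evt-1"},
     "additional": {"fields": [
         {"key": "dns_host_addr", "value": {"string_value": "10.0.0.53"}},
         {"key": "dns_name", "value": {"string_value": "example.com"}},
         {"key": "dns_response_time", "value": {"string_value": "12"}},
     ]}},
    {"metadata": {"id": "evt-2"},  # only one of the three keys present
     "additional": {"fields": [
         {"key": "dns_name", "value": {"string_value": "internal.test"}},
     ]}},
]


def unnest(events):
    """One row per (event, additional field), as the Looker explore exposes it."""
    rows = []
    for ev in events:
        for f in ev.get("additional", {}).get("fields", []):
            rows.append({"id": ev["metadata"]["id"],
                         "key": f["key"],
                         "value": f.get("value", {}).get("string_value", "")})
    return rows


def table_calc(rows, key):
    """Mirror of the thread's if(key = X, value, "") calculation, per unnested row."""
    return [r["value"] if r["key"] == key else "" for r in rows]


def pivot(events, keys=WANTED_KEYS):
    """Collapse unnested rows to one row per event, one column per wanted key.
    Keys missing from an event stay "" so the event is not dropped."""
    out = {}
    for r in unnest(events):
        row = out.setdefault(r["id"], {"id": r["id"], **{k: "" for k in keys}})
        if r["key"] in keys:
            row[r["key"]] = r["value"]
    return list(out.values())


if __name__ == "__main__":
    for r in unnest(SAMPLE_EVENTS):   # 4 rows: the "two rows per event" effect
        print(r)
    for r in pivot(SAMPLE_EVENTS):    # 2 rows: one per event, all columns
        print(r)
```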

