Hi,
You would need to add a parser extension on top of the existing parser: from the parser management select "Add Extension", then you could upload your sample log by clicking on the pencil icon on the left panel and use either one of two options:
a) Using the UI to build some simple parsers (I think up to 10 fields) based on pre-defined conditions (like if Canonical Name != "" then map Canonical Name into the target.hostname UDM field). This is a simple but limited approach; make sure to pick an unused UDM field as a destination, and you could use a repeated field as long as only the last level is repeated.
b) Use the CBN parser code snippet; you could add your own parser code that will be executed with the pre-built parser.
You could always modify the existing parser and use your custom one, but I would not recommend doing so without testing on a dev data source/environment once you are comfortable with the parser syntax.
Thanks for the help AbdElHafez.
I am able to extract the dataset I was looking for and can see it getting parsed using the "Legacy search" option.
Could you also suggest how I could make this info visible as enriched info for an asset during UDM search? It's not visible in the enriched dataset for an asset in UDM search.
Hi @yadavmanjeet65
For the example you listed:
a. You could add the password reset time to the entity.user.last_password_change_time field (needs to be cast by date).
b. But for the canonical name it will require some extra effort: you would need to add a section in the parser to build an asset entity relation and populate one of the repeated or non-filled asset fields, or maybe add it to the asset.labels list.
If your canonical name looks like this, "http://acme.local/Users/John%20Doe", then you could use a suitable user entity field and add it there instead of the asset entity.
For example, since you have AD (or any of the technologies listed in https://cloud.google.com/chronicle/docs/ingestion/ingestion-entities), you need to add your parser extension on top of the Microsoft AD ingestion label parser, then use your own parser extension to populate an available entity field like the ones I suggested earlier. However, the parser extension UI has some limitations, especially when it comes to repeated fields like labels; if you could highlight the mapping you need I may be able to help you further with the parser (Google Logstash) syntax.
The entity data model relationships are defined in a figure within https://cloud.google.com/chronicle/docs/event-processing/udm-overview
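As an added illustration of option (b) and of the two mappings discussed above (this snippet is not from the thread or from Google's own parsers): a CBN parser-extension filter that casts a constructed pwdLastSet value with `date` and pushes a constructed canonicalName into a repeated labels list via `merge`. The input field names, the sample log, and the entity field paths (entity.entity.user.last_password_change_time, entity.entity.user.attribute.labels, the "@output" merge) are assumptions to verify against the UDM field list of your tenant.

```logstash
# Added example, not the thread's or Google's code. Entity field paths and the
# "@output" merge are assumed from the UDM entity schema; verify before use.
filter {
  # Constructed sample raw log for the extension test:
  # {"sAMAccountName":"jdoe","pwdLastSet":"2024-03-01T10:15:00Z",
  #  "canonicalName":"acme.local/Users/John Doe"}
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json"
  }
  if ![not_json] {
    mutate {
      replace => {
        "entity.metadata.entity_type" => "USER"
        "entity.entity.user.userid" => "%{sAMAccountName}"
      }
    }
    # (a) password reset time: parse into a Timestamp instead of copying the
    # string, so the field is stored with the correct type
    if [pwdLastSet] != "" {
      date {
        match => ["pwdLastSet", "yyyy-MM-dd'T'HH:mm:ss'Z'"]
        target => "entity.entity.user.last_password_change_time"
        on_error => "bad_pwd_last_set"
      }
    }
    # (b) canonical name: labels are a repeated field, so build one Label
    # object and merge it into the list; a plain replace would not work here
    if [canonicalName] != "" {
      mutate {
        replace => {
          "cn_label.key" => "canonical_name"
          "cn_label.value" => "%{canonicalName}"
        }
      }
      mutate {
        merge => { "entity.entity.user.attribute.labels" => "cn_label" }
      }
    }
    # emit the entity record built above
    mutate {
      merge => { "@output" => "entity" }
    }
  }
}
```

Run it against the sample log in the extension's test view and confirm that last_password_change_time shows as a timestamp and the label appears in the entity's attribute labels before enabling the extension.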
