Hello,
Working with data parsers. I am hoping to understand which UDM fields are required to be mapped so that GCTI / Fusion / Applied Threat Intel can properly enrich our data.
Here is an example log. We have created GROK expressions to extract the relevant fields (e.g. source IP, destination IP, port, etc.), but we are unsure how to map these to the correct UDM fields to ensure enrichment by Applied Threat Intel.
Thanks as always!
{
"insertId": "id",
"jsonPayload": {
"facility": "local7",
"message": "syslog[syslogid]: UI_LOGIN_EVENT: User 'user_name' login, class 'group_type' [00000], ssh-connection 'src_ip1.1.1.1 src_port11111 dst_ip1.1.1.1 dst_port22', client-mode 'mode_type'",
"source_timestamp": "1999-01-31T12:59:59+00:00",
"sysloghost": "syslog_host",
"syslogip": "syslog_ip"
},
"labels": {
"cloud.region": "gcp_region",
"first_observed_timestamp": "1999-01-31T12:59:59Z",
"host.name": "source_hostname",
"last_observed_timestamp": "1999-01-31T12:59:59Z",
"log.file.name": "my_log_filename",
"log.file.path": "my_log_path",
"log_count": "1"
},
"logName": "gcp_log_filename_path",
"receiveTimestamp": "1999-01-31T12:59:59",
"resource": {
"labels": {
"location": "gcp_region",
"namespace": "",
"node_id": "host_node_id",
"project_id": "gcp_project"
},
"type": "generic_node"
},
"severity": "INFO",
"timestamp": "1999-01-31T12:59:59"
}