Question

invalid_argument: unknown or unset entity type for IP_ADDRESS

  • June 18, 2026

Rmoss

Good Day.
I am trying to parse the following threat intel log as an IP_ADDRESS entity and I am getting:
LOG_PARSING_GENERATED_INVALID_EVENT: "generic::invalid_argument: unknown or unset entity type"

If the log is an MD5, SHA1, SHA256 or DOMAIN_NAME event, then the parser works.

The log is as follows:
{
  "id": "2105",
  "event_id": "102",
  "object_id": "343",
  "object_relation": "ip-dst",
  "category": "Network activity",
  "type": "ip-dst",
  "to_ids": true,
  "uuid": "c4e7ea82-b7bc-414b-8d68-7b1d5739182f",
  "timestamp": "1609421134",
  "distribution": "5",
  "sharing_group_id": "0",
  "comment": "",
  "deleted": false,
  "disable_correlation": false,
  "first_seen": null,
  "last_seen": null,
  "value": "1.1.1.1"
}


The parser is as follows:
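# Chronicle/UDM entity parser for MISP-style threat-intel attributes.
# Each message is one JSON attribute; the "type" field selects the UDM
# entity_type and which entity field receives "value".
filter {
  # Initialise every field the rest of the filter references so that a key
  # missing from the JSON cannot leave a %{...} reference unresolved.
  mutate {
    replace => {
      "id"           => ""
      "type"         => ""
      "value"        => ""
      "confidence"   => ""
      "category"     => ""
      "timestamp"    => ""
      "entity_type"  => ""
      "entity_event" => ""
      "uuid"         => ""
    }
  }

  # Parse the raw JSON held in "message" into top-level fields.
  json {
    source         => "message"
    array_function => "split_columns"
  }

  # Vendor/product are constant; description and product_entity_id are taken
  # from the attribute's category and uuid.
  mutate {
    replace => {
      "event.idm.entity.metadata.vendor_name"       => "IOC"
      "event.idm.entity.metadata.product_name"      => "IOC"
      "event.idm.entity.metadata.description"       => "%{category}"
      "event.idm.entity.metadata.product_entity_id" => "%{uuid}"
    }
  }

  # Map the attribute type to a UDM entity. Every branch must set
  # event.idm.entity.metadata.entity_type: a "type" that matches no branch
  # (or an ip-dst attribute with an empty "value") leaves it unset, which is
  # what the "unknown or unset entity type" error reports.
  if [type] == "sha256" {
    mutate {
      replace => {
        "event.idm.entity.metadata.entity_type" => "FILE"
        "event.idm.entity.entity.file.sha256"   => "%{value}"
      }
    }
  }
  else if [type] == "sha1" {
    # Mirrors the md5/sha256 branches: the hash goes into entity.file.sha1.
    # (Previously this branch wrote "%{type}" into
    # entity_event.entity.resource.type and dropped the hash entirely.)
    mutate {
      replace => {
        "event.idm.entity.metadata.entity_type" => "FILE"
        "event.idm.entity.entity.file.sha1"     => "%{value}"
      }
    }
  }
  else if [type] == "domain" {
    mutate {
      replace => {
        "event.idm.entity.metadata.entity_type" => "DOMAIN_NAME"
        "event.idm.entity.entity.hostname"      => "%{value}"
      }
    }
  }
  else if [type] == "md5" {
    mutate {
      replace => {
        "event.idm.entity.metadata.entity_type" => "FILE"
        "event.idm.entity.entity.file.md5"      => "%{value}"
      }
    }
  }
  # else if [type] in ["uri", "url", "link"] {
  #   mutate {
  #     replace => {
  #       "event.idm.entity.metadata.entity_type" => "URL"
  #       "event.idm.entity.entity.url"           => "%{value}"
  #     }
  #   }
  # }
  else if [type] == "ip-dst" and [value] != "" {
    mutate {
      replace => {
        "event.idm.entity.metadata.entity_type" => "IP_ADDRESS"
      }
    }

    # entity.ip is a repeated field, so "value" is merged rather than replaced.
    # NOTE(review): this inner block only runs if the nested reference
    # [event][idm][entity][metadata][entity_type] resolves to the dotted key
    # written just above — confirm with the statedump output below.
    if [event][idm][entity][metadata][entity_type] == "IP_ADDRESS" {
      mutate {
        merge => {
          "event.idm.entity.entity.ip" => "value"
        }
        on_error => "value_empty"
      }

      # NOTE(review): "value" has already been copied into entity.ip above, so
      # the convert + rename into event.ioc.ip_and_ports.ip_address may be
      # redundant. None of the on_error flags set in this block (value_empty,
      # failed_to_convert_value, value_not_found) is checked afterwards, so a
      # failure in any of these steps is silent.
      mutate {
        convert => {
          "value" => "bytes"
        }
        on_error => "failed_to_convert_value"
      }

      mutate {
        rename => {
          "value" => "event.ioc.ip_and_ports.ip_address"
        }
        on_error => "value_not_found"
      }
    }
  }

  # Debug aid: dumps the current parser state into the test output.
  # Usually removed once the parser is working.
  statedump {}

  # Emit the assembled entity.
  mutate {
    merge => { "@output" => "event" }
  }
}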