
I made a parser for logs from Bitdefender; on Google SecOps Chronicle there is already a prebuilt parser. Some logs have been successfully parsed to UDM events, but some have errors.

Here are the logs that have errors:


{ "module": "hd", "product_installed": "BEST", "user": { "name": "SYSTEM", "sid": "S-1-5-18" }, "malware_type": "file", "malware_name": "Gen:Illusion.PUP.BruteForce.1.08@DA6FEA89.D.2010100", "hash": "44D5FBC622B56B3DD5D888C64188759D00C72BD52E3FEF729C1787868A1536EB", "final_status": "still present", "file_path": "F:\\\\XXX\\\\XXX\\\\XXX\\\\XXX\\\\XXX\\\\XXX", }


I got this error:

generic::unknown: invalid event 0: LOG_PARSING_GENERATED_INVALID_EVENT: "field type check failed: field backstory.File.sha256 \\"44D5FBC622B56B3DD5D888C64188759D00C72BD52E3FEF729C1787868A1536EB\\" does not match type HASH regexp ^[0-9a-f]+$: invalid argument"

I tried to make a change with a parser extension on the "fileHash" section.

Here is the "fileHash" configuration from the prebuilt parser before my change:


grok {
  match => { "fileHash" => "(?P<_hash>^[0-9a-f]+$)" }
  on_error => "file_is_not_hash"
}
if [file_is_not_hash] and [fileHash] != "" {
  mutate { replace => { "about.file.full_path" => "%{fileHash}" } }
} else if [fileHash] != "" {
  mutate { rename => { "fileHash" => "about.file.sha256" } }
}


And here is the "fileHash" configuration from the prebuilt parser as I edited it in the parser extension:


grok {
  match => { "fileHash" => "(?P<_hash>^[0-9a-fA-F]+$)" }
  on_error => "file_is_not_hash"
}
if [file_is_not_hash] and [fileHash] != "" {
  mutate { replace => { "about.file.full_path" => "%{fileHash}" } }
} else if [fileHash] != "" {
  mutate { rename => { "fileHash" => "about.file.sha256" } }
}


After I changed the grok regex in the configuration, the error is still there.

Can you guys help me, please?

Change the HASH type regex from ^[0-9a-f]+$ to ^[0-9a-fA-F]+$. This will allow both lowercase and uppercase hexadecimal characters, resolving the parsing error.
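The regex quoted in the error message (`^[0-9a-f]+$`) is the UDM field type check on backstory.File.sha256; it is applied to the finished event after the parser has run, separately from the grok pattern inside the parser. The grok only decides whether the value is treated as a hash or as a path, so a value that is recognised as a hash but left in uppercase is still rejected by the type check. The Python below is an added example, not code from the post or from the prebuilt Bitdefender parser: it models the posted "fileHash" branch with both grok patterns, the type check from the error message, and an assumed extra step that lowercases the value before it is renamed to about.file.sha256 (in parser syntax, a `mutate { lowercase => [...] }` placed before the rename). The log line is constructed to match the shape of the one in the post.

```python
"""Added example: model of the "fileHash" branch and of the UDM HASH type check.

Not the prebuilt parser's code; it only reproduces the logic quoted in the post.
"""
import json
import re

# Type check from the error message: backstory.File.sha256 must match this once
# the event is built. It belongs to the UDM schema, not to the parser's grok.
UDM_HASH_RE = re.compile(r"^[0-9a-f]+$")

# The two grok patterns from the post: the prebuilt one and the widened one.
GROK_ORIGINAL = re.compile(r"^[0-9a-f]+$")
GROK_WIDENED = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample in the shape of the posted log (uppercase hash, as posted).
SAMPLE_LOG = json.dumps({
    "module": "hd",
    "product_installed": "BEST",
    "user": {"name": "SYSTEM", "sid": "S-1-5-18"},
    "malware_type": "file",
    "malware_name": "Gen:Illusion.PUP.BruteForce.1.08@DA6FEA89.D.2010100",
    "hash": "44D5FBC622B56B3DD5D888C64188759D00C72BD52E3FEF729C1787868A1536EB",
    "final_status": "still present",
    "file_path": r"F:\XXX\XXX\XXX",
})


def file_hash_branch(file_hash, grok, lowercase_hash=False):
    """Reproduce the grok / if / else-if logic of the "fileHash" section.

    Returns the UDM fields that section would set. lowercase_hash=True models
    an assumed extra step in the else-if branch, equivalent to placing
    mutate { lowercase => ["fileHash"] } before the rename to about.file.sha256.
    """
    if file_hash == "":
        return {}
    if not grok.match(file_hash):
        # grok failed -> on_error sets file_is_not_hash -> value treated as a path
        return {"about.file.full_path": file_hash}
    if lowercase_hash:
        file_hash = file_hash.lower()
    return {"about.file.sha256": file_hash}


def udm_type_check(event):
    """Return the type-check errors the UDM validator would raise for the event."""
    errors = []
    sha = event.get("about.file.sha256")
    if sha is not None and not UDM_HASH_RE.match(sha):
        errors.append(
            f"field about.file.sha256 {sha!r} does not match type HASH regexp ^[0-9a-f]+$"
        )
    return errors


def run(grok, lowercase_hash=False, raw_log=SAMPLE_LOG):
    """Parse the raw log, apply the branch, validate; returns (event, errors)."""
    record = json.loads(raw_log)
    event = file_hash_branch(record["hash"], grok, lowercase_hash)
    return event, udm_type_check(event)


if __name__ == "__main__":
    cases = [
        ("prebuilt grok", GROK_ORIGINAL, False),
        ("widened grok", GROK_WIDENED, False),
        ("widened grok + lowercase before rename", GROK_WIDENED, True),
    ]
    for label, grok, lower in cases:
        event, errors = run(grok, lower)
        print(f"{label}: {event} -> {errors or 'passes type check'}")
```

With the prebuilt pattern the uppercase hash fails the grok and is silently written to about.file.full_path, so the event passes the type check but the hash is filed as a path; with the widened pattern it reaches about.file.sha256 in uppercase and fails the check; only lowercasing before the rename produces a valid event. One caveat that the posted grok also carries: neither pattern checks length, so any all-hex value (an MD5, or a path that happens to be hex) would be renamed into the sha256 field.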