feat: Added support for vectra json logs #2694

Open
wants to merge 1 commit into
base: develop
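--- a/docs/sources/vendor/Vectra/cognito_json.md
+++ b/docs/sources/vendor/Vectra/cognito_json.md
@@ -0,0 +1,42 @@
+# Cognito JSON
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Technology Add-On for Vectra Detect (JSON) | <https://splunkbase.splunk.com/app/5271> |
+
+## Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+|vectra:cognito:detect:json||
+|vectra:cognito:hostscoring:json||
+|vectra:cognito:hostdetect:json||
+|vectra:cognito:hostlockdown:json||
+|vectra:cognito:accountscoring:json||
+|vectra:cognito:accountdetect:json||
+|vectra:cognito:accountlockdown:json||
+|vectra:cognito:campaigns:json||
+|vectra:cognito:audit:json||
+|vectra:cognito:health:json||
+
+### Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+|vectra_cognito detect_detect |vectra:cognito:detect:json |main|
+|vectra_cognito detect_hostscoring |vectra:cognito:hostscoring:json |main|
+|vectra_cognito detect_hostdetect |vectra:cognito:hostdetect:json |main|
+|vectra_cognito detect_hostlockdown |vectra:cognito:hostlockdown:json |main|
+|vectra_cognito detect_accountscoring |vectra:cognito:accountscoring:json |main|
+|vectra_cognito detect_accountdetect |vectra:cognito:accountdetect:json |main|
+|vectra_cognito detect_accountlockdown |vectra:cognito:accountlockdown:json |main|
+|vectra_cognito detect_campaigns |vectra:cognito:campaigns:json |main|
+|vectra_cognito detect_audit |vectra:cognito:audit:json |main|
+|vectra_cognito detect_health |vectra:cognito:health:json |main|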
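--- a/package/etc/conf.d/conflib/syslog/app-syslog-vectra_json.conf
+++ b/package/etc/conf.d/conflib/syslog/app-syslog-vectra_json.conf
@@ -0,0 +1,104 @@
+block parser app-syslog-vectra-json() {
+channel {
+parser {
+regexp-parser(
+prefix(".tmp.")
+patterns('\"vectra_timestamp\"\:\s\"(?<timestamp>[^\"]+)\"')
+template("$MESSAGE")
+);
+date-parser-nofilter(
+format('%s')
+template("${.tmp.timestamp}")
+);
+};
+
+rewrite {
+subst('\-\:\s',"",value("MESSAGE"));
+};
+
+rewrite {
+r_set_splunk_dest_default(
+index("main")
+sourcetype('vectra:cognito:detect:json')
+vendor("vectra")
+product("cognito detect")
+class('detect')
+template("t_msg_only")
+);
+};
+
+if (message('\"host_\w+\"\:')) {
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:hostscoring:json')
+class('hostscoring')
+condition(message('\"HOST\sSCORING\"'))
+);
+};
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:hostdetect:json')
+class('hostdetect')
+condition(message('\"detection_id\"\:'))
+);
+};
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:hostlockdown:json')
+class('hostlockdown')
+condition(message('\"success\"\:'))
+);
+};
+} elif (message('\"account_uid\"\:')) {
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:accountscoring:json')
+class('accountscoring')
+condition(message('\"ACCOUNT\sSCORING\"'))
+);
+};
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:accountdetect:json')
+class('accountdetect')
+condition(message('\"detection_id\"\:'))
+);
+};
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:accountlockdown:json')
+class('accountlockdown')
+condition(message('\"success\"\:'))
+);
+};
+} elif (message('\"campaign_id\"\:')) {
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:campaigns:json')
+class('campaigns')
+);
+};
+} elif (message('\"role\"\:')) {
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:audit:json')
+class('audit')
+);
+};
+} elif (message('\"type\"\:')) {
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:health:json')
+class('health')
+);
+};
+} else {};
+};
+};
+
+application app-syslog-vectra-json[sc4s-syslog-pgm] {
+filter {
+program('vectra_json' type(string) flags(prefix));
+};
+parser { app-syslog-vectra-json(); };
+};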
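Review bot: The timestamp regexp on the `patterns(...)` line of the parser block requires exactly one whitespace character between the `"vectra_timestamp":` key and its value, so compact JSON (`"vectra_timestamp":"…"`) would not match and the event would presumably fall back to the header time via date-parser-nofilter; `patterns('\"vectra_timestamp\"\:\s*\"(?<timestamp>[^\"]+)\"')` tolerates both spacings. The `format('%s')` on the following date-parser also assumes the captured value is epoch seconds while the capture accepts any non-quote string, which is worth confirming against a sample event. The trailing `elif (message('\"type\"\:'))` branch for health and the `condition(message('\"success\"\:'))` for the lockdown sourcetypes key off generic JSON field names, so a short comment above the if-chain naming the sample each branch was validated against would help the next maintainer judge the ordering. The docs section describes this as an "MSG Format based filter" while the application actually selects on `program('vectra_json' type(string) flags(prefix))`, which should be reconciled. The identical copy in package/lite/etc/addons/vectra/app-syslog-vectra_json.conf has the same points.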
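--- a/package/lite/etc/addons/vectra/app-syslog-vectra_json.conf
+++ b/package/lite/etc/addons/vectra/app-syslog-vectra_json.conf
@@ -0,0 +1,104 @@
+block parser app-syslog-vectra-json() {
+channel {
+parser {
+regexp-parser(
+prefix(".tmp.")
+patterns('\"vectra_timestamp\"\:\s\"(?<timestamp>[^\"]+)\"')
+template("$MESSAGE")
+);
+date-parser-nofilter(
+format('%s')
+template("${.tmp.timestamp}")
+);
+};
+
+rewrite {
+subst('\-\:\s',"",value("MESSAGE"));
+};
+
+rewrite {
+r_set_splunk_dest_default(
+index("main")
+sourcetype('vectra:cognito:detect:json')
+vendor("vectra")
+product("cognito detect")
+class('detect')
+template("t_msg_only")
+);
+};
+
+if (message('\"host_\w+\"\:')) {
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:hostscoring:json')
+class('hostscoring')
+condition(message('\"HOST\sSCORING\"'))
+);
+};
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:hostdetect:json')
+class('hostdetect')
+condition(message('\"detection_id\"\:'))
+);
+};
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:hostlockdown:json')
+class('hostlockdown')
+condition(message('\"success\"\:'))
+);
+};
+} elif (message('\"account_uid\"\:')) {
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:accountscoring:json')
+class('accountscoring')
+condition(message('\"ACCOUNT\sSCORING\"'))
+);
+};
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:accountdetect:json')
+class('accountdetect')
+condition(message('\"detection_id\"\:'))
+);
+};
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:accountlockdown:json')
+class('accountlockdown')
+condition(message('\"success\"\:'))
+);
+};
+} elif (message('\"campaign_id\"\:')) {
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:campaigns:json')
+class('campaigns')
+);
+};
+} elif (message('\"role\"\:')) {
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:audit:json')
+class('audit')
+);
+};
+} elif (message('\"type\"\:')) {
+rewrite {
+r_set_splunk_dest_update_v2(
+sourcetype('vectra:cognito:health:json')
+class('health')
+);
+};
+} else {};
+};
+};
+
+application app-syslog-vectra-json[sc4s-syslog-pgm] {
+filter {
+program('vectra_json' type(string) flags(prefix));
+};
+parser { app-syslog-vectra-json(); };
+};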