Here's an interesting problem that came from a partner of ours this week. How do you map forcepoint_security CEF logs to the matching category name provided as a feed? The further complication was that the event.type metakey contained a numerical reference that might overlap with other device types so it was important to match on both the device.type and the event.type columns before writing meta.
First thought was to use a feed, multi column feeds can be created with multiple callbacks however the UI currently throws an error when attempting to upload the XML which means you need to follow this KB reference and push out the feed manually on each decoder from the CLI (not a scalable solution for the partner).
A request is being opened shortly to address this issue so that in the future hopefully this can be accomplished in the UI for these situations.
Until then ...
This was a CEF message format so there is no specific parser that exists for forcepoint_security events which we could have used to add a VALUEMAP property to to include the string of matches for the category to event.id information. However the CEF-custom.xml parser didn't let us define a new VALUEMAP that would have looked like this:
So that was off the table which left Lua as the option to use multiple callbacks before writing the matched data.
The Lua parser is included in the attachment and has the table of event.type to category matches in a table that is used after matching the device.type and event.type before writing the category out to the metakey called category.
When installed on the log decoder(s) via the parsers tab it will show up in this section of the config window:
and when the parsers reload after uploading you will see these types of events matched for the event.type
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.