
Exabeam Security Content in the Legacy Structure

Field Modification

In the following example, an existing field (bytes_num) is modified and a new field (bytes) is derived from it, so that existing Advanced Analytics content can use the value for detection.

bytes-domain {
    EventTypes = ['dlp-email-alert-out','dlp-email-alert-out-failed','dlp-alert','usb-insert','usb-write','usb-read','dlp-email-alert-in','share-access','print-activity','file-write','file-delete']
    Condition = "exists(bytes_unit) && !exists(bytes)"
    Map = [
        {
            Field = "bytes_num"
            Value = """replaceAll(bytes_num, ",","")"""
        },
        {
            Field = "bytes"
            Value = """Multiply(bytes_num,ReturnIf(ToLower(bytes_unit)='kb',1024,ReturnIf(ToLower(bytes_unit)='mb',1048576,ReturnIf(ToLower(bytes_unit)='gb',1073741824,0))))"""
        }
    ]
}

Note

Advanced Analytics content related to data transfer sizes operates on bytes (not kilobytes, megabytes, or gigabytes). So when a log reports a size in a unit other than bytes, the parsed value is converted before it is used. The parsed number (bytes_num) is multiplied by 1024 when bytes_unit is kilobytes, by 1024*1024=1048576 when it is megabytes, and so on.
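To make the rule's behaviour concrete, the following Python mirrors the bytes-domain enrichment above: the EventTypes filter, the Condition (only fire when bytes_unit exists and bytes does not), the comma-stripping step on bytes_num, and the nested ReturnIf unit conversion. This is an added example written for this page, not Exabeam code; the function names, the event dictionary layout, the event_type key and the sample events are all assumptions. It also makes one edge case visible that the config leaves implicit: a unit outside kb/mb/gb falls through to the final 0, so the transfer size is silently zeroed.

```python
"""Added example: reproduce the bytes-domain enrichment rule in plain Python.

Hypothetical helper, not part of Exabeam. Event layout (a dict with
event_type, bytes_num, bytes_unit and optionally bytes) is an assumption.
"""

# Unit multipliers exactly as in the nested ReturnIf chain. Any unit not
# listed here maps to the chain's final fallback of 0.
UNIT_FACTORS = {"kb": 1024, "mb": 1048576, "gb": 1073741824}

# EventTypes list copied from the config above.
EVENT_TYPES = {
    "dlp-email-alert-out", "dlp-email-alert-out-failed", "dlp-alert",
    "usb-insert", "usb-write", "usb-read", "dlp-email-alert-in",
    "share-access", "print-activity", "file-write", "file-delete",
}


def applies(event):
    """EventTypes filter plus Condition = "exists(bytes_unit) && !exists(bytes)"."""
    return (
        event.get("event_type") in EVENT_TYPES
        and "bytes_unit" in event
        and "bytes" not in event
    )


def strip_separators(bytes_num):
    """First Map step: replaceAll(bytes_num, ",", "")."""
    return str(bytes_num).replace(",", "")


def to_bytes(bytes_num, bytes_unit):
    """Second Map step: Multiply(bytes_num, <factor for ToLower(bytes_unit)>).

    Returns the size in bytes, or 0 for an unknown unit, matching the
    ReturnIf fallback. Returns None when bytes_num is not numeric (the
    config does not define that case; treating it as 'no value' is an
    assumption made here).
    """
    cleaned = strip_separators(bytes_num)
    try:
        number = float(cleaned)
    except ValueError:
        return None
    factor = UNIT_FACTORS.get(str(bytes_unit).lower(), 0)
    return int(number * factor)


def enrich(event):
    """Return a copy of the event with bytes_num cleaned and bytes added.

    Events that do not satisfy the EventTypes filter or the Condition are
    returned unchanged, as the enrichment engine would leave them.
    """
    out = dict(event)
    if not applies(out):
        return out
    out["bytes_num"] = strip_separators(out["bytes_num"])
    size = to_bytes(out["bytes_num"], out["bytes_unit"])
    if size is not None:
        out["bytes"] = size
    return out


def unknown_unit_events(events):
    """Defender-side check: list events whose unit fell through to 0.

    A zero-byte transfer size hides the real volume from size-based
    detection content, so these are worth surfacing as parser gaps.
    """
    return [
        e for e in events
        if applies(e) and str(e["bytes_unit"]).lower() not in UNIT_FACTORS
    ]


# Constructed sample events (not taken from any real log source).
SAMPLE_EVENTS = [
    {"event_type": "usb-write", "bytes_num": "1,234", "bytes_unit": "KB"},
    {"event_type": "dlp-alert", "bytes_num": "2.5", "bytes_unit": "mb"},
    {"event_type": "file-write", "bytes_num": "1", "bytes_unit": "GB"},
    {"event_type": "share-access", "bytes_num": "7", "bytes_unit": "TB"},
    {"event_type": "usb-read", "bytes_num": "9", "bytes_unit": "kb", "bytes": 9216},
    {"event_type": "logon", "bytes_num": "5", "bytes_unit": "kb"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(enrich(ev))
    print("unit gaps:", unknown_unit_events(SAMPLE_EVENTS))
```

Running the block shows the KB, mb and GB samples converted to 1263616, 2621440 and 1073741824 bytes, the already-populated usb-read event and the out-of-scope logon event left untouched, and the TB event reported as a unit gap because it would otherwise be recorded as 0 bytes. If logs in your environment carry units beyond gb, extend the ReturnIf chain in the config rather than letting sizes collapse to zero.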