Array Log Sample
The following log sample shows the structure of the JSON log from which the examples of supported array expressions in the section Manually Enter JSON Path Expressions were taken. The arrays those expressions address are rules (an array of objects) and, inside each rule, rule_usecases, tags, and mitre_labels, plus the top-level metadata_tags and entities arrays.
{
  "id": "ac2a0b32-bab7-46f1-9ec2-f0fc4da9f243",
  "approx_log_time": 1662749160000,
  "subscription_code": "4cvpro",
  "rules": [
    {
      "rule_source": "CR",
      "rule_id": "r1",
      "rule": "rule name",
      "rule_reason": "resolved rule reason",
      "rule_severity": "correction prority",
      "type": "Brute Force",
      "rule_usecases": [ "use case1", "use case2" ],
      "tags": [ "t1", "t2" ],
      "mitre_labels": [
        {
          "technique_key": "T1071",
          "technique": "Valid Accounts",
          "tactic": "Privilege Escalation",
          "tactic_key": "TA0001"
        },
        {
          "technique_key": "T1072",
          "technique": "Valid Accounts",
          "tactic": "Initial Access",
          "tactic_key": "TA0002"
        }
      ]
    },
    {
      "rule_source": "BEAM",
      "rule_id": "r2",
      "rule": "rule name",
      "rule_reason": "resolved rule reason",
      "rule_severity": "correction prority",
      "type": "Brute Force",
      "rule_usecases": [ "use case1", "use case2" ],
      "tags": [ "t1", "t2" ],
      "mitre_labels": [
        {
          "technique_key": "T1073",
          "technique": "Valid Accounts",
          "tactic": "Privilege Escalation",
          "tactic_key": "TA0003"
        },
        {
          "technique_key": "T1074",
          "technique": "Valid Accounts",
          "tactic": "Initial Access",
          "tactic_key": "TA0004"
        }
      ]
    }
  ],
  "activity_type": "rule-trigger",
  "vendor": "Exabeam",
  "src_vendor": "crowdstrike",
  "product": "Correlation Rule",
  "src_product": "falcon",
  "metadata_tags": [ "Tag1", "Tag2", "Tag3" ],
  "entities": [
    {
      "entity_type": "User",
      "entity_key": "user_name",
      "event_field": "domain_user_name",
      "field_value": "foo@acme"
    }
  ]
}