Sentinel KQL query to extract JSON from syslog data (source is CSW / Tetration)

new9mtju posted on 2023-05-30 in Other
Follow (0) | Answers (2) | Views (361)

Here is a sample syslog message coming into Sentinel from Cisco Secure Workload (formerly Tetration):

Alert[11]: [WARNING] {"keyId":"SEN::u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm-upgrade_srv_check_in","eventTime":"1684974923000","alertTime":"1684974949559","alertText":"Agent Inactive: centos7","severity":"MEDIUM","tenantId":"000457","type":"SENSOR","alertDetails":"{\"details\":{\"AgentType\":\"ENFORCER\",\"Bios\":\"57D84D56-0000-0000-7E3C-9DD10F02AFD5\",\"CurrentVersion\":\"3.7.1.40-enforcer\",\"DesiredVersion\":\"\",\"HostName\":\"centos7\",\"IP\":\"1.1.1.1 (Gateway IP)\",\"LastConfigFetchAt\":\"2023-05-03 15:47:53 +0000 UTC\",\"Platform\":\"CentOS-7.9\"},\"agent_uuid\":\"u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm\",\"scope_name\":\"MYLAB\",\"scope_id\":\"f5qeybblv5oktpnte4ccrf5pw\",\"vrf_id\":700457}","rootScopeId":"f5qeybblv5oktpnte4ccrf5pw"}

I need help parsing this, since there is currently no parser for this product. It looks like JSON is involved, but I'm not sure whether I should use extractjson or parse_json.
I have started the query below, but I'm having trouble extracting/filtering the values (probably because this query is missing the JSON parsing):

Syslog
| where ProcessName contains "Tetration"
| extend AlertID = extract(????, 1, SyslogMessage) 
| extend Severity = extract(????,1, SyslogMessage)
| extend TenantID = extract(????, 1, SyslogMessage)
| extend IP = extract(????, 1, SyslogMessage)
| extend ScopeName = extract(????, 1, SyslogMessage)

Any help the community can offer would be greatly appreciated.

nxowjjhe 1#

You can use a combination of indexof(), substring() and parse_json(), for example:

print input = ```Alert[11]: [WARNING] {"keyId":"SEN::u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm-upgrade_srv_check_in","eventTime":"1684974923000","alertTime":"1684974949559","alertText":"Agent Inactive: centos7","severity":"MEDIUM","tenantId":"000457","type":"SENSOR","alertDetails":"{\"details\":{\"AgentType\":\"ENFORCER\",\"Bios\":\"57D84D56-0000-0000-7E3C-9DD10F02AFD5\",\"CurrentVersion\":\"3.7.1.40-enforcer\",\"DesiredVersion\":\"\",\"HostName\":\"centos7\",\"IP\":\"1.1.1.1 (Gateway IP)\",\"LastConfigFetchAt\":\"2023-05-03 15:47:53 +0000 UTC\",\"Platform\":\"CentOS-7.9\"},\"agent_uuid\":\"u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm\",\"scope_name\":\"MYLAB\",\"scope_id\":\"f5qeybblv5oktpnte4ccrf5pw\",\"vrf_id\":700457}","rootScopeId":"f5qeybblv5oktpnte4ccrf5pw"}```
| extend start_position = indexof(input, "{")                 // the first "{" marks where the JSON body begins
| extend input = parse_json(substring(input, start_position)) // drop the "Alert[11]: [WARNING] " prefix and parse the rest
| project
    AlertID = input.keyId,
    Severity = input.severity,
    TenantID = input.tenantId,
    AlertDetails = parse_json(tostring(input.alertDetails))   // alertDetails is a JSON string inside the JSON, so parse it a second time
| extend
    IP = AlertDetails.details.IP,
    ScopeName = AlertDetails.scope_name
| project-away AlertDetails

| AlertID | Severity | TenantID | IP | ScopeName |
| --- | --- | --- | --- | --- |
| SEN::u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm-upgrade_srv_check_in | MEDIUM | 000457 | 1.1.1.1 (Gateway IP) | MYLAB |

Alternatively, you could use the parse operator:

print input = ```Alert[11]: [WARNING] {"keyId":"SEN::u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm-upgrade_srv_check_in","eventTime":"1684974923000","alertTime":"1684974949559","alertText":"Agent Inactive: centos7","severity":"MEDIUM","tenantId":"000457","type":"SENSOR","alertDetails":"{\"details\":{\"AgentType\":\"ENFORCER\",\"Bios\":\"57D84D56-0000-0000-7E3C-9DD10F02AFD5\",\"CurrentVersion\":\"3.7.1.40-enforcer\",\"DesiredVersion\":\"\",\"HostName\":\"centos7\",\"IP\":\"1.1.1.1 (Gateway IP)\",\"LastConfigFetchAt\":\"2023-05-03 15:47:53 +0000 UTC\",\"Platform\":\"CentOS-7.9\"},\"agent_uuid\":\"u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm\",\"scope_name\":\"MYLAB\",\"scope_id\":\"f5qeybblv5oktpnte4ccrf5pw\",\"vrf_id\":700457}","rootScopeId":"f5qeybblv5oktpnte4ccrf5pw"}```
| parse input with "Alert[" AlertId "]: [" Severity "] " input:dynamic // pull the id and level out of the prefix, parse the rest as JSON
| project
    AlertId,
    Severity = input.severity,
    TenantID = input.tenantId,
    AlertDetails = parse_json(tostring(input.alertDetails))   // nested JSON string, parsed a second time
| extend
    IP = AlertDetails.details.IP,
    ScopeName = AlertDetails.scope_name
| project-away AlertDetails

| AlertId | Severity | TenantID | IP | ScopeName |
| --- | --- | --- | --- | --- |
| 11 | MEDIUM | 000457 | 1.1.1.1 (Gateway IP) | MYLAB |
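A reusable version of the same idea, added here as an example and not code from the thread or from Cisco/Microsoft. It wraps the parsing in a KQL tabular function so it can be saved as a Sentinel function and reused with `invoke`, locates the JSON body by its first `{` (so an unexpected prefix does not silently empty every column, as the default `parse` mode would), converts the epoch-millisecond timestamps to datetime, and casts the fields to concrete types. The column names `SyslogMessage` and `ProcessName` follow the Sentinel Syslog table; the function name `ParseTetrationAlert` and the `datatable` rows are constructed for the example (row 1 is the message from the question, row 2 is a made-up second alert with no IP field, row 3 is an unrelated syslog line).

```kql
// Added example: reusable parser for the Cisco Secure Workload / Tetration alert
// format shown in the thread. ParseTetrationAlert and the sample rows are constructed.
let ParseTetrationAlert = (T:(SyslogMessage:string)) {
    T
    // Find the JSON body by its first "{" instead of depending on the exact
    // "Alert[n]: [LEVEL] " prefix; rows with no JSON are dropped rather than
    // turned into rows of empty columns.
    | extend JsonStart = indexof(SyslogMessage, "{")
    | where JsonStart >= 0
    | extend Prefix = substring(SyslogMessage, 0, JsonStart)
    | extend AlertId  = extract(@"Alert\[(\d+)\]", 1, Prefix),
             LogLevel = extract(@"\[([A-Z]+)\]", 1, Prefix)
    | extend Outer = parse_json(substring(SyslogMessage, JsonStart))
    // alertDetails is a JSON document serialised as a string inside the outer
    // object, so it needs tostring() and a second parse_json().
    | extend Details = parse_json(tostring(Outer.alertDetails))
    | project
        AlertId,
        LogLevel,
        KeyId       = tostring(Outer.keyId),
        // eventTime / alertTime are epoch milliseconds stored as strings
        EventTime   = unixtime_milliseconds_todatetime(tolong(Outer.eventTime)),
        AlertTime   = unixtime_milliseconds_todatetime(tolong(Outer.alertTime)),
        AlertText   = tostring(Outer.alertText),
        Severity    = tostring(Outer.severity),
        TenantId    = tostring(Outer.tenantId),
        AlertType   = tostring(Outer.type),
        RootScopeId = tostring(Outer.rootScopeId),
        AgentType   = tostring(Details.details.AgentType),
        HostName    = tostring(Details.details.HostName),
        // tostring() of a missing property yields "", so a row without an IP
        // still comes through with an empty string rather than failing
        IP          = tostring(Details.details.IP),
        AgentVersion = tostring(Details.details.CurrentVersion),
        Platform    = tostring(Details.details.Platform),
        LastConfigFetchAt = tostring(Details.details.LastConfigFetchAt),
        AgentId     = tostring(Details.agent_uuid),
        ScopeName   = tostring(Details.scope_name),
        ScopeId     = tostring(Details.scope_id),
        VrfId       = tolong(Details.vrf_id)
};
// Constructed rows standing in for the Sentinel Syslog table. Verbatim @'...'
// literals keep the backslash escapes of the nested JSON string intact.
let SampleSyslog = datatable(ProcessName:string, SyslogMessage:string) [
    "Tetration", @'Alert[11]: [WARNING] {"keyId":"SEN::u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm-upgrade_srv_check_in","eventTime":"1684974923000","alertTime":"1684974949559","alertText":"Agent Inactive: centos7","severity":"MEDIUM","tenantId":"000457","type":"SENSOR","alertDetails":"{\"details\":{\"AgentType\":\"ENFORCER\",\"Bios\":\"57D84D56-0000-0000-7E3C-9DD10F02AFD5\",\"CurrentVersion\":\"3.7.1.40-enforcer\",\"DesiredVersion\":\"\",\"HostName\":\"centos7\",\"IP\":\"1.1.1.1 (Gateway IP)\",\"LastConfigFetchAt\":\"2023-05-03 15:47:53 +0000 UTC\",\"Platform\":\"CentOS-7.9\"},\"agent_uuid\":\"u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm\",\"scope_name\":\"MYLAB\",\"scope_id\":\"f5qeybblv5oktpnte4ccrf5pw\",\"vrf_id\":700457}","rootScopeId":"f5qeybblv5oktpnte4ccrf5pw"}',
    // constructed second alert: HIGH severity, no IP in details
    "Tetration", @'Alert[12]: [WARNING] {"keyId":"SEN::example-agent-2-upgrade_srv_check_in","eventTime":"1684975000000","alertTime":"1684975020000","alertText":"Agent Inactive: web01","severity":"HIGH","tenantId":"000457","type":"SENSOR","alertDetails":"{\"details\":{\"AgentType\":\"ENFORCER\",\"CurrentVersion\":\"3.7.1.40-enforcer\",\"HostName\":\"web01\",\"Platform\":\"Ubuntu-20.04\"},\"agent_uuid\":\"example-agent-2\",\"scope_name\":\"MYLAB\",\"scope_id\":\"f5qeybblv5oktpnte4ccrf5pw\",\"vrf_id\":700457}","rootScopeId":"f5qeybblv5oktpnte4ccrf5pw"}',
    // constructed unrelated line, filtered out by ProcessName
    "sshd", "Accepted publickey for alice from 10.0.0.5 port 50022 ssh2"
];
SampleSyslog
| where ProcessName has "Tetration"
| invoke ParseTetrationAlert()
| where Severity in ("MEDIUM", "HIGH", "CRITICAL")
| project AlertId, EventTime, Severity, AlertText, HostName, IP, ScopeName, AgentVersion
```

In a real workspace, replace `SampleSyslog` with `Syslog`, save the `let` function from the Logs blade so `Syslog | invoke ParseTetrationAlert()` works from analytics rules, and keep the `tostring()` casts: entity mapping in a Sentinel analytics rule expects string columns, and dynamic columns left over from `parse_json` are awkward to join or summarize on.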

pxy2qtax 2#

Thanks Yoni. Here is the full query I'm using in Sentinel (still testing, but it looks good).

Syslog 
| where ProcessName contains "Tetration"
| take 10
| parse SyslogMessage with "Alert[" AlertId "]: [" Severity "] " input:dynamic // prefix fields, then the JSON body
| project
    AlertId,
    AlertText = input.alertText,
    Severity = input.severity,
    TenantID = input.tenantId,
    Type = input.type,
    AlertDetails = parse_json(tostring(input.alertDetails))   // nested JSON string, parsed a second time
| extend
    Host_Name = AlertDetails.details.HostName,
    IP = AlertDetails.details.IP,
    Scope_Name = AlertDetails.scope_name,
    Version = AlertDetails.details.CurrentVersion,
    OS = AlertDetails.details.Platform,
    Agent_ID = AlertDetails.agent_uuid,
    Scope_ID = AlertDetails.scope_id,
    VRF_ID = AlertDetails.vrf_id
| project-away AlertDetails
