Parse inner objects and assign all values to a field

Hi,

Below is my complete JSON event.

{
  "_index": "text_2019.05",
  "_type": "doc",
  "_id": "K7cldmoBJfAjCSoFDrmP",
  "_version": 1,
  "_score": null,
  "_size": 2494,
  "_source": {
    "@timestamp": "2019-05-02T01:25:01.138Z",
    "event_msg": "*** has detected a threat against your company.",
    "event_detailedMsg": "The application DropboxHelperInstaller has escalated privileges.",
    "event_email": "Email: itsupport",
    "event_severity": "Severity: Monitored",
    "event_url": "*****",
    "event_name": "Name: Sugis-MacBook.local",
    "event_threadscore": "Threat score: 4",
    "@version": "1",
    "event_incidentid": "Incident id: FYHGYDSF",
    "event_priority": "Monitored alert priority >=4",
    "event_ostype": "Type and OS: MAC MAC OS X 10.11.6",
    "event_policy": "Group: *****",
    "notification": {
      "threatInfo": {
        "indicators": [
          {
            "indicatorName": "PRIVILEGE_ESCALATE",
            "applicationName": "DropboxHelperInstaller",
            "sha256Hash": "cbc8f2c703e5c0103d9248ce7c8366ee277ef4a0a846b3d7c47e35c804a16b40"
          },
          {
            "indicatorName": "UNKNOWN_APP",
            "applicationName": "DropboxHelperInstaller",
            "sha256Hash": "cbc8f2c703e5c0103d9248ce7c8366ee277ef4a0a846b3d7c47e35c804a16b40"
          }
        ],
        "time": 1556760031555,
        "threatCause": {
          "reputation": "NOT_LISTED",
          "actorProcessPPid": "476-1556759512152-532",
          "originSourceType": "UNKNOWN",
          "causeEventId": "6fbfd9626c7811e9ae06cd4b551c81da",
          "threatCategory": "NEW_MALWARE",
          "reason": "R_ESCALATE",
          "actor": "cbc8f2c703e5c0103d9248ce7c8366ee277ef4a0a846b3d7c47e35c804a16b40",
          "actorName": "",
          "actorType": null
        },
        "score": 4,
        "summary": "The application DropboxHelperInstaller has escalated privileges.",
        "incidentId": "FYHGYDSF"
      },
      "type": "THREAT",
      "url": "****",
      "eventDescription": "[Monitored alert priority >=4] [***** has detected a threat against your company.] [*****] [The application DropboxHelperInstaller has escalated privileges.] [Incident id: FYHGYDSF] [Threat score: 4] [Group:*****] [Email: itsupport] [Name: Sugis-MacBook.local] [Type and OS: MAC MAC OS X 10.11.6] [Severity: Monitored]\n",
      "eventTime": 1556759477805,
      "deviceInfo": {
        "deviceId": 1766584,
        "groupName": "*****",
        "deviceHostName": null,
        "externalIpAddress": "****",
        "deviceName": "******",
        "deviceType": "MAC",
        "internalIpAddress": "****",
        "deviceVersion": "MAC OS X 10.11.6",
        "email": "itsupport",
        "targetPriorityType": "MEDIUM",
        "targetPriorityCode": 0
      },
      "ruleName": "Monitored alert priority >=4"
    }
  },
  "fields": {
    "@timestamp": [
      "2019-05-02T01:25:01.138Z"
    ]
  },
  "sort": [
    1556760301138
  ]
}

I want to read the inner objects under "notification.threatInfo.indicators", take each object's "indicatorName", and store all of those values in a single field. That field's value should look like "newfield: ["value1", "value2", "value3"]".

Can someone let me know how to achieve this? Thank you.

I would do that using a ruby filter:

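    ruby {
        code => '
            # Collect every indicatorName found under
            # [notification][threatInfo][indicators] into the array field newField.
            # The path is read once and type-checked before iterating: calling
            # .each on a nil (event without indicators) or on a non-array value
            # raises inside the filter, and Logstash then tags the event
            # _rubyexception instead of enriching it. Entries that are not hashes
            # or that lack indicatorName are skipped (compact drops the nils) so
            # the resulting array holds only real names.
            indicators = event.get("[notification][threatInfo][indicators]")
            if indicators.is_a?(Array)
                names = indicators.map { |v| v.is_a?(Hash) ? v["indicatorName"] : nil }.compact
                event.set("newField", names)
            end
        '
    }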
