I am currently working with SentinelOne agent logs in my Elasticsearch Stack, and I need to reindex my managed SentinelOne agent index to a new index through a pipeline, where I need to rename some fields from the log and remove other fields. Most of the fields can be renamed and removed. But I have an issue with the "sentinel_one.agent.network_interfaces" section in the entry. I discovered that the network_interfaces field is mapped as an array. Some logs only have one network interface and some logs have multiple interfaces. I need to rename this network_interfaces field such that I take the interface name and the IP address. But as this field is an array, it is not possible to rename the "sentinel_one.agent.network_interfaces.inet" and "sentinel_one.agent.network_interfaces.name" fields. And also, when there are multiple interfaces, I need to separately get the relevant name and the respective inet of each interface. Please suggest a way to resolve this.
The following is part of a sample log, containing only the network_interfaces section, with multiple interfaces:
{
  "network_interfaces": [
    {
      "inet": [
        "172.x.x.x"
      ],
      "name": "vEthernet (Default Switch)",
      "inet6": [
        "fe80::1011:7740:ceee:25b9"
      ],
      "id": "1956333661853176584"
    },
    {
      "inet": [
        "192.168.1.100"
      ],
      "name": "Ethernet 2",
      "inet6": [
        "2407:c00:d003:b77e:6e1d:563a:9a3b:f7f6",
        "2407:c00:d003:b77e:71c8:3174:991d:7f83",
        "fe80::a06:8098:96bb:4da0"
      ],
      "id": "1967209057289748437",
      "gateway": {
        "ip": "192.168.1.1",
        "mac": "00-37-37-37-37-37"
      }
    },
    {
      "inet": [
        "192.168.135.77"
      ],
      "name": "Wi-Fi",
      "inet6": [
        "fe80::a480:a4c4:4715:cae6"
      ],
      "id": "1966816165801690397",
      "gateway": {
        "ip": "192.168.135.254",
        "mac": "74-78-A6-DB-1E-67"
      }
    },
    {
      "inet": [
        "192.168.254.1"
      ],
      "name": "VMware Network Adapter VMnet8",
      "inet6": [
        "fe80::3349:63c5:8b28:1c12"
      ],
      "id": "1966444259045462075"
    },
    {
      "inet": [
        "192.168.56.1"
      ],
      "name": "VirtualBox Host-Only Network",
      "inet6": [
        "fe80::9c29:cfb9:927:2cf8"
      ],
      "id": "1966444259037073465"
    },
    {
      "inet": [
        "192.168.159.1"
      ],
      "name": "VMware Network Adapter VMnet1",
      "inet6": [
        "fe80::69a6:cc30:4997:8e50"
      ],
      "id": "1966444259028684856"
    }
  ]
}
The following is part of a sample log, containing only the network_interfaces section, with a single interface:
{
  "network_interfaces": [
    {
      "inet": [
        "192.168.21.85"
      ],
      "name": "Wi-Fi 2",
      "inet6": [
        "fe80::4fbf:4d3e:26b8:cfb3"
      ],
      "id": "1967215846836153836",
      "gateway": {
        "ip": "192.168.21.254",
        "mac": "00-00-00-00-00-00"
      }
    }
  ]
}
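One way to handle this, added here as an illustration and not part of the original post: the rename processor addresses a single field path, so it cannot pull `name` and `inet` out of each element of an array. A script processor (Painless) can loop over the array and build a new list of `{name, ip}` objects, after which a remove processor drops the original field. The requests below are in Kibana Dev Console syntax (the triple-quoted script is a Dev Console convenience). The pipeline id `sentinelone-agent-reindex`, the destination field `host.network.interfaces`, the source and destination index names, and the `_simulate` document are all assumptions constructed for the example.

```json
PUT _ingest/pipeline/sentinelone-agent-reindex
{
  "description": "Assumed example pipeline: flatten sentinel_one.agent.network_interfaces into name/ip pairs",
  "processors": [
    {
      "script": {
        "lang": "painless",
        "source": """
          // Walk to the array defensively: not every document has the agent block.
          def agent = ctx.sentinel_one != null ? ctx.sentinel_one.agent : null;
          if (agent != null && agent.network_interfaces != null) {
            // Tolerate a single object as well as the usual array.
            def raw = agent.network_interfaces;
            def nics = raw instanceof List ? raw : [raw];
            def interfaces = [];
            for (def nic : nics) {
              if (nic.name == null) {
                continue;            // skip a malformed entry instead of failing the document
              }
              def entry = ['name': nic.name];
              if (nic.inet != null) {
                entry.ip = nic.inet; // inet is itself an array; keep every IPv4 address
              }
              interfaces.add(entry);
            }
            if (ctx.host == null) {
              ctx.host = [:];
            }
            if (ctx.host.network == null) {
              ctx.host.network = [:];
            }
            ctx.host.network.interfaces = interfaces; // assumed destination field
          }
        """
      }
    },
    {
      "remove": {
        "field": "sentinel_one.agent.network_interfaces",
        "ignore_missing": true
      }
    }
  ]
}

POST _ingest/pipeline/sentinelone-agent-reindex/_simulate
{
  "docs": [
    {
      "_source": {
        "sentinel_one": {
          "agent": {
            "network_interfaces": [
              { "name": "Ethernet 2", "inet": ["192.168.1.100"], "id": "1" },
              { "name": "Wi-Fi", "inet": ["192.168.135.77"], "id": "2" }
            ]
          }
        }
      }
    }
  ]
}

POST _reindex
{
  "source": { "index": "logs-sentinel_one.agent-default" },
  "dest":   { "index": "sentinelone-agent-clean", "pipeline": "sentinelone-agent-reindex" }
}
```

Run the `_simulate` request first: it returns the transformed `_source` (here `host.network.interfaces` with two `name`/`ip` objects and no `sentinel_one.agent.network_interfaces`) without writing anything, so the script can be checked against both the single-interface and the multi-interface samples before the reindex. One mapping caveat: Elasticsearch flattens arrays of objects, so a query for `name: "Wi-Fi"` and `ip: "192.168.1.100"` would still match the document above. If you need to query the name and address of the same interface together, map `host.network.interfaces` as `nested` in the destination index before reindexing; if you only need the values for display or enrichment, the default object mapping is enough.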