topic Re: Mapping labels "message" to Incident Context without Regex in Cortex XSOAR Discussions

Mapping labels "message" to Incident Context without Regex

JohnsonJu — Wed, 13 Dec 2023 16:20:21 GMT

Kind of similar to the below link:

LIVEcommunity - Cortex XSOAR Context Issue - LIVEcommunity - 437729 (paloaltonetworks.com)

I've tried mapping content from the Abnormal Security integration and from the Syslog v2 integration. The Abnormal Security integration dumps the raw logs into labels.messages, meanwhile Syslog dumps the whole raw log into details. Is there a way to parse out chunks of data without using regex in every field of the incoming mapper?

Re: Mapping labels "message" to Incident Context without Regex

JohnsonJu — Mon, 18 Dec 2023 18:59:41 GMT

Looks like this is supposed to be auto mapped. Threat logs fetch from the Abnormal Security integration isn't parsing rawJson correctly so it comes in as one message. Campaigns and takeover requests are parsing correctly. Will contact vendor for support.

On a side note, an easier approach than using regex to get the fields from labels.messages is to apply ParseJson transformer and then use Get field transformer to grab the value of the key,value pairs within the json message.