12-13-2023 08:20 AM
Kind of similar to the below link:
LIVEcommunity - Cortex XSOAR Context Issue - LIVEcommunity - 437729 (paloaltonetworks.com)
I've tried mapping content from the Abnormal Security integration and from the Syslog v2 integration. The Abnormal Security integration dumps the raw logs into labels.messages, while Syslog dumps the whole raw log into details. Is there a way to parse out chunks of data without using regex in every field of the incoming mapper?
12-18-2023 10:59 AM
Looks like this is supposed to be auto-mapped. The threat log fetch from the Abnormal Security integration isn't parsing rawJson correctly, so it comes in as one message. Campaigns and takeover requests are parsing correctly. Will contact vendor for support.
On a side note, an easier approach than using regex to get the fields from labels.messages is to apply the ParseJson transformer and then use the Get field transformer to grab the value of the key/value pairs within the JSON message.
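The ParseJson-then-Get-field approach from the reply above, written out as a stand-alone Python illustration so it can be run and checked offline. This is an added example, not Cortex XSOAR's own code nor the Abnormal Security integration's schema: the label layout, the event field names (threatId, fromAddress, recipients, attackType) and the incident field names in FIELD_MAP are all constructed for the example, and the functions only emulate what the two built-in transformers do inside an incoming mapper. It also shows the failure mode the reply describes, a raw log arriving as one non-JSON string, and surfaces it instead of mapping empty fields.

```python
"""Emulation of the ParseJson -> Get field mapping approach (added example).

Not XSOAR code: parse_json() and get_field() stand in for the ParseJson and
Get field transformers, and all sample data below is constructed.
"""
import json
from typing import Any, Optional

# Constructed sample of an incident's labels. The "messages" label carries the
# raw JSON event as a single string, as described in the thread. Field names
# are assumed for the example, not taken from the vendor's schema.
SAMPLE_LABELS = [
    {"type": "Instance", "value": "Abnormal_instance_1"},
    {"type": "messages", "value": json.dumps({
        "threatId": "t-0001",
        "fromAddress": "sender@example.test",
        "recipients": [{"address": "user@example.test"}],
        "attackType": "Credential Phishing",
        "remediationStatus": "Remediated",
    })},
]

# Constructed syslog-style label: free text rather than JSON, so ParseJson fails.
SAMPLE_SYSLOG_LABELS = [
    {"type": "messages",
     "value": "<134>Dec 13 08:20:00 host app: login failed for user=bob"},
]


def label_value(labels: list[dict], label_type: str) -> Optional[str]:
    """Return the value of the first label of the given type (labels.messages)."""
    for label in labels:
        if label.get("type") == label_type:
            return label.get("value")
    return None


def parse_json(text: Optional[str]) -> Optional[Any]:
    """Emulate the ParseJson transformer: parsed data, or None if not JSON."""
    if text is None:
        return None
    try:
        return json.loads(text)
    except (TypeError, ValueError):
        return None


def get_field(data: Any, path: str) -> Optional[Any]:
    """Emulate the Get field transformer with a dotted path.

    Each segment is a dict key, or a list index when the current value is a
    list and the segment is numeric (e.g. "recipients.0.address").
    Missing keys yield None instead of raising.
    """
    current = data
    for segment in path.split("."):
        if isinstance(current, dict):
            current = current.get(segment)
        elif isinstance(current, list) and segment.isdigit():
            idx = int(segment)
            current = current[idx] if idx < len(current) else None
        else:
            return None
        if current is None:
            return None
    return current


# Incident field -> path inside the parsed label (constructed for the example).
FIELD_MAP = {
    "threatid": "threatId",
    "emailfrom": "fromAddress",
    "emailto": "recipients.0.address",
    "attacktype": "attackType",
}


def map_incident(labels: list[dict]) -> dict:
    """Build the incident fields the way the mapper would, with no regex."""
    parsed = parse_json(label_value(labels, "messages"))
    if parsed is None:
        # The thread's failure mode: the raw log arrived as one non-JSON
        # string. Leave fields unmapped and flag it so the analyst sees a
        # mapping problem rather than a silently empty incident.
        return {"mappingerror": "labels.messages is not valid JSON"}
    fields = {name: get_field(parsed, path) for name, path in FIELD_MAP.items()}
    return {k: v for k, v in fields.items() if v is not None}


if __name__ == "__main__":
    print(map_incident(SAMPLE_LABELS))
    print(map_incident(SAMPLE_SYSLOG_LABELS))
```

In the mapper itself the same two steps are configured per field (ParseJson on labels.messages, then Get field with the key path), so the only thing to maintain per field is the path, not a regex. Checking for the parse failure up front is what tells you whether the integration is delivering JSON at all, which is the distinction the reply draws between threat logs and campaigns.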