Input format sample
Device,Date,SrcIP,dstIP,Alert,Country SCANNER_1,2012-01-01T13:43:00,10.0.0.1,66.66.66.66,DUMMY_ALERT_TYPE_1,United States SCANNER_2,2012-02-01T14:21:00,10.0.0.2,66.66.66.66,DUMMY_ALERT_TYPE_2,United Kingdom SCANNER_3,2012-03-01T15:17:00,10.0.0.1,99.66.99.66,DUMMY_ALERT_TYPE_3,Netherlands |
Source #1 - fileshare (SMB share; the `domain`, `username` and `password` values under `file` are placeholders to be replaced with the share's credentials)
{ "description": "For cyber demo", "extractType": "Feed", "file": { "XmlRootLevelValues": [], "domain": "DOMAIN", "password": "PASSWORD", "type": "csv", "username": "USER" }, "isPublic": false, "mediaType": "Log", "searchCycle_secs": 3600, "searchIndexFilter": { "metadataFieldList": "" }, "structuredAnalysis": { "associations": [ { "entity1": "$metadata.info.dstIP", "entity2": "$metadata.info.srcIP", "geo_index": "$SCRIPT( return _doc.metadata.info[0].country + '/country'; )", "time_start": "$SCRIPT( return _doc.metadata.info[0].date; )", "verb": "$SCRIPT( return _doc.metadata.info[0].alert; )", "verb_category": "$SCRIPT( return _doc.metadata.info[0].alert; )" } ], "entities": [ { "dimension": "What", "disambiguated_name": "$metadata.info.srcIP", "type": "PrivateIP" }, { "dimension": "What", "disambiguated_name": "$metadata.info.dstIP", "geotag": { "country": "$SCRIPT( return _doc.metadata.info[0].country; )" }, "ontology_type": "country", "type": "PublicIP" }, { "actual_name": "$metadata.info.country", "dimension": "Where", "disambiguated_name": "$SCRIPT( return _doc.metadata.info[0].country; )", "geotag": { "country": "$SCRIPT( return _doc.metadata.info[0].country; )" }, "ontology_type": "country", "type": "Country" }, { "dimension": "What", "disambiguated_name": "$metadata.info.device", "type": "Sensor" }, { "dimension": "What", "disambiguated_name": "$metadata.info.alert", "type": "AlertType" } ], "publishedDate": "$SCRIPT( return _doc.metadata.info[0].date; )", "script": "", "scriptEngine": "javascript", "title": "$metadata.info.alert @ $metadata.info.date [$metadata.info.device]: $metadata.info.dstIP -> $metadata.info.srcIP" }, "tags": [ "cyber", "structured" ], "title": "Cyber Logs Test", "unstructuredAnalysis": { "meta": [ { "context": "First", "fieldName": "info", "script": "var info = decode(text); info;", "scriptlang": "javascript" } ], "script": "function decode(x)\n{\n var info = {}; \n var rec = x.split(','); \n info.device = rec[0];\n info.date = 
rec[1];\n info.srcIP = rec[2];\n info.dstIP = rec[3];\n info.alert = rec[4];\n info.country = rec[5];\n return info;\n}", "simpleTextCleanser": [ { "field": "fullText", "flags": "md", "replacement": " , ", "script": ",", "scriptlang": "regex" }, { "field": "description", "flags": "md", "replacement": " , ", "script": ",", "scriptlang": "regex" } ] }, "useExtractor":"none", "useTextExtractor":"none", "url": "smb://FILESHARE:139/cyber_logs/" } |
...
{ "associations": [{ "assoc_type": "Event", "entity1": "66.66.66.66", "entity1_index": "66.66.66.66/publicip", "entity2": "10.0.0.1", "entity2_index": "10.0.0.1/privateip", "geo_index": "united states/country", "time_start": "2012-01-01T13:43:00", "verb": "DUMMY_ALERT_TYPE_1", "verb_category": "DUMMY_ALERT_TYPE_1" }], "communityId": ["506dc16dfbf042893dd6b8f2"], "created": "Jun 4, 2013 12:54:34 AM UTC", "entities": [ { "actual_name": "10.0.0.1", "dimension": "What", "disambiguated_name": "10.0.0.1", "doccount": 0, "frequency": 1, "index": "10.0.0.1/privateip", "relevance": 0, "totalfrequency": -1, "type": "PrivateIP" }, { "actual_name": "66.66.66.66", "dimension": "What", "disambiguated_name": "66.66.66.66", "doccount": 0, "frequency": 1, "index": "66.66.66.66/publicip", "relevance": 0, "totalfrequency": -1, "type": "PublicIP" }, { "actual_name": "United States", "dimension": "Where", "disambiguated_name": "United States", "doccount": 0, "frequency": 1, "index": "united states/country", "ontology_type": "country", "relevance": 0, "totalfrequency": -1, "type": "Country" }, { "actual_name": "SCANNER_1", "dimension": "What", "disambiguated_name": "SCANNER_1", "doccount": 0, "frequency": 1, "index": "scanner_1/sensor", "relevance": 0, "totalfrequency": -1, "type": "Sensor" }, { "actual_name": "DUMMY_ALERT_TYPE_1", "dimension": "What", "disambiguated_name": "DUMMY_ALERT_TYPE_1", "doccount": 0, "frequency": 1, "index": "dummy_alert_type_1/alerttype", "relevance": 0, "totalfrequency": -1, "type": "AlertType" } ], "fullText": "SCANNER_1 , 2012-01-01T13:43:00 , 10.0.0.1 , 66.66.66.66 , DUMMY_ALERT_TYPE_1 , United States", "mediaType": ["Log"], "metadata": {"info": [{ "alert": "DUMMY_ALERT_TYPE_1 ", "country": "United States", "date": "2012-01-01T13:43:00", "device": "SCANNER_1 ", "dstIP": "66.66.66.66", "srcIP": " 10.0.0.1" }]}, "modified": "Jun 4, 2013 12:54:34 AM UTC", "publishedDate": "January 1, 2012 13:43:00 PM UTC", "source": ["Cyber Logs Test"], "sourceKey": 
["INFINITE_ENDPOINT.api.share.get.51ad28a440b4a4f0f757824c.25.26"], "tags": [ "cyber", "structured" ], "title": "DUMMY_ALERT_TYPE_1 @ 2012-01-01T13:43:00 [SCANNER_1 ]: 66.66.66.66 -> 10.0.0.1", "url": "http://INFINITE_ENDPOINT/api/share/get/51ad28a440b4a4f0f757824c#1" } |