From c4251bbcc3c2295263007d72a415b8ee4abd2c96 Mon Sep 17 00:00:00 2001
From: Jagadisha V <129049263+JV0812@users.noreply.github.com>
Date: Fri, 16 May 2025 11:04:35 +0530
Subject: [PATCH 1/2] Query syntax fix

---
 docs/integrations/amazon-aws/cost-explorer.md | 2 +-
 .../crowdstrike-falcon-endpoint-protection.md | 2 +-
 docs/metrics/metrics-operators/filter.md | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/integrations/amazon-aws/cost-explorer.md b/docs/integrations/amazon-aws/cost-explorer.md
index 396ea8d563..9e4c2bd2f5 100644
--- a/docs/integrations/amazon-aws/cost-explorer.md
+++ b/docs/integrations/amazon-aws/cost-explorer.md
@@ -70,7 +70,7 @@ Create a Field Extraction Rule (FER) for AWS Cost Explorer Logs. Learn how to cr
 ```
 * **Parse Expression:** Enter a parse expression to create an “account” field that maps to the alias you set for each sub account. For example, if you used the “securityprod” alias for an AWS account with ID "123456789" and the “infraprod” alias for an AWS account with ID "987654321", your parse expression would look like:
 ```sql
- json "LinkedAccount"
+ | json "LinkedAccount"
 | if (LinkedAccount = "123456789", "securityprod", LinkedAccount ) as LinkedAccount
 | if (LinkedAccount = "987654321", "infraprod", LinkedAccount ) as LinkedAccount
 ```
diff --git a/docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection.md b/docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection.md
index 54f9e9a5f2..feaaab3cf6 100644
--- a/docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection.md
+++ b/docs/integrations/security-threat-detection/crowdstrike-falcon-endpoint-protection.md
@@ -178,7 +178,7 @@ _sourceCategory=*Crowdstrike* DetectionSummaryEvent
 _sourceCategory=*Crowdstrike* AuthActivityAuditEvent (userAuthenticate or twoFactorAuthenticate)
 | json "metadata.eventType", "metadata.customerIDString", "metadata.eventCreationTime" as event_type, customer_id, event_time
 | formatDate(fromMillis(event_time), "MM/dd/yyyy HH:mm:ss:SSS") as event_time
-| json "event.UserId", "event.UserIp", "event.OperationName", "event.ServiceName", "event.Success", "event.UTCTimestamp" as src_user, user_ip, operation_name, service_name, success, operation_tim
+| json "event.UserId", "event.UserIp", "event.OperationName", "event.ServiceName", "event.Success", "event.UTCTimestamp" as src_user, user_ip, operation_name, service_name, success, operation_time
 | formatDate(fromMillis(operation_time), "MM/dd/yyyy HH:mm:ss:SSS") as operation_time
 | where success="true"
 | count by operation_time, operation_name, src_user, user_ip
diff --git a/docs/metrics/metrics-operators/filter.md b/docs/metrics/metrics-operators/filter.md
index ffe638d5dd..ed3c1503d7 100644
--- a/docs/metrics/metrics-operators/filter.md
+++ b/docs/metrics/metrics-operators/filter.md
@@ -53,7 +53,7 @@ The supported functions are:
 Return the time series in which the average value of the CPU_User metric is greater than 95:
 ```sql
-metric=CPU_User | filter avg > 95`
+metric=CPU_User | filter avg > 95
 ```
 **Example 2**
From 0a6908d2882110468e155d8cb9ce621a97f92328 Mon Sep 17 00:00:00 2001
From: Jagadisha V <129049263+JV0812@users.noreply.github.com>
Date: Fri, 16 May 2025 13:24:30 +0530
Subject: [PATCH 2/2] minor fix

---
 .../fer-templates/akamai-cloud-monitor.md | 2 +-
 .../fer-templates/apache-access-logs.md | 2 +-
 .../fer-templates/apache-tomcat-access-log-fer.md | 4 +++-
 .../fer-templates/apache-tomcat-access-logs.md | 2 +-
 .../field-extractions/fer-templates/cisco-fwsm-fer.md | 9 ++++++++-
 .../manage/field-extractions/fer-templates/nginx-logs.md | 2 +-
 .../field-extractions/fer-templates/varnish-logs.md | 2 +-
 docs/manage/field-extractions/safend-field-extraction.md | 2 +-
 8 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/docs/manage/field-extractions/fer-templates/akamai-cloud-monitor.md b/docs/manage/field-extractions/fer-templates/akamai-cloud-monitor.md
index 95736f16f1..b3c75300be 100644
--- a/docs/manage/field-extractions/fer-templates/akamai-cloud-monitor.md
+++ b/docs/manage/field-extractions/fer-templates/akamai-cloud-monitor.md
@@ -79,7 +79,7 @@ description: Parse the common fields in your Akamai Cloud Monitor log using the
 **Parsing Rule:**
 ```sql
-parse "\"reqMethod\":\"*\"" as method, "\"status\":\"*\"" as status, "\"fwdHost\":\"*\"" as origin
+| parse "\"reqMethod\":\"*\"" as method, "\"status\":\"*\"" as status, "\"fwdHost\":\"*\"" as origin
 | parse "\"bytes\":\"*\"" as bytes, "\"edgeIP\":\"*\"" as edgeip, "\"country\":\"*\"" as country, "\"cookie\":\"*\"" as cookie
 ```
diff --git a/docs/manage/field-extractions/fer-templates/apache-access-logs.md b/docs/manage/field-extractions/fer-templates/apache-access-logs.md
index cb72c12b7e..02faf53ee1 100644
--- a/docs/manage/field-extractions/fer-templates/apache-access-logs.md
+++ b/docs/manage/field-extractions/fer-templates/apache-access-logs.md
@@ -18,7 +18,7 @@ description: Parse the common fields in your Apache Access Logs using the FER te
 **Parsing Rule**:
 ```
-parse regex "^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
+| parse regex "^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | parse regex "(?[A-Z]+)\s(?\S+)\sHTTP/[\d\.]+\"\s(?\d+)\s(?[\d-]+)\s\"(?.*?)\"\s\"(?.+?)\".*"
 ```
diff --git a/docs/manage/field-extractions/fer-templates/apache-tomcat-access-log-fer.md b/docs/manage/field-extractions/fer-templates/apache-tomcat-access-log-fer.md
index 1dd3f174ec..f846fd563d 100644
--- a/docs/manage/field-extractions/fer-templates/apache-tomcat-access-log-fer.md
+++ b/docs/manage/field-extractions/fer-templates/apache-tomcat-access-log-fer.md
@@ -19,7 +19,9 @@ description: Create a field extraction rule for Apache Tomcat 7 Access Logs.
 **Extraction Rule:**
 ```sql
-| parse regex "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}? )" | parse regex "\"(?\D{1,7}? )" | parse regex "\"\D{1,7} (?\S{1,2048}? )" | parse regex "\" (?\d{3}? )" | parse regex "\" \d{3} (?\d{1,}? )" | parse regex "\" \d{3} \d{1,} (?\d{1,}?)"
+| parse regex "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}? )"
+| parse regex "\"(?\D{1,7}? )" | parse regex "\"\D{1,7} (?\S{1,2048}? )" | parse regex "\" (?\d{3}? )" | parse regex "\" \d{3} (?\d{1,}? )"
+| parse regex "\" \d{3} \d{1,} (?\d{1,}?)"
 ```
 **Resulting Fields:**
diff --git a/docs/manage/field-extractions/fer-templates/apache-tomcat-access-logs.md b/docs/manage/field-extractions/fer-templates/apache-tomcat-access-logs.md
index 86ba47a25d..048a3c7e22 100644
--- a/docs/manage/field-extractions/fer-templates/apache-tomcat-access-logs.md
+++ b/docs/manage/field-extractions/fer-templates/apache-tomcat-access-logs.md
@@ -17,7 +17,7 @@ description: Parse the common fields in your Apache Tomcat Access Logs using the
 **Parsing Rule**:
 ```sql
-parse regex "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}? )"
+| parse regex "(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}? )"
 | parse regex "\"(?\D{1,7}? )"
 | parse regex "\"\D{1,7} (?\S{1,2048}? )"
 | parse regex "\" (?\d{3}? )"
diff --git a/docs/manage/field-extractions/fer-templates/cisco-fwsm-fer.md b/docs/manage/field-extractions/fer-templates/cisco-fwsm-fer.md
index 710f21b3a0..d4cc790df0 100644
--- a/docs/manage/field-extractions/fer-templates/cisco-fwsm-fer.md
+++ b/docs/manage/field-extractions/fer-templates/cisco-fwsm-fer.md
@@ -147,5 +147,12 @@ _sourceCategory=networking/cisco/fwsm src dst ("Deny inbound" OR "Deny protocol"
 **Extraction Rule:**
 ```sql
-parse "Deny protocol * " as protocol nodrop | parse ") * " as protocol nodrop | parse regex "%[A-Z]{4}-(?\d)-(?\d{6}):\s" nodrop | parse regex "src\s(?\S+):(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop | parse regex "/(?\d+)\s" nodrop | parse regex "dst\s(?\S+):(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop | parse regex "/(?\d+)\s" nodrop | "firewall-deny" as eventtype | "cisco-firewall" as event
+| parse "Deny protocol * " as protocol nodrop | parse ") * " as protocol nodrop
+| parse regex "%[A-Z]{4}-(?\d)-(?\d{6}):\s" nodrop
+| parse regex "src\s(?\S+):(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
+| parse regex "/(?\d+)\s" nodrop
+| parse regex "dst\s(?\S+):(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
+| parse regex "/(?\d+)\s" nodrop
+| "firewall-deny" as eventtype
+| "cisco-firewall" as event
 ```
diff --git a/docs/manage/field-extractions/fer-templates/nginx-logs.md b/docs/manage/field-extractions/fer-templates/nginx-logs.md
index 41112c1f3a..27cfb3ba9a 100644
--- a/docs/manage/field-extractions/fer-templates/nginx-logs.md
+++ b/docs/manage/field-extractions/fer-templates/nginx-logs.md
@@ -19,7 +19,7 @@ description: Parse the common fields in your Nginx Logs using the FER template.
 **Parsing Rule**:
 ```sql
-parse regex "^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
+| parse regex "^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | parse regex "(?[A-Z]+)\s(?\S+)\sHTTP/[\d\.]+\"\s(?\d+)\s(?[\d-]+)\s\"(?.*?)\"\s\"(?.+?)\".*"
 ```
diff --git a/docs/manage/field-extractions/fer-templates/varnish-logs.md b/docs/manage/field-extractions/fer-templates/varnish-logs.md
index 6412080466..361a83aacd 100644
--- a/docs/manage/field-extractions/fer-templates/varnish-logs.md
+++ b/docs/manage/field-extractions/fer-templates/varnish-logs.md
@@ -18,7 +18,7 @@ description: Parse the common fields in your Varnish Logs using the FER template
 **Parsing Rule:**
 ```sql
-parse regex "^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
+| parse regex "^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | parse regex "(?[A-Z]+)\s(?\S+)\sHTTP/[\d\.]+\"\s(?\d+)\s(?[\d-]+)\s\"(?.*?)\"\s\"(?.+?)\".*"
 ```
diff --git a/docs/manage/field-extractions/safend-field-extraction.md b/docs/manage/field-extractions/safend-field-extraction.md
index a070cec55b..3fa221698b 100644
--- a/docs/manage/field-extractions/safend-field-extraction.md
+++ b/docs/manage/field-extractions/safend-field-extraction.md
@@ -26,7 +26,7 @@ _sourceCategory=safend
 **Extraction Rule:**
 ```sql
-parse regex "Action: (?[^,]*)" nodrop
+| parse regex "Action: (?[^,]*)" nodrop
 | parse " * [" as host nodrop | parse "] *:" as alert_type nodrop | parse "User: *," as user nodrop | parse "Computer: *," as computer nodrop