SumoLogic · JV0812 · May 23, 2025 · May 16, 2025 · May 16, 2025 · May 23, 2025
@@ -70,7 +70,7 @@ Create a Field Extraction Rule (FER) for AWS Cost Explorer Logs. Learn how to cr
   ```
 * **Parse Expression:** Enter a parse expression to create an “account” field that maps to the alias you set for each sub account. For example, if you used the “securityprod” alias for an AWS account with ID "123456789" and the “infraprod” alias for an AWS account with ID "987654321", your parse expression would look like:
   ```sql
-  json "LinkedAccount"
+  | json "LinkedAccount"
   | if (LinkedAccount = "123456789",  "securityprod", LinkedAccount ) as LinkedAccount
   | if (LinkedAccount = "987654321",  "infraprod", LinkedAccount ) as LinkedAccount
   ```

@@ -178,7 +178,7 @@ _sourceCategory=*Crowdstrike*  DetectionSummaryEvent
 _sourceCategory=*Crowdstrike*  AuthActivityAuditEvent (userAuthenticate or twoFactorAuthenticate)
 | json "metadata.eventType", "metadata.customerIDString", "metadata.eventCreationTime" as event_type, customer_id, event_time
 | formatDate(fromMillis(event_time), "MM/dd/yyyy HH:mm:ss:SSS") as event_time
-| json "event.UserId", "event.UserIp", "event.OperationName", "event.ServiceName", "event.Success", "event.UTCTimestamp" as src_user, user_ip, operation_name, service_name, success, operation_tim
+| json "event.UserId", "event.UserIp", "event.OperationName", "event.ServiceName", "event.Success", "event.UTCTimestamp" as src_user, user_ip, operation_name, service_name, success, operation_time
 | formatDate(fromMillis(operation_time), "MM/dd/yyyy HH:mm:ss:SSS") as operation_time
 | where success="true"
 | count by operation_time, operation_name, src_user, user_ip

@@ -79,7 +79,7 @@ description: Parse the common fields in your Akamai Cloud Monitor log using the
 **Parsing Rule:**
 
 ```sql
-parse "\"reqMethod\":\"*\"" as method, "\"status\":\"*\"" as status, "\"fwdHost\":\"*\"" as origin
+| parse "\"reqMethod\":\"*\"" as method, "\"status\":\"*\"" as status, "\"fwdHost\":\"*\"" as origin
 | parse "\"bytes\":\"*\"" as bytes, "\"edgeIP\":\"*\"" as edgeip, "\"country\":\"*\"" as country, "\"cookie\":\"*\"" as cookie
 ```
 

@@ -18,7 +18,7 @@ description: Parse the common fields in your Apache Access Logs using the FER te
 **Parsing Rule**:
 
 ```
-parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
+| parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*"
 ```
 

@@ -19,7 +19,9 @@ description: Create a field extraction rule for Apache Tomcat 7 Access Logs.
 **Extraction Rule:**
 
 ```sql
-| parse regex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}? )" | parse regex "\"(?<method>\D{1,7}? )" | parse regex "\"\D{1,7} (?<url>\S{1,2048}? )" | parse regex "\" (?<status>\d{3}? )" | parse regex "\" \d{3} (?<time_taken>\d{1,}? )" | parse regex "\" \d{3} \d{1,} (?<bytes_sent>\d{1,}?)"
+| parse regex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}? )" 
+| parse regex "\"(?<method>\D{1,7}? )" | parse regex "\"\D{1,7} (?<url>\S{1,2048}? )" | parse regex "\" (?<status>\d{3}? )" | parse regex "\" \d{3} (?<time_taken>\d{1,}? )" 
+| parse regex "\" \d{3} \d{1,} (?<bytes_sent>\d{1,}?)"
 ```
 
 **Resulting Fields:**

@@ -17,7 +17,7 @@ description: Parse the common fields in your Apache Tomcat Access Logs using the
 **Parsing Rule**:
 
 ```sql
-parse regex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}? )"
+| parse regex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}? )"
 | parse regex "\"(?<method>\D{1,7}? )"
 | parse regex "\"\D{1,7} (?<url>\S{1,2048}? )"
 | parse regex "\" (?<status>\d{3}? )"

@@ -147,5 +147,12 @@ _sourceCategory=networking/cisco/fwsm src dst ("Deny inbound" OR "Deny protocol"
 **Extraction Rule:**
 
 ```sql
-parse "Deny protocol * " as protocol nodrop | parse ") * " as protocol nodrop | parse regex "%[A-Z]{4}-(?<severity>\d)-(?<msg_code>\d{6}):\s" nodrop | parse regex "src\s(?<src_dom>\S+):(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop | parse regex "/(?<src_port>\d+)\s" nodrop | parse regex "dst\s(?<dest_dom>\S+):(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop | parse regex "/(?<dest_port>\d+)\s" nodrop | "firewall-deny" as eventtype | "cisco-firewall" as event
+| parse "Deny protocol * " as protocol nodrop | parse ") * " as protocol nodrop 
+| parse regex "%[A-Z]{4}-(?<severity>\d)-(?<msg_code>\d{6}):\s" nodrop 
+| parse regex "src\s(?<src_dom>\S+):(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop 
+| parse regex "/(?<src_port>\d+)\s" nodrop 
+| parse regex "dst\s(?<dest_dom>\S+):(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop 
+| parse regex "/(?<dest_port>\d+)\s" nodrop 
+| "firewall-deny" as eventtype 
+| "cisco-firewall" as event
 ```
@@ -19,7 +19,7 @@ description: Parse the common fields in your Nginx Logs using the FER template.
 **Parsing Rule**:
 
 ```sql
-parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
+| parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*"
 ```
 

@@ -18,7 +18,7 @@ description: Parse the common fields in your Varnish Logs using the FER template
 **Parsing Rule:**
 
 ```sql
-parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
+| parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
 | parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*"
 ```
 

@@ -26,7 +26,7 @@ _sourceCategory=safend
 **Extraction Rule:**
 
 ```sql
-parse regex "Action: (?<action>[^,]*)" nodrop
+| parse regex "Action: (?<action>[^,]*)" nodrop
 | parse " * [" as host nodrop | parse "] *:" as alert_type nodrop
 | parse "User: *," as user nodrop
 | parse "Computer: *," as computer nodrop