Parse and Copy from Description field to Summary
Hello @fcarmario ,
We have a client that receives alerts with the same Summary "Qradar Offense Alert", and they need to parse a line from the Description value in the Description field and make it the Summary.
I achieved it with Leading Delimiter: Description:\s and Trailing Delimiter: \sEvent count.
But the trick is we have 3 types of Description content like you see in the screenshot and they are:
1) Description: Non-Browser Client
2) Description: Exploit Followed by Suspicious Host Activity - Chained containing Success Audit: The domain controller validated the credentials for an account
3) Description: Resolving Error preceded by Built UDP connection
The first one works well with the delimiters I provided above, but for the 2nd and 3rd it parses the full Description, where we only need "Exploit Followed by Suspicious Host Activity - Chained" and "Resolving Error" and nothing after the "containing" and "preceded" keywords.
Please let me know if you are able to understand my requirement.
Nikhil
Comments (8)
reporter This worked well by creating 3 post-functions with trailing delimiters as \sEvent count, \scontaining and \s*preceded, all first occurrences. But there is a trick again where Description: for a few issues is:
Description: IRC Connections preceded by Local IRC Server Detected containing Built TCP connection or Description: IRC Connections containing Local IRC Server Detected preceded by Built TCP connection
So, can we have conditional execution in such cases as it checks for the first occurrence and parsing "IRC Connections preceded by Local IRC Server Detected" or "IRC Connections containing Local IRC Server Detected"?
Attaching my post-functions:
Nikhil
repo owner Hi @nikhil_dsv,
I'm not completely sure I have understood your problem.
I think that you may want to avoid executing the post-function when the "IRC Connections" substring is present in Description. To do it you should use the following boolean expression in the parameter Conditional execution:
%{00001} !~ "IRC Connections"
where %{00001} is the field code for Description.
reporter Nope, that's not the problem. Can we have a quick call to explain?
Nikhil
repo owner Ok, I'm at Skype now.
reporter - attached Text to Parse.txt
Please use this text to test copying only the first line after the "Description: " leading delimiter.
repo owner Hi @nikhil_dsv,
You can use only one "Parse field for extracting data" post-function with the following delimiters and format of the value to be extracted:
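As an added illustration, and not the post-function configuration from this thread or the toolbox's own code, the same delimiter logic in Python so the three Description variants can be checked offline before touching the workflow. The sample offense text, the fallback summary and the 255-character Summary cap are assumptions.

```python
import re
from typing import Optional

# Constructed sample in the shape the thread describes (not the reporter's
# attached Text to Parse.txt): the Jira Description holds the QRadar offense
# text and only the first line after "Description: " should become the Summary.
SAMPLE_DESCRIPTION = (
    "Qradar Offense Alert\n"
    "Description: Exploit Followed by Suspicious Host Activity - Chained "
    "containing Success Audit: The domain controller validated the credentials for an account\n"
    "Event count: 3\n"
    "Source IP: 10.0.0.5\n"
)

# Leading delimiter from the thread ("Description:\s"); the value ends at the
# end of that line, which is what the final request in the thread asks for.
_FIRST_LINE_RE = re.compile(r"Description:\s(?P<value>[^\r\n]+)")

# The trailing delimiters the reporter used, combined as alternatives so the
# value is cut at whichever one occurs first (single "first occurrence" rule).
_TRAILING_RE = re.compile(r"\s(?:Event count|containing|preceded)\b")


def first_description_line(text: str) -> Optional[str]:
    """Text after 'Description: ' up to the end of that line, or None."""
    m = _FIRST_LINE_RE.search(text)
    return m.group("value").strip() if m else None


def rule_name(text: str) -> Optional[str]:
    """First Description line, cut at the first trailing delimiter if present."""
    line = first_description_line(text)
    if line is None:
        return None
    cut = _TRAILING_RE.search(line)
    return line[: cut.start()] if cut else line


def build_summary(text: str, fallback: str = "Qradar Offense Alert",
                  max_len: int = 255) -> str:
    """Summary for the issue; keeps the generic summary when nothing parses.
    The Summary field is single-line and length-limited (255 assumed), so the
    result is truncated rather than letting a long offense text fail the update."""
    name = rule_name(text) or fallback
    return name[:max_len]


if __name__ == "__main__":
    print(build_summary(SAMPLE_DESCRIPTION))
```

For the "IRC Connections preceded by ... containing ..." case this yields "IRC Connections", which is exactly the first-occurrence behaviour the reporter hit; keeping both rule names would need a different trailing delimiter rather than a conditional.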
reporter changed status to resolved
Please let me know if you find any workaround for this requirement.