FortiSIEM Discussions
arecalde
New Contributor

Need help to remove `["` from attribute from custom parser

Hello,

I think my problem is relatively simple. I have an attribute "behaviorID".
An example of how I would find it in the raw logs:
"behavior_id":["ad23g22d-ge7h-po87-2345-nn367s296186!7504645180225346638"]

The way it's currently being parsed is simple, using collectAndSetAttrByJSON:

<attrKeyMap attr="behaviorID" key="behavior_id"/>

What I need to happen is to remove the [" at the start and "] at the end so that only this remains:

ad23g22d-ge7h-po87-2345-nn367s296186!7504645180225346638


How do I do that?

I can tell you what I have tried, but perhaps I am overthinking.
1. I changed the parsing instruction to use a variable:

<attrKeyMap attr="_bid" key="behavior_id"/>

2. I am using the collectFieldsByRegex function to assign the string leaving the rest out, but it keeps giving me an error.
<patternDefinitions>
<pattern name="patBID"><![CDATA[\w+-\w+-\w+-\w+-\w+!\w+]]></pattern>
</patternDefinitions>

.....
<collectFieldsByRegex src="$_bid">
<regex><![CDATA[["<_bid2:patBID>"]]]</regex>
</collectFieldsByRegex>

I am not great with Regex, but I've created that local pattern to catch everything but the undesired characters. The issue I am having is that when I try to use this, the parser won't validate.

The error reads "Error on line 121 at column 30: Premature end of data in tag regex line 115"
Line 121 is: </parsingInstructions>

Line 115 is: <regex><![CDATA[["<_bid2:patBID>"]]]</regex>

So my guess was that the square brackets needed to be escaped, so I adjusted to:

<collectFieldsByRegex src="$_bid">
<regex><![CDATA[\["<_bid2:patBID>"\]]]</regex>
</collectFieldsByRegex>

But the error remains the same.

Any help either resolving my error, or any other possible ways to remove the square brackets and quotes from the string, will be greatly appreciated.

2 REPLIES
cdurkin_FTNT
Staff

Some things to try ...

Map the first value to a variable ... i.e. _bid ... so the value has the [xxxx]

And then you can try either the "trimAttribute" function or "replaceStringByRegex" ...

<setEventAttribute attr="_bid2">trimAttribute($_bid, "]")</setEventAttribute>

or

<setEventAttribute attr="_bid2">replaceStringByRegex($_bid, "\]", "")</setEventAttribute>

or your original approach ... remove the " values around <_bid2:patBID>

<collectFieldsByRegex src="$_bid">
<!-- the CDATA section must be closed with ]]> before </regex> -->
<regex><![CDATA[\["<_bid2:patBID>"\]]]></regex>
</collectFieldsByRegex>

 

arecalde
New Contributor

Thank you, cdurkin.

For some reason trying the trimAttribute didn't work.
But the replace string did! I totally forgot about this; I have used it before, hehe.

I just had to use 3 lines of it.

<setEventAttribute attr="_bid2">replaceStringByRegex($_bid, "\[", "")</setEventAttribute>

<setEventAttribute attr="_bid3">replaceStringByRegex($_bid2, "\]", "")</setEventAttribute>

<setEventAttribute attr="behaviorID">replaceStringByRegex($_bid3, "\"", "")</setEventAttribute>

Just in case it helps anyone in the future.

Appreciate your help!
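As an added illustration, not code from this thread or from FortiSIEM itself: the Python below reproduces why the posted <regex> element fails XML validation (the CDATA section is never closed) and checks both extraction approaches discussed above, the anchored regex from the accepted answer and the three replaceStringByRegex steps, against a constructed copy of the sample value. It assumes that FortiSIEM's <_bid2:patBID> behaves like a named capture of the patBID pattern.

```python
"""Added example: reproduce the parser's XML error and verify both
ways of stripping the [" ... "] wrapper from the behavior_id value."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: the value exactly as collectAndSetAttrByJSON hands it
# over, i.e. still wrapped in [" and "].
RAW_BID = '["ad23g22d-ge7h-po87-2345-nn367s296186!7504645180225346638"]'
EXPECTED = "ad23g22d-ge7h-po87-2345-nn367s296186!7504645180225346638"

# The <regex> element as posted: ']]]' instead of ']]>' leaves the CDATA
# section open, which is what "Premature end of data in tag regex" means.
BROKEN_XML = '<regex><![CDATA[\\["<_bid2:patBID>"\\]]]</regex>'
# The same element with a proper CDATA terminator.
FIXED_XML = '<regex><![CDATA[\\["<_bid2:patBID>"\\]]]></regex>'

# patBID from the thread; <_bid2:patBID> is modelled as a capture group.
PAT_BID = r"\w+-\w+-\w+-\w+-\w+!\w+"


def xml_is_well_formed(snippet: str) -> bool:
    """True if the snippet parses as XML, False on a parse error."""
    try:
        ET.fromstring(snippet)
        return True
    except ET.ParseError:
        return False


def regex_text(snippet: str) -> str:
    """Return the text inside <regex>...</regex> once the XML parses."""
    return ET.fromstring(snippet).text


def extract_by_regex(value: str) -> Optional[str]:
    """collectFieldsByRegex equivalent: anchor on the literal [" ... "]
    wrapper and capture only the ID; None if the value has another shape."""
    m = re.fullmatch(r'\["(' + PAT_BID + r')"\]', value)
    return m.group(1) if m else None


def extract_by_replace(value: str) -> str:
    """replaceStringByRegex equivalent: strip [ then ] then " in turn."""
    for pattern in (r"\[", r"\]", r'"'):
        value = re.sub(pattern, "", value)
    return value


if __name__ == "__main__":
    print(xml_is_well_formed(BROKEN_XML), xml_is_well_formed(FIXED_XML))
    print(extract_by_regex(RAW_BID), extract_by_replace(RAW_BID))
```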
