
JSON Policy Syntax

LogRhythm SIEM allows you to normalize log messages sent from JSON log sources, making collection easy and standardizing the formatting so the Mediator can ingest the metadata reliably. The JSON Policy Builder provides an easy-to-use, GUI-based experience for building JSON normalization rules. For customers who wish to create the normalization files on their own or adjust existing files, the formats and standards are provided below.

Sample JSON Normalization Rule

JSON
{
  "name": "normalization rule name",
  "filter": "@.['@metadata'].['beat'] == 'samplebeat'",
  "schemarule": {
    "fanout": {
      "InputField": null
    },
    "ConvertoJson": [
      "$.['message']"
    ]
  },
  "transforms": [
    {
      "inputrule": "$.@metadata.beat",
      "LRSchemaField": "beatname",
      "type": "String",
      "default": null,
      "alternativefields": [],
      "format": null
    },
    {
      "inputrule": "$.['destination'].['port']",
      "LRSchemaField": "dport",
      "type": "String",
      "default": null,
      "alternativefields": [],
      "format": null,
      "path": {
        "name": ".['destination'].['port']",
        "leaf": "port",
        "depth": 2,
        "seenInLogCount": 2,
        "values": [
          {
            "value": 443,
            "type": "number",
            "count": 2
          }
        ],
        "mappedField": "dport"
      }
    }
  ],
  "subtransforms": [],
  "Lookup": {}
}

 

Required Sections

  • Name

    • A common name used to identify which rule is being applied for the normalization.

  • Filter

    • The query that decides whether this policy is applied to a log.

    • Filters start with @, meaning the root of the JSON object.

    • To combine multiple evaluations, filters accept && for and, =~ for contains, and || for or.

    • && is evaluated before ||.

    • To make the filter case insensitive, include (?i).

    • Sample

      • "filter" : "@.@metadata.beat == 'okta'"

  • Transforms

    • This is what converts a field in the JSON message to a LogRhythm schema field.

      • inputrule: which field in the JSON message you want to select. $ represents the root element of the message.

      • LRSchemaField: which LogRhythm schema field the value should be mapped to (see the LRSchemaField Names list below).

      • type: string or datetime.

      • default (optional): the value to use when the selected field is not populated.

      • alternativefields: not described on this page; it appears as an empty array ([]) in the sample above.

      • format: normally used for fields such as dates; this should be a .NET format string.

      • FanoutParentElement: maps the inputrule to the fanout element named in the schemarule section.

Optional Sections

  • Schemarule offers a section to perform advanced operations such as:

    • Fanout, which tells the engine to break out each item in the selected field into a separate log.

      • If you have "fanout" : "$.log.Records[*]", then each Record becomes its own log message.

      • Fanning out 2 fields is supported; the result is the product of the two. If one field has 5 items and the other has 10, you end up with 50 logs.

    • ConvertoJson converts a field into JSON format (for example, a message field that holds a JSON string, as in the sample above) so its contents can be addressed by transforms. While not a miracle worker, it can make fields more JSON friendly.

  • Subtransforms

    • Condition: if that value is true, apply the subtransform.

    • Exitonmatch: after a match, either exit or keep evaluating the other subtransforms.

    • Apply the transformation (same format as Transforms above).

  • Lookup: this section is similar in concept to a two-level tree lookup and is a good use case when you want to populate fields such as tag1 or tag2.

    • inputrule can perform a lookup based on field values. For example:

      • "inputrule" : "Lookup(vendorinfo,$.response.operationName)"

        • The first argument names the schema field whose value selects the top-level key in the Lookup section (in this example, we expect vendorinfo to be "action"). On that match, the value of the second argument ($.response.operationName) selects the entry inside it, and the matched string becomes the field's value.

        • JSON
          "Lookup" : {
            "action" : {
              "create" : "Service Created",
              "update" : "Service Updated",
              "delete" : "Service Deleted"
            }
          }
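To make the mechanics of a policy concrete, here is an added Python example (not LogRhythm's code and not the Mediator's actual engine) that applies a small policy in the format above to a constructed log: it evaluates the filter (including (?i), && and ||), fans out $.log.Records[*], applies transforms with defaults, and resolves a Lookup(...) inputrule. The sample log, the policy, the beatname field, and the rule that a transform carrying FanoutParentElement resolves against the fanned-out record rather than the root are all assumptions made for this example; two-field fanout, subtransforms and ConvertoJson are not implemented.

```python
"""Minimal evaluator for the JSON normalization policy format described above.

Added example, not LogRhythm's engine: it covers only the subset of the syntax
the page documents (== and =~ terms joined by && and ||, the (?i) flag,
$.a.b and $.['a'].['b'] paths, one trailing [*] fanout, defaults,
FanoutParentElement and Lookup(field, path)).
"""
import json
import re

# Constructed input: one JSON log wrapping two audit records (not a real vendor format).
SAMPLE_LOG = json.dumps({
    "@metadata": {"beat": "SampleBeat"},
    "log": {
        "source": "constructed-audit-export",
        "Records": [
            {"response": {"category": "action", "operationName": "create"},
             "destination": {"port": 443}},
            {"response": {"category": "action", "operationName": "delete"},
             "destination": {}},
        ],
    },
})

# Constructed policy in the page's format. Assumption: a transform carrying
# FanoutParentElement resolves its inputrule against the fanned-out record,
# all others against the root of the original log.
POLICY = {
    "name": "sample fanout policy",
    "filter": "(?i)@.@metadata.beat == 'samplebeat' && @.log.source =~ 'audit'",
    "schemarule": {"fanout": "$.log.Records[*]"},
    "transforms": [
        {"inputrule": "$.@metadata.beat", "LRSchemaField": "beatname",
         "type": "String", "default": None},
        {"inputrule": "$.response.category", "LRSchemaField": "vendorinfo",
         "type": "String", "default": None, "FanoutParentElement": "$.log.Records[*]"},
        {"inputrule": "$.['destination'].['port']", "LRSchemaField": "dport",
         "type": "String", "default": "0", "FanoutParentElement": "$.log.Records[*]"},
        {"inputrule": "Lookup(vendorinfo,$.response.operationName)", "LRSchemaField": "action",
         "type": "String", "default": None, "FanoutParentElement": "$.log.Records[*]"},
    ],
    "Lookup": {"action": {"create": "Service Created", "update": "Service Updated",
                          "delete": "Service Deleted"}},
}

_TOKEN = re.compile(r"\['([^']*)'\]|(\[\*\])|([^.\[\]]+)")
_TERM = re.compile(r"^\s*(@[^\s=]+)\s*(==|=~)\s*'([^']*)'\s*$")
_LOOKUP = re.compile(r"^Lookup\((\w+),\s*([^)]+)\)$")


def path_keys(path):
    """'$.a.b', "$.['a'].['b']" and '@.a.b[*]' all become a list of keys ('*' = fanout)."""
    body = path[1:] if path[:1] in "$@" else path
    return ["*" if star else (quoted or bare) for quoted, star, bare in _TOKEN.findall(body)]


def resolve(obj, path):
    """Walk the keys; a trailing [*] returns the list itself. None when anything is missing."""
    for key in path_keys(path):
        if key == "*":
            return obj if isinstance(obj, list) else None
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def filter_matches(log, expr):
    """&& binds tighter than ||, as the page states; (?i) makes every comparison case-insensitive."""
    insensitive = expr.startswith("(?i)")
    if insensitive:
        expr = expr[4:]

    def term(text):
        match = _TERM.match(text)
        if not match:
            raise ValueError(f"unsupported filter term: {text!r}")
        path, op, want = match.groups()
        got = resolve(log, path)
        got = "" if got is None else str(got)
        if insensitive:
            got, want = got.lower(), want.lower()
        return got == want if op == "==" else want in got

    return any(all(term(t) for t in clause.split("&&")) for clause in expr.split("||"))


def apply_transforms(policy, log, record):
    """Map one (possibly fanned-out) record to LRSchemaField values, in transform order."""
    out = {}
    for t in policy["transforms"]:
        base = record if t.get("FanoutParentElement") else log
        lookup = _LOOKUP.match(t["inputrule"])
        if lookup:
            field, path = lookup.groups()
            # First argument: an already-mapped schema field selects the outer key;
            # second argument: the log value selects the inner key.
            table = policy.get("Lookup", {}).get(out.get(field), {})
            value = table.get(str(resolve(base, path)))
        else:
            value = resolve(base, t["inputrule"])
        if value is None:
            value = t.get("default")
        if value is not None:
            out[t["LRSchemaField"]] = str(value) if t.get("type") == "String" else value
    return out


def normalize(policy, raw_log):
    """Filter, fan out, then transform. Returns one dict per emitted log ([] when the filter fails)."""
    log = json.loads(raw_log)
    if not filter_matches(log, policy["filter"]):
        return []
    items = resolve(log, policy["schemarule"].get("fanout") or "")
    records = items if isinstance(items, list) else [log]
    return [apply_transforms(policy, log, r) for r in records]


if __name__ == "__main__":
    print(json.dumps(normalize(POLICY, SAMPLE_LOG), indent=2))
```

Running it emits two normalized logs from the single input: both carry beatname "SampleBeat" and vendorinfo "action"; the first gets dport "443" and action "Service Created", the second falls back to the dport default "0" (its destination object has no port) and gets action "Service Deleted". Changing the beat name to anything other than samplebeat makes the filter fail and nothing is emitted, which is the check to run when a policy silently produces no logs.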

LRSchemaField Names

Each entry below gives the LRSchemaField value to use in a transform, the display name it corresponds to in LogRhythm, and the intended meaning of the field.

Application

  • object (Object): The resource (i.e., file) referenced or impacted by activity reported in the log.

  • objectname (Object Name): The descriptive name of the object. Do not use unless Object is also used.

  • objecttype (Object Type): A category type for the object (e.g., file, image, pdf, etc.).

  • hash (Hash): The hash value reported in the log (MD5, SHA1, or SHA256).

  • policy (Policy): The specific policy referenced (i.e., Firewall, Proxy) in a log message.

  • result (Result): The outcome of a command, operation, or action. For example, the result of a quarantine might be success.

  • url (URL): The URL referenced or impacted by activity reported in the log. You may need to override the default regex for URLs that are not HTTP/HTTPS.

  • useragent (User Agent): The User Agent string from web server logs.

  • responsecode (Response Code): The explicit and well-defined response code for an action or command captured in a log. Response Code differs from Result in that a response code should be well-structured and easily identifiable as a code.

  • subject (Subject): The subject of an email or the general category of the log.

  • version (Version): The software or hardware device version described in either the process or object.

  • command (Command): The specific command executed that has been recorded in the log message.

  • reason (Reason): The justification for an action or result when not an explicit policy.

  • action (Action): Field for "what was done" as described in the log. Action is usually a secondary function of a command or process.

  • status (Status): The vendor's perspective on the state of a system, process, or entity. Status should NOT be used as the result of an action.

  • sessiontype (Session Type): The type of session described in the log (e.g., console, CLI, web). Distinct from IANA Protocol.

  • process (Process Name): System or application process described by the log message.

  • processid (Process ID): Numeric ID value for a process.

  • parentprocessid (Parent Process ID): The parent process ID of a system or application process that is of interest.

  • parentprocessname (Parent Process Name): The parent process name of a system or application process.

  • parentprocesspath (Parent Process Path): The full path of a parent process of a system or application process.

  • quantity (Quantity): A numeric count of something. For example, there are 4 lights (quantity is 4).

  • amount (Amount): The qualitative description of quantity (percentage or relative numbers). For example, half the lights are on (amount is .5 or 50). Amount is also used for currency.

  • size (Size): Numeric description of capacity (e.g., disk size) without a specific unit of measurement. Size is generally used as a limit rather than a current measurement. Use Amount for non-specific measurements.

  • rate (Rate): Defines a number of something per unit of time without a specific unit of measurement. Always expressed as a fraction.

  • session (Session): Unique user or system session identifier.

 

Duration

The elapsed time reported in a log message, derived from multiple fields. Time Start and Time End need custom parsing patterns. If the log has start/end times, use Time Start and Time End. If the log has an elapsed time, use Days, Hours, Minutes, Seconds, Milliseconds, Microseconds, or Nanoseconds.

  • timestart (Time Start): MUST be used with Time End.

  • timeend (Time End): MUST be used with Time Start.

  • days (Days): Elapsed time in days.

  • hours (Hours): Elapsed time in hours.

  • minutes (Minutes): Elapsed time in minutes.

  • seconds (Seconds): Elapsed time in seconds.

  • milliseconds (Milliseconds): Elapsed time in milliseconds.

  • microseconds (Microseconds): Elapsed time in microseconds.

  • nanoseconds (Nanoseconds): Elapsed time in nanoseconds.

 

Kbytes/Packets

The number of bytes (or bits, or packets) sent or received in the context of the Impacted Host. Every field in this group is interpreted in the context of the Impacted Host; note the singular spelling of the megabytein/megabyteout and gigabytein/gigabyteout field names.

  • bitsin (Bits in)

  • bitsout (Bits out)

  • bytesin (Bytes in)

  • bytesout (Bytes out)

  • kilobitsin (Kilobits in)

  • kilobitsout (Kilobits out)

  • kilobytesin (Kilobytes in)

  • kilobytesout (Kilobytes out)

  • megabitsin (Megabits in)

  • megabitsout (Megabits out)

  • megabytein (Megabyte in)

  • megabyteout (Megabyte out)

  • gigabitsin (Gigabits in)

  • gigabitsout (Gigabits out)

  • gigabytein (Gigabyte in)

  • gigabyteout (Gigabyte out)

  • petabitsin (Petabits in)

  • petabitsout (Petabits out)

  • petabytesin (Petabytes in)

  • petabytesout (Petabytes out)

  • bits (Bits)

  • bytes (Bytes)

  • kilobits (Kilobits)

  • kilobytes (Kilobytes)

  • megabits (Megabits)

  • megabytes (Megabytes)

  • gigabits (Gigabits)

  • gigabytes (Gigabytes)

  • terabits (Terabits)

  • terabytes (Terabytes)

  • petabits (Petabits)

  • petabytes (Petabytes)

  • packetsin (Packets in)

  • packetsout (Packets out)

 

Classification Tab

  • severity (Severity): The vendor's view of the severity of the log.

  • vmid (Vendor Message ID): The vendor-specific identifier for the log, used to describe a type of event.

  • vendorinfo (Vendor Info): Description of a specific vendor log or event identifier for the log. A human-readable elaboration that directly correlates to the VMID.

  • threatname (Threat Name): The name of a threat described in the log message (e.g., malware, exploit name, signature name). Do not overload with Policy.

  • threatid (Threat ID): ID number or unique identifier of a threat. Note that CVE is stored separately.

  • cve (CVE): CVE ID (i.e., CVE-1999-0003) from vulnerability scan data.

Host Tab

  • smac (MAC Address (Origin)): The MAC address from which activity originated (i.e., attacker, client).

  • dmac (MAC Address (Impacted)): The MAC address that was affected by the activity (i.e., target, server).

  • sinterface (Interface (Origin)): The network port/interface from which the activity originated (i.e., attacker, client).

  • dinterface (Interface (Impacted)): The network port/interface that was affected by the activity (i.e., target, server).

  • sip (IP Address (Origin)): The IP address from which activity originated (i.e., attacker, client).

  • dip (IP Address (Impacted)): The IP address that was affected by the activity (i.e., target, server).

  • snatip (NAT IP Address (Origin)): The Network Address Translated (NAT) IP address from which activity originated (i.e., attacker, client).

  • dnatip (NAT IP Address (Impacted)): The Network Address Translated (NAT) IP address that was affected by the activity (i.e., target, server).

  • sname (Hostname (Origin)): The hostname from which activity originated (i.e., attacker, client).

  • dname (Hostname (Impacted)): The hostname that was affected by the activity (i.e., target, server).

  • serialnumber (Serial Number): The hardware or software serial number in a log message. This value should be a permanent unique identifier.

Identity Tab

  • login (User (Origin)): The originating user or system account of the activity reported in the log.

  • account (User (Impacted)): The user or system account impacted by activity reported in the log.

  • sender (Sender): The sender of an email or the "caller number" for a VOIP log. This value must relate to a specific user or unique address in the case of a phone call or email.

  • recipient (Recipient): The recipient of an email or the dialed number for a VOIP log.

  • group (Group): The user group or role impacted by activity reported in the log. Do not use for entity group (zone or domain).

Network Tab

  • domainimpacted (Domain (Impacted)): The Windows or DNS domain name referenced or impacted by activity reported in the log.

  • domainorigin (Domain (Origin)): The Windows or DNS domain where the logged activity originated.

  • protnum (Protocol): The IANA protocol by number.

  • protname (Protocol): The IANA protocol by name.

  • sport (TCP/UDP Port (Origin)): The port from which activity originated (i.e., client, attacker port).

  • dport (TCP/UDP Port (Impacted)): The port to which activity was targeted (i.e., server, target port).

  • snatport (NAT TCP/UDP Port (Origin)): The Network Address Translated (NAT) port from which activity originated (i.e., client, attacker port).

  • dnatport (NAT TCP/UDP Port (Impacted)): The Network Address Translated (NAT) port to which activity was targeted (i.e., server, target port).

 
