JSON Policy Syntax
LogRhythm SIEM allows you to normalize log messages sent from JSON log sources, making collection easy and standardizing the formatting so the Mediator can ingest the metadata reliably. The JSON Policy Builder provides an easy-to-use, GUI-based experience for building JSON normalization rules. For customers who wish to create the normalization files on their own or adjust existing files, the formats and standards are provided below.
Sample JSON Normalization Rule
```json
{
  "name": "normalization rule name",
  "filter": "@.['@metadata'].['beat'] == 'samplebeat'",
  "schemarule": {
    "fanout": {
      "InputField": null
    },
    "ConvertoJson": [
      "$.['message']"
    ]
  },
  "transforms": [
    {
      "inputrule": "$.@metadata.beat",
      "LRSchemaField": "beatname",
      "type": "String",
      "default": null,
      "alternativefields": [],
      "format": null
    },
    {
      "inputrule": "$.['destination'].['port']",
      "LRSchemaField": "dport",
      "type": "String",
      "default": null,
      "alternativefields": [],
      "format": null,
      "path": {
        "name": ".['destination'].['port']",
        "leaf": "port",
        "depth": 2,
        "seenInLogCount": 2,
        "values": [
          {
            "value": 443,
            "type": "number",
            "count": 2
          }
        ],
        "mappedField": "dport"
      }
    }
  ],
  "subtransforms": [],
  "Lookup": {}
}
```
Required Sections
Name
A descriptive name used to identify which rule performed the normalization.
Filter
The query evaluated against each incoming message to decide whether this policy applies.
- Filters start with @, meaning evaluation begins at the root of the JSON object.
- To combine multiple evaluations, filters accept && for "and", =~ for "contains", and || for "or".
- For proper evaluation, && is evaluated before ||.
- To make the filter case insensitive, include (?i).
Sample
"filter": "@.@metadata.beat == 'okta'"
Transforms
Transforms convert a field in the JSON message to a LogRhythm schema field.
- inputrule: the field in the JSON message you want to select
- LRSchemaField: the LogRhythm field this should be mapped to
- type: string or datetime
- (Optional) default: the value to use when this field is not populated
- alternativeFields: ?
- $ represents the root element of the JSON message
- format: normally used for fields such as dates; this should be a .NET format string
- FanoutParentElement: maps the input rule to the fanout element declared in the schemarule section
Optional Sections
Schemarule is a section for advanced operations such as:
- Fanout, which tells the engine to break out each item in the named field into a separate log. For example, with "fanout": "$.log.Records[*]" each Record becomes its own log message. Fanning out 2 fields is supported; if one field has 5 logs and the other has 10 logs, you end up with 50 logs.
- ConvertoJson, which converts a field into JSON format. While not a miracle worker, it can make fields more JSON friendly.
Subtransforms
- Condition: if the condition evaluates true, apply the subtransform
- Exitonmatch: exit after a match, or keep evaluating the other subtransforms
- The transformation itself (same format as the transforms above)
Lookup: this section works much like a binary tree lookup and is a good fit when you want to populate the tag1 or tag2 fields.
An inputrule can perform a lookup based on field values. For example:
"inputrule": "Lookup(vendorinfo,$.response.operationName)"
This looks in the Lookup section (example below) for the anticipated value of vendorinfo (in this example, we expect "action"); on that match it looks up the secondary string to determine the resulting value.
```json
"Lookup": {
  "action": {
    "create": "Service Created",
    "update": "Service Updated",
    "delete": "Service Deleted"
  }
}
```
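As an added worked example (not LogRhythm's engine and not a shipped rule), the Python below models the filter, transform, default and Lookup behaviour described above and runs it over a constructed event. It assumes a leading (?i) marks a case-insensitive filter and that Lookup's first argument names a schema field an earlier transform already populated.

```python
import re
LOG = {"@metadata": {"beat": "samplebeat"}, "category": "action",  # constructed sample event
       "response": {"operationName": "create"}, "destination": {"port": 443}}
RULE = {  # constructed policy in the page's format, not a LogRhythm-shipped rule
    "name": "sample service audit",
    "filter": "(?i)@.@metadata.beat == 'SampleBeat' && @.response.operationName =~ 'creat' "
              "|| @.['@metadata'].['beat'] == 'otherbeat'",  # leading (?i) is an assumption
    "transforms": [
        {"inputrule": "$.@metadata.beat", "LRSchemaField": "beatname", "type": "String", "default": None},
        {"inputrule": "$.category", "LRSchemaField": "vendorinfo", "type": "String", "default": None},
        {"inputrule": "Lookup(vendorinfo,$.response.operationName)", "LRSchemaField": "action", "type": "String", "default": "Unknown operation"},
        {"inputrule": "$.destination.port", "LRSchemaField": "dport", "type": "String", "default": None},
    ],
    "Lookup": {"action": {"create": "Service Created", "delete": "Service Deleted"}},
}
TOKEN = re.compile(r"\['([^']+)'\]|([^.\[\]]+)")  # accepts $.a.b and $.['a'].['b'] forms

def resolve(path, log):
    """Walk a path from the root ($ or @); None when any segment is absent."""
    for m in TOKEN.finditer(path.lstrip("$@")):
        log = log.get(m.group(1) or m.group(2)) if isinstance(log, dict) else None
    return log

def filter_matches(flt, log):
    """'==' and '=~' (contains) terms joined by && (evaluated first) and ||."""
    ci = flt.startswith("(?i)")
    def term(t):
        op = "=~" if "=~" in t else "=="
        lhs, rhs = (s.strip() for s in t.split(op, 1))
        val, rhs = str(resolve(lhs, log)), rhs.strip("'")
        val, rhs = (val.lower(), rhs.lower()) if ci else (val, rhs)
        return rhs in val if op == "=~" else val == rhs
    return any(all(term(t) for t in g.split("&&")) for g in (flt[4:] if ci else flt).split("||"))

def normalize(rule, log):
    """Apply transforms in order; an absent field takes the transform's default."""
    if not filter_matches(rule["filter"], log):
        return None
    out = {}
    for t in rule["transforms"]:
        m = re.fullmatch(r"Lookup\((\w+),(.+)\)", t["inputrule"])
        if m:  # assumed reading: table picked by the already-mapped field, entry by the log value
            value = rule["Lookup"].get(out.get(m.group(1)), {}).get(str(resolve(m.group(2), log)))
        else:
            value = resolve(t["inputrule"], log)
        value = t["default"] if value is None else value
        if value is not None:
            out[t["LRSchemaField"]] = str(value) if t["type"] == "String" else value
    return out
```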
LRSchemaField Names
Application
| Field | LRSchemaField | Description |
|---|---|---|
| Object | object | The resource (i.e., file) referenced or impacted by activity reported in the log. |
| Object Name | objectname | The descriptive name of the object. Do not use unless Object is also used. |
| Object Type | objecttype | A category type for the object (e.g., file, image, pdf, etc.). |
| Hash | hash | The hash value reported in the log. Choose MD5, SHA1, or SHA256. |
| Policy | policy | The specific policy referenced (i.e., Firewall, Proxy) in a log message. |
| Result | result | The outcome of a command, operation, or action. For example, the result of a quarantine might be success. |
| URL | url | The URL referenced or impacted by activity reported in the log. You may need to override the default regex for URLs that are not HTTP/HTTPS. |
| User Agent | useragent | The User Agent string from web server logs. |
| Response Code | responsecode | The explicit and well-defined response code for an action or command captured in a log. Response Code differs from Result in that a response code should be well-structured and easily identifiable as a code. |
| Subject | subject | The subject of an email or the general category of the log. |
| Version | version | The software or hardware device version described in either the process or object. |
| Command | command | The specific command executed that has been recorded in the log message. |
| Reason | reason | The justification for an action or result when not an explicit policy. |
| Action | action | Field for "what was done" as described in the log. Action is usually a secondary function of a command or process. |
| Status | status | The vendor's perspective on the state of a system, process, or entity. Status should NOT be used as the result of an action. |
| Session Type | sessiontype | The type of session described in the log (e.g., console, CLI, web). Distinct from IANA Protocol. |
| Process Name | process | System or application process described by the log message. |
| Process ID | processid | Numeric ID value for a process. |
| Parent Process ID | parentprocessid | The parent process ID of a system or application process that is of interest. |
| Parent Process Name | parentprocessname | The parent process name of a system or application process. |
| Parent Process Path | parentprocesspath | The full path of a parent process of a system or application process. |
| Quantity | quantity | A numeric count of something. For example, there are 4 lights (quantity is 4). |
| Amount | amount | The qualitative description of quantity (percentage or relative numbers). For example, half the lights are on (amount is .5 or 50). Amount is also used for currency. |
| Size | size | Numeric description of capacity (e.g., disk size) without a specific unit of measurement. Size is generally used as a limit rather than a current measurement. Use Amount for non-specific measurements. |
| Rate | rate | Defines a number of something per unit of time without a specific unit of measurement. Always expressed as a fraction. |
| Session | session | Unique user or system session identifier. |
Duration
The elapsed time reported in a log message, derived from multiple fields. Time Start and Time End need custom parsing patterns. If the log has start/end times, use Time Start and Time End. If the log has an elapsed time, use Days, Hours, Minutes, Seconds, Milliseconds, Microseconds, or Nanoseconds.
| Field | LRSchemaField | Description |
|---|---|---|
| Time Start | timestart | MUST be used with Time End |
| Time End | timeend | MUST be used with Time Start |
| Days | days | Elapsed time in days |
| Hours | hours | Elapsed time in hours |
| Minutes | minutes | Elapsed time in minutes |
| Seconds | seconds | Elapsed time in seconds |
| Milliseconds | milliseconds | Elapsed time in milliseconds |
| Microseconds | microseconds | Elapsed time in microseconds |
| Nanoseconds | nanoseconds | Elapsed time in nanoseconds |
Kbytes/Packets
The number of bytes, bits, or packets sent or received in the context of the Impacted Host.
| Field | LRSchemaField | Description |
|---|---|---|
| Bits in | bitsin | In the context of the Impacted Host. |
| Bits out | bitsout | In the context of the Impacted Host. |
| Bytes in | bytesin | In the context of the Impacted Host. |
| Bytes out | bytesout | In the context of the Impacted Host. |
| Kilobits in | kilobitsin | In the context of the Impacted Host. |
| Kilobits out | kilobitsout | In the context of the Impacted Host. |
| Kilobytes in | kilobytesin | In the context of the Impacted Host. |
| Kilobytes out | kilobytesout | In the context of the Impacted Host. |
| Megabits in | megabitsin | In the context of the Impacted Host. |
| Megabits out | megabitsout | In the context of the Impacted Host. |
| Megabyte in | megabytein | In the context of the Impacted Host. |
| Megabyte out | megabyteout | In the context of the Impacted Host. |
| Gigabits in | gigabitsin | In the context of the Impacted Host. |
| Gigabits out | gigabitsout | In the context of the Impacted Host. |
| Gigabyte in | gigabytein | In the context of the Impacted Host. |
| Gigabyte out | gigabyteout | In the context of the Impacted Host. |
| Petabits in | petabitsin | In the context of the Impacted Host. |
| Petabits out | petabitsout | In the context of the Impacted Host. |
| Petabytes in | petabytesin | In the context of the Impacted Host. |
| Petabytes out | petabytesout | In the context of the Impacted Host. |
| Bits | bits | In the context of the Impacted Host. |
| Bytes | bytes | In the context of the Impacted Host. |
| Kilobits | kilobits | In the context of the Impacted Host. |
| Kilobytes | kilobytes | In the context of the Impacted Host. |
| Megabits | megabits | In the context of the Impacted Host. |
| Megabytes | megabytes | In the context of the Impacted Host. |
| Gigabits | gigabits | In the context of the Impacted Host. |
| Gigabytes | gigabytes | In the context of the Impacted Host. |
| Terabits | terabits | In the context of the Impacted Host. |
| Terabytes | terabytes | In the context of the Impacted Host. |
| Petabits | petabits | In the context of the Impacted Host. |
| Petabytes | petabytes | In the context of the Impacted Host. |
| Packets in | packetsin | In the context of the Impacted Host. |
| Packets out | packetsout | In the context of the Impacted Host. |
Classification Tab
| Field | LRSchemaField | Description |
|---|---|---|
| Severity | severity | The vendor's view of the severity of the log. |
| Vendor Message ID | vmid | Vendor-specific identifier for the log, used to describe a type of event. |
| Vendor Info | vendorinfo | Description of a specific vendor log or event identifier for the log. Human-readable elaboration that directly correlates to the VMID. |
| Threat Name | threatname | The name of a threat described in the log message (e.g., malware, exploit name, signature name). Do not overload with Policy. |
| Threat ID | threatid | ID number or unique identifier of a threat. Note that CVE is stored separately. |
| CVE | cve | CVE ID (i.e., CVE-1999-0003) from vulnerability scan data. |
Host Tab
| Field | LRSchemaField | Description |
|---|---|---|
| MAC Address (Origin) | smac | The MAC address from which activity originated (i.e., attacker, client). |
| MAC Address (Impacted) | dmac | The MAC address that was affected by the activity (i.e., target, server). |
| Interface (Origin) | sinterface | The network port/interface from which the activity originated (i.e., attacker, client). |
| Interface (Impacted) | dinterface | The network port/interface that was affected by the activity (i.e., target, server). |
| IP Address (Origin) | sip | The IP address from which activity originated (i.e., attacker, client). |
| IP Address (Impacted) | dip | The IP address that was affected by the activity (i.e., target, server). |
| NAT IP Address (Origin) | snatip | The Network Address Translated (NAT) IP address from which activity originated (i.e., attacker, client). |
| NAT IP Address (Impacted) | dnatip | The Network Address Translated (NAT) IP address that was affected by the activity (i.e., target, server). |
| Hostname (Origin) | sname | The hostname from which activity originated (i.e., attacker, client). |
| Hostname (Impacted) | dname | The hostname that was affected by the activity (i.e., target, server). |
| Serial Number | serialnumber | The hardware or software serial number in a log message. This value should be a permanent unique identifier. |
Identity Tab
| Field | LRSchemaField | Description |
|---|---|---|
| User (Origin) | login | The originating user or system account of the activity reported in the log. |
| User (Impacted) | account | The user or system account impacted by activity reported in the log. |
| Sender | sender | The sender of an email or the "caller number" for a VOIP log. This value must relate to a specific user or unique address in the case of a phone call or email. |
| Recipient | recipient | The recipient of an email or the dialed number for a VOIP log. |
| Group | group | The user group or role impacted by activity reported in the log. Do not use for entity group (zone or domain). |
Network Tab
| Field | LRSchemaField | Description |
|---|---|---|
| Domain (Impacted) | domainimpacted | The Windows or DNS domain name referenced or impacted by activity reported in the log. |
| Domain (Origin) | domainorigin | The Windows or DNS domain where the logged activity originated. |
| Protocol | protnum | The IANA protocol by number. |
| Protocol | protname | The IANA protocol by name. |
| TCP/UDP Port (Origin) | sport | The port from which activity originated (i.e., client, attacker port). |
| TCP/UDP Port (Impacted) | dport | The port to which activity was targeted (i.e., server, target port). |
| NAT TCP/UDP Port (Origin) | snatport | The Network Address Translated (NAT) port from which activity originated (i.e., client, attacker port). |
| NAT TCP/UDP Port (Impacted) | dnatport | The Network Address Translated (NAT) port to which activity was targeted (i.e., server, target port). |