{
"anchor": "parse_cef",
"name": "parse_cef",
"category": "Parse",
"description": "Parses `value` as a CEF (Common Event Format) message. Everything before the `CEF:` header (for example a syslog prefix) is ignored. The pipe-delimited header fields are returned under fixed keys (`cefVersion`, `deviceVendor`, `deviceProduct`, `deviceVersion`, `deviceEventClassId`, `name`, `severity`); extension `key=value` pairs that follow the header are returned under their own keys. Empty values are returned as empty strings. Surrounding quotes are removed from values.",
"arguments": [
{
"name": "value",
"description": "The string to parse.",
"required": true,
"type": [
"string"
]
},
{
"name": "translate_custom_fields",
"description": "When `true`, each custom-field pair (for example `cs1` with `cs1Label`, or `c6a1` with `c6a1Label`) is collapsed into a single entry whose key is the label's value and whose value is the field's value; the original field and label keys are not returned. Note that the resulting key is taken verbatim from the event content. When `false` (the default), field and label are returned as separate keys.",
"required": false,
"type": [
"boolean"
],
"default": "false"
}
],
"return": {
"types": [
"object"
]
},
"internal_failure_reasons": [
"`value` is not a properly formatted CEF string."
],
"examples": [
{
"title": "Parse output generated by PTA",
"source": "parse_cef!(\n \"CEF:0|CyberArk|PTA|12.6|1|Suspected credentials theft|8|suser=mike2@prod1.domain.com shost=prod1.domain.com src=1.1.1.1 duser=andy@dev1.domain.com dhost=dev1.domain.com dst=2.2.2.2 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 cs3Label=PTAlink cs3=https://1.1.1.1/incidents/52b06812ec3500ed864c461e cs4Label=ExternalLink cs4=None\"\n)\n",
"return": {
"cefVersion": "0",
"deviceVendor": "CyberArk",
"deviceProduct": "PTA",
"deviceVersion": "12.6",
"deviceEventClassId": "1",
"name": "Suspected credentials theft",
"severity": "8",
"suser": "mike2@prod1.domain.com",
"shost": "prod1.domain.com",
"src": "1.1.1.1",
"duser": "andy@dev1.domain.com",
"dhost": "dev1.domain.com",
"dst": "2.2.2.2",
"cs1Label": "ExtraData",
"cs1": "None",
"cs2Label": "EventID",
"cs2": "52b06812ec3500ed864c461e",
"deviceCustomDate1Label": "detectionDate",
"deviceCustomDate1": "1388577900000",
"cs3Label": "PTAlink",
"cs3": "https://1.1.1.1/incidents/52b06812ec3500ed864c461e",
"cs4Label": "ExternalLink",
"cs4": "None"
}
},
{
"title": "Ignore syslog header",
"source": "parse_cef!(\n \"Sep 29 08:26:10 host CEF:1|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232\"\n)\n",
"return": {
"cefVersion": "1",
"deviceVendor": "Security",
"deviceProduct": "threatmanager",
"deviceVersion": "1.0",
"deviceEventClassId": "100",
"name": "worm successfully stopped",
"severity": "10",
"src": "10.0.0.1",
"dst": "2.1.2.2",
"spt": "1232"
}
},
{
"title": "Translate custom fields",
"source": "parse_cef!(\n \"CEF:0|Dev|firewall|2.2|1|Connection denied|5|c6a1=2345:0425:2CA1:0000:0000:0567:5673:23b5 c6a1Label=Device IPv6 Address\",\n translate_custom_fields: true\n)\n",
"return": {
"cefVersion": "0",
"deviceVendor": "Dev",
"deviceProduct": "firewall",
"deviceVersion": "2.2",
"deviceEventClassId": "1",
"name": "Connection denied",
"severity": "5",
"Device IPv6 Address": "2345:0425:2CA1:0000:0000:0567:5673:23b5"
}
},
{
"title": "Parse CEF with only header",
"source": "parse_cef!(\"CEF:1|Security|threatmanager|1.0|100|worm successfully stopped|10|\")",
"return": {
"cefVersion": "1",
"deviceVendor": "Security",
"deviceProduct": "threatmanager",
"deviceVersion": "1.0",
"deviceEventClassId": "100",
"name": "worm successfully stopped",
"severity": "10"
}
},
{
"title": "Parse CEF with empty value",
"source": "parse_cef!(\"CEF:0|CyberArk|PTA|12.6|1|Suspected credentials theft||suser=mike2@prod1.domain.com shost= src=1.1.1.1\")",
"return": {
"cefVersion": "0",
"deviceVendor": "CyberArk",
"deviceProduct": "PTA",
"deviceVersion": "12.6",
"deviceEventClassId": "1",
"name": "Suspected credentials theft",
"severity": "",
"suser": "mike2@prod1.domain.com",
"shost": "",
"src": "1.1.1.1"
}
},
{
"title": "Parse CEF with escapes",
"source": "parse_cef!(s'CEF:0|security|threatmanager|1.0|100|Detected a \\| in message. No action needed.|10|src=10.0.0.1 msg=Detected a threat.\\n No action needed act=blocked a \\= dst=1.1.1.1')",
"return": {
"cefVersion": "0",
"deviceVendor": "security",
"deviceProduct": "threatmanager",
"deviceVersion": "1.0",
"deviceEventClassId": "100",
"name": "Detected a | in message. No action needed.",
"severity": "10",
"src": "10.0.0.1",
"msg": "Detected a threat.\n No action needed",
"act": "blocked a =",
"dst": "1.1.1.1"
}
}
],
"notices": [
"All values, including the header `severity` and address/port fields such as `src` and `spt`, are returned as strings. We recommend coercing values to the desired types before comparing, filtering, or indexing on them."
],
"pure": true
}