JSON field extraction in Sumo Logic AWS GuardDuty template not working

  • Official comment
    Matt Sullivan

    I tried your code vs. some sample data. It does seem to work, just that elements in the service.action field will vary based on the action, so the nodrop keeps a lot of messages with empty ip and localPort fields. If you append these two lines to the end of your query, hopefully you do see ip and localPort for at least some of the messages:

    | count ip, localPort
    | order by _count

    If you want to exclude messages that don't have service.action, you could remove the nodrop statements and the json parse will act as a filter. Additionally, you could include the target action name in the scoping section of the query as keywords to the search.

    The %, FYI, is just a way to allow field names with normally disallowed characters in the syntax, in this case the period. The article describing it probably could be easier to find, but it's here: https://help.sumologic.com/05Search/Get-Started-with-Search/Search-Basics/Reference_a_Field_with_Special_Characters

    Sorry to hear that there was pain involved. 

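The behaviour described in the comment above, modelled in Python as an added example (not part of the original thread, and not Sumo Logic query code): extraction with nodrop keeps findings whose service.action has no network fields, leaving ip and localPort empty, while extraction without nodrop filters them out. The two field paths and the sample findings are constructed assumptions modelled on the GuardDuty finding layout, since the original query is not shown on the page.

```python
import json
from collections import Counter

# Assumed extraction paths (the original query is not on the page); they only
# exist when service.action describes a network connection.
IP_PATH = "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4"
PORT_PATH = "service.action.networkConnectionAction.localPortDetails.port"

# Constructed sample findings, trimmed to the service.action element.
SAMPLE_FINDINGS = [
    '{"service":{"action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localPortDetails":{"port":22},"remoteIpDetails":{"ipAddressV4":"198.51.100.7"}}}}}',
    '{"service":{"action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"api":"DescribeInstances","serviceName":"ec2.amazonaws.com"}}}}',
    '{"service":{"action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"localPortDetails":{"port":22},"remoteIpDetails":{"ipAddressV4":"198.51.100.7"}}}}}',
    '{"service":{"action":{"actionType":"DNS_REQUEST","dnsRequestAction":{"domain":"example.com"}}}}',
]

def extract(doc, path):
    """Walk a dotted path; return None when any element is missing."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def parse(lines, nodrop):
    """Model the json operator: with nodrop a failed extraction leaves the
    field empty; without nodrop the message is dropped from the results."""
    rows = []
    for line in lines:
        finding = json.loads(line)
        ip, port = extract(finding, IP_PATH), extract(finding, PORT_PATH)
        if (ip is None or port is None) and not nodrop:
            continue
        rows.append((ip or "", "" if port is None else str(port)))
    return rows

def count_by_ip_port(rows):
    """Group by (ip, localPort) and count, largest group first."""
    return Counter(rows).most_common()

if __name__ == "__main__":
    print("with nodrop:   ", count_by_ip_port(parse(SAMPLE_FINDINGS, nodrop=True)))
    print("without nodrop:", count_by_ip_port(parse(SAMPLE_FINDINGS, nodrop=False)))
```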
