Below is an example syslog message coming into Sentinel from Cisco Secure Workload (formerly Tetration):
Alert[11]: [WARNING] {"keyId":"SEN::u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm-upgrade_srv_check_in","eventTime":"1684974923000","alertTime":"1684974949559","alertText":"Agent Inactive: centos7","severity":"MEDIUM","tenantId":"000457","type":"SENSOR","alertDetails":"{"details":{"AgentType":"ENFORCER","Bios":"57D84D56-0000-0000-7E3C-9DD10F02AFD5","CurrentVersion":"3.7.1.40-enforcer","DesiredVersion":"","HostName":"centos7","IP":"1.1.1.1 (Gateway IP)","LastConfigFetchAt":"2023-05-03 15:47:53 +0000 UTC","Platform":"CentOS-7.9"},"agent_uuid":"u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm","scope_name":"MYLAB","scope_id":"f5qeybblv5oktpnte4ccrf5pw","vrf_id":700457}","rootScopeId":"f5qeybblv5oktpnte4ccrf5pw"}
Need assistance in parsing this as there are currently no existing parsers for this product. Looks like there’s JSON involved but not certain if I should be using extractjson or parse_json.
I’ve started the following query but am having trouble with extracting/filtering values (likely because the JSON parsing is missing from this query):
Syslog
| where ProcessName contains "Tetration"
| extend AlertID = extract(????, 1, SyslogMessage)
| extend Severity = extract(????,1, SyslogMessage)
| extend TenantID = extract(????, 1, SyslogMessage)
| extend IP = extract(????, 1, SyslogMessage)
| extend ScopeName = extract(????, 1, SyslogMessage)
Any assistance the community can provide would be greatly appreciated.
2 Answers
Thanks Yoni. Here's the full query I'm using in Sentinel (still testing but looking good).
you could use a combination of: indexof() function, substring() function, parse_json() function. for example:
or, you could use the parse operator: