Can Sentinel's KQL query extract JSON from syslog data from CSW / Tetration on Centos?

user21962463
May 26, 2023
263 views
0 votes
2 Answers

Below is an example syslog message coming into Sentinel from Cisco Secure Workload (formerly Tetration):

Alert[11]: [WARNING] {"keyId":"SEN::u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm-upgrade_srv_check_in","eventTime":"1684974923000","alertTime":"1684974949559","alertText":"Agent Inactive: centos7","severity":"MEDIUM","tenantId":"000457","type":"SENSOR","alertDetails":"{"details":{"AgentType":"ENFORCER","Bios":"57D84D56-0000-0000-7E3C-9DD10F02AFD5","CurrentVersion":"3.7.1.40-enforcer","DesiredVersion":"","HostName":"centos7","IP":"1.1.1.1 (Gateway IP)","LastConfigFetchAt":"2023-05-03 15:47:53 +0000 UTC","Platform":"CentOS-7.9"},"agent_uuid":"u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm","scope_name":"MYLAB","scope_id":"f5qeybblv5oktpnte4ccrf5pw","vrf_id":700457}","rootScopeId":"f5qeybblv5oktpnte4ccrf5pw"}

Need assistance in parsing this as there is currently no existing parsers for this product. Looks like there’s JSON involved but not certain if I should be using extractjson or parse_json.

I’ve started the following query but am having trouble with extracting/filtering values (likely because the JSON parsing is missing from this query):

Syslog
| where ProcessName contains "Tetration"
| extend AlertID = extract(????, 1, SyslogMessage) 
| extend Severity = extract(????,1, SyslogMessage)
| extend TenantID = extract(????, 1, SyslogMessage)
| extend IP = extract(????, 1, SyslogMessage)
| extend ScopeName = extract(????, 1, SyslogMessage)

Any assistance the community can provide would be greatly appreciated.

Answers

Chosen as BEST ANSWER

Thanks Yoni. Here's the full query I'm using in Sentinel (still testing but looking good).

Syslog 
| where ProcessName contains "Tetration"
| take 10
| parse SyslogMessage with "Alert[" AlertId "]: [" Severity "] " input:dynamic
| project
    AlertId,
    AlertText = input.alertText,
    Severity = input.severity,
    TenantID = input.tenantId,
    Type = input.type,
    AlertDetails = parse_json(tostring(input.alertDetails))
| extend
    Host_Name = AlertDetails.details.HostName,
    IP = AlertDetails.details.IP,
    Scope_Name = AlertDetails.scope_name,
    Version = AlertDetails.details.CurrentVersion,
    OS = AlertDetails.details.Platform,
    Agent_ID = AlertDetails.agent_uuid,
    Scope_ID = AlertDetails.scope_id,
    VRF_ID = AlertDetails.vrf_id
| project-away AlertDetails

(Edit)

you could use a combination of:

for example:

print input = ```Alert[11]: [WARNING] {"keyId":"SEN::u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm-upgrade_srv_check_in","eventTime":"1684974923000","alertTime":"1684974949559","alertText":"Agent Inactive: centos7","severity":"MEDIUM","tenantId":"000457","type":"SENSOR","alertDetails":"{"details":{"AgentType":"ENFORCER","Bios":"57D84D56-0000-0000-7E3C-9DD10F02AFD5","CurrentVersion":"3.7.1.40-enforcer","DesiredVersion":"","HostName":"centos7","IP":"1.1.1.1 (Gateway IP)","LastConfigFetchAt":"2023-05-03 15:47:53 +0000 UTC","Platform":"CentOS-7.9"},"agent_uuid":"u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm","scope_name":"MYLAB","scope_id":"f5qeybblv5oktpnte4ccrf5pw","vrf_id":700457}","rootScopeId":"f5qeybblv5oktpnte4ccrf5pw"}```
| extend start_position = indexof(input, "{")
| extend input = parse_json(substring(input, start_position))
| project
    AlertID = input.keyId,
    Severity = input.severity,
    TenantID = input.tenantId,
    AlertDetails = parse_json(tostring(input.alertDetails))
| extend
    IP = AlertDetails.details.IP,
    ScopeName = AlertDetails.scope_name
| project-away AlertDetails

AlertID	Severity	TenantID	IP	ScopeName
SEN::u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm-upgrade_srv_check_in	MEDIUM	000457	1.1.1.1 (Gateway IP)	MYLAB

or, you could use the parse operator:

print input = ```Alert[11]: [WARNING] {"keyId":"SEN::u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm-upgrade_srv_check_in","eventTime":"1684974923000","alertTime":"1684974949559","alertText":"Agent Inactive: centos7","severity":"MEDIUM","tenantId":"000457","type":"SENSOR","alertDetails":"{"details":{"AgentType":"ENFORCER","Bios":"57D84D56-0000-0000-7E3C-9DD10F02AFD5","CurrentVersion":"3.7.1.40-enforcer","DesiredVersion":"","HostName":"centos7","IP":"1.1.1.1 (Gateway IP)","LastConfigFetchAt":"2023-05-03 15:47:53 +0000 UTC","Platform":"CentOS-7.9"},"agent_uuid":"u0mvypu37b9fwimpr4zn168c2ht159n6xdhwtaanm","scope_name":"MYLAB","scope_id":"f5qeybblv5oktpnte4ccrf5pw","vrf_id":700457}","rootScopeId":"f5qeybblv5oktpnte4ccrf5pw"}```
| parse input with "Alert[" AlertId "]: [" Severity "] " input:dynamic
| project
    AlertId,
    Severity = input.severity,
    TenantID = input.tenantId,
    AlertDetails = parse_json(tostring(input.alertDetails))
| extend
    IP = AlertDetails.details.IP,
    ScopeName = AlertDetails.scope_name
| project-away AlertDetails

AlertId	Severity	TenantID	IP	ScopeName
11	MEDIUM	000457	1.1.1.1 (Gateway IP)	MYLAB

Please signup or login to give your own answer.

Click here to cancel reply.

Can Sentinel’s KQL query extract JSON from syslog data from CSW / Tetration on Centos?

Answers