Cribl - Change values to lowerCase

Some logs (e.g. Microsoft Azure) are not always fully normalized to lowercase characters. You can use Cribl to adjust those values by using either the Eval or the Mask function:


Eval

_raw.toLowerCase()

Cribl Eval _raw:toLowerCase


https://docs.cribl.io/stream/eval-function/ 

"The Eval Function adds or removes fields from events. (In Splunk, these are index-time fields.)"


Mask

You can also use Cribl's Mask function to hit all fields:

Match Regex = (.*)        <---- 1st capturing group (.*), see https://regex101.com/


Replace Expression = g1.toLowerCase()

Cribl Mask g1.toLowerCase



https://docs.cribl.io/stream/mask-function/

"The Mask Function masks, or replaces, patterns in events. This is especially useful for redacting PII (personally identifiable information) and other sensitive data."
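The following is an added example, not code from the post or from Cribl, that simulates both approaches above (the Eval value expression `_raw.toLowerCase()` and the Mask pair `(.*)` / `g1.toLowerCase()`) in plain JavaScript on a constructed Azure-style event. The `event` shape (an object with a `_raw` string) and the `evalLowercase` / `maskLowercase` function names are assumptions made for the example; Cribl evaluates these expressions inside its pipeline, so the code only models what the expressions do. It also shows what the output looks like when the replace expression is written without the call parentheses (`g1.toLowerCase`), which is an easy mistake to make in the Mask function's expression field.

```javascript
// Added example (not Cribl's own code). Models the post's Eval and Mask
// expressions on a constructed event; the event shape is an assumption.

// Constructed sample event in the style of an Azure sign-in log (not a real log).
const sampleEvent = {
  _raw: 'UserPrincipalName=Alice.Smith@Contoso.COM ResultType=Success Category=SignInLogs',
};

// Eval approach: field `_raw`, value expression `_raw.toLowerCase()`.
// Returns a new event instead of mutating the input.
function evalLowercase(event) {
  return { ...event, _raw: event._raw.toLowerCase() };
}

// Mask approach: Match Regex `(.*)`, Replace Expression `g1.toLowerCase()`.
// Cribl exposes capture groups as g1, g2, ...; String.prototype.replace passes
// them as callback arguments, which is how we model `g1` here.
function maskLowercase(event, regex = /(.*)/) {
  return { ...event, _raw: event._raw.replace(regex, (_match, g1) => g1.toLowerCase()) };
}

// The common mistake: `g1.toLowerCase` without parentheses. The expression then
// yields the function object, which is stringified into the event instead of
// the lowercased text. Kept here only to show the symptom.
function maskLowercaseMissingParens(event, regex = /(.*)/) {
  return { ...event, _raw: event._raw.replace(regex, (_match, g1) => String(g1.toLowerCase)) };
}

// Quick check usable in a test or a Cribl preview: is the field fully lowercase?
function isLowercased(event) {
  return event._raw === event._raw.toLowerCase();
}

// Stand-alone run: compare the three outcomes.
console.log(evalLowercase(sampleEvent)._raw);
console.log(maskLowercase(sampleEvent)._raw);
console.log(maskLowercaseMissingParens(sampleEvent)._raw);
```

Both correct variants produce the same lowercased `_raw`, while the variant without parentheses writes the text of the native function into the event. Note that lowercasing the whole `_raw` also lowercases case-sensitive values inside it (base64 blobs, JWTs, hashes), so if those need to survive, narrow the Match Regex to the fields you actually want normalized instead of using `(.*)`.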
