I want to add a field management_address to its respective device_address..

Basudev Raut

May 04, 2021 06:18

Hi,
I have a case where Analyst uses the management IP, however there is a NAT address on the client side. The device address configured in the logs provide client IPs.

So I am looking to add a field management_address that we will define based on the device_address
ie: when an event has device_address=192.168.1.1 add field management_address=10.10.10.10

I've looked into a few ways to do this. Enrichment source I didn't see a good way to go about it. Adding a custom normalizer would be possible, but would have to add a signature for every IP <:ALL>192.168.1.1<:ALL> and then add keyvalue management_address=10.10.10.10
Label package would also be do-able and easier than norm signatures, but that would put the new IP in a label, rather than within the normalized event.

Wondering if anyone has come up with any other solutions or ideas.

1 comment

Date Votes

Rupsan Shrestha May 04, 2021 06:23

Greetings!

You could use dynamic enrichment for the above mentioned use case. You can create an enrichment source from a CSV where there is a mapping of the device_address with its respective management address.
Something like:
device_address, management address
192.168.1.1, 10.10.10.10
192.168.1.2, 10.10.10.20
..... and so on

You can then configure an enrichment policy with following entries;
key_present: device_ip
enrichment source: <Uploaded_CSV>
source: device_ip, operation: equals, event_key:device_ip

This will add management IP as a enriched field for the device IP if it equals the respective management IP in the uploaded CSV

Please sign in to leave a comment.