Custom Decoder for Sophos XDR


M Jones

Jun 23, 2022, 4:28:06 PM6/23/22
to Wazuh mailing list
Hi,

I'm creating a decoder for Sophos XDR logs; however, it seems the JSON decoder is getting to the log before my custom decoder can. Is there any way for it to go to JSON and then be decoded again with my field names?

Log - 

{"endpoint_id": "11111111-jimy-2222-2222-222222897f95", "endpoint_type": "server", "source_info": {"ip": "192.168.1.25"}, "customer_id": "222222f2-2222-2222-7777-222222333333", "severity": "low", "name": "Update succeeded", "id": "222222d3-dad2-7777-8888-222222222222", "type": "Event::Endpoint::UpdateSuccess", "group": "UPDATING", "datastream": "event", "rt": "2022-06-22T16:38:06.879Z", "end": "2022-06-22T23:38:06.867Z", "dhost": "Redactedhost1", "suser": "n/a"}


Decoder  - (work in progress)
    <!-- Parent decoder: matches the start of a Sophos XDR JSON event -->
    <decoder name="sophosxdr">
      <prematch>{"endpoint_id":\s"\S*","endpoint_type":\s"\w*"</prematch>
    </decoder>

    <!-- Child decoders: each extracts one field into an sx.* name -->
    <decoder name="sophosxdr-fields">
      <parent>sophosxdr</parent>
      <regex>"endpoint_id":\s"(\S*)"</regex>
      <order>sx.endpoint_id</order>
    </decoder>

    <decoder name="sophosxdr-fields">
      <parent>sophosxdr</parent>
      <regex>"endpoint_type":\s"(\.*)"</regex>
      <order>sx.endpoint_type</order>
    </decoder>

    <decoder name="sophosxdr-fields">
      <parent>sophosxdr</parent>
      <regex>"ip":\s"(\d+.\d+.\d+.\d+)"</regex>
      <order>sx.agent_ip</order>
    </decoder>

    <decoder name="sophosxdr-fields">
      <parent>sophosxdr</parent>
      <regex>"customer_id":\s"(\.*)"</regex>
      <order>sx.customer_id</order>
    </decoder>

Sebastian Dario Bustos

Jun 23, 2022, 8:06:33 PM6/23/22
to Wazuh mailing list
Hello,
Thank you for using Wazuh!
That JSON log is natively decoded by Wazuh. If the log weren't in JSON format, then it would evaluate the rest of the decoders, but in this case it is always decoded as JSON first, if possible.
Are these logs coming straight from the source, or are they being dumped into a local file on an agent and then ingested through a `<localfile>` config?
If these logs are being ingested directly, you should check whether there is a way for Sophos XDR to format the logs in a plain, syslog-like format; then you will be able to use custom decoders for the logs.
Let me know.
Regards.
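Because the built-in `json` decoder already extracts every key of that event (nested objects become dotted field names, so the IP is available as `source_info.ip`), the usual way to alert on these logs without a custom decoder is to match the decoded fields directly in rules. The following is an added example written for this thread, not code from either poster or from Wazuh itself; the rule IDs (100100 onward) and the group name are assumptions chosen from the range reserved for custom rules.

```xml
<!-- Added example: rules for /var/ossec/etc/rules/local_rules.xml (hypothetical IDs) -->
<group name="sophos,sophosxdr,">

  <!-- Base rule: an event the built-in JSON decoder parsed and that carries
       the Sophos XDR field set. Field values are Wazuh regexes, so anchor them. -->
  <rule id="100100" level="3">
    <decoded_as>json</decoded_as>
    <field name="datastream">^event$</field>
    <field name="type">^Event::Endpoint::</field>
    <description>Sophos XDR endpoint event on $(dhost): $(name)</description>
  </rule>

  <!-- Child rule for the exact event type seen in the posted log line -->
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <field name="type">^Event::Endpoint::UpdateSuccess$</field>
    <description>Sophos XDR: update succeeded on $(dhost)</description>
  </rule>

  <!-- Escalate on Sophos's own severity field rather than re-parsing the JSON.
       Nested keys are referenced with dotted names, e.g. <field name="source_info.ip">. -->
  <rule id="100102" level="8">
    <if_sid>100100</if_sid>
    <field name="severity">^high$</field>
    <description>Sophos XDR high-severity event on $(dhost) ($(source_info.ip)): $(name)</description>
  </rule>

</group>
```

To check which rule fires, paste the JSON line from the first message into `/var/ossec/bin/wazuh-logtest` on the manager: the output shows the `json` decoder's field list (which confirms the dotted names) followed by the matched rule ID and level.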