Conditions for forwarding data to an extra normalizer

Support

Support for business applications

Kaspersky XDR Expert

Managing Kaspersky Unified Monitoring and Analysis Platform

User guide

KUMA resources

Normalizers

Conditions for forwarding data to an extra normalizer

May 15, 2024

ID 265135

Get as PDF

When creating additional event parsing rules, you can specify the conditions. When these conditions are met, the events are sent to the created parsing rule for processing. Conditions can be specified in the Additional event parsing window, on the Extra normalization conditions tab. This tab is not available for the basic parsing rules.

Available settings:

Use raw event — If you want to send a raw event for extra normalization, select Yes in the Keep raw event drop-down list. The default value is No. We recommend passing a raw event to normalizers of json and xml types. If you want to send a raw event for extra normalization to the second, third, etc nesting levels, at each nesting level, select Yes in the Keep raw event drop-down list.
Field to pass into normalizer—indicates the event field if you want only events with fields configured in normalizer settings to be sent for additional parsing.
If this field is blank, the full event is sent to the extra normalizer for processing.
Set of filters—used to define complex conditions that must be met by the events received by the normalizer.
You can use the Add condition button to add a string containing fields for identifying the condition (see below).

You can use the Add group button to add a group of filters. Group operators can be switched between AND, OR, and NOT. You can add other condition groups and individual conditions to filter groups.

You can swap conditions and condition groups by dragging them by the icon; you can also delete them using the icon.

Filter condition settings:

Left operand and Right operand—used to specify the values to be processed by the operator.
In the left operand, you must specify the source field of events coming into the normalizer. For example, if the eventType - DeviceEventClass mapping is configured in the Basic event parsing window, then in the Additional event parsing window on the Extra normalization conditions tab, you must specify eventType in the left operand field of the filter. Data is processed only as text strings.
Operators:
- = – full match of the left and right operands.
- startsWith – the left operand starts with the characters specified in the right operand.
- endsWith – the left operand ends with the characters specified in the right operand.
- match – the left operand matches the regular expression (RE2) specified in the right operand.
- in – the left operand matches one of the values specified in the right operand.

The incoming data can be converted by clicking the wrench-new button. The Conversion window opens, where you can use the Add conversion button to create the rules for converting the source data before any actions are performed on them. In the Conversion window, you can swap the added rules by dragging them by the DragIcon icon; you can also delete them using the cross-black icon.

Available conversions

Conversions are changes that can be applied to a value before it gets written to the event field. The conversion type is selected from a drop-down list.

Available conversions:

lower—is used to make all characters of the value lowercase
upper—is used to make all characters of the value uppercase
regexp – used to convert a value using the regular expression RE2. When this conversion type is selected, the field appears where regular expression should be added.
substring—is used to extract characters in the position range specified in the Start and End fields. These fields appear when this conversion type is selected.
replace—is used to replace specified character sequence with the other character sequence. When this type of conversion is selected, new fields appear:
- Replace chars—in this field you can specify the character sequence that should be replaced.
- With chars—in this field you can specify the characters sequence should be used instead of replaced characters.
trim—used to simultaneously remove the characters specified in the Chars field from the leading and end positions of the value. The field appears when this type of conversion is selected. For example, a trim conversion with the Micromon value applied to Microsoft-Windows-Sysmon results in soft-Windows-Sys.
append is used to add the characters specified in the Constant field to the end of the event field value. The field appears when this type of conversion is selected.
prepend—used to prepend the characters specified in the Constant field to the start of the event field value. The field appears when this type of conversion is selected.
replace with regexp—is used to replace RE2 regular expression results with the character sequence.
- Expression—in this field you can specify the regular expression which results that should be replaced.
- With chars—in this field you can specify the characters sequence should be used instead of replaced characters.
Converting encoded strings to text:
- decodeHexString—used to convert a HEX string to text.
- decodeBase64String—used to convert a Base64 string to text.
- decodeBase64URLString—used to convert a Base64url string to text.
When converting a corrupted string or if conversion error occur, corrupted data may be written to the event field.

During event enrichment, if the length of the encoded string exceeds the size of the field of the normalized event, the string is truncated and is not decoded.

If the length of the decoded string exceeds the size of the event field into which the decoded value is to be written, such a string is truncated to fit the size of the event field.

Conversions when using the extended event schema

Whether or not a conversion can be used depends on the type of extended event schema field being used:

For an additional field of the "String" type, all types of conversions are available.
For fields of the "Number" and "Float" types, the following types of conversions are available: regexp, substring, replace, trim, append, prepend, replaceWithRegexp, decodeHexString, decodeBase64String, decodeBase64URLString.
For fields of "Array of strings", "Array of numbers", and "Array of floats" types, the following types of conversions are available: append, prepend.

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.