feat: Add Object Interpretation to Capture Named Groups - Githubissues

brexhq / substation

Substation is a toolkit for routing, normalizing, and enriching security event and audit logs.

https://substation.readme.io

MIT License

330 stars 21 forks source link

feat: Add Object Interpretation to Capture Named Groups #78

Closed jshlbrd closed 1 year ago

jshlbrd commented 1 year ago

Description

Adds named group support to object interpretation in the Capture processor

Motivation and Context

Okta's audit logs contain unusual pseudo-JSON like this ...

{
    "debugContext": {
        "debugData": {
            "behaviors": "{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=NEGATIVE, New City=NEGATIVE}"
        }
    }
}

... that would be much better if it were like this instead:

{
    "debugContext": {
        "debugData": {
            "behaviors": {
                "New Geo-Location": "NEGATIVE",
                "New Device": "NEGATIVE",
                "New IP": "NEGATIVE",
                "New State": "NEGATIVE",
                "New Country": "NEGATIVE",
                "Velocity": "NEGATIVE",
                "New City": "NEGATIVE"
            }
        }
    }
}

This PR makes that possible by nesting captured fields under the set_key configuration.

How Has This Been Tested?

Added new unit testing.

Types of changes

[ ] Bug fix (non-breaking change which fixes an issue)
[x] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

[x] My code follows the code style of this project.
[x] My change requires a change to the documentation.
[x] I have updated the documentation accordingly.