Closed: leamese closed this issue 2 months ago
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
I will just give this a bump so it will not get forgotten, thanks :).
@leamese Looking at the documentation, the query_string field is available in the ASM module only. Let me know if it is coming for the APM module too.
Also, it would be great if you can provide some sample examples of that field.
Hi,
I'm finding the telemetry streaming for f5_bigip useful. But some searchable fields are missing to enable better filtering, searching.
For the APM Module: APM Module json can contain "Query_String" : "(u0026(|(sAMAccountName=johndo)(UserPincipleName=Johndo@))(!(userAccountControl:1.2.840....:=2)))" where the sAMAccountName and UserPrincipleName would be valuable to us to have a searchable field. Can also contain: "User_Name" : "johndo"
For the ASM Module: json contains the full HTTP Request (post / get / ..). That is saved in the field: "f5_bigip.log.request.detail" example (fields highlighted in bold are fields of interest): "request":"GET /auth/realms/c_simple/protocol/openid-connect/certs HTTP/1.1\r\nHost: itbqa.gent.be\r\nUser-Agent: Drupal/10.1.5 (+https://www.drupal.org/) GuzzleHttp/7\r\nAccept: application/json\r\nX-Forwarded-For: 77.241.84.205\r\n\r\n
I don't know if it is possible, but you could parse everything because the https headers are separated by \r\n every time.
Thanks in advance for looking at this.
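As an added illustration of the two extractions requested above (not code from the f5_bigip integration or from the issue author): split the raw ASM request on \r\n into request-line fields and a header map, and pull attribute=value assertions such as sAMAccountName and UserPrincipalName out of the APM LDAP filter after JSON decoding turns the escaped \u0026 back into "&". The sample events, hostnames, user and IP values are constructed for the example.

```python
import json
import re

# Constructed sample events modelled on the two fragments quoted in the issue
# (hostnames, user and IP values are illustrative, not real log data).
ASM_REQUEST_DETAIL = (
    "GET /auth/realms/c_simple/protocol/openid-connect/certs HTTP/1.1\r\n"
    "Host: itbqa.example.test\r\n"
    "User-Agent: Drupal/10.1.5 (+https://www.drupal.org/) GuzzleHttp/7\r\n"
    "Accept: application/json\r\n"
    "X-Forwarded-For: 192.0.2.10\r\n\r\n"
)
APM_EVENT_JSON = (
    r'{"Query_String": "(\u0026(|(sAMAccountName=johndo)(UserPrincipalName=johndo@example.test))'
    r'(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", "User_Name": "johndo"}'
)

# One LDAP assertion: "(attr=value)" or "(attr:matchingRuleOID:=value)".
LDAP_ASSERTION = re.compile(r"\(([A-Za-z][\w.;-]*)(?::[\w.]+:)?=([^()]*)\)")


def parse_asm_request(raw: str) -> dict:
    """Split the raw HTTP request stored in f5_bigip.log.request.detail into
    request-line fields and a header map; headers end at the first blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")  # header values may contain ':' themselves
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def extract_ldap_attributes(ldap_filter: str) -> dict:
    """Collect every attribute=value assertion in an LDAP search filter,
    keyed by lower-cased attribute name (sAMAccountName -> samaccountname)."""
    found = {}
    for attr, value in LDAP_ASSERTION.findall(ldap_filter):
        found.setdefault(attr.lower(), []).append(value)
    return found


def parse_apm_event(event_json: str) -> dict:
    """Decode an APM event; json.loads turns the escaped \\u0026 back into '&'
    before the filter is searched for account attributes."""
    event = json.loads(event_json)
    ldap_filter = event.get("Query_String", "")
    return {"user_name": event.get("User_Name"), "ldap_filter": ldap_filter,
            "attributes": extract_ldap_attributes(ldap_filter)}
```

Running parse_apm_event(APM_EVENT_JSON) yields samaccountname ["johndo"] and userprincipalname ["johndo@example.test"], the two values the issue asks to make searchable.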