Zimperium
Syslog
// Description:
// Process alerts / events from Zimperium Syslog integration
// Data input format: ({ obj, size, source }) or ( doc )
function main({obj, size, source}) {
// Event selection criteria
let msg = obj["@message"]
if (!msg){
return {"status":"abort"}
}
let s = indexOf(msg, "zimperium.com dataexport")
if (s < 0){
return {"status":"abort"}
}
let ss = subString(msg, s, len(msg))
// printf("%s",ss)
let s2 = indexOf(ss, "- {")
if (s2 < 27){
return {"status":"abort"}
}
let etype = subString(ss, 27, s2-1)
// printf("|%s|",etype)
// Output field settings
obj["@type"] = "event"
obj["@parser"] = "fpl-ZimperiumMTDSyslog"
obj["@parserVersion"] = "20240107-1"
obj["@event_type"]="zimperium"
obj["@eventType"]="ZimperiumMTDSyslog"
let tags = ["ZimperiumMTD",etype]
obj["@tags"] = tags
let m = subString(ss, s2+2, len(ss))
// printf("|%s|",m)
let f = {}
try {
f = parseJson(m)
// printf("%v",f)
} catch (e) {
obj["@parserError"] = sprintf("(%s) - %s", e.name, e.message)
return {"status":"abort"}
}
obj["@zimperium"] = f
return {"status":"pass"}
}
function parseArray(s) {
let items = []
if (len(s) < 3) {
return items
}
let ss = subString(s, 1, len(s) - 1)
let x = split(ss, ",")
for i, v = range x {
let vv = subString(v, 2, len(v) - 1)
// printf("%s",vv)
items = append(items, vv)
}
return items
}
Updated 8 months ago