DNS Header Flag fields that are boolean, can I convert this to ECS by just having one object
Teach me, oh Pipeline Wizards.... I have DNS Header Flag fields coming in that are boolean, like `aa: false`, `ra: true`, `rd: true`, `tc: false`, etc. I would like to convert this to ECS by just having one object (`dns.header_flags`) with an array of the header flag names shown in an array if their above referenced field value is `true`. So the JSON would end up being structured like this. ```"dns": { "header_flags": ["ra", "rd"] }``` And the false fields would be dropped. I would also like to be able to do this in one function instead of a function with a filter for each potential Header Flag Field.
Answers
-
This is a Corelight Log and here is a sample log.
0 -
Do you have a reliable list of flags to watch for? (e.g., will it always be AA, RA, RD, TC?) Or are we going to need a pattern to identify when a flag shows up?
0 -
looks like a list
0 -
Agreed. Checking the Corelight Doc to validate.
0 -
Corelight only lists a subset, but the official DNS docs look like they describe the same 7 that the ECS docs show. https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-12
0 -
eval statement with `dns.header_flags` => ```[AA ? 'AA' : null, TC ? 'TC' : null, RD ? 'RD' : null, RA ? 'RA' : null, AD ? 'AD' : null, CD ? 'CD' : null, DO ? 'DO' : null].filter(Boolean)```
0 -
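The answer above hard-codes one ternary per flag. The following is an added example, not code from the thread or from Cribl/Corelight, that shows the same technique in plain JavaScript but driven by the list of ECS flag names, so adding or removing a flag is a one-line change. The event object, field names and the `isSet` string handling are assumptions: Zeek/Corelight emit `AA`/`TC`/`RD`/`RA` as JSON booleans, but if a source ships them as the strings `"true"`/`"false"`, a bare ternary like `AA ? 'AA' : null` would emit the flag for `"false"` too, because any non-empty string is truthy in JavaScript. The example normalises the value first so that only genuinely set flags reach `dns.header_flags`.

```javascript
// Added example (not from the thread): build ECS dns.header_flags from
// boolean flag fields, data-driven instead of one ternary per flag.

// ECS dns.header_flags allowed values, in the same order the eval
// expression in the answer uses.
const ECS_HEADER_FLAGS = ['AA', 'TC', 'RD', 'RA', 'AD', 'CD', 'DO'];

// Normalise a flag value to a real boolean.
// Assumption: booleans arrive either as JSON true/false or as the strings
// "true"/"T" (Zeek TSV style). The string "false" is truthy in JavaScript,
// so it must be compared, not just tested. Unset (undefined/null) is false.
function isSet(value) {
  if (typeof value === 'boolean') return value;
  if (typeof value === 'string') {
    const v = value.trim().toLowerCase();
    return v === 'true' || v === 't';
  }
  return false;
}

// Return only the flags that are set, looking the field up in either
// case (AA or aa), so false and missing flags are dropped.
function headerFlags(event) {
  return ECS_HEADER_FLAGS.filter(
    (flag) => isSet(event[flag]) || isSet(event[flag.toLowerCase()])
  );
}

// Same shape as the existing `dns` eval quoted later in the thread,
// with header_flags added as one more key.
function toEcsDns(event) {
  return {
    response_code: event.rcode_name,
    id: event.trans_id,
    answers: { data: event.answers, ttl: event.TTLs },
    question: { name: event.query, class: event.qclass_name, type: event.qtype_name },
    header_flags: headerFlags(event),
  };
}

// Constructed sample event in Zeek/Corelight dns.log style (not a real capture).
const sampleEvent = {
  trans_id: 39811,
  query: 'example.com',
  qclass_name: 'C_INTERNET',
  qtype_name: 'A',
  rcode_name: 'NOERROR',
  answers: ['93.184.216.34'],
  TTLs: [300],
  AA: false,
  TC: false,
  RD: true,
  RA: true,
};

console.log(JSON.stringify({ dns: toEcsDns(sampleEvent) }, null, 2));
```

In a Cribl Eval function the event fields are referenced as top-level variables, which is why the answer writes `AA ? 'AA' : null`; the whole event is also exposed as `__e` in Cribl expressions (an assumption from Cribl's expression docs, not verified in this thread), so the data-driven form can be written there as `['AA','TC','RD','RA','AD','CD','DO'].filter(f => __e[f] === true)`. The `=== true` comparison is the part that matters if the booleans might ever arrive as strings.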
Pardon my ignorance, but I don't understand how to implement this. Could you elaborate a little further?
0 -
surely
0 -
» Add an Eval function » Click the +Add Field button. First I'll create a new field for `dns` if it doesn't exist yet
0 -
Next, add a header_flags child with the payload I showed above:
0 -
An eval for dns already exists, currently with: `{'response_code': rcode_name, 'id': trans_id, 'answers': {'data': answers, 'ttl': TTLs}, 'question': {'name': query, 'class': qclass_name, 'type': qtype_name}}`
0 -
So I assume I could just add to that.
0 -
yes
0 -
if dns is sure to exist already, you can skip that part. just add the `dns.header_flags` entry
0 -
I'm assuming I can just add it to the existing expression by just calling `header_flags` as a nested object, like I have already done in the above code with `'question': {'name': query, 'class': qclass_name, 'type': qtype_name}`? So I would end up with something like `{'response_code': rcode_name, 'id': trans_id, 'answers': {'data': answers, 'ttl': TTLs}, 'question': {'name': query, 'class': qclass_name, 'type': qtype_name}, 'header_flags': [AA ? 'AA' : null, TC ? 'TC' : null, RD ? 'RD' : null, RA ? 'RA' : null, AD ? 'AD' : null, CD ? 'CD' : null, DO ? 'DO' : null].filter(Boolean)}` ?
0 -
you can do it all in one shot. might be easier to have it broken up for readability/management reasons. totally up to you
0 -
This is true. And I actually have some other pipelines in which that advice would help to look a little cleaner. I have some pretty wild eval expressions for HTTP Request Header parsing.
0 -
Let me cook all that up and test it and I'll let you know if I have any further questions. And thanks for your Wizardly GOAT Knowledge.
0 -
happy to help. good luck!
0 -
Worked like a charm!
0 -
Now, to cure my ignorance, do you have any documentation I can read to learn myself up on this expression syntax and function?
0 -
I prefer to learn what I have implemented instead of just copy/paste whenever possible.
0 -
My JavaScript Expression knowledge is close to `null`
0 -
this is a good place to start: https://sandbox.cribl.io/course/expressions
0 -
Is this particular technique covered in that course?
0 -
the really great thing about Cribl using JS for its processing language is it's so easy to code by ~google~ duckduckgo
0 -
no, it's more generic. will help with the basics
0 -
Yeah, I was more looking for keywords of how to ~google~ presearch the particular technique.
0