Wednesday 25 October 2017

ArcSight Connector: Moving Data via a Map file

Map files can be used to run additional processing on event data inside the connector. Sometimes I want to keep the original field untouched but run some extra processing on it, or extract part of its value into another field, so that the original is still available for forensics while rules can match on the derived field.

The location of this file will be $ArcSight_Connector_Location$\current\user\agent\map\
The file will be titled map.X.properties, X being the next number in the sequence of map files you already have. By default map.1.properties and map.2.properties already exist, so it is usually safe to name the new file map.3.properties; check the directory first, because an existing file with that number would be overwritten. Map files are read when the connector starts, so restart the connector after adding one.

In this scenario I want to move data from deviceCustomString1 to requestContext. I have some firewall events which present the context in deviceCustomString1, but my rules are looking for this data in requestContext. The file looks like this:

set.expr(deviceCustomString1).event.requestContext
"__regexToken(deviceCustomString1,""(.*)"")"


The (.*) is the RegEx string: a single capture group that matches the whole value, so this example takes everything in deviceCustomString1 and copies it into requestContext, leaving deviceCustomString1 as it was. The quotes inside the expression appear doubled ("") because the map file is CSV and a double quote inside a quoted cell has to be escaped that way; to extract only part of the field, replace (.*) with a narrower capture group.
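As an added example (not code from the original post or from ArcSight), the script below does the two things that are easy to get wrong by hand: it picks the next free map.X.properties number from the files already in the map directory, and it writes the header and expression row through a CSV writer so the embedded quotes come out doubled as in the file above. It also includes a small preview helper that applies the regex the way the post describes __regexToken, i.e. the text of the first capture group; that reading of the connector's behaviour, the field names, and the sample firewall value are assumptions made for the example.

```python
"""Draft an ArcSight SmartConnector map file that copies (part of) one event
field into another. Added example; assumptions are marked in comments."""
import csv
import io
import os
import re
import sys

# Constructed sample value for deviceCustomString1; not from a real firewall.
SAMPLE_DCS1 = "ctx=DMZ-Web;if=eth0"


def next_map_file_number(existing_names):
    """Return the next free N for map.N.properties given the file names
    already present in the map directory (1 when none exist)."""
    used = []
    for name in existing_names:
        m = re.fullmatch(r"map\.(\d+)\.properties", name)
        if m:
            used.append(int(m.group(1)))
    return max(used, default=0) + 1


def render_map_file(src_field, dst_field, regex):
    """Build the two-line map file body shown in the post:
    a set.expr(...) header column, then one row holding the __regexToken
    expression. The row goes through csv so inner quotes are doubled."""
    header = f"set.expr({src_field}).event.{dst_field}"
    expr = f'__regexToken({src_field},"{regex}")'
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([expr])
    return header + "\n" + buf.getvalue()


def preview_regex_token(value, regex):
    """Approximate what __regexToken yields for one field value: the text of
    the first capture group, or "" if the regex does not match. This is an
    assumption used for previewing the regex, not the connector's own logic."""
    m = re.search(regex, value)
    return m.group(1) if m and m.lastindex else ""


def write_map_file(map_dir, src_field, dst_field, regex):
    """Write the next free map.N.properties in map_dir and return its path."""
    n = next_map_file_number(os.listdir(map_dir))
    path = os.path.join(map_dir, f"map.{n}.properties")
    with open(path, "w", newline="") as fh:
        fh.write(render_map_file(src_field, dst_field, regex))
    return path


if __name__ == "__main__":
    # Usage: python mapfile.py <map_dir> [regex]; default copies the whole field.
    regex = sys.argv[2] if len(sys.argv) > 2 else "(.*)"
    print(render_map_file("deviceCustomString1", "requestContext", regex))
    print("preview:", preview_regex_token(SAMPLE_DCS1, regex))
    if len(sys.argv) > 1:
        print("wrote", write_map_file(sys.argv[1], "deviceCustomString1",
                                      "requestContext", regex))
```

Running it with the regex ctx=([^;]+) instead of (.*) shows the difference between copying the whole field and extracting only the context name, and the generated file for (.*) is byte-for-byte the one in the post.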
