Fluency SIEM APIs

FPL provides access to the following internal utilities. These functions wrap built-in SIEM commands and are normally used during data processing and parsing.

geoip

  • geoip(ip_address)
    • returns an object with all the fields shown below.
    • returns an empty object if the address is not a public (internet-routable) IP address
let info = geoip("8.8.8.8")
// OR
let {city, country, isp} = geoip("8.8.8.8")

// info:
{
  "city": "Mountain View",
  "country": "United States",
  "countryCode": "US",
  "isp": "Google LLC",
  "latitude": 37.4223,
  "longitude": -122.085,
  "org": "Level 3"
}

decoder_CSV

  • decoder_CSV(csvText)
    • decodes a CSV formatted string into an array of field values
let text = `"2023-09-25 14:53:35","field1", "field2"`
let fields = decoder_CSV(text)
// ["2023-09-25 14:53:35", "field1", "field2"]

decoder_CEF

  • decoder_CEF(cefText)
    • decodes a CEF formatted string
    • returns an object with the following fields:
      • SignatureID
      • Name
      • Severity
      • Vendor
      • Product
      • Version
      • Fields
let cef = `CEF:0|Imperva Inc|Attack Analytics|0|1|SQL Injection attack by several IPs using an unknown bot |MINOR|msg=On host "www.google.com" start=1646830802431 end=1646831309201 cs4=CloudWAF cs4Label=ImpervaAAPlatform`
let m = decoder_CEF(cef)
// m:
{
  "Fields": {
    "msg": "On host \"www.google.com\"",
    "ImpervaAAPlatform": "CloudWAF",
    "start": "1646830802431"
  },
  "Name": "SQL Injection attack by several IPs using an unknown bot ",
  "Product": "Attack Analytics",
  "Severity": "MINOR",
  "SignatureID": "1",
  "Vendor": "Imperva Inc",
  "Version": "0"
}
// CEF:2 format
let cef2 = `CEF:2|SentinelOne|Mgmt|ip=127.0.0.1|eventID=5126|eventDesc=SentinelOne: Device Control connected USB|eventSeverity=1|...`
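To show what a CEF decoder actually has to handle, here is an added Python example written for this page; it is not Fluency's decoder_CEF implementation. It splits the pipe-delimited header while honouring the `\|` and `\\` header escapes, cuts the extension block into key=value pairs where values run until the next key and may carry `\=`, `\n`, `\r` and `\\` escapes, and then collapses custom-field label pairs (the documented output shows `cs4=CloudWAF cs4Label=ImpervaAAPlatform` surfacing as `"ImpervaAAPlatform": "CloudWAF"`, so the pair is merged that way here; that mapping, and the treatment of CEF:2 lines as vendor, product and then pipe-separated key=value tokens, are assumptions drawn from the samples above). The sample records are constructed from the shapes documented on this page.

```python
import re
from typing import Any, Dict, List

# Constructed sample records shaped like the documentation's examples (not live events).
SAMPLE_CEF0 = (
    "CEF:0|Imperva Inc|Attack Analytics|0|1|SQL Injection attack by several IPs using an unknown bot |MINOR|"
    'msg=On host "www.google.com" start=1646830802431 end=1646831309201 cs4=CloudWAF cs4Label=ImpervaAAPlatform'
)
SAMPLE_CEF2 = "CEF:2|SentinelOne|Mgmt|ip=127.0.0.1|eventID=5126|eventDesc=SentinelOne: Device Control connected USB|eventSeverity=1"

# Header positions after the "CEF:<version>" prefix, named as the documented output names them.
HEADER_KEYS = ("Vendor", "Product", "Version", "SignatureID", "Name", "Severity")

# An extension key is a run of [A-Za-z0-9_.] followed by '=' at the start of the block or after
# whitespace. A literal '=' inside a value must be escaped as '\=' in CEF, so it never matches here.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_ESCAPES = {"n": "\n", "r": "\r"}


def split_header(text: str, max_fields: int = 0) -> List[str]:
    """Split on unescaped '|', dropping the backslash in '\\|' and '\\\\'.

    When max_fields is set, the remainder after that many fields is returned whole,
    because the extension block may legitimately contain pipes.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            buf.append(text[i + 1])  # escaped pipe or backslash: keep the literal char
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
            if max_fields and len(parts) == max_fields:
                parts.append(text[i + 1:])
                return parts
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape(raw: str) -> str:
    # '\=' '\\' '\|' become the literal character; '\n' and '\r' become control characters.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), raw)


def parse_extension(ext: str) -> Dict[str, str]:
    """Cut 'k=v k2=v with spaces' into a dict; each value runs until the next key."""
    keys = list(_KEY_RE.finditer(ext))
    fields: Dict[str, str] = {}
    for n, m in enumerate(keys):
        stop = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():stop].strip())
    return fields


def apply_custom_labels(fields: Dict[str, str]) -> Dict[str, str]:
    """Assumption: csN/cnN-style keys are renamed to their <key>Label value and both raw keys dropped."""
    out = dict(fields)
    for key, label in fields.items():
        if not key.endswith("Label"):
            continue
        base = key[: -len("Label")]
        if base in fields and label not in out:
            out[label] = out.pop(base)
            del out[key]
    return out


def decode_cef(text: str) -> Dict[str, Any]:
    """Decode one CEF line into the documented shape (CEF:2 handled per the stated assumption)."""
    if not text.startswith("CEF:"):
        raise ValueError("not a CEF record")
    version = text.partition("|")[0][len("CEF:"):]
    if version == "2":
        # Assumption: vendor, product, then pipe-separated key=value tokens that go into Fields.
        parts = split_header(text)
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        return {"Vendor": parts[1], "Product": parts[2], "Fields": fields}
    parts = split_header(text, max_fields=7)
    if len(parts) < 7:
        raise ValueError("CEF:0 header needs 7 pipe-delimited fields before the extension")
    record: Dict[str, Any] = dict(zip(HEADER_KEYS, parts[1:7]))
    record["Fields"] = apply_custom_labels(parse_extension(parts[7] if len(parts) > 7 else ""))
    return record


if __name__ == "__main__":
    print(decode_cef(SAMPLE_CEF0))
    print(decode_cef(SAMPLE_CEF2))
```

Note that header values are not trimmed (the trailing space in the sample's Name survives, exactly as the documented output shows), while extension values are, since the separator between pairs is whitespace.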

decoder_QuotedKeyValue

  • decoder_QuotedKeyValue(text)
    • decodes the quoted key-value format k1="v1" k2="v2" …

decoder_MixedKeyValue

  • decoder_MixedKeyValue(text)
    • decodes key-value pairs where only some values are quoted, e.g. k1=v1 k2="v2 v3"
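The difference between the two decoders above is only in what an unquoted value means, so one tokenizer can illustrate both. The following Python example is added here for this page and is not Fluency's implementation of decoder_QuotedKeyValue or decoder_MixedKeyValue: quoted values may contain spaces and backslash-escaped quotes, unquoted values end at the next whitespace, and the strict (quoted) variant rejects an unquoted value instead of silently accepting it. Unterminated quotes and keys containing whitespace are reported as errors rather than producing a partial record. The sample inputs are constructed.

```python
from typing import Dict

# Constructed sample inputs shaped like the two documented formats.
QUOTED_SAMPLE = 'user="alice" action="login failed" src="10.0.0.5"'
MIXED_SAMPLE = 'user=alice action="login failed" attempts=3 note="he said \\"hi\\""'


def decode_key_value(text: str, require_quotes: bool = False) -> Dict[str, str]:
    """Tokenize whitespace-separated k=v pairs into a dict.

    Quoted values run to the closing quote and may contain spaces and
    backslash-escaped characters; unquoted values end at the next whitespace.
    With require_quotes=True every value must be quoted.
    """
    fields: Dict[str, str] = {}
    i, n = 0, len(text)
    while i < n:
        while i < n and text[i].isspace():  # skip separators between pairs
            i += 1
        if i >= n:
            break
        eq = text.find("=", i)
        if eq == -1:
            raise ValueError(f"dangling token at offset {i}: {text[i:]!r}")
        key = text[i:eq]
        if not key or any(c.isspace() for c in key):
            raise ValueError(f"malformed key before offset {eq}: {key!r}")
        i = eq + 1
        if i < n and text[i] == '"':
            i += 1
            buf = []
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n:
                    i += 1  # escaped character: keep it literally, including \"
                buf.append(text[i])
                i += 1
            if i >= n:
                raise ValueError(f"unterminated quote in value of {key!r}")
            i += 1  # consume the closing quote
            fields[key] = "".join(buf)
        else:
            if require_quotes:
                raise ValueError(f"value of {key!r} is not quoted")
            start = i
            while i < n and not text[i].isspace():
                i += 1
            fields[key] = text[start:i]
    return fields


def decode_quoted_key_value(text: str) -> Dict[str, str]:
    """Stand-in for the quoted format: k1="v1" k2="v2" ..., all values quoted."""
    return decode_key_value(text, require_quotes=True)


def decode_mixed_key_value(text: str) -> Dict[str, str]:
    """Stand-in for the mixed format: k1=v1 k2="v2 v3", quotes only where needed."""
    return decode_key_value(text)


if __name__ == "__main__":
    print(decode_quoted_key_value(QUOTED_SAMPLE))
    print(decode_mixed_key_value(MIXED_SAMPLE))
```

Failing loudly on an unquoted value in strict mode matters for parsing pipelines: a line that quietly decodes to a truncated value is harder to notice downstream than one that is routed to a parse-error bucket.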