Custom Event and Flow Properties
JSA normalizes standard information that is parsed by the DSM, such as user names, IP addresses, and ports.
Some event sources send unique information that is not normalized. You can use custom properties to extract that data from the event or flow payload, and then use the non-normalized data in custom rules, searches, and reports.
The type of custom property that you create depends on the method that you want to use to define the non-normalized data in the payload.
Create an extraction-based property when you want to use a regex or JSON expression to parse the property values from the event or flow payloads.
For example, you have a report that shows all the users who changed other users' permissions on an Oracle server. The report uses normalized data to show the list of users who made the permission changes and the number of changes they made. The user account that was changed is not normalized and cannot be shown in the report. You can create a regex-based custom property to extract this information from the logs, and then use the property in searches and reports.
When the event or flow is parsed, the expression pattern is tested against each payload until the pattern matches. The first pattern to match the event or flow payload determines the data to be extracted.
When you define custom regex patterns, follow the regex rules as defined by the Java programming language. To learn more about regex rules, you can view regex tutorials on the web.
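The first-match behaviour described above, as an added illustration that is not part of the original documentation or of JSA itself: a hypothetical "Changed User" extraction-based property with two alternative expressions is tested against constructed Oracle-style payloads, and the first expression that matches supplies the value.

```python
import re
from typing import NamedTuple, Optional, Sequence

class Expression(NamedTuple):
    """One regex expression of an extraction-based property; the capture
    group selects the substring that becomes the property value."""
    pattern: str
    capture_group: int = 1

def extract_property(expressions: Sequence[Expression], payload: str) -> Optional[str]:
    """Test each expression against the payload in order. The first pattern
    that matches determines the extracted value; later patterns are ignored,
    and None means the property is simply absent for that event."""
    for expr in expressions:
        match = re.search(expr.pattern, payload)
        if match:
            return match.group(expr.capture_group)
    return None

# Hypothetical "Changed User" property for the Oracle permission-change report.
# JSA evaluates patterns with Java regex semantics; the constructs used here
# (\s, \S, \w and a numbered capture group) behave the same in Python's re.
CHANGED_USER = [
    Expression(r"GRANT\s+\S+\s+TO\s+(\w+)"),
    Expression(r"ALTER USER\s+(\w+)\s+"),
]

# Constructed sample payloads (not real Oracle audit records).
SAMPLE_PAYLOADS = [
    "ACTION: 'GRANT DBA TO BOB' USER: ALICE STATUS: 0",
    "ACTION: 'ALTER USER CAROL IDENTIFIED BY ...' USER: ALICE STATUS: 0",
    "ACTION: 'SELECT * FROM EMPLOYEES' USER: DAVE STATUS: 0",
    # Matches both expressions: the first one listed wins.
    "ACTION: 'GRANT DBA TO BOB; ALTER USER CAROL IDENTIFIED BY ...' USER: ALICE",
]

def changed_users(payloads: Sequence[str]) -> list:
    """Value of the Changed User property for each payload, in order."""
    return [extract_property(CHANGED_USER, p) for p in payloads]

if __name__ == "__main__":
    for payload, user in zip(SAMPLE_PAYLOADS, changed_users(SAMPLE_PAYLOADS)):
        print(f"{user!s:6} <- {payload}")
```

Ordering the expressions matters: the fourth payload yields BOB, not CAROL, because the GRANT pattern is tested first.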
Create a calculation-based property when you want to do calculations on existing numeric event and flow properties. For example, you can create a calculation-based property that divides one numeric property by another numeric property to display a percentage value.
Create an AQL-based property when you want to combine multiple extraction and calculation-based properties into a single property. For example, you can use AQL-based custom properties to combine extraction-based URLs, virus names, or secondary user names into a single property.
CONCAT( 'Src=', sourceip, ' | ', 'User=', username, ' | ', 'Domain=', DOMAINNAME(domainid) )
The AQL expression can include AQL functions.
It does not support expressions that use SELECT, FROM, or database names.
You cannot use aggregate functions, such as SUM or GROUP, or other AQL-based custom properties.