Extractors
Last updated
Last updated
Extractors play a crucial role in the architecture of a SIEM. Their main task is to collect information from diverse data sources, standardize it and put it into a structured form to enable efficient security monitoring and analysis. In doing so, extractors offer a wide range of benefits, from detecting potential security threats to supporting compliance requirements.
Go to "Add Extractor". Now assign a meaningful name and briefly describe what it contains. Use the "Add Matcher" button to define the field from which the desired information is to be extracted.
In the "Source Field Name" section, select the field that is relevant for your purposes. In the "Condition (Regex)" section, enter a recurring string that can be found in all logs of the same type. In the "Pattern (Regex)" section, specify the part of the log from which you want to extract the information. Here you can use the provided regular expressions on the right side.
You can also specify the same information as in the Pattern section in the Condition section. Note, however, that this requires additional CPU resources in most cases.
Once an expression has been matched, a Capturing Group opens where you can specify which standard field the extracted value or expression should be mapped to. Once you have added the extractor, all logs that match the specified pattern will be added to the defined standard field and the value defined as associated will be mapped into it.
