Teach me, oh Pipeline Wizards.... I have DNS Header Flag fields coming in that are boolean, like `aa: false`, `ra: true`, `rd: true`, `tc: false`, etc. I would like to convert this to ECS by just having one object (`dns.header_flags`) with an array of the header flag names, where a name shows in the array only if its above-referenced field value is `true`. So the JSON would end up being structured like this:

```json
"dns": { "header_flags": [ "ra", "rd" ] }
```

And the false fields would be dropped. I would also like to be able to do this in one function instead of a function with a filter for each potential Header Flag Field.
This is a Corelight Log and here is a sample log.
Do you have a reliable list of flags to watch for? (e.g., will it always be AA, RA, RD, TC?) Or are we going to need a pattern to identify when a flag shows up?
looks like a list
Agreed. Checking the Corelight Doc to validate.
Corelight only lists a subset, but the official DNS docs look like they describe the same 7 that the ECS docs show: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-12
eval statement with `dns.header_flags` =>

```javascript
[AA ? 'AA' : null,
 TC ? 'TC' : null,
 RD ? 'RD' : null,
 RA ? 'RA' : null,
 AD ? 'AD' : null,
 CD ? 'CD' : null,
 DO ? 'DO' : null].filter(Boolean)
```
Pardon my ignorance, but I don't understand how to implement this. Could you elaborate a little further?
surely
» Add an Eval function
» Click the +Add Field button

First I'll create a new field for `dns` if it doesn't exist yet.
next, add a header_flags child with the payload i showed above:
An eval for dns already exists, currently with:

```javascript
{'response_code': rcode_name, 'id': trans_id, 'answers': {'data': answers, 'ttl': TTLs}, 'question': {'name': query, 'class': qclass_name, 'type': qtype_name}}
```
So I assume I could just add to that.
yes
if dns is sure to exist already, you can skip that part. just add the `dns.header_flags` entry
I'm assuming I can just add it to the existing expression by calling `header_flag` as a nested object, like I have already done in the above code with `'question': {'name': query, 'class': qclass_name, 'type': qtype_name}`? So I would end up with something like this?

```javascript
{'response_code': rcode_name,
 'id': trans_id,
 'answers': {'data': answers, 'ttl': TTLs},
 'question': {'name': query, 'class': qclass_name, 'type': qtype_name},
 'header_flags': [AA ? 'AA' : null, TC ? 'TC' : null, RD ? 'RD' : null, RA ? 'RA' : null, AD ? 'AD' : null, CD ? 'CD' : null, DO ? 'DO' : null].filter(Boolean)}
```
you can do it all in one shot. might be easier to have it broken up for readability/management reasons. totally up to you
This is true. And I actually have some other pipelines in which that advice would help to look a little cleaner. I have some pretty wild eval expressions for HTTP Request Header parsing.
Let me cook all that up and test it and I'll let you know if I have any further questions. And thanks for your Wizardly GOAT Knowledge.
happy to help. good luck!
<@ULBGHDPNY> Worked like a charm!
Now, to curb my ignorance, do you have any documentation I can read to learn myself up on this expression syntax and function?
I prefer to learn what I have implemented instead of just copy/paste whenever possible.
My JavaScript Expression knowledge is close to `null`