Collector Development Topics
There are many specific patterns of strings that appear commonly in event data and are not easily parsed by the normal JavaScript String methods. To assist with this problem,
the Sentinel SDK ships with a set of extensions to the String class that provide additional parsing capabilities.
Use these extensions to parse LDAP DNs, name-value pair constructs, tokenized arrays with embedded quoted text, Base64-encoded text, and so forth.
Here's a quick summary of the enhanced String methods we've created within the SDK:
- This method removes whitespace from the beginning and end of a string.
- Much like the regular split(), this method splits a string into substrings based on a delimiter character; however, this version knows about quoted values and escaped characters.
- This method converts a string in name-value pair format into a hash where each value can be retrieved by its name; name-value (or key-value) pairs are very common in event data.
- This method inserts a substring into the specified string.
- This method calculates a one-way hash on an input string.
- This method converts an IP address in a number of input forms into the standard dotted-quad IPv4 notation used by Sentinel.
- This method converts the string from Base64 encoding to a regular string.
- This method converts a standard path (for example C:\WINDOWS\system32\etc) into a normalized form.
- This method converts an LDAP-formatted string into an object with separate attributes to contain the CN and the rest of the container structure.
- This method converts a standard RFC822 e-mail address to normalized form.
- This method converts a fully qualified domain (DNS) name into a normalized form.
- This method converts various forms of NT Domain user representations into normalized form.
- This method extracts some commonly-referenced information from standard syslog headers.
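To illustrate what the quote-aware split and name-value pair methods above have to handle, here is an added example (not the Sentinel SDK's own code, and the function names splitQuoted and parseNVP are hypothetical) that tokenizes a constructed event line while honouring quoted values and backslash escapes, then builds a name-value hash from the tokens:

```javascript
// Added illustration, not the Sentinel SDK's String extensions.
// Function names are hypothetical; the sample line is constructed.

// Split `s` on `delim`, keeping quoted substrings intact and taking
// backslash-escaped characters literally. Quotes are stripped from tokens.
function splitQuoted(s, delim) {
  const out = [];
  let cur = "", inQuote = false, quoteChar = "";
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (c === "\\" && i + 1 < s.length) {   // escape: keep next char as-is
      cur += s[++i];
    } else if (inQuote) {
      if (c === quoteChar) inQuote = false; else cur += c;
    } else if (c === '"' || c === "'") {    // opening quote
      inQuote = true; quoteChar = c;
    } else if (c === delim) {               // unquoted delimiter ends a token
      out.push(cur); cur = "";
    } else {
      cur += c;
    }
  }
  out.push(cur);
  return out;
}

// Parse 'k1=v1 k2="v 2" ...' into an object. Pairs are separated by
// `pairDelim`, name from value by `kvDelim`; a token without kvDelim is
// kept with an empty value so no field is silently dropped.
function parseNVP(s, pairDelim = " ", kvDelim = "=") {
  const result = {};
  for (const tok of splitQuoted(s, pairDelim)) {
    if (tok === "") continue;               // runs of delimiters
    const idx = tok.indexOf(kvDelim);
    if (idx < 0) { result[tok] = ""; continue; }
    result[tok.slice(0, idx)] = tok.slice(idx + 1);
  }
  return result;
}

// Constructed sample event line with a quoted value containing spaces
// and a value containing escaped quotes.
const SAMPLE = 'user="j doe" src=10.0.0.5 msg="login \\"ok\\"" action=allow';

console.log(parseNVP(SAMPLE));
```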
If you have ideas for other enhancements that would help parse common patterns, please let us know in the Forums.