I would like to share how to change the value of a property to a value that does not exist in the payload. The use case is that the payload contains a string, but you would like to have a different one as the value of that property in the events. This could arise if you want a value you are used to, or one that is commonly used by other log sources, instead of the value that is in the payload. An example: instead of the DNS record type "A record", the payload contains "host record". There are two ways I found and tested, depending on which type of field (a "standard event property" or a CEP = "custom event property") you would like to change the value of. For a standard property you could use an AQL property with the function
REFERENCEMAP('Full_name_lookup', username, 5)
With a custom property you can type the value you like into the field "Format String" in the DSM Editor. This field does not exist in a CEP. In a CEP this field is called "capture group" and only accepts a capture group.
I also tried to use the regex "conditional replacement". I was able to replace one value I captured with another value in the payload, but I was not able to replace it with a value that does not exist in the payload.
If anyone needs it, I can share more details on how to configure it.
------------------------------
Martin Schmitt
Senior Cyber Defense Consultant
SECUINFRA
Berlin
------------------------------
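The capture-then-lookup approach from the post, modelled as an added Python example that is not part of the original post and does not run inside QRadar: a regex capture (the CEP "capture group") can only return text that is present in the payload, and a map lookup (the REFERENCEMAP step) is what turns that capture into a value that is not. The sample log lines, the `qtype="..."` field format, and the map name and contents are all constructed for the example; the fallback for unmapped values is a design choice of this example, not QRadar behaviour.

```python
import re
from typing import Dict, List, Optional

# Constructed sample payloads (not real QRadar events): a DNS resolver log that
# labels query types with vendor wording instead of the usual RR type names.
SAMPLE_EVENTS = [
    'ts=2024-05-01T10:00:00Z client=10.0.0.5 qname=example.com qtype="host record" rc=NOERROR',
    'ts=2024-05-01T10:00:01Z client=10.0.0.7 qname=mail.example.com qtype="mail exchanger" rc=NOERROR',
    'ts=2024-05-01T10:00:02Z client=10.0.0.9 qname=txt.example.com qtype="text" rc=NOERROR',
    'ts=2024-05-01T10:00:03Z client=10.0.0.9 qname=broken.example.com rc=SERVFAIL',
]

# Assumed reference map (stands in for a QRadar reference map): vendor wording ->
# the value the other DNS log sources use. "text" is deliberately left out so the
# fallback path is exercised.
RECORD_TYPE_MAP: Dict[str, str] = {
    "host record": "A record",
    "mail exchanger": "MX record",
    "ipv6 host record": "AAAA record",
}

# The capture group: it can only ever yield a substring of the payload.
QTYPE_RE = re.compile(r'qtype="(?P<qtype>[^"]+)"')


def capture_record_type(payload: str) -> Optional[str]:
    """Return the raw record-type string exactly as it appears in the payload, or None."""
    m = QTYPE_RE.search(payload)
    return m.group("qtype") if m else None


def normalize_record_type(payload: str, lookup: Dict[str, str] = RECORD_TYPE_MAP) -> Optional[str]:
    """Capture the raw value, then translate it through the map.

    The map is where a value that is *not* in the payload ("A record") comes from.
    Unmapped values fall back to the raw capture so nothing is silently dropped.
    """
    raw = capture_record_type(payload)
    if raw is None:
        return None
    return lookup.get(raw.lower(), raw)


def normalize_events(events: List[str], lookup: Dict[str, str] = RECORD_TYPE_MAP) -> List[Optional[str]]:
    """Normalize a batch of events; None marks events with no record type at all."""
    return [normalize_record_type(e, lookup) for e in events]


def unmapped_values(events: List[str], lookup: Dict[str, str] = RECORD_TYPE_MAP) -> List[str]:
    """Raw values that hit the fallback; review these to extend the map."""
    seen = set()
    for e in events:
        raw = capture_record_type(e)
        if raw is not None and raw.lower() not in lookup:
            seen.add(raw)
    return sorted(seen)


if __name__ == "__main__":
    for event, value in zip(SAMPLE_EVENTS, normalize_events(SAMPLE_EVENTS)):
        print(f"{value!s:12} <- {event}")
    print("unmapped:", unmapped_values(SAMPLE_EVENTS))
```

Running the block lists the normalized value beside each sample line and reports `text` as the one raw value the map does not yet cover, which is the list a practitioner would use to grow the reference map over time.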