docs/ref/modules/engine/ref-helper-functions.md
This documentation provides an overview of the auxiliary functions available. Auxiliary functions are modular components designed to perform specific operations on decoders or rules. Depending on their purpose, they are categorized into transformation, filter, or mapping functions.
field: array_contains(element, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| element | object, array, number, string, boolean | value or reference | Any object |
| Type | Possible values |
|---|---|
| array | [number, string, boolean, object, array] |
Checks if all elements are present in a given array. It supports multiple data types, including objects, arrays, numbers, strings, and boolean values. As a variadic function, it accepts multiple elements as search arguments. A test passes if all provided elements exist in the target array. If at least one element is missing, the validation fails. This behavior makes it useful for filtering lists based on the presence of specific values.
arrayAll specified elements are present in the target array.
check:
- target_field: array_contains('dracut', 'vz-start', 'thin-provisioning-tools')
{
"target_field": [
"mkinitramfs",
"cryptroot",
"framebuffer",
"dracut",
"thin-provisioning-tools",
"lvm2",
"vz-start"
]
}
The check was successful
At least one specified element ("iscsi") is missing from the target array.
check:
- target_field: array_contains($element, 'vz-start', 'iscsi')
{
"element": "dracut",
"target_field": [
"mkinitramfs",
"cryptroot",
"framebuffer",
"dracut",
"thin-provisioning-tools",
"lvm2",
"vz-start"
]
}
The check was performed with errors
All specified numbers are present in the target array.
check:
- target_field: array_contains(2, 1, 5)
{
"target_field": [
1,
2,
3,
4,
5
]
}
The check was successful
All specified objects are present in the target array.
check:
- target_field: array_contains($element, {'key1': 'value1'}, {'key2': 'value2'})
{
"element": {
"key": "value"
},
"target_field": [
{
"key": "value"
},
{
"key1": "value1"
},
{
"key2": "value2"
}
]
}
The check was successful
At least one specified object is missing from the target array.
check:
- target_field: array_contains({'key': 'value'}, {'key-non-exists': 'value-non-exists'}, {'keyn': 'valuen'})
{
"target_field": [
{
"key": "value"
},
{
"key1": "value1"
},
{
"key2": "value2"
}
]
}
The check was performed with errors
The specified object, number, and string are all present in the target array.
check:
- target_field: array_contains($element, 1, 'value')
{
"element": {
"key": "value"
},
"target_field": [
{
"key": "value"
},
1,
"value"
]
}
The check was successful
field: array_contains_any(element, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| element | object, array, number, string, boolean | value or reference | Any object |
| Type | Possible values |
|---|---|
| array | [number, string, boolean, object, array] |
Checks whether at least one of the provided elements is present in a given array. It supports multiple data types, including objects, arrays, numbers, strings, and boolean values. As a variadic function, it accepts multiple elements as search arguments. A test passes if at least one provided element exists in the target array. If none of the elements are found, the validation fails. This behavior makes it useful for filtering lists based on partial matches.
arrayAll specified elements are present in the target array.
check:
- target_field: array_contains_any('dracut', 'vz-start', 'thin-provisioning-tools')
{
"target_field": [
"mkinitramfs",
"cryptroot",
"framebuffer",
"dracut",
"thin-provisioning-tools",
"lvm2",
"vz-start"
]
}
The check was successful
At least one specified element ("dracut") is present in the target array.
check:
- target_field: array_contains_any($element, 'hello', 'wazuh')
{
"element": "dracut",
"target_field": [
"mkinitramfs",
"cryptroot",
"framebuffer",
"dracut",
"thin-provisioning-tools",
"lvm2",
"vz-start"
]
}
The check was successful
At least one specified number (1) is present in the target array.
check:
- target_field: array_contains_any(7, 1, 8)
{
"target_field": [
1,
2,
3,
4,
5
]
}
The check was successful
At least one specified object is present in the target array.
check:
- target_field: array_contains_any($element, {'key-non-exists': 'value-non-exists'}, {'keyn': 'valuen'})
{
"element": {
"key": "value"
},
"target_field": [
{
"key": "value"
},
{
"key1": "value1"
},
{
"key2": "value2"
}
]
}
The check was successful
At least one specified element (1000) is present in the target array.
check:
- target_field: array_contains_any({'keyn': 'valuen'}, 1000, 'valuen')
{
"target_field": [
{
"key": "value"
},
1000,
"value"
]
}
The check was successful
field: array_not_contains(element, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| element | object, array, number, string, boolean | value or reference | Any object |
| Type | Possible values |
|---|---|
| array | [number, string, boolean, object, array] |
Determines whether one or more elements are absent from a given array. It supports multiple data types, including objects, arrays, numbers, strings, and boolean values. As a variadic function, it accepts multiple elements as search arguments. A test passes if none of the provided elements exist in the target array. If all elements in the array are found, validation fails. This behavior is useful for filtering lists by excluding specific values.
arrayAll specified elements are present in the target array.
check:
- target_field: array_not_contains('dracut', 'vz-start', 'thin-provisioning-tools')
{
"target_field": [
"mkinitramfs",
"cryptroot",
"framebuffer",
"dracut",
"thin-provisioning-tools",
"lvm2",
"vz-start"
]
}
The check was performed with errors
At least one specified element ("iscsi") is missing from the target array.
check:
- target_field: array_not_contains($element, 'vz-start', 'iscsi')
{
"element": "dracut",
"target_field": [
"mkinitramfs",
"cryptroot",
"framebuffer",
"dracut",
"thin-provisioning-tools",
"lvm2",
"vz-start"
]
}
The check was successful
All specified numbers are present in the target array.
check:
- target_field: array_not_contains(2, 1, 5)
{
"target_field": [
1,
2,
3,
4,
5
]
}
The check was performed with errors
All specified objects are present in the target array, causing the test to fail.
check:
- target_field: array_not_contains($element, {'key1': 'value1'}, {'key2': 'value2'})
{
"element": {
"key": "value"
},
"target_field": [
{
"key": "value"
},
{
"key1": "value1"
},
{
"key2": "value2"
}
]
}
The check was performed with errors
At least one specified object is missing from the target array.
check:
- target_field: array_not_contains({'key': 'value'}, {'key-non-exists': 'value-non-exists'}, {'keyn': 'valuen'})
{
"target_field": [
{
"key": "value"
},
{
"key1": "value1"
},
{
"key2": "value2"
}
]
}
The check was successful
The specified object, number, and string are all present in the target array.
check:
- target_field: array_not_contains($element, 1, 'value')
{
"element": {
"key": "value"
},
"target_field": [
{
"key": "value"
},
1,
"value"
]
}
The check was performed with errors
field: array_not_contains_any(element, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| element | object, array, number, string, boolean | value or reference | Any object |
| Type | Possible values |
|---|---|
| array | [number, string, boolean, object, array] |
Checks whether none of the provided elements are present in a given array. It supports multiple data types, including objects, arrays, numbers, strings, and boolean values. As a variadic function, it accepts multiple elements as search arguments. A test passes if none of the provided elements exist in the target array. If at least one element is found, the validation fails. This behavior makes it useful for filtering lists to exclude specific values.
arrayAll specified elements are present in the target array.
check:
- target_field: array_not_contains_any('dracut', 'vz-start', 'thin-provisioning-tools')
{
"target_field": [
"mkinitramfs",
"cryptroot",
"framebuffer",
"dracut",
"thin-provisioning-tools",
"lvm2",
"vz-start"
]
}
The check was performed with errors
At least one specified element ("dracut") is present in the target array.
check:
- target_field: array_not_contains_any($element, 'hello', 'wazuh')
{
"element": "dracut",
"target_field": [
"mkinitramfs",
"cryptroot",
"framebuffer",
"dracut",
"thin-provisioning-tools",
"lvm2",
"vz-start"
]
}
The check was performed with errors
At least one specified number (1) is present in the target array.
check:
- target_field: array_not_contains_any(7, 1, 8)
{
"target_field": [
1,
2,
3,
4,
5
]
}
The check was performed with errors
At least one specified object is present in the target array.
check:
- target_field: array_not_contains_any($element, {'key-non-exists': 'value-non-exists'}, {'keyn': 'valuen'})
{
"element": {
"key": "value"
},
"target_field": [
{
"key": "value"
},
{
"key1": "value1"
},
{
"key2": "value2"
}
]
}
The check was performed with errors
At least one specified element (1000) is present in the target array.
check:
- target_field: array_not_contains_any({'keyn': 'valuen'}, 1000, 'valuen')
{
"target_field": [
{
"key": "value"
},
1000,
"value"
]
}
The check was performed with errors
No elements are present in the array.
check:
- target_field: array_not_contains_any($element, 10, 'valuen')
{
"element": {
"key1": "value1"
},
"target_field": [
{
"key": "value"
},
1000,
"value"
]
}
The check was successful
field: binary_and(hexadecimal)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| hexadecimal | string | value | Any hexadecimal |
| Type | Possible values |
|---|---|
| string | Any hexadecimal |
Transforms the hexadecimal value into an unsigned integer and performs the AND bit by bit with the field hexadecimal transformed to unsigned int. If it is other than 0x0 then the operation evaluates to true.
undefinedSuccess binary and
check:
- target_field: binary_and('0x4F1')
{
"target_field": "0x1"
}
The check was successful
field: contains(searched_value)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| searched_value | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Checks if the value stored in the field contains the value provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false.
undefinedSuccess contains
check:
- target_field: contains('hello')
{
"target_field": "hello wazuh!"
}
The check was successful
Failure contains
check:
- target_field: contains($searched_value)
{
"searched_value": "hello!",
"target_field": "hello wazuh!"
}
The check was performed with errors
Failure contains
check:
- target_field: contains('world')
{
"target_field": "hello wazuh!"
}
The check was performed with errors
field: ends_with(conteined)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| conteined | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Checks if the string stored in the field ends with the value provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false.
stringSuccess ends with
check:
- target_field: ends_with('wazuh!!')
{
"target_field": "hello wazuh!!"
}
The check was successful
Failure ends with
check:
- target_field: ends_with($conteined)
{
"conteined": "wazuh",
"target_field": "hello wazuh!!!"
}
The check was performed with errors
Failure ends with
check:
- target_field: ends_with('hello')
{
"target_field": "hello wazuh!"
}
The check was performed with errors
field: exists()
| Type | Possible values |
|---|---|
| [number, string, boolean, array, object] | - |
Checks whether the key named “field” exists in the event. If it does, the function will evaluate to true, otherwise it will be false. This helper function is used in the check stage.
undefinedTarget Field exist
check:
- target_field: exists()
{
"target_field": 1234
}
The check was successful
field: exists_key_in(object)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| object | object | value or reference | Any object |
| Type | Possible values |
|---|---|
| string | Any string |
Checks if the target field value is present as a key in the specified object. This parameter must be a definition object or a reference to a field containing the object. If the object contains the key, then the function will evaluate to true, otherwise it will be false. This helper function is typically used in the check stage.
undefinedCompare two different integers
check:
- target_field: exists_key_in({'key': 'value'})
{
"target_field": "key-not-exist"
}
The check was performed with errors
Compare two equals integers
check:
- target_field: exists_key_in($object)
{
"object": {
"key": "value"
},
"target_field": "key"
}
The check was successful
field: int_equal(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | value or reference | Integers between -2^63 and 2^63-1 |
| Type | Possible values |
|---|---|
| number | Integers between -2^63 and 2^63-1 |
Checkers whether the integer number stored in field is equal to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
integer
comparison
Compare two different integers
check:
- target_field: int_equal(22)
{
"target_field": 2
}
The check was performed with errors
Compare two equals integers
check:
- target_field: int_equal($any_number)
{
"any_number": 22,
"target_field": 22
}
The check was successful
field: int_greater(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | value or reference | Integers between -2^63 and 2^63-1 |
| Type | Possible values |
|---|---|
| number | Integers between -2^63 and 2^63-1 |
Checkers whether the integer number stored in field is greater than to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
integer
comparison
Success int greater
check:
- target_field: int_greater(1)
{
"target_field": 100
}
The check was successful
Failure int greater
check:
- target_field: int_greater($any_number)
{
"any_number": 50,
"target_field": 20
}
The check was performed with errors
Failure int greater
check:
- target_field: int_greater(1000)
{
"target_field": 1000
}
The check was performed with errors
field: int_greater_or_equal(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | value or reference | Integers between -2^63 and 2^63-1 |
| Type | Possible values |
|---|---|
| number | Integers between -2^63 and 2^63-1 |
Checkers whether the integer number stored in field is greater than or equal to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
integer
comparison
Failure int greater or equal
check:
- target_field: int_greater_or_equal(22)
{
"target_field": 2
}
The check was performed with errors
Success int greater or equal
check:
- target_field: int_greater_or_equal($any_number)
{
"any_number": 22,
"target_field": 22
}
The check was successful
Success int greater or equal
check:
- target_field: int_greater_or_equal(2)
{
"target_field": 22
}
The check was successful
field: int_less(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | value or reference | Integers between -2^63 and 2^63-1 |
| Type | Possible values |
|---|---|
| number | Integers between -2^63 and 2^63-1 |
Checkers whether the integer number stored in field is less than to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
integer
comparison
Success int less
check:
- target_field: int_less(22)
{
"target_field": 2
}
The check was successful
Failure int less
check:
- target_field: int_less($any_number)
{
"any_number": 2,
"target_field": 22
}
The check was performed with errors
Failure int less
check:
- target_field: int_less(100)
{
"target_field": 100
}
The check was performed with errors
field: int_less_or_equal(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | value or reference | Integers between -2^63 and 2^63-1 |
| Type | Possible values |
|---|---|
| number | Integers between -2^63 and 2^63-1 |
Checkers whether the integer number stored in field is less than or equal to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
integer
comparison
Success int less or equal
check:
- target_field: int_less_or_equal(22)
{
"target_field": 2
}
The check was successful
Success int less or equal
check:
- target_field: int_less_or_equal($any_number)
{
"any_number": 22,
"target_field": 22
}
The check was successful
Failure int less or equal
check:
- target_field: int_less_or_equal(2)
{
"target_field": 22
}
The check was performed with errors
field: int_not_equal(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | value or reference | Integers between -2^63 and 2^63-1 |
| Type | Possible values |
|---|---|
| number | Integers between -2^63 and 2^63-1 |
Checkers whether the integer number stored in field is not equal to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
integer
comparison
Success int not equal
check:
- target_field: int_not_equal(22)
{
"target_field": 2
}
The check was successful
Failure int not equal
check:
- target_field: int_not_equal($any_number)
{
"any_number": 22,
"target_field": 22
}
The check was performed with errors
field: ip_cidr_match(subnet, mask)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| subnet | string | value | Any IP |
| mask | string | value | Any IP |
| Type | Possible values |
|---|---|
| string | Any IP |
Checks if the IP address stored in field belongs to a given CIDR notation range. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. IPv4: support address in dotted-decimal format, "ddd.ddd.ddd.ddd" where ddd is a decimal number of up to three digits in the range 0 to 255. Mask: Support “dd” where ddd is a decimal number of up to 2 digits in the range 0 to 32 or “ddd.ddd.ddd.ddd" where ddd is a decimal number of up to three digits in the range 0 to 255. This helper function is typically used in the check stage
undefinedMatch IP CIDR
check:
- target_field: ip_cidr_match('192.168.0.0', '192.168.0.11')
{
"target_field": "192.168.1.5"
}
The check was successful
Don't match IP CIDR
check:
- target_field: ip_cidr_match('192.168.0.0', '192.168.0.11')
{
"target_field": "111.111.1.11"
}
The check was performed with errors
field: is_array()
| Type | Possible values |
|---|---|
| array | Integers between -2^63 and 2^63-1 |
Checks if the value stored in field is of type array. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedIs array
check:
- target_field: is_array()
{
"target_field": [
1,
2,
3,
4
]
}
The check was successful
Not is array
check:
- target_field: is_array()
{}
The check was performed with errors
Not is array
check:
- target_field: is_array()
{
"target_field": "false"
}
The check was performed with errors
field: is_boolean()
| Type | Possible values |
|---|---|
| boolean | Any boolean |
Checks if the value stored in field is of type boolean. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedIs boolean
check:
- target_field: is_boolean()
{
"target_field": true
}
The check was successful
Is boolean
check:
- target_field: is_boolean()
{}
The check was successful
Not is boolean
check:
- target_field: is_boolean()
{
"target_field": "false"
}
The check was performed with errors
field: is_ipv4()
| Type | Possible values |
|---|---|
| string | Any IP |
Checks if the IP address stored in the field is an IPv4. IPv4:
undefinedInvalid IPv4. It's an IPv6
check:
- target_field: is_ipv4()
{
"target_field": "3002:0bd6:0000:0000:0000:ee00:0033:6778"
}
The check was performed with errors
Valid special IPv4
check:
- target_field: is_ipv4()
{
"target_field": "127.0.0.1"
}
The check was successful
Valid special IPv4
check:
- target_field: is_ipv4()
{
"target_field": "192.168.0.0"
}
The check was successful
Valid public IPv4
check:
- target_field: is_ipv4()
{
"target_field": "8.8.8.8"
}
The check was successful
field: is_ipv6()
| Type | Possible values |
|---|---|
| string | Any IP |
Checks if the IP address stored in the field is an IPv6. IPv6:
undefinedInvalid IPv6. It's an IPv4
check:
- target_field: is_ipv6()
{
"target_field": "127.0.0.1"
}
The check was performed with errors
Valid special IPv6
check:
- target_field: is_ipv6()
{
"target_field": "::1"
}
The check was successful
Valid special IPv6
check:
- target_field: is_ipv6()
{
"target_field": "fd00:abcd::1234"
}
The check was successful
Valid public IPv6
check:
- target_field: is_ipv6()
{
"target_field": "a03:2880:f10c:83:face:b00c::25de"
}
The check was successful
field: is_not_array()
| Type | Possible values |
|---|---|
| [number, boolean, object, string] | - |
Checks if the value stored in field is not of type array. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedIs array
check:
- target_field: is_not_array()
{
"target_field": [
1,
2,
3,
4
]
}
The check was performed with errors
Not is array
check:
- target_field: is_not_array()
{
"target_field": 234
}
The check was successful
Not is array
check:
- target_field: is_not_array()
{
"target_field": {
"key": "value"
}
}
The check was successful
field: is_not_boolean()
| Type | Possible values |
|---|---|
| [number, array, object, string] | - |
Checks if the value stored in field is not of type boolean. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedIs boolean
check:
- target_field: is_not_boolean()
{
"target_field": true
}
The check was performed with errors
Not is boolean
check:
- target_field: is_not_boolean()
{
"target_field": 234
}
The check was successful
Not is boolean
check:
- target_field: is_not_boolean()
{
"target_field": {
"key": "value"
}
}
The check was successful
field: is_not_null()
| Type | Possible values |
|---|---|
| [number, string, boolean, array, object] | - |
Checks if the value stored in field is not null. If it is null, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedNot null (string)
check:
- target_field: is_not_null()
{
"target_field": "hello"
}
The check was successful
Not null (number)
check:
- target_field: is_not_null()
{}
The check was successful
Not null (boolean)
check:
- target_field: is_not_null()
{
"target_field": true
}
The check was successful
Not null (array, non-empty)
check:
- target_field: is_not_null()
{
"target_field": [
1
]
}
The check was successful
Not null (object, non-empty)
check:
- target_field: is_not_null()
{
"target_field": {
"key": "value"
}
}
The check was successful
Missing (empty object is unmapped)
check:
- target_field: is_not_null()
{}
The check was performed with errors
field: is_not_number()
| Type | Possible values |
|---|---|
| [number, string, boolean, array, object] | - |
Checks if the value stored in field is not a number. If it is a number, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedNot number (string)
check:
- target_field: is_not_number()
{
"target_field": "hello"
}
The check was successful
Not number (boolean)
check:
- target_field: is_not_number()
{
"target_field": true
}
The check was successful
number (array not empty)
check:
- target_field: is_not_number()
{
"target_field": [
1
]
}
The check was successful
Not number (object)
check:
- target_field: is_not_number()
{
"target_field": {
"key": "value"
}
}
The check was successful
Is number
check:
- target_field: is_not_number()
{}
The check was performed with errors
field: is_not_object()
| Type | Possible values |
|---|---|
| [number, array, string, boolean] | - |
Checks if the value stored in field is not of type object. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedIs object
check:
- target_field: is_not_object()
{
"target_field": {
"key": "value"
}
}
The check was performed with errors
Not is object
check:
- target_field: is_not_object()
{
"target_field": 234
}
The check was successful
Not is object
check:
- target_field: is_not_object()
{
"target_field": [
1,
2,
3,
4
]
}
The check was successful
field: is_not_string()
| Type | Possible values |
|---|---|
| [number, array, object, boolean] | - |
Checks if the value stored in field is not of type string. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedNot is string
check:
- target_field: is_not_string()
{
"target_field": {
"key": "value"
}
}
The check was successful
Not is string
check:
- target_field: is_not_string()
{
"target_field": [
1,
2,
3,
4
]
}
The check was successful
Is string
check:
- target_field: is_not_string()
{
"target_field": "hello"
}
The check was performed with errors
field: is_null()
| Type | Possible values |
|---|---|
| [number, string, boolean, array, object] | - |
Checks if the value stored in field is null. If it's not null, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedIs null
check:
- target_field: is_null()
{}
The check was performed with errors
Not null (string)
check:
- target_field: is_null()
{
"target_field": "hello"
}
The check was performed with errors
Not null (number)
check:
- target_field: is_null()
{}
The check was performed with errors
Not null (array)
check:
- target_field: is_null()
{}
The check was performed with errors
Not null (object)
check:
- target_field: is_null()
{
"target_field": {
"key": "value"
}
}
The check was performed with errors
field: is_number()
| Type | Possible values |
|---|---|
| number | Integers between -2^63 and 2^63-1 |
Checks if the value stored in field is of type numeric. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedIs object
check:
- target_field: is_number()
{
"target_field": {
"key": "value"
}
}
The check was performed with errors
Is array
check:
- target_field: is_number()
{
"target_field": [
1,
2,
3,
4
]
}
The check was performed with errors
Not is string
check:
- target_field: is_number()
{
"target_field": "hello"
}
The check was performed with errors
Not is boolean
check:
- target_field: is_number()
{
"target_field": true
}
The check was performed with errors
Is number
check:
- target_field: is_number()
{
"target_field": 23
}
The check was successful
Is number
check:
- target_field: is_number()
{
"target_field": 23.23
}
The check was successful
field: is_object()
| Type | Possible values |
|---|---|
| object | Any object |
Checks if the value stored in field is of type object. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedIs object
check:
- target_field: is_object()
{
"target_field": {
"key": "value"
}
}
The check was successful
Is object
check:
- target_field: is_object()
{
"target_field": [
1,
2,
3,
4
]
}
The check was performed with errors
Not is object
check:
- target_field: is_object()
{
"target_field": "hello"
}
The check was performed with errors
field: is_public_ip()
| Type | Possible values |
|---|---|
| string | Any IP |
Checks if the IP address stored in the field is a public ip. Assumes that the ip is public if it is not within the following networks: IPv4:
undefinedCheck IP valid
check:
- target_field: is_public_ip()
{
"target_field": "111.111.1.11"
}
The check was successful
Check IP valid
check:
- target_field: is_public_ip()
{
"target_field": "3002:0bd6:0000:0000:0000:ee00:0033:6778"
}
The check was successful
Check IP invalid
check:
- target_field: is_public_ip()
{
"target_field": 6778
}
The check was performed with errors
field: is_string()
| Type | Possible values |
|---|---|
| string | Any string |
Checks if the value stored in field is of type string. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedNot is string
check:
- target_field: is_string()
{
"target_field": {
"key": "value"
}
}
The check was performed with errors
Not is string
check:
- target_field: is_string()
{
"target_field": [
1,
2,
3,
4
]
}
The check was performed with errors
Is string
check:
- target_field: is_string()
{
"target_field": "hello"
}
The check was successful
field: is_test_session()
| Type | Possible values |
|---|---|
| [number, string, boolean, array, object] | - |
Check if the environment in use is testing or production. This helper function is typically used in the check stage
undefinedIs test session
check:
- target_field: is_test_session()
{
"target_field": {
"key": "value"
}
}
The check was successful
field: keys_exist_in_list(elements)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| elements | array | value or reference | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Checks if all the specified keys from the target field (an object) are present in the given list. It verifies whether the elements in the list are included as keys in the target object. If any key from the target object is missing in the list, the validation fails. The function does not require that all keys in the list be present in the target field, but all keys from the target field must be in the list. If any element in the list is not a string, or if the target object is missing any keys from the list, the validation fails. This helper is particularly useful for ensuring that all required keys are present in the object and are strictly enforced in the list.
array
object
Success keys in list
check:
- target_field: keys_exist_in_list(['ts', 'host'])
{
"target_field": {
"ts": "2021-01-03T01:19:32.488179Z",
"host": "192.168.4.43"
}
}
The check was successful
There are elements in the list that are missing from the target field
check:
- target_field: keys_exist_in_list($elements)
{
"elements": [
"ts",
"host",
"other"
],
"target_field": {
"ts": "2021-01-03T01:19:32.488179Z",
"host": "192.168.4.43"
}
}
The check was successful
There are keys in the target field that are missing from the list
check:
- target_field: keys_exist_in_list(['ts', 'host'])
{
"target_field": {
"ts": "2021-01-03T01:19:32.488179Z",
"host": "192.168.4.43",
"other_key": "some_value"
}
}
The check was performed with errors
Element in array is not a string
check:
- target_field: keys_exist_in_list($elements)
{
"elements": [
"ts",
9999,
"other"
],
"target_field": {
"ts": "2021-01-03T01:19:32.488179Z",
"host": "192.168.4.43"
}
}
The check was performed with errors
field: kvdb_match(db_name)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| db_name | string | value | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Checks whether the string stored in the target field is the name of an existing key in the KVDB given by "db_name".
This helper is intended to be used in the check stage. It does not modify the event; it only decides whether the check block passes or fails.
kvdbFails when the KVDB cannot be loaded
check:
- target_field: kvdb_match('non-existing-db')
{
"target_field": "0x0"
}
The check was performed with errors
Check passes when the target field contains a key present in the KVDB
check:
- target_field: kvdb_match('windows_kerberos_status_code_to_code_name')
{
"target_field": "0x0"
}
The check was successful
Check also passes for keys whose KVDB value is an array
check:
- target_field: kvdb_match('windows_kerberos_status_code_to_code_name')
{
"target_field": "bitmask_test_values"
}
The check was successful
Check fails when the target field contains a key that is not present in the KVDB
check:
- target_field: kvdb_match('windows_kerberos_status_code_to_code_name')
{
"target_field": "0x99"
}
The check was performed with errors
field: kvdb_not_match(db_name)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| db_name | string | value | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Checks whether the string stored in the target field is NOT the name of an existing key in the KVDB given by "db_name".
This helper is intended to be used in the check stage. It does not modify the event; it only decides whether the check block passes or fails.
kvdbFails when the KVDB cannot be loaded
check:
- target_field: kvdb_not_match('non-existing-db')
{
"target_field": "0x0"
}
The check was performed with errors
Check fails when the target field contains a key present in the KVDB
check:
- target_field: kvdb_not_match('windows_kerberos_status_code_to_code_name')
{
"target_field": "0x0"
}
The check was performed with errors
Check also fails for keys whose KVDB value is an array
check:
- target_field: kvdb_not_match('windows_kerberos_status_code_to_code_name')
{
"target_field": "bitmask_test_values"
}
The check was performed with errors
Check passes when the target field contains a key that is not present in the KVDB
check:
- target_field: kvdb_not_match('windows_kerberos_status_code_to_code_name')
{
"target_field": "0x99"
}
The check was successful
field: match_value(array)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| array | array | value or reference | [number, string, boolean, object, array] |
| Type | Possible values |
|---|---|
| [number, string, boolean, array, object] | - |
Checks if the target field value is present in the specified array. This parameter must be a definition array or a reference to a field containing the array. If the array contains the value, then the function will evaluate to true, otherwise it will be false. This helper function is typically used in the check stage.
undefinedValue is in array
check:
- target_field: match_value([1, 2, 3, 4])
{
"target_field": 10
}
The check was performed with errors
Value not is in array
check:
- target_field: match_value($array)
{
"array": [
"hello"
],
"target_field": "wazuh"
}
The check was performed with errors
Value is in array
check:
- target_field: match_value([{'key': 'value'}])
{
"target_field": {
"key": "value"
}
}
The check was successful
Value is in array
check:
- target_field: match_value($array)
{
"array": [
[
true,
"hello",
2
]
],
"target_field": [
true,
"hello",
2
]
}
The check was successful
field: not_exists()
| Type | Possible values |
|---|---|
| [number, string, boolean, array, object] | - |
Checks that the field does not exist. If the field exists (with any value), the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
undefinedField exists (string)
check:
- target_field: not_exists()
{
"target_field": "hello"
}
The check was performed with errors
Field exists (number)
check:
- target_field: not_exists()
{}
The check was performed with errors
Field exists (array non-empty)
check:
- target_field: not_exists()
{
"target_field": [
1
]
}
The check was performed with errors
Field exists (object non-empty)
check:
- target_field: not_exists()
{
"target_field": {
"key": "value"
}
}
The check was performed with errors
Field exists (boolean)
check:
- target_field: not_exists()
{
"target_field": true
}
The check was performed with errors
Field absent via empty array
check:
- target_field: not_exists()
{}
The check was successful
Field absent via empty object
check:
- target_field: not_exists()
{}
The check was successful
field: number_equal(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | value or reference |
| Type | Possible values |
|---|---|
| number |
Checkers whether the number stored in field is equal to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
number
comparison
Compare two different numbers
check:
- target_field: number_equal(2.6)
{
"target_field": 2
}
The check was performed with errors
Compare two different numbers
check:
- target_field: number_equal($any_number)
{
"any_number": 6,
"target_field": 5.5
}
The check was performed with errors
Compare two equals numbers
check:
- target_field: number_equal(2.3)
{
"target_field": 2.3
}
The check was successful
Compare two equals numbers
check:
- target_field: number_equal($any_number)
{
"any_number": 2,
"target_field": 2.0
}
The check was successful
field: number_greater(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | value or reference |
| Type | Possible values |
|---|---|
| number |
Checkers whether the number stored in field is greater than to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
comparisonSuccess number greater
check:
- target_field: number_greater(1.5)
{
"target_field": 4.6
}
The check was successful
Success number greater
check:
- target_field: number_greater($any_number)
{
"any_number": 1,
"target_field": 2.2
}
The check was successful
Failure number greater
check:
- target_field: number_greater(3.8)
{
"target_field": 2.2
}
The check was performed with errors
Failure number greater
check:
- target_field: number_greater($any_number)
{
"any_number": 3,
"target_field": 2.2
}
The check was performed with errors
field: number_greater_or_equal(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | value or reference |
| Type | Possible values |
|---|---|
| number |
Checkers whether the number stored in field is greater than or equal to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
number
comparison
Failure int greater or equal
check:
- target_field: number_greater_or_equal(2.6)
{
"target_field": 2
}
The check was performed with errors
Failure int greater or equal
check:
- target_field: number_greater_or_equal($any_number)
{
"any_number": 2,
"target_field": 1.5
}
The check was performed with errors
Success int greater or equal
check:
- target_field: number_greater_or_equal(2.2)
{
"target_field": 2.2
}
The check was successful
Success int greater or equal
check:
- target_field: number_greater_or_equal($any_number)
{
"any_number": 2,
"target_field": 2
}
The check was successful
field: number_less(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | value or reference |
| Type | Possible values |
|---|---|
| number |
Checkers whether the number stored in field is less than to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
number
comparison
Success number less
check:
- target_field: number_less(2.2)
{
"target_field": 2
}
The check was successful
Success number less
check:
- target_field: number_less($any_number)
{
"any_number": 2.1,
"target_field": 1.6
}
The check was successful
Failure number less
check:
- target_field: number_less(2)
{
"target_field": 2.2
}
The check was performed with errors
Failure number less
check:
- target_field: number_less($any_number)
{
"any_number": 10,
"target_field": 10
}
The check was performed with errors
field: number_less_or_equal(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | value or reference |
| Type | Possible values |
|---|---|
| number |
Checkers whether the number stored in field is less than or equal to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
number
comparison
Success number less or equal
check:
- target_field: number_less_or_equal(2.2)
{
"target_field": 2
}
The check was successful
Success number less or equal
check:
- target_field: number_less_or_equal($any_number)
{
"any_number": 2,
"target_field": 1.2
}
The check was successful
Failure number less or equal
check:
- target_field: number_less_or_equal(1.8)
{
"target_field": 2.6
}
The check was performed with errors
Failure number less or equal
check:
- target_field: number_less_or_equal($any_number)
{
"any_number": 2,
"target_field": 22
}
The check was performed with errors
field: number_not_equal(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | value or reference |
| Type | Possible values |
|---|---|
| number |
Checkers whether the number stored in field is not equal to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
number
comparison
Success number not equal
check:
- target_field: number_not_equal(2.2)
{
"target_field": 2
}
The check was successful
Success number not equal
check:
- target_field: number_not_equal($any_number)
{
"any_number": 1,
"target_field": 2.3
}
The check was successful
Failure number not equal
check:
- target_field: number_not_equal(2.2)
{
"target_field": 2.2
}
The check was performed with errors
Failure number not equal
check:
- target_field: number_not_equal($any_number)
{
"any_number": 2,
"target_field": 2
}
The check was performed with errors
field: regex_match(regxp)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| regxp | string | value | Any regex |
| Type | Possible values |
|---|---|
| string | Any string |
Checks if the given target field contains a string that matches the regex passed. Evaluates to true if the regex matches, otherwise if it does not match or the target field does not exist or the target field is not of type string, evaluates to false. Keep in mind that we need to escape reserved Yaml characters depending on the string input mode of Yaml. RE2 syntax: https://github.com/google/re2/wiki/Syntax This helper function is typically used in the check stage.
undefinedMatch regular expression
check:
- target_field: regex_match('^(bye pcre\\d)$')
{
"target_field": "bye pcre2"
}
The check was successful
Don't match regular expression
check:
- target_field: regex_match('^(bye pcre\\d)$')
{
"target_field": "ye pcre2"
}
The check was performed with errors
field: regex_not_match(regxp)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| regxp | string | value | Any regex |
| Type | Possible values |
|---|---|
| string | Any string |
Checks that the target field (string) does NOT match the given regular expression (RE2). If it matches, evaluates to false. If the field is missing or not a string, evaluates to false. Keep in mind YAML escaping rules. RE2 syntax: https://github.com/google/re2/wiki/Syntax Typically used in the check stage.
undefinedDoes not match (no 'abc' prefix)
check:
- target_field: regex_not_match('^abc')
{
"target_field": "hello world"
}
The check was successful
Matches (prefix 'abc')
check:
- target_field: regex_not_match('^abc')
{
"target_field": "abc123"
}
The check was performed with errors
Not a string -> fails
check:
- target_field: regex_not_match('^(bye pcre\\d)$')
{
"target_field": 123
}
The check was performed with errors
field: starts_with(conteined)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| conteined | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Checks if the value stored in the field starts with the value provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false.
undefinedSuccess start with
check:
- target_field: starts_with('hello')
{
"target_field": "hello wazuh!"
}
The check was successful
Failure start with
check:
- target_field: starts_with($conteined)
{
"conteined": "hello!",
"target_field": "hello wazuh!"
}
The check was performed with errors
Failure start with
check:
- target_field: starts_with('wazuh!')
{
"target_field": "hello wazuh!"
}
The check was performed with errors
field: string_equal(any_string)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_string | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Checkers whether the value stored in field is equal to the one provided, byte for byte. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
string
comparison
Compare two different strings
check:
- target_field: string_equal('hello world!')
{
"target_field": "hello"
}
The check was performed with errors
Compare two equals strings
check:
- target_field: string_equal($any_string)
{
"any_string": "hello world!",
"target_field": "hello world!"
}
The check was successful
field: string_greater(any_string)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_string | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Checks whether the value stored in field is lexicographically greater than to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
string
comparison
Success string greater
check:
- target_field: string_greater('hello world!')
{
"target_field": "wazuh"
}
The check was successful
Failure string greater
check:
- target_field: string_greater($any_string)
{
"any_string": "wazuh",
"target_field": "hello world!"
}
The check was performed with errors
Failure string greater
check:
- target_field: string_greater('hello world!')
{
"target_field": "hello world!"
}
The check was performed with errors
field: string_greater_or_equal(any_string)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_string | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Checks whether the string stored in field is lexicographically greater than or equal to the provided value. If it is less, evaluates to false. On error, evaluates to false. Typically used in the check stage.
string
comparison
Equal strings → passes
check:
- target_field: string_greater_or_equal('hello')
{
"target_field": "hello"
}
The check was successful
Target >= argument (world >= hello) → passes
check:
- target_field: string_greater_or_equal($any_string)
{
"any_string": "hello",
"target_field": "world"
}
The check was successful
Target < argument (abc < def) → fails
check:
- target_field: string_greater_or_equal('def')
{
"target_field": "abc"
}
The check was performed with errors
Not a string → fails
check:
- target_field: string_greater_or_equal($any_string)
{
"any_string": "abc",
"target_field": 123
}
The check was performed with errors
field: string_less(any_string)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_string | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Checkers whether the value stored in field is lexicographically less than to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
string
comparison
Success string less
check:
- target_field: string_less('wazuh')
{
"target_field": "hello world!"
}
The check was successful
Failure string less
check:
- target_field: string_less($any_string)
{
"any_string": "hello world!",
"target_field": "wazuh"
}
The check was performed with errors
Failure string less
check:
- target_field: string_less('hello world!')
{
"target_field": "hello world!"
}
The check was performed with errors
field: string_less_or_equal(any_string)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_string | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Checkers whether the value stored in field is lexicographically less than or equeal to the one provided. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
string
comparison
Success string less or equal
check:
- target_field: string_less_or_equal('wazuh')
{
"target_field": "hello world!"
}
The check was successful
Failure string less or equal
check:
- target_field: string_less_or_equal($any_string)
{
"any_string": "hello world!",
"target_field": "wazuh"
}
The check was performed with errors
Success string less or equal
check:
- target_field: string_less_or_equal('hello world!')
{
"target_field": "hello world!"
}
The check was successful
field: string_not_equal(any_string)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_string | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Checkers whether the two provided strings are equal, byte for byte. If they're not, the function evaluates to false. In case of error, the function will evaluate to false. This helper function is typically used in the check stage
string
comparison
Success string not equal
check:
- target_field: string_not_equal('hello world!')
{
"target_field": "hello"
}
The check was successful
Failure string not equal
check:
- target_field: string_not_equal($any_string)
{
"any_string": "hello world!",
"target_field": "hello world!"
}
The check was performed with errors
field: array_extract_key_obj(source_array, key_pointer, new_value_pointer, old_value_pointer, skip_serializer)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| source_array | array | reference | Any string |
| key_pointer | string | value | Any string |
| new_value_pointer | string | value | Any string |
| old_value_pointer | string | value | Any string |
| skip_serializer | boolean | value | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Builds a map of extracted key objects from an array. Each element provides the key
(via a JSON pointer) and both the new and old values (as JSON pointers, / for the full object).
Keys are normalized to lowercase snake_case unless skipSerializer is true, in which
case keys are kept verbatim. Entries missing a key or new value, or producing an empty key, are skipped.
Old values that resolve to empty strings are omitted from the result.
The helper returns an error when no entries are inserted.
array
map
extract
changes
Builds map with normalized keys and both new/old values
normalize:
- map:
- target_field: array_extract_key_obj($source_array, '/Name', '/NewValue', '/OldValue', False)
{
"source_array": [
{
"Name": "RequiredResourceAccess",
"NewValue": "new-data",
"OldValue": "old-data"
},
{
"Name": "Included Updated Properties",
"NewValue": "RequiredResourceAccess",
"OldValue": ""
}
]
}
{
"source_array": [
{
"Name": "RequiredResourceAccess",
"NewValue": "new-data",
"OldValue": "old-data"
},
{
"Name": "Included Updated Properties",
"NewValue": "RequiredResourceAccess",
"OldValue": ""
}
],
"target_field": {
"requiredresourceaccess": {
"NewValue": "new-data",
"OldValue": "old-data"
},
"included_updated_properties": {
"NewValue": "RequiredResourceAccess"
}
}
}
The operation was successful
Keeps keys verbatim when skipSerializer is true
normalize:
- map:
- target_field: array_extract_key_obj($source_array, '/Name', '/NewValue', '/OldValue', True)
{
"source_array": [
{
"Name": "RequiredResourceAccess",
"NewValue": "new-data",
"OldValue": "old-data"
},
{
"Name": "Included Updated Properties",
"NewValue": "RequiredResourceAccess",
"OldValue": ""
}
]
}
{
"source_array": [
{
"Name": "RequiredResourceAccess",
"NewValue": "new-data",
"OldValue": "old-data"
},
{
"Name": "Included Updated Properties",
"NewValue": "RequiredResourceAccess",
"OldValue": ""
}
],
"target_field": {
"RequiredResourceAccess": {
"NewValue": "new-data",
"OldValue": "old-data"
},
"Included Updated Properties": {
"NewValue": "RequiredResourceAccess"
}
}
}
The operation was successful
Keeps entries that only provide a new value
normalize:
- map:
- target_field: array_extract_key_obj($source_array, '/Name', '/NewValue', '/OldValue', False)
{
"source_array": [
{
"Name": "AzurePolicyChange",
"NewValue": "Enabled"
}
]
}
{
"source_array": [
{
"Name": "AzurePolicyChange",
"NewValue": "Enabled"
}
],
"target_field": {
"azurepolicychange": {
"NewValue": "Enabled"
}
}
}
The operation was successful
Discards old value when it resolves to blanks
normalize:
- map:
- target_field: array_extract_key_obj($source_array, '/Name', '/NewValue', '/OldValue', False)
{
"source_array": [
{
"Name": "AlertThreshold",
"NewValue": 10,
"OldValue": " "
}
]
}
{
"source_array": [
{
"Name": "AlertThreshold",
"NewValue": 10,
"OldValue": " "
}
],
"target_field": {
"alertthreshold": {
"NewValue": 10
}
}
}
The operation was successful
Fails when new value is missing
normalize:
- map:
- target_field: array_extract_key_obj($source_array, '/Name', '/NewValue', '/OldValue', False)
{
"source_array": [
{
"Name": "RequiredResourceAccess",
"OldValue": "old-data"
}
]
}
{
"source_array": [
{
"Name": "RequiredResourceAccess",
"OldValue": "old-data"
}
]
}
The operation was performed with errors
Fails when array does not exist in the context
normalize:
- map:
- target_field: array_extract_key_obj($source_array, '/Name', '/NewValue', '/OldValue', False)
{
"source_array": "$.Missing"
}
{
"source_array": "$.Missing"
}
The operation was performed with errors
field: array_obj_to_mapkv(source_array, key_pointer, value_pointer, skip_serializer)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| source_array | array | reference | Any string |
| key_pointer | string | value | Any string |
| value_pointer | string | value | Any string |
| skip_serializer | boolean | value | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Builds a map (object) from an array of objects. Each element provides the key
(via a JSON pointer) and the value (another pointer, optionally / for the full object).
Keys are normalized to lowercase snake_case unless skipSerializer is true, in which
case keys are kept verbatim. Entries missing a key/value or producing an empty key
are skipped. The helper returns an error when no entries are inserted.
array
map
key-value
Normalizes keys and extracts values using /Value pointer
normalize:
- map:
- target_field: array_obj_to_mapkv($source_array, '/Name', '/Value', False)
{
"source_array": [
{
"Name": "UserAgent",
"Value": "Mozilla/5.0"
},
{
"Name": "Request.Type",
"Value": "OAuth2:Authorize"
},
{
"Name": "Included Updated Properties",
"Value": "RequiredResourceAccess"
}
]
}
{
"source_array": [
{
"Name": "UserAgent",
"Value": "Mozilla/5.0"
},
{
"Name": "Request.Type",
"Value": "OAuth2:Authorize"
},
{
"Name": "Included Updated Properties",
"Value": "RequiredResourceAccess"
}
],
"target_field": {
"useragent": "Mozilla/5.0",
"request_type": "OAuth2:Authorize",
"included_updated_properties": "RequiredResourceAccess"
}
}
The operation was successful
Keeps keys verbatim when skipSerializer is true
normalize:
- map:
- target_field: array_obj_to_mapkv($source_array, '/Name', '/Value', True)
{
"source_array": [
{
"Name": "UserAgent",
"Value": "Mozilla/5.0"
},
{
"Name": "KeepMeSignedIn",
"Value": true
},
{
"Name": "OptionalField",
"Value": null
},
{
"Name": "Roles",
"Value": [
"admin",
"user"
]
},
{
"Name": "Meta",
"Value": {
"os": "linux",
"arch": "x64"
}
}
]
}
{
"source_array": [
{
"Name": "UserAgent",
"Value": "Mozilla/5.0"
},
{
"Name": "KeepMeSignedIn",
"Value": true
},
{
"Name": "OptionalField",
"Value": null
},
{
"Name": "Roles",
"Value": [
"admin",
"user"
]
},
{
"Name": "Meta",
"Value": {
"os": "linux",
"arch": "x64"
}
}
],
"target_field": {
"UserAgent": "Mozilla/5.0",
"KeepMeSignedIn": true,
"OptionalField": null,
"Roles": [
"admin",
"user"
],
"Meta": {
"os": "linux",
"arch": "x64"
}
}
}
The operation was successful
Fails when array does not exist in the context
normalize:
- map:
- target_field: array_obj_to_mapkv($source_array, '/Name', '/Value', False)
{
"source_array": null
}
{}
The operation was performed with errors
field: as(ip, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| ip | string | reference | Any IP |
| Type | Possible values |
|---|---|
| object | Any object |
Performs a query to the maxmind GeoLite2-ASN database (provided by Maxmind Inc. https://www.maxmind.com ). In case of errors the target field will not be modified. In case of success it will return an object with the following fields:
max_min_dbGet as of public ip
normalize:
- map:
- target_field: as($ip)
{
"ip": "1.2.3.4"
}
{
"ip": "1.2.3.4",
"target_field": {
"number": 1234,
"organization": {
"name": " Wazuh Organization"
}
}
}
The operation was successful
field: concat(operand_left, operand_right, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| operand_left | string, number, object | value or reference | Any object |
| operand_right | string, number, object | value or reference | Any object |
| Type | Possible values |
|---|---|
| string | Any string |
The function concat concatenates various types of data including strings, numbers, and objects.
The function receives two or more operands and concatenates them in the order they are provided.
The result of the concatenation is stored in the field field.
different_typesConcatenate a string with another empty one
normalize:
- map:
- target_field: concat('yes', ' ', 'no', 'hello', 'yes')
{}
{
"target_field": "hello noyesyes"
}
The operation was successful
Trying to concatenate a value with a reference does not exist
normalize:
- map:
- target_field: concat($operand_left, 'hello')
{
"operand_left": null
}
{}
The operation was performed with errors
Concat object, number and string
normalize:
- map:
- target_field: concat($operand_left, 2, $operand_right_1)
{
"operand_left": {
"key": "value"
},
"operand_right_1": "hello"
}
{
"operand_left": {
"key": "value"
},
"operand_right_1": "hello",
"target_field": "{\"key\":\"value\"}2hello"
}
The operation was successful
field: concat_any(operand_left, operand_right, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| operand_left | string, number, object | value or reference | Any object |
| operand_right | string, number, object | value or reference | Any object |
| Type | Possible values |
|---|---|
| string | Any string |
The function concat concatenates various types of data including strings, numbers, and objects.
The function receives two or more operands and concatenates them in the order they are provided.
The result of the concatenation is stored in the field field.
different_typesConcatenate a string with another empty one
normalize:
- map:
- target_field: concat_any('hello', ' ', 'yes')
{}
{
"target_field": "hello yes"
}
The operation was successful
Try to concatenate an existing reference with a non-existing reference
normalize:
- map:
- target_field: concat_any($operand_left, $operand_right)
{
"operand_left": null,
"operand_right": "hello"
}
{
"operand_left": null,
"operand_right": "hello",
"target_field": "hello"
}
The operation was successful
Trying to concatenate a value with a reference does not exist
normalize:
- map:
- target_field: concat_any($operand_left, 'hello')
{
"operand_left": null
}
{
"operand_left": null,
"target_field": "hello"
}
The operation was successful
field: date_from_epoch(epoch)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| epoch | number | reference | Integers between -2^63 and 2^63-1 |
| Type | Possible values |
|---|---|
| string | Any string |
Date from epoch will convert the input value, can be a reference or a value representing the epoch time to a human readable date time. Transforms UNIX epoch time to a human readable date time in the format of 'YYYY-MM-DDTHH:MM:SSZ'.
undefinedGet date using initial epoch
normalize:
- map:
- target_field: date_from_epoch($epoch)
{
"epoch": 0
}
{
"epoch": 0,
"target_field": "1970-01-01T00:00:00.000000Z"
}
The operation was successful
Get date using any epoch
normalize:
- map:
- target_field: date_from_epoch($epoch)
{
"epoch": 1715958658
}
{
"epoch": 1715958658,
"target_field": "2024-05-17T15:10:58.000000Z"
}
The operation was successful
field: date_to_epoch(date, format)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| date | string | reference | Any string |
| format | string | value | Any string |
| Type | Possible values |
|---|---|
| double |
Converts a date/time string to its UNIX epoch (seconds since 1970-01-01T00:00:00Z), returned as a double. Parsing is strict and driven entirely by a format:
format is provided (string literal), it is used verbatim by the parser.format is omitted, the default format "%Y-%m-%dT%H:%M:%SZ" (ISO 8601, UTC with trailing 'Z') is used.
To support other ISO-8601 variants (offsets, basic format, space instead of 'T', etc.), pass the appropriate format.date
time
epoch
timestamp
Default format → epoch start
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": "1970-01-01T00:00:00Z"
}
{
"date": "1970-01-01T00:00:00Z",
"target_field": 0.0
}
The operation was successful
Default format → UTC with trailing Z
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": "2024-05-17T15:10:58Z"
}
{
"date": "2024-05-17T15:10:58Z",
"target_field": 1715958658.0
}
The operation was successful
Default format → fractional seconds preserved
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": "2024-09-24T23:03:00.597629Z"
}
{
"date": "2024-09-24T23:03:00.597629Z",
"target_field": 1727218980.597629
}
The operation was successful
Default format → negative epoch
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": "1969-12-31T23:59:59Z"
}
{
"date": "1969-12-31T23:59:59Z",
"target_field": -1.0
}
The operation was successful
Default format requires 'Z' → fails without timezone
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": "2024-05-17T15:10:58"
}
{
"date": "2024-05-17T15:10:58"
}
The operation was performed with errors
Offset with colon (−03:00)
normalize:
- map:
- target_field: date_to_epoch($date, '%FT%T%Ez')
{
"date": "2024-05-17T12:10:58-03:00"
}
{
"date": "2024-05-17T12:10:58-03:00",
"target_field": 1715958658.0
}
The operation was successful
Offset without colon (−0300)
normalize:
- map:
- target_field: date_to_epoch($date, '%FT%T%z')
{
"date": "2024-05-17T12:10:58-0300"
}
{
"date": "2024-05-17T12:10:58-0300",
"target_field": 1715958658.0
}
The operation was successful
Space instead of 'T' + offset
normalize:
- map:
- target_field: date_to_epoch($date, '%F %T%Ez')
{
"date": "2024-05-17 15:10:58+00:00"
}
{
"date": "2024-05-17 15:10:58+00:00",
"target_field": 1715958658.0
}
The operation was successful
Basic (no-extended) format with 'Z'
normalize:
- map:
- target_field: date_to_epoch($date, '%Y%m%dT%H%M%SZ')
{
"date": "20240517T151058Z"
}
{
"date": "20240517T151058Z",
"target_field": 1715958658.0
}
The operation was successful
Basic format with offset (−0300)
normalize:
- map:
- target_field: date_to_epoch($date, '%Y%m%dT%H%M%S%z')
{
"date": "20240517T121058-0300"
}
{
"date": "20240517T121058-0300",
"target_field": 1715958658.0
}
The operation was successful
No timezone in input; format without timezone
normalize:
- map:
- target_field: date_to_epoch($date, '%FT%T')
{
"date": "2024-05-17T15:10:58"
}
{
"date": "2024-05-17T15:10:58",
"target_field": 1715958658.0
}
The operation was successful
IANA zone America/Argentina/Buenos_Aires, UTC−03) → 2024-05-17T15:10:58Z
normalize:
- map:
- target_field: date_to_epoch($date, '%F %T %Z')
{
"date": "2024-05-17 12:10:58 America/Argentina/Buenos_Aires"
}
{
"date": "2024-05-17 12:10:58 America/Argentina/Buenos_Aires",
"target_field": 1715958658.0
}
The operation was successful
IANA zone (Europe/Berlin, CEST UTC+02) → 2024-07-01T08:00:00Z
normalize:
- map:
- target_field: date_to_epoch($date, '%F %T %Z')
{
"date": "2024-07-01 10:00:00 Europe/Berlin"
}
{
"date": "2024-07-01 10:00:00 Europe/Berlin",
"target_field": 1719820800.0
}
The operation was successful
Unknown IANA zone → tzdb lookup fails
normalize:
- map:
- target_field: date_to_epoch($date, '%F %T %Z')
{
"date": "2024-05-17 15:10:58 Mars/Phobos"
}
{
"date": "2024-05-17 15:10:58 Mars/Phobos"
}
The operation was performed with errors
DST spring-forward gap (nonexistent local time in New York)
normalize:
- map:
- target_field: date_to_epoch($date, '%F %T %Z')
{
"date": "2024-03-10 02:30:00 America/New_York"
}
{
"date": "2024-03-10 02:30:00 America/New_York"
}
The operation was performed with errors
Reject non-string input for 'date'
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": 123456789
}
{
"date": 123456789
}
The operation was performed with errors
Reject null input for 'date'
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": null
}
{}
The operation was performed with errors
Invalid format format with unknown specifier
normalize:
- map:
- target_field: date_to_epoch($date, '%invalid_format')
{
"date": "2024-05-17T15:10:58Z"
}
{
"date": "2024-05-17T15:10:58Z"
}
The operation was performed with errors
Empty format format
normalize:
- map:
- target_field: date_to_epoch($date, '')
{
"date": "2024-05-17T15:10:58Z"
}
{
"date": "2024-05-17T15:10:58Z"
}
The operation was performed with errors
Null format format
normalize:
- map:
- target_field: date_to_epoch($date, null)
{
"date": "2024-05-17T15:10:58Z"
}
{
"date": "2024-05-17T15:10:58Z"
}
The operation was performed with errors
Non-string format format
normalize:
- map:
- target_field: date_to_epoch($date, 123)
{
"date": "2024-05-17T15:10:58Z"
}
{
"date": "2024-05-17T15:10:58Z"
}
The operation was performed with errors
Date string doesn't match format (has time, format expects only date)
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%d')
{
"date": "2024-05-17T15:10:58Z"
}
{
"date": "2024-05-17T15:10:58Z"
}
The operation was performed with errors
format expects time, date string has only date
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": "2024-05-17"
}
{
"date": "2024-05-17"
}
The operation was performed with errors
Completely malformed date string
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": "not-a-date"
}
{
"date": "not-a-date"
}
The operation was performed with errors
Empty date string
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": ""
}
{
"date": ""
}
The operation was performed with errors
Invalid date - February 30th doesn't exist
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": "2024-02-30T15:10:58Z"
}
{
"date": "2024-02-30T15:10:58Z"
}
The operation was performed with errors
Invalid date - 13th month doesn't exist
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": "2024-13-17T15:10:58Z"
}
{
"date": "2024-13-17T15:10:58Z"
}
The operation was performed with errors
Invalid date - 32nd day doesn't exist
normalize:
- map:
- target_field: date_to_epoch($date, '%Y-%m-%dT%H:%M:%SZ')
{
"date": "2024-05-32T15:10:58Z"
}
{
"date": "2024-05-32T15:10:58Z"
}
The operation was performed with errors
field: decode_base16(hex)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| hex | string | reference | Any hexadecimal |
| Type | Possible values |
|---|---|
| string | Any string |
The operation transforms a string of hexa digits into an ASCII string. The result of the operation is mapped to “field”. If the “field” already exists, then it will be replaced. In case of errors “field” will not be modified.
undefinedConvert base 16 to decimal
normalize:
- map:
- target_field: decode_base16($hex)
{
"hex": "48656C6C6F20776F726C6421"
}
{
"hex": "48656C6C6F20776F726C6421",
"target_field": "Hello world!"
}
The operation was successful
field: downcase(upper_characters)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| upper_characters | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
The operation converts any uppercase character to an lowercase character. The result of the lowercase (+downcase) operation is mapped to “field”. If the field field already exists, then it will be replaced. In case of errors “field” will not be modified.
stringChange string to downcase
normalize:
- map:
- target_field: downcase('ABCD')
{}
{
"target_field": "abcd"
}
The operation was successful
Change string to downcase
normalize:
- map:
- target_field: downcase($upper_characters)
{
"upper_characters": "AbcD"
}
{
"upper_characters": "AbcD",
"target_field": "abcd"
}
The operation was successful
Change string to downcase
normalize:
- map:
- target_field: downcase('aBcDECF')
{}
{
"target_field": "abcdecf"
}
The operation was successful
field: float_calculate(operator, operand_left, operand_right, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| operator | string | value | mul, div, sub, sum |
| operand_left | number | value or reference | |
| operand_right | number | value or reference |
| Type | Possible values |
|---|---|
| number |
The function float_calculate performs basic arithmetic operations on floats and integers.
The function receives an operator and two or more operands.
The function applies the operator to the first two operands and then applies the result to the next operand.
The result of the operation is stored in the field field.
The function supports the following operators: sum (addition), sub (subtraction), mul (multiplication), and div (division).
mathDivision by zero is not allowed (the function will fail).
The limit for a float is 3.402823466e+38
Sum that produces overflow. The limit for a double is exceeded.
normalize:
- map:
- target_field: float_calculate('sum', 1.7976931348623157e+308, 1.7976931348623157e+308)
{}
{}
The operation was performed with errors
Sum that produces overflow. The limit for a double is exceeded.
normalize:
- map:
- target_field: float_calculate('sum', $operand_left, $operand_right)
{
"operand_left": -1.7976931348623157e+308,
"operand_right": -1.7976931348623157e+308
}
{
"operand_left": -1.7976931348623157e+308,
"operand_right": -1.7976931348623157e+308
}
The operation was performed with errors
Subtraction that produces overflow. The limit for a double is exceeded.
normalize:
- map:
- target_field: float_calculate('sub', 1.7976931348623157e+308, -1.7976931348623157e+308)
{}
{}
The operation was performed with errors
Subtraction that produces overflow. The limit for a double is exceeded.
normalize:
- map:
- target_field: float_calculate('sub', $operand_left, $operand_right)
{
"operand_left": -1.7976931348623157e+308,
"operand_right": 1.7976931348623157e+308
}
{
"operand_left": -1.7976931348623157e+308,
"operand_right": 1.7976931348623157e+308
}
The operation was performed with errors
Multiplication that produces overflow. The limit for a double is exceeded.
normalize:
- map:
- target_field: float_calculate('mul', 1.7976931348623157e+308, 2.0)
{}
{}
The operation was performed with errors
Multiplication that produces overflow. The limit for a double is exceeded.
normalize:
- map:
- target_field: float_calculate('mul', $operand_left, $operand_right)
{
"operand_left": 1.7976931348623157e+308,
"operand_right": -2.0
}
{
"operand_left": 1.7976931348623157e+308,
"operand_right": -2.0
}
The operation was performed with errors
Any division with a numerator equal to zero results in zero as long as the denominator is different from 0.
normalize:
- map:
- target_field: float_calculate('div', 0.0, 8)
{}
{
"target_field": 0.0
}
The operation was successful
Any division with a denominator equal to zero is an indeterminate operation.
normalize:
- map:
- target_field: float_calculate('div', $operand_left, $operand_right)
{
"operand_left": 5,
"operand_right": 0.0
}
{
"operand_left": 5,
"operand_right": 0.0
}
The operation was performed with errors
Sum float with integer
normalize:
- map:
- target_field: float_calculate('sum', -1.53, 1)
{}
{
"target_field": -0.53
}
The operation was successful
Sum integer with integer
normalize:
- map:
- target_field: float_calculate('sum', $operand_left, $operand_right)
{
"operand_left": 1,
"operand_right": 1
}
{
"operand_left": 1,
"operand_right": 1,
"target_field": 2.0
}
The operation was successful
Sum float with float
normalize:
- map:
- target_field: float_calculate('sum', 2.676, 3.756)
{}
{
"target_field": 6.432
}
The operation was successful
Sub float with integer
normalize:
- map:
- target_field: float_calculate('sub', $operand_left, $operand_right)
{
"operand_left": 1.53,
"operand_right": -1
}
{
"operand_left": 1.53,
"operand_right": -1,
"target_field": 2.5300000000000002
}
The operation was successful
Sub integer with integer
normalize:
- map:
- target_field: float_calculate('sub', -1, -1)
{}
{
"target_field": 0.0
}
The operation was successful
Sub float with float
normalize:
- map:
- target_field: float_calculate('sub', $operand_left, $operand_right)
{
"operand_left": -2.676,
"operand_right": -3.756
}
{
"operand_left": -2.676,
"operand_right": -3.756,
"target_field": 1.0799999999999996
}
The operation was successful
Mul float with integer
normalize:
- map:
- target_field: float_calculate('mul', 12.53, -3)
{}
{
"target_field": -37.589999999999996
}
The operation was successful
Mul integer with integer
normalize:
- map:
- target_field: float_calculate('mul', $operand_left, $operand_right)
{
"operand_left": -45,
"operand_right": 2
}
{
"operand_left": -45,
"operand_right": 2,
"target_field": -90
}
The operation was successful
Mul float with float
normalize:
- map:
- target_field: float_calculate('mul', -2.676, -3.756)
{}
{
"target_field": 10.051056
}
The operation was successful
Div float with integer
normalize:
- map:
- target_field: float_calculate('div', $operand_left, $operand_right)
{
"operand_left": 12.53,
"operand_right": -3
}
{
"operand_left": 12.53,
"operand_right": -3,
"target_field": -4.176666666666667
}
The operation was successful
Div integer with integer
normalize:
- map:
- target_field: float_calculate('div', -45, 2)
{}
{
"target_field": -22.5
}
The operation was successful
Div float with float
normalize:
- map:
- target_field: float_calculate('div', $operand_left, $operand_right)
{
"operand_left": -2.676,
"operand_right": -3.756
}
{
"operand_left": -2.676,
"operand_right": -3.756,
"target_field": 0.7124600638977636
}
The operation was successful
field: geoip(ip, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| ip | string | reference | Any IP |
| Type | Possible values |
|---|---|
| object | Any object |
Performs a query to the maxmind GeoLite2-City database (provided by Maxmind Inc. https://www.maxmind.com ). In case of errors the target field will not be modified. In case of success it will return an object with the following fields:
max_min_dbGet geo of public ip
normalize:
- map:
- target_field: geoip($ip)
{
"ip": "1.2.3.4"
}
{
"ip": "1.2.3.4",
"target_field": {
"city_name": "Wazuh city",
"timezone": "Wazuh/Timezone",
"country_name": "Wazuh Country",
"continent_code": "WC",
"continent_name": "Wazuh Continent",
"country_iso_code": "WCtry",
"postal_code": "7777",
"location": {
"lon": 88.4293,
"lat": 41.7776
}
}
}
The operation was successful
field: get_date()
| Type | Possible values |
|---|---|
| string | Any string |
Get the current date in the format "%Y-%m-%dT%H:%M:%SZ". The date is generated in UTC time zone.
time
field: hex_to_number(hex)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| hex | string | reference | Any hexadecimal |
| Type | Possible values |
|---|---|
| number | Integers between -2^63 and 2^63-1 |
The peration transforms a number in hexadecimal format (0x...) to a base 10 number. The result of the operation is mapped to “field”. If the “field” already exists, then it will be replaced. In case of errors “field” will not be modified.
undefinedConvert hexadecimal to decimal
normalize:
- map:
- target_field: hex_to_number($hex)
{
"hex": "2A"
}
{
"hex": "2A",
"target_field": 42
}
The operation was successful
Converts hexadecimal to int64
normalize:
- map:
- target_field: hex_to_number($hex)
{
"hex": "0xBC763516"
}
{
"hex": "0xBC763516",
"target_field": 3161863446
}
The operation was successful
field: iana_protocol_name_to_number(protocol_name)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| protocol_name | string | reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Resolves an IANA IP protocol keyword to its numeric code, returned as a string (e.g., "6"). Normalization rules:
iana
protocol
canonical keyword
normalize:
- map:
- target_field: iana_protocol_name_to_number($protocol_name)
{
"protocol_name": "tcp"
}
{
"protocol_name": "tcp",
"target_field": "6"
}
The operation was successful
case-insensitive
normalize:
- map:
- target_field: iana_protocol_name_to_number($protocol_name)
{
"protocol_name": "UDP"
}
{
"protocol_name": "UDP",
"target_field": "17"
}
The operation was successful
canonical hyphenated form
normalize:
- map:
- target_field: iana_protocol_name_to_number($protocol_name)
{
"protocol_name": "ipv6-icmp"
}
{
"protocol_name": "ipv6-icmp",
"target_field": "58"
}
The operation was successful
underscore alias normalized → "udplite"
normalize:
- map:
- target_field: iana_protocol_name_to_number($protocol_name)
{
"protocol_name": "udp_lite"
}
{
"protocol_name": "udp_lite",
"target_field": "136"
}
The operation was successful
alias normalized → "ipip"
normalize:
- map:
- target_field: iana_protocol_name_to_number($protocol_name)
{
"protocol_name": "ip-in-ip"
}
{
"protocol_name": "ip-in-ip",
"target_field": "94"
}
The operation was successful
alias normalized → "ipv6-icmp"
normalize:
- map:
- target_field: iana_protocol_name_to_number($protocol_name)
{
"protocol_name": "ICMPv6"
}
{
"protocol_name": "ICMPv6",
"target_field": "58"
}
The operation was successful
reject generic/unspecific categories
normalize:
- map:
- target_field: iana_protocol_name_to_number($protocol_name)
{
"protocol_name": "any-host-internal-protocol"
}
{
"protocol_name": "any-host-internal-protocol"
}
The operation was performed with errors
application-layer name → not an IANA IP protocol keyword
normalize:
- map:
- target_field: iana_protocol_name_to_number($protocol_name)
{
"protocol_name": "smtp"
}
{
"protocol_name": "smtp"
}
The operation was performed with errors
empty string
normalize:
- map:
- target_field: iana_protocol_name_to_number($protocol_name)
{
"protocol_name": ""
}
{
"protocol_name": ""
}
The operation was performed with errors
non-string input rejected (must be a reference to string)
normalize:
- map:
- target_field: iana_protocol_name_to_number($protocol_name)
{
"protocol_name": 123
}
{
"protocol_name": 123
}
The operation was performed with errors
field: iana_protocol_number_to_name(protocol_code)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| protocol_code | string, number | reference | Any object |
| Type | Possible values |
|---|---|
| string | Any string |
Resolves an IANA IP protocol numeric code (0..255) to its canonical keyword. The helper accepts either a number or a base-10 numeric string (same argument, by reference). The helper returns failure for experimental, reserved, unassigned codes and for generic/unspecific categories.
iana
protocol
6 → "tcp"
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": 6
}
{
"protocol_code": 6,
"target_field": "tcp"
}
The operation was successful
58 → "ipv6-icmp"
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": 58
}
{
"protocol_code": 58,
"target_field": "ipv6-icmp"
}
The operation was successful
147 → "bit-emu"
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": 147
}
{
"protocol_code": 147,
"target_field": "bit-emu"
}
The operation was successful
string numeric accepted
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": "6"
}
{
"protocol_code": "6",
"target_field": "tcp"
}
The operation was successful
string numeric accepted
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": "58"
}
{
"protocol_code": "58",
"target_field": "ipv6-icmp"
}
The operation was successful
string numeric accepted
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": "147"
}
{
"protocol_code": "147",
"target_field": "bit-emu"
}
The operation was successful
rejects non-integer numeric string
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": "6.0"
}
{
"protocol_code": "6.0"
}
The operation was performed with errors
out of range (negative)
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": "-1"
}
{
"protocol_code": "-1"
}
The operation was performed with errors
out of range (>255)
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": "256"
}
{
"protocol_code": "256"
}
The operation was performed with errors
non-numeric string rejected
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": "abc"
}
{
"protocol_code": "abc"
}
The operation was performed with errors
reject generic/unspecific category
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": 61
}
{
"protocol_code": 61
}
The operation was performed with errors
reject generic/unspecific category
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": 63
}
{
"protocol_code": 63
}
The operation was performed with errors
reject generic/unspecific category
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": 68
}
{
"protocol_code": 68
}
The operation was performed with errors
reject generic/unspecific category
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": 99
}
{
"protocol_code": 99
}
The operation was performed with errors
reject generic/unspecific category
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": 114
}
{
"protocol_code": 114
}
The operation was performed with errors
unassigned protocol code
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": 148
}
{
"protocol_code": 148
}
The operation was performed with errors
experimental protocol code
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": 253
}
{
"protocol_code": 253
}
The operation was performed with errors
reserved protocol code
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": 255
}
{
"protocol_code": 255
}
The operation was performed with errors
out of range (negative)
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": -1
}
{
"protocol_code": -1
}
The operation was performed with errors
out of range (>255)
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": 256
}
{
"protocol_code": 256
}
The operation was performed with errors
null rejected
normalize:
- map:
- target_field: iana_protocol_number_to_name($protocol_code)
{
"protocol_code": null
}
{}
The operation was performed with errors
field: int_calculate(operator, operand_left, operand_right, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| operator | string | value | mul, div, sub, sum |
| operand_left | number | value or reference | Integers between -2^63 and 2^63-1 |
| operand_right | number | value or reference | Integers between -2^63 and 2^63-1 |
| Type | Possible values |
|---|---|
| number | Integers between -2^63 and 2^63-1 |
The function int_calculate performs basic arithmetic operations on integers.
The function receives an operator and two or more operands.
The function applies the operator to the first two operands and then applies the result to the next operand.
The result of the operation is stored in the field field.
The function supports the following operators: sum (addition), sub (subtraction), mul (multiplication), and div (division).
mathDivision by zero is not allowed (the function will fail).
The limit for a 64-bit integer is 2^63-1 and -2^63.
Sum that produces overflow. the limit for a 64-bit integer is exceeded
normalize:
- map:
- target_field: int_calculate('sum', 1, 9223372036854775807)
{}
{}
The operation was performed with errors
Sum that produces overflow. the limit for a 64-bit integer is exceeded
normalize:
- map:
- target_field: int_calculate('sum', $operand_left, $operand_right)
{
"operand_left": -1,
"operand_right": -9223372036854775808
}
{
"operand_left": -1,
"operand_right": -9223372036854775808
}
The operation was performed with errors
Sub that produces overflow. the limit for a 64-bit integer is exceeded
normalize:
- map:
- target_field: int_calculate('sub', 9223372036854775807, -1)
{}
{}
The operation was performed with errors
Sub that produces overflow. the limit for a 64-bit integer is exceeded
normalize:
- map:
- target_field: int_calculate('sub', $operand_left, $operand_right)
{
"operand_left": -9223372036854775808,
"operand_right": 1
}
{
"operand_left": -9223372036854775808,
"operand_right": 1
}
The operation was performed with errors
Mul that produces overflow. the limit for a 64-bit integer is exceeded
normalize:
- map:
- target_field: int_calculate('mul', 4611686018427387904, 2)
{}
{}
The operation was performed with errors
Mul that produces overflow. the limit for a 64-bit integer is exceeded
normalize:
- map:
- target_field: int_calculate('mul', $operand_left, $operand_right)
{
"operand_left": 3074457345618258603,
"operand_right": -3
}
{
"operand_left": 3074457345618258603,
"operand_right": -3
}
The operation was performed with errors
Any division with a numerator equal to zero results in zero as long as the denominator is different from 0.
normalize:
- map:
- target_field: int_calculate('div', 0, 8)
{}
{
"target_field": 0
}
The operation was successful
Any division with a denominator equal to zero is an indeterminate operation.
normalize:
- map:
- target_field: int_calculate('div', $operand_left, $operand_right)
{
"operand_left": 5,
"operand_right": 0
}
{
"operand_left": 5,
"operand_right": 0
}
The operation was performed with errors
field: ip_version(ip)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| ip | string | reference | Any IP |
| Type | Possible values |
|---|---|
| string | Any string |
Checks the protocol version of an IP. If the version is IPv4 then it maps the IPv4 value to field. If the version is IPv6 then it maps the IPv6 value to field. If the field field already exists, then it will be replaced. In case of errors target field will not be modified.
ipGet the version type of an ip
normalize:
- map:
- target_field: ip_version($ip)
{
"ip": "111.111.1.11"
}
{
"ip": "111.111.1.11",
"target_field": "IPv4"
}
The operation was successful
Get the version type of an ip
normalize:
- map:
- target_field: ip_version($ip)
{
"ip": "3002:0bd6:0000:0000:0000:ee00:0033:6778"
}
{
"ip": "3002:0bd6:0000:0000:0000:ee00:0033:6778",
"target_field": "IPv6"
}
The operation was successful
field: join(array, separator)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| array | array | reference | Any string |
| separator | string | value | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
The operation concatenates the elements (strings) of the "array" and separates them with “separator”. The result of the string concatenation (join) operation is mapped to “field”. If the “field” already exists, then it will be replaced. In case of errors “field” will not be modified.
undefinedJoin a string using space like separator
normalize:
- map:
- target_field: join($array, ' ')
{
"array": [
"Hi Wazuh!",
"It is",
"the",
"year",
"2024"
]
}
{
"array": [
"Hi Wazuh!",
"It is",
"the",
"year",
"2024"
],
"target_field": "Hi Wazuh! It is the year 2024"
}
The operation was successful
Join a string using a string like separator
normalize:
- map:
- target_field: join($array, 'separator')
{
"array": [
"Hi Wazuh!",
"It is",
"the",
"year",
"2024"
]
}
{
"array": [
"Hi Wazuh!",
"It is",
"the",
"year",
"2024"
],
"target_field": "Hi Wazuh!separatorIt isseparatortheseparatoryearseparator2024"
}
The operation was successful
field: network_community_id(source_ip, destination_ip, source_port, destination_port, protocol)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| source_ip | string | reference | Any IP |
| destination_ip | string | reference | Any IP |
| source_port | number | reference | Integers between -2^63 and 2^63-1 |
| destination_port | number | reference | Integers between -2^63 and 2^63-1 |
| protocol | number | value or reference | Integers between -2^63 and 2^63-1 |
| Type | Possible values |
|---|---|
| string | Any string |
Produces the Community ID v1 (format 1:<base64>) for a network flow using source/destination IPs,
transport ports (or ICMP type/code), and the IANA protocol number. The seed is fixed to 0.
Port requirements by protocol:
network
community-id
TCP/IPv4 flow (protocol literal), seed=0
normalize:
- map:
- target_field: network_community_id($source_ip, $destination_ip, $source_port, $destination_port, 6)
{
"source_ip": "192.168.0.1",
"destination_ip": "10.0.0.5",
"source_port": 12345,
"destination_port": 80
}
{
"source_ip": "192.168.0.1",
"destination_ip": "10.0.0.5",
"source_port": 12345,
"destination_port": 80,
"target_field": "1:JHvDxB6S6/K68OntUBf4DJZYvkM="
}
The operation was successful
UDP/IPv4 flow (protocol literal), seed=0
normalize:
- map:
- target_field: network_community_id($source_ip, $destination_ip, $source_port, $destination_port, $protocol)
{
"source_ip": "10.1.1.1",
"destination_ip": "10.1.1.2",
"source_port": 5353,
"destination_port": 53,
"protocol": 17
}
{
"source_ip": "10.1.1.1",
"destination_ip": "10.1.1.2",
"source_port": 5353,
"destination_port": 53,
"protocol": 17,
"target_field": "1:8JTDncPomK8OiyinJXhpO10W6EY="
}
The operation was successful
IPv6 encapsulation flow (no ports), seed=0
normalize:
- map:
- target_field: network_community_id($source_ip, $destination_ip, $source_port, $destination_port, 41)
{
"source_ip": "2001:db8::1",
"destination_ip": "2001:db8::2",
"source_port": 0,
"destination_port": 0
}
{
"source_ip": "2001:db8::1",
"destination_ip": "2001:db8::2",
"source_port": 0,
"destination_port": 0,
"target_field": "1:CXfAfp/8zYUwm/5DkEbJvPdJtcU="
}
The operation was successful
ICMP echo request (type/code mapped to ports), seed=0
normalize:
- map:
- target_field: network_community_id($source_ip, $destination_ip, $source_port, $destination_port, $protocol)
{
"source_ip": "192.0.2.1",
"destination_ip": "198.51.100.2",
"source_port": 8,
"destination_port": 0,
"protocol": 1
}
{
"source_ip": "192.0.2.1",
"destination_ip": "198.51.100.2",
"source_port": 8,
"destination_port": 0,
"protocol": 1,
"target_field": "1:zFLKq9oekfjLhmre/zOf0XYYjVE="
}
The operation was successful
Reject invalid source IP literal
normalize:
- map:
- target_field: network_community_id($source_ip, $destination_ip, $source_port, $destination_port, 6)
{
"source_ip": "not-an-ip",
"destination_ip": "10.0.0.5",
"source_port": 12345,
"destination_port": 80
}
{
"source_ip": "not-an-ip",
"destination_ip": "10.0.0.5",
"source_port": 12345,
"destination_port": 80
}
The operation was performed with errors
Reject out-of-range protocol number (>255)
normalize:
- map:
- target_field: network_community_id($source_ip, $destination_ip, $source_port, $destination_port, $protocol)
{
"source_ip": "192.168.0.1",
"destination_ip": "10.0.0.5",
"source_port": 12345,
"destination_port": 80,
"protocol": 300
}
{
"source_ip": "192.168.0.1",
"destination_ip": "10.0.0.5",
"source_port": 12345,
"destination_port": 80,
"protocol": 300
}
The operation was performed with errors
Reject transport port above 65535
normalize:
- map:
- target_field: network_community_id($source_ip, $destination_ip, $source_port, $destination_port, 6)
{
"source_ip": "192.168.0.1",
"destination_ip": "10.0.0.5",
"source_port": 70000,
"destination_port": 80
}
{
"source_ip": "192.168.0.1",
"destination_ip": "10.0.0.5",
"source_port": 70000,
"destination_port": 80
}
The operation was performed with errors
Reject endpoints from mixed IP families
normalize:
- map:
- target_field: network_community_id($source_ip, $destination_ip, $source_port, $destination_port, $protocol)
{
"source_ip": "192.168.0.1",
"destination_ip": "2001:db8::1",
"source_port": 12345,
"destination_port": 80,
"protocol": 6
}
{
"source_ip": "192.168.0.1",
"destination_ip": "2001:db8::1",
"source_port": 12345,
"destination_port": 80,
"protocol": 6
}
The operation was performed with errors
TCP puerto 0 inválido (dest)
normalize:
- map:
- target_field: network_community_id($source_ip, $destination_ip, $source_port, $destination_port, 6)
{
"source_ip": "222.222.2.22",
"destination_ip": "222.222.2.22",
"source_port": 8,
"destination_port": 0
}
{
"source_ip": "222.222.2.22",
"destination_ip": "222.222.2.22",
"source_port": 8,
"destination_port": 0
}
The operation was performed with errors
field: regex_extract(fieldToMatch, regex)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| fieldToMatch | string | reference | Any string |
| regex | string | value | Any regex |
| Type | Possible values |
|---|---|
| string | Any string |
Match and capture the regex expression against the indicated "fieldToMatch", saving the captured group in field. Save in field the captured group if the regex expression matches, otherwise if "fieldToMatch" is not found or is not of type string, or if the regex did not match, nothing is performed. If the operation executes successfully the field is overridden, if it does not exist, it is created. Keep in mind that we need to escape reserved Yaml characters depending on the string input mode of Yaml. RE2 syntax: https://github.com/google/re2/wiki/Syntax This helper function is used in the map stage
undefinedMatch regular expression
normalize:
- map:
- target_field: regex_extract($fieldToMatch, '^(bye pcre\\d)$')
{
"fieldToMatch": "bye pcre2"
}
{
"fieldToMatch": "bye pcre2",
"target_field": "bye pcre2"
}
The operation was successful
Don't match regular expression
normalize:
- map:
- target_field: regex_extract($fieldToMatch, '^(bye pcre\\d)$')
{
"fieldToMatch": "ye pcre2"
}
{
"fieldToMatch": "ye pcre2"
}
The operation was performed with errors
field: sha1(any_string)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_string | string | reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Calculates the hash SHA-1 of a string. The result of the hash (sha1) operation is rendered as a hexadecimal number which is 40 digits long and is mapped to “field”. If the “field” already exists, then it will be replaced. In case of errors “field” will not be modified. This helper function is typically used in the map stage
undefinedGet hash of string
normalize:
- map:
- target_field: sha1($any_string)
{
"any_string": "Hi Wazuh!"
}
{
"any_string": "Hi Wazuh!",
"target_field": "c4e30dbc1b87ba8f29b24a74dba2f006be2a709e"
}
The operation was successful
field: syslog_extract_facility(priority)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| priority | number | reference | Integers between -2^63 and 2^63-1 |
| Type | Possible values |
|---|---|
| object | Any object |
Derives the syslog facility code and name from a priority value following RFC 5424.
Valid priorities range from 0 to 191 (facility*8 + severity).
The helper returns an object so it can be stored under log.syslog.facility.
syslog
facility name
facility code
Facility derived from priority 165 (local4).
normalize:
- map:
- target_field: syslog_extract_facility($priority)
{
"priority": 165
}
{
"priority": 165,
"target_field": {
"code": 20,
"name": "local4"
}
}
The operation was successful
Reject priority above 191.
normalize:
- map:
- target_field: syslog_extract_facility($priority)
{
"priority": 255
}
{
"priority": 255
}
The operation was performed with errors
Reject negative priority values.
normalize:
- map:
- target_field: syslog_extract_facility($priority)
{
"priority": -1
}
{
"priority": -1
}
The operation was performed with errors
field: syslog_extract_severity(priority)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| priority | number | reference | Integers between -2^63 and 2^63-1 |
| Type | Possible values |
|---|---|
| object | Any object |
Derives the syslog severity code and name from a priority value following RFC 5424.
Valid priorities range from 0 to 191 (facility*8 + severity).
The helper returns an object so it can be stored under log.syslog.severity.
syslog
severity name
severity code
Severity derived from priority 165 (Notice level).
normalize:
- map:
- target_field: syslog_extract_severity($priority)
{
"priority": 165
}
{
"priority": 165,
"target_field": {
"code": 5,
"name": "notice"
}
}
The operation was successful
Reject priority above 191.
normalize:
- map:
- target_field: syslog_extract_severity($priority)
{
"priority": 255
}
{
"priority": 255
}
The operation was performed with errors
Reject negative priority values.
normalize:
- map:
- target_field: syslog_extract_severity($priority)
{
"priority": -1
}
{
"priority": -1
}
The operation was performed with errors
field: system_epoch()
| Type | Possible values |
|---|---|
| number | Integers between -2^63 and 2^63-1 |
Get unix epoch time in seconds from system clock. The result operation is mapped to “field”. If the “field” already exists, then it will be replaced.
time
field: to_bool(number_to_convert)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| number_to_convert | number | reference |
| Type | Possible values |
|---|---|
| boolean |
Converts a numeric reference to boolean. Rule: non-zero → true, zero → false. In case of errors “target_field” will not be modified. This helper function is typically used in the map stage.
boolean
number
Converts integer 1 to true.
normalize:
- map:
- target_field: to_bool($number_to_convert)
{
"number_to_convert": 1
}
{
"number_to_convert": 1,
"target_field": true
}
The operation was successful
Converts float 1.0 to true.
normalize:
- map:
- target_field: to_bool($number_to_convert)
{
"number_to_convert": 1.0
}
{
"number_to_convert": 1.0,
"target_field": true
}
The operation was successful
Converts integer 0 to false.
normalize:
- map:
- target_field: to_bool($number_to_convert)
{
"number_to_convert": 0
}
{
"number_to_convert": 0,
"target_field": false
}
The operation was successful
Converts float 0.0 to false.
normalize:
- map:
- target_field: to_bool($number_to_convert)
{
"number_to_convert": 0.0
}
{
"number_to_convert": 0.0,
"target_field": false
}
The operation was successful
Converts integer 2 to true (positive numbers are true).
normalize:
- map:
- target_field: to_bool($number_to_convert)
{
"number_to_convert": 2
}
{
"number_to_convert": 2,
"target_field": true
}
The operation was successful
Converts integer -1 to true (non-positives are true).
normalize:
- map:
- target_field: to_bool($number_to_convert)
{
"number_to_convert": -1
}
{
"number_to_convert": -1,
"target_field": true
}
The operation was successful
Converts float 0.5 to true (positive numbers are true).
normalize:
- map:
- target_field: to_bool($number_to_convert)
{
"number_to_convert": 0.5
}
{
"number_to_convert": 0.5,
"target_field": true
}
The operation was successful
field: to_int(number_to_transform, operation_mode)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| number_to_transform | number | reference | |
| operation_mode | string | value | truncate, round |
| Type | Possible values |
|---|---|
| number | Integers between -2^63 and 2^63-1 |
Transforms a number to an integer by truncating the fractional part or rounding to the nearest integer based on the fractional value (e.g., 9.6 → 10, -4.7 → -5); values with a fractional part ≥ 0.5 or ≤ -0.5 round away from zero, while others round toward zero. The result of the to_int operation is mapped to “target_field”. In case of errors “target_field” will not be modified. This helper function is typically used in the map stage
double
float
integer
Truncates a negative float, ignoring the fractional part.
normalize:
- map:
- target_field: to_int($number_to_transform, 'truncate')
{
"number_to_transform": -4.176666736602783
}
{
"number_to_transform": -4.176666736602783,
"target_field": -4
}
The operation was successful
Round a negative float.
normalize:
- map:
- target_field: to_int($number_to_transform, 'round')
{
"number_to_transform": -4.716666736602783
}
{
"number_to_transform": -4.716666736602783,
"target_field": -5
}
The operation was successful
Rounds a negative float to the nearest integer.
normalize:
- map:
- target_field: to_int($number_to_transform, 'round')
{
"number_to_transform": -4.176666736602783
}
{
"number_to_transform": -4.176666736602783,
"target_field": -4
}
The operation was successful
Truncates a positive float less than 1 to 0.
normalize:
- map:
- target_field: to_int($number_to_transform, 'truncate')
{
"number_to_transform": 0.7124601006507874
}
{
"number_to_transform": 0.7124601006507874,
"target_field": 0
}
The operation was successful
Rounds a positive float greater than 0.5 to 1.
normalize:
- map:
- target_field: to_int($number_to_transform, 'round')
{
"number_to_transform": 0.7124601006507874
}
{
"number_to_transform": 0.7124601006507874,
"target_field": 1
}
The operation was successful
Truncates a positive float with a fractional part of 0.5.
normalize:
- map:
- target_field: to_int($number_to_transform, 'truncate')
{
"number_to_transform": 1.5
}
{
"number_to_transform": 1.5,
"target_field": 1
}
The operation was successful
Truncates a positive float just below 1.5 to 1.
normalize:
- map:
- target_field: to_int($number_to_transform, 'truncate')
{
"number_to_transform": 1.49999999
}
{
"number_to_transform": 1.49999999,
"target_field": 1
}
The operation was successful
Rounds a positive float just below 1.5 to 2.
normalize:
- map:
- target_field: to_int($number_to_transform, 'round')
{
"number_to_transform": 1.51
}
{
"number_to_transform": 1.51,
"target_field": 2
}
The operation was successful
Rounds a positive float below 1.5 but closer to 1 to 1.
normalize:
- map:
- target_field: to_int($number_to_transform, 'round')
{
"number_to_transform": 1.48888888
}
{
"number_to_transform": 1.48888888,
"target_field": 1
}
The operation was successful
Rounds a positive integer
normalize:
- map:
- target_field: to_int($number_to_transform, 'round')
{
"number_to_transform": 1000
}
{
"number_to_transform": 1000,
"target_field": 1000
}
The operation was successful
field: to_string(any_number)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_number | number | reference | Integers between -2^63 and 2^63-1 |
| Type | Possible values |
|---|---|
| string | Any string |
Transforms a number into a string with that number. This helper function is typically used in the map stage
undefinedSuccess to_string
normalize:
- map:
- target_field: to_string($any_number)
{
"any_number": 12345
}
{
"any_number": 12345,
"target_field": "12345"
}
The operation was successful
Success to_string
normalize:
- map:
- target_field: to_string($any_number)
{
"any_number": 23.565
}
{
"any_number": 23.565,
"target_field": "23.565000"
}
The operation was successful
Failure to_string
normalize:
- map:
- target_field: to_string($any_number)
{
"any_number": "12345"
}
{
"any_number": "12345"
}
The operation was performed with errors
field: upcase(lower_characters)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| lower_characters | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Converts any lowercase character to an uppercase character. The result of the uppercase (upcase) operation is mapped to “field”. If the “field” already exists, then it will be replaced. In case of errors “field” will not be modified.
stringChange string to uppercase
normalize:
- map:
- target_field: upcase('abcd')
{}
{
"target_field": "ABCD"
}
The operation was successful
Change string to uppercase
normalize:
- map:
- target_field: upcase($lower_characters)
{
"lower_characters": "aBcD"
}
{
"lower_characters": "aBcD",
"target_field": "ABCD"
}
The operation was successful
Change string to uppercase
normalize:
- map:
- target_field: upcase('aBcDECF')
{}
{
"target_field": "ABCDECF"
}
The operation was successful
field: array_append(any_object, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_object | number, string, object, boolean, array | value or reference | Any object |
| Type | Possible values |
|---|---|
| array | [number, string, boolean, object, array] |
Adds the values or references of any Json type to the target array field. This helper function is normally used in the map stage. If the target field exists and is not an array it will be overridden, if it does not exist it will be created. Currently this operations will fails as soon as one reference parameter is not found. As it is an array, only elements of the same type can be added. The type of the first element contained in the array will always be taken or, failing that, the type of the first element to be added.
arrayThe type of the value matches the type of the elements of the array
normalize:
- map:
- target_field: array_append(5)
{
"target_field": [
1,
2,
3,
4
]
}
{
"target_field": [
1,
2,
3,
4,
5
]
}
The operation was successful
The type of the value does not match the type of the array elements
normalize:
- map:
- target_field: array_append($any_object)
{
"any_object": "hello",
"target_field": [
1,
2,
3,
4
]
}
{
"any_object": "hello",
"target_field": [
1,
2,
3,
4
]
}
The operation was performed with errors
The type of the value does not match the type of the array elements
normalize:
- map:
- target_field: array_append([1, 2])
{
"target_field": [
1,
2,
3,
4
]
}
{
"target_field": [
1,
2,
3,
4
]
}
The operation was performed with errors
The type of the value does match the type of the array elements
normalize:
- map:
- target_field: array_append($any_object)
{
"any_object": 2,
"target_field": [
1.2,
2.3,
3.5,
4.9
]
}
{
"any_object": 2,
"target_field": [
1.2,
2.3,
3.5,
4.9,
2
]
}
The operation was successful
field: array_append_any(any_object, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_object | number, string, object, boolean, array | value or reference | Any object |
| Type | Possible values |
|---|---|
| array | [number, string, boolean, object, array] |
Adds the values or references of any Json type to the target array field. This helper function is normally used in the map stage. If the target field exists and is not an array it will be overridden, if it does not exist it will be created. This operation will not fail if a reference parameter is not found, any parameters before or after it will be added to the target field. As it is an array, only elements of the same type can be added. The type of the first element contained in the array will always be taken or, failing that, the type of the first element to be added.
arrayThe type of the value matches the type of the elements of the array
normalize:
- map:
- target_field: array_append_any(5, 6)
{
"target_field": [
1,
2,
3,
4
]
}
{
"target_field": [
1,
2,
3,
4,
5,
6
]
}
The operation was successful
The type of the value matches the type of the elements of the array
normalize:
- map:
- target_field: array_append_any($any_object, $any_object_2)
{
"any_object": null,
"any_object_2": 6,
"target_field": [
1,
2,
3,
4
]
}
{
"any_object": null,
"any_object_2": 6,
"target_field": [
1,
2,
3,
4,
6
]
}
The operation was successful
The type of the value matches the type of the elements of the array
normalize:
- map:
- target_field: array_append_any(5, $any_object_2)
{
"any_object_2": null,
"target_field": [
1,
2,
3,
4
]
}
{
"any_object_2": null,
"target_field": [
1,
2,
3,
4,
5
]
}
The operation was successful
field: array_append_unique(any_object, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_object | number, string, object, boolean, array | value or reference | Any object |
| Type | Possible values |
|---|---|
| array | [number, string, boolean, object, array] |
Appends the string values or any Json type by reference to the target array field. This helper function is typically used in the map stage. If the target field exists and is not an array it will be overridden, if it does not exist it will be created. Currently this operations will fails as soon as one reference parameter is not found or the element trying to be added already exists in the array.
arrayFailure array append unique
normalize:
- map:
- target_field: array_append_unique('hello')
{
"target_field": [
"hola",
"hello",
"salut",
"ciao"
]
}
{
"target_field": [
"hola",
"hello",
"salut",
"ciao"
]
}
The operation was performed with errors
Failure array append unique
normalize:
- map:
- target_field: array_append_unique($any_object)
{
"any_object": 5,
"target_field": [
1,
2,
3,
4,
5
]
}
{
"any_object": 5,
"target_field": [
1,
2,
3,
4,
5
]
}
The operation was performed with errors
Success array append unique
normalize:
- map:
- target_field: array_append_unique(5)
{
"target_field": [
1,
2,
3,
4
]
}
{
"target_field": [
1,
2,
3,
4,
5
]
}
The operation was successful
field: array_append_unique_any(any_object, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_object | number, string, object, boolean, array | value or reference | Any object |
| Type | Possible values |
|---|---|
| array | [number, string, boolean, object, array] |
Appends the string values or any Json type by reference to the target array field. This helper function is typically used in the map stage. If the target field exists and is not an array it will be overridden, if it does not exist it will be created. This operation will not fail if a reference parameter is not found, any parameters before or after it will be added to the target field.
arrayThe type of the value matches the type of the elements of the array
normalize:
- map:
- target_field: array_append_unique_any(5, 6)
{
"target_field": [
1,
2,
3,
4,
5
]
}
{
"target_field": [
1,
2,
3,
4,
5,
6
]
}
The operation was successful
The type of the value matches the type of the elements of the array
normalize:
- map:
- target_field: array_append_unique_any($any_object, $any_object_2)
{
"any_object": null,
"any_object_2": 6,
"target_field": [
1,
2,
3,
4,
6
]
}
{
"any_object": null,
"any_object_2": 6,
"target_field": [
1,
2,
3,
4,
6
]
}
The operation was performed with errors
The type of the value matches the type of the elements of the array
normalize:
- map:
- target_field: array_append_unique_any(5, $any_object_2)
{
"any_object_2": null,
"target_field": [
1,
2,
3,
4
]
}
{
"any_object_2": null,
"target_field": [
1,
2,
3,
4,
5
]
}
The operation was successful
field: delete()
| Type | Possible values |
|---|---|
| [number, string, object, boolean, array] | - |
Deletes the key named “field” from the event. If it does not exist, the function will evaluate to false. This helper function is typically used in the map stage.
deleteSuccess delete
normalize:
- map:
- target_field: delete()
{
"target_field": "-- Hi wazuh! --"
}
{
"target_field": ""
}
The operation was successful
Success delete
normalize:
- map:
- target_field: delete()
{
"target_field": {
"key": "value"
}
}
{
"target_field": ""
}
The operation was successful
Success delete
normalize:
- map:
- target_field: delete()
{
"target_field": [
1,
2,
3,
4
]
}
{
"target_field": ""
}
The operation was successful
field: delete_fields_with_value(any_object)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_object | number, string, object, boolean, array | value or reference | Any object |
| Type | Possible values |
|---|---|
| object | Any object |
Deletes all immediate children of “field” whose value equals the provided argument. The argument may be any JSON value (string, number, boolean, null, array, object) or a reference ($ref). Equality is type-aware and structural (objects/arrays compared by value).
deleteDeletes children equal to the given string
normalize:
- map:
- target_field: delete_fields_with_value('N/A')
{
"target_field": {
"a": "N/A",
"b": "ok",
"c": "N/A"
}
}
{
"target_field": {
"b": "ok"
}
}
The operation was successful
Deletes children equal to integer 1
normalize:
- map:
- target_field: delete_fields_with_value(1)
{
"target_field": {
"a": 1,
"b": 2,
"c": 1
}
}
{
"target_field": {
"b": 2
}
}
The operation was successful
Deletes children equal to the given double
normalize:
- map:
- target_field: delete_fields_with_value(1.0)
{
"target_field": {
"a": 1.0,
"b": 2.0,
"c": 1.0
}
}
{
"target_field": {
"b": 2.0
}
}
The operation was successful
Deletes children equal to the given boolean
normalize:
- map:
- target_field: delete_fields_with_value(True)
{
"target_field": {
"a": true,
"b": false,
"c": true
}
}
{
"target_field": {
"b": false
}
}
The operation was successful
Deletes children equal to the given object
normalize:
- map:
- target_field: delete_fields_with_value({'k': 1})
{
"target_field": {
"a": {
"k": 1
},
"b": {
"k": 2
},
"c": {
"k": 1
}
}
}
{
"target_field": {
"b": {
"k": 2
}
}
}
The operation was successful
Deletes children equal to the given array
normalize:
- map:
- target_field: delete_fields_with_value([1, 2])
{
"target_field": {
"a": [
1,
2
],
"b": [
3
],
"c": [
1,
2
]
}
}
{
"target_field": {
"b": [
3
]
}
}
The operation was successful
No deletions when there are no matches
normalize:
- map:
- target_field: delete_fields_with_value('Z')
{
"target_field": {
"a": "foo",
"b": 2
}
}
{
"target_field": {
"a": "foo",
"b": 2
}
}
The operation was successful
No deletions when reference path is not found
normalize:
- map:
- target_field: delete_fields_with_value($any_object)
{
"any_object": "$target.missing",
"target_field": {
"a": "keep",
"b": 1
}
}
{
"any_object": "$target.missing",
"target_field": {
"a": "keep",
"b": 1
}
}
The operation was successful
No deletions when argument is null but target has no nulls
normalize:
- map:
- target_field: delete_fields_with_value(null)
{
"target_field": {
"a": "keep",
"b": 1,
"c": false
}
}
{
"target_field": {
"a": "keep",
"b": 1,
"c": false
}
}
The operation was successful
field: discard_events()
| Type | Possible values |
|---|---|
| [boolean] | - |
Immediately stops event processing in the pipeline by setting the discard flag. This helper is used to prevent events from being enriched and/or indexed based on specific conditions.
Behavior depends on policy configuration (index_discarded_events):
Usage Rules:
delete
field: erase_custom_fields()
| Type | Possible values |
|---|---|
| [number, string, object, boolean, array] | - |
This operation removes all fields that do not belong to the schema. Typically used with field = ".", the root element.
deleteSuccess erase custom file
normalize:
- map:
- target_field: erase_custom_fields()
{
"target_field": "-- Hi wazuh! --"
}
{
"target_field": ""
}
The operation was successful
Success erase custum file
normalize:
- map:
- target_field: erase_custom_fields()
{
"target_field": {
"key": "value"
}
}
{
"target_field": ""
}
The operation was successful
Success erase custom file
normalize:
- map:
- target_field: erase_custom_fields()
{
"target_field": [
1,
2,
3,
4
]
}
{
"target_field": ""
}
The operation was successful
field: get_key_in(any_object, key)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_object | object | value or reference | Any object |
| key | string | reference | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Maps target field value with the content of some key in the specified object. Where the key is specified with a reference to another field. The object parameter must be a definition object or a reference to a field containing the object. This helper function is typically used in the map stage.
undefinedThe value to replace was found
normalize:
- map:
- target_field: get_key_in({'key': 'name', 'key2': 'surname'}, $key)
{
"key": "key2",
"target_field": "name"
}
{
"key": "key2",
"target_field": "surname"
}
The operation was successful
The value to replace was found
normalize:
- map:
- target_field: get_key_in($any_object, $key)
{
"any_object": {
"key": "name",
"key2": {
"age": 27,
"address": "new york"
}
},
"key": "key2",
"target_field": "name"
}
{
"any_object": {
"key": "name",
"key2": {
"age": 27,
"address": "new york"
}
},
"key": "key2",
"target_field": {
"age": 27,
"address": "new york"
}
}
The operation was successful
field: kvdb_decode_bitmask(db_name, table_name, mask)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| db_name | string | value | Any string |
| table_name | string | value | Any string |
| mask | string | reference | Any hexadecimal |
| Type | Possible values |
|---|---|
| array | [number, string, boolean, object, array] |
Decodes a hexadecimal bitmask into an array of values using a reference table stored in a KVDB.
Compile time:
Execution time:
Special notes:
kvdb
bitmask
Fails when the KVDB does not exist, leaving the target array unchanged
normalize:
- map:
- target_field: kvdb_decode_bitmask('non-existing-db', 'access_mask', $mask)
{
"mask": "1"
}
{
"mask": "1",
"target_field": []
}
The operation was performed with errors
Fails when the table entry does not exist in the KVDB
normalize:
- map:
- target_field: kvdb_decode_bitmask('windows_kerberos_status_code_to_code_name', 'non_existing_table', $mask)
{
"mask": "1"
}
{
"mask": "1",
"target_field": []
}
The operation was performed with errors
Decodes a mask with bit 0 set into the corresponding access_mask value
normalize:
- map:
- target_field: kvdb_decode_bitmask('windows_kerberos_status_code_to_code_name', 'access_mask', $mask)
{
"mask": "1"
}
{
"mask": "1",
"target_field": [
"Create Child"
]
}
The operation was successful
Decodes a mask with multiple active bits, preserving bit order
normalize:
- map:
- target_field: kvdb_decode_bitmask('windows_kerberos_status_code_to_code_name', 'access_mask', $mask)
{
"mask": "11"
}
{
"mask": "11",
"target_field": [
"Create Child",
"Read Property"
]
}
The operation was successful
Skips bit positions that are not present in the access_mask table
normalize:
- map:
- target_field: kvdb_decode_bitmask('windows_kerberos_status_code_to_code_name', 'access_mask', $mask)
{
"mask": "1100"
}
{
"mask": "1100",
"target_field": [
"Control Access"
]
}
The operation was successful
Appends decoded access_mask values to an existing array
normalize:
- map:
- target_field: kvdb_decode_bitmask('windows_kerberos_status_code_to_code_name', 'access_mask', $mask)
{
"mask": "10000",
"target_field": [
"Base"
]
}
{
"mask": "10000",
"target_field": [
"Base",
"DELETE"
]
}
The operation was successful
Fails when no bits in the mask have entries in the access_mask table, leaving target unchanged
normalize:
- map:
- target_field: kvdb_decode_bitmask('windows_kerberos_status_code_to_code_name', 'access_mask', $mask)
{
"mask": "8000",
"target_field": [
"Base"
]
}
{
"mask": "8000",
"target_field": [
"Base"
]
}
The operation was performed with errors
field: kvdb_get(db_name, key)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| db_name | string | value | Any string |
| key | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| [string, number, boolean, object, array] | - |
Looks up the value of a given key in the KVDB named "db_name". If the key exists, its value (string, number, boolean, object, array or null) is stored in the target field. If either the database or the key do not exist, the operation is a no-op: it does not modify the target field and evaluates to false (but must not fail). This helper function is typically used in the map stage.
kvdbNo-op when the KVDB does not exist
normalize:
- map:
- target_field: kvdb_get('non-existing-db', '0x0')
{
"target_field": "keep-me"
}
{
"target_field": "keep-me"
}
The operation was performed with errors
No-op when the key does not exist in the KVDB
normalize:
- map:
- target_field: kvdb_get('windows_kerberos_status_code_to_code_name', $key)
{
"key": "0x99",
"target_field": "keep-me"
}
{
"key": "0x99",
"target_field": "keep-me"
}
The operation was performed with errors
Stores a string value from the KVDB into the target field
normalize:
- map:
- target_field: kvdb_get('windows_kerberos_status_code_to_code_name', '0x0')
{}
{
"target_field": "KDC_ERR_NONE"
}
The operation was successful
Stores another string value from the KVDB into the target field
normalize:
- map:
- target_field: kvdb_get('windows_kerberos_status_code_to_code_name', $key)
{
"key": "0x6"
}
{
"key": "0x6",
"target_field": "KDC_ERR_C_PRINCIPAL_UNKNOWN"
}
The operation was successful
Resolves key from a reference before lookup
normalize:
- map:
- target_field: kvdb_get('windows_kerberos_status_code_to_code_name', $key)
{
"key": "0x1"
}
{
"key": "0x1",
"target_field": "KDC_ERR_NAME_EXP"
}
The operation was successful
Stores an object value from the KVDB into the target field
normalize:
- map:
- target_field: kvdb_get('windows_kerberos_status_code_to_code_name', $key)
{
"key": "access_mask"
}
{
"key": "access_mask",
"target_field": {
"0": "Create Child",
"1": "Delete Child",
"2": "List Contents",
"3": "SELF",
"4": "Read Property",
"5": "Write Property",
"6": "Delete Tree",
"7": "List Object",
"8": "Control Access",
"16": "DELETE",
"17": "READ_CONTROL",
"18": "WRITE_DAC",
"19": "WRITE_OWNER",
"20": "SYNCHRONIZE",
"24": "ADS_RIGHT_ACCESS_SYSTEM_SECURITY",
"31": "ADS_RIGHT_GENERIC_READ",
"30": "ADS_RIGHT_GENERIC_WRITE",
"29": "ADS_RIGHT_GENERIC_EXECUTE",
"28": "ADS_RIGHT_GENERIC_ALL"
}
}
The operation was successful
Stores an array value from the KVDB into the target field
normalize:
- map:
- target_field: kvdb_get('windows_kerberos_status_code_to_code_name', 'bitmask_test_values')
{}
{
"target_field": [
0,
1,
2,
3,
4,
16,
17,
18,
19,
20,
24,
28,
29,
30,
31
]
}
The operation was successful
field: kvdb_get_array(db_name, array_key)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| db_name | string | value | Any string |
| array_key | array | value or reference | Any string |
| Type | Possible values |
|---|---|
| array | [number, string, boolean, object, array] |
For each key in "array_key", looks up the value in the KVDB named "db_name" and appends any found values to the target array field.
kvdb
array
No-op when the KVDB does not exist
normalize:
- map:
- target_field: kvdb_get_array('non-existing-db', ['0x0', '0x1'])
{
"target_field": [
"BASE"
]
}
{
"target_field": [
"BASE"
]
}
The operation was performed with errors
Appends values for each existing key in array_key
normalize:
- map:
- target_field: kvdb_get_array('windows_kerberos_status_code_to_code_name', $array_key)
{
"array_key": [
"0x0",
"0x1"
]
}
{
"array_key": [
"0x0",
"0x1"
],
"target_field": [
"KDC_ERR_NONE",
"KDC_ERR_NAME_EXP"
]
}
The operation was successful
Skips keys that are not present in the KVDB
normalize:
- map:
- target_field: kvdb_get_array('windows_kerberos_status_code_to_code_name', ['0x0', '0x99', '0x6'])
{}
{
"target_field": [
"KDC_ERR_NONE",
"KDC_ERR_C_PRINCIPAL_UNKNOWN"
]
}
The operation was performed with errors
Appends KVDB values to an existing array
normalize:
- map:
- target_field: kvdb_get_array('windows_kerberos_status_code_to_code_name', $array_key)
{
"array_key": [
"0x2"
],
"target_field": [
"LOCAL_BASE"
]
}
{
"array_key": [
"0x2"
],
"target_field": [
"LOCAL_BASE",
"KDC_ERR_SERVICE_EXP"
]
}
The operation was successful
No-op when none of the keys exist in the KVDB
normalize:
- map:
- target_field: kvdb_get_array('windows_kerberos_status_code_to_code_name', ['0x99', '0x98'])
{
"target_field": [
"BASE"
]
}
{
"target_field": [
"BASE"
]
}
The operation was performed with errors
Appends values for keys provided by reference
normalize:
- map:
- target_field: kvdb_get_array('windows_kerberos_status_code_to_code_name', $array_key)
{
"array_key": [
"0x0",
"0x1",
"0x6"
]
}
{
"array_key": [
"0x0",
"0x1",
"0x6"
],
"target_field": [
"KDC_ERR_NONE",
"KDC_ERR_NAME_EXP",
"KDC_ERR_C_PRINCIPAL_UNKNOWN"
]
}
The operation was successful
Skips non-existing keys provided by reference
normalize:
- map:
- target_field: kvdb_get_array('windows_kerberos_status_code_to_code_name', $array_key)
{
"array_key": [
"0x2",
"0x99",
"0x6"
]
}
{
"array_key": [
"0x2",
"0x99",
"0x6"
],
"target_field": [
"KDC_ERR_SERVICE_EXP",
"KDC_ERR_C_PRINCIPAL_UNKNOWN"
]
}
The operation was performed with errors
Appends an array value from the KVDB as a single element in the target array
normalize:
- map:
- target_field: kvdb_get_array('windows_kerberos_status_code_to_code_name', $array_key)
{
"array_key": [
"bitmask_test_values"
]
}
{
"array_key": [
"bitmask_test_values"
],
"target_field": [
[
0,
1,
2,
3,
4,
16,
17,
18,
19,
20,
24,
28,
29,
30,
31
]
]
}
The operation was successful
field: kvdb_get_merge(db_name, key)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| db_name | string | value | Any string |
| key | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| [object, array] | - |
Looks up the value of a given key in the KVDB named "db_name". If the key exists and the value type matches the current type of the target field, both values are merged:
kvdbNo-op when the KVDB does not exist
normalize:
- map:
- target_field: kvdb_get_merge('non-existing-db', '0x0')
{
"target_field": {
"merged": {
"status": "INITIAL"
}
}
}
{
"target_field": {
"merged": {
"status": "INITIAL"
}
}
}
The operation was performed with errors
No-op when the key does not exist in the KVDB
normalize:
- map:
- target_field: kvdb_get_merge('windows_kerberos_status_code_to_code_name', $key)
{
"key": "0x99",
"target_field": {
"merged": {
"status": "INITIAL"
}
}
}
{
"key": "0x99",
"target_field": {
"merged": {
"status": "INITIAL"
}
}
}
The operation was performed with errors
No-op when KVDB value is a string and target field is an object
normalize:
- map:
- target_field: kvdb_get_merge('windows_kerberos_status_code_to_code_name', '0x0')
{
"target_field": {
"status": "INITIAL"
}
}
{
"target_field": {
"status": "INITIAL"
}
}
The operation was performed with errors
No-op when KVDB value is a string and target field is an array
normalize:
- map:
- target_field: kvdb_get_merge('windows_kerberos_status_code_to_code_name', $key)
{
"key": "0x1",
"target_field": [
"KDC_ERR_OLD"
]
}
{
"key": "0x1",
"target_field": [
"KDC_ERR_OLD"
]
}
The operation was performed with errors
No-op when KVDB value is a string and target field is an object, using a referenced key
normalize:
- map:
- target_field: kvdb_get_merge('windows_kerberos_status_code_to_code_name', $key)
{
"key": "0x2",
"target_field": {
"status": "INITIAL"
}
}
{
"key": "0x2",
"target_field": {
"status": "INITIAL"
}
}
The operation was performed with errors
Recursively merges object from KVDB into target object, overriding shared keys and preserving local-only keys
normalize:
- map:
- target_field: kvdb_get_merge('windows_kerberos_status_code_to_code_name', $key)
{
"key": "access_mask",
"target_field": {
"0": "LOCAL_OVERRIDE",
"99": "LOCAL_CUSTOM"
}
}
{
"key": "access_mask",
"target_field": {
"0": "Create Child",
"1": "Delete Child",
"2": "List Contents",
"3": "SELF",
"4": "Read Property",
"5": "Write Property",
"6": "Delete Tree",
"7": "List Object",
"8": "Control Access",
"16": "DELETE",
"17": "READ_CONTROL",
"18": "WRITE_DAC",
"19": "WRITE_OWNER",
"20": "SYNCHRONIZE",
"24": "ADS_RIGHT_ACCESS_SYSTEM_SECURITY",
"31": "ADS_RIGHT_GENERIC_READ",
"30": "ADS_RIGHT_GENERIC_WRITE",
"29": "ADS_RIGHT_GENERIC_EXECUTE",
"28": "ADS_RIGHT_GENERIC_ALL",
"99": "LOCAL_CUSTOM"
}
}
The operation was successful
Recursively merges array from KVDB into target array, appending elements without clearing existing ones
normalize:
- map:
- target_field: kvdb_get_merge('windows_kerberos_status_code_to_code_name', 'bitmask_test_values')
{
"target_field": [
-1
]
}
{
"target_field": [
-1,
0,
1,
2,
3,
4,
16,
17,
18,
19,
20,
24,
28,
29,
30,
31
]
}
The operation was successful
field: kvdb_get_merge_recursive(db_name, key)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| db_name | string | value | Any string |
| key | string | value or reference | Any string |
| Type | Possible values |
|---|---|
| [object, array] | - |
Gets the value of a given key in the DB named "db_name" and, if successful, recursively merges this value into the current value of the target field.
kvdb
merge
recursive
No-op when the KVDB does not exist
normalize:
- map:
- target_field: kvdb_get_merge_recursive('non-existing-db', '0x0')
{
"target_field": {
"kerberos": {
"status": "INITIAL"
}
}
}
{
"target_field": {
"kerberos": {
"status": "INITIAL"
}
}
}
The operation was performed with errors
No-op when the key does not exist in the KVDB
normalize:
- map:
- target_field: kvdb_get_merge_recursive('windows_kerberos_status_code_to_code_name', $key)
{
"key": "0x99",
"target_field": {
"kerberos": {
"status": "INITIAL"
}
}
}
{
"key": "0x99",
"target_field": {
"kerberos": {
"status": "INITIAL"
}
}
}
The operation was performed with errors
No-op when KVDB value is a string and target field is an object
normalize:
- map:
- target_field: kvdb_get_merge_recursive('windows_kerberos_status_code_to_code_name', '0x0')
{
"target_field": {
"kerberos": {
"status": "INITIAL"
}
}
}
{
"target_field": {
"kerberos": {
"status": "INITIAL"
}
}
}
The operation was performed with errors
No-op when KVDB value is a string and target field is an array
normalize:
- map:
- target_field: kvdb_get_merge_recursive('windows_kerberos_status_code_to_code_name', $key)
{
"key": "0x1",
"target_field": [
"KDC_ERR_OLD"
]
}
{
"key": "0x1",
"target_field": [
"KDC_ERR_OLD"
]
}
The operation was performed with errors
No-op when KVDB value is a string and target field is an object, using a referenced key
normalize:
- map:
- target_field: kvdb_get_merge_recursive('windows_kerberos_status_code_to_code_name', $key)
{
"key": "kerberos_code",
"target_field": {
"kerberos": {
"status": "INITIAL"
}
}
}
{
"key": "kerberos_code",
"target_field": {
"kerberos": {
"status": "INITIAL"
}
}
}
The operation was performed with errors
Recursively merges object from KVDB into target object, overriding shared keys and preserving local-only keys
normalize:
- map:
- target_field: kvdb_get_merge_recursive('windows_kerberos_status_code_to_code_name', $key)
{
"key": "access_mask",
"target_field": {
"0": "LOCAL_OVERRIDE",
"99": "LOCAL_CUSTOM"
}
}
{
"key": "access_mask",
"target_field": {
"0": "Create Child",
"1": "Delete Child",
"2": "List Contents",
"3": "SELF",
"4": "Read Property",
"5": "Write Property",
"6": "Delete Tree",
"7": "List Object",
"8": "Control Access",
"16": "DELETE",
"17": "READ_CONTROL",
"18": "WRITE_DAC",
"19": "WRITE_OWNER",
"20": "SYNCHRONIZE",
"24": "ADS_RIGHT_ACCESS_SYSTEM_SECURITY",
"31": "ADS_RIGHT_GENERIC_READ",
"30": "ADS_RIGHT_GENERIC_WRITE",
"29": "ADS_RIGHT_GENERIC_EXECUTE",
"28": "ADS_RIGHT_GENERIC_ALL",
"99": "LOCAL_CUSTOM"
}
}
The operation was successful
Recursively merges array from KVDB into target array, appending elements without clearing existing ones
normalize:
- map:
- target_field: kvdb_get_merge_recursive('windows_kerberos_status_code_to_code_name', 'bitmask_test_values')
{
"target_field": [
-1
]
}
{
"target_field": [
-1,
0,
1,
2,
3,
4,
16,
17,
18,
19,
20,
24,
28,
29,
30,
31
]
}
The operation was successful
field: merge(any_object)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_object | object, array, number, string, boolean | reference | Any object |
| Type | Possible values |
|---|---|
| [object, array, number, string, boolean] | - |
Merge “any_object“ into “field”. Both fields must be the same type and of type object or type array otherwise the operation will fail and neither fields will be modified. The result of the merge operation is mapped to “field” and “any_object“ is deleted. When merging objects, if a collision is produced the target key will be overridden by the reference key. When merging arrays, if a collision is produced the target key will be preserved in its original order and will be not duplicated. This helper function is typically used in the map stage
undefinedJSON objects merged
normalize:
- map:
- target_field: merge($any_object)
{
"any_object": {
"key": "name",
"key2": {
"age": 27,
"address": "new york"
}
},
"target_field": {
"key3": "surname"
}
}
{
"any_object": {
"key": "name",
"key2": {
"age": 27,
"address": "new york"
}
},
"target_field": {
"key": "name",
"key2": {
"age": 27,
"address": "new york"
},
"key3": "surname"
}
}
The operation was successful
JSON objects merged
normalize:
- map:
- target_field: merge($any_object)
{
"any_object": [
0,
1,
2,
4
],
"target_field": [
1,
3
]
}
{
"any_object": [
0,
1,
2,
4
],
"target_field": [
1,
3,
0,
2,
4
]
}
The operation was successful
field: merge_key_in(any_object, key)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_object | object | value or reference | Any object |
| key | string | reference | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Merge in target field value with the content of some key in the specified object, where the key is specified with a reference to another field. The object parameter must be a definition object or a reference to a field containing the object. This helper function is typically used in the map stage.
undefinedThe merge was success
normalize:
- map:
- target_field: merge_key_in({'input_key_1': {'v1': 'k1'}, 'input_key_2': {'v2': 'k2'}}, $key)
{
"key": "input_key_1",
"target_field": {
"v0": "k0"
}
}
{
"key": "input_key_1",
"target_field": {
"v0": "k0",
"v1": "k1"
}
}
The operation was successful
The input key was not found
normalize:
- map:
- target_field: merge_key_in($any_object, $key)
{
"any_object": {
"input_key_1": {
"v1": "k1"
},
"input_key_2": {
"v2": "k2"
}
},
"key": "input_key_not_found",
"target_field": {
"v0": "k0"
}
}
{
"any_object": {
"input_key_1": {
"v1": "k1"
},
"input_key_2": {
"v2": "k2"
}
},
"key": "input_key_not_found",
"target_field": {
"v0": "k0"
}
}
The operation was performed with errors
The value from the specified key input_key_1 is not merged into target_field, due to the need for recursion.
normalize:
- map:
- target_field: merge_key_in({'input_key_1': {'v1': 'k1', 'nested': {'n1': 'value1'}}, 'input_key_2': {'v2': 'k2'}}, $key)
{
"key": "input_key_1",
"target_field": {
"v0": "k0",
"nested": {
"n2": "value2"
}
}
}
{
"key": "input_key_1",
"target_field": {
"v0": "k0",
"v1": "k1",
"nested": {
"n1": "value1"
}
}
}
The operation was successful
Success merge in object with same keys
normalize:
- map:
- target_field: merge_key_in($any_object, $key)
{
"any_object": {
"input_key_1": {
"b": "a-value",
"c": "a-value"
}
},
"key": "input_key_1",
"target_field": {
"a": "b-value",
"c": "b-value"
}
}
{
"any_object": {
"input_key_1": {
"b": "a-value",
"c": "a-value"
}
},
"key": "input_key_1",
"target_field": {
"a": "b-value",
"b": "a-value",
"c": "a-value"
}
}
The operation was successful
field: merge_recursive_key_in(any_object, key)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| any_object | object | value or reference | Any object |
| key | string | reference | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Recursively merge the target field value with the content of a specified key in the given object. The key is identified through a reference to another field. If the key's value contains nested objects, the merge operation is applied recursively, combining all levels of the structure. The object parameter must be a definition object or a reference to a field containing the object. This helper function is typically used in the map stage to ensure deep merging of complex objects.
undefinedThe value from the specified key input_key_1 is merged into target_field, including nested structures.
normalize:
- map:
- target_field: merge_recursive_key_in({'input_key_1': {'v1': 'k1', 'nested': {'n1': 'value1'}}, 'input_key_2': {'v2': 'k2'}}, $key)
{
"key": "input_key_1",
"target_field": {
"v0": "k0",
"nested": {
"n2": "value2"
}
}
}
{
"key": "input_key_1",
"target_field": {
"v0": "k0",
"v1": "k1",
"nested": {
"n1": "value1",
"n2": "value2"
}
}
}
The operation was successful
The value from the specified key input_key_1, including a different nested structure (other_nested), is merged into target_field.
normalize:
- map:
- target_field: merge_recursive_key_in($any_object, $key)
{
"any_object": {
"input_key_1": {
"v1": "k1",
"other_nested": {
"n1": "value1"
}
},
"input_key_2": {
"v2": "k2"
}
},
"key": "input_key_1",
"target_field": {
"v0": "k0",
"nested": {
"n2": "value2"
}
}
}
{
"any_object": {
"input_key_1": {
"v1": "k1",
"other_nested": {
"n1": "value1"
}
},
"input_key_2": {
"v2": "k2"
}
},
"key": "input_key_1",
"target_field": {
"v0": "k0",
"v1": "k1",
"other_nested": {
"n1": "value1"
},
"nested": {
"n2": "value2"
}
}
}
The operation was successful
The nested content from the specified key input_key_1 is merged into target_field, preserving existing fields.
normalize:
- map:
- target_field: merge_recursive_key_in({'input_key_1': {'v1': 'k1', 'nested': {'n1': 'value1'}}, 'input_key_2': {'v2': 'k2'}}, $key)
{
"key": "input_key_1",
"target_field": {
"v1": "k1",
"nested": {
"n2": "value2"
}
}
}
{
"key": "input_key_1",
"target_field": {
"v1": "k1",
"nested": {
"n1": "value1",
"n2": "value2"
}
}
}
The operation was successful
The specified key input_key_not_exists does not exist in any_object, so no merge is performed, and the test fails as expected.
normalize:
- map:
- target_field: merge_recursive_key_in($any_object, $key)
{
"any_object": {
"input_key_1": {
"v1": "k1",
"nested": {
"n1": "value1"
}
},
"input_key_2": {
"v2": "k2"
}
},
"key": "input_key_not_exists",
"target_field": {
"v0": "k0",
"nested": {
"n2": "value2"
}
}
}
{
"any_object": {
"input_key_1": {
"v1": "k1",
"nested": {
"n1": "value1"
}
},
"input_key_2": {
"v2": "k2"
}
},
"key": "input_key_not_exists",
"target_field": {
"v0": "k0",
"nested": {
"n2": "value2"
}
}
}
The operation was performed with errors
field: parse_alphanumeric(field_to_parse, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| field_to_parse | string | reference | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Checks if an input matches an alphanumeric string, and if so, it evaluates to true and the extracted data contained in a JSON object is stored in the output field; otherwise, it evaluates to false.
parserSuccess alphanumeric parse
normalize:
- map:
- target_field: parse_alphanumeric($field_to_parse)
{
"field_to_parse": "Hello2024",
"target_field": "any_value"
}
{
"field_to_parse": "Hello2024",
"target_field": "Hello2024"
}
The operation was successful
Failure alphanumeric parse
normalize:
- map:
- target_field: parse_alphanumeric($field_to_parse)
{
"field_to_parse": "Not{isalphanum}",
"target_field": "any_value"
}
{
"field_to_parse": "Not{isalphanum}",
"target_field": "any_value"
}
The operation was performed with errors
field: parse_between(input_field, start, end, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| start | string | value | Any string |
| end | string | value | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Evaluates if the content of the input field is a string that begins with the start delimiter and ends
with the end delimiter. If so, it extracts the text found between these delimiters
and stores this extracted substring in field
parserSuccess between parse
normalize:
- map:
- target_field: parse_between($input_field, '[', ']')
{
"input_field": "[Hello, World!]",
"target_field": "any_value"
}
{
"input_field": "[Hello, World!]",
"target_field": "Hello, World!"
}
The operation was successful
Failure between parse
normalize:
- map:
- target_field: parse_between($input_field, '(', ')')
{
"input_field": "(Start) Middle End",
"target_field": "any_value"
}
{
"input_field": "(Start) Middle End",
"target_field": "any_value"
}
The operation was performed with errors
Success between parse
normalize:
- map:
- target_field: parse_between($input_field, 'Start', 'End')
{
"input_field": "Start and End",
"target_field": "any_value"
}
{
"input_field": "Start and End",
"target_field": " and "
}
The operation was successful
field: parse_binary(input_field)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
Evaluates if the content of the input field is a string that accurately represents base64 encoded data.
It checks the string for compliance with the base64 encoding standards, including character set and padding.
If the string is a valid base64 encoded string, it stores the same string in field without modification.
parserSuccess binary parse
normalize:
- map:
- target_field: parse_binary($input_field)
{
"input_field": "SGVsbG8sIFdvcmxkIQ==",
"target_field": "any_value"
}
{
"input_field": "SGVsbG8sIFdvcmxkIQ==",
"target_field": "SGVsbG8sIFdvcmxkIQ=="
}
The operation was successful
Failure binary parse
normalize:
- map:
- target_field: parse_binary($input_field)
{
"input_field": "not base64",
"target_field": "any_value"
}
{
"input_field": "not base64",
"target_field": "any_value"
}
The operation was performed with errors
Failure binary parse
normalize:
- map:
- target_field: parse_binary($input_field)
{
"input_field": "not base64",
"target_field": [
"any_value"
]
}
{
"input_field": "not base64",
"target_field": [
"any_value"
]
}
The operation was performed with errors
Failure binary parse
normalize:
- map:
- target_field: parse_binary($input_field)
{
"input_field": "not base64",
"target_field": {
"key": "value"
}
}
{
"input_field": "not base64",
"target_field": {
"key": "value"
}
}
The operation was performed with errors
Failure binary parse
normalize:
- map:
- target_field: parse_binary($input_field)
{
"input_field": "not base64",
"target_field": true
}
{
"input_field": "not base64",
"target_field": true
}
The operation was performed with errors
field: parse_bool(input_field)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
Checks if an input is the “true” or “false” string and store a boolean value in field according to the string value. The operation es key insensitive Fail if other value is store in $inField or not exist.
parserSuccess bool parse
normalize:
- map:
- target_field: parse_bool($input_field)
{
"input_field": "true",
"target_field": "any_value"
}
{
"input_field": "true",
"target_field": true
}
The operation was successful
Failure bool parse
normalize:
- map:
- target_field: parse_bool($input_field)
{
"input_field": "hello",
"target_field": "any_value"
}
{
"input_field": "hello",
"target_field": "any_value"
}
The operation was performed with errors
Failure bool parse
normalize:
- map:
- target_field: parse_bool($input_field)
{
"input_field": "hello",
"target_field": [
"any_value"
]
}
{
"input_field": "hello",
"target_field": [
"any_value"
]
}
The operation was performed with errors
Failure bool parse
normalize:
- map:
- target_field: parse_bool($input_field)
{
"input_field": "hello",
"target_field": {
"key": "value"
}
}
{
"input_field": "hello",
"target_field": {
"key": "value"
}
}
The operation was performed with errors
field: parse_byte(input_field)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
Evaluates if the content of the input field is a string representing a numeric value.
If the numeric value is within the range of -128 to 127 (inclusive)
it truncates the number to fit into a byte data type and stores the result in field. The operation is case-sensitive.
parserSuccess byte parse
normalize:
- map:
- target_field: parse_byte($input_field)
{
"input_field": "127",
"target_field": "any_value"
}
{
"input_field": "127",
"target_field": 127
}
The operation was successful
Failure byte parse
normalize:
- map:
- target_field: parse_byte($input_field)
{
"input_field": "hello",
"target_field": "any_value"
}
{
"input_field": "hello",
"target_field": "any_value"
}
The operation was performed with errors
Failure byte parse
normalize:
- map:
- target_field: parse_byte($input_field)
{
"input_field": "130",
"target_field": [
"any_value"
]
}
{
"input_field": "130",
"target_field": [
"any_value"
]
}
The operation was performed with errors
Failure byte parse
normalize:
- map:
- target_field: parse_byte($input_field)
{
"input_field": "130",
"target_field": {
"key": "value"
}
}
{
"input_field": "130",
"target_field": {
"key": "value"
}
}
The operation was performed with errors
Success byte parse
normalize:
- map:
- target_field: parse_byte($input_field)
{
"input_field": "3.14",
"target_field": "any_value"
}
{
"input_field": "3.14",
"target_field": 3
}
The operation was successful
field: parse_csv(input_field, out1, out2, out3, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| out1 | string | value | Any string |
| out2 | string | value | Any string |
| out3 | string | value | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
This parser is just the same as the “dsv” parser, but its delimiter is the “comma”, the quoting and escaping character are the quotation mark, and they cannot be changed. It can be used to extract values separated by commas (“comma separated values”). These values will be stored on user-specified fields (outputs), but only if all the expected outputs are obtained. Eg, user expects 4 values but only 3 can be obtained, then the parser fails and no value is stored. All the characters contained between the “quoting” characters will be considered part of a single value even the “comma” character. If the quoting is not correctly balanced, the parser will fail. The “escaping” character is used to escape the “quoting” characters that are intended to be used as literal characters. This helper function is typically used in the map stage.
parserSuccess csv parse
normalize:
- map:
- target_field: parse_csv($input_field, 'out1', 'out2', 'out3')
{
"input_field": "value1,value2,value3",
"target_field": "any_value"
}
{
"input_field": "value1,value2,value3",
"target_field": {
"out1": "value1",
"out2": "value2",
"out3": "value3"
}
}
The operation was successful
Success csv parse with slash and dotpath
normalize:
- map:
- target_field: parse_csv($input_field, 'out1.key', 'out2/key', 'out3.key/subkey')
{
"input_field": "value1,value2,value3",
"target_field": "any_value"
}
{
"input_field": "value1,value2,value3",
"target_field": {
"out1": {
"key": "value1"
},
"out2": {
"key": "value2"
},
"out3": {
"key": {
"subkey": "value3"
}
}
}
}
The operation was successful
Failure csv parse
normalize:
- map:
- target_field: parse_csv($input_field, 'out1', 'out2', 'out3')
{
"input_field": "valu1=1 value2=2",
"target_field": "any_value"
}
{
"input_field": "valu1=1 value2=2",
"target_field": "any_value"
}
The operation was performed with errors
field: parse_date(input_field, format, locale)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| format | string | value | Any string |
| locale | string | value | Any string |
| Type | Possible values |
|---|---|
| string | Any string |
Parses a date/time string and normalizes it to a datetime value. The first option must be either a strftime-like format (e.g., "%Y-%m-%dT%H:%M:%S%z") or a sample date string from which the format can be inferred. Optionally, a second parameter "locale" can be provided. If omitted, "C/POSIX" is used.
parser
date
time
ISO-8601 with timezone (explicit format)
normalize:
- map:
- target_field: parse_date($input_field, '%Y-%m-%dT%H:%M:%S%Ez', '_auto')
{
"input_field": "2025-09-01T10:30:00-05:00",
"target_field": "any_value"
}
{
"input_field": "2025-09-01T10:30:00-05:00",
"target_field": "2025-09-01T15:30:00.000Z"
}
The operation was successful
dd/mm/YYYY HH:MM (explicit format)
normalize:
- map:
- target_field: parse_date($input_field, '%d/%m/%Y %H:%M', '_auto')
{
"input_field": "01/09/2025 10:30",
"target_field": "any_value"
}
{
"input_field": "01/09/2025 10:30",
"target_field": "2025-09-01T10:30:00.000Z"
}
The operation was successful
Format mismatch -> error
normalize:
- map:
- target_field: parse_date($input_field, '%Y-%m-%d %H:%M', '_auto')
{
"input_field": "2025/09/01 10:30",
"target_field": "any_value"
}
{
"input_field": "2025/09/01 10:30",
"target_field": "any_value"
}
The operation was performed with errors
field: parse_double(input_field)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Evaluates if the content of the input field is a string that can be successfully converted into a double-precision
floating-point number. It converts and stores the double-precision number in field without truncation
as double-precision floating-point numbers are capable of representing a wide range of decimal numbers with
significant precision.
undefinedSuccess double parse
normalize:
- map:
- target_field: parse_double($input_field)
{
"input_field": "23.45",
"target_field": "any_value"
}
{
"input_field": "23.45",
"target_field": 23.45
}
The operation was successful
Failure double parse
normalize:
- map:
- target_field: parse_double($input_field)
{
"input_field": "hello",
"target_field": "any_value"
}
{
"input_field": "hello",
"target_field": "any_value"
}
The operation was performed with errors
field: parse_dsv(input_field, delim_char, quote_char, esc_char, out, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| delim_char | string | value | Any string |
| quote_char | string | value | Any string |
| esc_char | string | value | Any string |
| out | string | value | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
This parser can be used to extract values separated by a specific delimiter (“delimiter separated values”) which must be a single character. These values will be stored on user-specified fields (outputs) but only if all the expected outputs are obtained. Eg, user expects 4 values but only 3 can be obtained then the parser fails and no value is stored. Additionally to the “delimiting” character, the user must define a “quoting” and “escaping” character. All the characters contained between the “quoting” characters will be considered part of a single value, even the “delimiting” character. If the quoting is not correctly balanced, the parser will fail. The “escaping” character is used to escape the “quoting” characters that are intended to be used as literal characters. This helper function is typically used in the map stage.
parserSuccess dsv parse
normalize:
- map:
- target_field: parse_dsv($input_field, '|', "'", '\\', 'out1', 'out2')
{
"input_field": "value1|value2",
"target_field": "any_value"
}
{
"input_field": "value1|value2",
"target_field": {
"out1": "value1",
"out2": "value2"
}
}
The operation was successful
Success dsv parse with slash and dotpath
normalize:
- map:
- target_field: parse_dsv($input_field, '|', "'", '\\', 'out1.key', 'out2/key', 'out3.key/subkey')
{
"input_field": "value1|value2|value3",
"target_field": "any_value"
}
{
"input_field": "value1|value2|value3",
"target_field": {
"out1": {
"key": "value1"
},
"out2": {
"key": "value2"
},
"out3": {
"key": {
"subkey": "value3"
}
}
}
}
The operation was successful
Failure dsv parse
normalize:
- map:
- target_field: parse_dsv($input_field, '|', '\\', "'", 'out1', 'out2')
{
"input_field": "key1:value1",
"target_field": "any_value"
}
{
"input_field": "key1:value1",
"target_field": "any_value"
}
The operation was performed with errors
field: parse_file(input_field, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
Checks whether an input contains a valid file path and, if so, it evaluates to true and the extracted data contained in a JSON object is then stored on the field, otherwise it evaluates to false.
parserSuccess file parse
normalize:
- map:
- target_field: parse_file($input_field)
{
"input_field": "C:\\Windows\\System32\\program.exe",
"target_field": "any_value"
}
{
"input_field": "C:\\Windows\\System32\\program.exe",
"target_field": {
"path": "C:\\Windows\\System32",
"ext": "exe",
"drive_letter": "C",
"name": "program.exe"
}
}
The operation was successful
field: parse_float(input_field)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Evaluates if the content of the input field is a string that can be successfully converted into a floating-point number.
It converts and stores the floating-point number in field, as floating-point numbers inherently support decimals.
parserSuccess float parse
normalize:
- map:
- target_field: parse_float($input_field)
{
"input_field": "23.45234",
"target_field": "any_value"
}
{
"input_field": "23.45234",
"target_field": 23.45233917236328
}
The operation was successful
Failure float parse
normalize:
- map:
- target_field: parse_float($input_field)
{
"input_field": "hello",
"target_field": "any_value"
}
{
"input_field": "hello",
"target_field": "any_value"
}
The operation was performed with errors
Failure float parse
normalize:
- map:
- target_field: parse_float($input_field)
{
"input_field": "hello",
"target_field": [
"any_value"
]
}
{
"input_field": "hello",
"target_field": [
"any_value"
]
}
The operation was performed with errors
Failure float parse
normalize:
- map:
- target_field: parse_float($input_field)
{
"input_field": "hello",
"target_field": {
"key": "value"
}
}
{
"input_field": "hello",
"target_field": {
"key": "value"
}
}
The operation was performed with errors
field: parse_fqdn(input_field, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
This parser is used to obtain, if possible, a valid domain name. Such domain cannot be longer than 255 characters and can only contain “a-z”, “A-Z”, “0-9”, “.” and “-”. Checks whether an input contains a valid domain name format and, if so, it evaluates to true and is then stored on the field, otherwise it evaluates to false.
parserSuccess fqdn parse
normalize:
- map:
- target_field: parse_fqdn($input_field)
{
"input_field": "www.someurl.co",
"target_field": "any_value"
}
{
"input_field": "www.someurl.co",
"target_field": "www.someurl.co"
}
The operation was successful
Failure fqdn parse
normalize:
- map:
- target_field: parse_fqdn($input_field)
{
"input_field": "www.some~url.com",
"target_field": "any_value"
}
{
"input_field": "www.some~url.com",
"target_field": "any_value"
}
The operation was performed with errors
Failure fqdn parse
normalize:
- map:
- target_field: parse_fqdn($input_field)
{
"input_field": "www.some~url.com",
"target_field": [
"any_value"
]
}
{
"input_field": "www.some~url.com",
"target_field": [
"any_value"
]
}
The operation was performed with errors
Failure fqdn parse
normalize:
- map:
- target_field: parse_fqdn($input_field)
{
"input_field": "www.some~url.com",
"target_field": {
"key": "value"
}
}
{
"input_field": "www.some~url.com",
"target_field": {
"key": "value"
}
}
The operation was performed with errors
field: parse_half_float(input_field)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Evaluates if the content of the input field is a string that can be successfully converted into a half precision
floating-point number. It converts and stores the floating-point number in field, as floating-point numbers
inherently support decimals.
parserSuccess half float parse
normalize:
- map:
- target_field: parse_half_float($input_field)
{
"input_field": "23.45234",
"target_field": "any_value"
}
{
"input_field": "23.45234",
"target_field": 23.45233917236328
}
The operation was successful
Failure half float parse
normalize:
- map:
- target_field: parse_half_float($input_field)
{
"input_field": "hello",
"target_field": "any_value"
}
{
"input_field": "hello",
"target_field": "any_value"
}
The operation was performed with errors
Failure half float parse
normalize:
- map:
- target_field: parse_half_float($input_field)
{
"input_field": "hello",
"target_field": [
"any_value"
]
}
{
"input_field": "hello",
"target_field": [
"any_value"
]
}
The operation was performed with errors
Failure half float parse
normalize:
- map:
- target_field: parse_half_float($input_field)
{
"input_field": "hello",
"target_field": {
"key": "value"
}
}
{
"input_field": "hello",
"target_field": {
"key": "value"
}
}
The operation was performed with errors
field: parse_integer(input_field)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Evaluates if the content of the input field is a string that can be successfully converted into an integer
number. It converts and stores the integer number in field with truncation.
parserSuccess integer parse
normalize:
- map:
- target_field: parse_integer($input_field)
{
"input_field": "-2",
"target_field": "any_value"
}
{
"input_field": "-2",
"target_field": -2
}
The operation was successful
Success integer parse
normalize:
- map:
- target_field: parse_integer($input_field)
{
"input_field": "12345",
"target_field": "any_value"
}
{
"input_field": "12345",
"target_field": 12345
}
The operation was successful
Success integer parse
normalize:
- map:
- target_field: parse_integer($input_field)
{
"input_field": "23.45",
"target_field": "any_value"
}
{
"input_field": "23.45",
"target_field": 23
}
The operation was successful
Failure integer parse
normalize:
- map:
- target_field: parse_integer($input_field)
{
"input_field": "hello",
"target_field": "any_value"
}
{
"input_field": "hello",
"target_field": "any_value"
}
The operation was performed with errors
field: parse_ip(input_field, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
This parser is designed to validate and parse strings representing IP addresses, whether they are in IPv4 or IPv6 format.
Evaluates if the content of the input field is a string that accurately represents an IP address in either IPv4 or IPv6 format.
It checks the string for compliance with IP addressing standards, including the correct notation
and range for IPv4 (four decimal numbers separated by dots, each ranging from 0 to 255)
and the correct format for IPv6 (eight groups of four hexadecimal digits separated by colons).
If the string is a valid IP address, it stores the same string in field without modification.
parserSuccess ip parse
normalize:
- map:
- target_field: parse_ip($input_field)
{
"input_field": "192.168.1.1",
"target_field": "any_value"
}
{
"input_field": "192.168.1.1",
"target_field": "192.168.1.1"
}
The operation was successful
Success ip parse
normalize:
- map:
- target_field: parse_ip($input_field)
{
"input_field": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
"target_field": "any_value"
}
{
"input_field": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
"target_field": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
}
The operation was successful
Failure ip parse
normalize:
- map:
- target_field: parse_ip($input_field)
{
"input_field": "999.999.999.999",
"target_field": [
"any_value"
]
}
{
"input_field": "999.999.999.999",
"target_field": [
"any_value"
]
}
The operation was performed with errors
Failure ip parse
normalize:
- map:
- target_field: parse_ip($input_field)
{
"input_field": "999.999.999.999",
"target_field": {
"key": "value"
}
}
{
"input_field": "999.999.999.999",
"target_field": {
"key": "value"
}
}
The operation was performed with errors
field: parse_json(input_field, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
This parser is designed to interpret and convert strings formatted in JSON notation into a JSON. It is particularly useful for extracting structured data from stringified JSON representations. Upon invocation, the parser reads the input string and attempts to validate it as a proper JSON format. If the validation is successful, the input is transformed into a JSON object which is then assigned to the specified field. If the input is not valid JSON, the parser does not modify the output.
parserSuccess json parse
normalize:
- map:
- target_field: parse_json($input_field)
{
"input_field": "{\"key\": {\"innerKey\": \"value\"}}",
"target_field": "any_value"
}
{
"input_field": "{\"key\": {\"innerKey\": \"value\"}}",
"target_field": {
"key": {
"innerKey": "value"
}
}
}
The operation was successful
Failure json parse
normalize:
- map:
- target_field: parse_json($input_field)
{
"input_field": "{\"key\": \"innerKey\": \"value\"}}",
"target_field": [
"any_value"
]
}
{
"input_field": "{\"key\": \"innerKey\": \"value\"}}",
"target_field": [
"any_value"
]
}
The operation was performed with errors
field: parse_key_value(input_field, sep_token, delim_token, quote_char, esc_char, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| sep_token | string | value | Any string |
| delim_token | string | value | Any string |
| quote_char | string | value | Any string |
| esc_char | string | value | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
This parser can be used to extract key-value pairs from a keys-values list. If the parser succeeds, each value will be stored on a field named as its corresponding key. Keys are linked to values by the “separator” token (may be multi-character). Each key-value pair is split from others, given the “delimiting” token (may be multi-character). Additionally, the user must define a “quoting” and “escaping” character. All the characters contained between the “quoting” characters will be considered part of a single value even the “separator” and “delimiting” tokens. If the quoting is not correctly balanced, the parser will fail. The “escaping” character is used to escape the “quoting” characters that are intended to be used as literal characters. This helper function is typically used in the map stage. Checks whether an input fits a keys-values list format and, if it does, such pairs of keys and values are stored as new fields of the event.
parserSuccess key value parse
normalize:
- map:
- target_field: parse_key_value($input_field, '=', ' ', "'", '\\')
{
"input_field": "key1=value1 key2=value2 key3=value3",
"target_field": "any_value"
}
{
"input_field": "key1=value1 key2=value2 key3=value3",
"target_field": {
"key1": "value1",
"key2": "value2",
"key3": "value3"
}
}
The operation was successful
Failure key value parse
normalize:
- map:
- target_field: parse_key_value($input_field, '=', ' ', "'", '\\')
{
"input_field": "key1:value1",
"target_field": "any_value"
}
{
"input_field": "key1:value1",
"target_field": "any_value"
}
The operation was performed with errors
Success with multi-char delimiter and single-char separator
normalize:
- map:
- target_field: parse_key_value($input_field, '=', ' || ', "'", '\\')
{
"input_field": "k1=v1 || k2=v2",
"target_field": "any_value"
}
{
"input_field": "k1=v1 || k2=v2",
"target_field": {
"k1": "v1",
"k2": "v2"
}
}
The operation was successful
Success with single-char delimiter and multi-char separator
normalize:
- map:
- target_field: parse_key_value($input_field, '::=', ',', "'", '\\')
{
"input_field": "a::=x,b::=y",
"target_field": "any_value"
}
{
"input_field": "a::=x,b::=y",
"target_field": {
"a": "x",
"b": "y"
}
}
The operation was successful
Success multi-character tokens
normalize:
- map:
- target_field: parse_key_value($input_field, '::=', ' || ', '"', '\\')
{
"input_field": "k1::=v1 || k2::=v2",
"target_field": "any_value"
}
{
"input_field": "k1::=v1 || k2::=v2",
"target_field": {
"k1": "v1",
"k2": "v2"
}
}
The operation was successful
Failure when separator and delimiter are the same
normalize:
- map:
- target_field: parse_key_value($input_field, '=', '=', "'", '\\')
{
"input_field": "a=b=c",
"target_field": "any_value"
}
{
"input_field": "a=b=c",
"target_field": "any_value"
}
The operation was performed with errors
field: parse_long(input_field)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Evaluates if the content of the input field is a string that can be successfully converted into a 64-bit
integer (long). It converts and stores the integer value in field.
parserSuccess long parse (positive integer)
normalize:
- map:
- target_field: parse_long($input_field)
{
"input_field": "12345",
"target_field": "any_value"
}
{
"input_field": "12345",
"target_field": 12345
}
The operation was successful
Success long parse (negative integer)
normalize:
- map:
- target_field: parse_long($input_field)
{
"input_field": "-42",
"target_field": "any_value"
}
{
"input_field": "-42",
"target_field": -42
}
The operation was successful
Success long parse with truncation
normalize:
- map:
- target_field: parse_long($input_field)
{
"input_field": "42.23",
"target_field": "any_value"
}
{
"input_field": "42.23",
"target_field": 42
}
The operation was successful
Failure long parse (non-numeric characters)
normalize:
- map:
- target_field: parse_long($input_field)
{
"input_field": "12a3",
"target_field": "any_value"
}
{
"input_field": "12a3",
"target_field": "any_value"
}
The operation was performed with errors
field: parse_quoted(input_field, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
This parser is designed to extract text enclosed in quotation marks from the input string.
It supports custom quotation and escape characters, allowing for flexibility in parsing complex quoted strings.
Evaluates the content of the input field to extract text that is enclosed in the specified quoted character
considering any escape characters used to include the quotation character within the quoted text.
parserSuccess quoted parse
normalize:
- map:
- target_field: parse_quoted($input_field)
{
"input_field": "\"Hello, my name is 'Wazuh'.\"",
"target_field": "any_value"
}
{
"input_field": "\"Hello, my name is 'Wazuh'.\"",
"target_field": "Hello, my name is 'Wazuh'."
}
The operation was successful
Failure quoted parse
normalize:
- map:
- target_field: parse_quoted($input_field)
{
"input_field": "'escaped\\' quotes'",
"target_field": "any_value"
}
{
"input_field": "'escaped\\' quotes'",
"target_field": "any_value"
}
The operation was performed with errors
Failure quoted parse
normalize:
- map:
- target_field: parse_quoted($input_field)
{
"input_field": "don't start with quotes \"here",
"target_field": "any_value"
}
{
"input_field": "don't start with quotes \"here",
"target_field": "any_value"
}
The operation was performed with errors
field: parse_short(input_field)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Evaluates if the content of the input field is a string that can be successfully converted into an short integer
number. It converts and stores the short integer number in field with truncation.
parserSuccess short parse
normalize:
- map:
- target_field: parse_short($input_field)
{
"input_field": "-2",
"target_field": "any_value"
}
{
"input_field": "-2",
"target_field": -2
}
The operation was successful
Failure short parse (out of range)
normalize:
- map:
- target_field: parse_short($input_field)
{
"input_field": "32768",
"target_field": "any_value"
}
{
"input_field": "32768",
"target_field": "any_value"
}
The operation was performed with errors
Success short parse with truncation
normalize:
- map:
- target_field: parse_short($input_field)
{
"input_field": "23.45",
"target_field": "any_value"
}
{
"input_field": "23.45",
"target_field": 23
}
The operation was successful
Failure unsigned long parse
normalize:
- map:
- target_field: parse_short($input_field)
{
"input_field": "hello",
"target_field": "any_value"
}
{
"input_field": "hello",
"target_field": "any_value"
}
The operation was performed with errors
field: parse_unsigned_long(input_field)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| object | Any object |
Evaluates if the content of the input field is a string that can be successfully converted into an unsigned long
number. It converts and stores the unsigned long number in field with truncation.
parserFailure unsigned long parse (negative integer)
normalize:
- map:
- target_field: parse_unsigned_long($input_field)
{
"input_field": "-2",
"target_field": "any_value"
}
{
"input_field": "-2",
"target_field": "any_value"
}
The operation was performed with errors
Success unsigned long parse with truncation
normalize:
- map:
- target_field: parse_unsigned_long($input_field)
{
"input_field": "23.45",
"target_field": "any_value"
}
{
"input_field": "23.45",
"target_field": 23
}
The operation was successful
Success unsigned long parse
normalize:
- map:
- target_field: parse_unsigned_long($input_field)
{
"input_field": "2345",
"target_field": "any_value"
}
{
"input_field": "2345",
"target_field": 2345
}
The operation was successful
Failure unsigned long parse
normalize:
- map:
- target_field: parse_unsigned_long($input_field)
{
"input_field": "hello",
"target_field": "any_value"
}
{
"input_field": "hello",
"target_field": "any_value"
}
The operation was performed with errors
field: parse_uri(input_field, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
This parser is used to obtain, if possible, information from a valid URI. The result will be an ECS url object encoded as a JSON string. This parser takes no arguments. Checks whether an input contains a valid URI format and, if so, it evaluates to true and transforms it to a ECS url object encoded as a JSON string which is then stored on the field, otherwise it evaluates to false.
parserSuccess uri parse
normalize:
- map:
- target_field: parse_uri($input_field)
{
"input_field": "http://someurl.com",
"target_field": "any_value"
}
{
"input_field": "http://someurl.com",
"target_field": {
"original": "http://someurl.com/",
"scheme": "http",
"domain": "someurl.com",
"path": "/"
}
}
The operation was successful
Failure uri parse
normalize:
- map:
- target_field: parse_uri($input_field)
{
"input_field": "www.someurl.com",
"target_field": "any_value"
}
{
"input_field": "www.someurl.com",
"target_field": "any_value"
}
The operation was performed with errors
Failure uri parse
normalize:
- map:
- target_field: parse_uri($input_field)
{
"input_field": "www.someurl.com",
"target_field": true
}
{
"input_field": "www.someurl.com",
"target_field": true
}
The operation was performed with errors
Failure uri parse
normalize:
- map:
- target_field: parse_uri($input_field)
{
"input_field": "www.someurl.com",
"target_field": [
true
]
}
{
"input_field": "www.someurl.com",
"target_field": [
true
]
}
The operation was performed with errors
field: parse_useragent(input_field, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
This parser is designed to process and map user agent strings.
It does not perform any transformation or parsing in the traditional sense but directly maps
the input user agent string to a specific field in the output.
Takes a reference to a string that represents the user agent of a device or browser.
It directly maps this string to field without any modification or parsing.
This function is particularly useful for logging or analyzing user agent strings in their original format.
parserSuccess useragent parse
normalize:
- map:
- target_field: parse_useragent($input_field)
{
"input_field": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110",
"target_field": "any_value"
}
{
"input_field": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110",
"target_field": {
"original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110"
}
}
The operation was successful
field: parse_xml(input_field, [...])
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
This parser is designed to interpret and convert strings formatted in XML notation into a JSON object. It preserves the structure of the original XML in the default mode and provides a specialized transformation for Windows Event Log XML when the optional "windows" argument is used.
parserSuccess xml parse
normalize:
- map:
- target_field: parse_xml($input_field)
{
"input_field": "<greeting>some greetring</greeting>",
"target_field": "any_value"
}
{
"input_field": "<greeting>some greetring</greeting>",
"target_field": {
"greeting": {
"#text": "some greetring"
}
}
}
The operation was successful
Invalid XML
normalize:
- map:
- target_field: parse_xml($input_field)
{
"input_field": "<greeting>some greetring<greeting>",
"target_field": "any_value"
}
{
"input_field": "<greeting>some greetring<greeting>",
"target_field": "any_value"
}
The operation was performed with errors
field: rename(input_field)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
Moves existing “input_field” to the field name provided (field). Replace if field exist. This helper function is used in the map stage.
undefinedTarget field 'target_field' already exists
normalize:
- map:
- target_field: rename($input_field)
{
"input_field": 42,
"target_field": "elapsed_time"
}
{
"input_field": 42,
"target_field": "elapsed_time"
}
The operation was performed with errors
field: replace(old, new)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| old | string | value | Any string |
| new | string | value | Any string |
| Type | Possible values |
|---|---|
| string |
The operation replaces in “field”, all occurrences of the given string by the new string. In case of errors “field” will not be modified. This helper function is typically used in the map stage
stringThe value to replace was found
normalize:
- map:
- target_field: replace('hello', 'hi')
{
"target_field": "hello world!"
}
{
"target_field": "hi world!"
}
The operation was successful
The value to replace was not found
normalize:
- map:
- target_field: replace('non exist', 'hi')
{
"target_field": "hello world!"
}
{
"target_field": "hello world!"
}
The operation was successful
field: sanitize_fields(recursive)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| recursive | boolean | value | Any string |
| Type | Possible values |
|---|---|
| [object, array, string] | - |
Normalize JSON object keys, nested object keys, standalone strings, and strings inside arrays using basicNormalize.
recursive is true, keys inside nested objects are also sanitized.recursive is true.target_field is a string node) are normalized directly.sanitize
rename
normalize
Keys already normalized
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": {
"a": 1,
"b": 2
}
}
{
"target_field": {
"a": 1,
"b": 2
}
}
The operation was successful
Keys lowercased and separators mapped to underscores
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": {
"Full Name": "Ana",
"e-mail": "x",
"Pais": "AR"
}
}
{
"target_field": {
"full_name": "Ana",
"e_mail": "x",
"pais": "AR"
}
}
The operation was successful
Both map to 'hello_world' -> collision
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": {
"hello world": 1,
"hello-world": 2
}
}
{
"target_field": ""
}
The operation was performed with errors
basicNormalize does not prefix underscores for leading digits
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": {
"123abc": 1,
"x": 2
}
}
{
"target_field": {
"123abc": 1,
"x": 2
}
}
The operation was successful
Strings in arrays normalized
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": [
"Hello world",
"hello-world",
"HELLO world"
]
}
{
"target_field": [
"hello_world",
"hello_world",
"hello_world"
]
}
The operation was successful
Object keys inside arrays normalized
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": [
{
"Full Name": "Ana"
},
{
"e-mail": "x"
}
]
}
{
"target_field": [
{
"full_name": "Ana"
},
{
"e_mail": "x"
}
]
}
The operation was successful
Mixed string/object array supported
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": [
"Hello world",
{
"Full Name": "Ana"
}
]
}
{
"target_field": [
"hello_world",
{
"full_name": "Ana"
}
]
}
The operation was successful
Numbers in arrays not allowed by policy
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": [
1,
{
"a": 1
}
]
}
{
"target_field": ""
}
The operation was performed with errors
Booleans in arrays not allowed by policy
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": [
true,
{
"a": 1
}
]
}
{
"target_field": ""
}
The operation was performed with errors
Nulls in arrays not allowed by policy
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": [
null,
{
"a": 1
}
]
}
{
"target_field": ""
}
The operation was performed with errors
Nested arrays/objects processed recursively
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": [
[
"Hello world",
"hello-world"
],
[
{
"Full Name": "Ana"
}
]
]
}
{
"target_field": [
[
"hello_world",
"hello_world"
],
[
{
"full_name": "Ana"
}
]
]
}
The operation was successful
Deep object keys normalized
normalize:
- map:
- target_field: sanitize_fields(True)
{
"target_field": {
"a": {
"B-C": {
"D E": 1
}
}
}
}
{
"target_field": {
"a": {
"b_c": {
"d_e": 1
}
}
}
}
The operation was successful
Duplicated normalized strings in arrays are allowed
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": [
"a b",
"a-b",
"a_b"
]
}
{
"target_field": [
"a_b",
"a_b",
"a_b"
]
}
The operation was successful
All characters dropped -> empty key is invalid
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": {
"***": 1
}
}
{
"target_field": ""
}
The operation was performed with errors
Mixed '\', '/', ':', spaces collapse to single underscores
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": {
"a\\\\b///c::d e": 1
}
}
{
"target_field": {
"a_b_c_d_e": 1
}
}
The operation was successful
Trailing ':' produces '_' then it is trimmed at the end
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": {
"name:": 1
}
}
{
"target_field": {
"name": 1
}
}
The operation was successful
All characters are separators; normalized key becomes empty
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": {
":\\ /- .": 1
}
}
{
"target_field": ""
}
The operation was performed with errors
Backslash and colon in strings become underscores
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": [
"A\\B:C",
"X:Y\\Z"
]
}
{
"target_field": [
"a_b_c",
"x_y_z"
]
}
The operation was successful
Single string node normalized directly
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": "HELLO-world\\TEST"
}
{
"target_field": "hello_world_test"
}
The operation was successful
Only separators -> sanitized string becomes empty
normalize:
- map:
- target_field: sanitize_fields(False)
{
"target_field": "::::"
}
{
"target_field": ""
}
The operation was performed with errors
field: split(input_field, character)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| input_field | string | reference | Any string |
| character | string | value | Any string |
| Type | Possible values |
|---|---|
| [object, array, string, number, boolean] | - |
The operation splits a string into parts by a separator character. The parts are put into an array of strings. The result of the split into array (split) operation is mapped to “field”. If the “field” already exists, then it will be replaced. In case of errors “field” will not be modified. This helper function is typically used in the map stage
stringSuccess split
normalize:
- map:
- target_field: split($input_field, '|')
{
"input_field": "val 1 | val 2 | val 3"
}
{
"input_field": "val 1 | val 2 | val 3",
"target_field": [
"val 1 ",
" val 2 ",
" val 3"
]
}
The operation was successful
field: trim(trim_place, character)
| parameter | Type | Source | Accepted values |
|---|---|---|---|
| trim_place | string | value | begin, end, both |
| character | string | value | Any string |
| Type | Possible values |
|---|---|
| string |
The operation removes characters (0 or more) from the start, end or start and end of the field. The result of the trim (trim) operation is mapped to “field”. In case of errors “field” will not be modified. This helper function is typically used in the map stage
stringSuccess trim
normalize:
- map:
- target_field: trim('end', '-')
{
"target_field": "-- Hi wazuh! --"
}
{
"target_field": "-- Hi wazuh! "
}
The operation was successful
Success trim
normalize:
- map:
- target_field: trim('begin', '-')
{
"target_field": "-- Hi wazuh! --"
}
{
"target_field": " Hi wazuh! --"
}
The operation was successful
Success trim
normalize:
- map:
- target_field: trim('both', '-')
{
"target_field": "-- Hi wazuh! --"
}
{
"target_field": " Hi wazuh! "
}
The operation was successful