Cisco Umbrella Cloud Security Modeling Rule

Modeling Rule

Cisco Umbrella cloud security

Details

IDCisco_Umbrella_Cloud_Security_ModelingRule
From Version8.3.0

Rules (XIF)

[RULE: Cisco_Umbrella_Cloud_Security_Log_Type]
alter Log_Fields = split(_raw_log, "\",")
| alter Log_Fields = arraymap(Log_Fields, trim("@element", "\""))
| alter logType = if(_log_source_file_path contains "dnslogs", "DNS", _log_source_file_path contains "proxylogs", "Proxy", _log_source_file_path contains "auditlogs", "Admin Audit");

[MODEL: dataset = cisco_umbrella_raw]
// Mapping DNS Logs
call Cisco_Umbrella_Cloud_Security_Log_Type
| filter logType = "DNS"
| alter
        Query_Type = uppercase(arrayindex(regextract(arrayindex(Log_Fields, 6), "\(([^\)]+)\)"),0)),
        Response_Code = arrayindex(Log_Fields, 7)
| alter
        xdm.event.type = logType,
        xdm.source.user.username = if(arrayindex(Log_Fields, 10) = "AD Users", arrayindex(Log_Fields, 1), null),
        xdm.source.host.hostname = if(arrayindex(Log_Fields, 10) = "AD Users", null, arrayindex(Log_Fields, 1)),
        xdm.source.ipv4 = if(arrayindex(Log_Fields, 3) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(Log_Fields, 3), null),
        xdm.source.ipv6 = if(arrayindex(Log_Fields, 3) ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", arrayindex(Log_Fields, 3), null),
        xdm.intermediate.ipv4 = if(arrayindex(Log_Fields, 4) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(Log_Fields, 4), null),
        xdm.intermediate.ipv6 = if(arrayindex(Log_Fields, 4) ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", arrayindex(Log_Fields, 4), null),
        xdm.observer.action = arrayindex(Log_Fields, 5),
        xdm.network.dns.dns_question.type = if (Query_Type = "A",XDM_CONST.DNS_RECORD_TYPE_A, Query_Type = "AAAA",XDM_CONST.DNS_RECORD_TYPE_AAAA, Query_Type = "AFSDB",XDM_CONST.DNS_RECORD_TYPE_AFSDB, Query_Type = "APL",XDM_CONST.DNS_RECORD_TYPE_APL, Query_Type = "CAA",XDM_CONST.DNS_RECORD_TYPE_CAA, Query_Type = "CDNSKEY",XDM_CONST.DNS_RECORD_TYPE_CDNSKEY, Query_Type = "CDS",XDM_CONST.DNS_RECORD_TYPE_CDS, Query_Type = "CERT",XDM_CONST.DNS_RECORD_TYPE_CERT, Query_Type = "CNAME",XDM_CONST.DNS_RECORD_TYPE_CNAME, Query_Type = "CSYNC",XDM_CONST.DNS_RECORD_TYPE_CSYNC, Query_Type = "DHCID",XDM_CONST.DNS_RECORD_TYPE_DHCID, Query_Type = "DLV",XDM_CONST.DNS_RECORD_TYPE_DLV, Query_Type = "DNAME",XDM_CONST.DNS_RECORD_TYPE_DNAME, Query_Type = "DNSKEY",XDM_CONST.DNS_RECORD_TYPE_DNSKEY, Query_Type = "DS",XDM_CONST.DNS_RECORD_TYPE_DS, Query_Type = "EUI48",XDM_CONST.DNS_RECORD_TYPE_EUI48, Query_Type = "EUI64",XDM_CONST.DNS_RECORD_TYPE_EUI64, Query_Type = "HINFO",XDM_CONST.DNS_RECORD_TYPE_HINFO, Query_Type = "HIP",XDM_CONST.DNS_RECORD_TYPE_HIP, Query_Type = "HTTPS",XDM_CONST.DNS_RECORD_TYPE_HTTPS, Query_Type = "IPSECKEY",XDM_CONST.DNS_RECORD_TYPE_IPSECKEY, Query_Type = "KEY",XDM_CONST.DNS_RECORD_TYPE_KEY, Query_Type = "KX",XDM_CONST.DNS_RECORD_TYPE_KX, Query_Type = "LOC",XDM_CONST.DNS_RECORD_TYPE_LOC, Query_Type = "MX",XDM_CONST.DNS_RECORD_TYPE_MX, Query_Type = "NAPTR",XDM_CONST.DNS_RECORD_TYPE_NAPTR, Query_Type = "NS",XDM_CONST.DNS_RECORD_TYPE_NS, Query_Type = "NSEC",XDM_CONST.DNS_RECORD_TYPE_NSEC, Query_Type = "NSEC3",XDM_CONST.DNS_RECORD_TYPE_NSEC3, Query_Type = "NSEC3PARAM",XDM_CONST.DNS_RECORD_TYPE_NSEC3PARAM, Query_Type = "OPENPGPKEY",XDM_CONST.DNS_RECORD_TYPE_OPENPGPKEY, Query_Type = "PTR",XDM_CONST.DNS_RECORD_TYPE_PTR, Query_Type = "RRSIG",XDM_CONST.DNS_RECORD_TYPE_RRSIG, Query_Type = "RP",XDM_CONST.DNS_RECORD_TYPE_RP, Query_Type = "SIG",XDM_CONST.DNS_RECORD_TYPE_SIG, Query_Type = "SMIMEA",XDM_CONST.DNS_RECORD_TYPE_SMIMEA, Query_Type = "SOA",XDM_CONST.DNS_RECORD_TYPE_SOA, Query_Type = "SRV",XDM_CONST.DNS_RECORD_TYPE_SRV, Query_Type = "SSHFP",XDM_CONST.DNS_RECORD_TYPE_SSHFP, Query_Type = "SVCB",XDM_CONST.DNS_RECORD_TYPE_SVCB, Query_Type = "TA",XDM_CONST.DNS_RECORD_TYPE_TA, Query_Type = "TKEY",XDM_CONST.DNS_RECORD_TYPE_TKEY, Query_Type = "TLSA",XDM_CONST.DNS_RECORD_TYPE_TLSA, Query_Type = "TSIG",XDM_CONST.DNS_RECORD_TYPE_TSIG, Query_Type = "TXT",XDM_CONST.DNS_RECORD_TYPE_TXT, Query_Type = "URI",XDM_CONST.DNS_RECORD_TYPE_URI, Query_Type = "ZONEMD",XDM_CONST.DNS_RECORD_TYPE_ZONEMD, to_string(Query_Type)),
        xdm.network.dns.response_code = if(Response_Code = "NOERROR",XDM_CONST.DNS_RESPONSE_CODE_NO_ERROR ,Response_Code = "FORMERR",XDM_CONST.DNS_RESPONSE_CODE_FORMAT_ERROR,Response_Code = "SERVFAIL",XDM_CONST.DNS_RESPONSE_CODE_SERVER_FAILURE,Response_Code = "NXDOMAIN",XDM_CONST.DNS_RESPONSE_CODE_NON_EXISTENT_DOMAIN,Response_Code = "NOTIMP",XDM_CONST.DNS_RESPONSE_CODE_NOT_IMPLEMENTED,Response_Code = "REFUSED",XDM_CONST.DNS_RESPONSE_CODE_QUERY_REFUSED,Response_Code = "YXDOMAIN",XDM_CONST.DNS_RESPONSE_CODE_NAME_EXISTS_WHEN_IT_SHOULD_NOT,Response_Code = "YXRRSET",XDM_CONST.DNS_RESPONSE_CODE_RR_SET_EXISTS_WHEN_IT_SHOULD_NOT,Response_Code = "NXRRSET",XDM_CONST.DNS_RESPONSE_CODE_RR_SET_THAT_SHOULD_EXIST_DOES_NOT,Response_Code = "NOTAUTH",XDM_CONST.DNS_RESPONSE_CODE_SERVER_NOT_AUTHORITATIVE_FOR_ZONE,Response_Code = "NOTZONE",XDM_CONST.DNS_RESPONSE_CODE_NAME_NOT_CONTAINED_IN_ZONE,Response_Code = "BADVERS",XDM_CONST.DNS_RESPONSE_CODE_BAD_OPT_VERSION,Response_Code = "BADSIG",XDM_CONST.DNS_RESPONSE_CODE_TSIG_SIGNATURE_FAILURE,Response_Code = "BADKEY",XDM_CONST.DNS_RESPONSE_CODE_KEY_NOT_RECOGNIZED,Response_Code = "BADTIME",XDM_CONST.DNS_RESPONSE_CODE_SIGNATURE_OUT_OF_TIME_WINDOW,Response_Code = "BADMODE",XDM_CONST.DNS_RESPONSE_CODE_BAD_TKEY_MODE,Response_Code = "BADNAME",XDM_CONST.DNS_RESPONSE_CODE_DUPLICATE_KEY_NAME, Response_Code = "BADALG",XDM_CONST.DNS_RESPONSE_CODE_ALGORITHM_NOT_SUPPORTED,Response_Code = "BADTRUNC",XDM_CONST.DNS_RESPONSE_CODE_BAD_TRUNCATION, to_string(Response_Code)),
        xdm.network.dns.dns_question.name = rtrim(arrayindex(Log_Fields, 8), "\."),
        xdm.event.description = arrayindex(Log_Fields, 9),
        xdm.network.dns.opcode = to_integer(arrayindex(regextract(arrayindex(Log_Fields, 6), "(\d+)\s*\("),0)),
        xdm.alert.subcategory = arrayindex(Log_Fields, 12);
// Mapping Proxy Logs
call Cisco_Umbrella_Cloud_Security_Log_Type
| filter logType = "Proxy"
| alter
        Status_Code = arrayindex(Log_Fields, 10),
        AV_Detections = arrayindex(Log_Fields, 16),
        AMP_Malware_Name = arrayindex(Log_Fields, 19),
        Request_Method = arrayindex(Log_Fields, 25)
| alter
        xdm.event.type = logType,
        xdm.source.host.hostname = arrayindex(Log_Fields, 1),
        xdm.source.ipv4 = if(arrayindex(Log_Fields, 2) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(Log_Fields, 2), null),
        xdm.source.ipv6 = if(arrayindex(Log_Fields, 2) ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", arrayindex(Log_Fields, 2), null),
        xdm.intermediate.ipv4 = if(arrayindex(Log_Fields, 3) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(Log_Fields, 3), null),
        xdm.intermediate.ipv6 = if(arrayindex(Log_Fields, 3) ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", arrayindex(Log_Fields, 3), null),
        xdm.target.ipv4 = if(arrayindex(Log_Fields, 4) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(Log_Fields, 4), null),
        xdm.target.ipv6 =if(arrayindex(Log_Fields, 4) ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", arrayindex(Log_Fields, 4), null),
        xdm.network.http.content_type = arrayindex(Log_Fields, 5),
        xdm.observer.action = arrayindex(Log_Fields, 6),
        xdm.network.http.url = arrayindex(Log_Fields, 7),
        xdm.network.http.referrer = arrayindex(Log_Fields, 8),
        xdm.source.user_agent = arrayindex(Log_Fields, 9),
        xdm.network.http.response_code = if(Status_Code = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, Status_Code = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, Status_Code = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, Status_Code = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, Status_Code = "200", XDM_CONST.HTTP_RSP_CODE_OK, Status_Code = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, Status_Code = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, Status_Code = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, Status_Code = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, Status_Code = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, Status_Code = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, Status_Code = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, Status_Code = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, Status_Code = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, Status_Code = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, Status_Code = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, Status_Code = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, Status_Code = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, Status_Code = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, Status_Code = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, Status_Code = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, Status_Code = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, Status_Code = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, Status_Code = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, Status_Code = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, Status_Code = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, Status_Code = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, Status_Code = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, Status_Code = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, Status_Code = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, Status_Code = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, Status_Code = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, Status_Code = "410", XDM_CONST.HTTP_RSP_CODE_GONE, Status_Code = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, Status_Code = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, Status_Code = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, Status_Code = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, Status_Code = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, Status_Code = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, Status_Code = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, Status_Code = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, Status_Code = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, Status_Code = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, Status_Code = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, Status_Code = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, Status_Code = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, Status_Code = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, Status_Code = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, Status_Code = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, Status_Code = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, Status_Code = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, Status_Code = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, Status_Code = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, Status_Code = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, Status_Code = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, Status_Code = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, Status_Code = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, Status_Code = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, Status_Code = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, Status_Code = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, Status_Code = null, null, to_string(Status_Code)),
        xdm.target.file.sha256 = arrayindex(Log_Fields, 14),
        xdm.target.application.name = arrayindex(Log_Fields, 17),
        xdm.alert.name = if(AV_Detections != null and AV_Detections != "", AV_Detections, AMP_Malware_Name != null and AMP_Malware_Name != "", AMP_Malware_Name, null),
        xdm.alert.subcategory = arrayindex(Log_Fields, 22),
        xdm.network.http.method = if(Request_Method = "ACL", XDM_CONST.HTTP_METHOD_ACL, Request_Method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL , Request_Method = "BIND", XDM_CONST.HTTP_METHOD_BIND, Request_Method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, Request_Method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, Request_Method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, Request_Method = "COPY", XDM_CONST.HTTP_METHOD_COPY, Request_Method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, Request_Method = "GET", XDM_CONST.HTTP_METHOD_GET, Request_Method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, Request_Method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, Request_Method = "LINK", XDM_CONST.HTTP_METHOD_LINK, Request_Method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, Request_Method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, Request_Method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, Request_Method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, Request_Method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, Request_Method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, Request_Method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, Request_Method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, Request_Method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, Request_Method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, Request_Method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, Request_Method = "POST", XDM_CONST.HTTP_METHOD_POST, Request_Method = "PRI", XDM_CONST.HTTP_METHOD_PRI, Request_Method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, Request_Method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, Request_Method = "PUT", XDM_CONST.HTTP_METHOD_PUT, Request_Method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, Request_Method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, Request_Method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, Request_Method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, Request_Method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, Request_Method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, Request_Method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, Request_Method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, Request_Method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, Request_Method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, Request_Method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, Request_Method = null, null, to_string(Request_Method)),
        xdm.target.file.filename = arrayindex(Log_Fields, 28),
        xdm.network.rule = if(arrayindex(Log_Fields, 30) != null and arrayindex(Log_Fields, 30) != "", arrayindex(Log_Fields, 30), arrayindex(Log_Fields, 29) != null and arrayindex(Log_Fields, 29) != "", arrayindex(Log_Fields, 29), null);
// Mapping Admin Audit logs
call Cisco_Umbrella_Cloud_Security_Log_Type
| filter logType = "Admin Audit" and array_length(Log_Fields) > 8
| alter
        xdm.event.type = logType,
        xdm.event.id = arrayindex(Log_Fields, 0),
        xdm.source.user.upn = arrayindex(Log_Fields, 2),
        xdm.source.user.username = arrayindex(Log_Fields, 3),
        xdm.observer.action = arrayindex(Log_Fields, 5),
        xdm.source.ipv4 = if(arrayindex(Log_Fields, 6) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(Log_Fields, 6), null),
        xdm.source.ipv6 = if(arrayindex(Log_Fields, 6) ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", arrayindex(Log_Fields, 6), null),
        xdm.target.resource_before.value = arrayindex(Log_Fields, 7),
        xdm.target.resource.value = arrayindex(Log_Fields, 8);

Schema

cisco_umbrella_raw

Field Type Array?
_log_source_file_path string
_raw_log string
Raw JSON
{
    "cisco_umbrella_raw": {
      "_raw_log": {
        "type": "string",
        "is_array": false
      },
        "_log_source_file_path": {
        "type": "string",
        "is_array": false
        }
    }
  }