Transform Return Format
When writing a transform function, the dictionary it returns may contain the following keys.
Name | Type | Description |
---|---|---|
sourceType | String | A description of the log source. Usually the third party that identifies where the log came from. |
eventName | String | The name of the event, or type of event. Usually describes what happened in the event log. |
eventTime | Time | The timestamp of when the event occurred. |
readOnly | Bool | True if this event was a read-only (non-state-changing) operation. False if it was a state-changing operation. |
srcIP | String | The IP the event originated from. |
dstIP | String | The IP that the event was destined to. |
actor | Dict(String, String) | A Python dictionary of string pairs containing whatever identifies the actor who generated the event. |
tags | Dict(String, String) | A Python dictionary of string pairs containing additional information that should be stored with this event. |
In practice, a function making use of all of these might look like this:
```python
from runreveal import deep_get


def transform(event):
    # Keys are strings: the returned value is a plain Python dictionary
    # whose keys match the names in the table above.
    return {
        "sourceType": "ExampleSaaS",
        "eventTime": deep_get(event, "time"),
        "eventName": deep_get(event, "type"),
        "readOnly": False,
        "srcIP": deep_get(event, "ip_address"),
        "dstIP": "",
        # actor and tags are dictionaries of string pairs
        "actor": {
            "email": deep_get(event, "email"),
            "username": deep_get(event, "username"),
        },
        "tags": {
            "admin": deep_get(event, "admin"),
        },
    }
```
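As an added example (not RunReveal's own code), the transform below derives `readOnly` from the action verb, coerces the tag value to a string as the table requires, and is paired with a checker that verifies the returned dictionary against the types in the table before ingest. The `deep_get` here is a local stand-in whose dotted-path behaviour is an assumption, and the sample event is constructed.

```python
from datetime import datetime

# Expected Python type for each documented return key.
SCHEMA = {"sourceType": str, "eventName": str, "eventTime": datetime, "readOnly": bool,
          "srcIP": str, "dstIP": str, "actor": dict, "tags": dict}

# Local stand-in for runreveal's deep_get (assumed behaviour: walk a dotted
# path and return a default when it is absent) so the example runs offline.
def deep_get(obj, path, default=None):
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

# Constructed sample event in the shape of a hypothetical SaaS audit log.
SAMPLE_EVENT = {"time": "2024-01-05T10:15:00Z", "action": "user.list",
                "client": {"ip": "203.0.113.7"},
                "actor": {"email": "alice@example.com", "admin": True}}

# Action verbs that do not change state; anything else counts as a write.
READ_VERBS = ("list", "get", "read", "view", "search")

def transform(event):
    action = deep_get(event, "action", "")
    return {
        "sourceType": "ExampleSaaS",
        "eventName": action,
        # eventTime is typed Time, so parse the ISO-8601 string into a datetime.
        "eventTime": datetime.fromisoformat(
            deep_get(event, "time", "").replace("Z", "+00:00")),
        "readOnly": action.split(".")[-1].startswith(READ_VERBS),
        "srcIP": deep_get(event, "client.ip", ""),
        "dstIP": "",
        "actor": {"email": deep_get(event, "actor.email", "")},
        # tag values must be strings, so stringify the boolean admin flag.
        "tags": {"admin": str(deep_get(event, "actor.admin", False)).lower()},
    }

def validation_errors(result):
    """List schema violations in a transform's return value before ingest."""
    errors = [f"{k}: expected {t.__name__}" for k, t in SCHEMA.items()
              if not isinstance(result.get(k), t)]
    for k in ("actor", "tags"):
        d = result.get(k)
        if isinstance(d, dict) and not all(
                isinstance(a, str) and isinstance(b, str) for a, b in d.items()):
            errors.append(f"{k}: keys and values must be strings")
    return errors
```

Running `validation_errors` over every transform output in a test suite catches a wrongly typed field (for example a boolean tag value) before it is silently dropped or mis-stored downstream.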