Expressions in LEEF format for structured data
Structured data in LEEF format contains one or more properties, which are represented as key-value pairs.
About this task
You can extract properties from an event that is presented in LEEF format by writing a LEEF expression that matches the property. A valid LEEF expression is either a single key reference (the name of a key in the event's key-value attributes) or a special LEEF header field reference.
For example, you have an event that is formatted in LEEF V1.0, such as:
LEEF:1.0|ABC Company|SystemDefender|1.13|console_login|devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ
devTime=2017-10-18T11:26:03.060+0200 usrName=flastname name=Firstname Lastname
authType=interactivePassword src=192.168.0.1
or an event that is formatted in LEEF V2.0 with the caret (^) separator character, such as:
LEEF:2.0|ABC Company|SystemDefender|1.13|console_login|^|devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ^
devTime=2017-10-18T11:26:03.060+0200^usrName=flastname^name=Firstname Lastname
^authType=interactivePassword^src=192.168.0.1
You can extract a property or a header key property from the event by choosing one of the following methods:
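The following is an added example, not code from the original page or from QRadar. It parses the two kinds of event shown above (a LEEF V1.0 event, whose attributes are tab-separated, and a LEEF V2.0 event, whose header names its own attribute delimiter) and then resolves a LEEF expression against the parsed event, either as a single key reference or as a header field reference. The sample events are constructed from the page's examples, the header field names (`vendor`, `product`, `product_version`, `event_id`) and the `$name$` notation for header references are this example's own conventions and are not necessarily the product's reference syntax.

```python
import re
from dataclasses import dataclass, field
from typing import ClassVar, Dict, Optional, Tuple

# Constructed sample events modelled on the two on the page (not real log data).
# LEEF 1.0 separates attributes with a tab character.
LEEF_V1_EVENT = (
    "LEEF:1.0|ABC Company|SystemDefender|1.13|console_login|"
    "devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ\t"
    "devTime=2017-10-18T11:26:03.060+0200\tusrName=flastname\t"
    "name=Firstname Lastname\tauthType=interactivePassword\tsrc=192.168.0.1"
)
# LEEF 2.0 declares the attribute delimiter in the sixth header field (here '^').
LEEF_V2_EVENT = (
    "LEEF:2.0|ABC Company|SystemDefender|1.13|console_login|^|"
    "devTimeFormat=yyyy-MM-dd'T'HH:mm:ss.SSSZ^"
    "devTime=2017-10-18T11:26:03.060+0200^usrName=flastname^name=Firstname Lastname"
    "^authType=interactivePassword^src=192.168.0.1"
)


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    delimiter: str
    attributes: Dict[str, str] = field(default_factory=dict)

    # Header field names accepted by evaluate_leef_expression; these names are
    # this example's assumption, not the product's own reference syntax.
    HEADER_FIELDS: ClassVar[Tuple[str, ...]] = (
        "version", "vendor", "product", "product_version", "event_id")


# A pipe inside a header field is escaped as "\|", so split only on unescaped pipes.
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def _decode_delimiter(spec: str) -> str:
    """Decode the LEEF 2.0 delimiter field: empty means tab, a single literal
    character is used as-is, and a hex code such as 'x09' or '0x09' names a
    character by its code point."""
    if spec == "":
        return "\t"
    m = re.fullmatch(r"(?:0)?x([0-9A-Fa-f]{1,4})", spec)
    if m:
        return chr(int(m.group(1), 16))
    if len(spec) != 1:
        raise ValueError(f"invalid LEEF 2.0 delimiter spec: {spec!r}")
    return spec


def parse_leef(line: str) -> LeefEvent:
    """Split a LEEF 1.0 or 2.0 event into its header fields and key-value attributes."""
    line = line.rstrip("\r\n")
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    fields = [f.replace("\\|", "|") for f in _UNESCAPED_PIPE.split(line)]
    version = fields[0][len("LEEF:"):]
    if version == "1.0":
        if len(fields) < 6:
            raise ValueError("LEEF 1.0 needs 5 header fields before the attributes")
        delimiter = "\t"  # fixed by the LEEF 1.0 format
        header, body = fields[1:5], "|".join(fields[5:])
    elif version == "2.0":
        if len(fields) < 7:
            raise ValueError("LEEF 2.0 needs 6 header fields before the attributes")
        delimiter = _decode_delimiter(fields[5])
        header, body = fields[1:5], "|".join(fields[6:])
    else:
        raise ValueError(f"unsupported LEEF version {version!r}")
    attributes: Dict[str, str] = {}
    for token in body.split(delimiter):
        # Attributes are key=value; the value may itself contain '=' so split once.
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        attributes[key.strip()] = value
    vendor, product, product_version, event_id = header
    return LeefEvent(version, vendor, product, product_version, event_id,
                     delimiter, attributes)


def evaluate_leef_expression(event: LeefEvent, expression: str) -> Optional[str]:
    """Resolve a LEEF expression: a single key reference such as 'usrName', or a
    header field reference written as $name$ (this example's notation). Returns
    None when the key or header field is absent from the event."""
    if len(expression) > 2 and expression.startswith("$") and expression.endswith("$"):
        name = expression[1:-1]
        if name in LeefEvent.HEADER_FIELDS:
            return getattr(event, name)
        return None
    return event.attributes.get(expression)


if __name__ == "__main__":
    for raw in (LEEF_V1_EVENT, LEEF_V2_EVENT):
        ev = parse_leef(raw)
        for expr in ("usrName", "src", "$event_id$", "$product$", "missingKey"):
            print(f"LEEF {ev.version} {expr!r:14} -> {evaluate_leef_expression(ev, expr)!r}")
```

Because the V2.0 parser reads the delimiter from the header, a single expression such as `src` resolves identically whether the source sends tab-delimited V1.0 or caret-delimited V2.0 events, which is what lets one custom property serve both formats from the same device.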