in Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/__init__.py [0:0]
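def customize_event(line, eventsSchemaMappingDict, requiredFieldsMappingDict, requireRaw):
    """Split one JSON event line into normalized fields and (optionally) raw fields.

    The event's ``event_simpleName`` selects a schema via ``eventsSchemaMappingDict``;
    events with no or unknown ``event_simpleName`` fall back to the ``"Additional"``
    schema. ``requiredFieldsMappingDict[schema]`` maps each known field name to
    ``"Required"`` (goes into the normalized record) or anything else (goes into the
    normalized record's ``AdditionalFields`` JSON blob). Fields not known to the
    schema go into ``AdditionalFields`` of both records.

    Args:
        line: One event serialized as a JSON object (text).
        eventsSchemaMappingDict: ``event_simpleName`` -> schema name.
        requiredFieldsMappingDict: schema name -> {field name -> "Required" | other}.
        requireRaw: When truthy, also build the raw-data record; otherwise the raw
            record is returned empty.

    Returns:
        ``(normalized_fields, raw_data_fields)``; each has an ``AdditionalFields``
        key (a JSON string) only when there is something to put in it. Returns
        ``(None, None)`` when the line is not valid JSON or does not decode to a
        JSON object, so callers can skip it.

    Raises:
        KeyError: if ``requiredFieldsMappingDict`` has no entry for the selected
            schema (including the ``"Additional"`` fallback).
    """
    try:
        element = json.loads(line)
    except json.JSONDecodeError as e:
        # NOTE(review): the whole raw line ends up in the log; if event payloads can
        # carry sensitive values, truncating it before logging would be safer.
        logging.error(f"JSON decoding error for line: {line}. Error: {str(e)}")
        return None, None
    # A line may be valid JSON yet not an object (e.g. a list or a bare string);
    # the field walk below needs a mapping, so treat anything else as skippable.
    if not isinstance(element, dict):
        logging.error(f"Skipping non-object JSON line of type {type(element).__name__}")
        return None, None

    schema = eventsSchemaMappingDict.get(element.get("event_simpleName"), "Additional")
    schema_fields_status = requiredFieldsMappingDict[schema]

    normalized_fields = {}
    normalized_additional_fields = {}
    raw_data_fields = {}
    raw_data_additional_fields = {}

    for key, value in element.items():
        if key in schema_fields_status:
            # Known field: the raw record keeps it as-is when raw output is wanted.
            if requireRaw:
                raw_data_fields[key] = value
            # "Required" fields form the normalized record; every other status is an
            # optional field and lands in the normalized AdditionalFields blob.
            is_required = schema_fields_status[key] == "Required"
            if is_required:
                normalized_fields[key] = value
            else:
                normalized_additional_fields[key] = value
            # The destination tables transform these two timestamps and lose the
            # original value, so the originals are carried in AdditionalFields too.
            if is_required and key in ("timestamp", "ContextTimeStamp"):
                normalized_additional_fields[key] = value
        else:
            # Field unknown to the schema: only ever goes into AdditionalFields.
            if requireRaw:
                raw_data_additional_fields[key] = value
            normalized_additional_fields[key] = value

    # Only attach AdditionalFields when there is something in it.
    if normalized_additional_fields:
        normalized_fields["AdditionalFields"] = json.dumps(normalized_additional_fields)
    if raw_data_additional_fields:
        raw_data_fields["AdditionalFields"] = json.dumps(raw_data_additional_fields)
    return normalized_fields, raw_data_fields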