def customize_event()

in Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/__init__.py [0:0]


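def customize_event(line, eventsSchemaMappingDict, requiredFieldsMappingDict, requireRaw):
    """Split one JSON event line into normalized and raw field dictionaries.

    Args:
        line: One event as JSON text. It is expected to decode to a JSON
            object; anything else is rejected (see below).
        eventsSchemaMappingDict: Maps an ``event_simpleName`` value to a
            schema name. Events whose name is absent fall back to the
            ``"Additional"`` schema.
        requiredFieldsMappingDict: Maps a schema name to a dict of
            ``field name -> status``; a status of ``"Required"`` places the
            field in the normalized record, any other status places it in
            the normalized record's ``AdditionalFields`` blob.
        requireRaw: When truthy, the raw-data dictionary is populated as
            well; otherwise it is returned empty.

    Returns:
        ``(normalized_fields, raw_data_fields)``. Fields not listed in the
        schema are JSON-encoded into an ``"AdditionalFields"`` string on each
        dictionary (omitted when there are none). ``(None, None)`` is returned
        when ``line`` is not valid JSON or does not decode to a JSON object,
        so callers must check for ``None`` before using the result.

    Raises:
        KeyError: if the resolved schema (including ``"Additional"``) has no
            entry in ``requiredFieldsMappingDict``.
    """
    try:
        element = json.loads(line)
    except json.JSONDecodeError as e:
        # NOTE(review): this echoes the full raw line into the log; consider
        # truncating if event payloads may carry sensitive telemetry.
        logging.error(f"JSON decoding error for line: {line}. Error: {str(e)}")
        return None, None

    # json.loads happily returns lists, strings or numbers for valid JSON
    # that is not an object; the membership test and .items() below would
    # then raise TypeError/AttributeError and abort the whole batch.
    if not isinstance(element, dict):
        logging.error(
            f"Expected a JSON object but got {type(element).__name__} for line: {line}"
        )
        return None, None

    event_name = element.get("event_simpleName")
    if event_name in eventsSchemaMappingDict:
        schema = eventsSchemaMappingDict[event_name]
    else:
        schema = "Additional"
    # Raises KeyError if the schema is unmapped; "Additional" must be present.
    schema_fields_status = requiredFieldsMappingDict[schema]

    normalized_fields = {}
    normalized_additional_fields = {}
    raw_data_fields = {}
    raw_data_additional_fields = {}

    for key, value in element.items():
        if key in schema_fields_status:
            # Known schema field: the raw record keeps it as a top-level
            # column when raw output is requested.
            if requireRaw:
                raw_data_fields[key] = value

            if schema_fields_status[key] == "Required":
                normalized_fields[key] = value
                # Downstream transforms rewrite these two columns; carry the
                # original values along in AdditionalFields so they survive.
                if key in ("timestamp", "ContextTimeStamp"):
                    normalized_additional_fields[key] = value
            else:
                # Optional schema field: only surfaces inside AdditionalFields.
                normalized_additional_fields[key] = value
        else:
            # Field not described by the schema: goes into the
            # AdditionalFields blob of each output record.
            if requireRaw:
                raw_data_additional_fields[key] = value
            normalized_additional_fields[key] = value

    # Only attach AdditionalFields when there is something to carry; the
    # string comparison against "{}" mirrors the original contract.
    normalized_additional_fields_text = json.dumps(normalized_additional_fields)
    if normalized_additional_fields_text != "{}":
        normalized_fields["AdditionalFields"] = normalized_additional_fields_text

    raw_data_additional_fields_text = json.dumps(raw_data_additional_fields)
    if raw_data_additional_fields_text != "{}":
        raw_data_fields["AdditionalFields"] = raw_data_additional_fields_text

    return normalized_fields, raw_data_fields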