Transformation
In some cases, certain columns contain more information than Skope IT needs, which can also increase the size of the column that holds the required data. In such cases, you should create a transformation rule. For example, some log files capture the entire user profile as the user information. To capture only the username, identify the pattern and extract the data you need by setting up a transformation rule.
Create a Transformation Rule
The following is an example of a deny log from the gateway blocking access to the cloud application. In this case, you may want to generate an alert in Skope IT to record this type of action.
456 4 10.10.10.2 TCP_DENIED/407 251 CONNECT tcp://www.box.com:443/ - -/- - xx DENIED
In this case, you need to create a transformation rule that maps the action to block.
To create a transformation rule:
Go to the Transformation page in the Create Custom Parser workflow (Settings > Risk Insights > Parser > Test/Create).
Click Create Rule-Based Mapping.
Enter a Rule Name.
For When, select Action (like block) and Contains from the dropdown lists, and then enter
deny, denied
in the adjacent text field. For Set, select Action (like block) from the dropdown list, and then enter Action and select Action (like block) in the adjacent text field.
Click Create.
Now, in order for Skope IT to take action, you must create a similar rule that generates an alert in Skope IT based on the log's blocking action.
Click Create Rule-Based Mapping.
Enter a Rule Name.
For When, select Action (e.g. block) and Contains from the dropdown lists, and then enter
deny, denied
in the adjacent text field. For Set, select Alert Generated from the dropdown list, and then enter Action and select Action (e.g. block) in the adjacent text field.
Click Create.
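To make the semantics of the two rules above concrete, here is an added example (not Netskope's code) that applies the same "When ... Contains ... / Set ..." mappings to the sample deny log line. It assumes a whitespace-split column layout with the last field as the action, that a comma-separated list in the When field means "any of these values", that Contains is case-insensitive, and that every rule's condition is checked against the raw parsed values (otherwise the second rule would never fire once the first has rewritten the action to block); the page does not state how Skope IT orders or evaluates rules, so treat those as assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the deny log line shown on the page.
SAMPLE_LOG = ("456 4 10.10.10.2 TCP_DENIED/407 251 CONNECT "
              "tcp://www.box.com:443/ - -/- - xx DENIED")

# Assumed column names for the whitespace-split line; the real column
# mapping is whatever was configured earlier in the Create Custom Parser flow.
COLUMNS = ["elapsed", "seq", "src_ip", "result", "bytes", "method", "url",
           "user", "hierarchy", "content_type", "extra", "action"]


@dataclass
class Rule:
    """WHEN <when_field> CONTAINS any of <values>  ->  SET <set_field> = <set_value>."""
    name: str
    when_field: str
    values: List[str]   # the comma-separated entries typed into the UI
    set_field: str
    set_value: str


def parse_line(line: str) -> Dict[str, str]:
    """Split a log line into named fields (assumed layout, see COLUMNS)."""
    return dict(zip(COLUMNS, line.split()))


def matches(rule: Rule, event: Dict[str, str]) -> bool:
    """'Contains' assumed to be a case-insensitive substring match on any listed value."""
    haystack = event.get(rule.when_field, "").lower()
    return any(v.strip().lower() in haystack for v in rule.values if v.strip())


def apply_rules(event: Dict[str, str], rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every When against the raw event, then apply the Sets in order."""
    out = dict(event)
    for rule in rules:
        if matches(rule, event):        # raw values, not the partially rewritten copy
            out[rule.set_field] = rule.set_value
    return out


# The two rules from the page: map the deny action to block, and raise an alert.
RULES = [
    Rule("deny-to-block", "action", ["deny", "denied"], "action", "block"),
    Rule("alert-on-deny", "action", ["deny", "denied"], "alert_generated", "yes"),
]


def transform(line: str) -> Dict[str, str]:
    return apply_rules(parse_line(line), RULES)
```

Running `transform(SAMPLE_LOG)` yields an event whose action is `block` and whose `alert_generated` field is set, while a line whose last field is `ALLOWED` passes through untouched.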