From ea9230c836780746d996f00653ad6e2e68140489 Mon Sep 17 00:00:00 2001 From: Esther Kim Date: Mon, 7 Jul 2025 15:11:31 -0400 Subject: [PATCH] Add logs threat intel processor --- .../en/logs/log_configuration/processors.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/content/en/logs/log_configuration/processors.md b/content/en/logs/log_configuration/processors.md index 1f3c26fc05520..033af2fd605ea 100644 --- a/content/en/logs/log_configuration/processors.md +++ b/content/en/logs/log_configuration/processors.md @@ -241,7 +241,7 @@ Use the [Datadog Log Pipeline API endpoint][1] with the following log service re ## Log message remapper -`message` is a key attribute in Datadog. Its value is displayed in the **Content** column of the Log Explorer to provide context on the log. You can use the search bar to find a log by the log message. +`message` is a key attribute in Datadog. Its value is displayed in the **Content** column of the Log Explorer to provide context on the log. You can use the search bar to find a log by the log message. Use the log message remapper processor to define one or more attributes as the official log message. Define more than one attribute for cases where the attributes might not exist and an alternative is available. For example, if the defined message attributes are `attribute1`, `attribute2`, and `attribute3`, and `attribute1` does not exist, then `attribute2` is used. Similarly, if `attribute2` does not exist, then `attribute3` is used. 
@@ -572,7 +572,7 @@ Returns the following: Request GET https://app.datadoghq.com/users was answered with response 200 ``` -**Note**: `http` is an object and cannot be used in a block (`%{http}` fails), whereas `%{http.method}`, `%{http.status_code}`, or `%{http.url}` returns the corresponding value. Blocks can be used on arrays of values or on a specific attribute within an array. +**Note**: `http` is an object and cannot be used in a block (`%{http}` fails), whereas `%{http.method}`, `%{http.status_code}`, or `%{http.url}` returns the corresponding value. Blocks can be used on arrays of values or on a specific attribute within an array. * For example, adding the block `%{array_ids}` returns: 
@@ -672,15 +672,15 @@ The lookup processor performs the following actions: * Looks if the current log contains the source attribute. * Checks if the source attribute value exists in the mapping table. * If it does, creates the target attribute with the corresponding value in the table. - * Optionally, if it does not find the value in the mapping table, it creates a target attribute with the default fallback value set in the `fallbackValue` field. You can manually enter a list of `source_key,target_value` pairs or upload a CSV file on the **Manual Mapping** tab. - + * Optionally, if it does not find the value in the mapping table, it creates a target attribute with the default fallback value set in the `fallbackValue` field. You can manually enter a list of `source_key,target_value` pairs or upload a CSV file on the **Manual Mapping** tab. + {{< img src="logs/log_configuration/processor/lookup_processor_manual_mapping.png" alt="Lookup processor" style="width:80%;">}} The size limit for the mapping table is 100Kb. This limit applies across all Lookup Processors on the platform. However, Reference Tables support larger file sizes. * Optionally, if it does not find the value in the mapping table, it creates a target attribute with the value of the reference table. You can select a value for a [Reference Table][101] on the **Reference Table** tab. - - {{< img src="logs/log_configuration/processor/lookup_processor_reference_table.png" alt="Lookup processor" + + {{< img src="logs/log_configuration/processor/lookup_processor_reference_table.png" alt="Lookup processor" style="width:80%;">}} 
@@ -939,6 +939,12 @@ Add an attribute value to the end of a target array attribute in the log. {{% /tab %}} {{< /tabs >}} +## Threat intel processor + +Add the Threat Intel Process to evaluate logs against the table using a specific Indicator of Compromise (IoC) key, such as an IP address. If a match is found, the log is enriched with relevant Threat Intelligence (TI) attributes from the table, which enhances detection, investigation, and response. + +For more information, see [Threat Intelligence][9]. + ## Further Reading {{< partial name="whats-next/whats-next.html" >}} @@ -954,3 +960,4 @@ Add an attribute value to the end of a target array attribute in the log. [6]: /logs/search_syntax/ [7]: /integrations/guide/reference-tables/ [8]: /tracing/other_telemetry/connect_logs_and_traces/ +[9]: /security/threat_intelligence/
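Review bot: the first hunk (`## Log message remapper`) changes only trailing whitespace on the `message` paragraph; the before and after lines are otherwise identical. This is unrelated to "Add logs threat intel processor" and makes the diff harder to review; consider dropping it or moving it to a separate whitespace-cleanup commit.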
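Review bot: the second hunk (the `**Note**` about `%{http}` and blocks on arrays) is likewise a trailing-whitespace-only change with no content difference; same suggestion as for the first hunk, or mention the whitespace cleanup in the commit message so reviewers know it is intentional.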
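Review bot: the third hunk (lookup processor bullet list and the two `{{< img ... >}}` shortcodes) only strips trailing spaces, including on the blank lines between the bullets and the images; nothing in the rendered text changes. Fine to keep if the cleanup is deliberate, but it belongs with the other whitespace hunks rather than with the new section.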
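Review bot: in the new `## Threat intel processor` section, "Add the Threat Intel Process to evaluate logs against the table" has two problems: "Process" should be "Processor", and "the table" has no referent anywhere in the section (no table is introduced before it). Name what the logs are matched against, and, since the other processor sections on this page describe how the processor is configured, state which log attribute is used as the Indicator of Compromise (IoC) key and what Threat Intelligence (TI) attributes are added on a match, instead of only "relevant ... attributes". Suggested opening: `Add the Threat Intel Processor to evaluate logs against your threat intelligence table using a specific Indicator of Compromise (IoC) key, such as an IP address.` The `[9]` link added in the final hunk (`[9]: /security/threat_intelligence/`) matches the `[Threat Intelligence][9]` reference, so that part is consistent.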