CSE Schema
In this section, we will introduce the following concepts:
📄️ Record Processing Pipeline
This topic describes how CSE transforms incoming raw messages into Records. For each message received, CSE creates a Record, or in rare cases, multiple Records.
📄️ Schema Attributes
This topic defines the attributes in CSE Schema v3.
📄️ Attributes You Can Map to Records
This topic lists the schema attributes that you can map to Records. Note that you can map any of the attributes defined below to any record type. For information about all schema attributes, including those that cannot be mapped to Records (for example, enrichment fields), see Schema Attributes.
📄️ CSE Record Types
This topic defines the Record Types that CSE supports. For related information, see Attributes You Can Map to Records.
📄️ Parsing Language Reference Guide
This topic describes the CSE parsing language, which you can use to write custom parsers.
📄️ Create a Structured Log Mapping
This topic has instructions for creating a log mapping for structured messages using the CSE UI. Log mapping is the process of telling CSE how to build a Record from the key-value pairs extracted from messages. For more information about log mapping, and how it fits into the Record creation process, see the Record Processing Pipeline topic.
📄️ CSE Normalized Classification
This topic describes how CSE applies normalized classification to Records.
📄️ Field Mapping for Security Event Sources
This topic has information about creating field mappings for messages that you want to be processed by normalized threat rules.
📄️ Parser Editor
This topic has instructions for using the Sumo Logic parser editor. You can use the editor to customize system parsers, and to create your own
📄️ Username and Hostname Normalization
This topic describes how CSE normalizes usernames and hostnames in Records during the parsing and mapping process. This allows common name forms from Active Directory, AWS, and fully qualified domain names to be normalized into a domain and username form.