pC_code42appactivity.md
June 14, 2023 ยท View on GitHub
Parser Content
{
Name = code42-app-activity
Vendor = Code42
Product = Code42 Incydr
Lms = Direct
DataType = "app-activity"
TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
Conditions= [ """"actorType": "API_CLIENT"""", """"actorName"""", """"success":""", """Code42""" ]
Fields = [
"""timestamp":\s{0,100}"({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)"""",
"""destinationServiceName =({app}Custom Application)""",
""""actorName":\s{0,100}"({user}[^"\s]{1,2000})""",
""""audit_log:+({activity}[^"]{1,2000})""",
""""actorIpAddress":\s{0,100}"({src_ip}[A-Fa-f\d.:]{1,2000})"""",
]
}