pC_code42emailoutoperations.md
June 14, 2023
Parser Content
# Exabeam parser definition for Code42 Incydr "EMAILED" file-exfiltration alerts.
# Every regex below uses bounded repetition ({1,N}) rather than unbounded `+`/`*`,
# which caps backtracking on attacker-influenced log text (ReDoS mitigation).
{
Name = code42-email-out-operations
Vendor = Code42
Product = Code42 Incydr
Lms = Direct
DataType = "dlp-email-alert"
# Format applied to the extracted `time` field; see the note on the second
# eventTimestamp regex below, which can capture values that do not match it.
TimeFormat = "yyyy-MM-dd'T'HH:mm:ssZ"
# Literal substrings used to route a raw log to this parser. Whether all of them
# or any one of them must be present is not shown here — confirm against the
# Exabeam parser documentation before tightening or relaxing this list.
Conditions= [ """"fileCategoryByExtension"""", """"eventType":"EMAILED"""", """"osHostName""", """act=send""" ]
Fields = [
# host: the Exabeam forwarder hostname; an optional `<anything>@` prefix is skipped.
"""exabeam_host=([^=]{1,2000}@\s{0,100})?({host}\S+)""",
# time (strict): only matches an ISO-8601 UTC timestamp ending in Z.
""""eventTimestamp"{1,20}:\s{0,100}"{1,20}({time}\d{1,100}-\d{1,100}-\d{1,100}T\d{1,100}:\d{1,100}:\d{1,100}Z)""",
""""eventType"{1,20}:\s{0,100}"{1,20}({event_code}[^"]{1,2000})""",
""""source":"{1,20}({log_source}[^"]{1,2000})"""",
# time (loose): same source key as the strict regex above but accepts any
# non-quote string. Which capture wins when both match is decided by the
# parser engine, not by this file — NOTE(review): confirm precedence, since a
# non-Z timestamp captured here would not fit TimeFormat.
""""eventTimestamp"{1,20}:\s{0,100}"{1,20}({time}[^"]{1,2000})"""",
# file_name is the full name; file_ext is the text after the last dot, if any.
""""fileName"{1,20}:\s{0,100}"{1,20}({file_name}[^"]{1,2000}?(\.({file_ext}[^\."]{1,2000}))?)"""",
""""fileCategory"{1,20}:\s{0,100}"{1,20}({file_type}[^"]{1,2000})"""",
""""fileSize"{1,20}:\s{0,100}({bytes}\d{1,100})""",
""""osHostName"{1,20}:\s{0,100}"{1,20}({dest_host}[^"]{1,2000})"""",
# eventType is captured a second time, into alert_type (event_code holds the same value).
""""eventType":"({alert_type}[^"]{1,2000})""",
# sender/recipient both require an `@` so a bare display name is not accepted as an address.
""""emailSender":"{1,20}({sender}[^"@]{1,2000}@[^"]{1,2000})"""",
# `\[*` tolerates a JSON array, but the capture stops at the first closing quote,
# so only the first recipient is extracted when several are listed.
""""emailRecipients":\[*"{1,20}({recipient}[^"@]{1,2000}@[^"]{1,2000})"""",
""""emailSubject":\[*"{1,20}({subject}[^"]{1,2000})"""",
]
# Copies of extracted fields under the names downstream models expect.
DupFields = ["sender->email_user", "recipient->recipients" ]
}