pC_code42fileoperations2.md

June 14, 2023

Parser Content

{
Name = code42-file-operations-2
  Vendor = Code42
  Product = Code42 Incydr
  Lms = Direct
  DataType = "file-operations"
  TimeFormat = "epoch"
  Conditions= [ """formattedTimestamp""", """deviceAddress""", """deviceRemoteAddress""", """operatingSystemUser""", """"fileEventType":""", """"modular_input_consumption_time":"""]
  Fields = [
    """exabeam_host=({host}[\w.\-]{1,2000})""",
    """processOwner"\s{0,100}:\s{0,100}"({user}[^"]{1,2000})""",
    """"fileOwnerUsername":\s{0,100}"(\w+\\+)?({user}[^"]{1,2000})""",
    """"deviceAddress":\s{0,100}"({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",
    """"deviceAddress":\s{0,100}"({src_ip}\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4})""",
    """"deviceRemoteAddress":\s{0,100}"({src_translated_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",
    """"deviceRemoteAddress":\s{0,100}"({src_translated_ip}\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4})""",
    """"fileName":\s{0,100}"({file_name}[^"]{1,2000})""",
    """"fileEventType":\s{0,100}"({accesses}[^"]{1,2000})""",
    """"fileType":\s{0,100}"({file_type}[^"]{1,2000})""",
    """"detectionTimestamp":\s{0,100}({time}\d\d\d\d\d\d\d\d\d\d\d\d\d)""",
    """"processName":\s{0,100}"({process}({directory}[^"]{0,2000}?[\\\/]{1,2000})?({process_name}[^"\\\/]{1,2000}?))"""",
    """"fullPath":\s{0,100}"({file_path}({file_parent}[^"]{0,2000}?[\\\/]{1,2000})?({file_name}[^"\\\/]{1,2000}?(\.({file_ext}\w+))?))"""",
    """"md5":\s"({md5_sum}[^"]{1,2000})""",
    """"sha256":\s"({sha256_sum}[^"]{1,2000})""",
    """"userUid":\s"({user_uid}[^"]{1,2000})""",
  ]


}