pC_code42fileoperations3.md
June 14, 2023
Parser Content
{
Name = code42-file-operations-3
Vendor = Code42
Product = Code42 Incydr
Lms = Direct
DataType = "file-operations"
TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
Conditions= [ """KAFKA_CONNECT_SYSLOG: Code42LogCollector,""""]
Fields = [
"""KAFKA_CONNECT_SYSLOG: Code42LogCollector,.*?,.*?,(|({accesses}[^,]{1,2000})),({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d\d\dZ),.*?,(|({file_path}[^,]{1,2000})),(|({file_name}[^,]{1,2000})),(|({file_type}[^,]{1,2000})),(|({file_category}[^,]{1,2000})),(|({bytes}\d{1,100})),(|({file_owner}[^,]{1,2000})),(|({md5}[^,]{1,2000})),(|({sha256}[^,]{1,2000})),(|({time_created}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)),(|({time_modified}\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)),(|({user_email}[^,]{1,2000})),(|({device_id}[^,]{1,2000})),(|({uid}[^,]{1,2000})),(|({host}[^,]{1,2000})),(|({domain}[^,]{1,2000})),(|({src_ip}[^,]{1,2000})),(|({private_ip}[^,]{1,2000})),(|({actor}[^,]{1,2000})),(|({directory}[^,]{1,2000})),(|({log_source}[^,]{1,2000})),(|({url}[^,]{1,2000})),(|({shared}[^,]{1,2000})),(|({shared_with}[^,]{1,2000})|"({=shared_with}[^"]{1,2000}))",(|({file_exposure_changed_to}[^,]{1,2000})),(|({cloud_drive_id}[^,]{1,2000})),(|({detection_source_alias}[^,]{1,2000})),(|({file_id}[^,]{1,2000})),(|({exposure_type}[^,]{1,2000})),(|({process_owner}[^,]{1,2000})),(|({process}[^,]{1,2000})),(|({tab_title}[^,]{1,2000})),,(|({tab_url}[^,]{1,2000})),(|({removable_media_vendor}[^,]{1,2000})),(|({removable_media_name}[^,]{1,2000})),(|({removable_media_serial_number}[^,]{1,2000})),(|({removable_media_capacity}[^,]{1,2000})),(|({removable_media_bus_type}[^,]{1,2000})),(|({removable_media_media_name}[^,]{1,2000})),(|({removable_media_volume_name}[^,]{1,2000})),(|({removable_media_partition_id}[^,]{1,2000})),(|({sync_destination}[^,]{1,2000})),(|({email_dlp_policy_names}[^,]{1,2000})),(|({subject}[^,]{1,2000})),(|({sender}[^,]{1,2000})),(|({email_dlp_from}[^,]{1,2000}))"""
]
DupFields = ["file_path->file_parent"]
}