pC_code42usbinsert.md

June 14, 2023 ยท View on GitHub

Parser Content

{
Name = code42-usb-insert
  Vendor = Code42
  Product = Code42 Incydr
  Lms = Direct
  DataType = "usb-activity"
  TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
  Conditions= [ """formattedTimestamp""", """deviceAddress""", """deviceRemoteAddress""", """operatingSystemUser""", """"modular_input_consumption_time":""", """DEVICE_APPEARED""" ]
  Fields = [
    """exabeam_host=({host}[\w.\-]{1,2000})""",
    """"deviceAddress":\s{0,100}"({src_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",
    """"deviceAddress":\s{0,100}"({src_ip}\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4})""",
    """"deviceRemoteAddress":\s{0,100}"({src_translated_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",
    """"deviceRemoteAddress":\s{0,100}"({src_translated_ip}\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4})""",
    """"timestamp":\s{0,100}({time}\d\d\d\d\d\d\d\d\d\d)""",
    """"userUid":\s"({user_uid}[^"]{1,2000})""",
    """"eventType":\s"({activity}[^"]{1,2000})""",
    """"busType":\s"({device_type}[^"]{1,2000})""",
    """"deviceGuid":\s"({device_id}[^"]{1,2000})""",
    """"deviceName":\s"({device_name}[^"]{1,2000})""",
    """"mediaName":\s"({device_name}[^"]{1,2000})""",
    """"serialNumber":\s"(unknown|({usb_serial_number}[^"]{1,2000}))""",
    """"mediaName"":\s"({device_name}[^"]{1,2000})""",
    """"vendorName":\s"({vendor_name}[^"]{1,2000})""",
    """"vendorName":\s"({usb_vendor}[^"]{1,2000})""",
    """"volumeName":\s"(unknown|[^\(]{0,2000}?({drive_letter}[^"]{1,2000}))"""
  ]


}