pC_scrowdstrikeapplogin2.md

November 7, 2023 · View on GitHub

Parser Content

# Exabeam parser definition (HOCON-style) for CrowdStrike Falcon "app-login" events.
# NOTE(review): this rendering looks truncated — the `Fields = [` array and the two
# opening `{` braces are not all closed before the final `}`; confirm the structure
# against the source file before reusing this block.
{
Name = s-crowdstrike-app-login-2
  # Literal substrings that select a raw event for this parser (eventType
  # AuthActivityAuditEvent with OperationName validateEntitlementsHmac);
  # presumably every condition must appear in the event — confirm against the
  # Exabeam parser documentation.
  Conditions = [ """"eventType":""", """"AuthActivityAuditEvent"""", """"OperationName":""", """"validateEntitlementsHmac"""" ]

# Base definition that this "-2" variant appears to build on — TODO confirm how
# the two definitions are combined by the parser loader.
s-crowdstrike-app-login = {
  Vendor = CrowdStrike
  Product = Falcon
  # Lms: the log platform the events are collected from, presumably.
  Lms = Splunk
  DataType = "app-login"
  # Every captured {time} value is interpreted as an epoch timestamp. The first
  # "timestamp" pattern below captures any text up to a quote or comma, so
  # confirm that field is numeric in the real events — TODO verify.
  TimeFormat = "epoch"
  # Each entry is a regex; `({name}...)` captures the named Exabeam field.
  # Quantifiers are bounded ({1,2000}, {0,100}) rather than open-ended, which
  # caps how much input each capture can consume.
  Fields = [
    # {host}: optional "exabeam_host=" prefix in the forwarded log header.
    """exabeam_host=([^=]{1,2000}@\s{0,100})?({host}\S+)""",
    # {time}: three candidate sources — quoted "timestamp", numeric
    # "UTCTimestamp" (up to 16 digits), or a 13-digit "eventCreationTime"
    # (looks like millisecond epoch — confirm).
    """"timestamp":"({time}[^",]{1,2000})"""",
    """"UTCTimestamp":({time}\d{1,16})""",
    """"eventCreationTime":\s{0,100}({time}\d{13})""",
    # {user_email}/{email_domain}: UserId is split at '@'; a UserId with no '@'
    # does not match this pattern and yields no user field.
    """"UserId":\s{0,100}"({user_email}[^"@]{1,2000}@({email_domain}[^"@]{1,2000}))"""",
    # {src_ip}: raw UserIp string; no IP-format validation is applied here.
    """"UserIp":\s{0,100}"({src_ip}[^"]{1,2000})""",
    # {app}: ServiceName as reported by Falcon.
    """"ServiceName":\s{0,100}"({app}[^"]{1,2000})""",
    # {outcome}: unquoted value of "Success", read up to the next '"', ',' or '}'.
    """"Success":\s{0,100}({outcome}[^",}]{1,2000})""",
    # {cid}: CrowdStrike customer id, presumably.
    """"cid":"({cid}[^"]{1,2000})""""
    # NOTE(review): no trailing comma on the "cid" entry above, unlike the other
    # entries. HOCON accepts newline-separated array elements, but the file's own
    # style is comma-separated — confirm the parser toolchain accepts this.
    # {event_name}: OperationName; given the Conditions this is expected to be
    # validateEntitlementsHmac for events reaching this parser.
    """"OperationName":"({event_name}[^"]{1,2000})""""
  
}