pC_cefmalwarebytessecurityalert1.md
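# Parser definition (HOCON) for Malwarebytes Endpoint Protection alerts
# delivered as ArcSight CEF. Every capture group uses a bounded quantifier
# (e.g. {1,2000}) so a malformed or oversized log line cannot drive the regex
# engine into unbounded backtracking.
{
  Name = cef-malwarebytes-security-alert-1
  # Literal vendor|product fragment of the CEF header that selects this parser.
  Conditions = [ """|Malwarebytes|Malwarebytes Endpoint Protection|""" ]
  # Shared field patterns from the template below, plus one parser-specific capture.
  Fields = ${MBMCParserTemplates.cef-malwarebytes-security-alert.Fields} [
    # filePath= extension value. The look-ahead for the next key is bounded
    # (`\w{1,2000}=`); the template patterns below use the unbounded `\w+=`
    # for the same purpose - harmless in practice, but worth aligning.
    """\WfilePath=({malware_url}[^\n]{1,2000}?)\s{0,100}(\w{1,2000}=|$)""",
  ]
}

# NOTE(review): the ${MBMCParserTemplates...} substitution above only resolves
# if this template is defined under an enclosing MBMCParserTemplates object;
# that wrapper is not visible on this page - confirm against the full file.
cef-malwarebytes-security-alert = {
  Vendor = Malwarebytes
  Product = Malwarebytes Endpoint Protection
  # Log-management source the events arrive from (presumably the CEF emitter).
  Lms = ArcSight
  DataType = "alert"
  # Format of the rt= field captured as {time}. No timezone token, so the
  # platform's default zone is applied - confirm it matches the device clock.
  TimeFormat = "MMM dd yyyy HH:mm:ss"
  Fields = [
    # rt= event time, e.g. "Jun 14 2023 12:00:00" (constructed example).
    """\Wrt=({time}\w+ \d{1,100} \d\d\d\d \d\d:\d\d:\d\d)""",
    # {host} is captured by two patterns: the dvchost= extension and the
    # syslog hostname preceding "CEF:". Which value wins when both are present
    # depends on the parser engine's precedence - presumably first match; verify.
    """\Wdvchost=({host}[\w\-.]{1,2000})""",
    """({host}[\w\-.]{1,2000}) CEF:""",
    # CEF header: severity is the 7th pipe-delimited field. The pattern is not
    # anchored to "CEF:", and an escaped pipe (`\|`) inside an earlier header
    # field would shift the count - check against real samples.
    """([^\|]{0,2000}\|){6}({alert_severity}\d{1,100})""",
    # Device host/IP reported by the sensor. src_ip accepts IPv4 and IPv6.
    """\Wdvchost=({src_host}[\w\-.]{1,2000})""",
    """\Wdvc=({src_ip}[A-Fa-f:\d.]{1,2000})""",
    # Lazy captures below stop at the next "key=" token or end of line.
    """\WfileType=({additional_info}[^=]{1,2000}?)\s{0,100}(\w+=|$)""",
    # Full process path split into {directory} and {process_name} on the last
    # run of backslashes (Windows-style separators).
    """Process name:\s{0,100}({process}({directory}[^=]{0,2000}?)(\\+({process_name}[^\\]{1,2000}?))?)\s{0,100}(\w+=|$)""",
    """\Wcs1=({alert_name}[^=]{1,2000}?)\s{0,100}(\w+=|$)""",
    """\Wcat=({alert_type}[^=]{1,2000}?)\s{0,100}(\w+=|$)""",
    # {user} may be empty ({0,2000}); suser= is not always populated.
    """\Wsuser=({user}[^=]{0,2000}?)\s{0,100}(\w+=|$)""",
    """\Wact=({action}[^=]{1,2000}?)\s{0,100}(\w+=|$)"""
  ]
  # Copies the captured action field into outcome. The array was left unclosed
  # in the listing; closed here so the object parses.
  DupFields = ["action->outcome"]
}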