pC_cefmbmcsecurityalertdetection.md


Parser Content

{
# Parser definition for Malwarebytes MBMC CEF "DETECTION" alerts
# (HOCON-style syntax; confirm against the consuming parser engine).
Name = cef-mbmc-security-alert-detection
    # A raw line is routed to this parser only when it contains both literal substrings.
    Conditions = [ """|Malwarebytes|MBMC|""", """|DETECTION|""" ]
  
cef-mbmc-security-alert = {
    Vendor = Malwarebytes
    Product = Malwarebytes Endpoint Protection
    Lms = Splunk
    DataType = "alert"
    # Layout of the {time} capture below. It carries no timezone component, so the
    # zone is presumably applied by the collector/parser default — confirm.
    TimeFormat = "MMM dd yyyy HH:mm:ss"
    # Each entry is a regex; {name} marks the named capture. Most repeats are bounded
    # ({1,2000}, {0,2000}, {1,100}) to cap backtracking on long or malformed lines.
    Fields = [
      # Host token immediately before the literal product tag; \S+ here is unbounded.
      """({host}\S+) Malwarebytes-Endpoint-Security""",
      # CEF header fields selected by position after "CEF:": skip 4/5/6 pipe-terminated
      # fields, then capture the next one. In the standard CEF header layout these are
      # Signature ID, Name and Severity respectively.
      """CEF:([^\|]{0,2000}\|){4}({alert_type}[^\|]{1,2000})""",
      """CEF:([^\|]{0,2000}\|){5}({alert_name}[^\|]{1,2000})""",
      """CEF:([^\|]{0,2000}\|){6}({alert_severity}[^\|]{1,2000})""",
      # Extension keys are preceded by \W so "rt=" cannot match the tail of a longer key.
      """\Wrt=({time}\w+ \d{1,100} \d\d\d\d \d\d:\d\d:\d\d)""",
      """\Wdvchost=({src_host}[\w\-.]{1,2000})""",
      # Character class admits dotted IPv4 as well as hex/colon IPv6 forms.
      """\Wdvc=({src_ip}[A-Fa-f:\d.]{1,2000})""",
      # Lazy capture terminated by the next "key=" token or end of line.
      """\Wcs6=({malware_url}.+?)\s{1,100}(\w+=|$)""",
      # The empty alternative lets "suser=" with no value match; {user} is then unset.
      """\Wsuser=(|({user}.+?))\s{1,100}(\w+=|$)""",
      # Not \W-anchored like the keys above, so a longer key ending in "act=" would
      # also satisfy it — NOTE(review): confirm this is intended.
      """act=({outcome}[^\s]{1,2000})""",
      """deviceMacAddress=({src_mac}[^\s]{1,2000})""",
      # {process_name} is captured by two alternative patterns ("fname=" and "Process: ...");
      # which value wins when both match depends on the parser engine — TODO confirm.
      """fname=(|({process_name}.*?)\s\w+=)""",
      """Process:\s({process_name}[^\|)]{1,2000})\s\w+=""",
    
    # NOTE(review): the closing "]" of Fields and the "}" closing cef-mbmc-security-alert
    # do not appear in this listing; it looks truncated rather than complete.
}