pC_cefmbmcsecurityalertdetection1.md

June 14, 2023

Parser Content

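{
  # Detection-event parser for Malwarebytes CEF alerts. It reuses the field
  # patterns of the cef-malwarebytes-security-alert template (HOCON array
  # concatenation: referenced array followed by a literal array) and appends
  # two patterns specific to "|Detection|" events. The key this object is
  # assigned to is not shown on the page; only the object body is given here.
  Name = cef-mbmc-security-alert-detection-1
  # Literal substrings the raw event must contain for this parser to apply
  # (presumably all three are required — confirm against the parser engine).
  Conditions = [ """CEF:""", """|Malwarebytes|Malwarebytes""", """|Detection|""" ]
  Fields = ${MBMCParserTemplates.cef-malwarebytes-security-alert.Fields} [
    # msg= value runs lazily up to the next "key=" token. Unlike the template
    # patterns, `.+?` is not capped (e.g. {1,2000}); an explicit bound would
    # limit backtracking on very long messages.
    """msg=({additional_info}.+?)\s{0,100}\w+=""",
    # IPv4 literal inside filePath, with an optional ":port" suffix.
    """filePath=.*?(({dest_ip}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:({dest_port}\d{1,100}))?)"""
  ]
  # Also expose the extracted src_host under the host field.
  DupFields = ["src_host->host"]
}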
  
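cef-malwarebytes-security-alert = {
  # Shared template for Malwarebytes Endpoint Protection alerts delivered as
  # ArcSight CEF. Detection parsers reference
  # ${MBMCParserTemplates.cef-malwarebytes-security-alert.Fields} and append
  # their own patterns to this list.
  Vendor = Malwarebytes
  Product = Malwarebytes Endpoint Protection
  Lms = ArcSight
  DataType = "alert"
  # Must agree with the rt= pattern below (month name, day, year, HH:mm:ss).
  TimeFormat = "MMM dd yyyy HH:mm:ss"
  Fields = [
    # The leading \W anchors each CEF extension key at a token boundary, so
    # that e.g. "xdvc=" does not satisfy the dvc= pattern.
    """\Wrt=({time}\w+ \d{1,100} \d\d\d\d \d\d:\d\d:\d\d)""",
    """\Wdvchost=({host}[\w\-.]{1,2000})""",
    # Host token immediately preceding the "CEF:" marker (presumably the
    # syslog header hostname — confirm with sample events).
    """({host}[\w\-.]{1,2000}) CEF:""",
    # CEF header: the field after the sixth "|" is Severity.
    """([^\|]{0,2000}\|){6}({alert_severity}\d{1,100})""",
    """\Wdvchost=({src_host}[\w\-.]{1,2000})""",
    # IPv4 or IPv6 literal (digits, hex letters, ":" and ".").
    """\Wdvc=({src_ip}[A-Fa-f:\d.]{1,2000})""",
    # Extension values are captured lazily up to the next "key=" token or end
    # of line; every quantifier is capped to bound regex backtracking.
    """\WfileType=({additional_info}[^=]{1,2000}?)\s{0,100}(\w+=|$)""",
    # Splits "Process name:" into the full path, its directory part and the
    # final backslash-delimited component.
    """Process name:\s{0,100}({process}({directory}[^=]{0,2000}?)(\\+({process_name}[^\\]{1,2000}?))?)\s{0,100}(\w+=|$)""",
    """\Wcs1=({alert_name}[^=]{1,2000}?)\s{0,100}(\w+=|$)""",
    """\Wcat=({alert_type}[^=]{1,2000}?)\s{0,100}(\w+=|$)""",
    # suser may legitimately be empty, hence {0,2000}.
    """\Wsuser=({user}[^=]{0,2000}?)\s{0,100}(\w+=|$)""",
    """\Wact=({action}[^=]{1,2000}?)\s{0,100}(\w+=|$)"""
  ]
  # Also expose the extracted action under the outcome field.
  # (The closing "]" was missing on the page; restored here.)
  DupFields = ["action->outcome"]
}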