pC_azurefilewrite.md


Parser Content

{
# Parser definition that classifies Azure "SecretSet" operations (see Conditions)
# as a "file-write" event and extracts the fields below from the raw log line.
# NOTE(review): the raw event appears to be a CEF envelope (suser=, msg=,
# destinationServiceName=) carrying a JSON body ("OperationName", "ResourceId") —
# confirm against a sample log before relying on these patterns.
Name = azure-file-write
  Vendor = Microsoft
  Product = Azure
  Lms = Splunk
  DataType = "file-write"
  # Format used to interpret the {time} capture from the first Fields pattern.
  # NOTE(review): the time regex below captures a trailing literal "Z" and an
  # unbounded run of fractional digits, while this format expects ".SSS" and a
  # zone designator "Z"; confirm the LMS's date parser accepts that input,
  # otherwise events may be mis-timestamped or dropped silently.
  TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
  # Literal substrings that select this parser for a log line; presumably ALL must
  # be present (confirm). The first one contains a space before "=" — an event
  # written as "destinationServiceName=Azure" would not match and would be missed.
  Conditions = [ """destinationServiceName =Azure""", """"OperationName":"SecretSet""" ]
  # Extraction patterns; each ({name}...) group populates the named event field.
  # Elements are separated by newlines where a trailing comma is absent (HOCON).
  Fields = [
   # Event timestamp. The "." before the fractional part is unescaped and so
   # matches any single character.
   """({time}\d{1,100}-\d{1,100}-\d{1,100}T\d{1,100}:\d{1,100}:\d{1,100}.\d{1,100}Z)""",
   """"ResourceProvider":"({object}[^"]{1,2000})""",
   # ResourceId split into an optional parent (up to the last "/" or ";") and a name.
   """"ResourceId":"({file_path}({file_parent}(?:[^";]{1,2000})?[\/;])?({file_name}[^\/";]{1,2000}))""""
   # Also writes file_name; which of the two patterns wins when both match is
   # engine-dependent — TODO confirm.
   """"Resource":"({file_name}[^"]{1,2000})"""",
   # user is left empty when suser is "anonymous" (case-insensitive).
   """suser=((?i)anonymous|({user}[^\s]{1,2000}))""",
   """devicePayloadId=.+\s{1,100}name\s{1,100}:\s{1,100}\[({host}[^\]]{1,2000})"""
   """fileType=({file_type}[^\s]{1,2000})""",
   # Character class admits both IPv4 and IPv6 forms; no structural validation.
   """"CallerIPAddress":"({src_ip}[A-Fa-f\d:.]{1,2000})"""",
   """"ResultType":"({outcome}[^"]{1,2000})""",
   # Lazy match up to the next CEF "key=" token.
   """requestClientApplication=({app}.+?)\s\w+=""",
   """"OperationName":"({event_name}[^"]{1,2000})"""",
   # Constant tag: every event matched by this parser is labelled resource-created.
   """({accesses}resource-created)"""
   """msg=({additional_info}.+?)\s{1,100}\w+="""
  ]


}