pC_cefdefenderatpprocess1.md

August 30, 2023 · View on GitHub

Parser Content

{
  # Exabeam parser definition for Microsoft Defender ATP "AdvancedHunting-DeviceProcessEvents"
  # records (JSON process-creation telemetry) arriving through Splunk. The
  # "[Namespace: ... ; EventHub name: ...]" pattern below shows the records carry an
  # Azure Event Hub envelope.
Name = cef-defender-atp-process-1
  DataType = "process-created"
  Vendor = Microsoft
  Product = Defender ATP
  Lms = Splunk
  # Expects seven fractional-second digits and a numeric zone offset
  # (e.g. 2023-08-30T12:34:56.1234567+0000); applies to the {time} capture below.
  TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSSSSSZ"
  # Literals that must be present in the raw event for this parser to be selected
  # (presumably all three are ANDed by the engine — confirm).
  Conditions = [ """AdvancedHunting-DeviceProcessEvents""", """ActionType""", """ProcessCreated""" ]
  # Each entry is a regex; {field} named groups populate Exabeam fields. The "{1,100}" and
  # "\\?" sequences let most patterns tolerate JSON whose quotes have been backslash-escaped.
  # Some entries lack a trailing comma; HOCON accepts newline as a separator, but add commas
  # for consistency.
  # NOTE(review): several Exabeam fields (process_name, command_line, pid, md5,
  # parent_process_name) are captured by more than one pattern below, from different Defender
  # columns. In the Microsoft schema, FileName/FolderPath/ProcessId/ProcessCommandLine describe
  # the created process and InitiatingProcess* describe its parent; the patterns that map
  # InitiatingProcess* to process_*/command_line treat the parent as the subject instead.
  # Which capture wins depends on the engine's precedence — confirm, because detections keyed
  # on process_name/command_line/pid may otherwise be evaluated against the wrong process.
  Fields = [
     # Host prefix added upstream; an optional "...@" prefix before the host is skipped.
     """exabeam_host=([^=]{1,2000}@\s{0,100})?({host}\S+)""",
     # Envelope "time" key -> time (parsed with TimeFormat above).
     """time"{1,100}:\s{0,100}"{1,100}({time}[^"]{1,2000})"""",
     # Envelope operationName -> activity; category -> category (also copied to event_name, see DupFields).
     """operationName\\?"{1,100}:\s{0,100}\\?"{1,100}({activity}[^"]{1,2000}?)\\?"""",
     """"category\\?"{1,100}:\s{0,100}\\?"{1,100}({category}[^"]{1,2000}?)\\?"""",
     # NOTE(review): RemoteIP/Protocol/LocalIP/LocalPort/RemoteIPType are network-event
     # columns. If they never appear in process-created records these patterns are dead —
     # harmless, but misleading to the next maintainer. Confirm against sample events.
     """RemoteIP"{1,100}:\s{0,100}"{1,100}({dest_ip}[a-fA-F\d.:]{1,2000})""",
     """"Protocol"{1,100}:\s{0,100}"{1,100}({protocol}[^"]{1,2000})""",
     """LocalIP"{1,100}:\s{0,100}"{1,100}({src_ip}[a-fA-F\d.:]{1,2000})""",
     """LocalPort"{1,100}:({src_port}\d{1,100})""",
     # ActionType -> outcome. Conditions already require "ProcessCreated", so this is expected
     # to be constant for events reaching this parser.
     """ActionType\\?"{1,100}:\s{0,100}\\?"{1,100}({outcome}[^"]{1,2000}?)\\?"""",
     # RemoteIPType -> direction; the literal "null" is matched but deliberately not captured.
     """RemoteIPType"{1,100}:\s{0,100}"{1,100}(null|({direction}[^"]{1,2000}))""",
     # DeviceName -> dest_host (not host: host comes from the exabeam_host prefix and from
     # the DupFields copy below).
     """DeviceName\\?"{1,100}:\s{0,100}\\?"{1,100}({dest_host}[^"]{1,2000}?)\\?"""",
     # Account of the *initiating* process -> user; "system"/"SYSTEM" is matched but not
     # captured, so built-in SYSTEM activity carries no user value.
     """InitiatingProcessAccountName\\?"{1,100}:\s{0,100}\\?"{1,100}(system|SYSTEM|({user}[^"]{1,2000}?))\\?"""",
     """"ProcessIntegrityLevel\\?"{1,100}:\s{0,100}\\?"{1,100}({process_integrity}[^"]{1,2000}?)\\?"""",
     # NOTE(review): user/user_sid come from InitiatingProcess* while domain (further down)
     # comes from the created process's AccountDomain — these can describe different accounts.
     """InitiatingProcessAccountSid\\?"{1,100}:\s{0,100}\\?"{1,100}({user_sid}[^"]{1,2000}?)\\?"""",
     # NOTE(review): InitiatingProcessFileName -> process_name here, but the same key maps to
     # parent_process_name a few lines below, and FileName also maps to process_name.
     """InitiatingProcessFileName\\?"{1,100}:\s{0,100}\\?"{1,100}({process_name}[^"\\\/]{1,2000}?)\\?"""",
     # NOTE(review): no leading quote anchor, so "ProcessId" also matches inside
     # "InitiatingProcessId"; pid becomes whichever of the two keys the JSON lists first.
     """ProcessId\\?"{1,100}:({pid}\d{1,100})""",
     # InitiatingProcessFolderPath split into parent_directory + parent_process_name (whole
     # value also kept as parent_process). Unlike the "\\?" patterns, this one does not
     # accept backslash-escaped quotes after the key.
     """"InitiatingProcessFolderPath"{1,20}:\s{0,100}"{1,20}({parent_process}({parent_directory}[^"]{0,2000}?[\\\/]{1,2000})?({parent_process_name}[^"\\\/]{1,2000}?))""""
     # Same key as above, here -> parent_process_name (see the NOTE on the earlier pattern).
     """InitiatingProcessFileName\\?"{1,100}:\s{0,100}\\?"{1,100}({parent_process_name}[^"\\\/]{1,2000}?)\\?"""",
     # Created process's FileName -> process_name (leading quote anchors the key).
     """"FileName\\?"{1,100}:\s{0,100}\\?"{1,100}({process_name}[^\\\/"]{1,2000}?)\\?"""",
     # Created process's command line. The lazy capture ends at the next `","` sequence, so a
     # command line that itself contains `","` would be truncated there.
     """"ProcessCommandLine\\?"{1,100}:\s{0,100}\\?"\s{0,100}({command_line}.+?)\s{0,100}\\*",""""
     # NOTE(review): InitiatingProcessCommandLine -> command_line competes with
     # ProcessCommandLine above. Same `","` termination caveat, here followed by a `"key":`.
     """\"InitiatingProcessCommandLine\\?\"{1,100}:\s{0,100}\\?\"\s{0,100}({command_line}.+?)\s{0,100}\\{0,100}","\w+":"""
     # NOTE(review): unanchored "MD5" also matches "InitiatingProcessMD5"; md5 is whichever
     # key appears first.
     """MD5\\?"{1,100}:\\?"{1,100}({md5}[^"]{1,2000}?)\\?"""",
     # Azure Event Hub envelope: namespace and hub name (namespace is copied to host below).
     """\[Namespace:\s{0,100}({event_hub_namespace}\S+) ; EventHub name:\s{0,100}({event_hub_name}[\w-]{1,2000})"""
     # Created process's FolderPath split into directory (optional drive letter) + process_name;
     # the full path is kept as process.
     """"FolderPath"{1,100}:"{1,100}({process}({directory}(\w:)?(?:[^:\]]{1,2000})?[\\\/])?({process_name}[^\\\/"\]]{1,2000}?))"""",
     # Created process's AccountDomain -> domain.
     """"AccountDomain":"({domain}[^:]{1,2000}?)",""",
     # NOTE(review): InitiatingProcessFolderPath -> process/process_directory/process_name here,
     # while the same key earlier -> parent_*. Also does not accept escaped quotes.
     """"InitiatingProcessFolderPath":\s{0,100}"({process}(({process_directory}[^"]{1,2000}?)\\{1,20})?({process_name}[^"\\]{1,2000}))"""",
     # NOTE(review): these describe the parent of the *initiating* process, i.e. one level
     # above what InitiatingProcessFileName/FolderPath describe; consistent only with the
     # "initiating process is the subject" model, not with FileName -> process_name.
     """"InitiatingProcessParentFileName":"({parent_process_name}[^"]{1,2000})""",
     """"InitiatingProcessParentId"{1,20}:({parent_process_id}\d{1,100})""" 
  ]
  # category is duplicated into event_name. event_hub_namespace is duplicated into host, so
  # host may carry the ingestion namespace rather than the endpoint name (which lands in
  # dest_host). Whether this overwrites a host captured by the exabeam_host pattern depends on
  # the engine's DupFields semantics — confirm before pivoting on host in detections.
  DupFields = ["category->event_name", "event_hub_namespace->host"]


}