pC_ciscoiecefemailsubject.md
November 11, 2025
Parser Content
{
# Parser for Cisco Email Security (IronPort) events delivered in CEF.
# Extracts the agent host, event time, message ID and email subject, plus the agt= address.
Name = cisco-ie-cef-email-subject
ParserVersion = v1.0.0
Vendor = Cisco
Product = Cisco Email Security
# rt= is captured below as exactly 13 digits, which for current dates is an epoch value in milliseconds.
# NOTE(review): confirm the engine's "epoch" format accepts millisecond values.
TimeFormat = "epoch"
# Substrings used to select this parser for an event.
# Presumably all four must be present and are matched literally, so "CISCO|IronPort" would be the
# CEF vendor|product header pair rather than a regex alternation — confirm against the parser engine.
Conditions = [ """CEF:""", """CISCO|IronPort""", """MID """, """ Subject """ ]
# Extraction patterns; ({name}...) is a named capture.
# NOTE(review): none of the patterns is anchored to a position in the event. Verify how the source
# escapes '=' inside values, so that key-like text in sender-controlled fields (such as the subject)
# cannot be picked up as the rt= or agt= extension.
Fields = [
# ahost= : agent host name (word characters, hyphen, dot).
"""ahost=({host}[\w\-\.]+)\s*""",
# rt= : event time, exactly 13 digits, preceded by whitespace.
"""\srt=({time}\d{13})""",
# "MID <digits> Subject <text>": the same digits populate both message_id and alert_id.
# The subject may be wrapped in single or double quotes, and ends at a quote, end of input or the next key= token.
# NOTE(review): the subject is sender-controlled text. The character class excludes ' and =, so a
# subject containing an apostrophe or an equals sign is captured only partially. Detections and
# searches keyed on email_subject should not assume the full subject is present.
"""MID ({message_id}({alert_id}\d+)) Subject ("|')?({email_subject}[^'=]+?)\s*('|"|$|\w+=)""",
# agt= : address captured as src_ip.
# First alternative is a loose IPv6-shaped pattern (1-7 colon-terminated groups); it does not
# validate the address. Second alternative is dotted-quad IPv4 with each octet limited to 0-255.
# NOTE(review): in CEF, agt is conventionally the agent (connector) address, so src_ip here may be
# the reporting appliance rather than the mail sender — confirm the intended mapping.
"""\sagt=({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){0,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))\s*"""
]
}