pC_malwarebytesepcefalerttriggersuccessendpointprotection.md

September 3, 2025

Parser Content

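{
  # Parser definition for a Malwarebytes Endpoint Protection CEF alert event.
  Name = malwarebytes-ep-cef-alert-trigger-success-endpointprotection
  ParserVersion = v1.0.0
  # Literal token the raw event must contain for this parser to be selected
  # (presumably a substring match - confirm against the parser framework docs).
  Conditions = [ """|Malwarebytes|Malwarebytes Endpoint Protection|""" ]
  # Field list = the shared template's extractors followed by one parser-specific
  # extractor (HOCON concatenates the substitution with the array literal).
  Fields = ${MBMCParsersTemplates.cef-malwarebytes-security-alert.Fields} [
    # filePath= value, captured lazily up to the next `word=` token or end of line.
    # Caveat: the path originates from the endpoint (e.g. a file name chosen by
    # whoever dropped the file). A path that itself contains a `key=` token ends
    # this capture early and can be matched by a later `\Wkey=` extractor, so
    # downstream logic should treat the extracted value as untrusted input.
    """\WfilePath=({malware_url}[^\n]+?)\s*(\w+=|$)""",
  ]
}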

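cef-malwarebytes-security-alert = {
  # Shared extractor template for Malwarebytes Endpoint Protection CEF alerts.
  Vendor = Malwarebytes
  Product = Malwarebytes Endpoint Protection
  # Layout of the value captured by the rt= extractor below
  # (e.g. "Sep 03 2025 10:15:00" - constructed sample).
  TimeFormat = "MMM dd yyyy HH:mm:ss"
  Fields = [
    # Event receipt time (rt=), in the layout given by TimeFormat.
    """\Wrt=({time}\w+ \d+ \d\d\d\d \d\d:\d\d:\d\d)""",
    # host is extracted twice: from dvchost= and from the token immediately
    # before "CEF:". Which capture wins is decided by the framework - confirm.
    """\Wdvchost=({host}[\w\-.]+)""",
    """({host}[\w\-.]+) CEF:""",
    # Severity: the 7th pipe-delimited field of the CEF header (six fields skipped).
    """([^\|]*\|){6}({alert_severity}\d+)""",
    # dvchost= also populates src_host.
    """\Wdvchost=({src_host}[\w\-.]+)""",
    # dvc= as an IPv6 or IPv4 address, with an optional :port suffix.
    """\Wdvc=({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){0,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?""",
    # The remaining key=value extensions are captured lazily up to the next
    # `word=` token or end of line. Caveat: a value containing '=' (or an
    # embedded `key=` token) is cut short, and the embedded token can then be
    # matched by a later extractor; treat file, process and user fields as
    # untrusted input rather than authoritative.
    """\WfileType=({additional_info}[^=]+?)\s*(\w+=|$)""",
    # Process path is split into directory and basename at the last run of backslashes.
    """Process name:\s*({process_path}({process_dir}[^=]*?)(\\+({process_name}[^\\]+?))?)\s*(\w+=|$)""",
    """\Wcs1=({alert_name}[^=]+?)\s*(\w+=|$)""",
    """\Wcat=({alert_type}[^=]+?)\s*(\w+=|$)""",
    # suser: 1-40 account-name characters with an optional trailing '$'.
    """\Wsuser=({user}[\w\.\-\!\#\^\~]{1,40}\$?)\s*(\w+=|$)""",
    """\Wact=({action}[^=]+?)\s*(\w+=|$)"""
  ]
}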