pC_sentinelonevcefalerttriggersuccessthreatdetected.md
June 23, 2025
Parser Content
{
Name = sentinelone-v-cef-alert-trigger-success-threatdetected
ParserVersion = v1.0.0
Conditions = [ """CEF:""", """|SentinelOne|Mgmt|""", """|New Suspicious threat detected""", """activityType=""", """notificationScope=""" ]
sentinelone-vigilance-alerts {
Vendor = SentinelOne
Product = Vigilance
TimeFormat = ["yyyy-MM-dd'T'HH:mm:ss.SSSSSS","yyyy-MM-dd HH:mm:ss.SSSSSS"]
Fields = [
"""({time}\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d),\d{1,5}(\s+\S+){2}\s+CEF:""",
"""\srt=({time}\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d\.\d{1,6})\s""",
"""\smachine\s({dest_host}[\w\-\.]+)\|""",
"""activityType=({event_code}\d+)\s\w+=""",
"""\|SentinelOne\|Mgmt\|([^\|]+\|){2}({alert_name}[^\|\-]+)\s\-""",
"""\|SentinelOne\|Mgmt\|([^\|]+\|){3}({alert_severity}\d{1,2})""",
"""activityID=({alert_id}\d+)\s\w+=""",
"""\scat=({alert_type}\S+)""",
"""fileHash=(({hash_sha256}\w{64})|({hash_sha1}\w{40})|({hash_md5}\w{32}))\s\w+=""",
"""filePath=({file_path}({file_dir}[^=]+?)[\\\/]+({file_name}[^=\/\\]+?(\.({file_ext}[^=\/\\]+))?))\s\w+="""
}