Posted to issues@metron.apache.org by "Jonathan Rider (JIRA)" <ji...@apache.org> on 2016/05/16 16:17:12 UTC

[jira] [Created] (METRON-158) Create McAfee ePO Parser

Jonathan Rider created METRON-158:
-------------------------------------

             Summary: Create McAfee ePO Parser
                 Key: METRON-158
                 URL: https://issues.apache.org/jira/browse/METRON-158
             Project: Metron
          Issue Type: Improvement
            Reporter: Jonathan Rider
            Priority: Minor


Creating a parser for McAfee ePO.

The log should look like this:
<13> computer.website.com "2016-04-11 14:20:15" timestamp="2016-04-11 14:20:15.693", AutoID="136424372", signature="WRITE_DENIED", threat_type="none", signature_id="20719", category="cc.file.block", severity_id="3", event_description="File Write Denied", detected_timestamp="2016-04-11 13:29:09.0", file_name="c:\windows\system32\folder\file", detection_method="NULL", vendor_action="deny write", threat_handled="1", logon_user="NT AUTHORITY\NETWORK SERVICE", user="abc123", dest_nt_domain="APL", dest_dns="IMCAVA12345", dest_nt_host="IMCAVA12345", fqdn="IMCAVA12345.something.website.com", dest_ip="100.170.200.100", dest_mac="000000000000", os="Windows 7", sp="Service Pack 1", os_version="6.1", os_build="7601", timezone="Eastern Standard Time", src_dns="NULL", src_ip="200.23.55.70", src_mac="NULL", process="NULL", url="NULL", source_logon_user="NULL", is_laptop="1", product="Solidifier", product_version="6.1.3.436", engine_version="NULL", dat_version="NULL", vse_dat_version="8130.0000", vse_engine64_version="5800.7501", vse_engine_version="5800.7501", vse_hotfix="5", vse_product_version="8.8.0.1385"



And the output JSON should look like this:


{
  "priority": 13,
  "timestamp": "2016-04-11 14:20:15.693",
  "AutoID": "136424372",
  "signature": "WRITE_DENIED",
  "threat_type": "none",
  "signature_id": "20719",
  "category": "cc.file.block",
  "severity_id": "3",
  "event_description": "File Write Denied",
  "detected_timestamp": "2016-04-11 13:29:09.0",
  "file_name": "c:\\windows\\system32\\folder\\file",
  "detection_method": "NULL",
  "vendor_action": "deny write",
  "threat_handled": "1",
  "logon_user": "NT AUTHORITY\\NETWORK SERVICE",
  "user": "abc123",
  "dest_nt_domain": "APL",
  "dest_dns": "IMCAVA12345",
  "dest_nt_host": "IMCAVA12345",
  "fqdn": "IMCAVA12345.something.website.com",
  "ip_dst_addr": "100.170.200.100",
  "dst_mac": "000000000000",
  "os": "Windows 7",
  "sp": "Service Pack 1",
  "os_version": "6.1",
  "os_build": "7601",
  "timezone": "Eastern Standard Time",
  "ip_src_addr": "200.23.55.70",
  "is_laptop": "1",
  "product": "Solidifier",
  "product_version": "6.1.3.436",
  "vse_dat_version": "8130.0000",
  "vse_engine64_version": "5800.7501",
  "vse_engine_version": "5800.7501",
  "vse_hotfix": "5",
  "vse_product_version": "8.8.0.1385"
}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
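A reference parser for the line format shown in the issue, written here as an added example in Python (it is not Metron's Java parser and not code from the issue or from McAfee). It assumes the header is always `<PRI> host "timestamp"` followed by comma-separated key="value" pairs whose values never contain a double quote, renames dest_ip, src_ip and dest_mac to the Metron-style names used in the expected output, and drops every field whose value is the placeholder NULL. That last rule is my choice, not the issue's: the expected output above keeps detection_method="NULL" while dropping the other NULL fields, and this example treats all of them uniformly. A line that does not match the header, or carries a syslog PRI outside the valid 0..191 range, is rejected outright rather than half-parsed, and the Windows path keeps its backslashes through json.dumps. The sample lines at the bottom are constructed copies for the test, not captured traffic.

```python
import json
import re
from typing import Dict, Optional

# Header: "<PRI> host "YYYY-MM-DD HH:MM:SS"" followed by the key="value" body.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>\s*'
    r'(?P<host>\S+)\s+'
    r'"(?P<syslog_ts>[^"]*)"\s+'
    r'(?P<body>.*)$'
)

# key="value" pairs; values may contain spaces and backslashes but no double quotes
# (assumption based on the sample line in the issue).
KV_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)="(?P<value>[^"]*)"')

# Renames to the Metron-style field names used in the expected output.
RENAMES = {
    "dest_ip": "ip_dst_addr",
    "src_ip": "ip_src_addr",
    "dest_mac": "dst_mac",
}

# Placeholder McAfee ePO writes for an absent value; dropped uniformly here.
NULL_PLACEHOLDER = "NULL"

# Highest valid syslog PRI: facility 23 * 8 + severity 7.
MAX_PRI = 191


def parse_epo(line: str) -> Optional[Dict[str, object]]:
    """Parse one ePO syslog line into a flat dict, or return None if it is malformed."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None  # does not look like an ePO line: do not guess at partial fields
    pri = int(m.group("pri"))
    if pri > MAX_PRI:
        return None  # impossible PRI, treat as garbage rather than emit a bogus event
    pairs = KV_RE.findall(m.group("body"))
    if not pairs:
        return None  # header but no key="value" body

    event: Dict[str, object] = {"priority": pri}
    for key, value in pairs:
        if value == NULL_PLACEHOLDER:
            continue
        event[RENAMES.get(key, key)] = value
    return event


def to_json(event: Dict[str, object]) -> str:
    """Serialise with json.dumps so backslashes in Windows paths are escaped correctly."""
    return json.dumps(event, indent=2)


# Constructed copy of the sample line from the issue (not captured traffic).
SAMPLE_LINE = r'<13> computer.website.com "2016-04-11 14:20:15" timestamp="2016-04-11 14:20:15.693", AutoID="136424372", signature="WRITE_DENIED", threat_type="none", signature_id="20719", category="cc.file.block", severity_id="3", event_description="File Write Denied", detected_timestamp="2016-04-11 13:29:09.0", file_name="c:\windows\system32\folder\file", detection_method="NULL", vendor_action="deny write", threat_handled="1", logon_user="NT AUTHORITY\NETWORK SERVICE", user="abc123", dest_nt_domain="APL", dest_dns="IMCAVA12345", dest_nt_host="IMCAVA12345", fqdn="IMCAVA12345.something.website.com", dest_ip="100.170.200.100", dest_mac="000000000000", os="Windows 7", sp="Service Pack 1", os_version="6.1", os_build="7601", timezone="Eastern Standard Time", src_dns="NULL", src_ip="200.23.55.70", src_mac="NULL", process="NULL", url="NULL", source_logon_user="NULL", is_laptop="1", product="Solidifier", product_version="6.1.3.436", engine_version="NULL", dat_version="NULL", vse_dat_version="8130.0000", vse_engine64_version="5800.7501", vse_engine_version="5800.7501", vse_hotfix="5", vse_product_version="8.8.0.1385"'

# Constructed malformed inputs: no header at all, and a PRI that cannot exist.
MALFORMED_LINE = 'not an ePO line at all'
BAD_PRI_LINE = '<999> host "2016-04-11 14:20:15" signature="X"'


if __name__ == "__main__":
    parsed = parse_epo(SAMPLE_LINE)
    print(to_json(parsed) if parsed else "rejected")
```

The header regex deliberately anchors on the `<PRI> host "timestamp"` prefix so a stray line from another source that happens to contain `key="value"` text is rejected instead of producing a half-filled event; a parser that silently emits partial records is the usual way bad data ends up indexed as if it were a real detection.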