Posted to issues@metron.apache.org by "James Sirota (JIRA)" <ji...@apache.org> on 2016/06/02 05:34:59 UTC
[jira] [Updated] (METRON-158) Create McAfee ePO Parser
[ https://issues.apache.org/jira/browse/METRON-158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Sirota updated METRON-158:
--------------------------------
Labels: ParserExtension (was: )
> Create McAfee ePO Parser
> ------------------------
>
> Key: METRON-158
> URL: https://issues.apache.org/jira/browse/METRON-158
> Project: Metron
> Issue Type: Improvement
> Reporter: Jonathan Rider
> Priority: Minor
> Labels: ParserExtension
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Creating a parser for McAfee ePO.
> The log should look like this:
> <13> computer.website.com "2016-04-11 14:20:15" timestamp="2016-04-11 14:20:15.693", AutoID="136424372", signature="WRITE_DENIED", threat_type="none", signature_id="20719", category="cc.file.block", severity_id="3", event_description="File Write Denied", detected_timestamp="2016-04-11 13:29:09.0", file_name="c:\windows\system32\folder\file", detection_method="NULL", vendor_action="deny write", threat_handled="1", logon_user="NT AUTHORITY\NETWORK SERVICE", user="abc123", dest_nt_domain="APL", dest_dns="IMCAVA12345", dest_nt_host="IMCAVA12345", fqdn="IMCAVA12345.something.website.com", dest_ip="100.170.200.100", dest_mac="000000000000", os="Windows 7", sp="Service Pack 1", os_version="6.1", os_build="7601", timezone="Eastern Standard Time", src_dns="NULL", src_ip="200.23.55.70", src_mac="NULL", process="NULL", url="NULL", source_logon_user="NULL", is_laptop="1", product="Solidifier", product_version="6.1.3.436", engine_version="NULL", dat_version="NULL", vse_dat_version="8130.0000", vse_engine64_version="5800.7501", vse_engine_version="5800.7501", vse_hotfix="5", vse_product_version="8.8.0.1385"
> And the output json should look like this:
> {
> "priority": 13,
> "timestamp": 1460384415693,
> "AutoID": "136424372",
> "signature": "WRITE_DENIED",
> "threat_type": "none",
> "signature_id": "20719",
> "category": "cc.file.block",
> "severity_id": "3",
> "event_description": "File Write Denied",
> "detected_timestamp": "2016-04-11 13:29:09.0",
> "file_name": "c:\\windows\\system32\\folder\\file",
> "detection_method": "NULL",
> "vendor_action": "deny write",
> "threat_handled": "1",
> "logon_user": "NT AUTHORITY\\NETWORK SERVICE",
> "user": "abc123",
> "dest_nt_domain": "APL",
> "dest_dns": "IMCAVA12345",
> "dest_nt_host": "IMCAVA12345",
> "fqdn": "IMCAVA12345.something.website.com",
> "ip_dst_addr": "100.170.200.100",
> "dst_mac": "000000000000",
> "os": "Windows 7",
> "sp": "Service Pack 1",
> "os_version": "6.1",
> "os_build": "7601",
> "timezone": "Eastern Standard Time",
> "ip_src_addr": "200.23.55.70",
> "is_laptop": "1",
> "product": "Solidifier",
> "product_version": "6.1.3.436",
> "vse_dat_version": "8130.0000",
> "vse_engine64_version": "5800.7501",
> "vse_engine_version": "5800.7501",
> "vse_hotfix": "5",
> "vse_product_version": "8.8.0.1385"
> }
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
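The transformation the ticket asks for (syslog priority pulled from the `<13>` prefix, the `timestamp` field converted to epoch milliseconds, `dest_ip`/`src_ip`/`dest_mac` renamed to Metron's `ip_dst_addr`/`ip_src_addr`/`dst_mac`) can be checked against the sample line with a small standalone parser. The code below is an added example and is not Metron's parser nor its parser API. It assumes, from the expected output value 1460384415693, that the `timestamp` field is read as UTC (the `timezone` field is passed through untouched), that the hostname and quoted header timestamp are discarded as in the expected JSON, and, as a uniform simplification, that every field whose value is the literal string `NULL` is dropped (the ticket's expected output keeps `detection_method="NULL"` while dropping the other NULL fields). The sample line is the one from the ticket, embedded as a constant.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the log line from the ticket, not captured from a live ePO server.
SAMPLE_LINE = (
    '<13> computer.website.com "2016-04-11 14:20:15" '
    'timestamp="2016-04-11 14:20:15.693", AutoID="136424372", signature="WRITE_DENIED", '
    'threat_type="none", signature_id="20719", category="cc.file.block", severity_id="3", '
    'event_description="File Write Denied", detected_timestamp="2016-04-11 13:29:09.0", '
    r'file_name="c:\windows\system32\folder\file", detection_method="NULL", '
    'vendor_action="deny write", threat_handled="1", '
    r'logon_user="NT AUTHORITY\NETWORK SERVICE", user="abc123", dest_nt_domain="APL", '
    'dest_dns="IMCAVA12345", dest_nt_host="IMCAVA12345", '
    'fqdn="IMCAVA12345.something.website.com", dest_ip="100.170.200.100", '
    'dest_mac="000000000000", os="Windows 7", sp="Service Pack 1", os_version="6.1", '
    'os_build="7601", timezone="Eastern Standard Time", src_dns="NULL", '
    'src_ip="200.23.55.70", src_mac="NULL", process="NULL", url="NULL", '
    'source_logon_user="NULL", is_laptop="1", product="Solidifier", '
    'product_version="6.1.3.436", engine_version="NULL", dat_version="NULL", '
    'vse_dat_version="8130.0000", vse_engine64_version="5800.7501", '
    'vse_engine_version="5800.7501", vse_hotfix="5", vse_product_version="8.8.0.1385"'
)

# Syslog-style prefix: <PRI> hostname "header timestamp" key="value", key="value", ...
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>\s*(?P<host>\S+)\s+"(?P<hdr_ts>[^"]*)"\s+(?P<body>.*)$'
)
# Values are double-quoted and may contain spaces, commas and backslashes, but no quotes.
KV_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)="(?P<value>[^"]*)"')

# ePO field name -> Metron canonical field name (assumption drawn from the expected JSON).
FIELD_RENAMES = {"dest_ip": "ip_dst_addr", "src_ip": "ip_src_addr", "dest_mac": "dst_mac"}


def epo_timestamp_to_epoch_ms(value: str) -> int:
    """Convert "YYYY-MM-DD HH:MM:SS.fff" to epoch milliseconds, reading it as UTC.

    Assumption: the ticket's expected 1460384415693 for "2016-04-11 14:20:15.693"
    only matches a UTC reading; integer arithmetic avoids float rounding of the ms part.
    """
    dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000 + dt.microsecond // 1000


def parse_epo(line: str) -> dict:
    """Parse one ePO syslog line into the flat dict the ticket's expected JSON shows."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        # Malformed input is rejected rather than half-parsed into a misleading event.
        raise ValueError("not an ePO syslog line: " + line[:60])
    out = {"priority": int(m.group("pri"))}
    for kv in KV_RE.finditer(m.group("body")):
        key, value = kv.group("key"), kv.group("value")
        if key == "timestamp":
            out["timestamp"] = epo_timestamp_to_epoch_ms(value)
        elif value == "NULL":
            # Assumption: NULL-valued fields carry no information and are dropped uniformly.
            continue
        else:
            out[FIELD_RENAMES.get(key, key)] = value
    if "timestamp" not in out:
        raise ValueError("ePO line has no timestamp field")
    return out


def to_json(line: str) -> str:
    """Serialise the parsed event; json.dumps escapes every backslash in Windows paths."""
    return json.dumps(parse_epo(line), sort_keys=True)


if __name__ == "__main__":
    print(to_json(SAMPLE_LINE))
```

Serialising through a real JSON encoder matters for the `file_name` and `logon_user` fields: a hand-written output such as `"c:\\windows\\system32\folder\file"` is valid JSON but decodes `\f` as a form feed, so a consumer comparing paths would never match the original. Extracting the header timestamp and hostname into their own fields would be a one-line addition if the deployment wants them.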