├── .gitignore
├── resources
├── favicon.ico
└── Exabeam-2024-Logo.png
├── ParsersLegacy
└── y_parsers.md
└── DS
├── Ps
├── pC_ciscoumbrellacefdnsresponsesuccessallowed.md
├── pC_dgepkvprinteractivitysuccess22.md
├── pC_sophosepsk4alerttriggersuccessenc.md
├── pC_imprivataikvappactivitysuccessagentshutdown.md
├── pC_sophosepsk4alerttriggersuccessevent.md
├── pC_sophosepsk4alerttriggersuccessendpointevent.md
├── pC_dellswkvrdptrafficsuccesssslvpn.md
├── pC_imprivataikvappactivitysuccesspasswordreset.md
├── pC_microsoftmssqlkvdatabaseloginfail33205.md
├── pC_checkpointngfwkvnetworktrafficvpn1.md
├── pC_microsoftmssqlkvdatabaseloginsuccess33205.md
├── pC_microsoftwindowsxmlvpnlogoutsuccess4304.md
├── pC_panngfwjsonalerttriggersuccessspyware.md
├── pC_sophosepsk4alerttriggersuccesssavdisable.md
├── pC_checkpointngfwleefnetworktrafficfirewall.md
├── pC_auth0ajsonendpointloginfailfp.md
├── pC_checkpointngfwjsonnetworktrafficfaildrop.md
├── pC_sophosepsk4alerttriggersuccesscorepua.md
├── pC_sophosepsk4alerttriggersuccesshmpacrypyguard.md
├── pC_sophosepsk4alerttriggersuccessthreatclean.md
├── pC_checkpointamleefalerttriggersuccessantimalware.md
├── pC_checkpointesleefalerttriggersuccesscheckpoint.md
├── pC_checkpointngfwkvnetworktrafficfaildrop1.md
├── pC_crowdstrikefalconjsonappactivityawsec2securitygroup.md
├── pC_microsoftwindowsxmlvpnloginsuccess2002.md
├── pC_panwildfirecefalerttriggersuccessfilethreat.md
├── pC_panwildfirecefalerttriggersuccesspanos.md
├── pC_sophosepcefalerttriggersuccesshmpacredguard.md
├── pC_sophosepcefalerttriggersuccesspuadetected.md
├── pC_sophosepcefalerttriggersuccesssafebrowsing.md
├── pC_checkpointngfwkvnetworktrafficsuccessaccept4.md
├── pC_crowdstrikefalconjsonappactivityawsec2networkaclentry.md
├── pC_sophosepsk4alerttriggersuccessapplicationblock.md
├── pC_sophosepsk4alerttriggersuccesscontrolviolation.md
├── pC_sophosepsk4alerttriggersuccessthreatdetected.md
├── pC_zeekzjsonnetworktrafficsuccessdpd.md
├── pC_checkpointngfwkvnetworktrafficsuccessaccept2.md
├── pC_checkpointngfwleefnetworktrafficapplicationcontrol.md
├── pC_microsoftwindowsxmlvpnloginsuccess2000.md
├── pC_microsoftwindowsxmlvpnlogoutsuccess2001.md
├── pC_panngfwleefnetworktrafficfaildeny.md
├── pC_stealthbitsskvvpnloginfailfailedlogin.md
├── pC_crowdstrikefalconsk4appactivityawsec2networkinterface.md
├── pC_cyberarkpamkvalerttriggersuccesskeystrokelogging.md
├── pC_cyberarkpamkvuserpasswordresetsuccesssetpassword.md
├── pC_openldapostrusersuccessop.md
├── pC_sophosepsk4alerttriggersuccessencryptionsuspened.md
├── pC_stealthbitsskvvpnloginsuccessloginsucceed.md
├── pC_beyondtrustprividentitycefappactivityjobaccount.md
├── pC_panngfwleefnetworktrafficfaildrop.md
├── pC_vmwareairwatchkvendpointloginfailauthentication.md
├── pC_microsoftevsecuritykvdsobjectdeletesuccess51411.md
├── pC_panngfwleefnetworktrafficfaildeny1.md
├── pC_postgresqlpstrdatabaseactivitylog.md
├── pC_unixunixstrcronsessionsuccesssessionopened.md
├── pC_beyondtrustprividentitycefappactivitysuccessidpassword.md
├── pC_beyondtrustprividentitycefapploginprivilegedidentity.md
├── pC_beyondtrustsrakvappactivitysuccessconnectionterminated.md
├── pC_ciscoumbrellacefdnsresponsesuccessnetworks.md
├── pC_cyberarkpamkvuserpasswordmodifysuccesscpmpasswordchanged.md
├── pC_ibmdb2kvdatabaseloginfailvalidate.md
├── pC_oracledbjsondatabasequerysuccessosusername.md
├── pC_postgresqlpstrdatabaseactivityfatal.md
├── pC_beyondtrustprividentitycefappactivityelevationfailed.md
├── pC_fireeyeendpointsecuritycefalerttriggersuccesscontainmentcancelled.md
├── pC_microsoftwindowsjsonapploginwazuhalerts.md
├── pC_oracledbjsondatabasequerysuccessuserhost.md
├── pC_postgresqlpstrdatabaseactivitydetail.md
├── pC_sailpointidentitynowjsonendpointauthenticationauth.md
├── pC_ciscoumbrellacefdnsresponsesuccessadcomputers.md
├── pC_sophosepsk4alerttriggersuccessperipheralblock.md
├── pC_unixunixstrsshtrafficsuccesssftpsessionopened.md
├── pC_beyondtrustprividentitycefappactivityaccountdeelevated.md
├── pC_beyondtrustprividentitycefappactivitylistaddedaccount.md
├── pC_cyberarkpamkvalerttriggersuccessnonauthorizedimpersonation.md
├── pC_microsoftevsecuritykvdsobjectactivitysuccess46623.md
├── pC_exabeamsearchjsonappactivitysuccessrole.md
├── pC_exabeamsearchjsonappactivitysuccessrule.md
├── pC_microsofto365cefappfiletabadded.md
├── pC_beyondtrustsrakvendpointloginsuccesschallenge.md
├── pC_ciscoumbrellacefdnsresponsesuccessinternalnetworks.md
├── pC_ciscoumbrellacefdnsresponsesuccessroamingcomputers.md
├── pC_exabeamaajsonapploginfailfailedlogin.md
├── pC_microsoftevdhcpserverxmlvpnloginsuccess4303.md
├── pC_microsofto365cefappfileteams.md
├── pC_panwildfirecefalerttriggersuccesslsardeleteaccess.md
├── pC_sentinelonesingularitypjsonalerttriggersuccessurl.md
├── pC_vmwareesxistrendpointactivityvmkernel.md
├── pC_exabeamsearchjsonapploginsuccessactivitylogin.md
├── pC_microsoftevsecurityjsonendpointloginsuccess46245.md
├── pC_microsoftxcsvemailfailed.md
├── pC_exabeamsearchjsonappactivitysuccesssearch.md
├── pC_microsoftevsecurityjsonendpointlogoutsuccess47791.md
├── pC_microsoftxcsvemailresolved.md
├── pC_panngfwleefendpointauthenticationsuccessauthsuccess.md
├── pC_sailpointidentitynowjsonuserpasswordmodifypasswordactivity.md
├── pC_sentinelonesingularitypjsonalerttriggersuccesspacked.md
├── pC_sentinelonesingularitypjsonalerttriggersuccessprocess.md
├── pC_sentinelonesingularitypjsonalerttriggersuccesssecurity.md
├── pC_sentinelonesingularitypjsonalerttriggersuccessvirus.md
├── pC_ciscosecureendpointsk4alerttriggersuccessthreatdetection.md
├── pC_exabeamsearchjsonappactivitysuccesspermissionchange.md
├── pC_forcepointngfwcefnetworkcloseconnectionclosed.md
├── pC_microsoftmcasceffilereadsuccesssharefile.md
├── pC_vmwareviewstrendpointdeletesuccessdeleted.md
├── pC_ciscosecureendpointsk4alerttriggersuccessmajorfaultraised.md
├── pC_microsoftmcasceffilereadsuccessmodifyfile.md
├── pC_sentinelonesingularitypjsonalerttriggersuccessbackdoor.md
├── pC_vmwareesxistrappnotificationvmkwarning.md
├── pC_ciscoumbrellacefdnsresponsesuccessadusers.md
├── pC_exabeamsearchjsonappactivitysuccessaddededited.md
├── pC_exabeamsearchjsonappactivitysuccessgroupmodified.md
├── pC_exabeamsearchjsonappactivitysuccesslogsourceadded.md
├── pC_exabeamsearchjsonappactivitysuccessrestarting.md
├── pC_microsoftevsecuritysk4networksessionsuccess5156.md
├── pC_microsofto365ceffiledeletesuccessfiledeleted.md
├── pC_microsofto365ceffilereadsuccessfileaccessed.md
├── pC_sentinelonesingularitypjsonalerttriggersuccessransomware.md
├── pC_sentinelonesingularitypjsonalerttriggersuccessthreatname.md
├── pC_symantecbcpastrhttpsessionfailed.md
├── pC_microsofto365jsonemailreceivesuccessemailreceive.md
├── pC_openldapostrusersuccesserr.md
├── pC_sophosepsk4alerttriggersuccessprivilegeexploitprevented.md
├── pC_symantecbcpamixhttpsessionproxied.md
├── pC_postgresqlpstrdatabaseactivitycontext.md
├── pC_exabeamaajsonapploginsuccessapplogin.md
├── pC_sentinelonesingularitypjsonalerttriggersuccessclassification.md
├── pC_panngfwcsvnetworktrafficsuccessallow.md
├── pC_ciscoumbrellask4dnsresponsesuccessroamingclient.md
├── pC_forcepointngfwcefappactivitylog.md
├── pC_ipswitchmoveittransferstrendpointauthenticationfailauthfailed.md
├── pC_rsaramstrconfigurationmodifysuccessconfigupdate.md
├── pC_checkpointngfwkvnetworktrafficfailreject.md
├── pC_exabeamaajsonappactivitysuccesssearch.md
├── pC_microsoftevsecurityjsongroupmemberremovesuccess4729.md
├── pC_postgresqlpstrdatabaselogoutsuccessdisconnect.md
├── pC_proofpointpepkvappactivitysuccessmod.md
├── pC_sonicwallswkvalerttriggersuccess2.md
├── pC_vmwareesxikvappnotificationsuccessesxupdate.md
├── pC_panngfwcsvnetworktrafficsuccessend.md
├── pC_bitglasscasbcefappscandlpscan.md
├── pC_crowdstrikefalconleefdnsrequestsuccessdnsrequests.md
├── pC_forcepointngfwcefnetworktrafficcatchall.md
├── pC_slacksjsonapploginsuccessuserlogin.md
├── pC_vmwareidmjsonappactivitysuccessuser.md
├── pC_bitglasscasbcefappscanmalwarescan.md
├── pC_bitglasscasbcefappscanscantimeout.md
├── pC_pangpcsvvpnloginfailloginfailure.md
├── pC_pangpcsvvpnloginsuccessconnected.md
├── pC_postgresqlpstrdatabaseloginfailpassworddoesnotmatch.md
├── pC_postgresqlpstrdatabaseloginfailroledoesnt_exist.md
├── pC_slacksjsonappactivitysuccessfileshared.md
├── pC_slacksjsonappactivitysuccessuserlogout.md
├── pC_slacksjsonfileuploadsuccessfileuploaded.md
├── pC_barracudawafstrhttprequestsuccessvalid.md
├── pC_rsaramstrconfigurationroutingmodifysuccesssystemconfig.md
├── pC_barracudawafstrhttprequestsuccessinternalpassive.md
├── pC_bitglasscasbsk4appactivitysuccessonedrive.md
├── pC_junipersrxkvnetworktrafficfailactiondeny.md
├── pC_slacksjsonappactivitysuccessuserchanneljoin.md
├── pC_slacksjsonappactivitysuccessuserdeactivated.md
├── pC_slacksjsonfiledownloadsuccessfiledownloaded.md
├── pC_stealthbitsskvusermodifyobjectmodified.md
├── pC_bitglasscasbsk4appactivitysuccesscatchall.md
├── pC_impervasecurespherecefdatabasealertsuccesssecurity.md
├── pC_slacksjsonappactivitysuccesscustomtosaccepted.md
├── pC_slacksjsonappactivitysuccessuserchannelleave.md
├── pC_barracudawafstrhttprequestsuccesspassivevalid.md
├── pC_egnyteecefappactivitysuccesscreate.md
├── pC_engyteecefappactivitysuccessupdate.md
├── pC_postgresqlpstrdatabaseloginsuccessauthenticated.md
├── pC_stealthbitsskvendpointmodifyobjectmodified.md
├── pC_stealthbitsskvgroupmodifyobjectmodified.md
├── pC_barracudawafstrhttprequestsuccessprotectedvalid.md
├── pC_microsoftevsecurityjsonfilesuccessobjectopen.md
├── pC_slacksjsonappactivitysuccesspublicchannelcreated.md
├── pC_stealthbitsskvappactivityactivedirectory.md
├── pC_barracudawafstrhttprequestsuccessunproctectedvalid.md
├── pC_microsofto365cefapploginsuccessuser.md
├── pC_slacksjsonappactivitysuccessprivatechannelcreated.md
├── pC_barracudawafstrhttprequestsuccessprofiledvalid.md
├── pC_microsofto365cefuserpasswordmodifysuccesschangeuserpassword.md
├── pC_egnyteegnytesk4appactivitysuccessaddedtogroup.md
├── pC_sentinelonevcefappactivitysuccessusercreatedrole.md
├── pC_unixunixauditdstrendpointloginsuccessauthenticated.md
├── pC_barracudawafstrhttprequestsuccessdefaultunprotectedvalid.md
├── pC_barracudawafstrhttprequestsuccessserverdefaultpassivevalid.md
├── pC_symantecedrjsonappnotificationsuccess21.md
├── pC_vmwareesxistrappnotificationfailed.md
├── pC_egnyteecefappactivitysuccessdisable.md
├── pC_egnyteegnytesk4appactivitysuccessremovedfromgroup.md
├── pC_vmwareedrceffilewritesuccessfilemod.md
├── pC_egnyteegnytesk4appactivitysuccessupgradedtopower.md
├── pC_egnyteegnytesk4appactivitysuccessverified.md
├── pC_microsoftazurekvfilesuccessvmid.md
├── pC_sentinelonevcefappactivitysuccessusermodified.md
├── pC_vmwareesxistrapploginsuccessvmauthd.md
├── pC_watchguardwkvnetworktrafficfirewall.md
├── pC_wizwjsonappactivitysuccessfailwiz.md
├── pC_watchguardwkvnetworktrafficfirewall1.md
├── pC_watchguardwkvnetworktrafficfirewall2.md
├── pC_junipersrxkvnetworktrafficsuccessactionpermit.md
├── pC_microsoftdefenderepjsonfilesuccesstenantid.md
├── pC_postgresqlpstrdatabaseloginfailpassword_failed.md
├── pC_unixunixauditdstrendpointloginsuccessauthentication.md
├── pC_vmwareesxistrappnotificationsuccesssfcbd.md
├── pC_vmwareesxistrendpointactivitysuccesscrxcli.md
├── pC_egnyteegnytesk4appactivitysuccessverificationdisable.md
├── pC_vmwareesxistrappnotificationsuccessnicmgmtd.md
├── pC_vmwareesxistrendpointactivitysuccesslocalcli.md
├── pC_vmwareesxistrappnotificationvsantraceurgent.md
├── pC_vmwareesxistrendpointactivitysuccessvmwipmi.md
├── pC_vmwareesxistrnetworksessionfailiofiltervpd.md
├── pC_forcepointngfwcefnetworktraffic1004.md
├── pC_microsoftdefenderepjsonapploginsuccesstimegenerated.md
├── pC_microsoftsysmonceffilewritesuccessfilecreated.md
├── pC_vmwareesxistrendpointactivitysuccessconfigstore.md
├── pC_microsoftazureceffilereadsuccessactiontype.md
├── pC_microsofto365ceffilereadsuccessmemberadded.md
├── pC_panngfwkvnetworktrafficfaildrop.md
├── pC_panngfwkvnetworktrafficsuccessend.md
├── pC_vmwareesxistrendpointactivitysuccessprovidermanager.md
├── pC_fortinetfortigatekvnetworknotificationsuccesssystem.md
├── pC_esetesleefhttpsessionfaileset.md
├── pC_googleworkspacejsonappactivitysuccessreportsactivity.md
├── pC_microsoftazuremonsk4dnssuccessazurefirewalldnsproxy.md
├── pC_panngfwleefendpointauthenticationfailauthfail.md
├── pC_vmwareesxistrendpointactivitysuccessuserworldcorrelator.md
├── pC_rsaramkvconfigurationmodifysuccessconfighost.md
└── pC_panngfwcefvpnloginsuccessclientswitchtossltunnelmodesucceeded.md
├── SAP
└── sap
│ └── Ps
│ ├── pC_sapscefuserdeletefailaudit.md
│ ├── pC_sapsceffiledownloadsuccessauy.md
│ └── pC_sapscefendpointauthenticationlogon.md
├── Accellion
└── kiteworks
│ └── Ps
│ ├── pC_accellionkwkvappactivitysuccesscreateddraft.md
│ ├── pC_accellionkwkvappactivitysuccessdraftchanged.md
│ ├── pC_accellionkwkvappactivitysuccessviewedemailsubject.md
│ ├── pC_accellionkwkvappactivitysuccessuserdeleted.md
│ ├── pC_accellionkwkvfileuploadsuccessuploadedfile1.md
│ ├── pC_accellionkwkvfiledeletesuccessdeletedfolder.md
│ ├── pC_accellionkwkvappactivitysuccessrequestedafile.md
│ ├── pC_accellionkwkvappactivitysuccessuserprofile.md
│ ├── pC_accellionkwkvfilepermissionmodifysuccessaddednewpermission.md
│ └── pC_accellionkiteworkskvuserpasswordmodifysuccessupdatedpassword.md
├── Unix
├── unix
│ └── Ps
│ │ ├── pC_unixunixjsonuserswitchsuccesssession.md
│ │ ├── pC_unixunixkvendpointactivitysuccessauditid.md
│ │ ├── pC_unixunixstruserpasswordmodifysuccesschangepasswd.md
│ │ ├── pC_unixunixstrnetworktrafficfailpacketsendfail.md
│ │ ├── pC_unixunixstrendpointnotificationsshdset.md
│ │ ├── pC_unixunixstrappnotificationsuccessnomad.md
│ │ ├── pC_unixunixstrendpointnotificationsuccesspamlimit.md
│ │ ├── pC_unixunixstrendpointauthenticationfailauth.md
│ │ ├── pC_unixunixstrendpointauthenticationfailsudoauth.md
│ │ ├── pC_unixunixstrendpointnotificationbash.md
│ │ ├── pC_unixunixstrendpointactivitysuccessunixid.md
│ │ ├── pC_unixunixstrendpointloginfailconnectionrefuse.md
│ │ ├── pC_unixunixstrendpointnotificationsuccesssnapd.md
│ │ ├── pC_unixunixkvendpointloginfailauthfailure.md
│ │ ├── pC_unixunixstrendpointloginsshdsessionopen.md
│ │ ├── pC_unixunixstruserpasswordmodifysuccesschage.md
│ │ ├── pC_unixunixstrappnotificationsuccessdkimsignatureadded.md
│ │ ├── pC_unixunixstrendpointloginsuccessauthsucceede.md
│ │ ├── pC_unixunixstrappnotificationsuccessconsul.md
│ │ ├── pC_unixunixkvendpointauthenticationsuccessdsepamauth.md
│ │ ├── pC_unixunixstrendpointactivitykernel.md
│ │ └── pC_unixunixstrnetworknotificationsuccessnetworkmanager.md
├── unix_auditd
│ └── Ps
│ │ └── pC_unixadstrendpointactivityauditd.md
├── unix_dhcpd
│ ├── RM
│ │ └── r_m_unix_unix_dhcpd_Enrichment.md
│ └── Ps
│ │ └── pC_unixdhcpdstrdhcptrafficdhcpd.md
└── unix_sendmail
│ └── Ps
│ ├── pC_unixsmstremailvirusclean.md
│ └── pC_unixsmkvemailattach.md
├── Salesforce
└── salesforce
│ └── Ps
│ ├── pC_salesforcesfsk4appactivitysuccesschangedemail.md
│ ├── pC_salesforcesfsk4appactivitysuccessfrozeuser.md
│ ├── pC_salesforcesfsk4appactivitysuccessactivateduser.md
│ ├── pC_salesforcesfsk4appactivitysuccesschangedcommunitynickname.md
│ └── pC_salesforcesfsk4appactivitysuccessuseremailchangesent.md
├── Dell
└── sonicwall
│ └── Ps
│ ├── pC_sonicwallswkvvpnloginsuccess1080.md
│ ├── pC_dellswkvvpnloginfailsslvpn.md
│ ├── pC_dellswkvvpnloginfail140.md
│ ├── pC_sonicwallswkvvpnlogoutsuccesssslvpn.md
│ └── pC_dellswkvvpnloginsuccessuserloginsuccessful.md
├── Cisco
├── cisco_identity_and_access_management
│ └── Ps
│ │ ├── pC_ciscoacscefendpointauthenticationfailauthfailed.md
│ │ └── pC_ciscoduostrappauthenticationsuccessloginfor.md
├── cisco_network_security
│ └── Ps
│ │ ├── pC_ciscoasastrappnotificationsuccesserror.md
│ │ ├── pC_ciscoasastrappnotificationsuccessfetchfail.md
│ │ ├── pC_ciscoasastrvpnlogoutsuccessauthensessionend.md
│ │ └── pC_ciscofpstrappnotificationsuccessfmc.md
├── cisco_email_security
│ └── Ps
│ │ ├── pC_ciscoiecsvemailoutcome.md
│ │ ├── pC_ciscoiestrappnotificationmaillogs.md
│ │ ├── pC_ciscoiestremailspam.md
│ │ ├── pC_ciscoiecefemailresponse.md
│ │ ├── pC_ciscoiestremailsubject.md
│ │ ├── pC_ciscoiekvemailresponse.md
│ │ ├── pC_ciscoiestremailattachment.md
│ │ ├── pC_ciscoiestremailantivirus.md
│ │ └── pC_ciscoiestremailfinished.md
├── cisco_network_infrastructure_and_management
│ └── Ps
│ │ ├── pC_ciscoasastrappnotificationsuccesspdt.md
│ │ ├── pC_ciscoasastrappnotificationsuccesscdp.md
│ │ ├── pC_ciscoasastrappnotificationsuccessl2fm.md
│ │ ├── pC_ciscoasastrappnotificationsuccesshsrp.md
│ │ ├── pC_ciscoasastrappnotificationsuccesstrack.md
│ │ ├── pC_ciscoasastrappnotificationsuccessswmatm.md
│ │ ├── pC_ciscoasastrappnotificationsuccessethport1.md
│ │ ├── pC_ciscoasastrappnotificationsuccessplatform.md
│ │ ├── pC_ciscoasastrappnotificationsuccessethport.md
│ │ └── pC_ciscoasastrappnotificationsuccesssys.md
├── cisco_collaboration
│ └── Ps
│ │ └── pC_ciscoasastrappnotificationsuccesssip.md
└── cisco_data_center
│ └── Ps
│ └── pC_ciscoasastrappnotificationsuccessucsm.md
├── VMware
├── vmware_esxi
│ └── Ps
│ │ ├── pC_vmwareesxistrappactivityvsand.md
│ │ ├── pC_vmwareesxistrappactivityinfo.md
│ │ ├── pC_vmwareesxistrendpointdeleteremovedvm.md
│ │ ├── pC_vmwareesxistrappactivityvsansystem.md
│ │ ├── pC_vmwareesxistrappactivityhostd1.md
│ │ └── pC_vmwareesxistrhttpsessionfailiofiltervpd.md
├── vcenter
│ └── Ps
│ │ └── pC_barracudawafstrappnotificationsamltokenparsed.md
├── vmware_horizon
│ └── Ps
│ │ ├── pC_vmwarehorizonstrappnotificationsuccessmaximum.md
│ │ ├── pC_vmwarehorizonstrapploginsuccessloggedin.md
│ │ └── pC_vmwarehorizonstrappauthenticationview.md
├── vmware_view
│ └── Ps
│ │ ├── pC_vmwareviewstrapplogoutsuccessloggedout.md
│ │ └── pC_vmwareviewstrapploginsuccessviewuser.md
└── vmware_velocloud_sd-wan
│ └── Ps
│ └── pC_vmwarevmsdwanstrappnotificationcatchall.md
├── Zeek
└── zeek
│ └── Ps
│ ├── pC_zeekzeekstrnetworksessionstatslog.md
│ ├── pC_zeekzjsonendpointloginrdp.md
│ ├── pC_zeekzjsonhttpsessionfileset.md
│ ├── pC_zeekzjsonemailsendsuccesssmtp.md
│ ├── pC_zeekzjsondnsrequestsuccessdnsrequest.md
│ ├── pC_zeekzjsondnsresponsesuccessdnsred.md
│ ├── pC_zeekzjsonshareaccesssuccesssharetype.md
│ └── pC_zeekzjsondnsrequestsuccessdnsred.md
├── Symantec
└── symantec_email_security
│ └── Ps
│ ├── pC_symantecescstremailspf.md
│ ├── pC_symantecescstremailbytes.md
│ ├── pC_symantecescstremaildirection.md
│ ├── pC_symantecescstremailsubject.md
│ ├── pC_symantecescstremailreturnpath.md
│ ├── pC_symantecescstremailattachment.md
│ └── pC_symantecescstremailattachment1.md
├── Badge
└── badge
│ └── Ps
│ └── pC_badgebkvphysicallocationaccesssuccesscardadmitted.md
├── F5
├── f5_access_policy_manager
│ └── Ps
│ │ ├── pC_f5apmstrvpnsuccesssessiondeleted.md
│ │ ├── pC_f5apmstrvpnloginfailfailedlogin.md
│ │ ├── pC_f5apmstrvpnsuccessusername.md
│ │ ├── pC_f5apmstrvpnsuccessaccesspolicy.md
│ │ ├── pC_f5apmjsonendpointloginfail01490212.md
│ │ ├── pC_f5apmstrvpnsuccessstatistics.md
│ │ ├── pC_f5apmstrvpnsuccessuseragent.md
│ │ └── pC_f5apmstrvpnsuccessclientinfo.md
└── f5_big-ip
│ └── Ps
│ ├── pC_f5bigipstrappnotificationinfo.md
│ ├── pC_f5bigipstrappactivityrestserver.md
│ └── pC_f5bigipstrvpnloginsuccessplatform.md
├── HP
└── hpe_comware
│ ├── Ps
│ ├── pC_hpcomwarestrappnotificationlink.md
│ ├── pC_hpcomwarestrappnotificationinterface.md
│ └── pC_hpcomwarestrconfigurationmodifyforwarding.md
│ └── RM
│ └── r_m_hp_hpe_comware_Enrichment.md
├── Microsoft
├── azure_monitor
│ └── Ps
│ │ ├── pC_microsoftazuremonjsonappactivitysuccessdatastorereadevent.md
│ │ ├── pC_microsoftazuremonjsonappactivitysuccesscomputeinstanceevent.md
│ │ ├── pC_microsoftazuremonjsonappactivitysuccessamlcomputeclusterevent.md
│ │ ├── pC_microsoftazuremonjsonappactivitysuccesserrors.md
│ │ ├── pC_microsoftazuremonjsondatabaseactivitysuccesstimeouts.md
│ │ └── pC_microsoftazuremonjsonappactivitysuccesssynapserbacoperations.md
├── microsoft_365
│ └── Ps
│ │ └── pC_microsofto365sk4filedeletesuccessfiledeleted.md
└── microsoft_defender
│ └── Ps
│ └── pC_microsoftazurescjsonalerttriggersuccessasc.md
├── OpenDJ
└── opendj
│ └── Ps
│ └── pC_opendjokvendpointloginuid.md
├── Forcepoint
└── forcepoint_next-gen_firewall
│ └── Ps
│ └── pC_forcepointngfwcefnetworktrafficsuccessconnectionallowed.md
├── N3K
└── n3k
│ └── RM
│ └── r_m_n3k_n3k_Enrichment.md
├── Kemp
└── kemp_loadmaster
│ └── Ps
│ └── pC_kemploadmasterstrappnotificationsmtpalertsuccessfullysent.md
├── Onapsis
└── onapsis
│ └── Ps
│ └── pC_onapsisocefappnotificationisalive.md
├── Shibboleth
└── shibboleth
│ └── Ps
│ └── pC_shibbolethskvappnotificationwarn.md
├── Delinea
└── secret_server
│ └── Ps
│ └── pC_delineasscefappnotificationsystemlog.md
├── Nagios
└── nagios
│ └── RM
│ └── r_m_nagios_nagios_Enrichment.md
├── OpenAI
└── openai
│ └── RM
│ └── r_m_openai_openai_Enrichment.md
├── APC
└── apc
│ └── Ps
│ └── pC_apcastrapploginfailinvalidcredentials.md
├── Amazon
├── aws_ssm
│ └── RM
│ │ └── r_m_amazon_aws_ssm_Enrichment.md
└── amazon_rds
│ └── RM
│ └── r_m_amazon_amazon_rds_Enrichment.md
├── Barracuda
├── barracuda_cloudgen_firewall
│ └── Ps
│ │ └── pC_barracudafirewallstrvpnauthenticationvpnike.md
└── barracuda_waf
│ └── Ps
│ └── pC_barracudawafstrappnotificationfoundcdpdu.md
├── Check_Point
└── check_point_ngfw
│ └── Ps
│ └── pC_checkpointngfwkvvpnauthenticationsuccessauthrequest.md
├── Infoblox
└── bloxone_ddi
│ └── Ps
│ ├── pC_infobloxbddistrnetworknotificationsuccessnolongerconnected.md
│ └── pC_infobloxbddistrnetworknotificationsuccessnopeer.md
├── MongoDB
└── mongodb
│ └── RM
│ └── r_m_mongodb_mongodb_Enrichment.md
├── Seclore
└── seclore
│ └── RM
│ └── r_m_seclore_seclore_Enrichment.md
├── IBM
└── ibm_datapower
│ └── RM
│ └── r_m_ibm_ibm_datapower_Enrichment.md
├── CrushFTP
└── crushftp
│ └── RM
│ └── r_m_crushftp_crushftp_Enrichment.md
├── Exabeam
├── audit_log
│ └── RM
│ │ └── r_m_exabeam_audit_log_Enrichment.md
└── ng_analytics
│ └── RM
│ └── r_m_exabeam_ng_analytics_Enrichment.md
├── Sophos
└── sophos_ztna
│ └── RM
│ └── r_m_sophos_sophos_ztna_Enrichment.md
├── Weblogin
└── weblogin
│ └── RM
│ └── r_m_weblogin_weblogin_Enrichment.md
├── Apache
└── apache_tomcat
│ └── RM
│ └── r_m_apache_apache_tomcat_Enrichment.md
├── NNT
└── nnt_changetracker
│ └── RM
│ └── r_m_nnt_nnt_changetracker_Enrichment.md
└── XPS
└── xps
└── Ps
└── pC_xpsskvprinteractivitysuccessset.md
/.gitignore:
--------------------------------------------------------------------------------
1 |
2 | .DS_Store
3 |
--------------------------------------------------------------------------------
/resources/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ExabeamLabs/Content-Library-CIM2/HEAD/resources/favicon.ico
--------------------------------------------------------------------------------
/ParsersLegacy/y_parsers.md:
--------------------------------------------------------------------------------
1 | | Old Parser Name | New-Scale Parser Name |
2 | | --------------- | --------------------- |
--------------------------------------------------------------------------------
/resources/Exabeam-2024-Logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ExabeamLabs/Content-Library-CIM2/HEAD/resources/Exabeam-2024-Logo.png
--------------------------------------------------------------------------------
/DS/Ps/pC_ciscoumbrellacefdnsresponsesuccessallowed.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "cisco-umbrella-cef-dns-response-success-allowed"
5 | Conditions = [
6 | ""","Allowed","1 (A)","""
7 | ]
8 | ParserVersion = "v1.0.0"
9 |
10 |
11 | }
12 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_dgepkvprinteractivitysuccess22.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = dg-ep-kv-printer-activity-success-22
5 | Conditions = [
6 | """Operation="22""""
7 | """Agent_UTC_Time="""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sophosepsk4alerttriggersuccessenc.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = sophos-ep-sk4-alert-trigger-success-enc
5 | Conditions = [
6 | """CEF:"""
7 | """"Event::Endpoint::Enc::"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_imprivataikvappactivitysuccessagentshutdown.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = imprivata-i-kv-app-activity-success-agentshutdown
5 | Conditions = [
6 | """Event: Agent Shutdown"""
7 | ]
8 | ParserVersion = "v1.0.0"
9 |
10 |
11 | }
12 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sophosepsk4alerttriggersuccessevent.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = sophos-ep-sk4-alert-trigger-success-event
5 | Conditions = [
6 | """CEF:"""
7 | """"Event::Endpoint::Core"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sophosepsk4alerttriggersuccessendpointevent.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = sophos-ep-sk4-alert-trigger-success-endpointevent
5 | Conditions = [
6 | """Event::Endpoint::Threat::"""
7 | ]
8 | ParserVersion = "v1.0.0"
9 |
10 |
11 | }
12 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_dellswkvrdptrafficsuccesssslvpn.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = dell-sw-kv-rdp-traffic-success-sslvpn
5 | Conditions = [
6 | """msg="RDP"""
7 | """SSLVPN:"""
8 | """id=sslvpn"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_imprivataikvappactivitysuccesspasswordreset.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = imprivata-i-kv-app-activity-success-passwordreset
5 | Conditions = [
6 | """Event: Primary Password Reset"""
7 | ]
8 | ParserVersion = "v1.0.0"
9 |
10 |
11 | }
12 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftmssqlkvdatabaseloginfail33205.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = microsoft-mssql-kv-database-login-fail-33205
5 | Conditions = [
6 | """EventCode=33205"""
7 | """action_id:LGIF"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/SAP/sap/Ps/pC_sapscefuserdeletefailaudit.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "sap-s-cef-user-delete-fail-audit"
5 | Product = "SAP"
6 | Conditions = [
7 | """CEF:"""
8 | """|SAP|Security Audit Log|"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_checkpointngfwkvnetworktrafficvpn1.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = checkpoint-ngfw-kv-network-traffic-vpn-1
5 | Conditions = [
6 | """|Check Point|VPN-1 & FireWall-1|"""
7 | """layer_name="""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftmssqlkvdatabaseloginsuccess33205.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = microsoft-mssql-kv-database-login-success-33205
5 | Conditions = [
6 | """EventCode=33205"""
7 | """action_id:LGIS"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftwindowsxmlvpnlogoutsuccess4304.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-windows-xml-vpn-logout-success-4304"
5 | Conditions = [
6 | """4304"""
7 | """"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_panngfwjsonalerttriggersuccessspyware.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = pan-ngfw-json-alert-trigger-success-spyware
5 | Conditions = [
6 | """"LogType":"THREAT""""
7 | """"Subtype":"spyware""""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sophosepsk4alerttriggersuccesssavdisable.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = sophos-ep-sk4-alert-trigger-success-savdisable
5 | Conditions = [
6 | """CEF:"""
7 | """"Event::Endpoint::SavDisabled""""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_checkpointngfwleefnetworktrafficfirewall.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = checkpoint-ngfw-leef-network-traffic-firewall
5 | Conditions = [
6 | """LEEF"""
7 | """|Check Point|VPN-1 & FireWall-1|"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_auth0ajsonendpointloginfailfp.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = auth0-a-json-endpoint-login-fail-fp
5 | Conditions = [
6 | """type":"fp"""
7 | """user_id"""
8 | """client_name"""
9 | """client_id"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_checkpointngfwjsonnetworktrafficfaildrop.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = checkpoint-ngfw-json-network-traffic-fail-drop
5 | Conditions = [
6 | """product="VPN-1 & FireWall-1""""
7 | """Action="drop""""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sophosepsk4alerttriggersuccesscorepua.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = sophos-ep-sk4-alert-trigger-success-corepua
5 | Conditions = [
6 | """CEF:"""
7 | """"Event::Endpoint::CorePua"""
8 | """"group":"PUA""""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sophosepsk4alerttriggersuccesshmpacrypyguard.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = sophos-ep-sk4-alert-trigger-success-hmpacrypyguard
5 | Conditions = [
6 | """CEF:"""
7 | """"Event::Endpoint::HmpaCryptoGuard"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sophosepsk4alerttriggersuccessthreatclean.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = sophos-ep-sk4-alert-trigger-success-threatclean
5 | Conditions = [
6 | """CEF:"""
7 | """"type":"Event::Endpoint::Threat::Clean"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_checkpointamleefalerttriggersuccessantimalware.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "checkpoint-am-leef-alert-trigger-success-antimalware"
5 | Conditions = [
6 | """|Check Point|Anti Malware|"""
7 | """signature="""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_checkpointesleefalerttriggersuccesscheckpoint.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "checkpoint-es-leef-alert-trigger-success-checkpoint"
5 | Conditions = [
6 | """|Check Point|New Anti Virus|"""
7 | """signature="""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_checkpointngfwkvnetworktrafficfaildrop1.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = checkpoint-ngfw-kv-network-traffic-fail-drop-1
5 | Conditions = [
6 | """product:"""
7 | """VPN-1 & FireWall-1;"""
8 | """ drop """
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_crowdstrikefalconjsonappactivityawsec2securitygroup.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = crowdstrike-falcon-json-app-activity-awsec2securitygroup
5 | Conditions = [
6 | """"event_simpleName":"AwsEc2SecurityGroup""""
7 | ]
8 | ParserVersion = "v1.0.0"
9 |
10 |
11 | }
12 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftwindowsxmlvpnloginsuccess2002.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-windows-xml-vpn-login-success-2002"
5 | Conditions = [
6 | """2002"""
7 | """2000"""  # NOTE(review): this and the next three entries all carry gutter number 7 — 2000/2001/4303 look merged in beside the 2002 this parser is named for; confirm which event IDs are intended
7 | """2001"""
7 | """4303"""
7 | """"""  # NOTE(review): empty triple-quoted string — if Conditions are substring tokens, an empty token matches every event and adds nothing but false confidence; presumably a leftover, confirm and remove
8 | """Microsoft-Windows-Iphlpsvc/Operational"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsofto365cefappfileteams.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-o365-cef-app-file-teams"
5 | Conditions = [
6 | """CEF:"""
7 | """|Microsoft Teams|"""
8 | """|TeamsSessionStarted|"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 | q-adfs-auth.Fields}[  # NOTE(review): lines 12-13 are not a key of this object — a stray "}" followed by an unopened "[" and a host-extraction regex that looks pasted from another parser's Fields list; as written the definition would not parse, confirm and remove
13 | """\sComputer=({host}.+?)(\s+\w+=|\s*$)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_panwildfirecefalerttriggersuccesslsardeleteaccess.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "pan-wildfire-cef-alert-trigger-success-lsardeleteaccess"
5 | Conditions = [
6 | """Palo Alto Networks|PAN-OS|"""
7 | """Windows Local Security Architect lsardelete access(30857)|THREAT|"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sentinelonesingularitypjsonalerttriggersuccessurl.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "sentinelone-singularityp-json-alert-trigger-success-url"
5 | Conditions = [
6 | """"threatName":"""
7 | """"classification": "PUA""""
8 | """"agentComputerName":"""
9 | ]
10 | ExtractionType = json
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrendpointactivityvmkernel.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = vmware-esxi-str-endpoint-activity-vmkernel
5 | ParserVersion = v1.0.0
6 | Conditions = [ """vmkernel:""" ]
7 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
8 | """({event_name}Last path removed for TGT)"""
9 | ]
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Salesforce/salesforce/Ps/pC_salesforcesfsk4appactivitysuccessfrozeuser.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "salesforce-sf-sk4-app-activity-success-frozeuser"
5 | Product = "Salesforce"
6 | Conditions = [
7 | """Action\=frozeuser"""
8 | """type\=SetupAuditTrail;"""
9 | """Display\="""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_exabeamsearchjsonapploginsuccessactivitylogin.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "exabeam-search-json-app-login-success-activitylogin"
5 | Conditions = [
6 | """"Exabeam Audit Event""""
7 | """"event_type":"app-login""""
8 | """"activity":"Log in""""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftevsecurityjsonendpointloginsuccess46245.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-evsecurity-json-endpoint-login-success-4624-5"
5 | Conditions = [
6 | """"data.id":"4624""""
7 | """"type":"wazuh-alerts""""
8 | """"decoder.parent":"windows""""
9 | ]
10 | ExtractionType = json
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftxcsvemailfailed.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = microsoft-x-csv-email-failed
5 | ParserVersion = v1.0.0
6 | Conditions = [
7 | ""","Failed","""
8 | ]
9 |
10 | exchange-dlp-email-alert} {  # NOTE(review): stray closing brace and a second object begin here; the copy below repeats Name/ParserVersion/Conditions and never closes its Conditions list ("]" missing before line 16) — looks like a paste fragment, confirm and remove
11 | Name = microsoft-x-csv-email-failed
12 | ParserVersion = v1.0.0
13 | Conditions = [
14 | ""","Failed","""
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_exabeamsearchjsonappactivitysuccesssearch.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "exabeam-search-json-app-activity-success-search"
5 | Conditions = [
6 | """"Exabeam Audit Event""""
7 | """"event_type":"app-activity""""
8 | """"activity":"Threat hunter search"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftevsecurityjsonendpointlogoutsuccess47791.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = microsoft-evsecurity-json-endpoint-logout-success-4779-1
5 | Conditions = [
6 | """"data.id":"4779""""
7 | """"type":"wazuh-alerts""""
8 | """"decoder.parent":"windows""""
9 | ]
10 | ExtractionType = json
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftxcsvemailresolved.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = microsoft-x-csv-email-resolved
5 | ParserVersion = v1.0.0
6 | Conditions = [
7 | ""","Resolved","""
8 | ]
9 |
10 | exchange-dlp-email-alert} {  # NOTE(review): stray closing brace and a second, unclosed object ("]" missing before line 16) — looks like a paste fragment, confirm and remove
11 | Name = microsoft-x-csv-email-failed  # NOTE(review): this is the Name of the separate "microsoft-x-csv-email-failed" parser (pC_microsoftxcsvemailfailed.md), not this file's; if the fragment were ever loaded the two identifiers would collide
12 | ParserVersion = v1.0.0
13 | Conditions = [
14 | ""","Failed","""
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_panngfwleefendpointauthenticationsuccessauthsuccess.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = pan-ngfw-leef-endpoint-authentication-success-authsuccess
5 | Conditions = [
6 | """LEEF:"""
7 | """|Palo Alto Networks|PAN-OS Syslog Integration|"""
8 | """type=auth"""
9 | """|auth-success|"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sailpointidentitynowjsonuserpasswordmodifypasswordactivity.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "sailpoint-identitynow-json-user-password-modify-passwordactivity"
5 | ExtractionType = json
6 | Conditions = [
7 | """"type": "PASSWORD_ACTIVITY""""
8 | """"stack": """
9 | """"attributes":"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sentinelonesingularitypjsonalerttriggersuccesspacked.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "sentinelone-singularityp-json-alert-trigger-success-packed"
5 | ExtractionType = json
6 | Conditions = [
7 | """"threatName":"""
8 | """"classification": "Packed""""
9 | """"agentComputerName":"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sentinelonesingularitypjsonalerttriggersuccessprocess.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "sentinelone-singularityp-json-alert-trigger-success-process"
5 | Conditions = [
6 | """"threatName":"""
7 | """"classification": "Malware""""
8 | """"agentComputerName":"""
9 | ]
10 | ExtractionType = json
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sentinelonesingularitypjsonalerttriggersuccesssecurity.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "sentinelone-singularityp-json-alert-trigger-success-security"
5 | Conditions = [
6 | """"threatName":"""
7 | """"classification": "Trojan""""
8 | """"agentComputerName":"""
9 | ]
10 | ExtractionType = json
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sentinelonesingularitypjsonalerttriggersuccessvirus.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "sentinelone-singularityp-json-alert-trigger-success-virus"
5 | Conditions = [
6 | """"threatName":"""
7 | """"classification": "Virus""""
8 | """"agentComputerName":"""
9 | ]
10 | ExtractionType = json
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Salesforce/salesforce/Ps/pC_salesforcesfsk4appactivitysuccessactivateduser.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "salesforce-sf-sk4-app-activity-success-activateduser"
5 | Product = "Salesforce"
6 | Conditions = [
7 | """Action\=activateduser"""
8 | """type\=SetupAuditTrail"""
9 | """Display\="""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_ciscosecureendpointsk4alerttriggersuccessthreatdetection.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = cisco-secureendpoint-sk4-alert-trigger-success-threatdetection
5 | Conditions = [
6 | """"event_type""""
7 | """Threat Detection"""
8 | """"trajectory":"""
9 | """"timestamp_nanoseconds":"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_exabeamsearchjsonappactivitysuccesspermissionchange.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = exabeam-search-json-app-activity-success-permissionchange
5 | Conditions = [
6 | """"Exabeam Audit Event""""
7 | """"event_type":"permission change""""
8 | """"activity":""""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_forcepointngfwcefnetworkcloseconnectionclosed.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = forcepoint-ngfw-cef-network-close-connectionclosed
5 | ParserVersion = "v1.0.0"
6 | Conditions = [ """CEF:""", """|FORCEPOINT|""", """|Connection_Closed|""" ]
7 | Fields = ${DLForcepointParsersTemplates.forcepoint-template.Fields} [
8 | ]
9 |
10 |
11 | }
12 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftmcasceffilereadsuccesssharefile.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-mcas-cef-file-read-success-sharefile"
5 | Conditions = [
6 | """CEF:"""
7 | """|MCAS|SIEM_Agent|"""
8 | """|Share file|"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 | q-adfs-auth.Fields}[  # NOTE(review): lines 12-13 are not a key of this object — a stray "}" followed by an unopened "[" and a host-extraction regex that looks pasted from another parser's Fields list; as written the definition would not parse, confirm and remove
13 | """\sComputer=({host}.+?)(\s+\w+=|\s*$)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareviewstrendpointdeletesuccessdeleted.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = vmware-view-str-endpoint-delete-success-deleted
5 | ParserVersion = "v1.0.0"
6 | Conditions = [ """ View """, """has been deleted""" ]
7 | Fields = ${VMWareParsersTemplates.vmware-view-events.Fields}[
8 | """({operation}deleted)"""
9 | ]
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Salesforce/salesforce/Ps/pC_salesforcesfsk4appactivitysuccesschangedcommunitynickname.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "salesforce-sf-sk4-app-activity-success-changedcommunitynickname"
5 | Product = "Salesforce"
6 | Conditions = [
7 | """Action\=changedcommunitynickname;"""
8 | """Sales Cloud"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_ciscosecureendpointsk4alerttriggersuccessmajorfaultraised.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = cisco-secureendpoint-sk4-alert-trigger-success-majorfaultraised
5 | Conditions = [
6 | """"event_type""""
7 | """"Major Fault Raised""""
8 | """"trajectory":"""
9 | """"timestamp_nanoseconds":"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftmcasceffilereadsuccessmodifyfile.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-mcas-cef-file-read-success-modifyfile"
5 | Conditions = [
6 | """CEF:"""
7 | """|MCAS|SIEM_Agent|"""
8 | """|Modify file|"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 | q-adfs-auth.Fields}[  # NOTE(review): lines 12-13 are not a key of this object — a stray "}" followed by an unopened "[" and a host-extraction regex that looks pasted from another parser's Fields list; as written the definition would not parse, confirm and remove
13 | """\sComputer=({host}.+?)(\s+\w+=|\s*$)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sentinelonesingularitypjsonalerttriggersuccessbackdoor.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "sentinelone-singularityp-json-alert-trigger-success-backdoor"
5 | ExtractionType = json
6 | Conditions = [
7 | """"threatName":"""
8 | """"classification": "Backdoor""""
9 | """"agentComputerName":"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrappnotificationvmkwarning.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = vmware-esxi-str-app-notification-vmkwarning
5 | Conditions = [ """vmkwarning:""", """Invalid checksum""" ]
6 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
7 | """({event_name}Invalid checksum)"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_ciscoumbrellacefdnsresponsesuccessadusers.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "cisco-umbrella-cef-dns-response-success-adusers"
5 | Conditions = [
6 | """destinationServiceName =Cisco Umbrella"""
7 | """"queryType":""""
8 | """"responseCode":""""
9 | """"mostGranularIdentityType":"AD Users""""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_exabeamsearchjsonappactivitysuccessaddededited.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "exabeam-search-json-app-activity-success-addededited"
5 | Conditions = [
6 | """"Exabeam Audit Event""""
7 | """"event_type":"app-activity""""
8 | """"activity":"Log feed added/edited"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_exabeamsearchjsonappactivitysuccessgroupmodified.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = exabeam-search-json-app-activity-success-groupmodified
5 | Conditions = [
6 | """"Exabeam Audit Event""""
7 | """"event_type":"app-activity""""
8 | """"activity":"LDAP group modified""""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_exabeamsearchjsonappactivitysuccesslogsourceadded.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = exabeam-search-json-app-activity-success-logsourceadded
5 | Conditions = [
6 | """"Exabeam Audit Event""""
7 | """"event_type":"app-activity""""
8 | """"activity":"Log source added""""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_exabeamsearchjsonappactivitysuccessrestarting.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "exabeam-search-json-app-activity-success-restarting"
5 | Conditions = [
6 | """"Exabeam Audit Event""""
7 | """"event_type":"app-activity""""
8 | """"activity":"A component is restarting"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftevsecuritysk4networksessionsuccess5156.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-evsecurity-sk4-network-session-success-5156"
5 | Conditions = [
6 | """"EventId":5156"""
7 | """The Windows Filtering Platform has permitted a connection"""
8 | """"MachineName":"""
9 | """"TimeCreated":"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsofto365ceffiledeletesuccessfiledeleted.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-o365-cef-file-delete-success-filedeleted"
5 | Conditions = [
6 | """|Microsoft|"""
7 | """|FileDeleted|"""
8 | """eventId="""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 | q-adfs-auth.Fields}[  # NOTE(review): lines 12-13 are not a key of this object — a stray "}" followed by an unopened "[" and a host-extraction regex that looks pasted from another parser's Fields list; as written the definition would not parse, confirm and remove
13 | """\sComputer=({host}.+?)(\s+\w+=|\s*$)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsofto365ceffilereadsuccessfileaccessed.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-o365-cef-file-read-success-fileaccessed"
5 | Conditions = [
6 | """|Microsoft|"""
7 | """|FileAccessed|"""
8 | """eventId="""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 | q-adfs-auth.Fields}[  # NOTE(review): lines 12-13 are not a key of this object — a stray "}" followed by an unopened "[" and a host-extraction regex that looks pasted from another parser's Fields list; as written the definition would not parse, confirm and remove
13 | """\sComputer=({host}.+?)(\s+\w+=|\s*$)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sentinelonesingularitypjsonalerttriggersuccessransomware.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "sentinelone-singularityp-json-alert-trigger-success-ransomware"
5 | ExtractionType = json
6 | Conditions = [
7 | """"threatName":"""
8 | """"classification": "Ransomware""""
9 | """"agentComputerName":"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sentinelonesingularitypjsonalerttriggersuccessthreatname.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "sentinelone-singularityp-json-alert-trigger-success-threatname"
5 | Conditions = [
6 | """"threatName":"""
7 | """"classification": "Hacktool""""
8 | """"agentComputerName":"""
9 | ]
10 | ExtractionType = json
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_symantecbcpastrhttpsessionfailed.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "symantec-bcpa-str-http-session-failed"
5 | ParserVersion = "v1.0.0"
6 | Conditions = [ """PROXIED""", """ ssl """]
7 |
8 | bluecoat-proxy}{  # NOTE(review): stray "}{" and a second object follow, its Conditions list unclosed ("]" missing before the final "}"); looks like a paste fragment, confirm and remove
9 | Name = "symantec-bcpa-mix-http-session-proxied"  # NOTE(review): this is the Name of a different parser (pC_symantecbcpamixhttpsessionproxied.md), not this file's — a duplicate identifier if the fragment were loaded
10 | ParserVersion = "v1.0.0"
11 | Conditions = [ """ PROXIED """, """http"""
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsofto365jsonemailreceivesuccessemailreceive.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-o365-json-email-receive-success-emailreceive"
5 | ExtractionType = json
6 | Conditions = [
7 | """"activity_type":"Receive""""  # NOTE(review): the only condition; nothing here ties the event to O365 — if Conditions are substring tokens, any JSON event carrying this pair would be routed to this parser; confirm a product/source token is not needed
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 | cef-azure-onedrive-app-activity.Fields} [  # NOTE(review): lines 11-12 are not a key of this object — stray "}" plus an unopened "[" and a CEF-style "rt=" time regex in a json-extraction parser; looks pasted from another parser's Fields list, confirm and remove
12 | """\Wrt=({time}\d{13})""",
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_openldapostrusersuccesserr.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = openldap-o-str-user-success-err
5 | Conditions = [ """slapd[""", """conn=""", """op=""", """ RESULT """, """err=""" ]
6 | Fields = ${openldapParserTemplates.openldap-kv-parser.Fields}[
7 | """err=({error_code}\d+)\s"""
8 | """tag=({result_code}\d+)"""
9 | ]
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sophosepsk4alerttriggersuccessprivilegeexploitprevented.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = sophos-ep-sk4-alert-trigger-success-privilegeexploitprevented
5 | Conditions = [
6 | """"endpoint_type":"""
7 | """"type":"Event::Endpoint::HmpaPrivGuard""""
8 | """We prevented a privilege escalation exploit"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_symantecbcpamixhttpsessionproxied.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "symantec-bcpa-mix-http-session-proxied"
5 | ParserVersion = "v1.0.0"
6 | Conditions = [ """ PROXIED """, """http""" ]
7 |
8 | bluecoat-proxy}{  # NOTE(review): stray "}{" followed by a second copy of this object whose Conditions list is never closed ("]" missing before the final "}"); looks like a paste fragment, confirm and remove
9 | Name = "symantec-bcpa-mix-http-session-proxied"
10 | ParserVersion = "v1.0.0"
11 | Conditions = [ """ PROXIED """, """http"""
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Salesforce/salesforce/Ps/pC_salesforcesfsk4appactivitysuccessuseremailchangesent.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "salesforce-sf-sk4-app-activity-success-useremailchangesent"
5 | Product = "Salesforce"
6 | Conditions = [
7 | """Action\=useremailchangesent"""
8 | """type\=SetupAuditTrail"""
9 | """Display\="""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_postgresqlpstrdatabaseactivitycontext.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = postgresql-p-str-database-activity-context
5 | Conditions = ["""CONTEXT:""", """postgres"""]
6 | Fields = ${postgresqlParser-Template.postgresql-parser-str-1.Fields}[
7 | """\WCONTEXT:\s*({additional_info}.+$)"""
8 | """\WSQL statement\s*"({db_query}[^\"]+)""""
9 | ]
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_identity_and_access_management/Ps/pC_ciscoacscefendpointauthenticationfailauthfailed.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = cisco-acs-cef-endpoint-authentication-fail-authfailed
5 | Product = "Cisco Identity and Access Management"
6 | Conditions = [
7 | """|Cisco Secure ACS|"""
8 | """|Authentication failed|"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_exabeamaajsonapploginsuccessapplogin.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "exabeam-aa-json-app-login-success-applogin"
5 | Conditions = [
6 | """"Exabeam Audit Event""""
7 | """"event_type":"app-login""""
8 | """"activity":"Log in""""
9 | """"app":"Exabeam Advanced Analytics""""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sentinelonesingularitypjsonalerttriggersuccessclassification.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "sentinelone-singularityp-json-alert-trigger-success-classification"
5 | Conditions = [
6 | """"threatName":"""
7 | """"classification": "Generic.Heuristic""""
8 | """"agentComputerName":"""
9 | ]
10 | ExtractionType = json
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_panngfwcsvnetworktrafficsuccessallow.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = pan-ngfw-csv-network-traffic-success-allow
5 | Conditions = [
6 | """,TRAFFIC,"""
7 | """,allow,"""
8 | """APC-PANORAMA-LOGS"""  # NOTE(review): looks like a deployment-specific tag rather than a product marker; if so, TRAFFIC/allow rows from any other Panorama feed will silently fail to match this parser — confirm it is meant to be generic
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 | cef-palo-alto-networks-firewall.Fields}[  # NOTE(review): lines 12-13 are not a key of this object — stray "}" plus an unopened "[" and a CEF-style "app=" regex in a CSV parser; looks pasted from another parser's Fields list, confirm and remove
13 | """\sapp=({action}(incomplete|insufficient-data))\s+(\w+=|$)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/VMware/vmware_esxi/Ps/pC_vmwareesxistrappactivityvsand.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = vmware-esxi-str-app-activity-vsand
5 | ParserVersion = v1.0.0
6 | Product = VMware ESXi
7 | Conditions = [ """VSANMGMTSVC""", """ vsand[""" ]
8 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
9 | """({event_name}Initialized ObjectCache)"""
10 | ]
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_ciscoumbrellask4dnsresponsesuccessroamingclient.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = cisco-umbrella-sk4-dns-response-success-roamingclient
5 | Conditions = [
6 | """destinationServiceName =Cisco Umbrella"""
7 | """"queryType":""""
8 | """"responseCode":""""
9 | """"mostGranularIdentityType":"Anyconnect Roaming Client""""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_forcepointngfwcefappactivitylog.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = forcepoint-ngfw-cef-app-activity-log
5 | ParserVersion = "v1.0.0"
6 | Conditions = [ """CEF:""", """|FORCEPOINT|""", """|Log_Compress-SIDs|""" ]
7 | Fields = ${DLForcepointParsersTemplates.forcepoint-template.Fields} [
8 | """CEF:\s*\d+\|([^\|]+\|){4}({event_name}[^\|]+)""",
9 | ]
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_ipswitchmoveittransferstrendpointauthenticationfailauthfailed.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "ipswitch-moveittransfer-str-endpoint-authentication-fail-authfailed"
5 | Conditions = [
6 | """MOVEitDMZ"""
7 | """authentication failed"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 | forcepoint-template-aa.Fields} [  # NOTE(review): lines 11-12 are not a key of this object — stray "}" plus an unopened "[" and a "proto=" regex referencing a Forcepoint template, unrelated to MOVEit; looks pasted from another parser's Fields list, confirm and remove
12 | """proto=\s*({protocol}.+?)(\s\w+=)""",
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_rsaramstrconfigurationmodifysuccessconfigupdate.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # RSA Authentication Manager SYSTEM_CONFIG_UPDATE audit records (configuration modified).
4 | Name = rsa-ram-str-configuration-modify-success-configupdate
5 | Conditions = [ """ SINGLEPOINT """, """ SYSTEM_CONFIG_UPDATE """ ]
6 | Fields = ${DLRSAParserTemplate.rsa-system-events.Fields}[
  | # Free text after the last "]" up to end of line becomes additional_info; it stops at the
  | # first double quote and drops trailing periods/whitespace.
7 | """\]\s+({additional_info}[^"]+?)\.*\s*$"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/VMware/vmware_esxi/Ps/pC_vmwareesxistrappactivityinfo.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # ESXi hostd-probe informational messages.
4 | Name = vmware-esxi-str-app-activity-info
5 | ParserVersion = v1.0.0
6 | Product = VMware ESXi
  | # "info " on its own is a very common substring; "hostd-probe:" is the token that actually
  | # scopes this parser.
7 | Conditions = [ """hostd-probe:""", """info """ ]
8 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
  | # event_name = the text following "sub=Default]" up to a double quote or end of line.
9 | """sub=Default\]\s+({event_name}[^"\$]+?)\s*($|")"""
10 | ]
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_checkpointngfwkvnetworktrafficfailreject.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # Check Point VPN-1 firewall records with action "Reject" (key:"value" format).
4 | Name = checkpoint-ngfw-kv-network-traffic-fail-reject
5 | Conditions = [ """ CheckPoint """, """action:"Reject"""", """product:"VPN-1"""" ]
6 | ParserVersion = "v1.0.0"
7 |
  | # NOTE(review): the lines below are a truncated Fields list — the "Fields = ${..." prefix
  | # and the closing "]" are missing in this listing. The two regexes are consistent with the
  | # key:"value" format: event_name/operation from action:"...", and a 10-digit epoch from
  | # time:"..." (or time=...).
8 | checkpoint-auth.Fields}[
9 | """action:"+({event_name}({operation}[^"]+))""",
10 | """\Wtime(:|=)"({time}\d{10})""""
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_exabeamaajsonappactivitysuccesssearch.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # Exabeam Advanced Analytics audit event: a Threat Hunter search was run.
  | # Conditions only; no Fields are visible here, so extraction presumably comes from a
  | # shared template — confirm.
4 | Name = "exabeam-aa-json-app-activity-success-search"
5 | Conditions = [
6 | """"Exabeam Audit Event"""
7 | """"event_type":"app-activity""""
8 | """"activity":"Threat hunter search""""
9 | """"app":"Exabeam Advanced Analytics"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftevsecurityjsongroupmemberremovesuccess4729.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # Windows Security event 4729 ("A member was removed from a security-enabled ... group")
  | # delivered as JSON with the original message text in a "raw" field.
  | # Conditions only; the Fields list is not visible in this file — confirm the shared template.
4 | Name = "microsoft-evsecurity-json-group-member-remove-success-4729"
5 | Conditions = [
6 | """Security ID:"""
7 | """Logon ID:"""
8 | """A member was removed from a security-enabled"""
9 | """raw"""
  | # The backslash-escaped quote means this matches the event id inside an escaped,
  | # string-embedded JSON document, not a top-level "event_id":4729 key.
10 | """event_id\":4729"""
11 | """computer_name"""
12 | ]
13 | ParserVersion = "v1.0.0"
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_postgresqlpstrdatabaselogoutsuccessdisconnect.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # PostgreSQL "disconnection:" log lines; extracts the session duration.
4 | Name = postgresql-p-str-database-logout-success-disconnect
5 | Conditions = ["""LOG:""", """ disconnection:""", """ session time:""", """ database=""" ]
6 | Fields = ${postgresqlParser-Template.postgresql-parser-str.Fields}[
  | # session_duration = the text after "session time:" up to the next key= token (e.g. "user=").
7 | """session time:\s*({session_duration}[^=]+?)\s*\w+="""
8 | ]
9 |
10 |
11 | }
12 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_proofpointpepkvappactivitysuccessmod.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # Proofpoint Email Protection filter_instance1 records carrying a "mod=" key.
4 | Name = proofpoint-pep-kv-app-activity-success-mod
5 | ParserVersion = "v1.0.0"
6 | Conditions = [ """filter_instance1[""", """mod=""" ]
7 |
  | # NOTE(review): everything from here to the closing brace is a mangled repeat of the header
  | # ("proofpoint-dlp-log}{" is the tail of another definition and the Conditions array is
  | # never closed). No Fields list is visible for this parser; consult the original file.
8 | proofpoint-dlp-log}{
9 | Name = proofpoint-pep-kv-app-activity-success-mod
10 | ParserVersion = "v1.0.0"
11 | Conditions = [ """filter_instance1[""", """mod="""
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sonicwallswkvalerttriggersuccess2.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # SonicWall key=value syslog with priority 2, treated as a triggered alert.
  | # Conditions only; no Fields are visible here — confirm the shared SonicWall template.
4 | Name = "sonicwall-sw-kv-alert-trigger-success-2"
5 | Conditions = [
6 | """ m="""
  | # "id=" has no leading space, so it also matches inside longer keys (e.g. "sid=");
  | # the other tokens carry the leading space that anchors them to a key boundary.
7 | """id="""
8 | """ fw="""
9 | """ c="""
10 | """ msg=""""
  | # The priority value is the real discriminator between this parser and its siblings.
11 | """ pri=2 """
12 | """ src="""
13 | """ dst="""
14 | ]
15 | ParserVersion = "v1.0.0"
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxikvappnotificationsuccessesxupdate.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # ESXi esxupdate log lines; the INFO/DEBUG message body becomes additional_info.
4 | Name = vmware-esxi-kv-app-notification-success-esxupdate
5 | ParserVersion = v1.0.0
  | # ": " appears in almost every syslog line, so " esxupdate:" is the only effective selector.
6 | Conditions = [ """ esxupdate:""", """: """ ]
7 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
  | # Skips "esxupdate: <number>: ... INFO:" (or "DEBUG:") and captures the rest of the line.
8 | """\sesxupdate:\s\d+:[^\n]+?(INFO|DEBUG):\s+({additional_info}[^\$]+?)\s*$"""
9 | ]
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Zeek/zeek/Ps/pC_zeekzeekstrnetworksessionstatslog.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # Zeek stats.log records; only the timestamp is extracted.
4 | Name = zeek-zeek-str-network-session-statslog
5 | ParserVersion = v1.0.0
6 | Vendor = Zeek
7 | Product = Zeek
8 | TimeFormat = "epoch_sec"
  | # Selects on the log path appearing in the record, not on any field of the record itself.
9 | Conditions = [ """/stats.log""" ]
10 | Fields = [
  | # Zeek ts is "seconds.microseconds"; the six-digit fraction is dropped to fit epoch_sec.
11 | """({time}\d{10})\.\d{6}[\s\t]*"""
12 | # active_dns_requests is removed
13 | ]
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_panngfwcsvnetworktrafficsuccessend.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # Palo Alto CSV TRAFFIC logs with an "allow" action.
4 | Name = pan-ngfw-csv-network-traffic-success-end
5 | ParserVersion = v1.0.0
  | # Nothing visible here checks the "end" subtype the parser name implies; the template may
  | # do so — confirm.
6 | Conditions = [
7 | """,TRAFFIC,""",
8 | """,allow,"""
9 | ]
10 | Fields = ${PaloAltoParsersTemplates.paloalto-firewall.Fields}[
  | # Captures action only when the 11th comma-separated field after "TRAFFIC" is exactly
  | # "incomplete" or "insufficient-data"; other records take whatever the template assigns.
11 | """TRAFFIC,([^,]*,){10}({action}(incomplete|insufficient-data))\s*"""
12 | ]
13 |
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/VMware/vmware_esxi/Ps/pC_vmwareesxistrendpointdeleteremovedvm.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # ESXi FDM (HA agent) "Removed VM" messages; the event name is the literal phrase.
4 | Name = vmware-esxi-str-endpoint-delete-removedvm
5 | ParserVersion = "v1.0.0"
6 | Product = "VMware ESXi"
  | # Both "Fdm:" and "fdm[" are required, so the message must carry the process tag twice
  | # (as in "Fdm: ... fdm[pid]") — confirm against a sample.
7 | Conditions = [ """Fdm:""", """fdm[""", """Removed VM """ ]
8 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
9 | """({event_name}Removed VM)"""
10 | ]
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Zeek/zeek/Ps/pC_zeekzjsonendpointloginrdp.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # Zeek RDP records in JSON, classified as an endpoint login.
4 | Name = "zeek-z-json-endpoint-login-rdp"
5 | Product = "Zeek"
  | # Weak selector: "protocol", "type" and "zeek" are generic; the quoted "rdp" is the only
  | # token specific to this log. Check parser ordering if other JSON feeds share the source.
6 | Conditions = [
7 | """protocol"""
8 | """"rdp""""
9 | """zeek"""
10 | """type"""
11 | ]
12 | ExtractionType = json
13 | ParserVersion = "v1.0.0"
14 |
  | # NOTE(review): truncated Fields list — the "Fields = ${..." prefix and the closing "]" are
  | # missing in this listing. The single visible regex reads the ISO-8601 "ts" value as time.
15 | json-zeek-activity.Fields}[
16 | """"ts":"({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)"""",
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_bitglasscasbcefappscandlpscan.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # Bitglass CASB CEF events with action "DLPScan".
4 | Name = bitglass-casb-cef-app-scan-dlpscan
5 | ParserVersion = v1.0.0
6 | Conditions = [ """ api.bitglass.com """, """"action":"DLPScan"""" ]
7 |
  | # NOTE(review): the lines below belong to a different parser (the ScanTimeout one) and are
  | # spliced in mid-definition; the Conditions array is never closed. No Fields are visible
  | # for the DLPScan parser in this listing.
8 | cef-bitglass-system-info}{
9 | Name = bitglass-casb-cef-app-scan-scantimeout
10 | ParserVersion = v1.0.0
11 | Conditions = [ """ api.bitglass.com """, """"action":"ScanTimeout""""
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_crowdstrikefalconleefdnsrequestsuccessdnsrequests.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # CrowdStrike Falcon LEEF events in the DnsRequests category.
4 | Name = crowdstrike-falcon-leef-dns-request-success-dnsrequests
5 | Conditions = [
6 | """LEEF:"""
7 | """|CrowdStrike|FalconHost|"""
8 | """cat=DnsRequests"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
  | # NOTE(review): truncated Fields list — the "Fields = ${..." prefix and closing "]" are
  | # missing. The visible regex tolerates backslash-escaped quotes around the event_simpleName
  | # value (the event is embedded as a string) and stops at the next quote or backslash.
12 | crowdstrike-auth-activity.Fields} [
13 | """"event_simpleName\\*"+:\\*"+({event_code}[^"\\]+)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Symantec/symantec_email_security/Ps/pC_symantecescstremailspf.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
  | # Symantec Email Security pipe-delimited SPF records.
4 | Name = symantec-esc-str-email-spf
5 | ParserVersion = v1.0.0
6 | Vendor = Symantec
7 | Product = Symantec Email Security
8 | TimeFormat = "epoch_sec"
9 | Conditions = [
10 | """|SPF|"""
11 | ]
  | # No {time} capture is defined here although TimeFormat is set; if the timestamp is not
  | # supplied elsewhere the event will carry no parsed time — confirm.
12 | Fields = [
  | # Inside a character class "$" is a literal dollar sign, so this captures everything after
  | # "|spf=" up to end of line (lazily), stopping early only at a literal "$".
13 | """\|spf=({spf_result}[^$]+?)$"""
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Zeek/zeek/Ps/pC_zeekzjsonhttpsessionfileset.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "zeek-z-json-http-session-fileset"
5 | Product = "Zeek"
6 | Conditions = [
7 | """fileset"""
8 | """"http""""
9 | """type"""
10 | """zeek"""
11 | ]
12 | ExtractionType = json
13 | ParserVersion = "v1.0.0"
14 |
15 | json-zeek-activity.Fields}[
16 | """"ts":"({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)"""",
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_forcepointngfwcefnetworktrafficcatchall.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = forcepoint-ngfw-cef-network-traffic-catchall
5 | ParserVersion = "v1.0.0"
6 | Conditions = [ """CEF:""", """|Forcepoint|Firewall|""", """dvchost=""", """rt=""" ]
7 | Fields = ${DLForcepointParsersTemplates.forcepoint-template.Fields} [
8 | """CEF:\s*\d+\|([^\|]+\|){4}({event_name}[^\|]+)""",
9 | ]
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Badge/badge/Ps/pC_badgebkvphysicallocationaccesssuccesscardadmitted.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = badge-b-kv-physical-location-access-success-cardadmitted
5 | Vendor = Badge
6 | Product = Badge
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
8 | Conditions = [ """ CardAdmitted """]
9 | Fields = [
10 | """({result}CardAdmitted)"""
11 | ]
12 | ParserVersion = "v1.0.0"
13 |
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_security/Ps/pC_ciscoasastrappnotificationsuccesserror.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = cisco-asa-str-app-notification-success-error
5 | ParserVersion = v1.0.0
6 | Product = Cisco Network Security
7 | Conditions = [ """: %ENTROPY-""" ]
8 | Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
9 | """\d+:\d+:\d+\s+({host}[\w\-.]+)\s"""
10 | ]
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_security/Ps/pC_ciscoasastrappnotificationsuccessfetchfail.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = cisco-asa-str-app-notification-success-fetchfail
5 | ParserVersion = v1.0.0
6 | Product = Cisco Network Security
7 | Conditions = [ """: %PKI-""" ]
8 | Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
9 | """\d+:\d+:\d+\s+({host}[\w\-.]+)\s"""
10 | ]
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_slacksjsonapploginsuccessuserlogin.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "slack-s-json-app-login-success-userlogin"
5 | Conditions = [
6 | """"action": "user_login""""
7 | """"date_create":"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 | pam-authentication.Fields}[
12 | """({event_name}LDAP authentication failed)""",
13 | """({failure_reason}The user entered an incorrect password.)""",
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareidmjsonappactivitysuccessuser.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "vmware-idm-json-app-activity-success-user"
5 | Conditions = [
6 | """"objectType"""
7 | """vidm"""
8 | """"organizationId"""
9 | """"User\""""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 | airwatch-app-activity.Fields}[
14 | """Timestamp: ({time}\w+\s\d{1,2}\s\d+:\d+:\d+)"""
15 | """({result}AdminUserLoggedIn)"""
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_bitglasscasbcefappscanmalwarescan.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = bitglass-casb-cef-app-scan-malwarescan
5 | ParserVersion = v1.0.0
6 | Conditions = [ """ api.bitglass.com """, """"action":"AdvMalwareScan"""" ]
7 |
8 | cef-bitglass-system-info}{
9 | Name = bitglass-casb-cef-app-scan-scantimeout
10 | ParserVersion = v1.0.0
11 | Conditions = [ """ api.bitglass.com """, """"action":"ScanTimeout""""
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_bitglasscasbcefappscanscantimeout.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = bitglass-casb-cef-app-scan-scantimeout
5 | ParserVersion = v1.0.0
6 | Conditions = [ """ api.bitglass.com """, """"action":"ScanTimeout"""" ]
7 |
8 | cef-bitglass-system-info}{
9 | Name = bitglass-casb-cef-app-scan-scantimeout
10 | ParserVersion = v1.0.0
11 | Conditions = [ """ api.bitglass.com """, """"action":"ScanTimeout""""
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Zeek/zeek/Ps/pC_zeekzjsonemailsendsuccesssmtp.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = zeek-z-json-email-send-success-smtp
5 | Product = "Zeek"
6 | Conditions = [
7 | """protocol"""
8 | """"smtp""""
9 | """"zeek""""
10 | """type"""
11 | ]
12 | ExtractionType = json
13 | ParserVersion = "v1.0.0"
14 |
15 | json-zeek-activity.Fields}[
16 | """"ts":"({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)"""",
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_pangpcsvvpnloginfailloginfailure.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = pan-gp-csv-vpn-login-fail-loginfailure
5 | ParserVersion = v1.0.0
6 | Conditions = [
7 | """,GLOBALPROTECT,""",
8 | """,login,""",
9 | """,failure,"""
10 | ]
11 | Fields = ${PaloAltoParsersTemplates.raw-pan-vpn-event.Fields}[
12 | """,({failure_reason}[^,]+),(|"[^"]*?"),failure,([^,]*?,)(|({failure_code}\d+)),"""
13 | ]
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_pangpcsvvpnloginsuccessconnected.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = pan-gp-csv-vpn-login-success-connected
5 | ParserVersion = v1.0.0
6 | Conditions = [
7 | """,GLOBALPROTECT,""",
8 | """,connected,""",
9 | """,success,"""
10 | ]
11 | Fields = ${PaloAltoParsersTemplates.raw-pan-vpn-event.Fields}[
12 | """,({app}GLOBALPROTECT),""",
13 | """({result}success|Success|SUCCESS)"""
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_postgresqlpstrdatabaseloginfailpassworddoesnotmatch.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = postgresql-p-str-database-login-fail-password-doesnotmatch
5 | Conditions = ["""DETAIL:""",""" Password does not match for user""" ]
6 | Fields = ${postgresqlParser-Template.postgresql-parser-str-1.Fields}[
7 | """({failure_reason}Password does not match) for user\s*"({user}[\w\.\-\!\#\^\~]{1,40}\$?)""""
8 | ]
9 |
10 |
11 | }
12 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_postgresqlpstrdatabaseloginfailroledoesnt_exist.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = postgresql-p-str-database-login-fail-role-doesnt_exist
5 | Conditions = ["""DETAIL:""", """ Role""", """ does not exist""" ]
6 | Fields = ${postgresqlParser-Template.postgresql-parser-str.Fields}[
7 | """Role\s*(\\*"*)({user}[\w\.\-\!\#\^\~]{1,40}\$?)"""
8 | """({failure_reason}Role\s*.+?does not exist)"""
9 | ]
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_slacksjsonappactivitysuccessfileshared.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "slack-s-json-app-activity-success-fileshared"
5 | Conditions = [
6 | """"action": "file_shared""""
7 | """"date_create":"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 | pam-authentication.Fields}[
12 | """({event_name}LDAP authentication failed)""",
13 | """({failure_reason}The user entered an incorrect password.)""",
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_slacksjsonappactivitysuccessuserlogout.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "slack-s-json-app-activity-success-userlogout"
5 | Conditions = [
6 | """"action": "user_logout""""
7 | """"date_create":"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 | pam-authentication.Fields}[
12 | """({event_name}LDAP authentication failed)""",
13 | """({failure_reason}The user entered an incorrect password.)""",
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Zeek/zeek/Ps/pC_zeekzjsondnsrequestsuccessdnsrequest.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = zeek-z-json-dns-request-success-dnsrequest
5 | Product = Zeek
6 | Conditions = [
7 | """query":"""
8 | """"id.resp_h":"""
9 | """"id.resp_p":"""
10 | ]
11 | ExtractionType = json
12 | ParserVersion = "v1.0.0"
13 |
14 | json-zeek-activity.Fields}[
15 | """"ts":"({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)"""",
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_slacksjsonfileuploadsuccessfileuploaded.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "slack-s-json-file-upload-success-fileuploaded"
5 | Conditions = [
6 | """"action": "file_uploaded""""
7 | """"date_create":"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 | pam-authentication.Fields}[
12 | """({event_name}LDAP authentication failed)""",
13 | """({failure_reason}The user entered an incorrect password.)""",
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_barracudawafstrhttprequestsuccessvalid.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = barracuda-waf-str-http-request-success-valid
5 | ParserVersion = v1.0.0
6 | Conditions = [ """SERVER""", """DEFAULT""", """PROTECTED""" ]
7 |
8 | barracuda-web-activity}{
9 | Name = barracuda-waf-str-http-request-success-profiledvalid
10 | ParserVersion = v1.0.0
11 | Conditions = [ """SERVER""", """PROFILED""", """PROTECTED""", """VALID"""
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_rsaramstrconfigurationroutingmodifysuccesssystemconfig.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = rsa-ram-str-configuration-routing-modify-success-systemconfig
5 | Conditions = [ """ SINGLEPOINT """, """ SYSTEM_CONFIG_ROUTE """ ]
6 | Fields = ${DLRSAParserTemplate.rsa-system-events.Fields}[
7 | """RULE="({rule}[^"]+)"""",
8 | """\]\s+({additional_info}[^"]+?)\.*\s*$"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_email_security/Ps/pC_ciscoiecsvemailoutcome.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = cisco-ie-csv-email-outcome
5 | ParserVersion = v1.0.0
6 | Vendor = Cisco
7 | Product = Cisco Email Security
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """ Message done""", """ MID """, """RID""" ]
10 | Fields = [
11 | """({result}done)""",
12 | """MID ({alert_id}\d+)"""
13 | ]
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_barracudawafstrhttprequestsuccessinternalpassive.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = barracuda-waf-str-http-request-success-internalpassive
5 | ParserVersion = v1.0.0
6 | Conditions = [ """INTERNAL""", """PASSIVE""" ]
7 |
8 | barracuda-web-activity}{
9 | Name = barracuda-waf-str-http-request-success-profiledvalid
10 | ParserVersion = v1.0.0
11 | Conditions = [ """SERVER""", """PROFILED""", """PROTECTED""", """VALID"""
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_bitglasscasbsk4appactivitysuccessonedrive.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = bitglass-casb-sk4-app-activity-success-onedrive
5 | ParserVersion = v1.0.0
6 | Conditions = [ """ api.bitglass.com """, """"filename":""", """"owner":""" ]
7 |
8 | cef-bitglass-system-info}{
9 | Name = bitglass-casb-cef-app-scan-scantimeout
10 | ParserVersion = v1.0.0
11 | Conditions = [ """ api.bitglass.com """, """"action":"ScanTimeout""""
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_junipersrxkvnetworktrafficfailactiondeny.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = juniper-srx-kv-network-traffic-fail-actiondeny
5 | ParserVersion = v1.0.0
6 | Conditions = [
7 | """NetScreen"""
8 | """ start_time=""""
9 | """ src zone="""
10 | """ action=Deny"""
11 | ]
12 | Fields = ${JuniperParsersTemplates.juniper-firewall-network-traffic.Fields} [
13 | """\Wreason=({failure_reason}.+?)\s*(\w+=|$)""",
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_slacksjsonappactivitysuccessuserchanneljoin.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "slack-s-json-app-activity-success-userchanneljoin"
5 | Conditions = [
6 | """"action": "user_channel_join""""
7 | """"date_create":"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 | pam-authentication.Fields}[
12 | """({event_name}LDAP authentication failed)""",
13 | """({failure_reason}The user entered an incorrect password.)""",
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_slacksjsonappactivitysuccessuserdeactivated.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "slack-s-json-app-activity-success-userdeactivated"
5 | Conditions = [
6 | """"action": "user_deactivated""""
7 | """"date_create":"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 | pam-authentication.Fields}[
12 | """({event_name}LDAP authentication failed)""",
13 | """({failure_reason}The user entered an incorrect password.)""",
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_slacksjsonfiledownloadsuccessfiledownloaded.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "slack-s-json-file-download-success-filedownloaded"
5 | Conditions = [
6 | """"action": "file_downloaded""""
7 | """"date_create":"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 | pam-authentication.Fields}[
12 | """({event_name}LDAP authentication failed)""",
13 | """({failure_reason}The user entered an incorrect password.)""",
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_stealthbitsskvusermodifyobjectmodified.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = stealthbits-s-kv-user-modify-objectmodified
5 | ParserVersion = "v1.0.0"
6 | Conditions = [ """StealthINTERCEPT""", """Object Modified""", """ObjectClass="user"""", """ SuccessfulChange="""" ]
7 | Fields = ${StealthBitsParsersTempletes.stealthintercept-ad-events.Fields} [
8 | """\sDistinguishedName =\"({user_ou}[^\"]+)\""""
9 | ]
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/VMware/vmware_esxi/Ps/pC_vmwareesxistrappactivityvsansystem.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = vmware-esxi-str-app-activity-vsansystem
5 | ParserVersion = v1.0.0
6 | Product = VMware ESXi
7 | Conditions = [ """ vsansystem:""", """ vsansystem[""", """ [vSAN@6876""" ]
8 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
9 | """({event_name}Invalid soap session cookie id|ObjLibPluginInit)"""
10 | ]
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_bitglasscasbsk4appactivitysuccesscatchall.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = bitglass-casb-sk4-app-activity-success-catchall
5 | ParserVersion = v1.0.0
6 | Conditions = [ """ api.bitglass.com """, """"activity":"""",""""action":"""" ]
7 |
8 | cef-bitglass-system-info}{
9 | Name = bitglass-casb-cef-app-scan-scantimeout
10 | ParserVersion = v1.0.0
11 | Conditions = [ """ api.bitglass.com """, """"action":"ScanTimeout""""
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_impervasecurespherecefdatabasealertsuccesssecurity.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = imperva-securesphere-cef-database-alert-success-security
5 | ParserVersion = "v1.0.0"
6 | Conditions = [ """CEF""", """|cat=Security""" , """|EventId=""" , """|Policy=""", """|EventType="""]
7 | Fields = ${ImpervaParsersTemplates.securesphere-db-activity.Fields}[
8 | """EventType=({alert_name}({alert_type}[^\|]+))"""
9 | ]
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_slacksjsonappactivitysuccesscustomtosaccepted.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "slack-s-json-app-activity-success-customtosaccepted"
5 | Conditions = [
6 | """"action": "custom_tos_accepted""""
7 | """"date_create":"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 | pam-authentication.Fields}[
12 | """({event_name}LDAP authentication failed)""",
13 | """({failure_reason}The user entered an incorrect password.)""",
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_slacksjsonappactivitysuccessuserchannelleave.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "slack-s-json-app-activity-success-userchannelleave"
5 | Conditions = [
6 | """"action": "user_channel_leave""""
7 | """"date_create":"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 | pam-authentication.Fields}[
12 | """({event_name}LDAP authentication failed)""",
13 | """({failure_reason}The user entered an incorrect password.)""",
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Zeek/zeek/Ps/pC_zeekzjsondnsresponsesuccessdnsred.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = zeek-z-json-dns-response-success-dnsred
5 | Product = Zeek
6 | Conditions = [
7 | """"id.orig_h"""
8 | """"id.resp_h"""
9 | """"_path":"dns_red""""
10 | """"query":""""
11 | ]
12 | ExtractionType = json
13 | ParserVersion = "v1.0.0"
14 |
15 | json-zeek-activity.Fields}[
16 | """"ts":"({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)"""",
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_infrastructure_and_management/Ps/pC_ciscoasastrappnotificationsuccesspdt.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = cisco-asa-str-app-notification-success-pdt
5 | ParserVersion = v1.0.0
6 | Product = Cisco Network Infrastructure and Management
7 | Conditions = [ """: %ILPOWER-""" ]
8 | Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
9 | """\d+:\d+:\d+\s+({host}[\w\-.]+)"""
10 | ]
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Dell/sonicwall/Ps/pC_dellswkvvpnloginfailsslvpn.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "dell-sw-kv-vpn-login-fail-sslvpn"
5 | Product = "Sonicwall"
6 | Conditions = [
7 | """msg="User login failed"""
8 | """SSLVPN:"""
9 | """id=sslvpn"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 | sonicwall-firewall.Fields} [
14 | """Category="({category}[^"]+)""",
15 | """dstname=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|({web_domain}[^"\/\s]+))"""
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/F5/f5_access_policy_manager/Ps/pC_f5apmstrvpnsuccesssessiondeleted.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = f5-apm-str-vpn-success-sessiondeleted
5 | Vendor = F5
6 | Product = F5 Access Policy Manager
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
8 | Conditions = [ """/Common/""", """:Common:""", """Session deleted""" ]
9 | Fields = [
10 | """:Common:({session_id}[^\s:]+): Session deleted""",
11 | ]
12 | ParserVersion = "v1.0.0"
13 |
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_barracudawafstrhttprequestsuccesspassivevalid.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Barracuda WAF access-log parser, "passive" mode.
# NOTE(review): two parser definitions are collapsed into one block here. The
# fragment "barracuda-web-activity}{" is the tail of a "Fields = ${<template>."
# reference immediately followed by the opening brace of the next parser; the
# first parser's field list and the second parser's closing "]" are missing.
# Do not deploy from this page.
Name = barracuda-waf-str-http-request-success-passivevalid
ParserVersion = v1.0.0
# Routing keys on bare words ("SERVER", "PASSIVE"); only " PROFILED" carries a
# leading space to avoid matching inside a longer token.
Conditions = [ """SERVER""", """ PROFILED""", """PASSIVE""" ]

barracuda-web-activity}{
Name = barracuda-waf-str-http-request-success-profiledvalid
ParserVersion = v1.0.0
Conditions = [ """SERVER""", """PROFILED""", """PROTECTED""", """VALID"""
}
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_egnyteecefappactivitysuccesscreate.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Egnyte "Create" app-activity parser (CEF-wrapped JSON).
# NOTE(review): the tail of this listing belongs to a different parser. The
# line "pam-authentication.Fields}[" has lost its "Fields = ${<template>."
# prefix, the two extractions under it are LDAP/PAM failure strings that cannot
# occur in an Egnyte "Create" event, and the list is never closed. The Egnyte
# field extractions are not recoverable from this page.
Name = "egnyte-e-cef-app-activity-success-create"
Conditions = [
""""action":"Create""""
"""destinationServiceName =Egnyte"""
""""subject":""""
]
ParserVersion = "v1.0.0"

pam-authentication.Fields}[
"""({event_name}LDAP authentication failed)""",
"""({failure_reason}The user entered an incorrect password.)""",

}
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_engyteecefappactivitysuccessupdate.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Egnyte "Update" app-activity parser (CEF-wrapped JSON).
# NOTE(review): Name (and the file name) spell the vendor "engyte"; the
# conditions say Egnyte. Renaming is an interface change, so it is only flagged.
# NOTE(review): the tail of this listing is from another parser — the
# "pam-authentication.Fields}[" line lost its "Fields = ${<template>." prefix,
# the LDAP/PAM strings below it cannot occur in an Egnyte "Update" event, and
# the list is never closed. Take the real definition from the repository.
Name = "engyte-e-cef-app-activity-success-update"
Conditions = [
""""action":"Update""""
"""destinationServiceName =Egnyte"""
""""subject":""""
]
ParserVersion = "v1.0.0"

pam-authentication.Fields}[
"""({event_name}LDAP authentication failed)""",
"""({failure_reason}The user entered an incorrect password.)""",

}
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_postgresqlpstrdatabaseloginsuccessauthenticated.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
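{
# PostgreSQL server-log parser for the "connection authenticated" line that
# log_connections emits once a client has passed authentication.
Name = postgresql-p-str-database-login-success-authenticated

# Routing substrings. The leading spaces on the last two keep the parser from
# firing on unrelated lines that merely contain "method=".
Conditions = [
  """LOG:"""
  """ connection authenticated:"""
  """ method="""
]

Fields = ${postgresqlParser-Template.postgresql-parser-str.Fields} [
  # PostgreSQL (14+) emits this line as
  #   connection authenticated: identity="<user>" method=<method> (<hba file>:<line>)
  # with the identity double-quoted. The previous pattern allowed only
  # whitespace between "identity=" and the name, so {user} could never be
  # taken from the quoted form. The optional quote accepts both the quoted and
  # the bare form; what is captured is unchanged. Confirm with a sample line.
  """identity=\s*"?({user}[\w\.\-\!\#\^\~]{1,40}\$?)"""
  # Authentication method (trust / peer / scram-sha-256 / ...). Keep it as a
  # field: alerting on unexpectedly weak methods depends on it.
  """method=({method}[^\s]+)"""
  # Database name from the log-line prefix, up to the next comma.
  """db=({db_name}[^,]+)"""
]
}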
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_stealthbitsskvendpointmodifyobjectmodified.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# StealthINTERCEPT (key=value) parser: "Object Modified" events whose target is
# an AD computer object.
Name          = "stealthbits-s-kv-endpoint-modify-objectmodified"
ParserVersion = "v1.0.0"

Conditions = [
  """StealthINTERCEPT"""
  """Object Modified"""
  """ObjectClass="computer""""
  """ SuccessfulChange=""""
]

# Shared StealthINTERCEPT AD extractions plus the modified object's full
# DistinguishedName. NOTE(review): the capture is the whole DN of a computer
# object but lands in {user_ou}; unless the template re-derives the OU from
# it, consumers of user_ou will see "CN=<host>,OU=...,DC=..." for these events.
Fields = ${StealthBitsParsersTempletes.stealthintercept-ad-events.Fields} [
  """\sDistinguishedName =\"({user_ou}[^\"]+)\""""
]
}
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_stealthbitsskvgroupmodifyobjectmodified.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# StealthINTERCEPT (key=value) parser: "Object Modified" events whose target is
# an AD group object.
Name          = "stealthbits-s-kv-group-modify-objectmodified"
ParserVersion = "v1.0.0"

Conditions = [
  """StealthINTERCEPT"""
  """Object Modified"""
  """ObjectClass="group""""
  """ SuccessfulChange=""""
]

# Shared StealthINTERCEPT AD extractions plus the group's container, taken as
# everything after the leading "CN=<group>," of the DistinguishedName.
# NOTE(review): {group_ou} must start with the literal "OU", so groups that
# live in a CN container (e.g. "CN=Domain Admins,CN=Users,DC=...") will not
# populate group_ou at all — watch for that gap in group-change detections.
Fields = ${StealthBitsParsersTempletes.stealthintercept-ad-events.Fields} [
  """\sDistinguishedName ="CN=.+?,({group_ou}OU.+?DC=.+?)""""
]
}
13 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixkvendpointactivitysuccessauditid.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Generic Unix syslog "audit:" lines carrying an "[ID ...]" tag.
Name          = "unix-unix-kv-endpoint-activity-success-auditid"
ParserVersion = "v1.0.0"
Vendor        = "Unix"
Product       = "Unix"
TimeFormat    = "yyyy-MM-dd HH:mm:ss"

# Both substrings are required; the leading spaces keep them from matching
# inside longer tokens.
Conditions = [
  """ audit:"""
  """ [ID"""
]

Fields = [
  # Host is the token between the hh:mm:ss[.fraction] timestamp and " audit:".
  # The host group is optional, so a line with nothing between them still parses.
  """\d\d:\d\d:\d\d(\.\S+)? ({host}\S+)? audit:"""
  # Everything after "audit:" to end of line, surrounding whitespace trimmed.
  """\saudit:\s*({additional_info}.+?)\s*$"""
]
}
17 | ```
--------------------------------------------------------------------------------
/DS/Zeek/zeek/Ps/pC_zeekzjsonshareaccesssuccesssharetype.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Zeek JSON (smb_mapping-style) share-access parser.
# NOTE(review): the listing is truncated — "json-zeek-activity.Fields}[" has
# lost its "Fields = ${<template>." prefix and the list is never closed. Only
# the timestamp extraction survives; share/path/user extractions presumably
# come from the template but cannot be confirmed from this page.
Name = "zeek-z-json-share-access-success-sharetype"
Product = "Zeek"
Conditions = [
""""id.orig_h""""
""""id.resp_h""""
""""share_type""""
""""path""""
]
ExtractionType = json
ParserVersion = "v1.0.0"

json-zeek-activity.Fields}[
""""ts":"({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)"""",

}
19 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_email_security/Ps/pC_ciscoiestrappnotificationmaillogs.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Cisco Email Security (ESA) mail_logs "Info:" lines that carry a DCID.
Name          = "cisco-ie-str-app-notification-maillogs"
ParserVersion = "v1.0.0"
Vendor        = "Cisco"
Product       = "Cisco Email Security"
TimeFormat    = "yyyy-MM-dd HH:mm:ss"

Conditions = [
  """ mail_logs"""
  """ Info: """
  """ DCID """
]

# The whole message after ": Info: " becomes event_name (trailing whitespace
# trimmed). The greedy ".*" spans to the last ": Info:" on the line if there
# is more than one.
Fields = [
  """\d\d:\d\d:\d\d mail_logs.*: Info: ({event_name}[^\n]+?)\s*$"""
]
}
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_barracudawafstrhttprequestsuccessprotectedvalid.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Barracuda WAF access-log parser, "protected / valid" internal requests.
# NOTE(review): two parsers are collapsed into this block. The fragment
# "barracuda-web-activity}{" is the tail of a "Fields = ${<template>."
# reference followed by the next parser's opening brace; the first parser's
# field list and the second parser's closing "]" are missing.
Name = barracuda-waf-str-http-request-success-protectedvalid
ParserVersion = v1.0.0
# " PROTECTED" keeps its leading space so it does not also match "UNPROTECTED";
# "VALID" has no such guard and would also be satisfied by "INVALID".
Conditions = [ """INTERNAL""", """ PROTECTED""", """VALID""" ]

barracuda-web-activity}{
Name = barracuda-waf-str-http-request-success-profiledvalid
ParserVersion = v1.0.0
Conditions = [ """SERVER""", """PROFILED""", """PROTECTED""", """VALID"""
}
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftevsecurityjsonfilesuccessobjectopen.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Windows Security event 560 ("Object Open") parser.
# NOTE(review): the field section does not belong to this parser — the line
# "cef-sysmon-file-write.Fields} [" lost its "Fields = ${<template>." prefix,
# the two extractions under it pull Sysmon-style registry fields from CEF
# cs1/cs2, and the list is never closed. The real object-open extractions
# (object name, accessing account, access mask) are not recoverable here.
Name = "microsoft-evsecurity-json-file-success-objectopen"
Conditions = [
"""EventCode=560"""
"""Message=Object Open"""
]
ParserVersion = "v1.0.0"

cef-sysmon-file-write.Fields} [
"""cs2=({registry_value}[^=]+)\s+\w+="""
"""cs1=({registry_path}[^=]*?\\+({registry_key}[^=\\\/]+?)\\+({registry_value}[^\\=]+))\s\w+="""

}
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_slacksjsonappactivitysuccesspublicchannelcreated.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Slack audit-log parser: public channel created.
# NOTE(review): the tail of this listing is from an unrelated PAM/LDAP parser
# ("pam-authentication.Fields}[" lost its "Fields = ${<template>." prefix and
# the list is never closed). The LDAP failure strings below cannot occur in a
# Slack channel-creation event; the Slack extractions are not on this page.
Name = "slack-s-json-app-activity-success-publicchannelcreated"
Conditions = [
""""action": "public_channel_created""""
""""date_create":"""
]
ParserVersion = "v1.0.0"

pam-authentication.Fields}[
"""({event_name}LDAP authentication failed)""",
"""({failure_reason}The user entered an incorrect password.)""",

}
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_stealthbitsskvappactivityactivedirectory.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# StealthINTERCEPT (key=value) catch-all for successful Active Directory
# changes of any object class.
Name          = "stealthbits-s-kv-app-activity-activedirectory"
ParserVersion = "v1.0.0"

# NOTE(review): these conditions are a superset of the computer- and
# group-specific StealthINTERCEPT parsers on this page ("ObjectClass=\"" matches
# any class). Which parser wins for a given event is decided by the platform's
# precedence rules, not by anything visible here.
Conditions = [
  """StealthINTERCEPT"""
  """Event_Source="Active Directory""""
  """ObjectClass=""""
  """ SuccessfulChange=""""
]

# Shared StealthINTERCEPT AD extractions plus the full DistinguishedName of
# the changed object, stored under {user_ou}.
Fields = ${StealthBitsParsersTempletes.stealthintercept-ad-events.Fields} [
  """\sDistinguishedName =\"({user_ou}[^\"]+)\""""
]
}
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_barracudawafstrhttprequestsuccessunproctectedvalid.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Barracuda WAF access-log parser, "unprotected" server requests.
# NOTE(review): Name (and the file name) spell it "unproctected"; renaming is
# an interface change and is only flagged here.
# NOTE(review): two parsers are collapsed into this block — the fragment
# "barracuda-web-activity}{" is the tail of a "Fields = ${<template>."
# reference followed by the next parser's opening brace; the first parser's
# field list and the second parser's closing "]" are missing.
Name = barracuda-waf-str-http-request-success-unproctectedvalid
ParserVersion = v1.0.0
Conditions = [ """SERVER""", """DEFAULT""", """UNPROTECTED""" ]

barracuda-web-activity}{
Name = barracuda-waf-str-http-request-success-profiledvalid
ParserVersion = v1.0.0
Conditions = [ """SERVER""", """PROFILED""", """PROTECTED""", """VALID"""
}
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsofto365cefapploginsuccessuser.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Microsoft 365 / Azure AD "UserLoggedIn" parser (CEF-wrapped JSON).
# NOTE(review): the listing is truncated — "cef-azure-app-activity-2.Fields}["
# lost its "Fields = ${<template>." prefix and the list is never closed. Only
# the device-name extraction survives; user, ClientIP and result handling are
# presumably in the template but cannot be confirmed from this page.
Name = "microsoft-o365-cef-app-login-success-user"
Conditions = [
""""Workload":"""
""""AzureActiveDirectoryEventType":"""
""""Operation":"""
""""UserLoggedIn""""
""""ResultStatus":"""
""""ClientIP":"""
]
ParserVersion = "v1.0.0"

# src_host is read from free-text "description" ("... device <name>"), stopping
# at the next quote or "<".
cef-azure-app-activity-2.Fields}[
"""\"description\":\"[^\"]*?device ({src_host}[^\"<]+)"""

}
19 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_slacksjsonappactivitysuccessprivatechannelcreated.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Slack audit-log parser: private channel created.
# NOTE(review): the tail of this listing is from an unrelated PAM/LDAP parser
# ("pam-authentication.Fields}[" lost its "Fields = ${<template>." prefix and
# the list is never closed). The LDAP failure strings below cannot occur in a
# Slack channel-creation event; the Slack extractions are not on this page.
Name = "slack-s-json-app-activity-success-privatechannelcreated"
Conditions = [
""""action": "private_channel_created""""
""""date_create":"""
]
ParserVersion = "v1.0.0"

pam-authentication.Fields}[
"""({event_name}LDAP authentication failed)""",
"""({failure_reason}The user entered an incorrect password.)""",

}
16 | ```
--------------------------------------------------------------------------------
/DS/HP/hpe_comware/Ps/pC_hpcomwarestrappnotificationlink.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# HPE Comware LINK_UPDOWN (interface up/down) notifications.
Name          = "hp-comware-str-app-notification-link"
ParserVersion = "v1.0.0"
Vendor        = "HP"
Product       = "HPE Comware"
TimeFormat    = "MMM dd HH:mm:ss yyyy"

Conditions = [
  """LINK_UPDOWN"""
]

Fields = [
  # The link-status text is matched but deliberately not named (the
  # link_status field was removed); the pattern is kept so the line is still
  # recognised. Remove it together with this comment if no longer wanted.
  """link\sstatus\sis\s([^.]+)"""
  # "Mon dd hh:mm:ss yyyy" timestamp, matching TimeFormat above.
  """({time}\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)"""
]
}
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_barracudawafstrhttprequestsuccessprofiledvalid.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Barracuda WAF access-log parser, "profiled / protected / valid" requests.
# NOTE(review): the same parser is listed twice here, collapsed into one block;
# the fragment "barracuda-web-activity}{" is the tail of a "Fields =
# ${<template>." reference followed by the duplicate's opening brace, and the
# field list and final "]" are missing.
# NOTE(review): "PROTECTED" and "VALID" have no delimiters, so they are also
# satisfied by "UNPROTECTED" and "INVALID". Sibling parsers on this page use
# leading-space forms (" PROTECTED", " PASSIVE") for exactly that reason; if
# Conditions are substring tests, unprotected/invalid requests can be routed
# to this "success" parser.
Name = barracuda-waf-str-http-request-success-profiledvalid
ParserVersion = v1.0.0
Conditions = [ """SERVER""", """PROFILED""", """PROTECTED""", """VALID""" ]

barracuda-web-activity}{
Name = barracuda-waf-str-http-request-success-profiledvalid
ParserVersion = v1.0.0
Conditions = [ """SERVER""", """PROFILED""", """PROTECTED""", """VALID"""
}
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsofto365cefuserpasswordmodifysuccesschangeuserpassword.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Microsoft 365 / Azure AD "Change user password" parser (CEF-wrapped JSON).
# NOTE(review): the listing is truncated — "cef-azure-app-activity-2.Fields}["
# lost its "Fields = ${<template>." prefix and the list is never closed.
# NOTE(review): the conditions require a "ResultStatus" key but do not pin its
# value, so a failed password change also satisfies them. If the template does
# not map ResultStatus onto the event outcome, failed attempts will surface
# under this "-success-" parser.
Name = "microsoft-o365-cef-user-password-modify-success-changeuserpassword"
Conditions = [
""""AzureActiveDirectoryEventType":"""
""""Operation":"Change user password"""
""""ResultStatus":"""
]
ParserVersion = "v1.0.0"

cef-azure-app-activity-2.Fields}[
"""\"description\":\"[^\"]*?device ({src_host}[^\"<]+)"""

}
16 | ```
--------------------------------------------------------------------------------
/DS/Accellion/kiteworks/Ps/pC_accellionkwkvappactivitysuccessuserdeleted.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Accellion Kiteworks "User deleted" activity parser.
# NOTE(review): the field section is from the Kiteworks *download* parser —
# "q-kiteworks-file-activity.Fields}[" lost its "Fields = ${<template>."
# prefix, the single extraction hard-codes access=Downloaded and a file path,
# neither of which exists in a user-deletion event, and the list is never
# closed. The real extractions (deleted user, actor) are not on this page.
Name = accellion-kw-kv-app-activity-success-userdeleted
Product = Kiteworks
Conditions = [
"""User deleted"""
"""Activity:"""
]
ParserVersion = "v1.0.0"

q-kiteworks-file-activity.Fields}[
"""({access}Downloaded) file ({file_path}({file_dir}.*?[\\\/]+)?({file_name}[^\\\/]+?(\.({file_ext}[^\.]+))?))\.\s+File:\s"""

}
16 | ```
--------------------------------------------------------------------------------
/DS/Accellion/kiteworks/Ps/pC_accellionkwkvfileuploadsuccessuploadedfile1.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Accellion Kiteworks "Uploaded file" parser.
# NOTE(review): the field section is from the *download* parser —
# "q-kiteworks-file-activity.Fields}[" lost its "Fields = ${<template>."
# prefix and the list is never closed. Were the extraction below real, every
# upload would be labelled access=Downloaded, inverting the direction that
# exfiltration/DLP rules key on. Take the definition from the repository.
Name = "accellion-kw-kv-file-upload-success-uploadedfile1"
Product = "Kiteworks"
Conditions = [
"""Uploaded file"""
"""Activity:"""
]
ParserVersion = "v1.0.0"

q-kiteworks-file-activity.Fields}[
"""({access}Downloaded) file ({file_path}({file_dir}.*?[\\\/]+)?({file_name}[^\\\/]+?(\.({file_ext}[^\.]+))?))\.\s+File:\s"""

}
16 | ```
--------------------------------------------------------------------------------
/DS/Dell/sonicwall/Ps/pC_dellswkvvpnloginfail140.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# SonicWall VPN authentication-failure parser (message id 140, key=value).
# NOTE(review): the listing is not valid as written — the line beginning
# "sonicwall-firewall.Fields} [" has lost its "Fields = ${<template>." prefix
# and the field list is never closed. The two extractions that survive are
# generic firewall fields; the user/source extractions are not on this page.
Name = "dell-sw-kv-vpn-login-fail-140"
Product = "Sonicwall"
# " m=140 " is padded with spaces so it cannot match inside m=1400 etc.
Conditions = [
""" m=140 """
"""id="""
""" usr="""
""" fw="""
"""Authentication failure"""
]
ParserVersion = "v1.0.0"

sonicwall-firewall.Fields} [
"""Category="({category}[^"]+)""",
"""dstname=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|({web_domain}[^"\/\s]+))"""

}
20 | ```
--------------------------------------------------------------------------------
/DS/Dell/sonicwall/Ps/pC_sonicwallswkvvpnlogoutsuccesssslvpn.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# SonicWall SSL-VPN logout parser (key=value syslog).
# NOTE(review): the listing is not valid as written — the line beginning
# "sonicwall-firewall.Fields} [" has lost its "Fields = ${<template>." prefix
# and the field list is never closed. Only generic firewall fields survive.
Name = "sonicwall-sw-kv-vpn-logout-success-sslvpn"
Product = "Sonicwall"
Conditions = [
"""msg="User logged out"""
"""SSLVPN:"""
"""id=sslvpn"""
]
ParserVersion = "v1.0.0"

sonicwall-firewall.Fields} [
"""Category="({category}[^"]+)""",
"""dstname=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|({web_domain}[^"\/\s]+))"""

}
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_egnyteegnytesk4appactivitysuccessaddedtogroup.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Egnyte "Added to group" app-activity parser.
# NOTE(review): the tail of this listing belongs to a PAM/LDAP parser —
# "pam-authentication.Fields}[" lost its "Fields = ${<template>." prefix, the
# LDAP failure strings below cannot occur in an Egnyte group-membership event,
# and the list is never closed. The Egnyte extractions are not on this page.
Name = "egnyte-egnyte-sk4-app-activity-success-addedtogroup"
Conditions = [
""""action":"""
"""destinationServiceName =Egnyte"""
""":"Added to group"""
]
ParserVersion = "v1.0.0"

pam-authentication.Fields}[
"""({event_name}LDAP authentication failed)""",
"""({failure_reason}The user entered an incorrect password.)""",

}
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sentinelonevcefappactivitysuccessusercreatedrole.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# SentinelOne management-console CEF audit event: "User created role".
Name          = "sentinelone-v-cef-app-activity-success-usercreatedrole"
ParserVersion = "v1.0.0"

# The CEF header must name the SentinelOne Mgmt product and this exact event.
Conditions = [
  """CEF:"""
  """|SentinelOne|Mgmt|"""
  """|User created role|"""
  """activityType="""
  """notificationScope="""
]

# Shared SentinelOne app-event extractions; operation is fixed by the
# condition above, so it is captured as a constant.
Fields = ${SentinelOneParsersTemplates.sentinelone-vigilance-app-events.Fields} [
  """({operation}User created role)"""
]
}
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_unixunixauditdstrendpointloginsuccessauthenticated.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# auditd-derived syslog line reporting a password-less authentication
# ("Authenticated without password"). Classified as a login success; worth a
# dedicated detection rule where password-less auth is not expected.
Name          = "unix-unixauditd-str-endpoint-login-success-authenticated"
ParserVersion = "v1.0.0"

Conditions = [
  """- USER"""
  """Authenticated without password"""
]

Fields = ${UnixParsersTemplates.unixauditd-str-template.Fields} [
  # Constant event name, fixed by the condition.
  """({event_name}Authenticated without password)"""
  # "<process>[<pid>]: " syslog tag.
  """\s+({process_name}\S+)\[({process_id}\d+)\]\:\s+"""
]
}
14 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstruserpasswordmodifysuccesschangepasswd.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Unix syslog line "… <host> passwd: changed password for '<account>'".
Name          = "unix-unix-str-user-password-modify-success-changepasswd"
ParserVersion = "v1.0.0"
Vendor        = "Unix"
Product       = "Unix"
TimeFormat    = "yyyy-MM-dd HH:mm:ss"

# NOTE(review): "passwd:" must appear verbatim; a tag with a PID ("passwd[1234]:")
# satisfies neither the condition nor the host pattern below — confirm the
# emitting systems log it without a PID.
Conditions = [
  """changed password for"""
  """passwd:"""
]

Fields = [
  # Host is the token immediately before "passwd:".
  """({host}[\w.\-]+)\s+passwd:"""
  # Target account, single-quoted in the message.
  """changed password for '({account}[^']+)'"""
]
}
20 | ```
--------------------------------------------------------------------------------
/DS/VMware/vmware_esxi/Ps/pC_vmwareesxistrappactivityhostd1.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
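{
# VMware ESXi hostd syslog lines: "<ISO-8601 time> <host> Hostd: <message>".
Name          = vmware-esxi-str-app-activity-hostd-1
Vendor        = VMware
Product       = VMware ESXi
ParserVersion = v1.0.0
# NOTE(review): the {time} pattern below requires a literal trailing "Z", but
# the format's final "Z" token is the RFC-822 numeric-offset style in Java's
# SimpleDateFormat, which accepts "+0000" rather than "Z"; if the platform's
# time parser follows those semantics, the ISO-8601 token "X" is the matching
# one. Confirm against a real event before relying on {time}.
TimeFormat    = "yyyy-MM-dd'T'HH:mm:ss.SSSZ"

Conditions = [ """Hostd: """ ]

Fields = [
  # Timestamp and the host that follows it. The fraction separator is now an
  # escaped dot: the original "." was an unescaped wildcard, so any single
  # character between the seconds and the fractional digits was accepted.
  """({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)\s+({host}[^\s]+)\s"""
  # Everything after "Hostd:" to end of line. Because of [^=], a message that
  # contains any "=" yields no additional_info at all; whether that is intended
  # cannot be told from here, so it is left unchanged — review if key=value
  # style hostd messages need to be captured.
  """Hostd:\s*({additional_info}[^=]+?)\s*$"""
]
}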
17 | ```
--------------------------------------------------------------------------------
/DS/Zeek/zeek/Ps/pC_zeekzjsondnsrequestsuccessdnsred.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Zeek JSON DNS-request parser for the "dns_red" log path.
# NOTE(review): the listing is truncated — "json-zeek-activity.Fields}[" has
# lost its "Fields = ${<template>." prefix and the list is never closed. Only
# the timestamp extraction survives; query/qtype/src/dst extractions are
# presumably in the template but cannot be confirmed from this page.
Name = zeek-z-json-dns-request-success-dnsred
Product = Zeek
Conditions = [
""""id.orig_h"""
""""id.resp_h"""
""""_path":"dns_red""""
""""query":""""
""""qtype_name":""""
]
ExtractionType = json
ParserVersion = "v1.0.0"

json-zeek-activity.Fields}[
""""ts":"({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)"""",

}
20 | ```
--------------------------------------------------------------------------------
/DS/Accellion/kiteworks/Ps/pC_accellionkwkvfiledeletesuccessdeletedfolder.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Accellion Kiteworks "Deleted folder" parser.
# NOTE(review): the field section is from the Kiteworks *download* parser —
# "q-kiteworks-file-activity.Fields}[" lost its "Fields = ${<template>."
# prefix, the single extraction hard-codes access=Downloaded (wrong for a
# folder deletion), and the list is never closed. The real extractions are
# not on this page.
Name = accellion-kw-kv-file-delete-success-deletedfolder
Product = Kiteworks
Conditions = [
"""Deleted folder"""
"""Activity:"""
]
ParserVersion = "v1.0.0"

q-kiteworks-file-activity.Fields}[
"""({access}Downloaded) file ({file_path}({file_dir}.*?[\\\/]+)?({file_name}[^\\\/]+?(\.({file_ext}[^\.]+))?))\.\s+File:\s"""

}
16 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_collaboration/Ps/pC_ciscoasastrappnotificationsuccesssip.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Cisco plain-text syslog parser for %SIP- notifications.
# NOTE(review): the Name carries an "asa" prefix while Product is "Cisco
# Collaboration" and the routing key is the %SIP- facility — confirm the
# naming is intentional before copying it.
Name          = "cisco-asa-str-app-notification-success-sip"
ParserVersion = "v1.0.0"
Product       = "Cisco Collaboration"

Conditions = [
  """: %SIP-"""
]

# Shared Cisco system-info extractions, then a "yyyy Mon d hh:mm:ss" timestamp
# and the hostname after it. No TimeFormat is declared here, so the format
# that decodes {time} must come from the template — verify with a sample.
Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
  """({time}\d{4} \w{3,4}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})"""
  """\d+:\d+:\d+\s+({host}[\w\-.]+)\s"""
]
}
15 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_data_center/Ps/pC_ciscoasastrappnotificationsuccessucsm.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Cisco plain-text syslog parser for %UCSM- (UCS Manager) notifications.
# NOTE(review): the Name carries an "asa" prefix while Product is "Cisco Data
# Center" and the routing key is the %UCSM- facility — confirm the naming is
# intentional before copying it.
Name          = "cisco-asa-str-app-notification-success-ucsm"
ParserVersion = "v1.0.0"
Product       = "Cisco Data Center"

Conditions = [
  """: %UCSM-"""
]

# Shared Cisco system-info extractions, then a "yyyy Mon d hh:mm:ss" timestamp
# and the hostname after it. No TimeFormat is declared here, so the format
# that decodes {time} must come from the template — verify with a sample.
Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
  """({time}\d{4} \w{3,4}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})"""
  """\d+:\d+:\d+\s+({host}[\w\-.]+)\s"""
]
}
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_barracudawafstrhttprequestsuccessdefaultunprotectedvalid.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Barracuda WAF access-log parser, "default / unprotected" internal requests.
# NOTE(review): two parsers are collapsed into this block — the fragment
# "barracuda-web-activity}{" is the tail of a "Fields = ${<template>."
# reference followed by the next parser's opening brace; the first parser's
# field list and the second parser's closing "]" are missing.
Name = barracuda-waf-str-http-request-success-defaultunprotectedvalid
ParserVersion = v1.0.0
Conditions = [ """INTERNAL""", """DEFAULT""", """UNPROTECTED""" ]

barracuda-web-activity}{
Name = barracuda-waf-str-http-request-success-profiledvalid
ParserVersion = v1.0.0
Conditions = [ """SERVER""", """PROFILED""", """PROTECTED""", """VALID"""
}
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_barracudawafstrhttprequestsuccessserverdefaultpassivevalid.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Barracuda WAF access-log parser, "default / passive" server requests.
# NOTE(review): two parsers are collapsed into this block — the fragment
# "barracuda-web-activity}{" is the tail of a "Fields = ${<template>."
# reference followed by the next parser's opening brace; the first parser's
# field list and the second parser's closing "]" are missing.
Name = barracuda-waf-str-http-request-success-serverdefaultpassivevalid
ParserVersion = v1.0.0
# " PASSIVE" keeps a leading space so it is matched as a whole token.
Conditions = [ """SERVER""" , """DEFAULT""" , """ PASSIVE""" ]

barracuda-web-activity}{
Name = barracuda-waf-str-http-request-success-profiledvalid
ParserVersion = v1.0.0
Conditions = [ """SERVER""", """PROFILED""", """PROTECTED""", """VALID"""
}
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_symantecedrjsonappnotificationsuccess21.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Symantec EDR JSON notification, event type_id 2 (SEP data type).
Name           = "symantec-edr-json-app-notification-success-2-1"
ParserVersion  = "v1.0.0"
ExtractionType = json

# NOTE(review): the last condition has no closing delimiter, so if Conditions
# are substring tests it is also satisfied by "type_id":20, :21, :2xx…, and a
# JSON encoder that emits a space after the colon ("type_id": 2) would not
# match at all. Confirm the feed's exact encoding before widening or narrowing.
Conditions = [
  """"destinationServiceName":"Symantec""""
  """"event_data_type":"sep""""
  """"type_id":2"""
]

# Shared Symantec system-info extractions; the "message" JSON member is
# surfaced as additional_info.
Fields = ${DLSymantecParserTemplates.symantec-system-info-template.Fields} [
  """exa_json_path=$.message,exa_field_name=additional_info"""
]
}
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrappnotificationfailed.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# VMware ESXi vsfwd (distributed firewall daemon) error: rule creation failed
# with "invalid argument".
Name          = "vmware-esxi-str-app-notification-failed"
ParserVersion = "v1.0.0"
# NOTE(review): {time} below ends in a literal "Z" while the format's final
# "Z" token is the RFC-822 numeric-offset style in Java's SimpleDateFormat
# (accepts "+0000", not "Z"); if the platform parses with those semantics the
# ISO-8601 token "X" is the matching one. Confirm with a real event.
TimeFormat    = "yyyy-MM-dd'T'HH:mm:ssZ"

Conditions = [
  """vsfwd:"""
  """[ERROR] failed"""
  """invalid argument"""
]

Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields} [
  # Whole-second ISO-8601 UTC timestamp.
  """({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ)"""
  # Fixed event name; a vsfwd "[ERROR] failed … invalid argument" line that
  # is not about rule creation still routes here but gets no event_name.
  """({event_name}failed to create rule)"""
]
}
15 | ```
--------------------------------------------------------------------------------
/DS/Accellion/kiteworks/Ps/pC_accellionkwkvappactivitysuccessrequestedafile.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Accellion Kiteworks "Requested a file" activity parser.
# NOTE(review): the field section is from the Kiteworks *download* parser —
# "q-kiteworks-file-activity.Fields}[" lost its "Fields = ${<template>."
# prefix, the single extraction hard-codes access=Downloaded (a request is
# not a download), and the list is never closed. The real extractions are not
# on this page.
Name = accellion-kw-kv-app-activity-success-requestedafile
Product = Kiteworks
Conditions = [
"""Requested a file"""
"""Activity:"""
]
ParserVersion = "v1.0.0"

q-kiteworks-file-activity.Fields}[
"""({access}Downloaded) file ({file_path}({file_dir}.*?[\\\/]+)?({file_name}[^\\\/]+?(\.({file_ext}[^\.]+))?))\.\s+File:\s"""

}
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_egnyteecefappactivitysuccessdisable.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Egnyte "Disable" (user suspended) app-activity parser.
# NOTE(review): the tail of this listing belongs to a PAM/LDAP parser —
# "pam-authentication.Fields}[" lost its "Fields = ${<template>." prefix, the
# LDAP failure strings below cannot occur in an Egnyte suspension event, and
# the list is never closed. The Egnyte extractions (suspended user, actor) are
# not on this page.
Name = "egnyte-e-cef-app-activity-success-disable"
Conditions = [
""""action":"Disable""""
"""destinationServiceName =Egnyte"""
""""subject":""""
"""suspended by"""
]
ParserVersion = "v1.0.0"

pam-authentication.Fields}[
"""({event_name}LDAP authentication failed)""",
"""({failure_reason}The user entered an incorrect password.)""",

}
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_egnyteegnytesk4appactivitysuccessremovedfromgroup.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Egnyte "Removed from group" app-activity parser.
# NOTE(review): the tail of this listing belongs to a PAM/LDAP parser —
# "pam-authentication.Fields}[" lost its "Fields = ${<template>." prefix, the
# LDAP failure strings below cannot occur in an Egnyte group-membership event,
# and the list is never closed. The Egnyte extractions are not on this page.
Name = "egnyte-egnyte-sk4-app-activity-success-removedfromgroup"
Conditions = [
""""action":"""
"""destinationServiceName =Egnyte"""
""":"Removed from group"""
]
ParserVersion = "v1.0.0"

pam-authentication.Fields}[
"""({event_name}LDAP authentication failed)""",
"""({failure_reason}The user entered an incorrect password.)""",

}
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareedrceffilewritesuccessfilemod.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# VMware Carbon Black EDR "endpoint.event.filemod" events (JSON body).
Name          = "vmware-edr-cef-file-write-success-filemod"
ParserVersion = "v1.0.0"

# Routing keys on the JSON event type, the presence of process_username and
# an EDR origin.
Conditions = [
  """"type":"endpoint.event.filemod""""
  """"process_username":""""
  """"event_origin":"EDR""""
]

# Shared Carbon Black EDR extractions plus the parent process path, split
# into directory (greedy, up to the last "\" or "/") and executable name.
# The directory group is optional so a bare executable name still parses.
Fields = ${CarbonBlackParsersTemplates.carbonblack-edr.Fields} [
  """parent_path":"({parent_process_path}({parent_process_dir}[^"]+(\\|\/)+)?({parent_process_name}[^"]+))"""
]
}
13 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_email_security/Ps/pC_ciscoiestremailspam.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Cisco Email Security (ESA) CASE spam-verdict lines.
Name          = "cisco-ie-str-email-spam"
ParserVersion = "v1.0.0"
Vendor        = "Cisco"
Product       = "Cisco Email Security"
TimeFormat    = "yyyy-MM-dd HH:mm:ss"

Conditions = [
  """MID """
  """CASE spam"""
]

Fields = [
  # The ESA message id is exposed twice: as alert_id and as message_id.
  """MID ({alert_id}\d+)"""
  """MID ({message_id}\d+)"""
  # Spam verdict text. NOTE(review): the pattern requires a double quote right
  # after the verdict, then either the next key= or end of line — confirm
  # against a sample that the verdict really is quote-terminated, otherwise
  # spam_score will never populate.
  """CASE spam ({spam_score}.+?)"(\s+\w+=|\s*$)"""
]
}
18 | ```
--------------------------------------------------------------------------------
/DS/Dell/sonicwall/Ps/pC_dellswkvvpnloginsuccessuserloginsuccessful.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# SonicWall SSL-VPN successful-login parser (key=value syslog).
# NOTE(review): the listing is not valid as written — the line beginning
# "sonicwall-firewall.Fields} [" has lost its "Fields = ${<template>." prefix
# and the field list is never closed. Only generic firewall fields survive;
# user and source-IP extractions are not on this page.
Name = "dell-sw-kv-vpn-login-success-userloginsuccessful"
Product = "Sonicwall"
Conditions = [
"""msg="User login successful""""
"""SSLVPN:"""
"""id=sslvpn"""
]
ParserVersion = "v1.0.0"

sonicwall-firewall.Fields} [
"""Category="({category}[^"]+)""",
"""dstname=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|({web_domain}[^"\/\s]+))"""

}
18 | ```
--------------------------------------------------------------------------------
/DS/F5/f5_access_policy_manager/Ps/pC_f5apmstrvpnloginfailfailedlogin.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# F5 APM "AD Agent:" lines, treated as VPN login failures.
Name          = "f5-apm-str-vpn-login-fail-failedlogin"
ParserVersion = "v1.0.0"
Vendor        = "F5"
Product       = "F5 Access Policy Manager"
TimeFormat    = "yyyy-MM-dd HH:mm:ss"

# NOTE(review): neither condition carries a failure indicator, so every
# "AD Agent:" message — including successful queries/authentications — routes
# to this "login-fail" parser, and its text lands in failure_reason. Unless
# the platform filters on that text elsewhere, successes will be counted as
# failures (noise for brute-force / lockout detections).
Conditions = [
  """:Common:"""
  """AD Agent:"""
]

Fields = [
  # APM session id between ":Common:" and ": AD Agent:".
  """:Common:({session_id}[^\s:]+): AD Agent:"""
  # Agent message up to the next double quote or end of line.
  """AD Agent:\s*({failure_reason}[^"]+?)\s*("|$)"""
]
}
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_egnyteegnytesk4appactivitysuccessupgradedtopower.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Egnyte "Upgraded to Power User" app-activity parser (a privilege change —
# worth its own detection once the real fields are in place).
# NOTE(review): the tail of this listing belongs to a PAM/LDAP parser —
# "pam-authentication.Fields}[" lost its "Fields = ${<template>." prefix, the
# LDAP failure strings below cannot occur in an Egnyte role-change event, and
# the list is never closed. The Egnyte extractions are not on this page.
Name = "egnyte-egnyte-sk4-app-activity-success-upgradedtopower"
Conditions = [
""""action":"""
"""destinationServiceName =Egnyte"""
""":"Upgraded to Power User""""
]
ParserVersion = "v1.0.0"

pam-authentication.Fields}[
"""({event_name}LDAP authentication failed)""",
"""({failure_reason}The user entered an incorrect password.)""",

}
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_egnyteegnytesk4appactivitysuccessverified.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Egnyte "Email address … verified" app-activity parser.
# NOTE(review): the tail of this listing belongs to a PAM/LDAP parser —
# "pam-authentication.Fields}[" lost its "Fields = ${<template>." prefix, the
# LDAP failure strings below cannot occur in an Egnyte verification event, and
# the list is never closed. The Egnyte extractions are not on this page.
Name = "egnyte-egnyte-sk4-app-activity-success-verified"
Conditions = [
""""action":"""
"""destinationServiceName =Egnyte"""
""":"Email address"""
""" verified"""
]
ParserVersion = "v1.0.0"

pam-authentication.Fields}[
"""({event_name}LDAP authentication failed)""",
"""({failure_reason}The user entered an incorrect password.)""",

}
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftazurekvfilesuccessvmid.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# Microsoft Defender AdvancedHunting DeviceFileEvents delivered via Azure
# Event Hub (eventhubbeat).
# NOTE(review): the field section does not belong here — "q-adfs-auth.Fields}["
# lost its "Fields = ${<template>." prefix, the single extraction is an ADFS
# "Computer=" host pattern, and the list is never closed. File name, path,
# SHA256, initiating process etc. are not recoverable from this page.
Name = "microsoft-azure-kv-file-success-vmid"
Conditions = [
"""|beatname=eventhubbeat|"""
"""|device_type=eventhubbeat|"""
"""|subject=AdvancedHunting-DeviceFileEvents|"""
"""vmid="""
"""@timestamp"""
"""@metadata"""
""""ActionType":"""
]
ParserVersion = "v1.0.0"

q-adfs-auth.Fields}[
"""\sComputer=({host}.+?)(\s+\w+=|\s*$)"""

}
20 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_sentinelonevcefappactivitysuccessusermodified.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# SentinelOne management-console CEF audit event: "Administrative information -
# User Modified".
Name          = "sentinelone-v-cef-app-activity-success-usermodified"
ParserVersion = "v1.0.0"

# The CEF header must name the SentinelOne Mgmt product and this exact event.
Conditions = [
  """CEF:"""
  """|SentinelOne|Mgmt|"""
  """|Administrative information - User Modified|"""
  """activityType="""
  """notificationScope="""
]

# Shared SentinelOne app-event extractions; operation is fixed by the
# condition above, so it is captured as a constant.
Fields = ${SentinelOneParsersTemplates.sentinelone-vigilance-app-events.Fields} [
  """({operation}User Modified)"""
]
}
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrapploginsuccessvmauthd.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# VMware ESXi vmauthd syslog lines, classified as login successes.
# NOTE(review): two parsers are collapsed into this block — "VMParserTemplates}{"
# is the tail of the first parser's "Fields = ${<template>." reference followed
# by the opening brace of the vmkernel parser, whose field list is never
# closed. Neither definition is usable as shown.
# NOTE(review): the vmauthd conditions (" vmauthd[" and "]: ") carry no
# success indicator, so failed-authentication vmauthd lines also satisfy them;
# unless the template or parser precedence filters those out, failures will
# be recorded as successful logins.
Name = vmware-esxi-str-app-login-success-vmauthd
ParserVersion = v1.0.0
Conditions = [ """ vmauthd[""", """]: """ ]

VMParserTemplates}{
Name = vmware-esxi-str-endpoint-activity-vmkernel
ParserVersion = v1.0.0
Conditions = [ """vmkernel:""" ]
Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
"""({event_name}Last path removed for TGT)"""

}
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_watchguardwkvnetworktrafficfirewall.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
{
# WatchGuard firewall traffic parser (msg_id 3000-0148, key=value).
# NOTE(review): the field section belongs to a MOVEit file-transfer parser —
# "moveit-activity.Fields}[" lost its "Fields = ${<template>." prefix, the
# four extractions below are MOVEit FileID/FileName/FolderPath/XFerSize
# fields that do not exist in a firewall traffic line, and the list is never
# closed. Source/destination/port/action extractions are not on this page.
Name = watchguard-w-kv-network-traffic-firewall
Conditions = [
"""msg_id="""
"""3000-0148"""
"""firewall:"""
]
ParserVersion = "v1.0.0"

moveit-activity.Fields}[
"""\sFileID:\s*({file_id}[^,]+)"""
"""\sFileName:\s*({file_name}[^.,]+\.({file_ext}[^,]+))"""
"""\sFolderPath:\s*({file_dir}[^,]+)"""
"""\sXFerSize:\s*({bytes}\d+)"""

}
19 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_wizwjsonappactivitysuccessfailwiz.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Wiz JSON audit-log records carrying action/actionParameters/serviceAccount/sourceIP keys.
4 | Name = wiz-w-json-app-activity-success-fail-wiz
5 | ParserVersion = "v1.0.0"
6 | Conditions = [ """"action":"""", """"actionParameters":""" , """"serviceAccount":""", """"sourceIP":""" ]
7 |
# NOTE(review): definition is incomplete in this listing: "wiz-w-json-audit-log}{" opens a
# second object that repeats Name and Conditions, the second Conditions array is never closed,
# and no Fields appear at all. Looks like an extraction artifact; confirm the real Fields
# against the source before relying on this parser.
8 | wiz-w-json-audit-log}{
9 | Name = wiz-w-json-app-activity-success-fail-wiz
10 | ParserVersion = "v1.0.0"
11 | Conditions = [ """"action":"""", """"actionParameters":""" , """"serviceAccount":""", """"sourceIP":"""
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_email_security/Ps/pC_ciscoiecefemailresponse.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Cisco Email Security CEF "MID ... RID ... Response" records.
4 | Name = cisco-ie-cef-email-response
5 | ParserVersion = v1.0.0
6 | Vendor = Cisco
7 | Product = Cisco Email Security
8 | TimeFormat = "epoch"
9 | Conditions = [ """CEF:""", """MID """, """ RID """, """ Response """ ]
10 | Fields = [
# time is the 13-digit rt= value.
11 | """\srt=({time}\d{13})""",
# The MID number is stored as both message_id and alert_id (nested capture);
# additional_info runs lazily up to the next "<key>=" token.
12 | """MID ({message_id}({alert_id}\d+)) ({additional_info}[^"]+?)\s\w+="""
13 | ]
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_email_security/Ps/pC_ciscoiestremailsubject.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Cisco Email Security "MID <n> Subject ..." lines.
4 | Name = cisco-ie-str-email-subject
5 | ParserVersion = v1.0.0
6 | Vendor = Cisco
7 | Product = Cisco Email Security
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """MID """, """ Subject """ ]
10 | Fields = [
# email_subject is taken up to the closing quote (or end of line); the optional leading
# quote may be ' or ".
11 | """MID ({alert_id}\d+) Subject ('|")?({email_subject}.+?)\s*('|"|$)"""
# alert_id is captured again here, nested inside message_id.
12 | """\sMID\s+({message_id}({alert_id}\d+))"""
13 | ]
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_watchguardwkvnetworktrafficfirewall1.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# WatchGuard firewall events with msg_id 3000-0149.
4 | Name = watchguard-w-kv-network-traffic-firewall-1
5 | Conditions = [
6 | """msg_id="""
7 | """3000-0149"""
8 | """firewall:"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
# NOTE(review): same defect as watchguard-w-kv-network-traffic-firewall: the Fields fragment
# is cut (no "Fields = ${..." prefix, no closing "]") and carries moveit-activity file fields
# that do not belong to a WatchGuard firewall event. Verify against the source before use.
12 | moveit-activity.Fields}[
13 | """\sFileID:\s*({file_id}[^,]+)"""
14 | """\sFileName:\s*({file_name}[^.,]+\.({file_ext}[^,]+))"""
15 | """\sFolderPath:\s*({file_dir}[^,]+)"""
16 | """\sXFerSize:\s*({bytes}\d+)"""
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_watchguardwkvnetworktrafficfirewall2.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# WatchGuard firewall events with msg_id 3000-0151.
4 | Name = watchguard-w-kv-network-traffic-firewall-2
5 | Conditions = [
6 | """msg_id="""
7 | """3000-0151"""
8 | """firewall:"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
# NOTE(review): same defect as watchguard-w-kv-network-traffic-firewall: the Fields fragment
# is cut (no "Fields = ${..." prefix, no closing "]") and carries moveit-activity file fields
# that do not belong to a WatchGuard firewall event. Verify against the source before use.
12 | moveit-activity.Fields}[
13 | """\sFileID:\s*({file_id}[^,]+)"""
14 | """\sFileName:\s*({file_name}[^.,]+\.({file_ext}[^,]+))"""
15 | """\sFolderPath:\s*({file_dir}[^,]+)"""
16 | """\sXFerSize:\s*({bytes}\d+)"""
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrnetworktrafficfailpacketsendfail.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# "%SSH-...-PACK_SND_FAIL: Packet send failed" lines.
# NOTE(review): the "%SSH-<sev>-PACK_SND_FAIL" token looks like a network-OS syslog
# mnemonic rather than a generic Unix message; confirm Vendor/Product against a sample.
4 | Name = unix-unix-str-network-traffic-fail-packetsendfail
5 | ParserVersion = v1.0.0
6 | Vendor = Unix
7 | Product = Unix
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """%SSH-""", """-PACK_SND_FAIL: """, """Packet send failed""" ]
10 | Fields = [
# dest_host / dest_port come from the quoted s_id="host:port" value.
11 | """s_id\s+="({dest_host}[^:]+):({dest_port}\d+)"""",
12 | """({event_name}Packet send failed)"""
13 | ]
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Accellion/kiteworks/Ps/pC_accellionkwkvappactivitysuccessuserprofile.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Kiteworks "User profile ... is changed" activity records.
4 | Name = accellion-kw-kv-app-activity-success-userprofile
5 | Product = Kiteworks
6 | Conditions = [
7 | """User profile"""
8 | """is changed"""
9 | """Activity:"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
# NOTE(review): the Fields fragment below is cut (no "Fields = ${..." prefix, no closing "]")
# and its only regex extracts a "Downloaded file ..." path, which does not match a user-profile
# change event. Likely spliced from q-kiteworks-file-activity; verify against the source.
13 | q-kiteworks-file-activity.Fields}[
14 | """({access}Downloaded) file ({file_path}({file_dir}.*?[\\\/]+)?({file_name}[^\\\/]+?(\.({file_ext}[^\.]+))?))\.\s+File:\s"""
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/F5/f5_access_policy_manager/Ps/pC_f5apmstrvpnsuccessusername.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# F5 APM ":Common:<session>: Username '<user>'" lines.
4 | Name = f5-apm-str-vpn-success-username
5 | Vendor = F5
6 | Product = F5 Access Policy Manager
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
8 | Conditions = [ """:Common:""", """Username """ ]
9 | Fields = [
10 | """:Common:({session_id}[^\s:]+): Username""",
# The optional non-capturing group swallows a "<prefix>\" segment (1-20 backslashes) so user
# holds only the bare account name, bounded to 40 chars plus an optional trailing "$".
11 | """\sUsername\s+'(?:[^'\\]+\\{1,20})?({user}[\w\.\-\!\#\^\~]{1,40}\$?)'"""
12 | ]
13 | ParserVersion = "v1.0.0"
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_junipersrxkvnetworktrafficsuccessactionpermit.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Juniper NetScreen-format traffic logs with action=Permit.
4 | Name = juniper-srx-kv-network-traffic-success-actionpermit
5 | ParserVersion = v1.0.0
6 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
7 | Conditions = [
8 | """NetScreen"""
9 | """ start_time=""""
10 | """ src zone="""
11 | """ action=Permit"""
12 | ]
# Shared firewall traffic fields, plus the reason= value (captured even though this
# parser only selects permitted sessions).
13 | Fields = ${JuniperParsersTemplates.juniper-firewall-network-traffic.Fields} [
14 | """\Wreason=({failure_reason}.+?)\s*(\w+=|$)"""
15 | ]
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftdefenderepjsonfilesuccesstenantid.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Defender for Endpoint AdvancedHuntingDeviceFileEvents_CL records (Sentinel export).
4 | Name = "microsoft-defenderep-json-file-success-tenantid"
5 | Conditions = [
6 | """"Type":"AdvancedHuntingDeviceFileEvents_CL"""
7 | """TimeGenerated"""
8 | """TenantId"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
# NOTE(review): the Fields fragment below is cut (no "Fields = ${..." prefix, no closing "]")
# and references cef-sysmon-file-write fields whose regexes extract Sysmon CEF cs1=/cs2=
# registry values, not JSON file-event keys. Likely spliced from another parser; verify
# against the source before use.
12 | cef-sysmon-file-write.Fields} [
13 | """cs2=({registry_value}[^=]+)\s+\w+="""
14 | """cs1=({registry_path}[^=]*?\\+({registry_key}[^=\\\/]+?)\\+({registry_value}[^\\=]+))\s\w+="""
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_postgresqlpstrdatabaseloginfailpassword_failed.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# PostgreSQL ":FATAL: password authentication failed for user ..." lines.
4 | Name = postgresql-p-str-database-login-fail-password_failed
5 | Conditions = [""":FATAL:""", """password authentication failed for user""" ]
6 | Fields = ${postgresqlParser-Template.postgresql-parser-str.Fields}[
# (\\*")* skips any (possibly escaped) quotes before the user name; user is bounded to
# 40 chars with an optional trailing "$".
7 | """password authentication failed for user\s*(\\*")*({user}[\w\.\-\!\#\^\~]{1,40}\$?)"""
# The same constant populates db_operation, action and operation.
8 | """({db_operation}({action}({operation}password authentication failed)))"""
9 | ]
10 |
11 |
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_unixunixauditdstrendpointloginsuccessauthentication.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# auditd "- USER ... TLSUserName authentication successful" lines.
4 | Name = unix-unixauditd-str-endpoint-login-success-authentication
5 | Conditions = [ """- USER""", """TLSUserName authentication successful""" ]
6 | Fields = ${UnixParsersTemplates.unixauditd-str-template.Fields}[
7 | """({event_name}TLS/X509 TLSUserName authentication successful)"""
# process_name / process_id from the "<name>[<pid>]:" syslog tag.
8 | """\s+({process_name}\S+)\[({process_id}\d+)\]\:\s+"""
9 | ]
10 | ParserVersion = v1.0.0
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrappnotificationsuccesssfcbd.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# ESXi sfcbd syslog lines (" sfcbd[<pid>]: ").
4 | Name = vmware-esxi-str-app-notification-success-sfcbd
5 | ParserVersion = v1.0.0
6 | Conditions = [ """ sfcbd[""", """]: """ ]
7 |
# NOTE(review): same extraction artifact as vmware-esxi-str-app-login-success-vmauthd: "}{"
# opens a second object (the vmkernel parser) inside this one and the Fields array opened at
# line 12 is never closed. Confirm this parser's real Fields against the source.
8 | VMParserTemplates}{
9 | Name = vmware-esxi-str-endpoint-activity-vmkernel
10 | ParserVersion = v1.0.0
11 | Conditions = [ """vmkernel:""" ]
12 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
13 | """({event_name}Last path removed for TGT)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Symantec/symantec_email_security/Ps/pC_symantecescstremailbytes.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Symantec Email Security "|MSG_SIZE|" records.
4 | Name = symantec-esc-str-email-bytes
5 | ParserVersion = v1.0.0
6 | Vendor = Symantec
7 | Product = Symantec Email Security
8 | TimeFormat = "epoch_sec"
9 | Conditions = [
10 | """|MSG_SIZE|"""
11 | ]
12 | Fields = [
# host from the syslog "<host> <prog>[<pid>]:" prefix.
13 | """\s({host}[\w\.-]+)\s+\w+\[\d+\]:""",
# time is the 10-digit epoch-seconds value; alert_id may be empty (the "(|...)" alternative).
14 | """\s*({time}\d{10})\|(|({alert_id}[^\|]+))\|MSG_SIZE\|({bytes}\d+)"""
15 | ]
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrendpointnotificationsshdset.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# sshd syslog lines containing " Set ".
4 | Name = unix-unix-str-endpoint-notification-sshdset
5 | Vendor = Unix
6 | Product = Unix
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
8 | Conditions = [ """sshd[""", """ Set """ ]
9 | Fields = [
10 | """({host}\S+) sshd\[""",
# Whole message after "sshd[<pid>]:" is kept as additional_info.
# NOTE(review): item separators are inconsistent (comma after line 10 only); HOCON treats
# newlines as separators, so this should still parse, but it is worth normalising.
11 | """\ssshd\[\d+\]:\s*({additional_info}.+?)\s*$"""
12 | """\s+({process_name}\S+)\[({process_id}\d+)\]\:\s*"""
13 | ]
14 | ParserVersion = "v1.0.0"
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/HP/hpe_comware/Ps/pC_hpcomwarestrappnotificationinterface.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# HPE Comware "INTERFACE UPDOWN" notifications.
4 | Name = hp-comware-str-app-notification-interface
5 | ParserVersion = "v1.0.0"
6 | Vendor = HP
7 | Product = HPE Comware
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """INTERFACE UPDOWN"""]
10 | Fields = [
# NOTE(review): both regexes write "result" (interface state text vs. numeric ifAdminStatus);
# which value wins when both match is not visible here — confirm against a sample.
11 | """Interface\s({interface}\d+)\sis\s({result}[^,]+)""",
12 | """ifAdminStatus\sis\s({result}\d+)""",
13 | # oper_status is removed
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Microsoft/azure_monitor/Ps/pC_microsoftazuremonjsonappactivitysuccessdatastorereadevent.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Azure Monitor resource logs with category DataStoreReadEvent.
4 | Name = microsoft-azuremon-json-app-activity-success-datastorereadevent
5 | Product = Azure Monitor
6 | ParserVersion = v1.0.0
7 | Conditions = [
8 | """"resourceId":""",
9 | """"category":"DataStoreReadEvent"""",
10 | """"operationName":"""
11 | ]
# Fields come entirely from the shared template; the extension array adds nothing.
12 | Fields = ${MicrosoftAzureParsersTemplates.cef-azure-db-for-mysql.Fields} [
13 |
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/OpenDJ/opendj/Ps/pC_opendjokvendpointloginuid.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# OpenDJ access-log "REQ conn=... op=... msgID=..." lines carrying uid=.
4 | Name = opendj-o-kv-endpoint-login-uid
5 | Vendor = OpenDJ
6 | Product = OpenDJ
7 | TimeFormat = "dd/MMM/yyyy:HH:mm:ss Z"
8 | Conditions = [ """uid=""", """ REQ conn=""", """op=""", """msgID=""" ]
9 | Fields = [
10 | """\[({time}\d\d\/\w+\/\d\d\d\d:\d\d:\d\d:\d\d [-\+]\d+)\]""",
11 | """conn=({connection_id}\d+)""",
# user_uid only matches numeric uids (\d+); alphanumeric uid values are not extracted.
12 | """uid=({user_uid}\d+)"""
13 | ]
14 | ParserVersion = "v1.0.0"
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrendpointactivitysuccesscrxcli.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# ESXi crx-cli syslog lines (" crx-cli[<pid>]: ").
4 | Name = vmware-esxi-str-endpoint-activity-success-crxcli
5 | Conditions = [ """ crx-cli[""", """]: """ ]
6 | ParserVersion = "v1.0.0"
7 |
# NOTE(review): same extraction artifact as vmware-esxi-str-app-login-success-vmauthd: "}{"
# opens a second object (the vmkernel parser) inside this one and the Fields array opened at
# line 12 is never closed. Confirm this parser's real Fields against the source.
8 | VMParserTemplates}{
9 | Name = vmware-esxi-str-endpoint-activity-vmkernel
10 | ParserVersion = v1.0.0
11 | Conditions = [ """vmkernel:""" ]
12 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
13 | """({event_name}Last path removed for TGT)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Forcepoint/forcepoint_next-gen_firewall/Ps/pC_forcepointngfwcefnetworktrafficsuccessconnectionallowed.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Forcepoint NGFW CEF "Connection_Allowed" events.
4 | Name = forcepoint-ngfw-cef-network-traffic-success-connectionallowed
5 | ParserVersion = v1.0.0
6 | Product = Forcepoint Next-Gen Firewall
7 | Conditions = [ """CEF:""", """|FORCEPOINT|""", """|Connection_Allowed|""" ]
# Shared Forcepoint fields plus protocol from proto=, read lazily up to the next "<key>=".
8 | Fields = ${ForcepointParsersTemplates.forcepoint-template-aa.Fields} [
9 | """proto=\s*({protocol}.+?)(\s\w+=)""",
10 | ]
11 |
12 |
13 | }
14 | ```
--------------------------------------------------------------------------------
/DS/Microsoft/azure_monitor/Ps/pC_microsoftazuremonjsonappactivitysuccesscomputeinstanceevent.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Azure Monitor resource logs with category ComputeInstanceEvent.
4 | Name = microsoft-azuremon-json-app-activity-success-computeinstanceevent
5 | Product = Azure Monitor
6 | ParserVersion = v1.0.0
7 | Conditions = [
8 | """"resourceId":""",
9 | """"category":"ComputeInstanceEvent"""",
10 | """"operationName":"""
11 | ]
# Fields come entirely from the shared template; the extension array adds nothing.
12 | Fields = ${MicrosoftAzureParsersTemplates.cef-azure-db-for-mysql.Fields} [
13 |
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_egnyteegnytesk4appactivitysuccessverificationdisable.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Egnyte "Two-step Login Verification disabled" audit records.
4 | Name = "egnyte-egnyte-sk4-app-activity-success-verificationdisable"
5 | Conditions = [
6 | """"action":"""
7 | """destinationServiceName =Egnyte"""
8 | """:"Two-step Login Verification disabled""""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
# NOTE(review): the Fields fragment below is cut (no "Fields = ${..." prefix, no closing "]")
# and carries pam-authentication constants ("LDAP authentication failed", "incorrect
# password") that contradict this event. If deployed as-is it would mislabel an MFA-disable
# event as a failed LDAP login; verify the real Fields against the source.
12 | pam-authentication.Fields}[
13 | """({event_name}LDAP authentication failed)""",
14 | """({failure_reason}The user entered an incorrect password.)""",
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrappnotificationsuccessnicmgmtd.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# ESXi nicmgmtd syslog lines (" nicmgmtd[<pid>]: ").
4 | Name = vmware-esxi-str-app-notification-success-nicmgmtd
5 | ParserVersion = v1.0.0
6 | Conditions = [ """ nicmgmtd[""", """]: """ ]
7 |
# NOTE(review): same extraction artifact as vmware-esxi-str-app-login-success-vmauthd: "}{"
# opens a second object (the vmkernel parser) inside this one and the Fields array opened at
# line 12 is never closed. Confirm this parser's real Fields against the source.
8 | VMParserTemplates}{
9 | Name = vmware-esxi-str-endpoint-activity-vmkernel
10 | ParserVersion = v1.0.0
11 | Conditions = [ """vmkernel:""" ]
12 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
13 | """({event_name}Last path removed for TGT)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrendpointactivitysuccesslocalcli.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# ESXi localcli syslog lines (" localcli[<pid>]: ").
4 | Name = vmware-esxi-str-endpoint-activity-success-localcli
5 | Conditions = [ """ localcli[""", """]: """ ]
6 | ParserVersion = "v1.0.0"
7 |
# NOTE(review): same extraction artifact as vmware-esxi-str-app-login-success-vmauthd: "}{"
# opens a second object (the vmkernel parser) inside this one and the Fields array opened at
# line 12 is never closed. Confirm this parser's real Fields against the source.
8 | VMParserTemplates}{
9 | Name = vmware-esxi-str-endpoint-activity-vmkernel
10 | ParserVersion = v1.0.0
11 | Conditions = [ """vmkernel:""" ]
12 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
13 | """({event_name}Last path removed for TGT)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Symantec/symantec_email_security/Ps/pC_symantecescstremaildirection.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Symantec Email Security "|SOURCE|" records.
4 | Name = symantec-esc-str-email-direction
5 | ParserVersion = v1.0.0
6 | Vendor = Symantec
7 | Product = Symantec Email Security
8 | TimeFormat = "epoch_sec"
9 | Conditions = [
10 | """|SOURCE|"""
11 | ]
12 | Fields = [
# host from the syslog "<host> <prog>[<pid>]:" prefix.
13 | """\s({host}[\w\.-]+)\s+\w+\[\d+\]:""",
# time is the 10-digit epoch-seconds value; alert_id may be empty; direction is the
# word after |SOURCE|.
14 | """\s*({time}\d{10})\|(|({alert_id}[^\|]+))\|SOURCE\|({direction}\w+)"""
15 | ]
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Accellion/kiteworks/Ps/pC_accellionkwkvfilepermissionmodifysuccessaddednewpermission.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Kiteworks "Added new permission" activity records.
4 | Name = accellion-kw-kv-file-permission-modify-success-addednewpermission
5 | Product = Kiteworks
6 | Conditions = [
7 | """Added new permission"""
8 | """Activity:"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
# NOTE(review): same defect as accellion-kw-kv-app-activity-success-userprofile: the Fields
# fragment is cut (no "Fields = ${..." prefix, no closing "]") and only extracts a
# "Downloaded file ..." path, which does not match a permission-change event. Verify against
# the source before use.
12 | q-kiteworks-file-activity.Fields}[
13 | """({access}Downloaded) file ({file_path}({file_dir}.*?[\\\/]+)?({file_name}[^\\\/]+?(\.({file_ext}[^\.]+))?))\.\s+File:\s"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Microsoft/azure_monitor/Ps/pC_microsoftazuremonjsonappactivitysuccessamlcomputeclusterevent.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Azure Monitor resource logs with category AmlComputeClusterEvent.
4 | Name = microsoft-azuremon-json-app-activity-success-amlcomputeclusterevent
5 | Product = Azure Monitor
6 | ParserVersion = v1.0.0
7 | Conditions = [
8 | """"resourceId":""",
9 | """"category":"AmlComputeClusterEvent"""",
10 | """"operationName":"""
11 | ]
# Fields come entirely from the shared template; the extension array adds nothing.
12 | Fields = ${MicrosoftAzureParsersTemplates.cef-azure-db-for-mysql.Fields} [
13 |
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/N3K/n3k/RM/r_m_n3k_n3k_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: N3K
4 | -----------
5 | ### Product: [N3K](../ds_n3k_n3k.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
| ---------- | ----- | ------ |
13 |
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrappnotificationvsantraceurgent.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# ESXi vsantraceUrgent lines reporting DOMTraceObjectServerAssocTerminateCb.
4 | Name = vmware-esxi-str-app-notification-vsantraceurgent
5 | ParserVersion = v1.0.0
6 | TimeFormat = "yyyy-MM-dd'T'HH:mm:ss"
7 | Conditions = [ """vsantraceUrgent:""", """DOMTraceObjectServerAssocTerminateCb""" ]
8 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
# ISO timestamp without fractional seconds or zone, matching TimeFormat above.
9 | """({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d)"""
10 | """({event_name}DOMTraceObjectServerAssocTerminateCb)"""
11 | ]
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrendpointactivitysuccessvmwipmi.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# ESXi sfcb-vmw_ipmi syslog lines (" sfcb-vmw_ipmi[<pid>]: ").
4 | Name = vmware-esxi-str-endpoint-activity-success-vmwipmi
5 | Conditions = [ """ sfcb-vmw_ipmi[""", """]: """ ]
6 | ParserVersion = "v1.0.0"
7 |
# NOTE(review): same extraction artifact as vmware-esxi-str-app-login-success-vmauthd: "}{"
# opens a second object (the vmkernel parser) inside this one and the Fields array opened at
# line 12 is never closed. Confirm this parser's real Fields against the source.
8 | VMParserTemplates}{
9 | Name = vmware-esxi-str-endpoint-activity-vmkernel
10 | ParserVersion = v1.0.0
11 | Conditions = [ """vmkernel:""" ]
12 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
13 | """({event_name}Last path removed for TGT)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrnetworksessionfailiofiltervpd.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# ESXi iofiltervpd "SSL Connection error" lines.
4 | Name = vmware-esxi-str-network-session-fail-iofiltervpd
5 | ParserVersion = v1.0.0
# NOTE(review): two TimeFormats are listed, but the time regex below only accepts the
# ".SSSZ" form, so the second format is never exercised by this parser.
6 | TimeFormat = ["yyyy-MM-dd'T'HH:mm:ss.SSSZ","yyyy-MM-dd'T'HH:mm:ss"]
7 | Conditions = [ """iofiltervpd[""", """SSL Connection error""" ]
8 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
9 | """({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d\d\dZ)""",
10 | """({event_name}SSL Connection error)"""
11 | ]
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Accellion/kiteworks/Ps/pC_accellionkiteworkskvuserpasswordmodifysuccessupdatedpassword.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Kiteworks "Updated their password" activity records.
4 | Name = "accellion-kiteworks-kv-user-password-modify-success-updatedpassword"
5 | Product = "Kiteworks"
6 | Conditions = [
7 | """Updated their password"""
8 | """Activity:"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
# NOTE(review): same defect as accellion-kw-kv-app-activity-success-userprofile: the Fields
# fragment is cut (no "Fields = ${..." prefix, no closing "]") and only extracts a
# "Downloaded file ..." path, which does not match a password-change event. Verify against
# the source before use.
12 | q-kiteworks-file-activity.Fields}[
13 | """({access}Downloaded) file ({file_path}({file_dir}.*?[\\\/]+)?({file_name}[^\\\/]+?(\.({file_ext}[^\.]+))?))\.\s+File:\s"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/F5/f5_access_policy_manager/Ps/pC_f5apmstrvpnsuccessaccesspolicy.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# F5 APM ":Common:<session>: Access policy result: <policy>" lines.
4 | Name = f5-apm-str-vpn-success-accesspolicy
5 | Vendor = F5
6 | Product = F5 Access Policy Manager
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
8 | Conditions = [ """:Common:""", """Access policy result:""" ]
9 | Fields = [
10 | """:Common:({session_id}[^\s:]+): Access policy result""",
# policy_name runs lazily up to a double quote or end of line.
11 | """\sAccess policy result:\s*({policy_name}[^"]+?)\s*("|$)"""
12 | ]
13 | ParserVersion = "v1.0.0"
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Kemp/kemp_loadmaster/Ps/pC_kemploadmasterstrappnotificationsmtpalertsuccessfullysent.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Kemp LoadMaster "mailer: SMTP alert successfully sent." notifications.
4 | Name = kemp-loadmaster-str-app-notification-smtpalertsuccessfullysent
5 | Vendor = Kemp
6 | Product = Kemp LoadMaster
7 | ParserVersion = "v1.0.0"
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """mailer: """, """SMTP alert successfully sent.""" ]
10 | Fields = [
# event_name is the mailer message text up to the final period at end of line.
11 | """mailer:\s+({event_name}.+?)\.\s+$""",
12 | """({event_category}mailer)"""
13 | ]
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Microsoft/azure_monitor/Ps/pC_microsoftazuremonjsonappactivitysuccesserrors.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Azure Monitor "Errors" category / ErrorEvent records.
4 | Name = microsoft-azuremon-json-app-activity-success-errors
5 | Product = Azure Monitor
6 | ParserVersion = v1.0.0
7 | Conditions = [
8 | """"resourceId":""",
9 | """"category":"Errors"""",
10 | """"operationName":"ErrorEvent""""
11 | ]
# Shared template fields plus db_name from the "DatabaseName" JSON key.
12 | Fields = ${MicrosoftAzureParsersTemplates.cef-azure-db-for-mysql.Fields} [
13 | """"DatabaseName":"({db_name}[^"]+)""""
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_forcepointngfwcefnetworktraffic1004.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Forcepoint Firewall CEF event 1004 (FW_Related-Connection).
4 | Name = forcepoint-ngfw-cef-network-traffic-1004
5 | Conditions = [
6 | """CEF:"""
7 | """|FORCEPOINT|Firewall|"""
8 | """|1004|FW_Related-Connection|"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
# NOTE(review): the Fields fragment below is cut (no "Fields = ${..." prefix, no closing "]")
# and carries moveit-activity file fields (FileID/FileName/FolderPath/XFerSize) that do not
# belong to a firewall connection event. Likely spliced from another parser; verify against
# the source before use.
12 | moveit-activity.Fields}[
13 | """\sFileID:\s*({file_id}[^,]+)"""
14 | """\sFileName:\s*({file_name}[^.,]+\.({file_ext}[^,]+))"""
15 | """\sFolderPath:\s*({file_dir}[^,]+)"""
16 | """\sXFerSize:\s*({bytes}\d+)"""
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftdefenderepjsonapploginsuccesstimegenerated.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Defender for Endpoint AdvancedHuntingDeviceLogonEvents_CL records (Sentinel export).
4 | Name = "microsoft-defenderep-json-app-login-success-timegenerated"
5 | Conditions = [
6 | """"Type":"AdvancedHuntingDeviceLogonEvents_CL"""
7 | """TimeGenerated"""
8 | """TenantId"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
# NOTE(review): same defect as microsoft-defenderep-json-file-success-tenantid: the Fields
# fragment is cut (no "Fields = ${..." prefix, no closing "]") and carries Sysmon CEF
# cs1=/cs2= registry regexes that cannot apply to a JSON logon event. Verify against the
# source before use.
12 | cef-sysmon-file-write.Fields} [
13 | """cs2=({registry_value}[^=]+)\s+\w+="""
14 | """cs1=({registry_path}[^=]*?\\+({registry_key}[^=\\\/]+?)\\+({registry_value}[^\\=]+))\s\w+="""
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftsysmonceffilewritesuccessfilecreated.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Sysmon (NXLog CEF) SYSMON_FILE_CREATE "File created" events.
4 | Name = "microsoft-sysmon-cef-file-write-success-filecreated"
5 | Conditions = [
6 | """CEF:"""
7 | """|Microsoft Sysmon|Sysmon NXLog|"""
8 | """|SysmonTask-SYSMON_FILE_CREATE|File created|"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
# NOTE(review): the Fields fragment below is cut (no "Fields = ${..." prefix, no closing "]").
# The template name matches this event type, but the two visible regexes extract registry_*
# fields from cs1=/cs2=, which is odd for a file-create event; verify the full Fields against
# the source.
12 | cef-sysmon-file-write.Fields} [
13 | """cs2=({registry_value}[^=]+)\s+\w+="""
14 | """cs1=({registry_path}[^=]*?\\+({registry_key}[^=\\\/]+?)\\+({registry_value}[^\\=]+))\s\w+="""
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrendpointactivitysuccessconfigstore.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# ESXi ConfigStore syslog lines (" ConfigStore[<pid>]: ").
4 | Name = vmware-esxi-str-endpoint-activity-success-configstore
5 | Conditions = [ """ ConfigStore[""", """]: """ ]
6 | ParserVersion = "v1.0.0"
7 |
# NOTE(review): same extraction artifact as vmware-esxi-str-app-login-success-vmauthd: "}{"
# opens a second object (the vmkernel parser) inside this one and the Fields array opened at
# line 12 is never closed. Confirm this parser's real Fields against the source.
8 | VMParserTemplates}{
9 | Name = vmware-esxi-str-endpoint-activity-vmkernel
10 | ParserVersion = v1.0.0
11 | Conditions = [ """vmkernel:""" ]
12 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
13 | """({event_name}Last path removed for TGT)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrappnotificationsuccessnomad.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# nomad syslog lines ("nomad[<pid>]:").
4 | Name = "unix-unix-str-app-notification-success-nomad"
5 | Vendor = "Unix"
6 | Product = "Unix"
# TimeFormat carries no year; presumably the ingest layer supplies it — confirm.
7 | TimeFormat = ["MMM dd HH:mm:ss"]
8 | Conditions = [
9 | """nomad["""
10 | """]:"""
11 | ]
12 | Fields = [
# Single regex: syslog timestamp, host, process name/pid, then everything after the
# last ":" that is not preceded by a digit becomes additional_info.
13 | """({time}\w\w\w \d\d \d\d:\d\d:\d\d)\s({host}[\w\-\.]+)\s({process_name}[^\[]+)\[({process_id}[^\]]+)]:.*?[^\d]:\s*({additional_info}[^$]+)"""
14 | ]
15 | ParserVersion = "v1.0.0"
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrendpointnotificationsuccesspamlimit.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# pam_limits messages in a crond session.
4 | Name = "unix-unix-str-endpoint-notification-success-pamlimit"
5 | Vendor = "Unix"
6 | Product = "Unix"
7 | TimeFormat = "yyyy MMM dd HH:mm:ss"
8 | Conditions = [
9 | """(crond:session):""",
10 | """pam_limits"""
11 | ]
12 | Fields = [
13 | """\w+\s+\d+\s+\d+:\d+:\d+\s+({host}[\w\-.]+)\s"""
# NOTE(review): Conditions require "pam_limits", but event_name is anchored on
# "pam_sss(crond:session):"; a line of the form "pam_limits(crond:session): ..." would
# match the parser yet yield no event_name. Confirm against a sample.
14 | """pam_sss\(crond:session\):\s*({event_name}[^$]*?)\s*$"""
15 | ]
16 | ParserVersion = "v1.0.0"
17 |
18 |
19 | }
20 | ```
--------------------------------------------------------------------------------
/DS/VMware/vcenter/Ps/pC_barracudawafstrappnotificationsamltokenparsed.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# "SAML token for <x> successfully parsed from ..." lines.
# NOTE(review): the Name prefix says barracuda-waf while Vendor/Product (and the file's
# location) say VMware vCenter; confirm which product this parser is meant for.
4 | Name = barracuda-waf-str-app-notification-samltokenparsed
5 | ParserVersion = v1.0.0
6 | Vendor = VMware
7 | Product = vCenter
8 | TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
9 | Conditions = [ """SAML token for """, """ successfully parsed from""" ]
10 | Fields = [
11 | """({time}\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)"""
# The whole message from "SAML token for" onward is kept as additional_info.
12 | """({additional_info}SAML token for .*)""",
13 | ]
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Onapsis/onapsis/Ps/pC_onapsisocefappnotificationisalive.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Onapsis OSP CEF "Is Alive" heartbeat events.
4 | Name = onapsis-o-cef-app-notification-isalive
5 | Product = Onapsis
6 | Vendor = Onapsis
7 | ParserVersion = "v1.0.0"
8 | TimeFormat = "MMM dd yyyy HH:mm:ss"
9 | Conditions = [ """CEF:""", """|Onapsis|OSP|""", """|Is Alive|""" ]
10 | Fields = [
# time from end=, in the "MMM dd yyyy HH:mm:ss" layout declared above.
11 | """\Wend=({time}\w+ \d\d \d\d\d\d \d\d:\d\d:\d\d)""",
12 | # appliance_state is removed
# event_name from event_id=, read lazily up to the next "<key>=" or end of line.
13 | """\Wevent_id=({event_name}.+?)(\s+\w+=|\s*$)"""
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Symantec/symantec_email_security/Ps/pC_symantecescstremailsubject.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Symantec Email Security "|SUBJECT|" records.
4 | Name = symantec-esc-str-email-subject
5 | ParserVersion = v1.0.0
6 | Vendor = Symantec
7 | Product = Symantec Email Security
8 | TimeFormat = "epoch_sec"
9 | Conditions = [
10 | """|SUBJECT|"""
11 | ]
12 | Fields = [
# host from the syslog "<host> <prog>[<pid>]:" prefix.
13 | """\s({host}[\w\.-]+)\s+\w+\[\d+\]:""",
# time is the 10-digit epoch-seconds value; alert_id and email_subject may both be empty
# (the "(|...)" alternatives); the subject stops at the next "|" or end of line.
14 | """\s*({time}\d{10})\|(|({alert_id}[^\|]+))\|SUBJECT\|\s*(|({email_subject}.+?))(\||\s*$)"""
15 | ]
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix_auditd/Ps/pC_unixadstrendpointactivityauditd.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# auditd daemon syslog lines ("auditd[<pid>]: ").
4 | Name = unix-ad-str-endpoint-activity-auditd
5 | Vendor = Unix
6 | Product = Unix Auditd
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
8 | Conditions = [ """auditd[""", """]: """ ]
9 | Fields = [
# host is the token after the HH:MM:SS timestamp.
10 | """\d\d:\d\d:\d\d ({host}[\w\-.]+).+?auditd""",
# Whole message after "auditd[<pid>]:" is kept as additional_info.
11 | """\sauditd\[\d+\]:\s*({additional_info}.+?)\s*$"""
12 | """\s+({process_name}\S+)\[({process_id}\d+)\]\:\s*"""
13 | ]
14 | ParserVersion = "v1.0.0"
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/VMware/vmware_horizon/Ps/pC_vmwarehorizonstrappnotificationsuccessmaximum.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# VMware Horizon "View ... the maximum number ..." notifications.
4 | Name = vmware-horizon-str-app-notification-success-maximum
5 | ParserVersion = "v1.0.0"
6 | Vendor = VMware
7 | Product = VMware Horizon
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """ View """ , """ the maximum number """ ]
10 | Fields = [
# host is the token after the syslog "<Mon> <d> HH:MM:SS" prefix.
11 | """\w+\s+\d+\s+\d+:\d+:\d+\s+({host}[\w\-.]+)""",
12 | """({app}View)""",
# event_name is the text from "View" to the trailing whitespace at end of line.
13 | """({event_name}View.*?)\s+$""",
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_infrastructure_and_management/Ps/pC_ciscoasastrappnotificationsuccesscdp.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
# Cisco syslog lines carrying the ": %CDP-" facility tag.
# NOTE(review): the Name says "asa" but the only condition is a %CDP- mnemonic; confirm the
# intended platform against a sample.
4 | Name = cisco-asa-str-app-notification-success-cdp
5 | ParserVersion = v1.0.0
6 | Product = Cisco Network Infrastructure and Management
7 | Conditions = [ """: %CDP-""" ]
# Shared cisco-system-info fields plus time and host (same two regexes as the l2fm parser,
# listed in the opposite order).
8 | Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
9 | """({time}\d{4} \w{3,4}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})"""
10 | """\d+:\d+:\d+\s+({host}[\w\-.]+)\s"""
11 | ]
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_infrastructure_and_management/Ps/pC_ciscoasastrappnotificationsuccessl2fm.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Cisco syslog lines whose facility code starts with %L2FM-; the Fields below are appended to the shared cisco-system-info template
4 | Name = cisco-asa-str-app-notification-success-l2fm
5 | ParserVersion = v1.0.0
6 | Product = Cisco Network Infrastructure and Management // Vendor and TimeFormat are not set in this snippet -- presumably supplied by the template or an enclosing object, verify
7 | Conditions = [ """: %L2FM-""" ]
8 | Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
9 | """\d+:\d+:\d+\s+({host}[\w\-.]+)\s""" // host: token following the time (listed before the time regex here, unlike the sibling %XXX- parsers; each entry is a standalone regex, so the order should not matter -- confirm)
10 | """({time}\d{4} \w{3,4}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})""" // year-first timestamp: "yyyy Mon d h:m:s"
11 | ]
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/F5/f5_access_policy_manager/Ps/pC_f5apmjsonendpointloginfail01490212.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // F5 APM JSON event 01490212:4 (failed authentication); captures the @timestamp and the quoted user name
4 | Name = "f5-apm-json-endpoint-login-fail-01490212"
5 | Vendor = F5
6 | Product = F5 Access Policy Manager
7 | TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ" // the capture below ends in a literal 'Z'; confirm the engine's 'Z' pattern accepts that rather than only +0000-style offsets
8 | Conditions = [ """01490212:4""" ]
9 | Fields = [
10 | """@timestamp"\s*:\s*"({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)""",
11 | """authenticate with '({user}[\w\.\-\!\#\^\~]{1,40}\$?)' failed""", // user must be 1-40 chars of the listed set and be followed directly by "' failed"; a name containing '@' (UPN style) or longer than 40 chars does not match and {user} is dropped
12 | ]
13 | ParserVersion = "v1.0.0"
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/F5/f5_access_policy_manager/Ps/pC_f5apmstrvpnsuccessstatistics.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // F5 APM "Session statistics -" lines; session_id is the token after ":Common:", byte counters come from the statistics text
4 | Name = f5-apm-str-vpn-success-statistics
5 | Vendor = F5
6 | Product = F5 Access Policy Manager
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss" // no {time} or {host} capture below; both presumably come from the syslog header -- confirm
8 | Conditions = [ """:Common:""", """/Common/""", """Session statistics -""" ]
9 | Fields = [
10 | """:Common:({session_id}[^:]+)""", // first ":Common:" occurrence; the id stops at the next colon
11 | """Session statistics - bytes in:\s*({bytes_in}\d+),\s+bytes out:\s*({bytes_out}\d+)""" // both counters come from one regex: if either part is missing, neither is captured
12 | ]
13 | ParserVersion = "v1.0.0"
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Shibboleth/shibboleth/Ps/pC_shibbolethskvappnotificationwarn.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Shibboleth syslog "WARN" lines; host from the syslog header, event_name from the text after "Shibboleth.Application :"
4 | Name = shibboleth-s-kv-app-notification-warn
5 | Product = Shibboleth
6 | Vendor = Shibboleth
7 | ParserVersion = "v1.0.0"
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss" // no {time} capture below; event time presumably comes from the syslog header -- confirm
9 | Conditions = [ """shibboleth: WARN""" ]
10 | Fields = [
11 | """\w+\s+\d+\s+\d\d:\d\d:\d\d\s+({host}[\w\-.]+)\s+shibboleth:""",
12 | """({app}Shibboleth)""",
13 | """Shibboleth\.Application\s*:\s*({event_name}.+?)\s*$""", // only lines from the Shibboleth.Application logger yield event_name; other WARN sources satisfy the Conditions but leave it empty
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Symantec/symantec_email_security/Ps/pC_symantecescstremailreturnpath.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Symantec Email Security pipe-delimited records containing |MSGID|; time is a 10-digit epoch-seconds value followed by an optional alert id and the return path
4 | Name = symantec-esc-str-email-returnpath
5 | ParserVersion = v1.0.0
6 | Vendor = Symantec
7 | Product = Symantec Email Security
8 | TimeFormat = "epoch_sec"
9 | Conditions = [
10 | """|MSGID|"""
11 | ]
12 | Fields = [
13 | """\s({host}[\w\.-]+)\s+\w+\[\d+\]:""", // host: token before "proc[pid]:"
14 | """\s*({time}\d{10})\|(|({alert_id}[^\|]+))\|MSGID\|\s*(|({return_path}.+?)>?)(\||\s*$)""" // alert_id and return_path are each optional (empty alternative); a trailing '>' on the return path is left outside the capture
15 | ]
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrendpointauthenticationfailauth.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
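3 | { // sudo authentication failures reported by pam_unix: "could not identify password for [...]"; host from the syslog header, message as event_name
4 | Name = "unix-unix-str-endpoint-authentication-fail-auth"
5 | Vendor = "Unix"
6 | Product = "Unix"
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss" // no {time} capture below; event time presumably comes from the syslog header -- confirm
8 | Conditions = [
9 | """pam_unix(sudo:auth)"""
10 | """could not identify password for"""
11 | ]
12 | Fields = [
13 | """\w+\s+\d+\s+\d+:\d+:\d+\s+({host}[\w\-.]+)\s+""" // host: token after "Mon dd hh:mm:ss"
14 | """pam_unix\(sudo:auth\):\s*({event_name}.*?)\s*$""" // was [^$]*? -- inside a character class '$' is a literal, so any '$' in the message (e.g. a machine account such as HOST$) made the regex fail and dropped event_name; assumes one record per line
15 | ]
16 | ParserVersion = "v1.0.0"
17 |
18 |
19 | }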
20 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrendpointauthenticationfailsudoauth.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
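3 | { // sudo authentication failures reported by pam_unix with "conversation failed"; host from the syslog header, message as event_name
4 | Name = "unix-unix-str-endpoint-authentication-fail-sudoauth"
5 | Vendor = "Unix"
6 | Product = "Unix"
7 | TimeFormat = "yyyy MMM dd HH:mm:ss" // no {time} capture below; event time presumably comes from the syslog header -- confirm
8 | Conditions = [
9 | """pam_unix(sudo:auth)"""
10 | """conversation failed"""
11 | ]
12 | Fields = [
13 | """\w+\s+\d+\s+\d+:\d+:\d+\s+({host}[\w\-.]+)\s""" // host: token after "Mon dd hh:mm:ss"
14 | """pam_unix\(sudo:auth\):\s*({event_name}.*?)\s*$""" // was [^$]*? -- inside a character class '$' is a literal, so any '$' in the message (e.g. a machine account such as HOST$) made the regex fail and dropped event_name; assumes one record per line
15 | ]
16 | ParserVersion = "v1.0.0"
17 |
18 |
19 | }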
20 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_infrastructure_and_management/Ps/pC_ciscoasastrappnotificationsuccesshsrp.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Cisco syslog lines whose facility code starts with %HSRP-; the Fields below are appended to the shared cisco-system-info template
4 | Name = cisco-asa-str-app-notification-success-hsrp
5 | ParserVersion = v1.0.0
6 | Product = Cisco Network Infrastructure and Management // Vendor and TimeFormat are not set in this snippet -- presumably supplied by the template or an enclosing object, verify
7 | Conditions = [ """: %HSRP-""" ]
8 | Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
9 | """({time}\d{4} \w{3,4}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})""" // year-first timestamp: "yyyy Mon d h:m:s"
10 | """\d+:\d+:\d+\s+({host}[\w\-.]+)\s""" // host: token following the time
11 | ]
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_infrastructure_and_management/Ps/pC_ciscoasastrappnotificationsuccesstrack.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Cisco syslog lines whose facility code starts with %TRACK-; the Fields below are appended to the shared cisco-system-info template
4 | Name = cisco-asa-str-app-notification-success-track
5 | ParserVersion = v1.0.0
6 | Product = Cisco Network Infrastructure and Management // Vendor and TimeFormat are not set in this snippet -- presumably supplied by the template or an enclosing object, verify
7 | Conditions = [ """: %TRACK-""" ]
8 | Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
9 | """({time}\d{4} \w{3,4}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})""" // year-first timestamp: "yyyy Mon d h:m:s"
10 | """\d+:\d+:\d+\s+({host}[\w\-.]+)\s""" // host: token following the time
11 | ]
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Microsoft/azure_monitor/Ps/pC_microsoftazuremonjsondatabaseactivitysuccesstimeouts.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Azure Monitor records with category "Timeouts" and operationName "TimeoutEvent"; the Fields below are appended to the cef-azure-db-for-mysql template
4 | Name = microsoft-azuremon-json-database-activity-success-timeouts
5 | Product = Azure Monitor // Vendor and TimeFormat are not set in this snippet -- presumably supplied by the template or an enclosing object, verify
6 | ParserVersion = v1.0.0
7 | Conditions = [
8 | """"resourceId":""",
9 | """"category":"Timeouts"""",
10 | """"operationName":"TimeoutEvent""""
11 | ]
12 | Fields = ${MicrosoftAzureParsersTemplates.cef-azure-db-for-mysql.Fields} [
13 | """"DatabaseName":"({db_name}[^"]+)"""" // value of the DatabaseName JSON key
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftazureceffilereadsuccessactiontype.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-azure-cef-file-read-success-actiontype"
5 | Conditions = [
6 | """|beatname=eventhubbeat|"""
7 | """|device_type=eventhubbeat|"""
8 | """|subject=AdvancedHunting-DeviceEvents|"""
9 | """vmid="""
10 | """@timestamp"""
11 | """@metadata"""
12 | """"ActionType":"ReadProcessMemoryApiCall""""
13 | ]
14 | ParserVersion = "v1.0.0"
15 |
16 | q-adfs-auth.Fields}[
17 | """\sComputer=({host}.+?)(\s+\w+=|\s*$)"""
18 |
19 | }
20 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_microsofto365ceffilereadsuccessmemberadded.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-o365-cef-file-read-success-memberadded"
5 | Conditions = [
6 | """CEF:"""
7 | """|Microsoft Teams|"""
8 | """|MemberAdded|"""
9 | ]
10 | ParserVersion = "v1.0.0"
11 |
12 | microsoft-azure-endpoint-json.Fields} [
13 | """exa_json_path=$.Uri,exa_field_name=file_path""",
14 | """exa_json_path=$.AccountName,exa_field_name=storage_account""",
15 | """exa_json_path=$.['_ResourceId'],exa_field_name=resource"""
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_email_security/Ps/pC_ciscoiekvemailresponse.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Cisco ESA lines containing both " MID " and "Hostname="; a broad match -- any line with those two tokens is accepted, more specific parsers presumably take precedence (confirm)
4 | Name = cisco-ie-kv-email-response
5 | ParserVersion = v1.0.0
6 | Vendor = Cisco
7 | Product = Cisco Email Security
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss" // no {time} capture below; event time presumably comes from the syslog header -- confirm
9 | Conditions = [ """ MID """, """Hostname=""" ]
10 | Fields = [
11 | """Hostname=({src_host}[\w.-]+)""",
12 | """MID ({alert_id}\d+)""", // the ESA message id is stored as alert_id
13 | """<({email_address}([A-Za-z0-9]+[!#$%&'+\/=?^_`~.-])*[A-Za-z0-9]+@[^\]\s"\\,\|]+\.[^\]\s"\\,\|]+)>""" // first angle-bracketed address in the line; the regex does not distinguish sender from recipient
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_infrastructure_and_management/Ps/pC_ciscoasastrappnotificationsuccessswmatm.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Cisco syslog lines whose facility code starts with %SW_MATM-; the Fields below are appended to the shared cisco-system-info template
4 | Name = cisco-asa-str-app-notification-success-swmatm
5 | ParserVersion = v1.0.0
6 | Product = Cisco Network Infrastructure and Management // Vendor and TimeFormat are not set in this snippet -- presumably supplied by the template or an enclosing object, verify
7 | Conditions = [ """: %SW_MATM-""" ]
8 | Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
9 | """({time}\d{4} \w{3,4}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})""" // year-first timestamp: "yyyy Mon d h:m:s"
10 | """\d+:\d+:\d+\s+({host}[\w\-.]+)\s""" // host: token following the time
11 | ]
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Delinea/secret_server/Ps/pC_delineasscefappnotificationsystemlog.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Delinea Secret Server CEF "System Log" events with severity 7; time from rt=, message text from msg=
4 | Name = "delinea-ss-cef-app-notification-systemlog"
5 | Vendor = "Delinea"
6 | Product = "Secret Server"
7 | TimeFormat = "MMM dd yyyy HH:mm:ss"
8 | Conditions = [
9 | """CEF:0|Thycotic Software|Secret Server|""" // header is matched literally, so the device must still emit "Thycotic Software" as the CEF vendor
10 | """|System Log|7|"""
11 | ]
12 | Fields = [
13 | """rt=({time}\w{3} \d\d \d\d\d\d \d\d:\d\d:\d\d)"""
14 | """msg=({additional_info}.+?) rt=""" // assumes rt= follows msg= in the extension; the message is cut at the first " rt="
15 | ]
16 | ParserVersion = "v1.0.0"
17 |
18 |
19 | }
20 | ```
--------------------------------------------------------------------------------
/DS/F5/f5_access_policy_manager/Ps/pC_f5apmstrvpnsuccessuseragent.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // F5 APM "Received User-Agent header:" lines; session_id from ":Common:<id>:" and the raw User-Agent string
4 | Name = f5-apm-str-vpn-success-useragent
5 | Vendor = F5
6 | Product = F5 Access Policy Manager
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss" // no {time} or {host} capture below; both presumably come from the syslog header -- confirm
8 | Conditions = [ """/Common/""", """:Common:""", """Received User-Agent header:""" ]
9 | Fields = [
10 | """:Common:({session_id}[^\s:]+): Received User-Agent header:""",
11 | """Received User-Agent header:\s*({user_agent}.+?)\s*$""", // free-form text supplied by the remote client: treat as untrusted input; no length bound is applied here
12 | ]
13 | ParserVersion = "v1.0.0"
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/HP/hpe_comware/RM/r_m_hp_hpe_comware_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: HP
4 | ----------
5 | ### Product: [HPE Comware](../ds_hp_hpe_comware.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
--------------------------------------------------------------------------------
/DS/Nagios/nagios/RM/r_m_nagios_nagios_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: Nagios
4 | --------------
5 | ### Product: [Nagios](../ds_nagios_nagios.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
--------------------------------------------------------------------------------
/DS/OpenAI/openai/RM/r_m_openai_openai_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: OpenAI
4 | --------------
5 | ### Product: [OpenAI](../ds_openai_openai.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
--------------------------------------------------------------------------------
/DS/Ps/pC_panngfwkvnetworktrafficfaildrop.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = pan-ngfw-kv-network-traffic-fail-drop
5 | Conditions = ["""type=TRAFFIC,""", """logset=Panorama,""", """subtype=drop,""" ]
6 | ParserVersion = "v1.0.0"
7 |
8 | leef-paloalto-vpn-event-1.Fields}[
9 | """\|devTime=({time}\w{3}\s+\d+ \d\d\d\d \d\d:\d\d:\d\d \w+)\|"""
10 | """({result}(allow|deny))""",
11 | """PAN-OS Syslog Integration\|(?:({result}[^\|]+)\|){2}"""
12 | """cat=({category}[^\s|]+)"""
13 | """\|msg="*({event_name}[^\|"]+)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_panngfwkvnetworktrafficsuccessend.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = pan-ngfw-kv-network-traffic-success-end
5 | Conditions = ["""type=TRAFFIC,""", """logset=Panorama,""", """subtype=end,""" ]
6 | ParserVersion = "v1.0.0"
7 |
8 | leef-paloalto-vpn-event-1.Fields}[
9 | """\|devTime=({time}\w{3}\s+\d+ \d\d\d\d \d\d:\d\d:\d\d \w+)\|"""
10 | """({result}(allow|deny))""",
11 | """PAN-OS Syslog Integration\|(?:({result}[^\|]+)\|){2}"""
12 | """cat=({category}[^\s|]+)"""
13 | """\|msg="*({event_name}[^\|"]+)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrendpointactivitysuccessprovidermanager.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = vmware-esxi-str-endpoint-activity-success-providermanager
5 | Conditions = [ """ sfcb-ProviderManager[""", """]: """ ]
6 | ParserVersion = "v1.0.0"
7 |
8 | VMParserTemplates}{
9 | Name = vmware-esxi-str-endpoint-activity-vmkernel
10 | ParserVersion = v1.0.0
11 | Conditions = [ """vmkernel:""" ]
12 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
13 | """({event_name}Last path removed for TGT)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrendpointnotificationbash.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // syslog lines tagged "bash[<pid>]:"; time/host from the header, message body as additional_info
4 | Name = unix-unix-str-endpoint-notification-bash
5 | ParserVersion = v1.0.0
6 | Vendor = Unix
7 | Product = Unix
8 | TimeFormat = "MMM dd HH:mm:ss" // header time carries no year
9 | Conditions = [ """ bash[""" , """]: """ ]
10 | Fields = [
11 | """({time}\w+\s*\d+ \d\d:\d\d:\d\d)\s*({host}[^\s]+)\s*bash\[""", // host: the token between the timestamp and "bash["
12 | """bash\[({process_id}\d+)\]:\s*({additional_info}.+?)\s*$""",
13 | """\s+({process_name}\S+)\[({process_id}\d+)\]\:\s+""", // captures process_id a second time (same value as above) together with process_name
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/APC/apc/Ps/pC_apcastrapploginfailinvalidcredentials.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // APC "Invalid login credentials; user: "<name>"" lines; time is in ddMMMyy form, preceded by a 3-letter weekday
4 | Name = apc-a-str-app-login-fail-invalidcredentials
5 | Vendor = APC
6 | Product = APC
7 | TimeFormat = "ddMMMyy HH:mm:ss"
8 | Conditions = [ """Invalid login credentials;""", """user: """" ]
9 | Fields = [
10 | """\s\w\w\w\s({time}\d{1,2}\w{1,3}\d\d\s\d\d:\d\d:\d\d)\s""",
11 | """user:\s"({user}[\w\.\-\!\#\^\~]{1,40}\$?)"""", // user must be 1-40 chars of the listed set and end at the closing quote; longer names or names with other characters leave {user} empty
12 | """({failure_reason}Invalid login credentials)""" // constant label taken from the matched text
13 | ]
14 | ParserVersion = "v1.0.0"
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Amazon/aws_ssm/RM/r_m_amazon_aws_ssm_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: Amazon
4 | --------------
5 | ### Product: [AWS SSM](../ds_amazon_aws_ssm.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
--------------------------------------------------------------------------------
/DS/Barracuda/barracuda_cloudgen_firewall/Ps/pC_barracudafirewallstrvpnauthenticationvpnike.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
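3 | { // Barracuda CloudGen Firewall "srv_CSC_VPN_IKEv2" syslog lines; one regex extracts time, host, event_name and the message
4 | Name = "barracuda-firewall-str-vpn-authentication-vpnike"
5 | Vendor = "Barracuda"
6 | ParserVersion = "v1.0.0"
7 | Product = "Barracuda Cloudgen Firewall"
8 | TimeFormat = "MMM dd HH:mm:ss" // header time carries no year
9 | Conditions = [
10 | """/srv_CSC_VPN_IKEv2:"""
11 | ]
12 | Fields = [
13 | """({time}\w+\s\d+\s\d\d:\d\d:\d\d)\s({host}[\w\-.]+)\s\w+\/({event_name}srv_CSC_VPN_IKEv2):\s*({additional_info}.+?)\s*($)""" // host class now allows '-' (was [\w\_\.]+, which has no hyphen): a hyphenated hostname made this single all-or-nothing regex fail, dropping time, host, event_name and additional_info together
14 | ]
15 |
16 |
17 | }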
18 | ```
--------------------------------------------------------------------------------
/DS/Barracuda/barracuda_waf/Ps/pC_barracudawafstrappnotificationfoundcdpdu.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
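3 | { // Barracuda WAF lines of the form "... ] Found CDPDU ..., bytesLeft ..." with an ISO-8601 UTC timestamp
4 | Name = barracuda-waf-str-app-notification-foundcdpdu
5 | ParserVersion = v1.0.0
6 | Vendor = Barracuda
7 | Product = Barracuda WAF
8 | TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ" // the capture below ends in a literal 'Z'; confirm the engine's 'Z' pattern accepts that rather than only +0000-style offsets
9 | Conditions = [ """] Found CDPDU""", """, bytesLeft """ ]
10 | Fields = [
11 | """({time}\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)"""
12 | """({event_name}Found CDPDU)""" // was ({event_name})Found CDPDU -- the group was empty and the literal sat outside it, so event_name always captured an empty string
13 | """({additional_info}Found .*)""", // rest of the line from "Found" onward
14 | ]
15 |
16 |
17 | }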
18 | ```
--------------------------------------------------------------------------------
/DS/Check_Point/check_point_ngfw/Ps/pC_checkpointngfwkvvpnauthenticationsuccessauthrequest.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // lines containing "A request was made to authenticate to a wired network" together with "Check Point"; only a constant event_name is extracted
4 | Name = checkpoint-ngfw-kv-vpn-authentication-success-authrequest
5 | ParserVersion = v1.0.0
6 | Vendor = Check Point
7 | Product = Check Point NGFW
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss" // no {time} capture below; event time presumably comes from the transport header -- confirm
9 | Conditions = [ """A request was made to authenticate to a wired network""", """Check Point""" ]
10 | Fields = [
11 | """({event_name}A request was made to authenticate to a wired network)""", // no user, host, IP or session fields are captured, so the event is attributable only through whatever the raw log or a template supplies
12 | ]
13 | // NOTE(review): this message text is not obviously Check Point output (it reads like a Windows 802.1X wired-authentication audit message); confirm the feed before relying on the Vendor/Product tags
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_infrastructure_and_management/Ps/pC_ciscoasastrappnotificationsuccessethport1.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Cisco syslog lines whose facility code starts with %ETHPORT-; the Fields below are appended to the shared cisco-system-info template
4 | Name = cisco-asa-str-app-notification-success-ethport-1
5 | ParserVersion = v1.0.0
6 | Product = Cisco Network Infrastructure and Management // Vendor and TimeFormat are not set in this snippet -- presumably supplied by the template or an enclosing object, verify
7 | Conditions = [ """: %ETHPORT-""" ]
8 | Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
9 | """({time}\d{4} \w{3,4}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})""" // year-first timestamp: "yyyy Mon d h:m:s"
10 | """\d+:\d+:\d+\s+({host}[\w\-.]+)\s""" // host: token following the time
11 | ]
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_infrastructure_and_management/Ps/pC_ciscoasastrappnotificationsuccessplatform.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Cisco syslog lines whose facility code starts with %PLATFORM-; the Fields below are appended to the shared cisco-system-info template
4 | Name = cisco-asa-str-app-notification-success-platform
5 | ParserVersion = v1.0.0
6 | Product = Cisco Network Infrastructure and Management // Vendor and TimeFormat are not set in this snippet -- presumably supplied by the template or an enclosing object, verify
7 | Conditions = [ """: %PLATFORM-""" ]
8 | Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
9 | """({time}\d{4} \w{3,4}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})""" // year-first timestamp: "yyyy Mon d h:m:s"
10 | """\d+:\d+:\d+\s+({host}[\w\-.]+)\s""" // host: token following the time
11 | ]
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Infoblox/bloxone_ddi/Ps/pC_infobloxbddistrnetworknotificationsuccessnolongerconnected.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // BloxOne DDI "Grid member at <address> is no longer connected" notices; host, the member address and the message come from one regex
4 | Name = infoblox-bddi-str-network-notification-success-nolongerconnected
5 | ParserVersion = v1.0.0
6 | Vendor = Infoblox
7 | Product = BloxOne DDI
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss" // no {time} capture below; event time presumably comes from the syslog header -- confirm
9 | Conditions = [ """: Grid member at""", """is no longer connected""" ]
10 | Fields = [
11 | """\d\d:\d\d:\d\d\s+({host}[\w.-]+)\s+({src_ip}[a-fA-F\d.:]+?)\s+({additional_info}[^~]+?)\s*$""" // all-or-nothing: host is the token after the time, src_ip the next token (hex digits, '.' and ':' only), additional_info the rest of the line; if any part fails none of the three is captured
12 | ]
13 |
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_fortinetfortigatekvnetworknotificationsuccesssystem.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = fortinet-fortigate-kv-network-notification-success-system
5 | ParserVersion = v1.0.0
6 | Conditions = [ """CEF:""", """|Fortinet|FortiGate-""", """|system""" ]
7 | }
8 |
9 | ${FortinetParsersTemplates.fortinet-fortigate-cef-network-traffic-info}{
10 | Name = fortinet-fortigate-kv-network-notification-success-vpn
11 | ParserVersion = v1.0.0
12 | Conditions = [ """CEF:""", """|Fortinet|FortiGate-""", """|vpn""" ]
13 |
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrendpointactivitysuccessunixid.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // syslog lines containing " unix:" and " [ID"; host from the header, the text after "unix:" as additional_info
4 | Name = unix-unix-str-endpoint-activity-success-unixid
5 | ParserVersion = v1.0.0
6 | Vendor = Unix
7 | Product = Unix
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss" // no {time} capture below; event time presumably comes from the syslog header -- confirm
9 | Conditions = [ """ unix:""", """ [ID""" ]
10 | Fields = [
11 | """\w{3}\s\d\d\s\d\d:\d\d:\d\d(\.\S+)?\s(::ffff:)?({host}[\w\-.]+)\s""", // host after a "Mon dd hh:mm:ss" header; optional fractional seconds and an IPv4-mapped "::ffff:" prefix are skipped
12 | """\d\d:\d\d:\d\d(\.\S+)? (::ffff:)?({host}\S+)? unix:""", // second, looser host capture (optional group) for lines where "unix:" directly follows the header
13 | """\sunix:\s*({additional_info}.+?)\s*$"""
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrendpointloginfailconnectionrefuse.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
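3 | { // pam_sss "(crond:session):" lines whose message contains "Connection refused"; host from the syslog header, message as event_name
4 | Name = "unix-unix-str-endpoint-login-fail-connectionrefuse"
5 | Vendor = "Unix"
6 | Product = "Unix"
7 | TimeFormat = "yyyy MMM dd HH:mm:ss" // no {time} capture below; event time presumably comes from the syslog header -- confirm
8 | Conditions = [
9 | """(crond:session):""",
10 | """pam_sss"""
11 | """Connection refused"""
12 | ]
13 | Fields = [
14 | """\w+\s+\d+\s+\d+:\d+:\d+\s+({host}[\w\-.]+)\s""" // host: token after "Mon dd hh:mm:ss"
15 | """pam_sss\(crond:session\):\s*({event_name}.*?)\s*$""" // was [^$]*? -- inside a character class '$' is a literal, so any '$' in the message made the regex fail and dropped event_name; assumes one record per line
16 | ]
17 | ParserVersion = "v1.0.0"
18 |
19 |
20 | }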
21 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrendpointnotificationsuccesssnapd.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
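3 | { // syslog lines tagged "snapd[<pid>]:"; host and the tag before the first colon, then the message body
4 | Name = unix-unix-str-endpoint-notification-success-snapd
5 | Vendor = Unix
6 | Product = Unix
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss" // no {time} capture below; event time presumably comes from the syslog header -- confirm
8 | Conditions = [ """snapd[""", """]: """ ]
9 | Fields = [
10 | """\d\d:\d\d:\d\d\s+({host}[\w.-]+)\s+({event_category}[^:]+):\s+""", // event_category is everything between the host and the first ':' -- on a plain "host snapd[123]:" line that is "snapd[123]", pid included; confirm this is intended
11 | """\]:\s*({additional_info}.+?)\s*$""" // was [^$]+? -- inside a character class '$' is a literal, so a message containing '$' made the regex fail and dropped additional_info; assumes one record per line
12 | """\s+({process_name}\S+)\[({process_id}\d+)\]\:\s*"""
13 | ]
14 | ParserVersion = v1.0.0
15 |
16 |
17 | }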
18 | ```
--------------------------------------------------------------------------------
/DS/VMware/vmware_horizon/Ps/pC_vmwarehorizonstrapploginsuccessloggedin.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // VMware Horizon "View" lines stating that a user "has logged in"; host from the syslog header, user split into domain\user when a backslash is present
4 | Name = vmware-horizon-str-app-login-success-loggedin
5 | ParserVersion = "v1.0.0"
6 | Vendor = VMware
7 | Product = VMware Horizon
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss" // no {time} capture below; event time presumably comes from the syslog header -- confirm
9 | Conditions = [ """ View """ , """has logged in""" ]
10 | Fields = [
11 | """\w+\s+\d+\s+\d+:\d+:\d+\s+({host}[\w\-.]+)""", // host: token after "Mon dd hh:mm:ss"
12 | """({app}View)""",
13 | """User\s+(({domain}[^\\\s]+)\\+)?({user}[\w\.\-\!\#\^\~]{1,40}\$?)""", // "User DOMAIN\name" or "User name"; one or more backslashes accepted; user is limited to 1-40 chars of the listed set
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_email_security/Ps/pC_ciscoiestremailattachment.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Cisco ESA "MID <n> attachment '<name>'" lines; message id and attachment name, with the extension split out
4 | Name = cisco-ie-str-email-attachment
5 | ParserVersion = v1.0.0
6 | Vendor = Cisco
7 | Product = Cisco Email Security
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss" // no {time} capture below; event time presumably comes from the syslog header -- confirm
9 | Conditions = [ """MID """, """ attachment """ ]
10 | Fields = [
11 | """MID ({message_id}({alert_id}\d+)) attachment '({attachment}({email_attachment}[^']+))'""", // the same values are stored as message_id/alert_id and attachment/email_attachment
12 | """attachment '({email_attachment}[^']+\.({file_ext}[^']+))'""", // greedy [^']+ before the dot: file_ext is the text after the LAST dot, so "report.pdf.exe" yields file_ext=exe
13 | ]
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_infrastructure_and_management/Ps/pC_ciscoasastrappnotificationsuccessethport.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Cisco syslog lines whose facility code starts with %ETH_PORT_CHANNEL-; the Fields below are appended to the shared cisco-system-info template
4 | Name = cisco-asa-str-app-notification-success-ethport
5 | ParserVersion = v1.0.0
6 | Product = Cisco Network Infrastructure and Management // Vendor and TimeFormat are not set in this snippet -- presumably supplied by the template or an enclosing object, verify
7 | Conditions = [ """: %ETH_PORT_CHANNEL-""" ]
8 | Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
9 | """({time}\d{4} \w{3,4}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})""" // year-first timestamp: "yyyy Mon d h:m:s"
10 | """\d+:\d+:\d+\s+({host}[\w\-.]+)\s""" // host: token following the time
11 | ]
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_security/Ps/pC_ciscoasastrvpnlogoutsuccessauthensessionend.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // Cisco ASA "%ASA-... Authen Session End: user '<name>'" lines; one regex extracts host, time and user
4 | Name = "cisco-asa-str-vpn-logout-success-authensessionend"
5 | Vendor = "Cisco"
6 | Product = Cisco Network Security
7 | TimeFormat = "MMM dd yyyy HH:mm:ss"
8 | Conditions = [
9 | """Authen Session End:"""
10 | """%ASA-"""
11 | ]
12 | Fields = [
13 | """\s({host}[^\s]+)\s({time}[a-zA-Z]{3} \d\d \d\d\d\d \d\d:\d\d:\d\d).+Authen Session End: user '({user}[\w\.\-\!\#\^\~]{1,40}\$?)'""" // all-or-nothing: host is the token before the "Mon dd yyyy hh:mm:ss" timestamp; user must be 1-40 chars of the listed set and end at the closing quote, otherwise none of the three fields is captured
14 | ]
15 | ParserVersion = "v1.0.0"
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/F5/f5_big-ip/Ps/pC_f5bigipstrappnotificationinfo.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // F5 BIG-IP "notice icrd_child:" lines containing "INFO"; host from the header, the numeric code after icrd_child:, and the text after ", INFO," as additional_info
4 | Name = f5-bigip-str-app-notification-info
5 | ParserVersion = v1.0.0
6 | Vendor = F5
7 | Product = F5 BIG-IP
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss" // no {time} capture below; event time presumably comes from the syslog header -- confirm
9 | Conditions = [ """ notice icrd_child: """, """INFO""" ]
10 | Fields = [
11 | """\d\d:\d\d:\d\d\s+({host}[\w.-]+)\s\w+""",
12 | """icrd_child:\s+({event_code}\d+)""",
13 | """,\s+INFO,({additional_info}[^,]+?)\s*$""", // only captured when nothing after ", INFO," contains a further comma
14 | """({event_category}RestRequestSender)""" // constant label, captured only when the literal appears in the line; the Conditions do not require it
15 | ]
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Microsoft/microsoft_365/Ps/pC_microsofto365sk4filedeletesuccessfiledeleted.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "microsoft-o365-sk4-file-delete-success-filedeleted"
5 | Product = "Microsoft 365"
6 | Conditions= [ """"Operation":"FileDeleted"""", """"Workload":"""", """"SourceFileName":"""" ]
7 | ParserVersion = "v1.0.0"
8 |
9 | cef-azure-app-activity.Fields} [
10 | """DNS query ({dns_query}[^<]+)"""
11 | """\"SourcePort\",\"value\":\"({src_port}\d+)\""""
12 | """\"DestinationPort\",\"value\":\"({dest_port}\d+)\""""
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/MongoDB/mongodb/RM/r_m_mongodb_mongodb_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: MongoDB
4 | ---------------
5 | ### Product: [MongoDB](../ds_mongodb_mongodb.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
--------------------------------------------------------------------------------
/DS/Ps/pC_esetesleefhttpsessionfaileset.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "eset-es-leef-http-session-fail-eset"
5 | Conditions = [
6 | """LEEF:"""
7 | """|ESET|RemoteAdministrator|"""
8 | """cat=ESET Filtered Website Event"""
9 | """actionTaken=Blocked"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 | moveit-activity.Fields}[
14 | """\sFileID:\s*({file_id}[^,]+)"""
15 | """\sFileName:\s*({file_name}[^.,]+\.({file_ext}[^,]+))"""
16 | """\sFolderPath:\s*({file_dir}[^,]+)"""
17 | """\sXFerSize:\s*({bytes}\d+)"""
18 |
19 | }
20 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_googleworkspacejsonappactivitysuccessreportsactivity.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = google-workspace-json-app-activity-success-reportsactivity
5 | ParserVersion = v1.0.0
6 | Conditions = [ """"kind":"admin#reports#activity"""", """"applicationName":""", """"uniqueQualifier":""" ]
7 |
8 | cef-google-app-activity}{
9 | Name = google-workspace-json-app-activity-success-reportsactivity
10 | ParserVersion = v1.0.0
11 | Conditions = [ """"kind":"admin#reports#activity"""", """"applicationName":""", """"uniqueQualifier":"""
12 | }
13 | ```
--------------------------------------------------------------------------------
/DS/Seclore/seclore/RM/r_m_seclore_seclore_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: Seclore
4 | ---------------
5 | ### Product: [Seclore](../ds_seclore_seclore.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixkvendpointloginfailauthfailure.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | { // pam "(dsepam:auth): authentication failure;" lines; host and time from a "Mon dd hh:mm:ss" header, user from the "user=" key
4 | Name = unix-unix-kv-endpoint-login-fail-authfailure
5 | Vendor = Unix
6 | Product = Unix
7 | TimeFormat = ["yyyy-MM-dd'T'HH:mm:ss","MMM dd HH:mm:ss"] // only the second format can apply: the {time} regex below matches "Mon dd hh:mm:ss" and nothing captures an ISO-8601 header
8 | Conditions = [ """(dsepam:auth):""", """authentication failure;""" ]
9 | Fields = [
10 | """({time}\w+ \d+ \d\d:\d\d:\d\d)\s+({host}\S+)\s+\S+\s+\S+\(dsepam:auth\)""",
11 | """\suser=({user}[\w\.\-\!\#\^\~]{1,40}\$?)(\s+\w+=|\s*$)""", // the value must be followed by the next key= or end of line; names outside the 1-40 char set are not captured
12 | ]
13 | ParserVersion = "v1.0.0"
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrendpointloginsshdsessionopen.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = unix-unix-str-endpoint-login-sshdsessionopen
5 | ParserVersion = v1.0.0
6 | Vendor = Unix
7 | Product = Unix
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """sshd[""", """]: """, """session opened""" ]
10 | Fields = [
11 | """(\d\d:|(\+|-))\d\d:\d\d (::ffff:)?({host}[\w\-.]+)\s""",
12 | """\d\d:\d\d:\d\d (::ffff:)?({host}\S+)? sshd\[""",
13 | """\ssshd\[\d+\]:\s*({additional_info}.+?)\s*$"""
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstruserpasswordmodifysuccesschage.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = unix-unix-str-user-password-modify-success-chage
5 | ParserVersion = v1.0.0
6 | Vendor = Unix
7 | Product = Unix
8 | TimeFormat = "yyyy:MM:dd-HH:mm:ss"
9 | Conditions = [
10 | """changed password expiry for""",
11 | """chage["""
12 | ]
13 | Fields = [
14 | """({host}[\w.\-]+)\s+chage\["""
15 | """changed password expiry for ({dest_user}({account}\S+))"""
16 | """\s+({process_name}\S+)\[({process_id}\d+)\]\:\s*"""
17 | ]
18 |
19 |
20 | }
21 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix_dhcpd/RM/r_m_unix_unix_dhcpd_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: Unix
4 | ------------
5 | ### Product: [Unix dhcpd](../ds_unix_unix_dhcpd.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
14 |
--------------------------------------------------------------------------------
/DS/Unix/unix_sendmail/Ps/pC_unixsmstremailvirusclean.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = unix-sm-str-email-virusclean
5 | ParserVersion = v1.0.0
6 | Vendor = Unix
7 | Product = Unix Sendmail
8 | TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSS"
9 | Conditions = [
10 | """AntiVirus:""",
11 | """ classification="""
12 | ]
13 | Fields = [
14 | """\d{2}:\d{2}:\d{2} ({host}[\w.\-]+) \S+ \[.+?\-({alert_id}\w+)\]""",
15 | """({av_vendor}\S+)\.AntiVirus:""",
16 | """\sclassification=({malware_score}[^,]+)""",
17 | ]
18 |
19 |
20 | }
21 | ```
--------------------------------------------------------------------------------
/DS/VMware/vmware_view/Ps/pC_vmwareviewstrapplogoutsuccessloggedout.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = vmware-view-str-app-logout-success-loggedout
5 | ParserVersion = "v1.0.0"
6 | Vendor = VMware
7 | Product = VMware View
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """View User""", """ has logged out""" ]
10 | Fields = [
11 | """\d\d:\d\d:\d\d\s+({host}[^\s]+)\s+View User""",
12 | """View User\s+(({domain}[^\\\s]+)\\+)?({user}[\w\.\-\!\#\^\~]{1,40}\$?)""",
13 | """({app}View)"""
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/F5/f5_access_policy_manager/Ps/pC_f5apmstrvpnsuccessclientinfo.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = f5-apm-str-vpn-success-clientinfo
5 | Vendor = F5
6 | Product = F5 Access Policy Manager
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
8 | Conditions = [ """:Common:""", """Received client info""", """Hostname:""" ]
9 | Fields = [
10 | """:Common:({session_id}[^:]+)""",
11 | """Hostname:\s*({src_host}[\w\-.]+)\s+\w+:""",
12 | """Platform:\s*({os}[^\s]+)\s"""
13 | ]
14 | ParserVersion = "v1.0.0"
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/HP/hpe_comware/Ps/pC_hpcomwarestrconfigurationmodifyforwarding.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = hp-comware-str-configuration-modify-forwarding
5 | ParserVersion = "v1.0.0"
6 | Vendor = HP
7 | Product = HPE Comware
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """pr10f-hpfl-1""", """has been set to forwarding state"""]
10 | Fields = [
11 | # instance is removed
12 | # port_name is removed
13 | # port_name is removed
14 | """({event_name}port has been set to forwarding state)""",
15 | ]
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/IBM/ibm_datapower/RM/r_m_ibm_ibm_datapower_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: IBM
4 | -----------
5 | ### Product: [IBM Datapower](../ds_ibm_ibm_datapower.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
14 |
--------------------------------------------------------------------------------
/DS/Ps/pC_microsoftazuremonsk4dnssuccessazurefirewalldnsproxy.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = microsoft-azuremon-sk4-dns-success-azurefirewalldnsproxy
5 | ParserVersion = "v1.0.0"
6 | Conditions = [ """"category":""", """"AzureFirewallDnsProxy"""", """"resourceId":""" ]
7 | Fields = ${LMSMSParsersTemplates.azure-ad-activity-2.Fields}[
8 | """"category":\s*"({category}AzureFirewallDnsProxy)""",
9 | """"RuleCollection":\s*"({rule_type}[^"]+)""""
10 | """"RuleCollectionGroup":\s*"({rule_source}[^"]+)""""
11 | ]
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_panngfwleefendpointauthenticationfailauthfail.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "pan-ngfw-leef-endpoint-authentication-fail-authfail"
5 | Conditions = [
6 | """LEEF:"""
7 | """|Palo Alto Networks|PAN-OS Syslog Integration|"""
8 | """type=auth"""
9 | """|auth-fail|"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 | leef-paloalto-vpn-event.Fields}[
14 | """usrName =(({email_address}([A-Za-z0-9]+[!#$%&'+-\/=?^_`~])*[A-Za-z0-9]+@[^\]\s"\\,\|]+\.[^\]\s"\\,\|]+)|(({domain}[^\\\s,]+)\\+)?({user}[\w\.\-\!\#\^\~]{1,40}\$?))"""
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_vmwareesxistrendpointactivitysuccessuserworldcorrelator.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = vmware-esxi-str-endpoint-activity-success-userworldcorrelator
5 | Conditions = [ """ vobd: [UserWorldCorrelator] """, """: [""" ]
6 | ParserVersion = "v1.0.0"
7 |
8 | VMParserTemplates}{
9 | Name = vmware-esxi-str-endpoint-activity-vmkernel
10 | ParserVersion = v1.0.0
11 | Conditions = [ """vmkernel:""" ]
12 | Fields = ${VMDLParsersTemplates.VMParserTemplates.Fields}[
13 | """({event_name}Last path removed for TGT)"""
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Amazon/amazon_rds/RM/r_m_amazon_amazon_rds_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: Amazon
4 | --------------
5 | ### Product: [Amazon RDS](../ds_amazon_amazon_rds.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
14 |
--------------------------------------------------------------------------------
/DS/Cisco/cisco_email_security/Ps/pC_ciscoiestremailantivirus.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = cisco-ie-str-email-antivirus
5 | ParserVersion = v1.0.0
6 | Vendor = Cisco
7 | Product = Cisco Email Security
8 | TimeFormat = "epoch"
9 | Conditions = [ """MID """, """ antivirus """ ]
10 | Fields = [
11 | """MID ({alert_id}\d+)""",
12 | """ antivirus ({malware_score}.+?)(\s+\w+=|\s*$)"""
13 | """ antivirus -[^-]*?- Result '({malware_score}.+?)'"""
14 | """MID ({message_id}\d+)""",
15 | ]
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_infrastructure_and_management/Ps/pC_ciscoasastrappnotificationsuccesssys.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = cisco-asa-str-app-notification-success-sys
5 | ParserVersion = v1.0.0
6 | Product = Cisco Network Infrastructure and Management
7 | Conditions = [ """: %SYS-""" ]
8 | Fields = ${DLCiscoParsersTemplates.cisco-system-info.Fields} [
9 | """\d+:\d+:\d+\s+({host}[\w\-.]+)\s\d+:"""
10 | """({host}[\w\.\-]+):\s*(\d+:)?\s*({time}\w\w\w\s*\d+\s*\d\d:\d\d:\d\d\.\d\d\d): %SYS-5"""
11 | ]
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/CrushFTP/crushftp/RM/r_m_crushftp_crushftp_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: CrushFTP
4 | ----------------
5 | ### Product: [CrushFTP](../ds_crushftp_crushftp.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
14 |
--------------------------------------------------------------------------------
/DS/Exabeam/audit_log/RM/r_m_exabeam_audit_log_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: Exabeam
4 | ---------------
5 | ### Product: [Audit Log](../ds_exabeam_audit_log.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
14 |
--------------------------------------------------------------------------------
/DS/F5/f5_big-ip/Ps/pC_f5bigipstrappactivityrestserver.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = f5-bigip-str-app-activity-restserver
5 | ParserVersion = v1.0.0
6 | Vendor = F5
7 | Product = F5 BIG-IP
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """ notice icrd_child: """, """RestServer, INFO,""" ]
10 | Fields = [
11 | """\d\d:\d\d:\d\d\s+({host}[\w.-]+)\s\w+""",
12 | """icrd_child:\s+({event_code}\d+)""",
13 | """,\s+INFO,({additional_info}[^,]+?)\s*$""",
14 | """({event_category}RestServer)"""
15 | ]
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Microsoft/microsoft_defender/Ps/pC_microsoftazurescjsonalerttriggersuccessasc.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = microsoft-azuresc-json-alert-trigger-success-asc
5 | Product = Microsoft Defender
6 | Conditions = [
7 | """"category":"""
8 | """"VM_LoginBruteForceValidUserFailed""""
9 | """"title":"""
10 | """"vendor":"""
11 | """"Microsoft""""
12 | """"provider":"""
13 | """"ASC""""
14 | ]
15 | ExtractionType = json
16 | ParserVersion = "v1.0.0"
17 |
18 | q-adfs-auth.Fields}[
19 | """\sComputer=({host}.+?)(\s+\w+=|\s*$)"""
20 |
21 | }
22 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_rsaramkvconfigurationmodifysuccessconfighost.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = rsa-ram-kv-configuration-modify-success-confighost
5 | Conditions = [ """ SINGLEPOINT """, """ SYSTEM_CONFIG_HOST """ ]
6 | Fields = ${DLRSAParserTemplate.rsa-system-events.Fields}[
7 | """HOST_IP="({host_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){0,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))""",
8 | """ALIASES="({host}[\w\.\-]+)"""",
9 | """\]\s+({additional_info}[^"]+?)\.*\s*$"""
10 | ]
11 | ParserVersion = "v1.0.0"
12 |
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Sophos/sophos_ztna/RM/r_m_sophos_sophos_ztna_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: Sophos
4 | --------------
5 | ### Product: [Sophos ZTNA](../ds_sophos_sophos_ztna.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
14 |
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrappnotificationsuccessdkimsignatureadded.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "unix-unix-str-app-notification-success-dkimsignatureadded"
5 | Vendor = "Unix"
6 | Product = "Unix"
7 | TimeFormat = ["MMM dd HH:mm:ss"]
8 | Conditions = [
9 | """DKIM-Signature"""
10 | """opendkim["""
11 | ]
12 | Fields = [
13 | """({time}\w\w\w \d\d \d\d:\d\d:\d\d)\s({host}[\w\-\.]+)\s({process_name}[^\[]+)\[({process_id}[^\]]+)]:\s*\w+:\s*({additional_info}[^$]+)"""
14 | ]
15 | ParserVersion = "v1.0.0"
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrendpointloginsuccessauthsucceede.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = unix-unix-str-endpoint-login-success-authsucceede
5 | ParserVersion = "v1.0.0"
6 | Vendor = "Unix"
7 | Product = "Unix"
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [
10 | """ sshd["""
11 | """]: AD authentication succeeded for user"""
12 | ]
13 | Fields = [
14 | """AD authentication ({result}succeeded) for user ({user}[\w\.\-\!\#\^\~]{1,40}\$?)"""
15 | """\s+({process_name}\S+)\[({process_id}\d+)\]\:\s*"""
16 | ]
17 |
18 |
19 | }
20 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix_sendmail/Ps/pC_unixsmkvemailattach.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = unix-sm-kv-email-attach
5 | ParserVersion = v1.0.0
6 | Vendor = Unix
7 | Product = Unix Sendmail
8 | TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSS"
9 | Conditions = [
10 | """ attach_name=""",
11 | """ attach_type=""",
12 | """ attach_filename="""
13 | ]
14 | Fields = [
15 | """\d{2}:\d{2}:\d{2} ({host}[\w.\-]+)""",
16 | """\smtaqid=({alert_id}[^,]+)""",
17 | """\sattach_filename="({email_attachment}[^"]+\.({file_ext}[^"]+))"""
18 | ]
19 |
20 |
21 | }
22 | ```
--------------------------------------------------------------------------------
/DS/VMware/vmware_velocloud_sd-wan/Ps/pC_vmwarevmsdwanstrappnotificationcatchall.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = vmware-vmsdwan-str-app-notification-catchall
5 | Vendor = VMware
6 | Product = VMware VeloCloud SD-WAN
7 | ParserVersion = "v1.0.0"
8 | TimeFormat = ["MMM dd HH:mm:ss", "MMM dd HH:mm:ss"]
9 | Conditions = [ """ velocloud.sdwan: """ ]
10 | Fields = [
11 | """({time}\w\w\w\s*\d+\s+\d\d:\d\d:\d\d)\s+({host}[\w\-\.]+)\s*({log_source}[^:]+):\s+({event_name}[^:]+):\s*({additional_info}[^\$]+?)\s*($)"""
12 | ]
13 |
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------
/DS/Weblogin/weblogin/RM/r_m_weblogin_weblogin_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: Weblogin
4 | ----------------
5 | ### Product: [Weblogin](../ds_weblogin_weblogin.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
14 |
--------------------------------------------------------------------------------
/DS/Microsoft/azure_monitor/Ps/pC_microsoftazuremonjsonappactivitysuccesssynapserbacoperations.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = microsoft-azuremon-json-app-activity-success-synapserbacoperations
5 | Product = Azure Monitor
6 | ParserVersion = v1.0.0
7 | Conditions = [
8 | """"resourceId":""",
9 | """"category":"SynapseRbacOperations"""",
10 | """"operationName":"""
11 | ]
12 | Fields = ${MicrosoftAzureParsersTemplates.cef-azure-db-for-mysql.Fields} [
13 | """"resultDescription":"({additional_info}[^"]+)"""
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Ps/pC_panngfwcefvpnloginsuccessclientswitchtossltunnelmodesucceeded.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "pan-ngfw-cef-vpn-login-success-clientswitchtossltunnelmodesucceeded"
5 | Conditions = [
6 | """|Palo Alto Networks|PAN-OS|"""
7 | """|client switch to SSL tunnel mode succeeded|"""
8 | ]
9 | ParserVersion = "v1.0.0"
10 |
11 | leef-paloalto-vpn-event.Fields}[
12 | """usrName =(({email_address}([A-Za-z0-9]+[!#$%&'+-\/=?^_`~])*[A-Za-z0-9]+@[^\]\s"\\,\|]+\.[^\]\s"\\,\|]+)|(({domain}[^\\\s,]+)\\+)?({user}[\w\.\-\!\#\^\~]{1,40}\$?))"""
13 |
14 | }
15 | ```
--------------------------------------------------------------------------------
/DS/Symantec/symantec_email_security/Ps/pC_symantecescstremailattachment.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = symantec-esc-str-email-attachment
5 | ParserVersion = v1.0.0
6 | Vendor = Symantec
7 | Product = Symantec Email Security
8 | TimeFormat = "epoch_sec"
9 | Conditions = [
10 | """|ATTACHFILTER|"""
11 | ]
12 | Fields = [
13 | """\s({host}[\w\.-]+)\s+\w+\[\d+\]:""",
14 | """\s*({time}\d{10})\|(|({alert_id}[^\|]+))\|ATTACHFILTER\|(|({email_attachment}.+?(\.({file_ext}.+?))?))(\||"*\s*$)"""
15 | ]
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrappnotificationsuccessconsul.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "unix-unix-str-app-notification-success-consul"
5 | Vendor = "Unix"
6 | Product = "Unix"
7 | TimeFormat = ["MMM dd HH:mm:ss"]
8 | Conditions = [
9 | """consul["""
10 | """]:"""
11 | ]
12 | Fields = [
13 | """({time}\w\w\w \d\d \d\d:\d\d:\d\d)\s({host}[\w\-\.]+)\s({process_name}[^\[]+)\[({process_id}[^\]]+)]:.*?[^\d]:\s*({additional_info}[^$]+)"""
14 | """error="({error_info}[^"]+)"""
15 | ]
16 | ParserVersion = "v1.0.0"
17 |
18 |
19 | }
20 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix_dhcpd/Ps/pC_unixdhcpdstrdhcptrafficdhcpd.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = unix-dhcpd-str-dhcp-traffic-dhcpd
5 | ParserVersion = v1.0.0
6 | Vendor = Unix
7 | Product = Unix dhcpd
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = ["""dhcpd""", """bind update on"""]
10 | Fields = [
11 | """({event_name}bind update)""",
12 | """\d\d:\d\d:\d\d\s+({host}[^\s]+)\s+dhcpd(\[\d+\])?: bind update on ({dest_ip}[\da-fA-F.:]+)\s+(got ack\s+)?from\s+({src_host}[^\s:]+):?\s+({additional_info}.+?)\.*"*\s*$""",
13 | ]
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/VMware/vmware_esxi/Ps/pC_vmwareesxistrhttpsessionfailiofiltervpd.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = vmware-esxi-str-http-session-fail-iofiltervpd
5 | ParserVersion = v1.0.0
6 | Vendor = VMware
7 | Product = VMware ESXi
8 | TimeFormat = "yyyy-MM-dd'T'HH:mm:ss"
9 | Conditions = ["""iofiltervpd""", """IOFVPSSL_VerifySSLCertificate:""" ]
10 | Fields = [
11 | """({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d)((\.\d+)?Z)\s({host}[\w.-]+)""",
12 | """({additional_info}({event_name}IOFVPSSL_VerifySSLCertificate)[^=]+?)\s*$"""
13 | ]
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/Apache/apache_tomcat/RM/r_m_apache_apache_tomcat_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: Apache
4 | --------------
5 | ### Product: [Apache Tomcat](../ds_apache_apache_tomcat.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
14 |
--------------------------------------------------------------------------------
/DS/Cisco/cisco_identity_and_access_management/Ps/pC_ciscoduostrappauthenticationsuccessloginfor.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "cisco-duo-str-app-authentication-success-loginfor"
5 | Vendor = "Cisco"
6 | Product = "Cisco Identity and Access Management"
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
8 | Conditions = [
9 | """) Successful Duo login for """
10 | ]
11 | Fields = [
12 | """\) Successful Duo login for \'(({domain}[^\\]+)\\)?({user}[\w\.\-\!\#\^\~]{1,40}\$?)"""
13 | """\d\d:\d\d \(({session_id}\d+)\)"""
14 | ]
15 | ParserVersion = "v1.0.0"
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Exabeam/ng_analytics/RM/r_m_exabeam_ng_analytics_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: Exabeam
4 | ---------------
5 | ### Product: [NG Analytics](../ds_exabeam_ng_analytics.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
14 |
--------------------------------------------------------------------------------
/DS/F5/f5_big-ip/Ps/pC_f5bigipstrvpnloginsuccessplatform.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = f5-bigip-str-vpn-login-success-platform
5 | Vendor = F5
6 | Product = F5 BIG-IP
7 | ParserVersion = "v1.0.0"
8 | TimeFormat = "yyyy-MM-dd'T'HH:mm:ssZ"
9 | Conditions = [ """01490007:6:""", """: Session variable 'session.client.platform' set to '""" ]
10 | Fields = [
11 | """({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d[^\s]+)""",
12 | """:Common:({session_id}[^:]+)""",
13 | """platform' set to '({os}[^'"]+)'""",
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Infoblox/bloxone_ddi/Ps/pC_infobloxbddistrnetworknotificationsuccessnopeer.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = infoblox-bddi-str-network-notification-success-nopeer
5 | ParserVersion = v1.0.0
6 | Vendor = Infoblox
7 | Product = BloxOne DDI
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """ntpd[""", """: no peer for too long""" ]
10 | Fields = [
11 | """\d\d:\d\d:\d\d\s+({host}[\w.-]+)\s+({src_ip}[a-fA-F\d.:]+?)\s+({additional_info}[^~]+?)\s*$"""
12 | """\s+({process_name}\S+)\[({process_id}\d+)\]\:\s*"""
13 | ]
14 |
15 |
16 | }
17 | ```
--------------------------------------------------------------------------------
/DS/NNT/nnt_changetracker/RM/r_m_nnt_nnt_changetracker_Enrichment.md:
--------------------------------------------------------------------------------
1 | Rules by Product and UseCase
2 | ============================
3 | Vendor: NNT
4 | -----------
5 | ### Product: [NNT ChangeTracker](../ds_nnt_nnt_changetracker.md)
6 | ### Use-Case: [Enrichment](../../../../UseCases/uc_enrichment.md)
7 |
8 | | Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
9 | |:-----:|:------:|:------------------:|:--------------:|:-------:|
10 | | 0 | 0 | 0 | 0 | 0 |
11 |
12 | | Event Type | Rules | Models |
13 | | ---------- | ----- | ------ |
14 |
--------------------------------------------------------------------------------
/DS/Symantec/symantec_email_security/Ps/pC_symantecescstremailattachment1.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = symantec-esc-str-email-attachment-1
5 | ParserVersion = v1.0.0
6 | Vendor = Symantec
7 | Product = Symantec Email Security
8 | TimeFormat = "epoch_sec"
9 | Conditions = [
10 | """|ATTACH|"""
11 | ]
12 | Fields = [
13 | """\s({host}[\w\.-]+)\s+\w+\[\d+\]:""",
14 | """\s*({time}\d{10})\|(|({alert_id}[^\|]+))\|ATTACH\|({email_attachments}({email_attachment}.+?(\.({file_ext}.+?))?))"*\s*$"""
15 | ]
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixkvendpointauthenticationsuccessdsepamauth.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "unix-unix-kv-endpoint-authentication-success-dsepamauth"
5 | Vendor = "Unix"
6 | Product = "Unix"
7 | TimeFormat = ["yyyy-MM-dd'T'HH:mm:ss","MMM dd HH:mm:ss"]
8 | Conditions = [
9 | """(dsepam:auth):"""
10 | """authentication success;"""
11 | ]
12 | Fields = [
13 | """({time}\w+ \d+ \d\d:\d\d:\d\d)\s+({host}\S+)\s+\S+\s+\S+\(dsepam:auth\)"""
14 | """\suser=({user}[\w\.\-\!\#\^\~]{1,40}\$?)(\s+\w+=|\s*$)"""
15 | ]
16 | ParserVersion = "v1.0.0"
17 |
18 |
19 | }
20 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrendpointactivitykernel.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = "unix-unix-str-endpoint-activity-kernel"
5 | Vendor = "Unix"
6 | Product = "Unix"
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
8 | Conditions = [
9 | """ kernel: hub """
10 | ]
11 | Fields = [
12 | """\d\d:\d\d:\d\d\s({dest_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){0,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))?\s*({host}[^\s]+)\s*kernel:"""
13 | """\skernel:\s*({additional_info}.+?)\s*$""",
14 | ]
15 | ParserVersion = "v1.0.0"
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/Unix/unix/Ps/pC_unixunixstrnetworknotificationsuccessnetworkmanager.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = unix-unix-str-network-notification-success-networkmanager
5 | Vendor = Unix
6 | Product = Unix
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
8 | Conditions = [ """NetworkManager[""", """]: """ ]
9 | Fields = [
10 | """\d\d:\d\d:\d\d\s+({host}[\w.-]+)\s+({event_category}[^:]+):\s+""",
11 | """\]:\s*({additional_info}[^$]+?)\s*$"""
12 | """\s+({process_name}\S+)\[({process_id}\d+)\]\:\s*"""
13 | ]
14 | ParserVersion = v1.0.0
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/VMware/vmware_horizon/Ps/pC_vmwarehorizonstrappauthenticationview.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = vmware-horizon-str-app-authentication-view
5 | ParserVersion = v1.0.0
6 | Vendor = VMware
7 | Product = VMware Horizon
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """ View """ , """ SSO """ ]
10 | Fields = [
11 | """\w+\s+\d+\s+\d+:\d+:\d+\s+({host}[\w\-.]+)""",
12 | """({app}View)""",
13 | """user\s+(({domain}[^\\\s]+)[\\\/]+)?({user}[\w\.\-\!\#\^\~]{1,40}\$?)""",
14 | """({operation}SSO)""",
15 | ]
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/VMware/vmware_view/Ps/pC_vmwareviewstrapploginsuccessviewuser.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = vmware-view-str-app-login-success-viewuser
5 | ParserVersion = v1.0.0
6 | Vendor = VMware
7 | Product = VMware View
8 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
9 | Conditions = [ """View User""", """ has logged in""" ]
10 | Fields = [
11 | """\d\d:\d\d:\d\d\s+({host}[^\s]+)\s+View User""",
12 | """View User\s+(({domain}[^\\\s]+)\\+)?({user}[\w\.\-\!\#\^\~]{1,40}\$?)""",
13 | """({app}View)"""
14 | ]
15 | ParserVersion = "v1.0.0"
16 |
17 |
18 | }
19 | ```
--------------------------------------------------------------------------------
/DS/XPS/xps/Ps/pC_xpsskvprinteractivitysuccessset.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = xps-s-kv-printer-activity-success-set
5 | Vendor = "XPS"
6 | Product = "XPS"
7 | TimeFormat = "yyyy-MM-dd HH:mm:ss"
8 | Conditions = [
9 | """printer="""
10 | """type="""
11 | """operation="""
12 | """attributes="""
13 | ]
14 | Fields = [
15 | """printer=({dest_host}({printer_name}[^\s]+))"""
16 | """type=({object}[^\s]+)\s*\W"""
17 | """attributes=({bytes}\d+)\s*"""
18 | """operation=({operation}[^\s]+)\s*\W+"""
19 | ]
20 | ParserVersion = "v1.0.0"
21 |
22 |
23 | }
24 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_email_security/Ps/pC_ciscoiestremailfinished.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = cisco-ie-str-email-finished
5 | ParserVersion = v1.0.0
6 | Vendor = Cisco
7 | Product = Cisco Email Security
8 | TimeFormat = ["yyyy-MM-dd HH:mm:ss", "MMM dd HH:mm:ss"]
9 | Conditions = [ """Message finished MID """ ]
10 | Fields = [
11 | """({time}\w+ \d\d \d\d:\d\d:\d\d)\s+"""
12 | """\srt=({time}\d+)""",
13 | """Message finished MID ({message_id}({alert_id}\d+)) ({result}[^=]+?)("|\s+\w+(=)?|\s*$)"""
14 | ]
15 |
16 |
17 | }
18 | ```
--------------------------------------------------------------------------------
/DS/Cisco/cisco_network_security/Ps/pC_ciscofpstrappnotificationsuccessfmc.md:
--------------------------------------------------------------------------------
1 | #### Parser Content
2 | ```Java
3 | {
4 | Name = cisco-fp-str-app-notification-success-fmc
5 | Vendor = Cisco
6 | Product = Cisco Network Security
7 | TimeFormat = "MMM dd HH:mm:ss"
8 | Conditions = [ """ PRIN-CISCO-FMC-1: """ ]
9 | ParserVersion = "v1.0.0"
10 | Fields = [
11 | """({time}\w{3}\s\d\d\s\d\d:\d\d:\d\d)\sPRIN-CISCO-FMC-1:\s*({host}[\w\-\.]+):[^\@]+\@([\w\s]+|({src_ip}(\d{1,3}\.){3}\d{1,3}|([A-Fa-f0-9]+:[A-Fa-f0-9:]+))),([^,]+),\s*({additional_info}[^"]+)"""
12 | ]
13 |
14 |
15 | }
16 | ```
--------------------------------------------------------------------------------