[ https://issues.apache.org/jira/browse/METRON-158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Casey Stella updated METRON-158: -------------------------------- Fix Version/s: (was: 0.2.2BETA) > Create McAfee ePO Parser > ------------------------ > > Key: METRON-158 > URL: https://issues.apache.org/jira/browse/METRON-158 > Project: Metron > Issue Type: Improvement > Reporter: Jonathan Rider > Assignee: James Sirota > Priority: Minor > Labels: ParserExtension, platform > Original Estimate: 24h > Remaining Estimate: 24h > > Creating a parser for McAfee ePO. > The log should look like this: > <13> computer.website.com "2016-04-11 14:20:15" timestamp="2016-04-11 > 14:20:15.693", AutoID="136424372", signature="WRITE_DENIED", > threat_type="none", signature_id="20719", category="cc.file.block", > severity_id="3", event_description="File Write Denied", > detected_timestamp="2016-04-11 13:29:09.0", > file_name="c:\windows\system32\folder\file", detection_method="NULL", > vendor_action="deny write", threat_handled="1", logon_user="NT > AUTHORITY\NETWORK SERVICE", user="abc123", dest_nt_domain="APL", > dest_dns="IMCAVA12345", dest_nt_host="IMCAVA12345", > fqdn="IMCAVA12345.something.website.com", dest_ip="100.170.200.100", > dest_mac="000000000000", os="Windows 7", sp="Service Pack 1", > os_version="6.1", os_build="7601", timezone="Eastern Standard Time", > src_dns="NULL", src_ip="200.23.55.70", src_mac="NULL", process="NULL", > url="NULL", source_logon_user="NULL", is_laptop="1", product="Solidifier", > product_version="6.1.3.436", engine_version="NULL", dat_version="NULL", > vse_dat_version="8130.0000", vse_engine64_version="5800.7501", > vse_engine_version="5800.7501", vse_hotfix="5", > vse_product_version="8.8.0.1385" > And the output json should look like this: > { > "priority": 13, > "timestamp": 1460384415693, > "AutoID": "136424372", > "signature": "WRITE_DENIED", > "threat_type": "none", > "signature_id": "20719", > "category": "cc.file.block", > "severity_id": "3", > "event_description": "File Write Denied", > "detected_timestamp": "2016-04-11 13:29:09.0", > 
"file_name": "c:\\windows\\system32\\folder\\file", > "detection_method": "NULL", > "vendor_action": "deny write", > "threat_handled": "1", > "logon_user": "NT AUTHORITY\\NETWORK SERVICE", > "user": "abc123", > "dest_nt_domain": "APL", > "dest_dns": "IMCAVA12345", > "dest_nt_host": "IMCAVA12345", > "fqdn": "IMCAVA12345.something.website.com", > "ip_dst_addr": "100.170.200.100", > "dst_mac": "000000000000", > "os": "Windows 7", > "sp": "Service Pack 1", > "os_version": "6.1", > "os_build": "7601", > "timezone": "Eastern Standard Time", > "ip_src_addr": "200.23.55.70", > "is_laptop": "1", > "product": "Solidifier", > "product_version": "6.1.3.436", > "vse_dat_version": "8130.0000", > "vse_engine64_version": "5800.7501", > "vse_engine_version": "5800.7501", > "vse_hotfix": "5", > "vse_product_version": "8.8.0.1385" > } -- This message was sent by Atlassian JIRA (v6.3.4#6332)