metron-issues mailing list archives

From "James Sirota (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (METRON-158) Create McAfee ePO Parser
Date Thu, 02 Jun 2016 05:41:59 GMT

     [ https://issues.apache.org/jira/browse/METRON-158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Sirota updated METRON-158:
--------------------------------
    Assignee: Casey Stella

> Create McAfee ePO Parser
> ------------------------
>
>                 Key: METRON-158
>                 URL: https://issues.apache.org/jira/browse/METRON-158
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Jonathan Rider
>            Assignee: Casey Stella
>            Priority: Minor
>              Labels: ParserExtension
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Creating a parser for McAfee ePO.
> The log should look like this:
> <13> computer.website.com "2016-04-11 14:20:15" timestamp="2016-04-11 14:20:15.693",
> AutoID="136424372", signature="WRITE_DENIED", threat_type="none", signature_id="20719", category="cc.file.block",
> severity_id="3", event_description="File Write Denied", detected_timestamp="2016-04-11 13:29:09.0",
> file_name="c:\windows\system32\folder\file", detection_method="NULL", vendor_action="deny
> write", threat_handled="1", logon_user="NT AUTHORITY\NETWORK SERVICE", user="abc123", dest_nt_domain="APL",
> dest_dns="IMCAVA12345", dest_nt_host="IMCAVA12345", fqdn="IMCAVA12345.something.website.com",
> dest_ip="100.170.200.100", dest_mac="000000000000", os="Windows 7", sp="Service Pack 1", os_version="6.1",
> os_build="7601", timezone="Eastern Standard Time", src_dns="NULL", src_ip="200.23.55.70",
> src_mac="NULL", process="NULL", url="NULL", source_logon_user="NULL", is_laptop="1", product="Solidifier",
> product_version="6.1.3.436", engine_version="NULL", dat_version="NULL", vse_dat_version="8130.0000",
> vse_engine64_version="5800.7501", vse_engine_version="5800.7501", vse_hotfix="5", vse_product_version="8.8.0.1385"
> And the output json should look like this: 
> {
>   "priority": 13,
>   "timestamp": 1460384415693,
>   "AutoID": "136424372",
>   "signature": "WRITE_DENIED",
>   "threat_type": "none",
>   "signature_id": "20719",
>   "category": "cc.file.block",
>   "severity_id": "3",
>   "event_description": "File Write Denied",
>   "detected_timestamp": "2016-04-11 13:29:09.0",
>   "file_name": "c:\\windows\\system32\folder\file",
>   "detection_method": "NULL",
>   "vendor_action": "deny write",
>   "threat_handled": "1",
>   "logon_user": "NT AUTHORITY\\NETWORK SERVICE",
>   "user": "abc123",
>   "dest_nt_domain": "APL",
>   "dest_dns": "IMCAVA12345",
>   "dest_nt_host": "IMCAVA12345",
>   "fqdn": "IMCAVA12345.something.website.com",
>   "ip_dst_addr": "100.170.200.100",
>   "dst_mac": "000000000000",
>   "os": "Windows 7",
>   "sp": "Service Pack 1",
>   "os_version": "6.1",
>   "os_build": "7601",
>   "timezone": "Eastern Standard Time",
>   "ip_src_addr": "200.23.55.70",
>   "is_laptop": "1",
>   "product": "Solidifier",
>   "product_version": "6.1.3.436",
>   "vse_dat_version": "8130.0000",
>   "vse_engine64_version": "5800.7501",
>   "vse_engine_version": "5800.7501",
>   "vse_hotfix": "5",
>   "vse_product_version": "8.8.0.1385"
> }



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
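Added example, not code from the ticket or from the Metron code base: a standalone Python parser for the ePO line shape quoted above, producing the integer `priority`, the epoch-millisecond `timestamp` and the `ip_src_addr`/`ip_dst_addr`/`dst_mac` renames that the expected JSON uses. It assumes the device timestamp is UTC (which is what makes 2016-04-11 14:20:15.693 equal 1460384415693), keeps every key="value" pair including the "NULL" ones, and returns None for a line that does not match the shape rather than emitting a partial record; the sample line is a constructed, shortened version of the one in the ticket.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the ePO line quoted in the ticket, shortened to a few fields.
SAMPLE_LINE = (
    '<13> computer.website.com "2016-04-11 14:20:15" '
    'timestamp="2016-04-11 14:20:15.693", AutoID="136424372", '
    'signature="WRITE_DENIED", file_name="c:\\windows\\system32\\folder\\file", '
    'vendor_action="deny write", logon_user="NT AUTHORITY\\NETWORK SERVICE", '
    'dest_ip="100.170.200.100", dest_mac="000000000000", src_ip="200.23.55.70", '
    'src_dns="NULL", product="Solidifier"'
)

# Shape: <PRI> hostname "date time" key="value", key="value", ...
HEADER_RE = re.compile(r'^<(\d{1,3})>\s+(\S+)\s+"[^"]*"\s+(.*)$')
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
# The whole tail must be comma-separated key="value" pairs; stray text rejects the line.
TAIL_RE = re.compile(r'^\w+="[^"]*"(?:,\s*\w+="[^"]*")*\s*$')
# Renames used by the ticket's expected output (Metron's ip_src_addr / ip_dst_addr).
RENAMES = {"dest_ip": "ip_dst_addr", "src_ip": "ip_src_addr", "dest_mac": "dst_mac"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def epoch_millis(ts):
    """'2016-04-11 14:20:15.693' -> 1460384415693 (assumes the device logs in UTC)."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return (dt - EPOCH) // timedelta(milliseconds=1)  # exact integer, no float rounding


def parse_epo_line(line):
    """Return the parsed record, or None if the line does not match the expected shape."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191 or not TAIL_RE.match(m.group(3)):  # syslog PRI range is 0..191
        return None
    # Backslashes in Windows paths and user names pass through untouched: [^"]* does not unescape.
    fields = {RENAMES.get(k, k): v for k, v in PAIR_RE.findall(m.group(3))}
    if "timestamp" not in fields:
        return None
    try:
        ts = epoch_millis(fields.pop("timestamp"))
    except ValueError:
        return None
    return {"priority": pri, "timestamp": ts, **fields}


if __name__ == "__main__":
    print(json.dumps(parse_epo_line(SAMPLE_LINE), indent=2))
```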