Parser Content

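{
  Name = unix-process-created-1
  DataType = "process-created"
  # NOTE(review): this parser reuses the template's Fields, whose {time} capture is
  # the digit-only "rt=" run (epoch) and whose own TimeFormat is epoch. Overriding
  # TimeFormat with an ISO-8601 pattern here cannot parse a digit-only value —
  # confirm which form the source actually emits before trusting event timestamps.
  TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
  # All four substrings must be present. Because "success=yes" is required,
  # SYSCALL records with success=no (failed process starts) never reach this parser.
  Conditions = [ """"type":"SYSCALL"""", """success\=yes""", """Cloud Apps Security|""", """|audit-event|""" ]
  # Template fields (time/host/CEF header/user/...) first, then the process-specific
  # captures below. Quantifiers are bounded ({1,2000}) so no capture scans unbounded input.
  Fields = ${UnixParserTemplates.unix-template.Fields}[
    """\spid\\?=({pid}[^\s]{1,2000})\s\w+""",
    """ppid\\?=({parent_process_id}[^\s]{1,2000})\s{1,100}\w+""",
    # NOTE(review): the value captured here is auditd's exe= (the executable path);
    # the actual argv lives in EXECVE a0..aN records, so the {command_line} field
    # name overstates what this holds. The pattern also requires a literal '"' after
    # '=': auditd writes exe= unquoted and hex-encoded when the path contains spaces,
    # quotes or non-printables, and such records leave this field empty — verify
    # downstream detections do not assume it is always populated.
    """exe\\?=\\?"({command_line}[^"]{1,2000})""",
    """\ssuccess\\?=({outcome}[^\s]{1,2000})\s\w+"""
  ]
}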

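unix-template = {
    Vendor = Unix
    Product = Unix Auditd
    Lms = Direct
    # {time} below is the digit run after "rt=", i.e. an epoch value; a formatted
    # "rt=" (e.g. "Jan 18 2011 ...") would not match this capture.
    TimeFormat = epoch
    # Shared captures for CEF-wrapped auditd events. The leading \W anchors each
    # key on a non-word character so a longer key ending in the same letters
    # (e.g. "start=" vs "rt=") is not matched.
    Fields = [
      """\Wrt=({time}\d{1,100})""",
      # Either key may carry the reporting host; both feed {host}.
      """\Wdvc=({host}[^\s]{1,2000})""",
      """\Wdvchost=({host}[^\s]{1,2000})""",
      # The three patterns below skip 4, 5 and 6 pipe-delimited header fields after
      # "CEF:" and take the next one (header positions 5, 6 and 7).
      # NOTE(review): in the CEF header order
      # (Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension)
      # position 5 is Signature ID and 6 is Name — confirm the additional_info /
      # event_code labels match what the source puts in those positions.
      """CEF:([^\|]{0,2000}\|){4}({additional_info}[^\|]{1,2000})""",
      """CEF:([^\|]{0,2000}\|){5}({event_code}[^\|]{1,2000})""",
      """CEF:([^\|]{0,2000}\|){6}({alert_severity}[^\|]{1,2000})""",
      """\WeventId=({alert_id}\d{1,100})""",
      """\Wsuser=({user}[^\s]{1,2000})""",
      # dest_host is restricted to hostname-like characters; anything else ends the match.
      """\Wdhost=({dest_host}[\w\-.]{1,2000})"""
    ]
}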