Skip to content

Latest commit

 

History

History
35 lines (33 loc) · 1.77 KB

pC_qushrjsonprinteractivitysuccessriskybehavior.md

File metadata and controls

35 lines (33 loc) · 1.77 KB
Raw

Parser Content

{
Name = qush-r-json-printer-activity-success-riskybehavior
  Conditions = [ """reveal""", """"printer"""", """"tags":""", """"riskybehavior"""" ]
  Fields = ${QUSHRevealParserTemplates.qush-reveal-events.Fields} [
    """({event_name}print)"""
  ]
  ParserVersion = "v1.0.0"

qush-reveal-events = {
    Vendor = QUSH
    Product = Reveal
    TimeFormat = ["yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSZ","yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSZ"]
    Fields = [
      """"agent_hostname"+:"+({host}[^"]+)"""",
      """"timestamp"+:"+({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d.\d+Z)"""",
      """"description"+:"+({additional_info}[^\n]+?)\s*",""",
      """"username":"(({full_name}[^\\\s"]+\s[^"\\]+)|(({domain}[^"\s\\]+)\\+)?({user}[\w\.\-]{1,40}\$?))"""",
      """"destination_ip":\["({dest_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){1,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({dest_port}\d+))?"\]""",
      """"destination_port":\["({dest_port}\d{1,5})"\]""",
      """"source_ip":\["({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){1,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?"\]""",
      """"source_port":\["({src_port}\d{1,5})"\]"""
      """"binary_path"+:"+({process_path}({process_dir}[^"]+?)\\+({process_name}[^"\\]+))"""",
      """"binary_name"+:\["+({process_name}[^",]+)"\]""",
      """"anonymised_description"+:"+({event_name}[^\n]+?)",""",
      """"accountname"+:\["+((({domain}[^\\",]+)\\+)?({user}[\w\.\-]{1,40}\$?))"\]""",
      """"file_name":\["({file_name}[^"]+?(\.({file_ext}[^"\.:]+)(:[^"]+)?)?)"""",
      """"file_path":\["({file_path}[^"]+)"""",
      """"tags":\[[^\]]*?"({tag}[^"\]]+)"\]""",
      """"agent_hostname":"({host}[\w\-\.]+)"""",
      """"created_by":"policy:[^"]+?name=({event_name}[^"]+)""""
    
}