{
# Parser rule for CrowdStrike Falcon sensor events; the Name value doubles as the rule's identifier.
Name = crowdstrike-falcon-sk4-endpoint-notification-timestamp
Vendor = CrowdStrike
Product = Falcon
ParserVersion = "v1.0.0"
# The {time} capture in Fields is exactly 10 digits, i.e. epoch seconds, which this setting declares.
TimeFormat = "epoch_sec"
# Literal substrings the raw event text must contain before Fields are applied; this scopes the rule
# to LocalIpAddressIP4 events. Presumably both must be present (AND) -- confirm with the engine's docs.
Conditions = [ """"timestamp":"""", """"event_simpleName":"LocalIpAddressIP4"""" ]
# Each entry is a regex applied to the raw event; groups of the form ({name}...) become output fields.
Fields = [
# NOTE(review): \d{10} has no closing-quote anchor, so a 13-digit millisecond timestamp would be
# silently truncated to its first 10 digits rather than rejected -- confirm the sensor emits seconds.
""""timestamp":"({time}\d{10})""",
""""event_simpleName":"({event_code}[^"]+)""",
# aid -- presumably the reporting agent/sensor id; verify against the vendor's event schema.
""""aid":"({aid}[^"]+)""",
# Loose IPv6 literal or a dotted-quad IPv4 (each octet 0-255), optionally followed by ":port".
# Mapped to src_ip/src_port; presumably the sensor-reported agent address -- confirm the direction
# semantics with downstream consumers before relying on src/dest in detections.
""""aip":"({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){1,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?""",
# cid is deliberately not extracted (removed from the field list).
""""event_platform":"({os}[^"]+)""",
# Same IP/port pattern as aip, applied to the host's local IPv4 address and mapped to dest_ip/dest_port.
""""LocalAddressIP4":"({dest_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){1,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({dest_port}\d+))?""",
]
}