{
# Parser definition for FireEye CMS LEEF alert events (trigger-success / malware-object alerts).
# The keys below identify the event source and extract named fields from the raw log;
# the SOAR section further down maps those fields onto an incident.
Name = fireeye-networksecurity-leef-alert-trigger-success-malwareobject
Vendor = FireEye
Product = FireEye CMS
# Date pattern used to interpret the {time} capture taken from devTime in Fields
# (illustrative value shape: "Mar 04 2021 13:45:10"). Keep it in sync with that regex.
TimeFormat = "MMM dd yyyy HH:mm:ss"
# Literal substrings an event is checked for before the Fields regexes are applied.
# NOTE(review): presumably all three must be present for this parser to claim the event — confirm against the parser engine's documentation.
Conditions = [ """|FireEye|CMS|""", """dvchost=""", """action=""" ]
# One regex per extracted field; the ({name}...) group names the field it populates.
# Most captures stop at '^', so the LEEF attribute delimiter is assumed to be '^' rather than the LEEF default (tab) — confirm against the CMS export configuration.
Fields = [
# Event timestamp; the captured text must match TimeFormat above.
"""\WdevTime=({time}\w+ \d+ \d\d\d\d \d\d:\d\d:\d\d)""",
# Skips one pipe-delimited header field after "|FireEye|CMS|" and captures the next one as alert_type
# (in a LEEF header that position is the event identifier — confirm with a sample event).
"""\|FireEye\|CMS\|([^\|]*\|){1}({alert_type}[^\|]+)""",
# Numeric severity; digits only. Copied to sourceSeverity by the SOAR section.
"""\Wsev=({alert_severity}\d+)""",
# Alert/signature name, everything up to the next '^'.
"""\Wsname=({alert_name}[^\^]+)""",
# Reporting device address: only hex digits, ':' and '.' are accepted, i.e. an IPv4 or IPv6 literal.
# NOTE(review): this and the dvchost regex below both write {host}; which value wins when an
# event carries both attributes depends on the parser engine's precedence rules — confirm.
"""\Wdvc=({host}[a-fA-F:\d.]+)""",
# Reporting device hostname (word characters, '-' and '.'); also populates {host}, see note above.
"""\Wdvchost=({host}[\w\-.]+)""",
# Vendor alert identifier; digits only. Copied to sourceId by the SOAR section.
"""\WexternalId=({alert_id}\d+)""",
# Recipient address from duser; stops at '^', whitespace or ',' — if CMS emits a comma-separated
# list only the first entry is captured (presumably; verify with a multi-recipient sample).
"""\Wduser=({email_address}[^\^\s,]+)""",
# URL reported in the alert's link attribute. The SOAR section maps it to malwareAttackerUrl and a
# url entity, so downstream consumers receive it as-is: treat it as hostile data from the alert
# (do not dereference it automatically; let analysts open it only through a sandboxed tool).
"""\Wlink=({malware_url}[^\^]+)""",
]
SOAR {
IncidentType = "malware"
DupFields = ["time->startedDate", "vendor->source", "rawLog->sourceInfo", "alert_name->malwareName", "alert_id->sourceId", "alert_type->malwareCategory", "alert_severity->sourceSeverity", "malware_url->malwareAttackerUrl"]
NameTemplate = """FireEye Alert ${alert_name} found"""
ProjectName = "SOC"
EntityFields = [
{EntityType="device", Name ="url", Fields=["malware_url->url"]
}