{
Name = mcafee-es-cef-alert-trigger-success-portblocking
ParserVersion = v1.0.0
Product = McAfee Endpoint Security
Conditions = [ """CEF""","""|McAfee|ePolicy Orchestrator|""", """Port blocking""" ]
cef-mcafee-epo-alert = {
Vendor = McAfee
TimeFormat = "epoch"
Fields = [
"""\srt=({time}\d{13})""",
"""\sdvc=({host}\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""",
"""\sdvchost=({host}[^\s]+)""",
"""\sdhost=({src_host}[^\s]+)""",
"""\sdst=(?:0.0.0.0|({src_ip}((([0-9a-fA-F.]{1,4}):{1,2}){7}([0-9a-fA-F]){1,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?)""",
"""\sfname=({malware_url}.+?)\s+(\w+=)""",
"""\sfname=({malware_url}[^=]+?\\+({malware_file_name}[^\\=]+?))\s+\w+=""",
"""\sduser=(SYSTEM|N\/A|(({domain}[^=\\]+)\\+)?({user}.+?))\s+(\w+=|$)""",
"""\sdntdom=(?:\(none\)|({domain}[^\s]+))""",
"""\seventId=({alert_id}\d+)""",
"""\sexternalId=({alert_id}\d+)""",
"""\|McAfee\|ePolicy[^|]+?\|[^|]+?\|[^|]+?\|({alert_name}[^.|]+)""",
"""\scs1=(?:none|({alert_name}.+?))\s+(\w+=|$)""",
"""\scat=({threat_category}.+?)\s+(\w+=|$)""",
"""\|McAfee\|ePolicy[^|]+?\|[^|]+?\|[^|]+?\|({alert_type}[^.|]+)""",
"""\|McAfee\|ePolicy[^|]+?\|[^|]+?\|[^|]+?\|[^|]+?\|({alert_severity}[^\|]+)""",
"""\scategoryOutcome=/?({result}.+?)\s+(\w+=|$)""",
]
DupFields = ["malware_file_name->file_name"
}