pC_lumensionlkvperipheralstorageinsertsuccessmediuminserted.md

File metadata and controls

26 lines (25 loc) · 989 Bytes

Parser Content

# HOCON parser definition (Exabeam-style layout) for Lumension peripheral-storage
# "MEDIUM-INSERTED" events. Each regex under Fields is matched against the raw
# log line; every ({name}...) capture becomes an event field of that name.
{
Name = lumension-l-kv-peripheral-storage-insert-success-mediuminserted
  ParserVersion = "v1.0.0"
  # Literal substrings used to route an event to this parser. Presumably all
  # three must be present — confirm against the parsing engine's documentation.
  Conditions = [ """ MEDIUM-INSERTED """, """ DeviceType="""", """ DeviceName ="""" ]

lumension-usb-activity = {
  Vendor = Lumension
  Product = Lumension
  # Format applied to the {time} capture. NOTE(review): the time regex below also
  # accepts '-' as the hh-mm-ss separator, which this pattern does not express —
  # verify that variant either never occurs or is normalised before parsing.
  TimeFormat = "yyyy-MM-dd'T'HH:mm:ssZ"
  # Extraction regexes, in order:
  #  1. time, optional host, and operation from the line prefix (text after "scomc").
  #  2. user_sid from User="...".
  #  3. domain/user from UserName="...": an "NT AUTHORITY" prefix is not captured
  #     as domain and "SYSTEM" is not captured as user; user is limited to 1-40
  #     characters from an explicit character class, so other names simply do
  #     not match rather than being truncated.
  #  4. device_class from DeviceType="...", skipped when the value is "Unknown".
  #  5. device_id from DeviceName="...".
  #  6. file_path from Filename="...".
  #  7. file_name (last backslash-separated component of Filename) and optional file_ext.
  #  8. operation_details from Reason="...".
  #  9. bytes from "<n> bytes".
  # 10. device_vid / device_pid from a VID_xxxx&PID_xxxx device path; the (amp;)?
  #     group tolerates an HTML-encoded "&amp;" separator.
  # Values such as device_id, file_path and file_name are copied verbatim from
  # endpoint-supplied strings; downstream rules should treat them as untrusted
  # input rather than assuming a well-formed device or path name.
  Fields = [
    """({time}\d\d\d\d-\d\d-\d\dT\d\d(:|-)\d\d(:|-)\d\dZ) (|({host}[\w\-.]+)) scomc.+?({operation}\S+) \[""",
    """User="({user_sid}[^"]+)""",
    """UserName ="((NT AUTHORITY|({domain}[^"\\]+))\\+)?(SYSTEM|({user}[\w\.\-\!\#\^\~]{1,40}\$?))""",
    """DeviceType="(Unknown|({device_class}[^"]+))""",
    """DeviceName ="({device_id}[^"]+)""",
    """Filename="({file_path}[^"]+)""",
    """Filename="[^"]*\\+({file_name}[^\\"]+?(\.({file_ext}[^\.\s"]+))?)"""",
    """Reason="({operation_details}[^"]+)""",
    """({bytes}\d+) bytes""",
    """VID_({device_vid}[^&]+)&(amp;)?PID_({device_pid}[^\\&]+)"""
  ]
  # Presumably copies host into dest_host as well — confirm DupFields semantics.
  # NOTE(review): this array has no closing ']' and only one '}' follows for the
  # two '{' opened above. The page reports one more line than is shown here, so
  # this may be rendering truncation rather than a defect — check the source file.
  DupFields = [ "host->dest_host" 
}