pC_sentinelonesingularitypkvappactivitysuccessmalware.md

Parser Content

{
# Log parser definition for SentinelOne Singularity malware events.
# Conditions select which raw events this parser claims; Fields are regexes
# whose ({name}...) groups presumably populate the named event field.
Name = "sentinelone-singularityp-kv-app-activity-success-malware"
Vendor = "SentinelOne"
Product = "Singularity Platform"
# Six fractional-second digits plus a zone designator; see the `time` regex
# below, which accepts any number of fractional digits but only a literal Z —
# NOTE(review): confirm against real samples that both agree on the same
# timestamp shape, otherwise time parsing may fail silently.
TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ"
# Substring gates (presumably all must be present): the vendor name, the
# bracketed eventDesc/eventSeverity KV markers, and the MALWARE category.
Conditions = [
""" SentinelOne """
"""[eventDesc@"""
"""[eventSeverity@"""
"""cat="MALWARE"""
]
Fields = [
  # Accepts the character set of either IPv4 or IPv6 (no structural validation).
  """\sdeviceAddress="({host}[a-fA-F\d.:]+)"""
  """\sdeviceHostName ="({host}[^"]+)"""
  # alert_name is captured here AND from fileName further down — see note there.
  """\seventDesc="({alert_name}[^"]+)"""
  """\seventSeverity="({alert_severity}[^"]+)"""
  """\ssourceDnsDomain="({domain}[^"]+)"""
  # The literal value "traps" is matched but deliberately not captured, so it
  # never populates `user`; real names are limited to 40 chars of [\w.-!#^~]
  # with an optional trailing $ (machine-account style).
  """\ssourceUserName ="(traps|({user}[\w\.\-\!\#\^\~]{1,40}\$?))"""
  # IPv6 alternative first, then a bounds-checked IPv4; an optional :port is
  # captured as src_port. NOTE(review): for IPv6 values the trailing ":digits"
  # may be consumed by the address branch rather than src_port — verify.
  """\ssourceIpAddresses\.0="({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){1,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?"""
  """\ssourceMacAddresses\.0="({src_mac}[^"]+)"""
  """\sthreatClassification="({alert_type}[^"]+)"""
  """\sthreatID="({alert_id}[^"]+)"""
  # NOTE(review): second capture into alert_name (also set from eventDesc
  # above). Which match wins depends on the parser engine; if the overwrite is
  # not intended, map this to a distinct file-name field instead.
  """\sfileName ="({alert_name}[^"]+)"""
  # NOTE(review): labelled hash_md5 but the regex accepts any length/charset.
  # SentinelOne's fileContentHash is commonly a SHA-1 digest — confirm the
  # algorithm; a mislabelled hash breaks downstream threat-intel lookups.
  """\s*fileContentHash="({hash_md5}[^"]+)"""
  # Tolerates both "detectingEngine" and "DetectingEngine" key spellings.
  """\s*(D|d)etecting(E|e)ngine="({additional_info}[^"]+)"""
  # Requires fractional seconds and a literal Z (UTC); offsets like +0000 do
  # not match this pattern.
  """\screatedAt="({time}\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)"""
  """\Wcat="({category}[^"]+)"""
  # Splits on the last backslash only: Windows-style paths populate both
  # process_path and process_name. NOTE(review): "/"-delimited paths (macOS
  # or Linux agents) match nothing here — confirm whether those are in scope.
  """\sdata.filePath="({process_path}[^"]+\\({process_name}[^"]+))"""
]
ParserVersion = "v1.0.0"


}