Skip to content

Latest commit

 

History

History
26 lines (24 loc) · 1.07 KB

pC_wizwjsonalerttriggersuccessddosattack.md

File metadata and controls

26 lines (24 loc) · 1.07 KB

Parser Content

{
Name = wiz-w-json-alert-trigger-success-ddosattack
 Vendor = Wiz
 Product = Wiz
 ExtractionType = json
 TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSSSSSZ"
 Conditions = [ """"category":"Detection"""", """DDoS Attack""", """"name":""", """"CLOUD_EVENTS"""" ]
 Fields = [
   """exa_json_path=$.event.timestamp,exa_field_name=time""",
   """exa_json_path=$.event.actor.IP,exa_field_name=src_ip""",
   """exa_json_path=$.event.actor.name,exa_regex=(({email_address}([A-Za-z0-9]+[!#$%&'+-\/=?^_`~])*[A-Za-z0-9]+@[^\]\s"\\,\|]+\.[^\]\s"\\,\|]+)|({user}[\w\.\-\!\#\^\~]{1,40}\$?))""",
   """exa_json_path=$.event.eventURL,exa_field_name=url""",
   """exa_regex=({app}wiz)"""
   """exa_json_path=$.event,exa_regex="matchedRules":.+ruleName:\s*({rule}[^,]+?)\s*",""",
   """exa_json_path=$.event.matchedRules,exa_regex=ruleId:\s*({rule_id}[^";,]+)""",
   """exa_json_path=$.event.subjectResource.region,exa_field_name=region""",
   """exa_json_path=$.event.subjectResource.account.id,exa_field_name=alert_id""",
 ]
 ParserVersion = v1.0.0
 DupFields = [ "rule->alert_name" ]


}