{
# Parser definition for Wiz alert-trigger events that report a malware instance.
# Input is JSON (ExtractionType = json); each Fields entry maps a JSON path, or a
# regex applied at a JSON path, to one output field.
Name = wiz-w-json-alert-trigger-success-malwareinstance
ParserVersion = v1.0.0
Vendor = Wiz
Product = Wiz
ExtractionType = json
# Java-style date pattern: six fractional-second digits followed by a zone offset.
# Presumably applied to the `time` field extracted from $.issue.created -- confirm.
TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ"
# Selection strings for this parser; presumably every one must occur literally in
# the raw event -- confirm against the parser engine's matching rules.
# NOTE(review): three of the strings embed the exact compact serialization
# ("key":"value" with no space after the colon), so an event serialized with
# whitespace there would not be selected if matching is literal.
# NOTE(review): "type":"PUA" is required, so malicious findings of any other
# evidence type are not covered by this parser -- confirm another parser handles them.
Conditions = [ """"changedBy":"Wiz"""", """"status":"FileReputationStatusMalicious"""", """"type":"PUA"""", """MALWARE_INSTANCE""" ]
Fields = [
# Event time, taken from the issue creation timestamp.
"""exa_json_path=$.issue.created,exa_field_name=time""",
# The `..` operator is JSONPath recursive descent: these paths search every level
# under the first evidence element, so they can match more than one node.
# NOTE(review): which match is kept when several exist is not visible here -- confirm.
"""exa_json_path=$.resource.evidence[0]..type,exa_field_name=alert_type""",
# NOTE(review): a SHA-1 digest is stored under the field name `sha`; confirm that is
# the name downstream hash lookups and correlation rules expect.
"""exa_json_path=$.resource.evidence[0]..sha1,exa_field_name=sha""",
"""exa_json_path=$.resource.evidence[0]..familyName,exa_field_name=malware_family""",
# Position-dependent path: reads `name` from the second element of the array nested
# in the first evidence element, unlike the recursive-descent paths above.
# NOTE(review): if the element order varies between events, this field will be
# empty or carry an unrelated name -- verify against sample events.
"""exa_json_path=$.resource.evidence[0][1].name,exa_field_name=malware_file_name""",
"""exa_json_path=$.issue.findingUrl,exa_field_name=malware_url""",
"""exa_json_path=$.issue.severity,exa_field_name=alert_severity""",
"""exa_json_path=$.control.name,exa_field_name=alert_name""",
"""exa_json_path=$.control.id,exa_field_name=alert_id""",
# Regex over the $.trigger subtree; {additional_info} names the captured field.
# The capture starts after optional whitespace following "updatedFields":" and ends
# before a whitespace character that must directly precede the closing quote.
# NOTE(review): the trailing \s is mandatory, so a value with no whitespace before
# its closing quote produces no additional_info -- confirm that is intended.
"""exa_json_path=$.trigger,exa_regex="updatedFields":"\s*({additional_info}[^"]+)\s"""",
# The Conditions above require "changedBy":"Wiz", so `app` is expected to be "Wiz".
"""exa_json_path=$.trigger.changedBy,exa_field_name=app""",
"""exa_json_path=$.trigger.ruleName,exa_field_name=rule""",
"""exa_json_path=$.trigger.ruleId,exa_field_name=rule_id""",
# event_name carries the evidence status value; the Conditions above require
# "status":"FileReputationStatusMalicious" to be present in the event.
"""exa_json_path=$.resource.evidence[0]..status,exa_field_name=event_name"""
]
}