Metron (Retired) / METRON-158

Create McAfee ePO Parser


Details

    • Type: Improvement
    • Status: To Do
    • Priority: Minor
    • Resolution: Unresolved

    Description

      Creating a parser for McAfee ePO.

      The log should look like this:
      <13> computer.website.com "2016-04-11 14:20:15" timestamp="2016-04-11 14:20:15.693", AutoID="136424372", signature="WRITE_DENIED", threat_type="none", signature_id="20719", category="cc.file.block", severity_id="3", event_description="File Write Denied", detected_timestamp="2016-04-11 13:29:09.0", file_name="c:\windows\system32\folder\file", detection_method="NULL", vendor_action="deny write", threat_handled="1", logon_user="NT AUTHORITY\NETWORK SERVICE", user="abc123", dest_nt_domain="APL", dest_dns="IMCAVA12345", dest_nt_host="IMCAVA12345", fqdn="IMCAVA12345.something.website.com", dest_ip="100.170.200.100", dest_mac="000000000000", os="Windows 7", sp="Service Pack 1", os_version="6.1", os_build="7601", timezone="Eastern Standard Time", src_dns="NULL", src_ip="200.23.55.70", src_mac="NULL", process="NULL", url="NULL", source_logon_user="NULL", is_laptop="1", product="Solidifier", product_version="6.1.3.436", engine_version="NULL", dat_version="NULL", vse_dat_version="8130.0000", vse_engine64_version="5800.7501", vse_engine_version="5800.7501", vse_hotfix="5", vse_product_version="8.8.0.1385"

      And the output JSON should look like this:

      {
      "priority": 13,
      "timestamp": 1460384415693,
      "AutoID": "136424372",
      "signature": "WRITE_DENIED",
      "threat_type": "none",
      "signature_id": "20719",
      "category": "cc.file.block",
      "severity_id": "3",
      "event_description": "File Write Denied",
      "detected_timestamp": "2016-04-11 13:29:09.0",
      "file_name": "c:\\windows\\system32\\folder\\file",
      "detection_method": "NULL",
      "vendor_action": "deny write",
      "threat_handled": "1",
      "logon_user": "NT AUTHORITY\\NETWORK SERVICE",
      "user": "abc123",
      "dest_nt_domain": "APL",
      "dest_dns": "IMCAVA12345",
      "dest_nt_host": "IMCAVA12345",
      "fqdn": "IMCAVA12345.something.website.com",
      "ip_dst_addr": "100.170.200.100",
      "dst_mac": "000000000000",
      "os": "Windows 7",
      "sp": "Service Pack 1",
      "os_version": "6.1",
      "os_build": "7601",
      "timezone": "Eastern Standard Time",
      "ip_src_addr": "200.23.55.70",
      "is_laptop": "1",
      "product": "Solidifier",
      "product_version": "6.1.3.436",
      "vse_dat_version": "8130.0000",
      "vse_engine64_version": "5800.7501",
      "vse_engine_version": "5800.7501",
      "vse_hotfix": "5",
      "vse_product_version": "8.8.0.1385"
      }
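      The transformation the ticket asks for, written out as an added stand-alone reference implementation in Python (this is not Metron's Java parser and not code from the ticket). It splits the syslog-style header `<PRI> host "timestamp"` from the comma-separated key="value" body, converts the millisecond timestamp to epoch milliseconds (interpreted as UTC, which is the reading under which the ticket's 1460384415693 is reproduced; ePO gives no zone), renames dest_ip/src_ip/dest_mac to Metron's ip_dst_addr/ip_src_addr/dst_mac as the expected output does, and drops the fields the expected output omits when ePO emits the placeholder "NULL". The expected output keeps detection_method="NULL", so the drop list mirrors the ticket rather than dropping every NULL. The sample line is copied from the ticket; the regexes assume values never contain an embedded double quote, and a line without the header or without a timestamp field is rejected with ValueError rather than passed through half-parsed.

```python
import calendar
import json
import re
from datetime import datetime

# Sample copied from the ticket (backslashes are literal characters in the log).
SAMPLE_LINE = (
    '<13> computer.website.com "2016-04-11 14:20:15" '
    'timestamp="2016-04-11 14:20:15.693", AutoID="136424372", signature="WRITE_DENIED", '
    'threat_type="none", signature_id="20719", category="cc.file.block", severity_id="3", '
    'event_description="File Write Denied", detected_timestamp="2016-04-11 13:29:09.0", '
    r'file_name="c:\windows\system32\folder\file", detection_method="NULL", '
    'vendor_action="deny write", threat_handled="1", '
    r'logon_user="NT AUTHORITY\NETWORK SERVICE", user="abc123", dest_nt_domain="APL", '
    'dest_dns="IMCAVA12345", dest_nt_host="IMCAVA12345", '
    'fqdn="IMCAVA12345.something.website.com", dest_ip="100.170.200.100", '
    'dest_mac="000000000000", os="Windows 7", sp="Service Pack 1", os_version="6.1", '
    'os_build="7601", timezone="Eastern Standard Time", src_dns="NULL", '
    'src_ip="200.23.55.70", src_mac="NULL", process="NULL", url="NULL", '
    'source_logon_user="NULL", is_laptop="1", product="Solidifier", '
    'product_version="6.1.3.436", engine_version="NULL", dat_version="NULL", '
    'vse_dat_version="8130.0000", vse_engine64_version="5800.7501", '
    'vse_engine_version="5800.7501", vse_hotfix="5", vse_product_version="8.8.0.1385"'
)

# Header: <PRI> host "header timestamp", followed by the key="value" body.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>\s*(?P<host>\S+)\s+"(?P<hdr_ts>[^"]*)"\s*(?P<body>.*)$'
)
# Assumption: values never contain an embedded double quote (true of the format as shown).
KV_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)="(?P<val>[^"]*)"')

# Renames to Metron's standard address fields, taken from the ticket's expected output.
RENAMES = {"dest_ip": "ip_dst_addr", "src_ip": "ip_src_addr", "dest_mac": "dst_mac"}
# Fields the expected output omits when ePO emits the placeholder "NULL".
# The ticket keeps detection_method="NULL", so this mirrors the ticket, not a blanket rule.
DROP_IF_NULL = {"src_dns", "src_mac", "process", "url", "source_logon_user",
                "engine_version", "dat_version"}


def to_epoch_ms(ts):
    """'2016-04-11 14:20:15.693' -> 1460384415693 (treated as UTC; ePO gives no zone)."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
    # Integer arithmetic: float seconds * 1000 can lose the last millisecond.
    return calendar.timegm(dt.timetuple()) * 1000 + dt.microsecond // 1000


def parse_epo_line(line):
    """Turn one ePO syslog line into the flat dict the ticket expects; reject malformed lines."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError('not an ePO syslog line: missing <PRI> host "timestamp" header')
    pri = int(m.group("pri"))
    if pri > 191:  # syslog PRI = facility * 8 + severity, facility <= 23
        raise ValueError("syslog PRI out of range: %d" % pri)
    fields = {key: val for key, val in KV_RE.findall(m.group("body"))}
    if "timestamp" not in fields:
        raise ValueError("timestamp field missing")
    out = {"priority": pri, "timestamp": to_epoch_ms(fields.pop("timestamp"))}
    for key, value in fields.items():
        if key in DROP_IF_NULL and value == "NULL":
            continue
        out[RENAMES.get(key, key)] = value
    return out


def to_json(message):
    """Serialise the parsed message; json.dumps escapes the backslashes in file_name and logon_user."""
    return json.dumps(message, indent=2)


if __name__ == "__main__":
    print(to_json(parse_epo_line(SAMPLE_LINE)))
```

      Note that json.dumps writes the Windows path and the NT account name with escaped backslashes (`\\`), so the emitted document is valid JSON and round-trips to the original values; a parser that copies those values into JSON text unescaped produces output that downstream consumers cannot load.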

      People

        Assignee: Unassigned
        Reporter: Jonathan Rider

      Time Tracking

        Original Estimate: 24h
        Remaining Estimate: 24h
        Time Spent: Not Specified