🔐 Karlo Luiten

Think Evil, DO Good

Uncategorized

Found ArcSight parser functions

By karlo

Updated 2020-08-27

=__BASE64Decode
=__LOOKUP
=__byteArrayToIPv6
=__byteArrayToIPv6String
=__collection
=__concatenate
=__concatenateDeleting
=__createGMTTimeStamp
=__createLocalTimeStampFromGMT
=__createLocalTimeStampFromGMTSecondsMillis
=__createLocalTimeStampFromNTP
=__createLocalTimeStampFromNanoSeconds
=__createLocalTimeStampFromSecondsMicrosZone
=__createLocalTimeStampFromSecondsSinceEpoch
=__createLocalTimeStampStringFromGMTMilliseconds
=__createLocalTimeStampStringFromLocalMilliseconds
=__createOptionalTimeStampFromString
=__createSafeLocalTimeStamp
=__createTimeStamp
=__createTimeStampByHexEncodedTime
=__createTimeStampByStartTimeElapsed
=__createTimeStampForOpsecStartTime
=__doubleToAddress
=__extractNTDomain
=__extractNTUser
=__extractProtocol
=__foundScanHostName
=__getCEFSeverity
=__getDeviceDirection
=__getIpV6AddressFromHighLow
=__getIronMailActions
=__getIronMailAlertImpact
=__getIronMailEventStatus
=__getLongMACAddressByHexString
=__getLongMACAddressByString
=__getManhuntPriority
=__getNormalizedOS
=__getNotZeroPort
=__getOriginator
=__getOriginatorFromSourcePort
=__getProtocolName
=__getProtocolNameFromString
=__getSymantecNSPriority
=__getTimeZone
=__getTrendMicroHostName
=__getTrendMircoUser
=__getType
=__getVendor
=__getVulnerabilityCategory
=__getXForceStringFor
=__hexStringToAddress
=__hexStringToIPV6Address
=__hexStringToLong
=__hexStringToString
=__hourMinuteSecondsToSeconds
=__ifAorBThenElse
=__ifGreaterOrEqual
=__ifThenElse
=__ifThenElseAddress
=__ifTrueThenElse
=__ignoreZeroIp
=__ignoreZeroMac
=__integerConstant
=__integerToAddressMcAfee
=__integerToLong
=__length
=__longToDot4QuadAddress
=__longToInteger
=__longToString
=__longToTimeStamp
=__mazuProfilerDestinationAddress
=__multilineRegexToken
=__noDot4QuadStringsToAddress
=__numberToAddress
=__oneOf
=__oneOfAddress
=__oneOfDateTime
=__oneOfHostName
=__oneOfInteger
=__oneOfLong
=__oneOfMac
=__oneOfNetBIOSName
=__parseMultipleTimeStamp
=__parseMutableTimeStamp
=__parseMutableTimeStampSilently
=__parseSignedLong
=__regexToken
=__regexTokenAsAddress
=__regexTokenAsInteger
=__regexTokenAsLong
=__regexTokenFindAndJoin
=__regexTokenNoWarning
=__replaceAll
=__replaceFirst
=__safeToDate
=__safeToDouble
=__safeToInteger
=__safeToLong
=__safeToRoundedLong
=__setYearToCurrentYear
=__signedNumberToAddress
=__simpleMap
=__split
=__splitAsAddress
=__splitAsInteger
=__stringConstant
=__stringToIPv6Address
=__stringTrim
=__subParse
=__sum
=__toGMTTimeStamp
=__toHex
=__toLocalTimeStamp
=__toLongTimeStamp
=__toLowerCase
=__toUpperCase
=__uri
=__useCurrentYear
=__variableTypeToAddress
=__verifyHexString

Examples
event.deviceCustomString3=__BASE64Decode(fromAttacker)
event.deviceCustomString4=__BASE64Decode(fromVictim)
event.deviceCustomString3=__BASE64Decode(fromAttacker)
event.deviceCustomString4=__BASE64Decode(__oneOf(fromTarget,contextFromTarget))
event.deviceCustomString3=__BASE64Decode(fromAttacker)

token[1].format=__LOOKUP(datablock,${BlockType})
token[1].format=__LOOKUP(datablock2,${BlockType})
token[4].format=__LOOKUP(record,${RecordType})
token[2].format=__LOOKUP(record,${RecordType})
token[10].format=__LOOKUP(rna-event-2.0,${EventType},${EventSubtype})

event.deviceCustomString2=__byteArrayToIPv6String(sourceIPv6)
event.deviceCustomString3=__byteArrayToIPv6String(targetIPv6)
event.deviceCustomIPv6Address2=__byteArrayToIPv6(sourceIPv6)
event.deviceCustomIPv6Address3=__byteArrayToIPv6(targetIPv6)
event.deviceCustomIPv6Address3=__byteArrayToIPv6(IPV6)

event.deviceCustomString2=__byteArrayToIPv6String(sourceIPv6)
event.deviceCustomString3=__byteArrayToIPv6String(targetIPv6)
event.deviceCustomString2=__byteArrayToIPv6String(ThreatSourceIPv6)
event.deviceCustomString3=__byteArrayToIPv6String(IPv6)
event.deviceCustomString2=__byteArrayToIPv6String(ThreatSourceIPv6)

token[1].format=__collection(Name,false,false)

event.deviceCustomString1=__concatenate(inode,rest)
event.message=__concatenate(mergedevent.message,__concatenate(inode,rest))
event.deviceEventClassId=__concatenate(EventSource,":",EventID)
conditionalmap[4].mappings[0].event.deviceCustomString6=__concatenate(Target Domain,"\\",Target Account Name)
conditionalmap[4].mappings[1].event.deviceCustomString6=__concatenate(New Domain,"\\",New Account Name)

extra.queries[0].event.deviceEventClassId=__concatenateDeleting("AppDetective=",CheckID,"#",CheckName,"#",Risk,"#","::Description:: ",VulnerabilityDescription," ::Solution:: ",Fix,"%CVE=",CVEReference,"%|#=/@*")
extra.queries[0].event.deviceEventClassId=__concatenateDeleting("Nessus=",naslId,"#",PluginName,"#",naslRisk,"#",vulnName,"%|#=/@")
extra.queries[0].event.deviceEventClassId=__concatenateDeleting("Faultline=",FaultlineID,"#",Name,"#",Risk,"#","::Description:: ",Description," ::Observation:: ",Observation," ::RiskText:: ",RiskText," ::Recommendation:: ",Recommendation,"%CVE=",CVE,"%Bugtraq=",BID,"%X-Force=",ISSID,"%|#=/@")
extra.queries[0].event.deviceEventClassId=__concatenateDeleting("Faultline=",FaultlineID,"#",Name,"#",Risk,"#","::Description:: ",Description," ::Observation:: ",Observation," ::RiskText:: ",RiskText," ::Recommendation:: ",Recommendation,"%CVE=",CVE,"%|#=/@")
extra.queries[0].event.deviceEventClassId=__concatenateDeleting("Faultline=",FaultlineID,"#",VulnName,"#",Risk,"#","::Description:: ",VulnDescription," ::Observation:: ",Observation," ::RiskText:: ",RiskText," ::Recommendation:: ",Recommendation,"%CVE=",CVE,"%|#=/@")

event.detectTime=__createGMTTimeStamp(Date,Time)
event.detectTime=__createGMTTimeStamp(LocalDatestamp,LocalTimestamp)
event.detectTime=__createGMTTimeStamp(LocalDatestamp,LocalTimestamp)
event.deviceReceiptTime=__createGMTTimeStamp(date,time)
event.deviceReceiptTime=__createGMTTimeStamp(LocalDatestamp,LocalTimestamp)

event.deviceReceiptTime=__createLocalTimeStampFromGMT(GMTDatestamp,GMTTimestamp)
event.detectTime=__createLocalTimeStampFromGMT(GMTDatestamp,GMTTimestamp)
event.deviceReceiptTime=__createLocalTimeStampFromGMT(date,time)
event.deviceReceiptTime=__createLocalTimeStampFromGMT(date,time)
event.deviceReceiptTime=__createLocalTimeStampFromGMT(date,time)

event.detectTime=__createLocalTimeStampFromGMTSecondsMillis(tv_sec,tv_usec)

event.deviceReceiptTime=__createLocalTimeStampFromNTP(sidaAlertTimeStamp)
event.deviceReceiptTime=__createLocalTimeStampFromNTP(sidaAlertTimeStamp)

event.deviceReceiptTime=__createLocalTimeStampFromNanoSeconds(time)
event.deviceReceiptTime=__createLocalTimeStampFromNanoSeconds(time)
event.deviceReceiptTime=__createLocalTimeStampFromNanoSeconds(time)
event.deviceReceiptTime=__createLocalTimeStampFromNanoSeconds(time)
event.deviceReceiptTime=__createLocalTimeStampFromNanoSeconds(time)

event.deviceReceiptTime=__createLocalTimeStampFromSecondsMicrosZone(SECONDS,MSECONDS,null)
event.startTime=__createLocalTimeStampFromSecondsMicrosZone(STARTTIME,null,null)
event.endTime=__createLocalTimeStampFromSecondsMicrosZone(STOPTIME,null,null)
event.deviceReceiptTime=__createLocalTimeStampFromSecondsMicrosZone(__hexStringToLong(__regexToken(timeStamp,"(0x.{8}).*")),__hexStringToLong(__regexToken(timeStamp,"0x.{8}(.*)")),"GMT")
event.deviceReceiptTime=__createLocalTimeStampFromSecondsMicrosZone(Timestamp,0,)

event.deviceCustomDate1=__createLocalTimeStampFromSecondsSinceEpoch(start_time)
event.deviceCustomDate2=__createLocalTimeStampFromSecondsSinceEpoch(stop_time)
event.deviceReceiptTime=__createLocalTimeStampFromSecondsSinceEpoch(Timestamp)
event.startTime=__createLocalTimeStampFromSecondsSinceEpoch(__safeToLong(Start))
event.endTime=__createLocalTimeStampFromSecondsSinceEpoch(__safeToLong(End))

extra.queries[0].event.deviceCustomString3=__createLocalTimeStampStringFromGMTMilliseconds(TimeResolved)
extra.queries[0].event.deviceCustomString4=__createLocalTimeStampStringFromGMTMilliseconds(LastModified)
extra.queries[0].event.deviceCustomString5=__createLocalTimeStampStringFromGMTMilliseconds(TimeRaised)

event.customString6=__createLocalTimeStampStringFromLocalMilliseconds(CollectionTime)

submessage[11].pattern[1].extramappings=event.deviceCustomString1=__stringConstant("done")|event.deviceCustomDate2=__createOptionalTimeStampFromString($5,"yyyy-MM-dd HH:mm:ss zzz")|event.deviceCustomString6Label=__stringConstant("Managed Object")|event.deviceCustomNumber2Label=__stringConstant("Duration")
submessage[12].pattern[1].extramappings=event.deviceCustomString1=__stringConstant("done")|event.deviceCustomDate2=__createOptionalTimeStampFromString($5,"yyyy-MM-dd HH:mm:ss zzz")|event.deviceCustomString6Label=__stringConstant("Managed Object")|event.deviceCustomNumber2Label=__stringConstant("Duration")
submessage[13].pattern[1].extramappings=event.deviceCustomString1=__stringConstant("done")|event.deviceCustomDate2=__createOptionalTimeStampFromString($4,"yyyy-MM-dd HH:mm:ss zzz")|event.deviceCustomString6Label=__stringConstant("Managed Object")
submessage[14].pattern[1].extramappings=event.deviceCustomString1=__stringConstant("done")|event.deviceCustomDate2=__createOptionalTimeStampFromString($4,"yyyy-MM-dd HH:mm:ss zzz")|event.deviceCustomString6Label=__stringConstant("Managed Object")
submessage[15].pattern[1].extramappings=event.deviceCustomString1=__stringConstant("done")|event.deviceCustomDate2=__createOptionalTimeStampFromString($1,"yyyy-MM-dd HH:mm:ss zzz")

conditionalmap[17].mappings[0].event.deviceCustomDate1=__createSafeLocalTimeStamp(__ifThenElse(__regexToken(Previous Date,"(\\d+/\\d+/\\d+)"),,Previous Time,__concatenate(Previous Time," ",Previous Date)),"hh:mm:ss aa MM/dd/yyyy")
conditionalmap[18].mappings[0].event.deviceCustomDate2=__createSafeLocalTimeStamp(__ifThenElse(__regexToken(New Date,"(\\d+/\\d+/\\d+)"),,New Time,__concatenate(New Time," ",New Date)),"hh:mm:ss aa MM/dd/yyyy")
event.deviceReceiptTime=__createSafeLocalTimeStamp(__regexToken(eventTime,"(.*)Z"),"yyyy-MM-dd'T'HH\:mm\:ss")
extra.queries[0].event.deviceReceiptTime=__createSafeLocalTimeStamp(StartTime,"yyyyMMddHHmmss")
extra.queries[1].event.deviceReceiptTime=__createSafeLocalTimeStamp(StartTime,"yyyyMMddHHmmss")

event.deviceReceiptTime=__createTimeStamp(Date,Time)
event.deviceReceiptTime=__createTimeStamp(Date,Time)
event.deviceReceiptTime=__createTimeStamp(Date,Time)
event.deviceReceiptTime=__createTimeStamp(Date,Time)
event.deviceReceiptTime=__createTimeStamp(Date,Time)

event.deviceReceiptTime=__createTimeStampByHexEncodedTime(HexEncodedTime)
event.deviceReceiptTime=__createTimeStampByHexEncodedTime(HexEncodedTime)
event.deviceReceiptTime=__createTimeStampByHexEncodedTime(HexEncodedTime)

event.endTime=__createTimeStampByStartTimeElapsed(start_time,elapsed)
event.endTime=__createTimeStampByStartTimeElapsed(start_time,elapsed)
event.endTime=__createTimeStampByStartTimeElapsed(start_time,elapsed)

event.startTime=__createTimeStampForOpsecStartTime(start_time)
event.startTime=__createTimeStampForOpsecStartTime(start_time)
event.deviceReceiptTime=__createTimeStampForOpsecStartTime(time)
event.deviceReceiptTime=__createTimeStampForOpsecStartTime(time)
event.startTime=__createTimeStampForOpsecStartTime(start_time)

extra.queries[0].event.destinationAddress=__doubleToAddress(IPAddress)
extra.queries[1].event.destinationAddress=__doubleToAddress(IPAddress)
extra.queries[2].event.destinationAddress=__doubleToAddress(IPAddress)
extra.queries[5].event.destinationAddress=__doubleToAddress(IPAddress)
extra.queries[0].event.destinationAddress=__doubleToAddress(IPAddress)

conditionalmap[6].mappings[0].event.sourceNtDomain=__extractNTDomain(User)
conditionalmap[7].mappings[1].event.destinationNtDomain=__extractNTDomain(Supplied Realm Name)
conditionalmap[7].mappings[2].event.destinationNtDomain=__extractNTDomain(User Domain)
conditionalmap[7].mappings[3].event.destinationNtDomain=__extractNTDomain(User ID)
conditionalmap[7].mappings[4].event.destinationNtDomain=__extractNTDomain(Logon by)

conditionalmap[2].mappings[0].event.sourceUserName=__extractNTUser(__oneOf(Caller User Name,Client User Name,Account,Account Name,Logon account,User account,User Name))
conditionalmap[2].mappings[2].event.sourceUserName=__extractNTUser(User)
conditionalmap[3].mappings[0].event.destinationUserName=__extractNTUser(__oneOf(New Account Name,Primary User Name,Target Account Name,Assigned To,Target User Name,User))
conditionalmap[3].mappings[2].event.destinationUserName=__extractNTUser(Logon account)
conditionalmap[3].mappings[3].event.destinationUserName=__extractNTUser(User Name)

event.protocol=__extractProtocol(InputType)
event.protocol=__extractProtocol(InputType)
event.protocol=__extractProtocol(InputType)

extra.queries[0].event.destinationHostName=__foundScanHostName(DNSName)
extra.queries[1].event.destinationHostName=__foundScanHostName(DNSName)
extra.queries[2].event.destinationHostName=__foundScanHostName(DNSName)
extra.queries[5].event.destinationHostName=__foundScanHostName(DNSName)
extra.queries[0].event.destinationHostName=__foundScanHostName(DNSName)

event.agentSeverity=__getCEFSeverity(Severity)
event.agentSeverity=__getCEFSeverity(Severity)
event.agentSeverity=__getCEFSeverity(__stringConstant(Low))

conditionalmap[0].mappings[2].event.deviceDirection=__getDeviceDirection(Method)
event.deviceDirection=__getDeviceDirection(connectionDirection)
submessage[29].pattern[34].extramappings=event.deviceEventClassId\=__stringConstant("srv_S1_VPN_IKEv2\: Deleting SPI")|event.name\=__stringConstant("Deleting SPI")|event.deviceCustomString2Label\=__stringConstant("SPI")|event.deviceCustomString6Label\=__stringConstant("Tunnel")|event.deviceDirection\=__getDeviceDirection($6)
submessage[29].pattern[37].extramappings=event.deviceEventClassId\=__stringConstant("srv_S1_VPN_IKEv2\: Query SA")|event.name\=__stringConstant("Query SA")|event.deviceCustomString2Label\=__stringConstant("SPI")|event.deviceCustomString6Label\=__stringConstant("Tunnel")|event.deviceDirection\=__getDeviceDirection($6)
submessage[29].pattern[39].extramappings=event.deviceEventClassId\=__stringConstant("srv_S1_VPN_IKEv2\: SA Direction")|event.name\=__stringConstant("SA Direction")|event.deviceCustomString6Label\=__stringConstant("Tunnel")|event.deviceDirection\=__getDeviceDirection($5)

additionaldata.SourceIpV6Address=__getIpV6AddressFromHighLow(SrcIPv6High,SrcIPv6Low)
additionaldata.DestinationIpV6Address=__getIpV6AddressFromHighLow(DestIPv6High,DestIPv6Low)
additionaldata.SourceIpV6Address=__getIpV6AddressFromHighLow(SrcIPv6High,SrcIPv6Low)
additionaldata.DestinationIpV6Address=__getIpV6AddressFromHighLow(DestIPv6High,DestIPv6Low)
additionaldata.SourceIpV6Address=__getIpV6AddressFromHighLow(SrcIPv6High,SrcIPv6Low)

event.deviceAction=__getIronMailActions(sidaAlertActionsTaken)
event.deviceAction=__getIronMailActions(sidaAlertActionsTaken)

event.name=__getIronMailAlertImpact(sidaAlertImpact)

event.deviceCustomString1=__getIronMailEventStatus(sidaAlertEventStatus)

event.sourceMacAddress=__getLongMACAddressByHexString(__oneOf(in_src_mac,out_src_mac,__ifThenElse(direction,"1",staMacAddress,)))
event.destinationMacAddress=__getLongMACAddressByHexString(__oneOf(in_dst_mac,out_dst_mac,__ifThenElse(direction,"0",staMacAddress,)))
event.deviceMacAddress=__getLongMACAddressByHexString(wtpMacAddress)
event.sourceMacAddress=__getLongMACAddressByHexString(sourceMAC)
event.sourceMacAddress=__getLongMACAddressByHexString(MAC_Address)

event.sourceMacAddress=__getLongMACAddressByString(__oneOf(OffenderMac,__ifThenElse(Offender,,__regexToken(device,"^([\\w:]+).*$"),__regexToken(Offender,"^.*?,([\\w:]+).*$"))))
event.destinationMacAddress=__getLongMACAddressByString(__oneOf(SensorMac,__regexToken(sensor,"^([\\w:]+).*$"),Sensor))
event.sourceMacAddress=__getLongMACAddressByString(mac)
submessage[0].pattern[0].extramappings=event.name=__concatenate("Station ",$4," KEY_MGMT")|event.destinationMacAddress=__getLongMACAddressByString($3)
submessage[1].pattern[0].extramappings=event.name=__stringConstant(Deauthenticating Station)|event.destinationMacAddress=__getLongMACAddressByString($2)

event.deviceSeverity=__getManhuntPriority(SEVERITY,RELIABILITY)
extra.queries[0].event.deviceSeverity=__getManhuntPriority(SEVERITY,RELIABILITY)
event.deviceSeverity=__getManhuntPriority(SEVERITY,RELIABILITY)
extra.queries[0].event.deviceSeverity=__getManhuntPriority(SEVERITY,RELIABILITY)
event.deviceSeverity=__getManhuntPriority(SEVERITY,RELIABILITY)

extra.queries[2].event.filePath=__getNormalizedOS(os)
extra.queries[2].event.filePath=__getNormalizedOS(OSName)
extra.queries[2].event.filePath=__getNormalizedOS(OSName)
extra.queries[1].event.filePath=__getNormalizedOS(OSName)
extra.queries[1].event.filePath=__getNormalizedOS(OSName)

event.sourcePort=__getNotZeroPort(srcport)
event.destinationPort=__getNotZeroPort(dstport)
event.sourcePort=__getNotZeroPort(srcport)
event.destinationPort=__getNotZeroPort(dstport)

submessage[6].pattern[2].extramappings=event.originator=__getOriginatorFromSourcePort($3,1024)
submessage[0].pattern[8].extramappings=event.name=__concatenate($8," time stamp reply")|event.deviceCustomString3Label=__stringConstant("Protocol")|event.deviceCustomNumber1Label=__stringConstant(TTL)|event.deviceCustomNumber2Label=__stringConstant(IPID)|event.deviceCustomNumber3Label=__stringConstant(IPLength)|event.deviceCustomString6Label=__stringConstant(IPFlags)|event.deviceEventClassId=__concatenate($8," time stamp reply")|event.originator=__getOriginator(Destination)
submessage[0].pattern[10].extramappings=event.name=__concatenate($8," time exceeded in-transit")|event.deviceCustomString3Label=__stringConstant("Protocol")|event.deviceCustomNumber1Label=__stringConstant(TTL)|event.deviceCustomNumber2Label=__stringConstant(IPID)|event.deviceCustomNumber3Label=__stringConstant(IPLength)|event.deviceCustomString6Label=__stringConstant(IPFlags)|event.deviceEventClassId=__concatenate($8," time exceeded in-transit")|event.originator=__getOriginator(Destination)
submessage[0].pattern[11].extramappings=event.name=__concatenate($8," router solicitation")|event.deviceCustomString3Label=__stringConstant("Protocol")|event.deviceCustomNumber1Label=__stringConstant(TTL)|event.deviceCustomNumber2Label=__stringConstant(IPID)|event.deviceCustomNumber3Label=__stringConstant(IPLength)|event.deviceCustomString6Label=__stringConstant(IPFlags)|event.deviceEventClassId=__concatenate($8," router solicitation")|event.originator=__getOriginator(Destination)
submessage[0].pattern[14].extramappings=event.deviceCustomString3Label=__stringConstant(Fragment)|event.deviceCustomNumber1Label=__stringConstant(TTL)|event.deviceCustomNumber2Label=__stringConstant(IPID)|event.deviceCustomNumber3Label=__stringConstant(IPLength)|event.name=__concatenate($10," packet")|event.deviceCustomString6Label=__stringConstant(IPFlags)|event.deviceEventClassId=__concatenate($10," packet")|event.originator=__getOriginatorFromSourcePort($7,1024)

submessage[6].pattern[2].extramappings=event.originator=__getOriginatorFromSourcePort($3,1024)
submessage[0].pattern[14].extramappings=event.deviceCustomString3Label=__stringConstant(Fragment)|event.deviceCustomNumber1Label=__stringConstant(TTL)|event.deviceCustomNumber2Label=__stringConstant(IPID)|event.deviceCustomNumber3Label=__stringConstant(IPLength)|event.name=__concatenate($10," packet")|event.deviceCustomString6Label=__stringConstant(IPFlags)|event.deviceEventClassId=__concatenate($10," packet")|event.originator=__getOriginatorFromSourcePort($7,1024)
submessage[0].pattern[15].extramappings=event.deviceCustomString3Label=__stringConstant(Fragment)|event.deviceCustomNumber1Label=__stringConstant(TTL)|event.deviceCustomNumber2Label=__stringConstant(IPID)|event.deviceCustomNumber3Label=__stringConstant(IPLength)|event.name=__concatenate("Failed ",$10," packet")|event.deviceCustomString6Label=__stringConstant(IPFlags)|event.deviceEventClassId=__concatenate("Failed ",$10," packet")|event.originator=__getOriginatorFromSourcePort($7,1024)
submessage[0].pattern[35].extramappings=event.deviceCustomNumber1Label=__stringConstant(TTL)|event.deviceCustomNumber2Label=__stringConstant(IPID)|event.deviceCustomNumber3Label=__stringConstant(IPLength)|event.name=__stringConstant(DNS PTR request)|event.deviceCustomString1Label=__stringConstant(requestedAddress)|event.applicationProtocol=__stringConstant(DNS)|event.deviceCustomString6Label=__stringConstant(IPFlags)|event.deviceEventClassId=__stringConstant(DNS PTR request)|event.originator=__getOriginatorFromSourcePort($7,1024)
submessage[0].pattern[36].extramappings=event.deviceCustomNumber1Label=__stringConstant(TTL)|event.deviceCustomNumber2Label=__stringConstant(IPID)|event.deviceCustomNumber3Label=__stringConstant(IPLength)|event.name=__stringConstant(Failed DNS PTR request)|event.deviceCustomString1Label=__stringConstant(requestedAddress)|event.applicationProtocol=__stringConstant(DNS)|event.deviceCustomString6Label=__stringConstant(IPFlags)|event.deviceEventClassId=__stringConstant(Failed DNS PTR request)|event.originator=__getOriginatorFromSourcePort($7,1024)

event.applicationProtocol=__getProtocolName(proto)
event.transportProtocol=__getProtocolName(protocol)
event.protocol=__getProtocolName(DragonProtocol)
event.protocol=__getProtocolName(DragonProtocol)
event.transportProtocol=__getProtocolName(protocol)

event.applicationProtocol=__getProtocolNameFromString(service)

submessage[0].pattern[0].extramappings=event.deviceSeverity=__getSymantecNSPriority($1,$2)|event.deviceCustomNumber1Label=__stringConstant("Severity")|event.deviceCustomNumber2Label=__stringConstant("Reliability")|event.deviceCustomString2Label=__stringConstant("IncidentID")

event.deviceTimeZone=__getTimeZone(timezone)
event.deviceTimeZone=__getTimeZone(__regexToken(timezone,"\\-?(.*)"))
event.deviceTimeZone=__getTimeZone(TimeZone)
event.deviceTimeZone=__getTimeZone(offset)
event.deviceTimeZone=__getTimeZone(offset)

event.sourceHostName=__getTrendMicroHostName(VLF_InfectionSource)
event.destinationHostName=__getTrendMicroHostName(VLF_InfectionDestination)
event.sourceHostName=__getTrendMicroHostName(VLF_InfectionSource)
event.destinationHostName=__getTrendMicroHostName(VLF_InfectionDestination)
event.sourceHostName=__getTrendMicroHostName(VLF_InfectionSource)

event.sourceUserName=__getTrendMircoUser(VLF_InfectionSource)
event.destinationUserName=__getTrendMircoUser(VLF_InfectionDestination,FVL_LoginUser)
event.sourceUserName=__getTrendMircoUser(VLF_InfectionSource)
event.destinationUserName=__getTrendMircoUser(VLF_InfectionDestination,FVL_LoginUser)
event.sourceUserName=__getTrendMircoUser(VLF_InfectionSource)

event.type=__getType("AGGREGATED")
event.type=__getType("AGGREGATED")
submessage[4].pattern[1].extramappings=event.type=__getType("AGGREGATED")|event.deviceEventClassId=__stringConstant(arcsight:4:1)
submessage[10].pattern[21].extramappings=event.type=__getType("AGGREGATED")|event.deviceEventClassId=__stringConstant(arcsight:10:20)
submessage[0].pattern[4].extramappings=event.type=__getType("AGGREGATED")

event.deviceVendor=__getVendor("Microsoft")
event.deviceVendor=__getVendor(Microsoft)
event.deviceVendor=__getVendor(Microsoft)
event.deviceVendor=__getVendor(Microsoft)
event.deviceVendor=__getVendor(Microsoft)

extra.queries[0].event.categoryTechnique=__getVulnerabilityCategory(0)
extra.queries[1].event.categoryTechnique=__getVulnerabilityCategory(1)
extra.queries[0].event.categoryTechnique=__getVulnerabilityCategory(4)
extra.queries[0].event.categoryTechnique=__getVulnerabilityCategory(4)
extra.queries[0].event.categoryTechnique=__getVulnerabilityCategory(0)

extra.queries[0].event.deviceEventClassId=__getXForceStringFor(vulnId)
extra.queries[0].event.deviceEventClassId=__getXForceStringFor(vulnId)

submessage[1566].pattern[9].mappings=__hexStringToAddress($1)|__hexStringToAddress($2)
submessage[1566].pattern[12].mappings=__hexStringToAddress($1)|__hexStringToAddress($2)
event.sourceAddress=__hexStringToAddress(SOURCE_IP)
event.targetAddress=__hexStringToAddress(TARGET_IP)
event.deviceAddress=__hexStringToAddress(SENSOR_IP)

event.deviceCustomIPv6Address2=__hexStringToIPV6Address(SOURCE_IP)
event.deviceCustomIPv6Address3=__hexStringToIPV6Address(TARGET_IP)
event.deviceCustomIPv6Address1=__hexStringToIPV6Address(SENSOR_IP)
event.deviceCustomIPv6Address2=__hexStringToIPV6Address(SOURCE_IP)
event.deviceCustomIPv6Address3=__hexStringToIPV6Address(TARGET_IP)

event.deviceCustomNumber1=__hexStringToLong(numberOfReads)
event.fileSize=__hexStringToLong(fileSize)
event.bytesIn=__hexStringToLong(bytesWritten)
event.bytesOut=__hexStringToLong(bytesRead)

event.requestUrl=__hexStringToString(Resource)
additionaldata.request=__hexStringToString(Request)
event.destinationUserName=__hexStringToString(user)
event.requestUrl=__hexStringToString(Resource)
additionaldata.decryption_failure=__hexStringToString(Decryption_failure)

submessage[111].pattern[0].extramappings=event.deviceCustomNumber3=__hourMinuteSecondsToSeconds($14)|event.bytesIn=__safeToInteger($15)|event.deviceAction=__stringConstant("Teardown connection")
submessage[111].pattern[1].extramappings=event.deviceCustomNumber3=__hourMinuteSecondsToSeconds($13)|event.bytesIn=__safeToInteger($14)|event.deviceAction=__stringConstant("Teardown connection")
submessage[111].pattern[2].extramappings=event.deviceCustomNumber3=__hourMinuteSecondsToSeconds($14)|event.bytesIn=__safeToInteger($15)|event.deviceAction=__stringConstant("Teardown connection")
submessage[111].pattern[3].extramappings=event.deviceCustomNumber3=__hourMinuteSecondsToSeconds($14)|event.bytesIn=__safeToInteger($15)|event.deviceAction=__stringConstant("Teardown connection")
submessage[111].pattern[4].extramappings=event.deviceCustomNumber3=__hourMinuteSecondsToSeconds($12)|event.bytesIn=__safeToInteger($13)|event.deviceAction=__stringConstant("Teardown connection")

conditionalmap[2].mappings[4].event.sourceUserName=__ifAorBThenElse(\
conditionalmap[3].mappings[1].event.destinationUserName=__ifAorBThenElse(\
event.oldFileName=__ifAorBThenElse(__regexTokenNoWarning(AUTHENTICATION_TYPE,".*?HOST=(\\d+\\.\\d+\\.\\d+\\.\\d+).*"),"",,,__concatenate("Host : ",__regexTokenNoWarning(AUTHENTICATION_TYPE,".*?HOST=(\\d+\\.\\d+\\.\\d+\\.\\d+).*"),"   Port : ",__regexTokenNoWarning(AUTHENTICATION_TYPE,".*?PORT=(\\d+).*"),"   Protocol : ",__regexTokenNoWarning(AUTHENTICATION_TYPE,".*?PROTOCOL=(\\S*?)\\)\\(.*")))
event.oldFilePath=__ifAorBThenElse(__regexTokenNoWarning(COMMENT_TEXT,".*?HOST=(\\d+\\.\\d+\\.\\d+\\.\\d+).*"),"",,,__concatenate("Host : ",__regexTokenNoWarning(COMMENT_TEXT,".*?HOST=(\\d+\\.\\d+\\.\\d+\\.\\d+).*"),"    Port : ",__regexTokenNoWarning(COMMENT_TEXT,".*?PORT=(\\d+).*"),"   Protocol : ",__regexTokenNoWarning(COMMENT_TEXT,".*?PROTOCOL=(\\S*?)\\)\\(.*")))
event.deviceCustomDate1Label=__ifAorBThenElse(threatTime,,"",,__stringConstant("Threat Time"))

event.eventOutcome=__ifGreaterOrEqual(EventStatus,"0","Success","Failure")
event.eventOutcome=__ifGreaterOrEqual(EventStatus,"0","Success","Failure")
event.eventOutcome=__ifGreaterOrEqual(EventStatus,"0","Success","Failure")
event.eventOutcome=__ifGreaterOrEqual(EventStatus,"0","Success","Failure")
event.eventOutcome=__ifGreaterOrEqual(EventStatus,"0","Success","Failure")

event.flexString2Label=__ifThenElse(ppid,,,__stringConstant("Parent Process ID"))
event.deviceCustomString6=__ifThenElse(terminal,"?",,terminal)
event.sourceHostName=__ifThenElse(hostname,__regexToken(hostname,"([^?&&\\S]+).*"),__split(hostname,",",1),)
event.flexString2Label=__ifThenElse(direction,,,__stringConstant("Device Direction"))
conditionalmap[14].mappings[1].event.destinationHostName=__ifThenElse(Client Address,"127.0.0.1",ComputerName,Client Address)

event.sourceAddress=__ifThenElseAddress(ID,"30",__ifThenElseAddress(_DEVICE_VERSION,"2003",__splitAsAddress(__reverseDottedDecimalAddressByteOrder(__longToDot4QuadAddress(IP_Address)),,),IP_Address),IP_Address)
conditionalmap[0].mappings[4].event.destinationAddress=__ifThenElseAddress(mergedevent.destinationAddress,,ip,mergedevent.destinationAddress)

event.sourceHostName=__ifTrueThenElse(__contains(UserName,"::"),__split(UserName,"::","1"),)
event.sourceHostName=__ifTrueThenElse(__contains(user,"::"),__split(user,"::","1"),)
event.sourceHostName=__ifTrueThenElse(__contains(User,"::"),__split(__regexTokenNoWarning(User,"(\\S+)"),"::","1"),)
additionaldata.defaultHostName=__ifTrueThenElse(__contains(User,"::"),__split(User,"::","1"),)
additionaldata.FIELDNAME=__ifTrueThenElse(__contains(FIELDNAME,"."),__replaceAll(__regexToken(FIELDNAME,".*\\.(.*)")," ",""),FIELDNAME)

event.destinationAddress=__ignoreZeroIp(IP_ADDR1)
event.deviceAddress=__ignoreZeroIp(SERVER_IP)
conditionalmap[0].mappings[0].event.sourceAddress=__ignoreZeroIp(LOCAL_HOST_IP)
conditionalmap[0].mappings[0].event.destinationAddress=__ignoreZeroIp(REMOTE_HOST_IP)
conditionalmap[0].mappings[1].event.sourceAddress=__ignoreZeroIp(REMOTE_HOST_IP)

conditionalmap[0].mappings[0].event.sourceMacAddress=__ignoreZeroMac(__getLongMACAddressByHexString(LOCAL_HOST_MAC))
conditionalmap[0].mappings[0].event.destinationMacAddress=__ignoreZeroMac(__getLongMACAddressByHexString(REMOTE_HOST_MAC))
conditionalmap[0].mappings[1].event.sourceMacAddress=__ignoreZeroMac(__getLongMACAddressByHexString(REMOTE_HOST_MAC))
conditionalmap[0].mappings[1].event.destinationMacAddress=__ignoreZeroMac(__getLongMACAddressByHexString(LOCAL_HOST_MAC))
conditionalmap[0].mappings[0].event.sourceMacAddress=__ignoreZeroMac(__getLongMACAddressByHexString(LOCAL_HOST_MAC))

submessage[0].pattern[1].extramappings=event.destinationPort=__integerConstant(80)
submessage[0].pattern[2].extramappings=event.destinationPort=__integerConstant(443)
submessage[0].pattern[4].extramappings=event.destinationPort=__integerConstant(80)
submessage[0].pattern[5].extramappings=event.destinationPort=__integerConstant(443)

event.sourceAddress=__integerToAddressMcAfee(__safeToInteger(sourceaddress))
event.destinationAddress=__integerToAddressMcAfee(__safeToInteger(targetipaddress))
event.sourceAddress=__integerToAddressMcAfee(__safeToInteger(ThreatSourceIPv4))
event.destinationAddress=__integerToAddressMcAfee(__safeToInteger(IPv4))
event.sourceAddress=__integerToAddressMcAfee(__safeToInteger(ThreatSourceIPv4))

event.deviceCustomNumber1=__integerToLong(count)
event.deviceCustomNumber1=__integerToLong(vlanid)

conditionalmap[0].mappings[3].event.deviceCustomNumber3=__length(%3)

event.deviceCustomString1=__longToDot4QuadAddress(nexthop)
event.deviceCustomString1=__longToDot4QuadAddress(ipv4_next_hop)
event.deviceCustomString1=__longToDot4QuadAddress(ip_next_hop)

conditionalmap[0].mappings[6].event.destinationProcessId=__longToInteger(__oneOfLong(__ifThenElse(Process Information:Process ID,,"",__hexStringToLong(__ifThenElse(Process Information:Process ID,,"",Process Information:Process ID)))))
conditionalmap[0].mappings[10].event.destinationProcessId=__longToInteger(__oneOfLong(__ifThenElse(Process Information:Process ID,,"",__hexStringToLong(__ifThenElse(Process Information:Process ID,,"",Process Information:Process ID)))))
conditionalmap[0].mappings[11].event.sourceProcessId=__longToInteger(__oneOfLong(__ifThenElse(Process Information:Caller Process ID,,"",__hexStringToLong(__ifThenElse(Process Information:Caller Process ID,,"",Process Information:Caller Process ID)))))
conditionalmap[0].mappings[14].event.destinationProcessId=__longToInteger(__oneOfLong(__ifThenElse(Process Information:Process ID,,"",__hexStringToLong(__ifThenElse(Process Information:Process ID,,"",Process Information:Process ID)))))
conditionalmap[0].mappings[22].event.destinationProcessId=__longToInteger(__oneOfLong(__ifThenElse(Process Information:Process ID,,"",__hexStringToLong(__ifThenElse(Process Information:Process ID,,"",Process Information:Process ID)))))

event.deviceCustomString5=__longToString(HOSTID)
event.flexString1=__longToString(AnalyzerContentCreationDate)
event.deviceInboundInterface=__longToString(interface_input_snmp)
event.deviceOutboundInterface=__longToString(interface_output_snmp)
event.deviceSeverity=__longToString(__oneOfLong(__safeToLong(status),__hexStringToLong(status)))

event.deviceReceiptTime=__longToTimeStamp(__safeToLong(__regexTokenFindAndJoin(timestamp,"(\\d+)",,,)))
event.deviceCustomDate1=__longToTimeStamp(registeredAt)
conditionalmap[0].mappings[2].event.deviceCustomDate1=__longToTimeStamp(__safeToLong(__concatenate(time,"000")))
conditionalmap[0].mappings[3].event.deviceCustomDate1=__longToTimeStamp(__safeToLong(__concatenate(time,"000")))
conditionalmap[0].mappings[4].event.deviceCustomDate1=__longToTimeStamp(__safeToLong(__concatenate(time,"000")))

event.destinationAddress=__mazuProfilerDestinationAddress(__longToString(__safeToLong(type)),dst_ip_csv)

event.deviceCustomString1=__multilineRegexToken(Result,"(?s)(.{0,1023}).*")
additionaldata.expltDescription=__multilineRegexToken(ExpltDescription,"(?s)(.{0,1023}).*")
additionaldata.expltDescription=__multilineRegexToken(ExpltDescription,"(?s)(.{0,1023}).*")
conditionalmap[0].mappings[13].event.deviceCustomString1=__multilineRegexToken(%5,"(?s).*Unrepairable virus (.*) was found.*")
conditionalmap[0].mappings[13].event.deviceCustomString4=__multilineRegexToken(%4,"(?s).*Rule:\\s*(.*)\\s*")

event.targetAddress=__noDot4QuadStringsToAddress(DSTIP_A,DSTIP_B,DSTIP_C,DSTIP_D)
event.sourceAddress=__noDot4QuadStringsToAddress(SRCIP_A,SRCIP_B,SRCIP_C,SRCIP_D)
event.targetAddress=__noDot4QuadStringsToAddress(dest_ip1,dest_ip2,dest_ip3,dest_ip4)
event.sourceAddress=__noDot4QuadStringsToAddress(src_ip1,src_ip2,src_ip3,src_ip4)

event.deviceAddress=__numberToAddress(__safeToLong(orig))
event.sourceAddress=__numberToAddress(__safeToLong(client_ip))
event.deviceAddress=__numberToAddress(__oneOfLong(orig,endpoint_ip))
event.sourceAddress=__numberToAddress(__oneOfLong(src,Src))
event.destinationAddress=__numberToAddress(__oneOfLong(dst,Dst))

event.sourcePort=__oneOfInteger(src,sport,rport)
event.sourceProcessId=__oneOfInteger(pid,Spid)
event.destinationProcessName=__oneOf(exe,comm)
event.destinationUserId=__oneOf(__regexToken(auid,"([a-zA-Z0-9:?]*)"),new auid,__oneOf(old auid,old-auid))
event.destinationPort=__oneOfInteger(dest,dport,__regexToken(lport,"(\\d+).*"))

event.sourceAddress=__oneOfAddress(Client Address,Source Network Address)
conditionalmap[0].mappings[1].event.destinationAddress=__oneOfAddress(Key[0])
conditionalmap[0].mappings[3].event.sourceAddress=__oneOfAddress(Key[0])
conditionalmap[0].mappings[11].event.destinationAddress=__oneOfAddress(Key[0])
conditionalmap[0].mappings[26].event.destinationAddress=__oneOfAddress(Key[1])

event.deviceReceiptTime=__oneOfDateTime(__safeToDate(__concatenate(date," ",time," GMT"),"yyyy-MM-dd HH:mm:ss Z"),__safeToDate(__regexTokenNoWarning(localtime,"\\[([^\\]]+)\\]"),"dd/MMM/yyyy:HH:mm:ss Z"))
event.deviceReceiptTime=__oneOfDateTime(__safeToDate(__concatenate(date," ",time," GMT"),"yyyy-MM-dd HH:mm:ss Z"),__safeToDate(__regexTokenNoWarning(localtime,"\\[([^\\]]+)\\]"),"dd/MMM/yyyy:HH:mm:ss Z"))
event.deviceReceiptTime=__oneOfDateTime(__safeToDate(__concatenate(date," ",time," GMT"),"yyyy-MM-dd HH:mm:ss Z"),__safeToDate(__regexTokenNoWarning(localtime,"\\[([^\\]]+)\\]"),"dd/MMM/yyyy:HH:mm:ss Z"))
event.deviceReceiptTime=__oneOfDateTime(__safeToDate(__concatenate(date," ",time," GMT"),"yyyy-MM-dd HH:mm:ss Z"),__safeToDate(__regexTokenNoWarning(localtime,"\\[([^\\]]+)\\]"),"dd/MMM/yyyy:HH:mm:ss Z"))
event.deviceCustomDate1=__oneOfDateTime(__createTimeStampForOpsecStartTime(local_time),__createTimeStampByStartTimeElapsed(start_time,elapsed))

event.destinationHostName=__oneOfHostName(TargetHostName,TargetHostNameRegistered)
event.destinationHostName=__oneOfHostName(TargetHostName,TargetHostNameRegistered)
event.targetHostName=__oneOfHostName(TargetHostName,TargetHostNameRegistered)
event.destinationHostName=__oneOfHostName(TargetHostName,TargetHostNameRegistered)
event.destinationHostName=__oneOfHostName(TargetHostName,TargetHostNameRegistered)

event.sourcePort=__oneOfInteger(src,sport,rport)
event.sourceProcessId=__oneOfInteger(pid,Spid)
event.destinationPort=__oneOfInteger(dest,dport,__regexToken(lport,"(\\d+).*"))
event.destinationProcessId=__oneOfInteger(Process ID,Target Process ID,Source Process ID,New Process ID)
conditionalmap[0].mappings[10].event.bytesOut=__oneOfInteger(Key[9])

event.deviceCustomNumber2=__oneOfLong(ses,new ses,__oneOfLong(old ses,old-ses))
conditionalmap[0].mappings[10].event.deviceCustomNumber1=__oneOfLong(Key[7])
conditionalmap[0].mappings[10].event.deviceCustomNumber2=__oneOfLong(Key[8])
submessage[29].pattern[28].extramappings=event.deviceEventClassId\=__stringConstant("srv_S1_VPN_IKEv2\: Policy Refcount")|event.name\=__stringConstant("Policy Refcount")|event.deviceCustomNumber2\=__oneOfLong($6,$7)|event.deviceCustomNumber2Label\=__stringConstant("Refcount")|event.deviceCustomString6Label\=__stringConstant("Tunnel")|event.deviceCustomString2Label\=__stringConstant("Policy")
event.deviceCustomNumber1=__oneOfLong(Payload,__hourMinuteSecondsToSeconds(elapsed))

event.destinationMacAddress=__oneOfMac(DestMac)
event.sourceMacAddress=__oneOfMac(SourceMacAddress)
event.destinationMacAddress=__oneOfMac(DestinationMacAddress)
event.deviceMacAddress=__oneOfMac(__regexTokenNoWarning(Accesspoint,"(\\S+)\\@\\S+"))
event.sourceMacAddress=__oneOfMac(Calling-Station-ID)

event.sourceHostName=__oneOfNetBIOSName(Address,Source Workstation,Workstation Name,Workstation,Caller Machine Name,Client Name)
event.sourceHostName=__oneOfNetBIOSName(Subject:Client Name,Network Information:Workstation Name,Source Workstation,Additional Information:Client Name)
conditionalmap[18].mappings[0].event.sourceHostName=__oneOfNetBIOSName(Address,Source Workstation,Workstation Name,Workstation,Caller Machine Name,Client Name)
conditionalmap[0].mappings[12].event.sourceHostName=__oneOfNetBIOSName(WorkstationName)
conditionalmap[0].mappings[19].event.sourceHostName=__oneOfNetBIOSName(WorkstationName)

conditionalmap[0].mappings[6].event.deviceCustomDate1=__parseMultipleTimeStamp(__ifThenElse(__regexToken(Previous Date,"(\\d+/\\d+/\\d+)"),,Previous Time,__concatenate(Previous Date," ",Previous Time)),"MM/dd/yyyy hh:mm:ss aa","yyyy-MM-dd'T'HH:mm:ss")
conditionalmap[0].mappings[6].event.deviceCustomDate2=__parseMultipleTimeStamp(__ifThenElse(__regexToken(New Date,"(\\d+/\\d+/\\d+)"),,New Time,__concatenate(New Date," ",New Time)),"MM/dd/yyyy hh:mm:ss aa","yyyy-MM-dd'T'HH:mm:ss")
conditionalmap[0].mappings[11].event.deviceCustomDate1=__parseMultipleTimeStamp(Previous Time,"MM/dd/yyyy hh:mm:ss aa","yyyy-MM-dd'T'HH:mm:ss")
conditionalmap[0].mappings[11].event.deviceCustomDate2=__parseMultipleTimeStamp(New Time,"MM/dd/yyyy hh:mm:ss aa","yyyy-MM-dd'T'HH:mm:ss")
conditionalmap[0].mappings[10].event.startTime=__parseMultipleTimeStamp(__concatenate(Key[3]," ",Key[4]),"MM/dd/yyyy hh:mm aa")

event.startTime=__parseMutableTimeStampSilently(start)
event.endTime=__parseMutableTimeStampSilently(end)
event.deviceReceiptTime=__parseMutableTimeStampSilently(rt)
event.agentReceiptTime=__parseMutableTimeStampSilently(art)
event.managerReceiptTime=__parseMutableTimeStampSilently(mrt)

event.startTime=__parseMutableTimeStampSilently(start)
event.endTime=__parseMutableTimeStampSilently(end)
event.deviceReceiptTime=__parseMutableTimeStampSilently(rt)
event.agentReceiptTime=__parseMutableTimeStampSilently(art)
event.managerReceiptTime=__parseMutableTimeStampSilently(mrt)

event.deviceCustomNumber1=__parseSignedLong(delta)

event.sourceUserName=__regexToken(__oneOf(user,old-seuser),"([a-zA-Z0-9]*).*?")
event.sourceAddress=__regexTokenAsAddress(__oneOf(addr,saddr),"([0-9.]*).*")
event.sourceUserId=__regexToken(__oneOf(sauid,uid),"([a-zA-Z0-9?]*)")
event.destinationUserName=__regexToken(__oneOf(new-seuser,acct),"([a-zA-Z0-9]*).*?")
event.destinationAddress=__regexTokenAsAddress(__oneOf(daddr,laddr),"([0-9.]*).*")

event.sourceAddress=__regexTokenAsAddress(__oneOf(addr,saddr),"([0-9.]*).*")
event.destinationAddress=__regexTokenAsAddress(__oneOf(daddr,laddr),"([0-9.]*).*")
event.sourceAddress=__regexTokenAsAddress(addr,"([0-9.]*).*")
event.destinationAddress=__regexTokenAsAddress(laddr,"([0-9.]*).*")
conditionalmap[0].mappings[7].event.sourceAddress=__regexTokenAsAddress(Key[0],"(\\d+.\\d+.\\d+.\\d+):\\d+")

event.destinationPort=__regexTokenAsInteger(lport,"(\\d+).*")
event.sourcePort=__regexTokenAsInteger(rport,"(\\d+).*")
event.targetPort=__regexTokenAsInteger(Port number,"\\s*(\\d+)")
conditionalmap[0].mappings[4].event.sourcePort=__regexTokenAsInteger(Key[2],"\\S+-(\\d+)")
conditionalmap[0].mappings[5].event.sourcePort=__regexTokenAsInteger(Key[1],"\\S+-(\\d+)")

conditionalmap[0].mappings[37].event.deviceCustomNumber3=__regexTokenAsLong(Key[1],"(\\d*)")
conditionalmap[0].mappings[30].event.deviceCustomNumber3=__regexTokenAsLong(Key[1],"(\\d*)")
event.fileSize=__regexTokenAsLong(file_size,".*(\\d*)")
event.deviceCustomNumber1=__regexTokenAsLong(EscalationValue,"0*(\\d*)")
event.deviceCustomNumber2=__regexTokenAsLong(datversion,\\d.\\d.(\\d+))

event.deviceCustomString2=__regexTokenFindAndJoin(INFO,"((?:CVE|CAN)\\-\\d+\\-\\d+)",",","","")
conditionalmap[0].mappings[3].event.deviceCustomString6=__regexTokenFindAndJoin(__replaceAll(%3,"\\n","\\$\\$"),"((?:Invoke\\-WmiMethod|Get\\-WmiObject|Get\\-CimAssociatedInstance|Get\\-CimClass|Get\\-CimInstance|Get\\-CimSession|Set\\-WmiInstance|Set\\-CmiInstance|Invoke\\-WmiMethod|Invode\\-CimMethod|New\\-CimInstance|New\\-CimSesstion|New\\-CimSesstionOption|Register\\-CmiIndicationEvent|Register\\-WmiEvent|Remove\\-CimInstance|Remove\\-WmiObject|Remove\\-CimSession) .*?)\\$\\$","|",,)

conditionalmap[0].mappings[0].event.destinationHostName=__regexTokenNoWarning(additionalEventData,.*loginTo.*?:\\"([^\"]+)\\".*)
conditionalmap[0].mappings[0].event.eventOutcome=__regexTokenNoWarning(responseElements,".*ConsoleLogin:\"([^\"]+)\"")
conditionalmap[0].mappings[0].event.deviceCustomString6=__regexTokenNoWarning(additionalEventData,.*MFAUsed.*?:\\"([^\"]+)\\".*)
conditionalmap[0].mappings[0].event.deviceCustomString5=__regexTokenNoWarning(additionalEventData,.*SamlProviderArn.*?:\\"([^\"]+)\\".*)
conditionalmap[0].mappings[1].event.destinationHostName=__regexTokenNoWarning(requestParameters,.*bucketName.*?:\\"([^\"]+)\\".*)

conditionalmap[4].mappings[3].event.deviceCustomString6=__replaceAll(Changes made,";  ","|")
conditionalmap[4].mappings[4].event.deviceCustomString6=__replaceAll(Changes made,";  ","|")
conditionalmap[0].mappings[61].event.deviceCustomString6=__replaceAll(Changes Made,";  ","|")
conditionalmap[0].mappings[62].event.deviceCustomString6=__replaceAll(Changes Made,";  ","|")
submessage[61].pattern[0].extramappings=event.deviceCustomString3Label=__stringConstant("Track Type")|event.deviceCustomNumber3Label=__stringConstant("Preced")|event.deviceCustomNumber2Label=__stringConstant("Channel")|event.name=__replaceAll($2,"\\,","")

event.name=__replaceFirst(Operation,"([\\s\\.]*$)","")
event.deviceEventClassId=__replaceFirst(Operation,"([\\s\\.]*$)","")
event.deviceAction=__replaceFirst(Operation,"([\\s\\.]*$)","")

event.deviceCustomDate1=__safeToDate(userIdentity->sessionContext->attributes->creationDate,"yyyy-MM-dd'T'HH:mm:ssX")
submessage[0].pattern[0].extramappings=event.deviceCustomDate1=__safeToDate($1,"HH:mm MM/dd/yy")
submessage[1].pattern[0].extramappings=event.deviceCustomDate1=__safeToDate($1,"HH:mm MM/dd/yy")
submessage[4].pattern[0].extramappings=event.startTime=__safeToDate($3,"HH:mm MM/dd/yy")
event.endTime=__safeToDate(last-became-relevant,"EEE, dd MMM yyyy HH:mm:ss Z")

event.deviceCustomFloatingPoint1=__safeToDouble(eventVersion)
event.deviceCustomFloatingPoint1=__safeToDouble(eventVersion)
event.deviceCustomFloatingPoint1=__safeToDouble(suppress_for)
conditionalmap[0].mappings[2].event.deviceCustomFloatingPoint2=__safeToDouble(flags)
conditionalmap[0].mappings[2].event.deviceCustomFloatingPoint3=__safeToDouble(sequencenum)

event.sourcePort=__safeToInteger(__oneOf(Source Port,Port number))
event.sourcePort=__safeToInteger(__oneOf(Network Information:Source Port,Network Information:Port,Network Information:Client Port))
event.destinationPort=__safeToInteger(Network Information:Destination Port)
event.sourcePort=__safeToInteger(__oneOf(Network Information:Source Port,Network Information:Port,Network Information:Client Port))
event.destinationPort=__safeToInteger(Network Information:Destination Port)

event.deviceCustomNumber3=__safeToLong(__regexToken(uid,"([a-zA-Z0-9?]*)"))
conditionalmap[11].mappings[0].event.deviceCustomNumber3=__safeToLong(Number of audit messages discarded)
event.deviceCustomNumber1=__safeToLong(__oneOf(Logon Type,Pre-Authentication Type))
event.deviceCustomNumber2=__safeToLong(New Process ID)
event.deviceCustomNumber1=__safeToLong(session_id)

event.deviceCustomNumber1=__safeToRoundedLong(triggerDistance)
event.deviceCustomNumber2=__safeToRoundedLong(distance)

event.deviceReceiptTime=__setYearToCurrentYear(Date)
event.deviceReceiptTime=__setYearToCurrentYear(Date)
event.detectTime=__setYearToCurrentYear(Date)
event.deviceReceiptTime=__setYearToCurrentYear(DetectTime)

event.sourceAddress=__signedNumberToAddress(ip_src)
event.targetAddress=__signedNumberToAddress(ip_dst)

conditionalmap[0].mappings[58].event.deviceCustomString5=__simpleMap(Trust Information:Trust Type,"1=The other domain is pre-Win2k (NTLM only supported)","2=The other domain is Win2k or later (Windows Kerberos supported)","3=Other domain is actually an MIT Kerberos Realm (probably UNIX)","4=The trusted domain is a DCE realm")
conditionalmap[0].mappings[58].event.deviceCustomString3=__simpleMap(Trust Information:Trust Direction,"0=Disabled","1=Inbound","2=Outbound","3=Bidirectional")
conditionalmap[0].mappings[64].event.deviceCustomString5=__simpleMap(New Trust Information:Trust Type,"1=The other domain is pre-Win2k (NTLM only supported)","2=The other domain is Win2k or later (Windows Kerberos supported)","3=Other domain is actually an MIT Kerberos Realm (probably UNIX)","4=The trusted domain is a DCE realm")
conditionalmap[0].mappings[64].event.deviceCustomString3=__simpleMap(New Trust Information:Trust Direction,"0=Disabled","1=Inbound","2=Outbound","3=Bidirectional")
conditionalmap[0].mappings[64].event.deviceCustomString5=__simpleMap(Trust Information:Trust Type,"1=The other domain is pre-Win2k (NTLM only supported)","2=The other domain is Win2k or later (Windows Kerberos supported)","3=Other domain is actually an MIT Kerberos Realm (probably UNIX)","4=The trusted domain is a DCE realm")

conditionalmap[2].mappings[1].event.sourceUserName=__split(Assigned By,"=",2)
conditionalmap[5].mappings[0].additionaldata.SamAccountName=__split(Changed Attributes,"=",2)
event.sourceAddress=__splitAsAddress(__ifThenElse(EventID,"30",__reverseDottedDecimalAddressByteOrder(Address),Address),,)
extra.queries[0].event.destinationAddress=__splitAsAddress(IPAddress,,)
extra.queries[1].event.destinationAddress=__splitAsAddress(IPAddress,,)

event.sourceAddress=__splitAsAddress(__ifThenElse(EventID,"30",__reverseDottedDecimalAddressByteOrder(Address),Address),,)
extra.queries[0].event.destinationAddress=__splitAsAddress(IPAddress,,)
extra.queries[1].event.destinationAddress=__splitAsAddress(IPAddress,,)
extra.queries[0].event.destinationAddress=__splitAsAddress(IPAddress,,)
extra.queries[1].event.destinationAddress=__splitAsAddress(IPAddress,,)

conditionalmap[0].mappings[19].event.destinationPort=__splitAsInteger(addr,":",2)
event.sourcePort=__splitAsInteger(src,"/",2)
event.destinationPort=__splitAsInteger(dst,"/",2)
event.translatedSourcePort=__splitAsInteger(svsrc,"/",2)

event.deviceCustomString1Label=__stringConstant(dev)
event.deviceCustomString2Label=__stringConstant(key)
event.deviceCustomNumber2Label=__stringConstant(ses)
event.deviceCustomString3Label=__stringConstant(success/res)
event.deviceCustomString4Label=__stringConstant(syscall)

event.deviceCustomIPv6Address2=__stringToIPv6Address(__oneOf(Network Information:Source Network Address,Local Network Address,Additional Information:Client Address,Network Information:Network Address,Network Information:Source Address,Client Machine:Calling Station Identifier,Network Information:Client Address))
conditionalmap[0].mappings[115].event.deviceCustomIPv6Address3=__stringToIPv6Address(Network Information:Client Address)
conditionalmap[0].mappings[116].event.deviceCustomIPv6Address3=__stringToIPv6Address(Network Information:Client Address)
conditionalmap[0].mappings[117].event.deviceCustomIPv6Address3=__stringToIPv6Address(Network Information:Client Address)
conditionalmap[0].mappings[118].event.deviceCustomIPv6Address3=__stringToIPv6Address(Network Information:Client Address)

conditionalmap[0].mappings[0].event.fileName=__stringTrim(ASSSODSN)
conditionalmap[0].mappings[0].event.sourceUserName=__stringTrim(ACSMFLID)
conditionalmap[0].mappings[0].event.deviceCustomString1=__stringTrim(JOB)
conditionalmap[0].mappings[1].event.sourceUserName=__stringTrim(ACSMFLID)
conditionalmap[0].mappings[1].event.deviceCustomString1=__stringTrim(JOB)

token[3].format=__subParse(azure_active_directory/azure_active_directory.base.subparsers.map.csv)
token[15].format=__subParse(exchange/exchange.mailbox.subparsers.map.csv)
token[1].format=__subParse(office365.subparsers.map.csv)
token[5].format=__subParse(sharepoint/sharepoint.base.subparsers.map.csv)

event.baseEventCount=__sum(RepeatCount,1)

event.detectTime=__toGMTTimeStamp(LocalTimestamp)
event.detectTime=__toGMTTimeStamp(TimeStamp)
event.detectTime=__toGMTTimeStamp(TimeStamp)
event.detectTime=__toGMTTimeStamp(TimeStamp)
event.deviceReceiptTime=__toGMTTimeStamp(TimeStamp)

event.deviceCustomString2=__toHex(PacketFlags,4)
event.deviceEventClassId=__toHex(EVENT_ID,8)
event.externalId=__toHex(EVENT_ID,8)
event.deviceEventClassId=__toHex(EVENT_ID,4)

event.deviceReceiptTime=__toLocalTimeStamp(CreationTime)
event.deviceCustomDate1=__toLocalTimeStamp(CollectionTime)
event.deviceCustomDate2=__toLocalTimeStamp(TIME_CREATED)
event.detectTime=__toLocalTimeStamp(EVENTTIME)
event.deviceCustomDate1=__toLocalTimeStamp(STARTTIME)

event.flexNumber1=__toLongTimeStamp(reportStartTime)
event.flexNumber2=__toLongTimeStamp(reportEndTime)
event.flexNumber1=__toLongTimeStamp(reportStartTime)
event.flexNumber2=__toLongTimeStamp(reportEndTime)
event.flexNumber1=__toLongTimeStamp(reportStartTime)

event.destinationNtDomain=__toLowerCase(__oneOf(Supplied Realm Name,New Domain,Primary Domain,Target Domain,Domain Name,Domain,User Domain,__extractNTDomain(New Account Name),__extractNTDomain(Primary User Name),__extractNTDomain(Target Account Name),__extractNTDomain(Assigned To),__extractNTDomain(User)))
event.deviceHostName=__toLowerCase(__oneOf(__regexToken(ComputerName,"(.*?)\\..*"),ComputerName))
conditionalmap[6].mappings[1].event.sourceNtDomain=__toLowerCase(\
conditionalmap[7].mappings[0].event.destinationNtDomain=__toLowerCase(\
conditionalmap[13].mappings[1].event.sourceHostName=__toLowerCase(\

event.transportProtocol=__toUpperCase(proto)
event.transportProtocol=__toUpperCase(proto)
event.transportProtocol=__toUpperCase(proto)
event.protocol=__toUpperCase(protocol)
event.deviceCustomString4=__toUpperCase(__regexTokenNoWarning(sourceMAC,"(\\S{1,6}).*"))

token[1].format=__uri()
token[2].format=__uri()
token[3].format=__uri()
token[1].format=__uri()
token[2].format=__uri()

event.deviceReceiptTime=__useCurrentYear(__parseMultipleTimeStamp(datetime,"MMM dd HH:mm:ss"))

extra.queries[0].event.destinationAddress=__variableTypeToAddress(IPAddress)
extra.queries[1].event.destinationAddress=__variableTypeToAddress(IPAddress)
extra.queries[2].event.destinationAddress=__variableTypeToAddress(IPAddress)
extra.queries[5].event.destinationAddress=__variableTypeToAddress(IPAddress)

event.fileHash=__verifyHexString(__ifThenElse(__oneOf(proctitle,data),,,__concatenate(__ifThenElse(proctitle,,"data","proctitle"),": ",__verifyHexString(__oneOf(proctitle,data)))))

By karlo

Related Post

Uncategorized

Elasticsearch start fail on debian 11 after install from ES repos

karlo
Uncategorized

Apache2 (apache) forward https headers

karlo
Uncategorized

Postgres read long lines (wrap text)

karlo

Posts

Woocommerce

Woocommerce: make address optional

Victron

Victron ESS console behind apache2 proxy

CLI and tools

Python upgrade venv python binary/version

CLI and tools Debian Linux

Git use different ssh key once