-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathcurrent.bitdefender.sdkrfilereader.properties
168 lines (166 loc) · 23.8 KB
/
current.bitdefender.sdkrfilereader.properties
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
#created by John Rogers (john. rogers outlook.com) with assistance from Peter Titov from HPE
trim.tokens=true
regex=gravityzone: \\[(\\w+)\\](.*)
token.count=2
token[0].name=eventType
token[1].name=msg
submessage.messageid.token=eventType
submessage.token=msg
submessage.count=7
# Static Field Sets
event.deviceEventClassId=eventType
event.deviceVendor=__stringConstant("BitDefender")
event.flexString1Label=__stringConstant("bdAgentHostname")
event.flexString2Label=__stringConstant("bdAgentAddress")
#
#=========================AntiVirus=========================
submessage[0].messageid=av
submessage[0].pattern.count=3
# Malware Event - Host is a VM
submessage[0].pattern[0].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","VM_NAME":"([^"]+)","VM_ID":"([^"]+)","UUID_INSTANCE":"([^"]+)","UUID_BIOS":"([^"]+)","user":\\{"id":"([^"]+)","name":"([^"]+)"\\},"malware_type":"([^"]+)","malware_name":"([^"]+)","file_path":"([^"]+)","final_status":"([^"]+)","timestamp":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","module":"([^"]+)"\\}
submessage[0].pattern[0].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.deviceCustomString2,event.deviceCustomString3,event.deviceCustomString4,event.deviceCustomString5,event.sourceUserId,event.sourceUserName,event.deviceCustomString6,event.name,event.filePath,event.deviceAction,event.endTime,event.deviceProcessName
submessage[0].pattern[0].types=String,String,String,String,String,String,String,String,String,String,String,String,String,String,String,TimeStamp,String
submessage[0].pattern[0].formats=null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null
submessage[0].pattern[0].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.deviceCustomString2Label=__stringConstant("VM_Name")|event.deviceCustomString3Label=__stringConstant("VM_Id")|event.deviceCustomString4Label=__stringConstant("UUID_Instance")|event.deviceCustomString5Label=__stringConstant("UUID_BIOS")|event.deviceCustomString6Label=__stringConstant("malwareType")|event.message=__stringConstant("Host infected with malware. Host is a VM.")
#
# Malware Event
submessage[0].pattern[1].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","user":\\{"id":"([^"]+)","name":"([^"]+)"\\},"malware_type":"([^"]+)","malware_name":"([^"]+)","file_path":"([^"]+)","final_status":"([^"]+)","timestamp":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","module":"([^"]+)"\\}
submessage[0].pattern[1].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.sourceUserId,event.sourceUserName,event.deviceCustomString6,event.name,event.filePath,event.deviceAction,event.endTime,event.deviceProcessName
submessage[0].pattern[1].types=String,String,String,String,String,String,String,String,String,String,String,TimeStamp,String
submessage[0].pattern[1].formats=null,null,null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null
submessage[0].pattern[1].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.deviceCustomString6Label=__stringConstant("malwareType")|event.message=__stringConstant("Host infected with malware.")
#
# Malware Event - VM OLD
submessage[0].pattern[2].regex=\\{"computer_name":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","VM_NAME":"([^"]+)","VM_ID":"([^"]+)","UUID_INSTANCE":"([^"]+)","UUID_BIOS":"([^"]+)","malware_type":"([^"]+)","malware_name":"([^"]+)","file_path":"([^"]+)","final_status":"([^"]+)","timestamp":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","module":"([^"]+)"\\}
submessage[0].pattern[2].fields=event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.deviceCustomString2,event.deviceCustomString3,event.deviceCustomString4,event.deviceCustomString5,event.deviceCustomString6,event.name,event.filePath,event.deviceAction,event.endTime,event.deviceProcessName
submessage[0].pattern[2].types=String,String,String,String,String,String,String,String,String,String,String,String,TimeStamp,String
submessage[0].pattern[2].formats=null,null,null,null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null
submessage[0].pattern[2].extramappings=event.deviceCustomString3Label=__stringConstant("VM_Id")|event.deviceCustomString4Label=__stringConstant("UUID_Instance")|event.deviceCustomString5Label=__stringConstant("UUID_BIOS")|event.deviceCustomString6Label=__stringConstant("malwareType")|event.message=__stringConstant("Host infected with malware. Host is a VM. OLD")
#
#=========================Firewall=========================
submessage[1].messageid=fw
submessage[1].pattern.count=6
#
# External Traffic
submessage[1].pattern[0].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","status":"([^"]+)","protocol_id":"(\\d+)","source_ip":"(\\d{1,3}.\\d{1,3}.\\d{1,3}.\\d{1,3})","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)".*
submessage[1].pattern[0].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.name,event.transportProtocol,event.sourceAddress,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[1].pattern[0].types=String,String,String,String,String,String,String,String,TimeStamp,Integer,String
submessage[1].pattern[0].formats=null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[1].pattern[0].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.message=__stringConstant("External traffic to the host was blocked.")
#
# External Traffic IPv6
submessage[1].pattern[1].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","status":"([^"]+)","protocol_id":"(\\d+)","source_ip":"([0-9A-F:]+)","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)"\\}
submessage[1].pattern[1].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.name,event.transportProtocol,event.deviceCustomIPv6Address1,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[1].pattern[1].types=String,String,String,String,String,String,String,IPv6Address,TimeStamp,Integer,String
submessage[1].pattern[1].formats=null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[1].pattern[1].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.deviceCustomIPv6Address1Label=__stringConstant("sourceAddress")|event.message=__stringConstant("External traffic over IPv6 to the host was blocked.")
#
# Blocked App
submessage[1].pattern[2].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","user":\\{"id":"([^"]+)","name":"([^"]+)"\\},"status":"([^"]+)","local_port":"([^"]+)","protocol_id":"(\\d+)","application_path":"([^"]+)","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)"\\}
submessage[1].pattern[2].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.sourceUserId,event.sourceUserName,event.name,event.sourcePort,event.transportProtocol,event.fileName,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[1].pattern[2].types=String,String,String,String,String,String,String,String,String,String,String,TimeStamp,Integer,String
submessage[1].pattern[2].formats=null,null,null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[1].pattern[2].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.message=__stringConstant("An application was blocked by the firewall.")
#
# Blocked App - No User
submessage[1].pattern[3].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","user":\\{"id":null,"name":null},"status":"([^"]+)","local_port":"([^"]+)","protocol_id":"(\\d+)","application_path":"([^"]+)","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)"\\}
submessage[1].pattern[3].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.name,event.sourcePort,event.transportProtocol,event.fileName,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[1].pattern[3].types=String,String,String,String,String,String,String,String,String,TimeStamp,Integer,String
submessage[1].pattern[3].formats=null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[1].pattern[3].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.message=__stringConstant("An application was blocked by the firewall. User information is not provided.")
#
# External Traffic - VM Info
submessage[1].pattern[4].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","VM_NAME":"([^"]+)","VM_ID":"([^"]+)","UUID_INSTANCE":"([^"]+)","UUID_BIOS":"([^"]+)","status":"([^"]+)","protocol_id":"(\\d+)","source_ip":"(\\d{1,3}.\\d{1,3}.\\d{1,3}.\\d{1,3})","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)"\\}
submessage[1].pattern[4].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.deviceCustomString2,event.deviceCustomString3,event.deviceCustomString4,event.deviceCustomString5,event.name,event.transportProtocol,event.sourceAddress,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[1].pattern[4].types=String,String,String,String,String,String,String,String,String,String,String,String,TimeStamp,Integer,String
submessage[1].pattern[4].formats=null,null,null,null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[1].pattern[4].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.deviceCustomString2Label=__stringConstant("VM_Name")|event.deviceCustomString3Label=__stringConstant("VM_Id")|event.deviceCustomString4Label=__stringConstant("UUID_Instance")|event.deviceCustomString5Label=__stringConstant("UUID_BIOS")|event.message=__stringConstant("External traffic to the host was blocked. The host is a Virtual Machine.")
#
# External Traffic - VM IPv6
submessage[1].pattern[5].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","VM_NAME":"([^"]+)","VM_ID":"([^"]+)","UUID_INSTANCE":"([^"]+)","UUID_BIOS":"([^"]+)","status":"([^"]+)","protocol_id":"(\\d+)","source_ip":"([0-9A-F:]+)","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)"\\}
submessage[1].pattern[5].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.deviceCustomString2,event.deviceCustomString3,event.deviceCustomString4,event.deviceCustomString5,event.name,event.transportProtocol,event.deviceCustomIPv6Address1,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[1].pattern[5].types=String,String,String,String,String,String,String,String,String,String,String,IPv6Address,TimeStamp,Integer,String
submessage[1].pattern[5].formats=null,null,null,null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[1].pattern[5].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.deviceCustomString2Label=__stringConstant("VM_Name")|event.deviceCustomString3Label=__stringConstant("VM_Id")|event.deviceCustomString4Label=__stringConstant("UUID_Instance")|event.deviceCustomString5Label=__stringConstant("UUID_BIOS")|event.deviceCustomIPv6Address1Label=__stringConstant("sourceAddress")|event.message=__stringConstant("External traffic over IPv6 to the host was blocked. The host is a Virtual Machine.")
#
#=========================Advanced Threat Control=========================
submessage[2].messageid=avc
submessage[2].pattern.count=3
#
# Blocked App - VM
submessage[2].pattern[0].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","VM_NAME":"([^"]+)","VM_ID":"([^"]+)","UUID_INSTANCE":"([^"]+)","UUID_BIOS":"([^"]+)","user":\\{"id":"([^"]+)","name":"([^"]+)"\\},"exploit_type":"([^"]+)","exploit_path":"([^"]+)","status":"([^"]+)","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)"\\}
submessage[2].pattern[0].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.deviceCustomString2,event.deviceCustomString3,event.deviceCustomString4,event.deviceCustomString5,event.sourceUserId,event.sourceUserName,event.name,event.filePath,event.deviceAction,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[2].pattern[0].types=String,String,String,String,String,String,String,String,String,String,String,String,String,String,TimeStamp,Integer,String
submessage[2].pattern[0].formats=null,null,null,null,null,null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[2].pattern[0].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.deviceCustomString2Label=__stringConstant("VM_Name")|event.deviceCustomString3Label=__stringConstant("VM_Id")|event.deviceCustomString4Label=__stringConstant("UUID_Instance")|event.deviceCustomString5Label=__stringConstant("UUID_BIOS")|event.message=__stringConstant("App blocked by AVC. User information is available. Host is a Virtual Machine.")
#
# Blocked App - No User
submessage[2].pattern[1].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","exploit_type":"([^"]+)","exploit_path":"([^"]+)","status":"([^"]+)","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)"\\}
submessage[2].pattern[1].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.name,event.filePath,event.deviceAction,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[2].pattern[1].types=String,String,String,String,String,String,String,String,TimeStamp,Integer,String
submessage[2].pattern[1].formats=null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[2].pattern[1].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.message=__stringConstant("App blocked by AVC. No user information is available.")
#
# Blocked App - User Info
submessage[2].pattern[2].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","user":\\{"id":"([^"]+)","name":"([^"]+)"\\},"exploit_type":"([^"]+)","exploit_path":"([^"]+)","status":"([^"]+)","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)"\\}
submessage[2].pattern[2].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.sourceUserId,event.sourceUserName,event.name,event.filePath,event.deviceAction,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[2].pattern[2].types=String,String,String,String,String,String,String,String,String,String,TimeStamp,Integer,String
submessage[2].pattern[2].formats=null,null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[2].pattern[2].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.message=__stringConstant("App blocked by AVC. User information is included.")
#
#
#=========================AntiPhishing=========================
submessage[3].messageid=aph
submessage[3].pattern.count=2
#
# Phishing Event - User Info
submessage[3].pattern[0].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","user":\\{"id":"([^"]+)","name":"([^"]+)"\\},"aph_type":"([^"]+)","url":"([^"]+)","status":"([^"]+)","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)"\\}
submessage[3].pattern[0].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.sourceUserId,event.sourceUserName,event.deviceCustomString6,event.requestUrl,event.name,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[3].pattern[0].types=String,String,String,String,String,String,String,String,String,String,TimeStamp,Integer,String
submessage[3].pattern[0].formats=null,null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[3].pattern[0].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.deviceCustomString2Label=__stringConstant("product_installed")|event.message=__stringConstant("Phishing attempt blocked.")|event.deviceCustomString6Label=__stringConstant("aphType")
#
# Phishing Event - User Info VM
submessage[3].pattern[1].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","VM_NAME":"([^"]+)","VM_ID":"([^"]+)","UUID_INSTANCE":"([^"]+)","UUID_BIOS":"([^"]+)","user":\\{"id":"([^"]+)","name":"([^"]+)"\\},"aph_type":"([^"]+)","url":"([^"]+)","status":"([^"]+)","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)"\\}
submessage[3].pattern[1].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.deviceCustomString2,event.deviceCustomString3,event.deviceCustomString4,event.deviceCustomString5,event.sourceUserId,event.sourceUserName,event.deviceCustomString6,event.requestUrl,event.name,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[3].pattern[1].types=String,String,String,String,String,String,String,String,String,String,String,String,String,String,TimeStamp,Integer,String
submessage[3].pattern[1].formats=null,null,null,null,null,null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[3].pattern[1].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.deviceCustomString2Label=__stringConstant("VM_Name")|event.deviceCustomString3Label=__stringConstant("VM_Id")|event.deviceCustomString4Label=__stringConstant("UUID_Instance")|event.deviceCustomString5Label=__stringConstant("UUID_BIOS")|event.deviceCustomString6Label=__stringConstant("reason")|event.message=__stringConstant("Phishing attempt blocked. Host is a Virtual Machine.")
#
#
#=========================User Control=========================
submessage[4].messageid=uc
submessage[4].pattern.count=2
#
#
submessage[4].pattern[0].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","user":\\{"id":"([^"]+)","name":"([^"]+)"\\},"uc_type":"([^"]+)","url":"([^"]+)","block_type":"([^"]+)","categories":"([^"]*)","status":"([^"]+)","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)"\\}
submessage[4].pattern[0].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.sourceUserId,event.sourceUserName,event.deviceCustomString2,event.requestUrl,event.deviceCustomString4,event.deviceCustomString3,event.name,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[4].pattern[0].types=String,String,String,String,String,String,String,String,String,String,String,String,TimeStamp,Integer,String
submessage[4].pattern[0].formats=null,null,null,null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[4].pattern[0].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.deviceCustomString2Label=__stringConstant("ucType")|event.deviceCustomString3Label=__stringConstant("category")|event.deviceCustomString4Label=__stringConstant("blockType")|event.message=__stringConstant("Site blocked and includes block type.")
#
#
submessage[4].pattern[1].regex=\\{"computer_name":"([^"]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)","user":\\{"id":"([^"]+)","name":"([^"]+)"\\},"uc_type":"([^"]+)","url":"([^"]+)","categories":"([^"]*)","status":"([^"]+)","last_blocked":"(\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.\\d{3})Z","count":(\\d+),"module":"([^"]+)"\\}
submessage[4].pattern[1].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.sourceUserId,event.sourceUserName,event.deviceCustomString2,event.requestUrl,event.deviceCustomString3,event.name,event.endTime,event.baseEventCount,event.deviceProcessName
submessage[4].pattern[1].types=String,String,String,String,String,String,String,String,String,String,String,TimeStamp,Integer,String
submessage[4].pattern[1].formats=null,null,null,null,null,null,null,null,null,null,null,yyyy-MM-dd'T'HH:mm:ss.SSS,null,null
submessage[4].pattern[1].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.deviceCustomString2Label=__stringConstant("uc_type")|event.deviceCustomString3Label=__stringConstant("category")|event.message=__stringConstant("Site blocked. ")
#
#
#=========================Module Status=========================
submessage[5].messageid=modules
submessage[5].pattern.count=1
#
#
submessage[5].pattern[0].regex=\\{"computer_name":"([^".]+)","computer_fqdn":"([^"]+)","computer_ip":"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})","computer_id":"([^"]+)","product_installed":"([^"]+)",("malware_status":\\d+,"aph_status":\\d+,"firewall_status":\\d+,"avc_status":\\d+,"uc_web_filtering":\\d+,"uc_categ_filtering":\\d+,"uc_application_status":\\d+,"dp_status":\\d+,"pu_status":\\d+,"dlp_status":\\d+),"module":"([^"]+)"\\}
submessage[5].pattern[0].fields=event.deviceCustomString1,event.flexString1,event.flexString2,event.deviceExternalId,event.deviceProduct,event.message,event.deviceProcessName
submessage[5].pattern[0].types=String,String,String,String,String,String,String
submessage[5].pattern[0].formats=null,null,null,null,null,null,null
submessage[5].pattern[0].extramappings=event.deviceCustomString1Label=__stringConstant("computerName")|event.name=__stringConstant("Module Status")
#
#
#==========================UNPARSED=========================
submessage[6].pattern.count=1
submessage[6].pattern[0].regex=(\\{.*\\})
submessage[6].pattern[0].fields=event.message
submessage[6].pattern[0].extramappings=event.name=__stringConstant("Unparsed BitDefender Event")