0 Replies Latest reply on Apr 26, 2017 2:10 AM by ivanpigo

    Symantec ATP - combined CEF and json log

    ivanpigo

      Hello,

      Does anyone know how to handle this type of event, where you have CEF format but one of the values is JSON? In Parsing, when creating an ASP rule, I can only select one or the other. An example log would be this one from Symantec ATP:

      Oct 26 13:49:01 localhost lcp_sep_alert_event: INFO - localhost CEF:0|Symantec|ATPU|2.0|0|lcp_sep_alert_event|0| json={"actual_action":"Quarantined","actual_action_idx":1,"agent_infected":0, "agent_version":"12.1.6168.6000","alert":"Virus found","data_source_url_domain":"10.219.218.22", "device_ip":"192.168.1.69","device_name":"win2003-client", "device_time":"2015-10-26T17:45:08.000Z","device_uid":"75e59551-3e5a-4e49-b1b8-2523fc9f2745", "domain_name":"virtual.net","external_ip":"","file":{"app_name":"XTNqSWSM.dll.part", "company_name":"null","confidence":0,"detection_type":"Heuristic","disposition":127, "folder":"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp", "name":"8wIPXRr6.dll.part", "sha2":"abeb06191c2ba2083a8167d1b432116fc2f7d396752cfbcd448319a8f9d9c3c4"}, "host_name":"win2003-client","local_host_mac":"00-0c-29-fa-f3-75","no_of_viruses":1, "sep_mid":"c3cfe66a6e6ba4d81ebcd95d78400aab","source":"Real Time Scan","type_id":4123, "user_name":"Administrator","virus_def":"2015-10-25 rev. 021","virus_name":"Trojan Horse"}

      Taken from http://help.symantec.com/cs/SATP_P_QA/ATP_P/v106663531_v113989298/title?locale=EN_US

      I really don't want to type the regex for this, since it's already structured data in there :-)
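One way to split this kind of line, as an added example that is not from the original post, from Symantec or from the SIEM vendor: take the seven pipe-delimited CEF header fields, then hand everything after json= to a real JSON parser instead of the usual space-separated key=value extension logic (which would break on the spaces and backslashes inside the JSON), and flatten the nested object into dotted field names. The sample line below is a shortened, constructed copy of the one quoted above, and the field names in CEF_HEADER_FIELDS are this example's own naming.

```python
import json
import re

# Constructed sample, abridged from the Symantec ATP line quoted in the post
SAMPLE = ('Oct 26 13:49:01 localhost lcp_sep_alert_event: INFO - localhost '
          'CEF:0|Symantec|ATPU|2.0|0|lcp_sep_alert_event|0| '
          'json={"actual_action":"Quarantined","device_ip":"192.168.1.69",'
          '"file":{"name":"8wIPXRr6.dll.part","folder":"C:\\\\Temp",'
          '"sha2":"abeb06191c2ba2083a8167d1b432116fc2f7d396752cfbcd448319a8f9d9c3c4"},'
          '"virus_name":"Trojan Horse"}')

# Standard CEF header positions (names chosen for this example)
CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")


def parse_cef_json(line):
    """Return (header dict, decoded JSON payload) for a CEF line whose extension is json={...}."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    # Split on pipes that are not escaped as \| ; at most 7 splits so the extension stays whole
    parts = re.split(r"(?<!\\)\|", line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    # Do not split the extension on spaces: the whole remainder is one json= value
    m = re.match(r"\s*json=(\{.*\})\s*$", parts[7], re.S)
    if not m:
        raise ValueError("extension is not a single json= value")
    return header, json.loads(m.group(1))


def flatten(obj, prefix=""):
    """Flatten nested JSON (file.sha2, file.folder) so a flat SIEM field map can take it."""
    out = {}
    for key, value in obj.items():
        full = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, full + "."))
        else:
            out[full] = value
    return out


def extract_fields(line):
    """Header fields plus flattened JSON fields, ready for a field-mapping step."""
    header, payload = parse_cef_json(line)
    fields = dict(header)
    fields.update(flatten(payload))
    return fields
```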