Can you post screenshots here with an example event? I don't think there is a custom_type associated with Object and Command, or they have another meaning in your event.
I certainly would, but it appears McAfee's website does not play nice with our security settings. It's Signature ID 278-111010, and under custom types there are the following fields:
Command: 'configure terminal'
Source User: 'enable_15'
I think I may be on to something though.
Found it. It appears in order to get the custom fields generated by the parser, you must use the rule parser name (similar to my initial try). The parsing rule identifies the target fields as "CommandID" and "ObjectID". When inserting the variable in the template, it requires the use of a percent sign (%) after the dollar sign ($), just like in the UserIDSrc variable from my initial example.
Thanks for making me take a closer look at it, and I hope this helps someone else out one day.