FortiSIEM Discussions
arben-alia
New Contributor

Sophos Parser XML

Hi All,

I'm using FortiSIEM 7.2.1.

I'm pretty new to the FortiSIEM solution and I'm trying to clone the Sophos Central parser in order to parse the file path in the detections.

The log that I'm trying to parse is this:

<30>CEF:0|sophos|sophos central|1.0|Event::Endpoint::CorePuaDetection|PUA detected: 'Generic ML PUA' at 'C:\\Users\\test.user\\Downloads\\EplanMiddleware.resources2\\EplanMiddleware.resources\\EplanMiddleware.resources.dll'|5|threat=Generic ML PUA source_info_ip=192.168.108.132 customer_id=dfee9bae-fa58-4c7d-dc2f-f5f2f6c0726c endpoint_id=bddac434-c165-4d65-b7ba-ed30dcb19a29 endpoint_type=computer origin=ML appSha256=4e04650857c458c17590e9bd937ac2994f30b091341b452a8c8d4de5e8312f40 id=27eac4ea-d3fb-47a7-b42a-69a96aedc0f2 group=PUA datastream=event duid=630fef82a294c21089deb9e9 rt=2024-07-18T12:28:30.773Z end=2024-07-18T12:28:27.325Z dhost=WORKSTATION10 suser=Test User

I'm trying to parse only the path portion: C:\\Users\\test.user\\Downloads\\EplanMiddleware.resources2\\EplanMiddleware.resources\\EplanMiddleware.resources.dll

The default parser already parses the field actionName into [name].

However, I need some help on how to edit the XML in order to extract this value from actionName with a regex.

Thanks in advance to anyone that responds.

premchanderr
Staff & Editor

Hi @arben-alia,

In the Sophos Central parser version 7.2.2 this field is already obtained:

<attrKeyMap attr="filePath" key="[filePath]="/>

Could you clarify further, with an example, what you need to fine-tune?

Regards,
Prem Chander R
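Whether the 7.2.1 clone from the question or the 7.2.2 filePath mapping from the reply is used, the extraction being asked for is a regex over the CEF Name field. The Python below is an added example written for this thread; it is neither FortiSIEM's parser XML nor Sophos code. It splits the CEF header on unescaped pipes, parses the extension key=value pairs, and pulls the quoted path out of Name, both as logged and with CEF escaping undone. The function names (parse_cef, cef_unescape, file_path_from_name, extract_detection) and the output keys are this example's own choices; the sample event is the line quoted in the question, embedded here as a constructed string.

```python
import re
from typing import Optional

# Constructed sample: the Sophos Central CEF event quoted in the question.
# The doubled backslashes are CEF escaping of the path separators in the Name
# header field, which is why the Python literal needs four per separator.
SAMPLE_EVENT = (
    "<30>CEF:0|sophos|sophos central|1.0|Event::Endpoint::CorePuaDetection|"
    "PUA detected: 'Generic ML PUA' at 'C:\\\\Users\\\\test.user\\\\Downloads\\\\"
    "EplanMiddleware.resources2\\\\EplanMiddleware.resources\\\\"
    "EplanMiddleware.resources.dll'|5|"
    "threat=Generic ML PUA source_info_ip=192.168.108.132 "
    "customer_id=dfee9bae-fa58-4c7d-dc2f-f5f2f6c0726c "
    "endpoint_id=bddac434-c165-4d65-b7ba-ed30dcb19a29 endpoint_type=computer "
    "origin=ML appSha256=4e04650857c458c17590e9bd937ac2994f30b091341b452a8c8d4de5e8312f40 "
    "id=27eac4ea-d3fb-47a7-b42a-69a96aedc0f2 group=PUA datastream=event "
    "duid=630fef82a294c21089deb9e9 rt=2024-07-18T12:28:30.773Z "
    "end=2024-07-18T12:28:27.325Z dhost=WORKSTATION10 suser=Test User"
)

# The seven CEF header fields that precede the extension.
HEADER_KEYS = ("cef_version", "vendor", "product", "version",
               "signature_id", "name", "severity")

# Split on "|" only when it is not preceded by a backslash (CEF escapes "|" as "\|").
_PIPE = re.compile(r"(?<!\\)\|")
# Extension key=value pairs; a value runs until the next "<space>key=" or end of string.
_KV = re.compile(r"([\w.]+)=(.*?)(?=\s+[\w.]+=|\s*$)")
# The quoted path at the end of the human-readable Name field: "... at '<path>'".
_PATH_IN_NAME = re.compile(r" at '(.+)'\s*$")


def cef_unescape(value: str) -> str:
    """Undo CEF escaping of backslash, pipe and equals (\\\\, \\|, \\=)."""
    return re.sub(r"\\([\\|=])", r"\1", value)


def parse_cef(line: str) -> dict:
    """Parse a syslog-framed CEF line into header fields plus an extension dict.

    Header values are returned exactly as logged (still CEF-escaped) so the
    caller decides when to unescape; extension values are unescaped.
    """
    m = re.match(r"^(?:<(\d+)>)?CEF:(.*)$", line, re.S)
    if not m:
        raise ValueError("not a CEF line")
    parts = _PIPE.split(m.group(2), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_KEYS, parts[:7]))
    event["syslog_pri"] = m.group(1)
    event["extension"] = {k: cef_unescape(v) for k, v in _KV.findall(parts[7])}
    return event


def file_path_from_name(name: str, unescape: bool = True) -> Optional[str]:
    """Extract the quoted path from the Name field of a Sophos detection.

    unescape=True collapses the doubled backslashes into a real Windows path;
    unescape=False returns the bytes exactly as they appeared in the log.
    """
    m = _PATH_IN_NAME.search(name)
    if not m:
        return None
    return cef_unescape(m.group(1)) if unescape else m.group(1)


def extract_detection(line: str) -> dict:
    """The fields a SIEM rule would key on for this event (key names are this example's own)."""
    ev = parse_cef(line)
    ext = ev["extension"]
    return {
        "eventType": ev["signature_id"],
        "hostName": ext.get("dhost"),
        "user": ext.get("suser"),
        "threat": ext.get("threat"),
        "hashSHA256": ext.get("appSha256"),
        "filePath": file_path_from_name(ev["name"]),
    }


if __name__ == "__main__":
    for key, value in extract_detection(SAMPLE_EVENT).items():
        print(f"{key:>10}: {value}")
```

The caveat worth checking in whichever parser ends up in production is escaping: a capture such as at '(.+)'$ applied to the raw Name yields the doubled form C:\\Users\\... that the question shows, and the stored path will only match what the endpoint itself reports (and what a later path or hash lookup expects) if either the parser already CEF-unescapes header fields or the extracted value is collapsed as cef_unescape does above; doing it twice would corrupt paths that legitimately contain a literal backslash sequence.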