How to import MISP data threat feeds in to FortiSIEM
Note: requires "jq" to be installed on the Supervisor node.
wget -O jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
chmod +x ./jq
cp jq /usr/bin
Pantashaa, as Christian said, the "_message" variable above will contain
that data. You can add a second function to read that variable later
in the parser and extract the needed data.
Again, replace the attr"_abc" values above
with th...
Try this ... it's hard to build a parser and event format recognizer from
one single event sample. It should work for the above ... but I think it
will need work when additional samples are provided. You would still need
to map in the collectAndSetAttrB...
Try this as an absolute base parser ..
\s+<_day:gPatDay>\s+<_time:gPatTime>\s+M?FTD1:\s+<_body:gPatMesgBody>]]>
toDateTime($_mon, $_day, $_time)
Cisco-FMC-Audit-Event
1
You could use an Advanced Search (SQL) to do this, as long as your event
database is ClickHouse. If you want to use a rule, make sure the SQL
display columns do not contain spaces.