{
Name = json-malwarebytes-web-activity-denied
Vendor = Malwarebytes
Product = Malwarebytes Endpoint Protection
Lms = Direct
DataType = "web-activity"
TimeFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSZ"
Conditions = [ """"status":"blocked"""", """"threat_name":"web"""", """"event":"detection"""", """machine_ip":""", """"machine_name":"""" ]
Fields = [
"""exabeam_host=({host}[\w.\-]{1,2000})""",
""""machine_name":"({src_host}[^"]{1,2000})"""",
""""reported_at":"({time}\d{1,100}-\d{1,100}-\d{1,100}T\d{1,100}:\d{1,100}:\d{1,100}.\d{1,100}Z)""",
""""machine_ip":"({src_ip}[^"]{1,2000})"""",
"""threat_name":"({categories}[^"]{1,2000})""",
""""status":"({action}[^"]{1,2000})""",
""""path"{1,100}:"{1,100}({referrer}[^"\(]{1,2000})?(\(({dest_ip}[^\)]{1,200}):({dest_port}\d{1,100})\))?""",
""""event":"({event_name}[^"]{1,2000})""",
""""category":"({category}[^"]{1,2000})""",
]
}