AnsweredAssumed Answered

Help with CEF custom fields

Question asked by Maximiliano Cittadini on Dec 13, 2019
Latest reply on Dec 16, 2019 by Jay Shah

Hi all, I have a customer who is running Kaspersky and he doesn't have access to the SQL Express instance (it seems that the kaspersky solution install and creates it own db engine with sql express, with a custom admin user and it isn't available)

The long story, shor: the customer is sending to Netwitness Log Collector (v. 11.3.2) a CEF syslog like this:


CEF:0|KasperskyLab|SecurityCenter||GNRL_EV_VIRUS_FOUND|Se detectó un objeto malicioso|4|msg=Resultado: Detectados: HEUR:Trojan.Win32.Generic\r\nUsuario: NT AUTHORITY\\SYSTEM (Usuario del sistema)\r\nObjeto: F:\\odcavatrmwrfmgsnvrbjk.txt\r\nMotivo: Análisis de expertos\r\nFecha de lanzamiento de la base de datos: 12/13/2019 3:51:00 AM\r\nHash: 6397d76fcc16bc182173ddee33f13d5648ec2f8af8cc480640d7be5088a1a790\r\n rt=1576253094000 dhost=workstation1 dst= cs2=KES cs2Label=ProductName cs3= cs3Label=ProductVersion cs4=6397d76fcc16bc182173ddee33f13d5648ec2f8af8cc480640d7be5088a1a790 cs4Label=SHA256 filePath=F:\\odcavatrmwrfmgsnvrbjk.txt cs1=HEUR:Trojan.Win32.Generic cs1Label=VirusName duser=NT AUTHORITY\\SYSTEM


everything works pretty good, but, I can't see the virusname in the metas.

I have checked the tablemap and the virusname is not transient.

I think I need to map the cs1 to virusname meta, but, the cs1 field is used for other thing depending on the type of message.

Is there any way to tell the CEF parser "if the csLabel is virusname, then cs1 value goes to virunams meta"?