SIEM

  • 1.  FortiSIEM - MCAS - Parser

    Posted May 19, 2020 04:54 PM
    Hi,

    We have fixed an issue in the Microsoft MCAS Parser, an issue with the message for Exchange Online, so that it collects inbox rule names, folders, etc...

    msg=Run command: task New-InboxRule; Parameters: Session ID f455268c-8fd0-4707-89c8-0ad00asd0a, property AlwaysDeleteOutlookRulesBlob False, property Force False, property CopyToFolder Conversation History, property From user-xxxx@..., property MoveToFolder Assinaturas do RSS, property Name Fraud Detection, property SubjectContainsWords Teste de Fraude Detection, property StopProcessingRules True

    So we have changed the parser to collect these fields with collectFieldsByKeyValuePair, and we share it with the community for your FSM.

    Note: this V2 parser will only work on msgs that contain "Run command" or on event types that contain "Run command".

    To add new values, go to the parser and add attributes for whichever fields you want to collect from Exchange, SharePoint, etc...

    Enjoy

    Attachment(s)
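The key/value extraction the post describes, as an added example that is not the attached FortiSIEM parser (which is a FortiSIEM XML parser using collectFieldsByKeyValuePair) and not code from the poster. It rebuilds the same split in Python so the behaviour can be checked offline: the "Run command: task ...; Parameters: ..." prefix is matched first, then the parameter list is split only in front of each "property " token, so values that contain spaces ("Assinaturas do RSS", "Conversation History") survive intact. A msg without "Run command" returns None, matching the caveat in the post. The sample msg is constructed from the one quoted above; the hide-folder and keyword lists in suspicious_inbox_rule are assumed heuristics for flagging rules that hide mail, not anything defined by the parser.

```python
import re

# Constructed sample, modelled on the msg quoted in the post (session id is the
# placeholder value from the post, not a real session).
SAMPLE_MSG = (
    "Run command: task New-InboxRule; Parameters: "
    "Session ID f455268c-8fd0-4707-89c8-0ad00asd0a, "
    "property AlwaysDeleteOutlookRulesBlob False, property Force False, "
    "property CopyToFolder Conversation History, property From user-xxxx@..., "
    "property MoveToFolder Assinaturas do RSS, property Name Fraud Detection, "
    "property SubjectContainsWords Teste de Fraude Detection, "
    "property StopProcessingRules True"
)

# Only msgs with the "Run command: task <cmdlet>; Parameters: ..." shape are parsed.
RUN_CMD_RE = re.compile(
    r"Run command:\s*task\s+(?P<task>[^;\s]+);\s*Parameters:\s*(?P<params>.*)$",
    re.S,
)

def parse_run_command(msg):
    """Return {'task': cmdlet, 'fields': {...}} or None if msg has no 'Run command'."""
    m = RUN_CMD_RE.search(msg)
    if not m:
        return None
    fields = {}
    # Split only where the next token is "property ", so commas or spaces inside
    # a value do not break it apart.
    for chunk in re.split(r",\s*(?=property\s)", m.group("params")):
        chunk = chunk.strip()
        if chunk.startswith("property "):
            key, _, value = chunk[len("property "):].partition(" ")
        elif chunk.startswith("Session ID "):
            key, value = "SessionID", chunk[len("Session ID "):]
        else:
            continue  # unknown parameter shape; ignore rather than guess
        fields[key] = value.strip()
    return {"task": m.group("task"), "fields": fields}

# Assumed heuristic lists (not from the post): folders attackers commonly route
# mail into so the victim never sees it, and subject/body words worth a look.
HIDE_FOLDERS = {
    "rss subscriptions", "rss feeds", "assinaturas do rss",
    "junk email", "deleted items", "archive", "conversation history",
}
SUSPICIOUS_KEYWORDS = {"password", "invoice", "payment", "fraud", "phish", "wire", "hack"}

def suspicious_inbox_rule(parsed):
    """Return a list of reasons an inbox-rule command looks like mail hiding."""
    reasons = []
    if parsed is None or not parsed["task"].endswith("-InboxRule"):
        return reasons
    f = parsed["fields"]
    for key in ("MoveToFolder", "CopyToFolder"):
        if f.get(key, "").lower() in HIDE_FOLDERS:
            reasons.append(f"{key}={f[key]}")
    if f.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True")
    words = (f.get("SubjectContainsWords", "") + " " + f.get("BodyContainsWords", "")).lower()
    hits = sorted(w for w in SUSPICIOUS_KEYWORDS if w in words)
    if hits:
        reasons.append("keywords:" + ",".join(hits))
    return reasons

if __name__ == "__main__":
    parsed = parse_run_command(SAMPLE_MSG)
    print(parsed["task"], parsed["fields"])
    print(suspicious_inbox_rule(parsed))
```

Because the split is anchored on the literal "property " token, the same function also handles Set-InboxRule and Remove-InboxRule messages of the same shape; a message that uses a different parameter syntax will simply produce an empty field dictionary rather than mis-assigned values.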