sample CEF: May 20 20:44:51 10.XX.XX.XX May 20 2019 20:44:51 avcm02.com CEF:0|AV|Control Manager|7.0|BM:1000|Behavior Monitoring|3|rt=May 20 2019 03:34:47 GMT+00:00 dvchost=AV1 cn1Label=Risk_Level cn1=1 cs2Label=Policy cs2=1000 sproc=C:\\Windows\\System32\\taskeng.exe cn2Label=Event_Type cn2=1 cs1Label=Target cs1=C:\\Windows\\system32\\wscript.exe act=3 cn3Label=Operation cn3=101 shost=229Y9G2 src=10.XX.XX.XX deviceFacility=OfficeScan
Our AV forwards multiple types of events. In the above-mentioned "Behavior Monitoring" events, I want to convert the corresponding shost to the field dhost. How should I place it in props/transforms?
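One way to do this at search time in Splunk, shown as an added example that is not part of the original post. The sourcetype name and the stanza/class name `bm_shost_as_dhost` are placeholders, and the regex assumes the `shost` value contains no spaces, as in the sample event.

```ini
# transforms.conf
# Placeholder stanza name; applied at search time through the REPORT- setting below.
[bm_shost_as_dhost]
# Match only events whose CEF Name (6th header field) is "Behavior Monitoring",
# then capture the value of shost from the extension part of the event.
# "\sshost=" requires whitespace before the key, so dvchost= is not matched.
REGEX = CEF:\d+\|(?:[^|]*\|){4}Behavior Monitoring\|.*?\sshost=(\S+)
# Write the captured value into a field named dhost.
FORMAT = dhost::$1

# props.conf
# Replace <your_cef_sourcetype> with the sourcetype assigned to the AV feed.
[<your_cef_sourcetype>]
REPORT-bm_shost_as_dhost = bm_shost_as_dhost
```

Events of other types do not match the regex, so they get no `dhost` from this extraction. The original `shost` field is left in place on the Behavior Monitoring events.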