FireEye MPS

 

The JSA FireEye MPS Content Extension adds new custom properties for FireEye MPS.

About the FireEye MPS Extension

Use the JSA FireEye MPS content extension to use your firewall event data more efficiently in searches or reports.

JSA FireEye MPS Content Extension V2.0.2

The following table shows the custom properties that are updated in JSA FireEye MPS Content Extension V2.0.2.

Table 1: Changed Custom Properties in JSA FireEye MPS Content Extension V2.0.2

Name            Optimized  Capture Group  Regex
Filename        Yes        1              fname=([^\t\^]+)


JSA FireEye MPS Content Extension V2.0.1

The following table shows the custom properties that are new or updated in JSA FireEye MPS Content Extension V2.0.1.

Table 2: Changed Custom Properties in JSA FireEye MPS Content Extension V2.0.1

Name            Optimized  Capture Group  Regex
Message         No         1              msg=([^\t\^]+)

JSA FireEye MPS Content Extension V2.0.0

The following table shows the custom properties that are new or updated in JSA FireEye MPS Content Extension V2.0.0.

Table 3: Changed Custom Properties in JSA FireEye MPS Content Extension V2.0.0

Name            Optimized  Capture Group  Regex
Attack Mode     Yes        1              (?:attack-mode|attack_mode)=([^\t\^]+)
Content Type    Yes        1              fileType=([^\t\^]+)
                                          Content-Type:\s([^\:]+)\:\:\~\~
File Path       Yes        1              filePath=([^\t\^]+)
Filename        Yes        1              fname=([^\t\^]+)
Malware         Yes        1              cs\dLabel=sname\scs\d=([^\t\^]+)
                                          (?:signame|sname)=([^\t\^]+)
Malware Family  Yes        1              cs\dLabel=IOC Name\scs\d=([^\t\^]+)
Message         Yes        1              msg=([^\t\^]+)
OS Name         Yes        1              osinfo=([^\t\^]+)
                                          cs\dLabel=Target OS\scs\d=([^\t\^]+)
Process Name    Yes        1              cs\dLabel=Process Name\scs\d=([^\t\^]+)
URL             Yes        1              (?:url|link)=([^\t^\^]+)
                                          cs\dLabel=link\scs\d=([^\t\^]+)

JSA FireEye MPS Content Extension V1.0.0

The following table shows the custom properties that are new or updated in JSA FireEye MPS Content Extension V1.0.0.

Table 4: Changed Custom Properties in JSA FireEye MPS Content Extension V1.0.0

Name            Optimized  Capture Group  Regex
Action          Yes        1              action\s?=(\w+)
File Hash       Yes        1              fileHash=(\w+)

Previous Versions

For more information about previous versions of the JSA FireEye MPS Content Extension, see JSA FireEye MPS Content Extension.