| 123456789101112131415161718 |
- <!--
- SOC custom decoders (production-focused baseline)
- - Decodes real correlation payloads produced by SOC Integrator
- - Decodes real DNS IOC payloads
- -->
- <decoder name="soc-prod-dns">
- <prematch>soc_event=dns_ioc</prematch>
- <regex type="pcre2">event_type=(\S+)(?:.*?src_ip=([\d.]+))?</regex>
- <order>status, srcip</order>
- </decoder>
- <decoder name="soc-prod-integrator">
- <prematch>soc_event=correlation</prematch>
- <regex type="pcre2">event_type=(\S+)(?:.*?user="([^"]+)")?(?:.*?src_ip=([\d.]+))?</regex>
- <order>status, srcuser, srcip</order>
- </decoder>
|
