RULE_MVISION_EDR_THREAT.xml

<?xml version="1.0" encoding="utf-8"?>
<nitro_policy esm="FF61:235F" time="07/08/2019 17:27:47" user="NGCP" build="11.1.3 20190212030652" model="ENMELM-VM4" version="11001003">
  <rules count="1">
    <rule>
      <id>5000001</id>
      <normid>805306368</normid>
      <revision>0</revision>
      <sid>0</sid>
      <class>2</class>
      <message>MVISION EDR Threat detected</message>
      <description>MVISION EDR threat detected</description>
      <origin>1</origin>
      <severity>50</severity>
      <type>1</type>
      <action>5</action>
      <action_initial>5</action_initial>
      <action_disallowed>0</action_disallowed>
      <other_bits_default>4</other_bits_default>
      <other_bits_disallowed>0</other_bits_disallowed>
      <text><![CDATA[any any any -> any any (msg:"MVISION EDR Threat detected";adsid:777;content:"\"origin\": \"FT\"";json;pcre:"\{.*\"origin\":\s*\"FT\".*\}";var@{File_Path}:${threat.interpreterFileAttrs.path};var@{firsttime}:${threat.detectionDate};var@{Hash}:${threat.threatAttrs.sha256};var@{Hash_Type}:${SHA256};var@{Incoming_ID}:${threat.id};var@{lasttime}:${timestamp};var@{Message_Text}:"https://ui.soc.mcafee.com/monitoring/#/workspace/72,TOTAL_THREATS,84653,.,./traces/.?sha256="${threat.threatAttrs.sha256}"&traceId="${threat.id}"&maGuid="${threat.maGuid};var@{severity}:${threat.severity};var@{src_guid}:${threat.maGuid};var@{UserIDSrc}:${user};var@{Threat_Category}:${threat.threatType};var@{Threat_Name}:${threat.interpreterFileAttrs.name};fmt@{firsttime, lasttime}:"%Y-%m-%dT%H:%M:%S.%.3f";map@severity:"s0"="25","s1"="25","s2"="50","s3"="50","s4"="75","s5"="75";)]]></text>
      <tag origin="0">1310720</tag>
    </rule>
  </rules>
</nitro_policy>