SCEP Linux Log File Malware Event Data Source Type

Microsoft.SCEP.Linux.SCXLog.MalwareEvent.DS (DataSourceModuleType)

Element properties:

Type: DataSourceModuleType
Isolation: Any
Accessibility: Public
RunAs: Default
OutputType: System.PropertyBagData

Member Modules:

ID Module Type TypeId RunAs 
SCXLog DataSource Microsoft.Unix.SCXLog.Privileged.Datasource Default
Parser ProbeAction Microsoft.Windows.PowerShellPropertyBagProbe Default
ErrorFilter ConditionDetection System.ExpressionFilter Default

Overrideable Parameters:

ID | Parameter Type | Selector | Display Name | Description
LogFilePath | string | $Config/LogFile$ | SCEP Log File Path | (no description given)

Note: the value of this override is passed unchanged as the LogFile of the Microsoft.Unix.SCXLog.Privileged.Datasource member module, i.e. a log read performed with elevated rights on the monitored Linux host (per the member module's name). Anyone allowed to set overrides on this module can therefore point that privileged read at an arbitrary file path on the managed host; restrict override authoring accordingly.

Source Code:

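<!--
  Microsoft.SCEP.Linux.SCXLog.MalwareEvent.DS

  Composite data source that reads the SCEP for Linux malware log on a monitored
  UNIX/Linux host and emits one System.PropertyBagData item per detection record.

  Flow (innermost member first, see the Composition element below):
    SCXLog      reads log lines matching RegExpFilter from LogFile on Host through
                the privileged SCX log reader;
    ErrorFilter drops any WsMan payload that carries a WsManData/ErrorCode;
    Parser      splits the surviving rows into property bags (PowerShell below).

  Security notes (review):
    * LogFile is overrideable (LogFilePath) and is handed straight to the
      privileged SCX reader, so override rights on this module amount to a
      privileged file read on the managed host.
    * Every field in the emitted bags is copied from the log on the monitored
      host; a malware file name is attacker-chosen, so treat MalwareLocation
      and friends as untrusted display data, not as paths to act on.
-->
<DataSourceModuleType ID="Microsoft.SCEP.Linux.SCXLog.MalwareEvent.DS" Accessibility="Public" Batching="false">
  <Configuration>
    <xsd:element minOccurs="1" name="Host" type="xsd:string"/>
    <xsd:element minOccurs="1" name="LogFile" type="xsd:string"/>
    <xsd:element minOccurs="1" name="RegExpFilter" type="xsd:string"/>
  </Configuration>
  <OverrideableParameters>
    <!-- Only the log path can be overridden; Host and RegExpFilter are fixed by the caller. -->
    <OverrideableParameter ID="LogFilePath" Selector="$Config/LogFile$" ParameterType="string"/>
  </OverrideableParameters>
  <ModuleImplementation Isolation="Any">
    <Composite>
      <MemberModules>
        <!-- Privileged log tail on the target host; its output ($Data$) is the WsMan payload parsed below. -->
        <DataSource ID="SCXLog" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">
          <Host>$Config/Host$</Host>
          <LogFile>$Config/LogFile$</LogFile>
          <RegExpFilter>$Config/RegExpFilter$</RegExpFilter>
        </DataSource>
        <ProbeAction ID="Parser" TypeID="Windows!Microsoft.Windows.PowerShellPropertyBagProbe">
          <ScriptName>ParseMalwareEventData.ps1</ScriptName>
          <ScriptBody><Script>
param([string]$CmdOutput)
# ParseMalwareEventData.ps1
#
# Input : $CmdOutput is the raw WsMan payload ($Data$) from the SCXLog member
#         module. It contains zero or more row elements; the text of a row is
#         a list of key=value pairs separated by ',' or ';'.
# Output: one MOM property bag per detection record. A record starts at a key
#         ending in "virus"; the bag carries DetectionTime, MalwareName,
#         MalwareLocation, MalwareCategory, MalwareSeverity, AlertSeverity and
#         AlertPriority (the last two as integers 0..2).
#
# Caveats (review):
#   - Values are split on ',' / ';' with no escaping defined, so an
#     attacker-chosen file path containing either character shifts the fields
#     that follow it. Nothing here can repair that; consumers must not treat
#     MalwareLocation as a trusted path.
#   - Field values persist across records: a record that omits a key inherits
#     the previous record's value for that key. Kept from the original script.
#   - The previous record is only flushed when the next "*virus" key is seen,
#     so any key that precedes "*virus" within a log line (the date, if the
#     line starts with it) has already been overwritten when the previous bag
#     is written. TODO(review): confirm the key order in scep log lines; if
#     the date leads, the flush should happen per row instead.

$api = new-object -comObject 'MOM.ScriptAPI'
$RowStart = "&lt;row&gt;"
$RowEnd   = "&lt;/row&gt;"
# Fixed order of AddValue calls so the bag layout matches the original probe.
$BagKeys = @("DetectionTime", "MalwareName", "MalwareLocation", "MalwareCategory",
             "MalwareSeverity", "AlertSeverity", "AlertPriority")

# Maps the alert_severity text to the numeric severity stored in the bag:
# Information=0, Warning=1, Critical=2. Anything unrecognised is treated as
# Critical (2), fail-closed as in the original. -match is case-insensitive.
function ConvertTo-AlertSeverity([string]$Text) {
    if ($Text -match "Information") { return 0 }
    if ($Text -match "Warning")     { return 1 }
    return 2
}

# Maps the alert_priority text: Low=0, Medium=1, High=2; unrecognised is 2.
function ConvertTo-AlertPriority([string]$Text) {
    if ($Text -match "Low")    { return 0 }
    if ($Text -match "Medium") { return 1 }
    return 2
}

# Copies the collected fields into $Bag, registers it with the script API and
# emits it on the pipeline. Keys never seen are written as $null, as before.
function Publish-MalwareBag($Bag, $Fields) {
    foreach ($key in $BagKeys) {
        $Bag.AddValue($key, $Fields[$key])
    }
    $api.AddItem($Bag)
    $Bag
}

$fields = @{}
$oBag = $null

while ($CmdOutput.Length -ne 0) {
    $start = $CmdOutput.IndexOf($RowStart)
    if ($start -eq -1) { break }
    $CmdOutput = $CmdOutput.Substring($start + $RowStart.Length)

    $end = $CmdOutput.IndexOf($RowEnd)
    if ($end -eq -1) {
        # Truncated payload: no closing tag for this row. The original script
        # threw here (Substring with a negative length) and lost the pending
        # record; stop parsing instead and still flush what was collected.
        break
    }
    $EventData = $CmdOutput.Substring(0, $end)

    # The original split on ';' and then on ',' in two passes; one split on
    # both separators yields the same token sequence, empty tokens included.
    # An explicit char array keeps the overload unambiguous across PowerShell
    # versions.
    foreach ($token in $EventData.Split([char[]]';,')) {
        # Split on the FIRST '=' only, so a value that itself contains '='
        # (file paths can) is no longer truncated at that character.
        $eq = $token.IndexOf("=")
        if ($eq -lt 0) {
            [string]$sName  = $token
            [string]$sValue = ""
        } else {
            [string]$sName  = $token.Substring(0, $eq)
            [string]$sValue = $token.Substring($eq + 1)
        }

        # Suffix matches are tested in the original order; a key matches the
        # first pattern that fits.
        if ($sName -like "*date") {
            $fields["DetectionTime"] = $sValue
        } elseif ($sName -like "*virus") {
            # A new detection record begins here: emit the previous one first.
            if ($oBag) {
                Publish-MalwareBag $oBag $fields
            }
            $oBag = $api.CreatePropertyBag()
            $fields["MalwareName"] = $sValue
        } elseif ($sName -like "*name") {
            $fields["MalwareLocation"] = $sValue
        } elseif ($sName -like "*malware_category") {
            $fields["MalwareCategory"] = $sValue
        } elseif ($sName -like "*malware_severity") {
            $fields["MalwareSeverity"] = $sValue
        } elseif ($sName -like "*alert_severity") {
            $fields["AlertSeverity"] = ConvertTo-AlertSeverity $sValue
        } elseif ($sName -like "*alert_priority") {
            $fields["AlertPriority"] = ConvertTo-AlertPriority $sValue
        }
    }
}

# Flush the last (or only) record.
if ($oBag) {
    Publish-MalwareBag $oBag $fields
    $oBag = $null
}

# Emitting the API object itself is kept for parity with the original script.
$api
Remove-Variable api
          </Script></ScriptBody>
          <Parameters>
            <Parameter>
              <Name>CmdOutput</Name>
              <Value>$Data$</Value>
            </Parameter>
          </Parameters>
          <TimeoutSeconds>600</TimeoutSeconds>
        </ProbeAction>
        <!-- Passes only payloads that carry no WsManData/ErrorCode; errors from the log read never reach the parser. -->
        <ConditionDetection ID="ErrorFilter" TypeID="System!System.ExpressionFilter">
          <Expression>
            <Not>
              <Expression>
                <Exists>
                  <ValueExpression>
                    <XPathQuery Type="String">WsManData/ErrorCode</XPathQuery>
                  </ValueExpression>
                </Exists>
              </Expression>
            </Not>
          </Expression>
        </ConditionDetection>
      </MemberModules>
      <!-- Data flows SCXLog, then ErrorFilter, then Parser (innermost node runs first). -->
      <Composition>
        <Node ID="Parser">
          <Node ID="ErrorFilter">
            <Node ID="SCXLog"/>
          </Node>
        </Node>
      </Composition>
    </Composite>
  </ModuleImplementation>
  <OutputType>System!System.PropertyBagData</OutputType>
</DataSourceModuleType>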