From 4f7db787d28fecffe3cbd1be20c54bb14d09985c Mon Sep 17 00:00:00 2001
From: MehmedSalihbasic
Date: Mon, 23 Sep 2024 15:32:21 -0500
Subject: [PATCH] adding vuln cve parsing

---
 config/processors/syslog_security_symantec.endpoint.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/processors/syslog_security_symantec.endpoint.conf b/config/processors/syslog_security_symantec.endpoint.conf
index eb4f7814..1a302e96 100644
--- a/config/processors/syslog_security_symantec.endpoint.conf
+++ b/config/processors/syslog_security_symantec.endpoint.conf
@@ -531,6 +531,11 @@ filter {
 remove_field => ["[event][name]"]
 }
 }
+ if [rule][name] =~ "^.*?(cve|CVE)-\d+-\d+" {
+ grok {
+ match => { "[rule][name]" => "^.*?(?<[vulnerability][id]>(cve|CVE)-\d+-\d+)" }
+ }
+ }
 }
 output {
 pipeline { send_to => [enrichments] }
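Review bot: The grok capture on the `match =>` line keeps whatever case the rule name used, so the same vulnerability lands in `[vulnerability][id]` as both `cve-2024-1234` and `CVE-2024-1234` and will not aggregate in downstream searches or dashboards; add `mutate { uppercase => ["[vulnerability][id]"] }` after the grok block so the field carries the canonical upper-case form. The `\d+-\d+` tail also admits strings such as `cve-1-2` that are not CVE identifiers, and the `(cve|CVE)` alternation misses mixed-case spellings; `(?i)cve-\d{4}-\d{4,}` in both the conditional and the capture tightens this, and the leading `^.*?` in both places is redundant because neither the `=~` conditional nor grok anchors the match. Only the first identifier in a rule name is extracted; if rule names can cite several CVEs, that limitation deserves a comment above the `if`. The enclosing `filter { ... }` block starts outside the hunk.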