Awesome, thanks for this.
I had to alter a few fields slightly:
110. [symantec:ep:security:file]
112. EXTRACT-security_event_desc = Event\sDescription\:\s(?<Event_Description>.[^\.]+)
121. EXTRACT-security_local_ip = Local\sHost\sIP\:\s+(?<Local_Host_IP>\d[^\,]+)
133. EXTRACT-security_remote_mac = Remote\sHost\sMAC\:\s(?<Remote_Host_MAC>\d[^\,]+)\,(?<Traffic_Direction>\w[^\,]+)\,(?<Network_Protocol>[^\,]*)\,(?<Hack_Type>\w*)
139. [symantec:ep:traffic:file]
155. EXTRACT-traffic_local_ip = Local\sHost\sIP\:\s+(?<Local_Host_IP>\d[^\,]+)
156. EXTRACT-traffic_remote_mac = Remote\sHost\sMAC\:\s(?<Remote_Host_MAC>\d[^\,]+)\,(?<Network_Protocol>\d[^\,]*)\,(?<Traffic_Direction>\w[^\,]+)
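The extractions above are Splunk search-time EXTRACT regexes, so the quickest way to check an edit like the ones in this reply is to run them against a sample event before touching props.conf. The following Python script is an added example, not part of the reply or of the shared props.conf: it copies the five regexes from the post verbatim, rewrites the PCRE-style `(?<name>` groups into Python's `(?P<name>` form (Splunk uses PCRE, Python's `re` does not accept that spelling), and applies them to constructed SEP-style event strings. The sample events and their field values are invented for the test; the point is to confirm what each group captures and to show one edge the altered regexes introduce: because `Remote_Host_MAC` and the traffic-log `Network_Protocol` now begin with `\d`, a MAC whose first octet starts with a letter (or a protocol name such as "TCP") is silently not extracted.

```python
import re

# Regexes copied from the reply above (PCRE named-group syntax as Splunk expects).
EXTRACTIONS = {
    "symantec:ep:security:file": [
        r"Event\sDescription\:\s(?<Event_Description>.[^\.]+)",
        r"Local\sHost\sIP\:\s+(?<Local_Host_IP>\d[^\,]+)",
        r"Remote\sHost\sMAC\:\s(?<Remote_Host_MAC>\d[^\,]+)\,(?<Traffic_Direction>\w[^\,]+)"
        r"\,(?<Network_Protocol>[^\,]*)\,(?<Hack_Type>\w*)",
    ],
    "symantec:ep:traffic:file": [
        r"Local\sHost\sIP\:\s+(?<Local_Host_IP>\d[^\,]+)",
        r"Remote\sHost\sMAC\:\s(?<Remote_Host_MAC>\d[^\,]+)\,(?<Network_Protocol>\d[^\,]*)"
        r"\,(?<Traffic_Direction>\w[^\,]+)",
    ],
}

# Constructed sample events (not real SEP output); field layout mimics the
# "Key: value, Key: value" style the regexes above are written for.
SECURITY_EVENT = (
    "Security event: Event Description: Port scan attack detected. "
    "Local Host IP: 10.0.0.5, Local Port: 445, Remote Host IP: 10.0.0.9, "
    "Remote Host MAC: 00-1A-2B-3C-4D-5E,Inbound,TCP,PortScan,Begin: 2024-01-01 10:00:00"
)
TRAFFIC_EVENT = (
    "Local Host IP: 192.168.1.20, Local Port: 52100, Remote Host IP: 203.0.113.7, "
    "Remote Host MAC: 00-1A-2B-3C-4D-5E,6,Outbound,Begin: 2024-01-01 10:00:00"
)
# Same traffic event, but the MAC starts with a letter: the \d anchor will reject it.
TRAFFIC_EVENT_LETTER_MAC = TRAFFIC_EVENT.replace("00-1A-2B", "AC-DE-48")


def to_python_regex(pcre: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).

    The lookahead for a word character keeps lookbehind assertions
    such as (?<= and (?<! untouched, should a regex ever contain one.
    """
    return re.sub(r"\(\?<(?=\w)", "(?P<", pcre)


def extract_fields(sourcetype: str, event: str) -> dict:
    """Emulate Splunk EXTRACT behaviour for one sourcetype on one event.

    Each regex is applied independently (re.search, first match only),
    and every named group of a matching regex becomes a field. A regex
    that does not match contributes nothing, which is exactly how an
    over-strict anchor such as \\d shows up in Splunk: as a missing field.
    """
    fields = {}
    for pattern in EXTRACTIONS[sourcetype]:
        match = re.search(to_python_regex(pattern), event)
        if match:
            fields.update(match.groupdict())
    return fields


def missing_fields(sourcetype: str, event: str) -> list:
    """Return the names of groups in this sourcetype's regexes that did not extract."""
    expected = []
    for pattern in EXTRACTIONS[sourcetype]:
        expected.extend(re.findall(r"\(\?<(\w+)>", pattern))
    got = extract_fields(sourcetype, event)
    return [name for name in expected if name not in got]


if __name__ == "__main__":
    for st, ev in [
        ("symantec:ep:security:file", SECURITY_EVENT),
        ("symantec:ep:traffic:file", TRAFFIC_EVENT),
        ("symantec:ep:traffic:file", TRAFFIC_EVENT_LETTER_MAC),
    ]:
        print(st, extract_fields(st, ev), "missing:", missing_fields(st, ev))
```

Running the script prints the extracted fields for each constructed event; the third run shows `Remote_Host_MAC`, `Network_Protocol` and `Traffic_Direction` all missing for the letter-initial MAC, since the whole regex fails on its first group. If your SEP logs contain such MACs, loosen `\d[^\,]+` to `[^\,]+` in the two Remote Host MAC extractions.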