Update

exa-content-sec · exa-content-sec · commit d4ca7835ed49 · 2023-02-09T17:17:29.000Z
diff --git a/DataSources/Varonis/Data_Security_Platform/Ps/pC_qvaronisfileactivity.md b/DataSources/Varonis/Data_Security_Platform/Ps/pC_qvaronisfileactivity.md
@@ -22,12 +22,12 @@ Name = q-varonis-file-activity
     """Affected_Object_Path=(|({file_path}[^=]{1,2000}?))\s{1,10}(\w{1,100}=|$)""",
     """Affected_Object_Path=({file_parent}[^=]{1,2000}?)\\[^\\]{1,2000}\s{1,10}(\w{1,100}=|$)""",
     """cat=({category}[^=]{1,2000}?)\s{1,10}(\w{1,100}=|$)""",
-    """DatAdvantage\|[^\\]{1,1000}?\|({additional_info}[^\\]{1,2000}?)\|""",
+    """DatAdvantage\|[^\\]{1,1000}?\|({alert_name}[^\\]{1,2000}?)\|""",
     """Device_Name =({src_host}[^=]{1,2000}?)\s{1,10}(\w{1,100}=|$)""",
     """usrName =(({domain}[^\\]{1,100})\\)?({user}[^=]{1,1000}?)\s{1,10}(\w{1,100}=|$)""",
     """accountName =({user}[^=]{1,2000}?)\s{1,10}(\w{1,100}=|$)""",
   ]
-  DupFields = [ "accesses->event_code" ]
+  DupFields = [ "accesses->event_code", "alert_name->additional_info" ]
 
 
 }

Original file line number	Diff line number	Diff line change
`@@ -22,12 +22,12 @@ Name = q-varonis-file-activity`
`22`	`22`	`"""Affected_Object_Path=(\|({file_path}[^=]{1,2000}?))\s{1,10}(\w{1,100}=\|$)""",`
`23`	`23`	`"""Affected_Object_Path=({file_parent}[^=]{1,2000}?)\\[^\\]{1,2000}\s{1,10}(\w{1,100}=\|$)""",`
`24`	`24`	`"""cat=({category}[^=]{1,2000}?)\s{1,10}(\w{1,100}=\|$)""",`
`25`		`- """DatAdvantage\\|[^\\]{1,1000}?\\|({additional_info}[^\\]{1,2000}?)\\|""",`
	`25`	`+ """DatAdvantage\\|[^\\]{1,1000}?\\|({alert_name}[^\\]{1,2000}?)\\|""",`
`26`	`26`	`"""Device_Name =({src_host}[^=]{1,2000}?)\s{1,10}(\w{1,100}=\|$)""",`
`27`	`27`	`"""usrName =(({domain}[^\\]{1,100})\\)?({user}[^=]{1,1000}?)\s{1,10}(\w{1,100}=\|$)""",`
`28`	`28`	`"""accountName =({user}[^=]{1,2000}?)\s{1,10}(\w{1,100}=\|$)""",`
`29`	`29`	`]`
`30`		`- DupFields = [ "accesses->event_code" ]`
	`30`	`+ DupFields = [ "accesses->event_code", "alert_name->additional_info" ]`
`31`	`31`
`32`	`32`
`33`	`33`	`}`