// SentinelOne AI SIEM Parser: ISC BIND DNS Server
// OCSF Schema Version: 1.1.0
// Maps ISC BIND query/security logs to OCSF classes
// Primary Class: DNS Activity (4003); zone-transfer-denied and rate-limit
// events are emitted as Security Finding (2001) instead.
//
// Structure of this file (as far as it can be read from the entries below):
// each element of "patterns" is a regex applied to a BIND log line, and its
// "rewrites" appear to copy capture groups ("group" N -> "to" path), set
// constants ("set"/"value"), translate one field through a table
// ("lookup"/"map"/"to") or append an object to an array ("array"/"append").
// "$N" inside an "append" value is presumably the same capture-group
// substitution — confirm against the engine documentation.
//
// Review notes that apply to every pattern:
//  - Every client-address capture is "([\d.]+)", i.e. IPv4 only. BIND writes
//    IPv6 clients in the same position (constructed sample: 2001:db8::1#53),
//    so such lines do not match any pattern and never reach the SIEM. That
//    gap matters most for the denied / zone-transfer events, which are the
//    ones a defender wants to see. A class such as "([\d.:a-fA-F]+)" covers
//    both forms; verify against real samples before changing.
//  - "@(\S+)" captures BIND's client-object handle ("@0x..."), an address
//    that is reused across connections; it is not a per-event identifier.
//  - OCSF *_id fields are integers, but most are set here as strings ("4003")
//    while observables.type_id and the lookup maps emit numbers. The engine
//    may coerce strings; if it does not, the same field ends up with two
//    types across events. TODO confirm engine behaviour.
//  - The time regex captures BIND's own "DD-Mon-YYYY HH:MM:SS.mmm" stamp with
//    no timezone; whatever converts it to OCSF "time" (epoch ms) has to apply
//    the server's zone. It is also anchored with "^", which assumes the BIND
//    stamp is the first thing on the line — if a syslog header precedes it
//    (the "format" below is "syslog"), the anchor will not match. TODO confirm.

{
  "parserName": "ISCBIND-OCSF",
  "version": "1.0.0",
  "vendor": "ISC",
  "product": "BIND",
  "format": "syslog",
  
  "patterns": [
    // Query logs
    // Capture groups: 1 client handle, 2 client IP, 3 client port,
    // 4 name echoed in parentheses, 5 query name, 6 RR type mnemonic.
    {
      "pattern": "queries:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+query:\\s+(\\S+)\\s+IN\\s+(\\w+)",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "DNS Activity"},
        {"set": "category_uid", "value": "4"},
        {"set": "category_name", "value": "Network Activity"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Query"},
        // type_uid = class_uid * 100 + activity_id; this is the only pattern
        // that sets it — the other 4003 patterns below leave it unset.
        {"set": "type_uid", "value": "400301"},
        
        // Metadata
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "ISC BIND"},
        {"set": "metadata.product.vendor_name", "value": "ISC"},
        // NOTE(review): metadata.uid is meant to be unique per event, but
        // group 1 is the reused "@0x..." client handle (see header notes).
        {"group": 1, "to": "metadata.uid"},
        
        // Time (from syslog header)
        {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
        
        // Client
        {"group": 2, "to": "src_endpoint.ip"},
        {"group": 3, "to": "src_endpoint.port"},
        
        // Query info
        // NOTE(review): group 4 is the parenthesised name after the client
        // address. In BIND's query log that field is the query name, not the
        // DNS opcode, so query_info.opcode is very likely mis-populated here —
        // confirm against a sample line and either drop this rewrite or route
        // the value to an "unmapped" field.
        {"group": 4, "to": "query_info.opcode"},
        {"group": 5, "to": "query_info.hostname"},
        {"group": 6, "to": "query_info.type"},
        
        // DNS server
        // The trailing "(a.b.c.d)" on a BIND query line is the address the
        // query arrived on; IPv4-only class here as well.
        {"regex": "\\(([\\d.]+)\\)$", "group": 1, "to": "dst_endpoint.ip"},
        
        // Observables (type_id 2 = IP Address, 1 = Hostname in OCSF 1.1.0)
        {"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$2"}},
        {"array": "observables", "append": {"type": "Hostname", "type_id": 1, "value": "$5"}},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // Security - Zone transfer denied
    // A refused AXFR/IXFR request is a classic reconnaissance signal; this is
    // the highest-severity event the parser produces. Groups: 1 handle,
    // 2 client IP, 3 client port, 4 echoed name, 5 zone name.
    {
      "pattern": "security:\\s+warning:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+zone transfer\\s+'([^']+)'\\s+denied",
      "rewrites": [
        {"set": "class_uid", "value": "2001"},
        {"set": "class_name", "value": "Security Finding"},
        {"set": "category_uid", "value": "2"},
        {"set": "category_name", "value": "Findings"},
        {"set": "finding_info.types", "value": ["DNS Zone Transfer Attempt"]},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "ISC BIND"},
        {"set": "metadata.product.vendor_name", "value": "ISC"},
        
        // Time
        {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
        
        // Client
        {"group": 2, "to": "src_endpoint.ip"},
        {"group": 3, "to": "src_endpoint.port"},
        
        // Zone
        {"group": 5, "to": "finding_info.title"},
        {"set": "finding_info.desc", "value": "Unauthorized zone transfer attempt"},
        
        // Severity (OCSF 4 = High)
        {"set": "severity_id", "value": "4"},
        {"set": "severity", "value": "High"},
        
        // Status
        {"set": "status_id", "value": "2"},
        {"set": "status", "value": "Failure"},
        // NOTE(review): for class 2001 the OCSF 1.1.0 activity_id enum is
        // 1 Create / 2 Update / 3 Close; "2" therefore reads as "Update",
        // not "Deny". Consider 1 (Create, a new finding) and keep "Deny" in
        // a custom/unmapped field — TODO confirm against the schema.
        {"set": "activity_id", "value": "2"},
        {"set": "activity_name", "value": "Deny"}
      ]
    },
    
    // Security - Query denied
    // Groups: 1 handle, 2 client IP, 3 client port, 4 echoed name, 5 query name.
    {
      "pattern": "security:\\s+error:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+query\\s+\\(cache\\)\\s+'([^']+)'\\s+denied",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "DNS Activity"},
        // NOTE(review): in OCSF 1.1.0 DNS Activity, activity_id 2 is
        // "Response" (1 Query, 3 Traffic, 99 Other). A denied query is still a
        // query; status_id/rcode below already carry the refusal. TODO confirm
        // and align, otherwise schema validation of activity_id will fail.
        {"set": "activity_id", "value": "2"},
        {"set": "activity_name", "value": "Query Denied"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "ISC BIND"},
        {"set": "metadata.product.vendor_name", "value": "ISC"},
        
        // Time
        {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
        
        // Client
        {"group": 2, "to": "src_endpoint.ip"},
        {"group": 3, "to": "src_endpoint.port"},
        
        // Query
        {"group": 5, "to": "query_info.hostname"},
        
        // Status
        {"set": "status_id", "value": "2"},
        {"set": "status", "value": "Failure"},
        {"set": "rcode", "value": "REFUSED"},
        
        // Severity (OCSF 3 = Medium)
        {"set": "severity_id", "value": "3"},
        {"set": "severity", "value": "Medium"}
      ]
    },
    
    // Zone transfer (AXFR) - successful
    // Groups: 1 handle, 2 requester IP, 3 requester port, 4 echoed name,
    // 5 zone, 6 "started" | "ended". A completed transfer to a client that is
    // not a configured secondary is worth alerting on downstream.
    {
      "pattern": "xfer-out:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+transfer of\\s+'([^']+)':\\s+AXFR\\s+(started|ended)",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "DNS Activity"},
        
        // transfer_status is a helper field, not an OCSF attribute; it is
        // kept on the event unless the engine strips it.
        {"group": 6, "to": "transfer_status"},
        // NOTE(review): activity_id 3 and 4 are outside the OCSF 1.1.0 DNS
        // Activity enum (1/2/3/99); see the header notes — TODO confirm.
        {"lookup": "transfer_status", "map": {"started": 3, "ended": 4}, "to": "activity_id"},
        {"lookup": "transfer_status", "map": {"started": "Zone Transfer Start", "ended": "Zone Transfer Complete"}, "to": "activity_name"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "ISC BIND"},
        {"set": "metadata.product.vendor_name", "value": "ISC"},
        
        // Time
        {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
        
        // Client (secondary DNS)
        // NOTE(review): every other pattern puts the requesting client in
        // src_endpoint; here the same "client" capture lands in dst_endpoint.
        // That breaks a single src_endpoint.ip search for one address across
        // all BIND events (e.g. denied transfer followed by a successful one).
        // Consider src_endpoint here too, or document the deviation.
        {"group": 2, "to": "dst_endpoint.ip"},
        {"group": 3, "to": "dst_endpoint.port"},
        
        // Zone
        {"group": 5, "to": "query_info.hostname"},
        {"set": "query_info.type", "value": "AXFR"},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // Dynamic update
    // Groups: 1 handle, 2 client IP, 3 client port, 4 echoed name, 5 zone,
    // 6 "adding" | "deleting", 7 record owner name, 8 RR type, 9 rdata.
    {
      "pattern": "update:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+updating zone\\s+'([^']+)':\\s+(adding|deleting)\\s+an RR at\\s+'([^']+)'\\s+(\\w+)\\s+(\\S+)",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "DNS Activity"},
        
        {"group": 6, "to": "update_action"},
        // NOTE(review): activity_id 5 and 6 are outside the OCSF 1.1.0 DNS
        // Activity enum — same concern as the zone-transfer pattern.
        {"lookup": "update_action", "map": {"adding": 5, "deleting": 6}, "to": "activity_id"},
        {"lookup": "update_action", "map": {"adding": "Record Add", "deleting": "Record Delete"}, "to": "activity_name"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "ISC BIND"},
        {"set": "metadata.product.vendor_name", "value": "ISC"},
        
        // Time
        {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
        
        // Client
        {"group": 2, "to": "src_endpoint.ip"},
        {"group": 3, "to": "src_endpoint.port"},
        
        // Zone and record
        {"group": 5, "to": "query_info.zone"},
        {"group": 7, "to": "query_info.hostname"},
        {"group": 8, "to": "query_info.type"},
        // NOTE(review): OCSF "answers" is an array of dns_answer objects. If
        // the engine treats the dotted path as a nested object this produces
        // answers: {rdata: ...} rather than [{rdata: ...}] — confirm, or use
        // the "array"/"append" form as the observables rewrite does.
        {"group": 9, "to": "answers.rdata"},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // Rate limiting
    // Groups: 1 handle, 2 client IP, 3 client port, 4 RRL action word,
    // 5 the word before "response". Unlike the other patterns this one
    // expects ":" directly after the port with no "(name)" segment; if BIND's
    // rate-limit lines carry that segment too, this pattern never matches —
    // verify against a sample.
    {
      "pattern": "rate-limit:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+):\\s+rate limit\\s+(\\w+)\\s+(\\w+)\\s+response",
      "rewrites": [
        {"set": "class_uid", "value": "2001"},
        {"set": "class_name", "value": "Security Finding"},
        // NOTE(review): category_uid/category_name are set for the other
        // 2001 pattern but not here; and no activity_id is set at all, only
        // activity_name (below) — inconsistent with every other pattern.
        {"set": "finding_info.types", "value": ["DNS Rate Limiting"]},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "ISC BIND"},
        {"set": "metadata.product.vendor_name", "value": "ISC"},
        
        // Time
        {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
        
        // Client
        {"group": 2, "to": "src_endpoint.ip"},
        {"group": 3, "to": "src_endpoint.port"},
        
        // Rate limit action (raw log word, so activity_name is not a fixed
        // enum here)
        {"group": 4, "to": "activity_name"},
        {"group": 5, "to": "finding_info.title"},
        
        // Severity (OCSF 3 = Medium)
        {"set": "severity_id", "value": "3"},
        {"set": "severity", "value": "Medium"}
      ]
    },
    
    // DNSSEC events
    // Groups: 1 zone, 2 key tag, 3 algorithm, 4 key type (parenthesised),
    // 5 new key state. The "zone\s+(\S+):" prefix requires the zone token
    // to be followed immediately by ":"; BIND may print a "(signed)"-style
    // annotation between them — check a sample line.
    {
      "pattern": "dnssec:\\s+info:\\s+zone\\s+(\\S+):\\s+DNSKEY\\s+(\\d+)/(\\w+)\\s+\\((\\w+)\\)\\s+is now\\s+(\\w+)",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "DNS Activity"},
        // NOTE(review): activity_id 7 is outside the OCSF 1.1.0 DNS Activity
        // enum; 99 (Other) with this activity_name would validate.
        {"set": "activity_id", "value": "7"},
        {"set": "activity_name", "value": "DNSSEC Key Event"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "ISC BIND"},
        {"set": "metadata.product.vendor_name", "value": "ISC"},
        
        // Time
        {"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
        
        // Zone
        {"group": 1, "to": "query_info.zone"},
        
        // Key info ("dnssec.*" is a custom object, not an OCSF 1.1.0 attribute)
        {"group": 2, "to": "dnssec.key_tag"},
        {"group": 3, "to": "dnssec.algorithm"},
        {"group": 4, "to": "dnssec.key_type"},
        {"group": 5, "to": "dnssec.key_state"},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    }
  ],
  
  // RR type mnemonic -> numeric type code. No rewrite above references this
  // table (query_info.type receives the mnemonic as captured), so it is
  // either consumed by the engine implicitly or currently unused.
  "query_type_mappings": {
    "A": 1, "AAAA": 28, "MX": 15, "TXT": 16, "CNAME": 5,
    "NS": 2, "SOA": 6, "PTR": 12, "SRV": 33, "AXFR": 252, "ANY": 255
  }
}
