// SentinelOne AI SIEM Parser: SIM Generic Log DSM
// OCSF Schema Version: 1.1.0
// Maps generic syslog-style logs to OCSF classes
// Primary Classes: Base Event (0), class_uid 6001 (labelled "Application Activity" below)
// NOTE(review): in OCSF 1.1.0 "Application Activity" is category 6, not a class; the class
// registered as 6001 there is "Web Resources Activity". Verify every class_uid/class_name
// pair in this file against the schema before detections or dashboards depend on them.

{
  // NOTE(review): the "//" comments make this JSONC, not RFC 8259 JSON. Confirm the
  // parser loader accepts comments, or strip them before deployment.
  "parserName": "SIMGeneric-OCSF",
  "version": "1.0.0",
  "vendor": "Generic",
  "product": "SIM Generic Log",
  "format": "syslog",

  // Patterns are listed in order. This file does not say whether the engine stops at
  // the first matching pattern or applies every matching pattern's rewrites. Every
  // pattern after the first overrides class_uid/class_name, but only "Security alerts"
  // re-sets category_uid/category_name; under apply-all semantics an auth/file/config/
  // service event would keep category 6 from the first pattern. Confirm the engine
  // semantics and, if rewrites accumulate, set the category explicitly per pattern
  // (OCSF 1.1.0: IAM = 3, System Activity = 1, Discovery = 5).
  // All "value" entries are quoted strings while OCSF types *_uid/*_id as integers;
  // confirm the engine coerces them, otherwise schema validation downstream may reject them.
  "patterns": [
    // Generic syslog with key=value pairs.
    // Capture groups: 1 = "MMM dd HH:mm:ss" timestamp, 2 = host, 3 = program,
    // 4 = pid, 5 = first \w+ token of the message (treated as the log level), 6 = rest.
    // The regex is anchored (^...$), so a line without "prog[pid]:" does not match here.
    {
      "pattern": "^(\\w+\\s+\\d+\\s+[\\d:]+)\\s+(\\S+)\\s+(\\S+)\\[(\\d+)\\]:\\s+(\\w+)\\s+(.*)$",
      "rewrites": [
        // NOTE(review): in the OCSF 1.1.0 registry class 6001 is "Web Resources
        // Activity"; "Application Activity" is the name of category 6. Verify this
        // class_uid/class_name pair against the target schema.
        {"set": "class_uid", "value": "6001"},
        {"set": "class_name", "value": "Application Activity"},
        {"set": "category_uid", "value": "6"},
        {"set": "category_name", "value": "Application Activity"},

        // Metadata
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "Generic Application"},
        {"set": "metadata.product.vendor_name", "value": "Unknown"},
        {"group": 2, "to": "device.hostname"},
        {"group": 3, "to": "app_name"},
        {"group": 4, "to": "actor.process.pid"},

        // Time (the syslog timestamp carries neither year nor zone; see "transforms")
        {"group": 1, "to": "time", "transform": "syslogTimestamp"},

        // Severity from log level. Group 5 is simply the first word after "[pid]: ",
        // so for daemons whose messages do not start with a level (e.g. "Accepted
        // password for ...") "severity" receives that word and severity_id stays unmapped.
        // Lookup keys are upper-case; confirm the lookup is case-insensitive or
        // lower-case levels ("error", "warn") will not map either. OCSF severity_id 0
        // is "Unknown", which is what DEBUG/TRACE become here.
        {"group": 5, "to": "severity"},
        {"lookup": "severity", "map": {
          "CRITICAL": 5, "FATAL": 6, "ERROR": 4, "WARNING": 3, "WARN": 3,
          "INFO": 1, "DEBUG": 0, "TRACE": 0
        }, "to": "severity_id"},

        // Message
        {"group": 6, "to": "message"},

        // Extract key=value pairs from the message into "unmapped" (kept, not normalised)
        {"kvExtract": "$6", "to": "unmapped"}
      ]
    },

    // Authentication events.
    // Unanchored substring match, case-sensitive as written: "auth" also matches
    // "author"/"authorized", so unrelated messages can be reclassified as 3002.
    // Consider word boundaries if the engine supports them.
    {
      "pattern": "(login|logon|auth|authentication)",
      "rewrites": [
        {"set": "class_uid", "value": "3002"},
        {"set": "class_name", "value": "Authentication"},

        // Extract user (\S+ stops at the first space; quoted or space-containing names truncate)
        {"regex": "user[=:]\\s*(\\S+)", "group": 1, "to": "user.name"},

        // Extract source IP. [\d.]+ only captures IPv4-looking text (and malformed
        // values such as "1.2.3"); IPv6 sources get no src_endpoint.ip at all, which
        // silently blinds any source-based detection. Consider an IPv4|IPv6 alternation.
        {"regex": "(?:src_ip|ip|from)[=:]\\s*([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},

        // Extract session. NOTE(review): "[_id]*" is a character class (any run of
        // '_', 'i', 'd'), not an optional "_id" suffix -- probably intended "(?:_id)?".
        {"regex": "session[_id]*[=:]\\s*(\\S+)", "group": 1, "to": "session.uid"},

        // Determine success/failure (OCSF status_id: 1 = Success, 2 = Failure).
        // Failure rules come last, so they win when both word lists match. The "if"
        // values look like bare substrings: "success" also matches "unsuccessful",
        // which contains no failure word and would be recorded as Success -- confirm
        // the "if" matching semantics and anchor with word boundaries if supported.
        // activity_id is always 1 (Logon); logoff messages are not distinguished here.
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Logon"},
        {"set": "status_id", "value": "1", "if": "success|successful|accepted"},
        {"set": "status", "value": "Success", "if": "success|successful|accepted"},
        {"set": "status_id", "value": "2", "if": "fail|failed|denied|invalid"},
        {"set": "status", "value": "Failure", "if": "fail|failed|denied|invalid"}
      ]
    },

    // File operations.
    // Unanchored substring match: "file" also matches "profile"/"filesystem" messages.
    {
      "pattern": "(file|upload|download)",
      "rewrites": [
        // NOTE(review): OCSF 1.1.0 class 1001 is "File System Activity", whose
        // activity_id values are 1 Create, 2 Read, 3 Update, ...; Upload/Download are
        // not activities of that class (File Hosting Activity, 6006, defines them).
        // Verify before consumers rely on activity_id 2/3 meaning upload/download.
        {"set": "class_uid", "value": "1001"},
        {"set": "class_name", "value": "File Activity"},

        // Extract filename
        {"regex": "filename[=:]\\s*(\\S+)", "group": 1, "to": "file.name"},

        // Extract size. "[_bytes]*" is a character class, not an optional "_bytes"
        // suffix (same issue as the session regex); probably intended "(?:_bytes)?".
        {"regex": "size[_bytes]*[=:]\\s*(\\d+)", "group": 1, "to": "file.size"},

        // Extract user
        {"regex": "user[=:]\\s*(\\S+)", "group": 1, "to": "actor.user.name"},

        // Extract destination -- mapped to file.path. If "destination" denotes a
        // directory or remote target rather than the file's own path, this is a mis-mapping.
        {"regex": "destination[=:]\\s*(\\S+)", "group": 1, "to": "file.path"},

        // Activity (rules run in order: a message containing both words ends as Download)
        {"set": "activity_id", "value": "2", "if": "upload"},
        {"set": "activity_name", "value": "Upload", "if": "upload"},
        {"set": "activity_id", "value": "3", "if": "download"},
        {"set": "activity_name", "value": "Download", "if": "download"}
      ]
    },

    // Security alerts.
    // Substring match on broad words ("security", "alert"): e.g. "security group
    // changed" becomes a Finding. This is the only later pattern that re-sets category.
    {
      "pattern": "(security|alert|attack|injection|malware|threat)",
      "rewrites": [
        // NOTE(review): Security Finding (2001) is marked deprecated in OCSF 1.1.0 in
        // favour of the specific finding classes (e.g. Detection Finding 2004) -- verify
        // and consider migrating.
        {"set": "class_uid", "value": "2001"},
        {"set": "class_name", "value": "Security Finding"},
        {"set": "category_uid", "value": "2"},
        {"set": "category_name", "value": "Findings"},

        // Extract source IP (IPv4-only; see the authentication pattern)
        {"regex": "(?:src_ip|ip)[=:]\\s*([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},

        // Extract target
        {"regex": "(?:target_url|url)[=:]\\s*(\\S+)", "group": 1, "to": "finding_info.src_url"},

        // Extract payload. The quoted payload is attacker-controlled content; keep it
        // opaque downstream (never interpolate it into queries/HTML unescaped).
        // NOTE(review): finding_info.data_sources is an OCSF array of data-source
        // names, not a place for evidence; raw_data or unmapped is the safer home. Verify.
        {"regex": "payload[=:]\\s*\"([^\"]+)\"", "group": 1, "to": "finding_info.data_sources"},

        // Severity is hard-coded High for every match regardless of message content;
        // a level parsed by the first pattern (if rewrites accumulate) is overwritten.
        {"set": "severity_id", "value": "4"},
        {"set": "severity", "value": "High"}
      ]
    },

    // Configuration changes.
    // "changed" as a bare substring also matches e.g. "password changed", which would
    // be reclassified away from Authentication if this pattern is applied after it.
    {
      "pattern": "(config|configuration|setting|changed)",
      "rewrites": [
        // NOTE(review): in OCSF 1.1.0, 5001 is "Device Inventory Info"; configuration
        // state is 5002 "Device Config State". Also confirm the config.*/prev_config.*
        // paths below exist in the target schema -- unknown paths may be dropped silently.
        {"set": "class_uid", "value": "5001"},
        {"set": "class_name", "value": "Configuration"},
        {"set": "activity_id", "value": "2"},
        {"set": "activity_name", "value": "Update"},

        // Extract setting
        {"regex": "setting[=:]\\s*(\\S+)", "group": 1, "to": "config.name"},

        // Extract old/new values (\S+ truncates at the first space; values may carry secrets
        // -- consider whether old/new values should be masked before indexing)
        {"regex": "old_value[=:]\\s*(\\S+)", "group": 1, "to": "prev_config.value"},
        {"regex": "new_value[=:]\\s*(\\S+)", "group": 1, "to": "config.value"},

        // Extract who changed
        {"regex": "changed_by[=:]\\s*(\\S+)", "group": 1, "to": "actor.user.name"}
      ]
    },

    // Service events.
    // "restart" matches the pattern but has no activity mapping below, so a restart
    // event carries no activity_id/activity_name from this pattern.
    {
      "pattern": "(service|started|stopped|restart)",
      "rewrites": [
        // NOTE(review): OCSF 1.1.0 class 1006 is "Scheduled Job Activity"; the registry
        // has no "Service Activity" class. Verify the class mapping.
        {"set": "class_uid", "value": "1006"},
        {"set": "class_name", "value": "Service Activity"},

        // Extract service name
        {"regex": "service_name[=:]\\s*(\\S+)", "group": 1, "to": "service.name"},

        // Extract version
        {"regex": "version[=:]\\s*(\\S+)", "group": 1, "to": "service.version"},

        // Extract port
        {"regex": "port[=:]\\s*(\\d+)", "group": 1, "to": "service.port"},

        // Extract PID
        {"regex": "pid[=:]\\s*(\\d+)", "group": 1, "to": "service.pid"},

        // Activity (rules run in order: a message containing both "started" and
        // "stopped" ends as Stop)
        {"set": "activity_id", "value": "1", "if": "started"},
        {"set": "activity_name", "value": "Start", "if": "started"},
        {"set": "activity_id", "value": "2", "if": "stopped"},
        {"set": "activity_name", "value": "Stop", "if": "stopped"}
      ]
    }
  ],

  "transforms": {
    // RFC 3164 syslog timestamps carry no year and no zone. "local" presumably means
    // the collector's zone (confirm): sources in another zone, or DST transitions,
    // skew OCSF "time" and break cross-source correlation -- prefer an explicit zone
    // per source where known. The year is presumably inferred from receipt time;
    // check behaviour for events arriving across the Dec/Jan rollover.
    "syslogTimestamp": {
      "formats": [
        "MMM dd HH:mm:ss",
        "MMM  d HH:mm:ss"
      ],
      "timezone": "local"
    }
  }
}
