// SentinelOne AI SIEM Parser: Linux OS
// OCSF Schema Version: 1.1.0
// Maps Linux syslog/auth/audit logs to OCSF classes. This file contains // comments, so it must be loaded with a comment-tolerant (JSONC-style) parser; a strict RFC 8259 parser will reject it.
// Primary Classes: Authentication (3002), Process Activity (1007), Account Change (3001)

{
  "parserName": "LinuxOS-OCSF",
  "version": "1.0.0",
  "vendor": "Linux",
  "product": "Linux OS",
  "format": "syslog",
  
  "patterns": [
    // SSH successful login (IPv4 sources only: the [\d.]+ source group does not match IPv6 addresses; the \w+ method group matches 'password'/'publickey' but not 'keyboard-interactive/pam')
    {
      "pattern": "sshd\\[\\d+\\]:\\s+Accepted\\s+(\\w+)\\s+for\\s+(\\S+)\\s+from\\s+([\\d.]+)\\s+port\\s+(\\d+)",
      "rewrites": [
        {"set": "class_uid", "value": "3002"},
        {"set": "class_name", "value": "Authentication"},
        {"set": "category_uid", "value": "3"},
        {"set": "category_name", "value": "Identity & Access Management"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Logon"},
        {"set": "type_uid", "value": "300201"},
        
        // Metadata (device.hostname is taken from the syslog header in this pattern only; none of the other patterns in this file set it)
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "OpenSSH"},
        {"set": "metadata.product.vendor_name", "value": "Linux"},
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)\\s+(\\S+)", "group": 2, "to": "device.hostname"},
        
        // Time (BSD syslog "Mon DD HH:MM:SS" header, which carries no year or timezone; RFC 5424 ISO-8601 timestamps do not match this regex — the same regex is reused by every pattern below)
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
        
        // Auth method
        {"group": 1, "to": "auth_protocol"},
        
        // User
        {"group": 2, "to": "user.name"},
        
        // Source
        {"group": 3, "to": "src_endpoint.ip"},
        {"group": 4, "to": "src_endpoint.port"},
        
        // SSH key fingerprint
        {"regex": "SHA256:(\\S+)", "group": 1, "to": "user.credential_uid"},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // SSH failed login (IPv4 sources only, as above; unlike the accepted-login pattern this sets no category_uid/category_name or type_uid, and the 'invalid user' name is peer-supplied input)
    {
      "pattern": "sshd\\[\\d+\\]:\\s+Failed\\s+(\\w+)\\s+for\\s+(invalid user\\s+)?(\\S+)\\s+from\\s+([\\d.]+)\\s+port\\s+(\\d+)",
      "rewrites": [
        {"set": "class_uid", "value": "3002"},
        {"set": "class_name", "value": "Authentication"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Logon"},
        {"set": "status_id", "value": "2"},
        {"set": "status", "value": "Failure"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "OpenSSH"},
        {"set": "metadata.product.vendor_name", "value": "Linux"},
        
        // Time
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
        
        // Auth method
        {"group": 1, "to": "auth_protocol"},
        
        // User
        {"group": 3, "to": "user.name"},
        {"set": "user.type", "value": "Invalid", "if": "invalid user"},
        
        // Source
        {"group": 4, "to": "src_endpoint.ip"},
        {"group": 5, "to": "src_endpoint.port"},
        
        // Severity
        {"set": "severity_id", "value": "3"},
        {"set": "severity", "value": "Medium"}
      ]
    },
    
    // Sudo command execution (TTY and PWD are matched with \S+, so a working directory containing whitespace will not match)
    {
      "pattern": "sudo:\\s+(\\S+)\\s+:\\s+TTY=(\\S+)\\s+;\\s+PWD=(\\S+)\\s+;\\s+USER=(\\S+)\\s+;\\s+COMMAND=(.+)$",
      "rewrites": [
        {"set": "class_uid", "value": "1007"},
        {"set": "class_name", "value": "Process Activity"},
        {"set": "category_uid", "value": "1"},
        {"set": "category_name", "value": "System Activity"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Launch"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "sudo"},
        {"set": "metadata.product.vendor_name", "value": "Linux"},
        
        // Time
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
        
        // Actor
        {"group": 1, "to": "actor.user.name"},
        {"group": 2, "to": "actor.session.terminal"},
        {"group": 3, "to": "process.cwd"},
        
        // Target user (run as)
        {"group": 4, "to": "user.name"},
        
        // Command
        {"group": 5, "to": "process.cmd_line"},
        
        // Privilege escalation indicator
        {"set": "is_privileged", "value": "true"},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // Sudo denied (matches only the 'user NOT in sudoers' message; other sudo refusal messages are not covered by this pattern)
    {
      "pattern": "sudo:\\s+(\\S+)\\s+:\\s+user NOT in sudoers",
      "rewrites": [
        {"set": "class_uid", "value": "3003"},
        {"set": "class_name", "value": "Authorization"},
        {"set": "activity_id", "value": "2"},
        {"set": "activity_name", "value": "Deny"},
        {"set": "status_id", "value": "2"},
        {"set": "status", "value": "Failure"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "sudo"},
        {"set": "metadata.product.vendor_name", "value": "Linux"},
        
        // Time
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
        
        // User
        {"group": 1, "to": "actor.user.name"},
        
        // Extract command attempted
        {"regex": "COMMAND=(.+)$", "group": 1, "to": "process.cmd_line"},
        
        // Severity
        {"set": "severity_id", "value": "4"},
        {"set": "severity", "value": "High"}
      ]
    },
    
    // User creation (useradd)
    {
      "pattern": "useradd\\[\\d+\\]:\\s+new user:\\s+name=(\\S+),\\s+UID=(\\d+),\\s+GID=(\\d+),\\s+home=(\\S+),\\s+shell=(\\S+)",
      "rewrites": [
        {"set": "class_uid", "value": "3001"},
        {"set": "class_name", "value": "Account Change"},
        {"set": "category_uid", "value": "3"},
        {"set": "category_name", "value": "Identity & Access Management"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Create"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "useradd"},
        {"set": "metadata.product.vendor_name", "value": "Linux"},
        
        // Time
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
        
        // New user
        {"group": 1, "to": "user.name"},
        {"group": 2, "to": "user.uid"},
        {"group": 3, "to": "user.gid"},
        {"group": 4, "to": "user.home"},
        {"group": 5, "to": "user.shell"},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // User modification (usermod)
    {
      "pattern": "usermod\\[\\d+\\]:\\s+add\\s+'(\\S+)'\\s+to\\s+group\\s+'(\\S+)'",
      "rewrites": [
        {"set": "class_uid", "value": "3004"},
        {"set": "class_name", "value": "Group Membership"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Add"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "usermod"},
        {"set": "metadata.product.vendor_name", "value": "Linux"},
        
        // Time
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
        
        // User and group
        {"group": 1, "to": "user.name"},
        {"group": 2, "to": "group.name"},
        
        // Severity for privileged groups (the alternation is unanchored; if the "if" check is a substring/regex match it also fires on group names that merely contain these words, e.g. lpadmin — verify against the platform's "if" semantics)
        {"set": "severity_id", "value": "4", "if": "wheel|sudo|root|admin"},
        {"set": "severity", "value": "High", "if": "wheel|sudo|root|admin"},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // UFW firewall block (SRC/DST are IPv4 only, and SPT=/DPT= are required, so ICMP blocks, which log no ports, will not match)
    {
      "pattern": "kernel:\\s+\\[UFW BLOCK\\]\\s+IN=(\\S*)\\s+OUT=(\\S*).*SRC=([\\d.]+)\\s+DST=([\\d.]+).*PROTO=(\\w+)\\s+SPT=(\\d+)\\s+DPT=(\\d+)",
      "rewrites": [
        {"set": "class_uid", "value": "4001"},
        {"set": "class_name", "value": "Network Activity"},
        {"set": "category_uid", "value": "4"},
        {"set": "category_name", "value": "Network Activity"},
        {"set": "activity_id", "value": "2"},
        {"set": "activity_name", "value": "Deny"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "UFW"},
        {"set": "metadata.product.vendor_name", "value": "Linux"},
        
        // Time
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
        
        // Interfaces
        {"group": 1, "to": "src_endpoint.interface_name"},
        {"group": 2, "to": "dst_endpoint.interface_name"},
        
        // Endpoints
        {"group": 3, "to": "src_endpoint.ip"},
        {"group": 4, "to": "dst_endpoint.ip"},
        {"group": 6, "to": "src_endpoint.port"},
        {"group": 7, "to": "dst_endpoint.port"},
        
        // Protocol
        {"group": 5, "to": "connection_info.protocol_name"},
        
        // Status
        {"set": "status_id", "value": "2"},
        {"set": "status", "value": "Failure"}
      ]
    },
    
    // Audit EXECVE (command execution) — assumes audit records are forwarded to syslog as "auditd[pid]: EXECVE argc=..."; native audit.log lines begin with "type=EXECVE msg=audit(...)" and will not match this pattern
    {
      "pattern": "auditd\\[\\d+\\]:\\s+EXECVE\\s+argc=(\\d+)\\s+(.+)$",
      "rewrites": [
        {"set": "class_uid", "value": "1007"},
        {"set": "class_name", "value": "Process Activity"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Launch"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "auditd"},
        {"set": "metadata.product.vendor_name", "value": "Linux"},
        
        // Time
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
        
        // Arguments
        {"group": 1, "to": "process.argc"},
        {"group": 2, "to": "process.cmd_line", "transform": "parseAuditArgs"},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // Systemd service start
    {
      "pattern": "systemd\\[1\\]:\\s+Started\\s+(.+?)(?:\\s+-\\s+(.+))?\\.?$",
      "rewrites": [
        {"set": "class_uid", "value": "1006"},
        {"set": "class_name", "value": "Service Activity"},
        {"set": "category_uid", "value": "1"},
        {"set": "category_name", "value": "System Activity"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Start"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "systemd"},
        {"set": "metadata.product.vendor_name", "value": "Linux"},
        
        // Time
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
        
        // Service
        {"group": 1, "to": "service.name"},
        {"group": 2, "to": "service.desc"},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // Cron job execution (expects a lowercase "cron[" program name; logs emitted as "CRON[" will match only if pattern matching is case-insensitive)
    {
      "pattern": "cron\\[\\d+\\]:\\s+\\((\\S+)\\)\\s+CMD\\s+\\((.+)\\)$",
      "rewrites": [
        {"set": "class_uid", "value": "1007"},
        {"set": "class_name", "value": "Process Activity"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Launch"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "cron"},
        {"set": "metadata.product.vendor_name", "value": "Linux"},
        
        // Time
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
        
        // User
        {"group": 1, "to": "actor.user.name"},
        
        // Command
        {"group": 2, "to": "process.cmd_line"},
        
        // Scheduled task indicator
        {"set": "is_scheduled", "value": "true"},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // Password change
    {
      "pattern": "passwd\\[\\d+\\]:\\s+password changed for\\s+(\\S+)\\s+by\\s+(\\S+)",
      "rewrites": [
        {"set": "class_uid", "value": "3001"},
        {"set": "class_name", "value": "Account Change"},
        {"set": "activity_id", "value": "3"},
        {"set": "activity_name", "value": "Password Change"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "passwd"},
        {"set": "metadata.product.vendor_name", "value": "Linux"},
        
        // Time
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
        
        // Target user
        {"group": 1, "to": "user.name"},
        
        // Actor
        {"group": 2, "to": "actor.user.name"},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // SSH disconnect (every "Received disconnect" line, including pre-authentication disconnects from peers that never logged on, becomes a Logoff with status Success; the peer-supplied reason code and text land in status_code/status_detail)
    {
      "pattern": "sshd\\[\\d+\\]:\\s+Received disconnect from\\s+([\\d.]+)\\s+port\\s+(\\d+):(\\d+):\\s+(.+)$",
      "rewrites": [
        {"set": "class_uid", "value": "3002"},
        {"set": "class_name", "value": "Authentication"},
        {"set": "activity_id", "value": "2"},
        {"set": "activity_name", "value": "Logoff"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "OpenSSH"},
        {"set": "metadata.product.vendor_name", "value": "Linux"},
        
        // Time
        {"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
        
        // Source
        {"group": 1, "to": "src_endpoint.ip"},
        {"group": 2, "to": "src_endpoint.port"},
        
        // Disconnect code and reason
        {"group": 3, "to": "status_code"},
        {"group": 4, "to": "status_detail"},
        
        // Status
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    }
  ],
  
  "transforms": {
    "parseAuditArgs": {
      "description": "Parse audit EXECVE arguments a0=\"/bin/bash\" a1=\"-c\" to command line. Only double-quoted arguments are joined; hex-encoded arguments (emitted by auditd when an argument contains whitespace or control characters) and empty arguments are dropped from process.cmd_line",
      "regex": "a\\d+=\"([^\"]+)\"",
      "join": " "
    }
  }
}
