// SentinelOne AI SIEM Parser: SAP HANA Database
// OCSF Schema Version: 1.1.0
// Maps SAP HANA audit JSON logs to OCSF classes
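// Primary Classes: Database Activity (4003), Authentication (3002), Authorization (3003)
// Also emits Security Finding (2001) for events whose audit_level is CRITICAL.
// NOTE(review): in the published OCSF 1.1.0 schema, 4003 is DNS Activity and 3003 is
// Authorize Session; database events are modelled by Datastore Activity (6005) and privilege
// grants by User Access Management (3005). Confirm the intended class UIDs before building
// detections or dashboards that filter on class_uid.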

{
  // Parser identity. "version" is this parser definition's own version; the OCSF schema
  // version (1.1.0) is written separately to metadata.version by each pattern entry.
  "parserName": "HANADatabase-OCSF",
  "version": "1.0.0",
  "vendor": "SAP",
  "product": "HANA Database",
  // Input records are JSON. The "pattern" regexes below appear to be matched against the raw
  // serialized text (they look for quoted keys such as "audit_action":), so they depend on
  // the exporter's key spelling and spacing.
  "format": "json",
  
  "patterns": [
    // Connection events: CONNECT -> Authentication (3002), activity Logon.
    // (DISCONNECT is handled by its own entry further down.)
    // NOTE(review): this pattern does not look at error_code, so failed CONNECT events match it
    // too. If the engine stops at the first matching entry, the "Failed connection" entry that
    // follows is never applied and failed logons end up with no status at all. Confirm the match
    // order, since failed-logon detections depend on status_id = 2.
    {
      "pattern": "\"audit_action\":\\s*\"CONNECT\"",
      "rewrites": [
        {"set": "class_uid", "value": "3002"},
        {"set": "class_name", "value": "Authentication"},
        {"set": "category_uid", "value": "3"},
        {"set": "category_name", "value": "Identity & Access Management"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Logon"},
        // type_uid = class_uid * 100 + activity_id
        {"set": "type_uid", "value": "300201"},
        
        // Metadata
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},
        {"jsonPath": "$.host", "to": "device.hostname"},
        {"jsonPath": "$.component", "to": "metadata.product.feature.name"},
        {"jsonPath": "$.source_file", "to": "metadata.log_name"},
        {"jsonPath": "$.source_line", "to": "metadata.log_line"},
        // NOTE(review): metadata.uid is normally the unique id of the event; a thread id
        // presumably repeats across events — confirm this is the intended target.
        {"jsonPath": "$.thread_id", "to": "metadata.uid"},
        
        // Time
        {"jsonPath": "$.timestamp", "to": "time"},
        
        // User
        // Here the database user goes to user.name and the application user to actor.user.name.
        // The query, grant, backup and finding entries put $.user_name in actor.user.name instead,
        // so a search on either attribute alone misses part of one account's activity.
        {"jsonPath": "$.user_name", "to": "user.name"},
        {"jsonPath": "$.application_user", "to": "actor.user.name"},
        {"jsonPath": "$.application_name", "to": "app_name"},
        
        // Session
        {"jsonPath": "$.connection_id", "to": "session.uid"},
        
        // Source endpoint
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        {"jsonPath": "$.client_port", "to": "src_endpoint.port"},
        
        // Audit policy
        // audit_level is copied as the raw source string; this entry sets no severity_id.
        {"jsonPath": "$.audit_policy_name", "to": "policy.name"},
        {"jsonPath": "$.audit_level", "to": "severity"},
        
        // Comment
        {"jsonPath": "$.comment", "to": "message"},
        
        // Status - Success is set only when error_code is null or 0. For any other value this
        // entry leaves status_id and status unset (no Failure is written here).
        {"set": "status_id", "value": "1", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status", "value": "Success", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"}
      ]
    },
    
    // Failed connection: CONNECT with a non-zero error_code -> Logon, status Failure.
    // The regex requires "audit_action" to be serialized before "error_code" in the record and
    // a code whose first character is 1-9, so negative or quoted codes do not match.
    // NOTE(review): this entry comes after the broader CONNECT entry, which matches the same
    // events; whether this one is ever applied depends on the engine's match order — confirm.
    // NOTE(review): category_uid and type_uid are not set, and connection_id, client_port and
    // application_user are not mapped, so failed logons carry less context than successful ones.
    {
      "pattern": "\"audit_action\":\\s*\"CONNECT\".*\"error_code\":\\s*[1-9]",
      "rewrites": [
        {"set": "class_uid", "value": "3002"},
        {"set": "class_name", "value": "Authentication"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Logon"},
        {"set": "status_id", "value": "2"},
        {"set": "status", "value": "Failure"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},
        
        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "user.name"},
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        // The source error code and message are kept so the failure reason stays searchable.
        {"jsonPath": "$.error_code", "to": "status_code"},
        {"jsonPath": "$.error_message", "to": "status_detail"},
        
        // Severity: every failed logon is Medium (3), whatever the error code.
        {"set": "severity_id", "value": "3"},
        {"set": "severity", "value": "Medium"}
      ]
    },
    
    // Disconnect: DISCONNECT -> Authentication (3002), activity Logoff.
    // category_uid and type_uid are not set here, and client_ip is not mapped; a logoff can be
    // tied to its logon only through session.uid (connection_id).
    {
      "pattern": "\"audit_action\":\\s*\"DISCONNECT\"",
      "rewrites": [
        {"set": "class_uid", "value": "3002"},
        {"set": "class_name", "value": "Authentication"},
        {"set": "activity_id", "value": "2"},
        {"set": "activity_name", "value": "Logoff"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},
        
        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "user.name"},
        {"jsonPath": "$.connection_id", "to": "session.uid"},
        // Source field is named in seconds; no unit conversion is applied.
        {"jsonPath": "$.session_duration_seconds", "to": "session.duration"},
        
        // Status is written unconditionally: every DISCONNECT is recorded as Success.
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // SELECT queries -> class_uid 4003 (labelled "Database Activity"), activity Query.
    // NOTE(review): in the published OCSF 1.1.0 schema 4003 is DNS Activity under Network
    // Activity; database reads are modelled by Datastore Activity (6005) under Application
    // Activity. As written, these events can surface in DNS-oriented searches — confirm the UID.
    {
      "pattern": "\"audit_action\":\\s*\"SELECT\"",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "Database Activity"},
        {"set": "category_uid", "value": "4"},
        {"set": "category_name", "value": "Network Activity"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Query"},
        {"set": "type_uid", "value": "400301"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},
        
        // The database user is the actor here (the CONNECT entries use user.name for it).
        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "actor.user.name"},
        {"jsonPath": "$.connection_id", "to": "actor.session.uid"},
        {"jsonPath": "$.transaction_id", "to": "transaction.uid"},
        {"jsonPath": "$.statement_id", "to": "query_info.uid"},
        
        // Query details
        // The statement text is stored verbatim. It may contain literal values from the query
        // (verify what the HANA audit trail redacts), so treat these fields as sensitive.
        {"jsonPath": "$.statement", "to": "query_info.query_string"},
        {"jsonPath": "$.executed_statement", "to": "query_info.executed_query"},
        {"set": "query_info.query_type", "value": "SELECT"},
        
        // Performance
        {"jsonPath": "$.rows_affected", "to": "query_info.rows_affected"},
        {"jsonPath": "$.execution_time_ms", "to": "query_info.duration"},
        
        // Source
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        {"jsonPath": "$.application_name", "to": "app_name"},
        
        // Status
        // NOTE(review): Success is written unconditionally; error_code is not consulted, so a
        // rejected or failed SELECT (e.g. insufficient privilege) is also recorded as Success.
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // Data modification (INSERT/UPDATE/DELETE) -> class_uid 4003 (labelled "Database Activity").
    // NOTE(review): 4003 is DNS Activity in the published OCSF 1.1.0 schema; Datastore Activity
    // is 6005 — confirm the intended class. No type_uid is set in this entry.
    {
      "pattern": "\"audit_action\":\\s*\"(INSERT|UPDATE|DELETE)\"",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "Database Activity"},
        {"set": "category_uid", "value": "4"},
        {"set": "category_name", "value": "Network Activity"},
        
        // activity_name receives the raw audit_action (upper case), then the lookup derives
        // activity_id from it. The ids here are JSON numbers, whereas the "set" rewrites in the
        // other entries write ids as strings — check that downstream typing is consistent.
        {"jsonPath": "$.audit_action", "to": "activity_name"},
        {"lookup": "activity_name", "map": {"INSERT": 2, "UPDATE": 3, "DELETE": 4}, "to": "activity_id"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},
        
        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "actor.user.name"},
        {"jsonPath": "$.connection_id", "to": "actor.session.uid"},
        {"jsonPath": "$.transaction_id", "to": "transaction.uid"},
        
        // Query (statement text is stored verbatim; it may carry literal data values)
        {"jsonPath": "$.statement", "to": "query_info.query_string"},
        {"jsonPath": "$.executed_statement", "to": "query_info.executed_query"},
        {"jsonPath": "$.rows_affected", "to": "query_info.rows_affected"},
        {"jsonPath": "$.execution_time_ms", "to": "query_info.duration"},
        
        // Source
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        
        // Severity for data modification: Low (2) for all three actions, DELETE included.
        {"set": "severity_id", "value": "2"},
        {"set": "severity", "value": "Low"},
        
        // Status
        // NOTE(review): Success is written unconditionally; error_code is not consulted, so a
        // failed or denied modification is also recorded as Success.
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // GRANT (privilege grants) -> class_uid 3003 (labelled "Authorization"), activity Grant.
    // NOTE(review): the pattern matches only "GRANT". REVOKE appears in audit_action_mappings
    // but has no entry in "patterns", so revocations are not normalized by this file.
    // NOTE(review): in the published OCSF 1.1.0 schema 3003 is Authorize Session; privilege
    // assignment is modelled by User Access Management (3005) — confirm the intended class.
    {
      "pattern": "\"audit_action\":\\s*\"GRANT\"",
      "rewrites": [
        {"set": "class_uid", "value": "3003"},
        {"set": "class_name", "value": "Authorization"},
        {"set": "category_uid", "value": "3"},
        {"set": "category_name", "value": "Identity & Access Management"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Grant"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},
        
        // actor.user.name is the account that issued the GRANT. The grantee is not extracted
        // into its own field; it is only available inside the statement text.
        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "actor.user.name"},
        {"jsonPath": "$.connection_id", "to": "actor.session.uid"},
        
        // Privilege details
        // "privileges" receives the whole executed statement as one string, not a parsed list
        // of privilege names.
        {"jsonPath": "$.statement", "to": "message"},
        {"jsonPath": "$.executed_statement", "to": "privileges"},
        
        // Source
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        
        // Severity for privilege grants: High (4) for every GRANT.
        {"set": "severity_id", "value": "4"},
        {"set": "severity", "value": "High"},
        
        // Status
        // NOTE(review): Success is written unconditionally; error_code is not consulted, so a
        // rejected GRANT attempt is recorded as a successful privilege change.
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // Backup operations: BACKUP DATA -> class_uid 4003 (labelled "Database Activity"),
    // activity Backup (5). No category_uid, type_uid or severity is set in this entry.
    // NOTE(review): 4003 is DNS Activity in the published OCSF 1.1.0 schema — confirm the class.
    // RESTORE appears in audit_action_mappings but has no entry in "patterns".
    {
      "pattern": "\"audit_action\":\\s*\"BACKUP DATA\"",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "Database Activity"},
        {"set": "activity_id", "value": "5"},
        {"set": "activity_name", "value": "Backup"},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},
        
        // application_user goes to actor.user.account.name here, while the CONNECT entry maps
        // the same source field to actor.user.name.
        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "actor.user.name"},
        {"jsonPath": "$.application_user", "to": "actor.user.account.name"},
        {"jsonPath": "$.application_name", "to": "app_name"},
        
        // Backup details (size is taken from a field named in megabytes; no conversion applied)
        {"jsonPath": "$.statement", "to": "message"},
        {"jsonPath": "$.backup_id", "to": "backup.uid"},
        {"jsonPath": "$.backup_size_mb", "to": "backup.size"},
        
        // Source
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        
        // Status
        // NOTE(review): Success is written unconditionally; error_code is not consulted, so a
        // failed backup is also recorded as Success.
        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },
    
    // Critical audit level events -> Security Finding (2001), severity Critical (5).
    // This entry keys on audit_level, not audit_action, and is last in the list.
    // NOTE(review): a CRITICAL event whose audit_action is handled above (e.g. CONNECT, GRANT)
    // matches an earlier entry as well. If the engine stops at the first match, that event keeps
    // the earlier entry's severity and never becomes a finding — confirm the match order.
    {
      "pattern": "\"audit_level\":\\s*\"CRITICAL\"",
      "rewrites": [
        {"set": "class_uid", "value": "2001"},
        {"set": "class_name", "value": "Security Finding"},
        {"set": "category_uid", "value": "2"},
        {"set": "category_name", "value": "Findings"},
        // No activity_id or type_uid is set for findings in this entry.
        {"set": "finding_info.types", "value": ["Database Security Event"]},
        
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},
        
        // The audit action becomes the finding title and the audit comment its description.
        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "actor.user.name"},
        {"jsonPath": "$.audit_action", "to": "finding_info.title"},
        {"jsonPath": "$.comment", "to": "finding_info.desc"},
        // NOTE(review): data_sources presumably names the telemetry sources behind a finding;
        // the statement text is stored there as-is — confirm the target field.
        {"jsonPath": "$.statement", "to": "finding_info.data_sources"},
        
        // Source
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        
        // Severity
        {"set": "severity_id", "value": "5"},
        {"set": "severity", "value": "Critical"}
      ]
    }
  ],
  
  // Reference table: HANA audit_action -> class / activity captions.
  // Nothing in "patterns" refers to this table; whether the engine consumes it is not visible
  // here — presumably documentation only, verify.
  // NOTE(review): CREATE, DROP, ALTER, REVOKE and RESTORE are listed here but have no entry in
  // "patterns", so those events (including user, role and schema changes) are not normalized by
  // the rules above.
  // NOTE(review): DROP shares the "Delete" caption with DELETE and ALTER shares "Update" with
  // UPDATE, so schema changes and row changes cannot be told apart by activity alone. The
  // captions also differ from what the INSERT/UPDATE/DELETE pattern writes to activity_name
  // (the raw upper-case audit_action).
  "audit_action_mappings": {
    "CONNECT": {"class": "Authentication", "activity": "Logon"},
    "DISCONNECT": {"class": "Authentication", "activity": "Logoff"},
    "SELECT": {"class": "Database Activity", "activity": "Query"},
    "INSERT": {"class": "Database Activity", "activity": "Insert"},
    "UPDATE": {"class": "Database Activity", "activity": "Update"},
    "DELETE": {"class": "Database Activity", "activity": "Delete"},
    "CREATE": {"class": "Database Activity", "activity": "Create"},
    "DROP": {"class": "Database Activity", "activity": "Delete"},
    "ALTER": {"class": "Database Activity", "activity": "Update"},
    "GRANT": {"class": "Authorization", "activity": "Grant"},
    "REVOKE": {"class": "Authorization", "activity": "Revoke"},
    "BACKUP DATA": {"class": "Database Activity", "activity": "Backup"},
    "RESTORE": {"class": "Database Activity", "activity": "Restore"}
  }
}
