Sync upstream features; preserve fork KV scanner, parsers, verifier

Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
marc
2026-05-22 18:19:52 +02:00
parent a7ebcac9a6
commit 7c1687efce
102 changed files with 13912 additions and 178 deletions
+77
@@ -0,0 +1,77 @@
{
// Avelios Medical OCSF Parser - OCSF v1.3.0
// Hospital Information System (HIS) - BSI / NIS2 compliance events
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Avelios",
"metadata.product.name": "Avelios Medical HIS",
"metadata.log_provider": "hec",
"Category": "healthcare",
"dataSource.vendor": "Avelios",
"dataSource.name": "Avelios Medical",
"dataSource.category": "Healthcare"
},
formats: [
{
// Auto-extract every JSON top-level field as an attribute
format: "$=json{parse=json}$",
halt: true,
rewrites: [
// ─── OCSF classification by event_category ──────────────────────
{ input: "event_category", output: "category_uid", match: "authentication", replace: "3" },
{ input: "event_category", output: "category_name", match: "authentication", replace: "Identity & Access Management" },
{ input: "event_category", output: "class_uid", match: "authentication", replace: "3002" },
{ input: "event_category", output: "class_name", match: "authentication", replace: "Authentication" },
{ input: "event_category", output: "category_uid", match: "patient_access", replace: "6" },
{ input: "event_category", output: "category_name", match: "patient_access", replace: "Application Activity" },
{ input: "event_category", output: "class_uid", match: "patient_access", replace: "6001" },
{ input: "event_category", output: "class_name", match: "patient_access", replace: "Web Resources Activity" },
{ input: "event_category", output: "category_uid", match: "administrative", replace: "6" },
{ input: "event_category", output: "category_name", match: "administrative", replace: "Application Activity" },
{ input: "event_category", output: "class_uid", match: "administrative", replace: "6001" },
{ input: "event_category", output: "class_name", match: "administrative", replace: "Web Resources Activity" },
{ input: "event_category", output: "category_uid", match: "data_transfer", replace: "4" },
{ input: "event_category", output: "category_name", match: "data_transfer", replace: "Network Activity" },
{ input: "event_category", output: "class_uid", match: "data_transfer", replace: "4001" },
{ input: "event_category", output: "class_name", match: "data_transfer", replace: "Network Activity" },
{ input: "event_category", output: "category_uid", match: "security", replace: "2" },
{ input: "event_category", output: "category_name", match: "security", replace: "Findings" },
{ input: "event_category", output: "class_uid", match: "security", replace: "2001" },
{ input: "event_category", output: "class_name", match: "security", replace: "Security Finding" },
{ input: "event_category", output: "category_uid", match: "system", replace: "6" },
{ input: "event_category", output: "category_name", match: "system", replace: "Application Activity" },
{ input: "event_category", output: "class_uid", match: "system", replace: "6007" },
{ input: "event_category", output: "class_name", match: "system", replace: "Application Lifecycle" },
// ─── Severity mapping (string + OCSF int 0-6) ───────────────────
{ input: "severity", output: "severity_id", match: "(?i)critical", replace: "6" },
{ input: "severity", output: "severity_id", match: "(?i)high", replace: "5" },
{ input: "severity", output: "severity_id", match: "(?i)medium", replace: "4" },
{ input: "severity", output: "severity_id", match: "(?i)low", replace: "2" },
{ input: "severity", output: "severity_id", match: "(?i)info", replace: "1" },
{ input: "severity", output: "severity_str", match: ".*", replace: "$0" },
// ─── Status mapping ─────────────────────────────────────────────
{ input: "outcome", output: "status_id", match: "success", replace: "1" },
{ input: "outcome", output: "status_id", match: "failure", replace: "2" },
{ input: "outcome", output: "status_id", match: "detected", replace: "2" },
{ input: "outcome", output: "status", match: ".*", replace: "$0" },
// ─── Activity / message ─────────────────────────────────────────
{ input: "event_type", output: "activity_name", match: ".*", replace: "$0" },
{ input: "event_type", output: "finding_info.title", match: ".*", replace: "$0" },
{ input: "event_id", output: "finding_info.uid", match: ".*", replace: "$0" },
{ input: "timestamp", output: "finding_info.created_time_dt", match: ".*", replace: "$0" },
// ─── Compliance tags (BSI / NIS2 / GDPR) ────────────────────────
{ input: "event_category", output: "compliance.standard", match: ".*", replace: "BSI-Grundschutz,NIS2,GDPR" }
]
}
]
}
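Review bot: The severity rules map critical→6, high→5 and medium→4, which is not the OCSF severity_id scale the header claims (1 Informational, 2 Low, 3 Medium, 4 High, 5 Critical, 6 Fatal) and disagrees with the Check Point and Darktrace parsers in this same commit, which use Critical=5, High=4, Medium=3; any triage or detection rule keyed on severity_id would rank an Avelios "high" event as Critical, so I would change them to `{ input: "severity", output: "severity_id", match: "(?i)critical", replace: "5" }`, `{ input: "severity", output: "severity_id", match: "(?i)high", replace: "4" }` and `{ input: "severity", output: "severity_id", match: "(?i)medium", replace: "3" }`. The `system` branch pairs class_uid 6007 with class_name "Application Lifecycle"; as far as I recall Application Lifecycle is 6002 and 6007 is Scan Activity, so please check this against the v1.3.0 schema. Mapping outcome `detected` to status_id 2 also deserves a comment, since 2 is Failure in OCSF and a detected security event is not obviously a failed one. Events whose event_category is none of the six listed values end up with no category_uid/class_uid at all; a default in the top-level attributes block would keep them queryable alongside the classified ones.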
+277
@@ -0,0 +1,277 @@
{
// Check Point pipe-delimited parser — OCSF v1.3.0 (v3: Gateway + Mgmt)
//
// Discrimination is done via the `format:` string (Scalyr ignores `match:`).
// Rules are ordered most-specific → most-generic with halt:true.
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Check Point",
"metadata.product.name": "Quantum Security",
"metadata.log_provider": "syslog",
"Category": "security",
"dataSource.vendor": "Check Point",
"dataSource.name": "Check Point"
},
patterns: {
word: "[^|]+",
num: "\\d+",
ip: "\\d+\\.\\d+\\.\\d+\\.\\d+"
},
formats: [
// 1. MGMT — SmartCenter Server
{
id: "cp_mgmt_smartcenter",
attributes: {
"dataSource.category": "management",
category_uid: 6, category_name: "Application Activity",
class_uid: 6003, class_name: "API Activity",
activity_id: 3, activity_name: "Update",
type_uid: 600303,
severity_id: 2, severity: "Low",
status_id: 1, status: "Success"
},
format: ".*[|]product=SmartCenter Server.*",
halt: true,
rewrites: [
{ input: "message", output: "user_name", match: ".*[|]administrator=([^|]*).*", replace: "$1" },
{ input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "device_host", match: ".*[|]origin=([^|]+).*", replace: "$1" },
{ input: "message", output: "object_name", match: ".*[|]objectname=([^|]+).*", replace: "$1" },
{ input: "message", output: "object_type", match: ".*[|]objecttype=([^|]+).*", replace: "$1" },
{ input: "message", output: "client_name", match: ".*[|]client_name=([^|]+).*", replace: "$1" },
{ input: "message", output: "operation", match: ".*[|]operation=([^|]+).*", replace: "$1" },
{ input: "operation", output: "finding_title", match: "(.*)", replace: "Check Point Management Audit: $1" }
]
},
// 2. MGMT — Multi-Domain Server
{
id: "cp_mgmt_mds",
attributes: {
"dataSource.category": "management",
category_uid: 6, category_name: "Application Activity",
class_uid: 6003, class_name: "API Activity",
activity_id: 1, activity_name: "Create",
type_uid: 600301,
severity_id: 2, severity: "Low",
status_id: 1, status: "Success"
},
format: ".*[|]product=Multi-Domain Server.*",
halt: true,
rewrites: [
{ input: "message", output: "user_name", match: ".*[|]administrator=([^|]*).*", replace: "$1" },
{ input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "device_host", match: ".*[|]origin=([^|]+).*", replace: "$1" },
{ input: "message", output: "operation", match: ".*[|]operation=([^|]+).*", replace: "$1" },
{ input: "operation", output: "finding_title", match: "(.*)", replace: "Check Point Management Audit: $1" }
]
},
// 3. MGMT — Endpoint Security Mgmt
{
id: "cp_mgmt_endpoint",
attributes: {
"dataSource.category": "management",
category_uid: 6, category_name: "Application Activity",
class_uid: 6003, class_name: "API Activity",
activity_id: 3, activity_name: "Update",
type_uid: 600303,
severity_id: 2, severity: "Low",
status_id: 1, status: "Success"
},
format: ".*[|]product=Endpoint Security Management.*",
halt: true,
rewrites: [
{ input: "message", output: "user_name", match: ".*[|]administrator=([^|]*).*", replace: "$1" },
{ input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "device_host", match: ".*[|]origin=([^|]+).*", replace: "$1" },
{ input: "message", output: "object_name", match: ".*[|]objectname=([^|]+).*", replace: "$1" },
{ input: "message", output: "operation", match: ".*[|]operation=([^|]+).*", replace: "$1" },
{ input: "operation", output: "finding_title", match: "(.*)", replace: "Check Point Management Audit: $1" }
]
},
// 4. IPS — discriminator: protection_type=ips
{
id: "cp_ips",
attributes: {
"dataSource.category": "ids",
category_uid: 2, category_name: "Findings",
class_uid: 2004, class_name: "Detection Finding",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
severity_id: 4, severity: "High",
disposition_id: 2, disposition: "Blocked"
},
format: ".*[|]protection_type=ips.*",
halt: true,
rewrites: [
{ input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" },
{ input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" },
{ input: "message", output: "attack", match: ".*[|]attack=([^|]+).*", replace: "$1" },
{ input: "message", output: "protection", match: ".*[|]protection_name=([^|]+).*", replace: "$1" },
{ input: "message", output: "cp_severity", match: ".*[|]severity=([^|]+).*", replace: "$1" },
{ input: "cp_severity", output: "severity", match: "(?si)^\\s*critical\\s*$", replace: "Critical" },
{ input: "cp_severity", output: "severity_id", match: "(?si)^\\s*critical\\s*$", replace: "5" },
{ input: "attack", output: "finding_title", match: "(?i).*", replace: "Check Point IPS: $0" }
]
},
// 5. ANTI-BOT / AV / TE — discriminator: malware_family=…
{
id: "cp_antibot_av",
attributes: {
"dataSource.category": "antivirus",
category_uid: 2, category_name: "Findings",
class_uid: 2004, class_name: "Detection Finding",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: ".*[|]malware_family=$malware_family=word$.*",
halt: true,
rewrites: [
{ input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "malware_name", match: ".*[|]malware_name=([^|]+).*", replace: "$1" },
{ input: "message", output: "malware_action", match: ".*[|]malware_action=([^|]+).*", replace: "$1" },
{ input: "message", output: "ioc_url", match: ".*[|]resource=([^|]+).*", replace: "$1" },
{ input: "message", output: "cp_action", match: ".*[|]action=([^|]+).*", replace: "$1" },
{ input: "cp_action", output: "disposition", match: "(?i)^detect$", replace: "Allowed" },
{ input: "cp_action", output: "disposition_id", match: "(?i)^detect$", replace: "1" },
{ input: "malware_name", output: "finding_title", match: "(?i).*", replace: "Check Point Malware: $0" }
]
},
// 6. APP CTRL / URL FILTERING — discriminator: app_name=…
{
id: "cp_app_control",
attributes: {
"dataSource.category": "application",
category_uid: 4, category_name: "Network Activity",
class_uid: 4002, class_name: "HTTP Activity",
activity_id: 1, activity_name: "Connection",
type_uid: 400201,
severity_id: 2, severity: "Low",
disposition_id: 1, disposition: "Allowed"
},
format: ".*[|]app_name=$app_name=word$.*",
halt: true,
rewrites: [
{ input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" },
{ input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" },
{ input: "message", output: "app_category", match: ".*[|]app_category=([^|]+).*", replace: "$1" },
{ input: "message", output: "app_risk", match: ".*[|]app_risk=([^|]+).*", replace: "$1" },
{ input: "message", output: "user_name", match: ".*[|]user=([^|]+).*", replace: "$1" },
{ input: "message", output: "url", match: ".*[|]resource=([^|]+).*", replace: "$1" },
{ input: "message", output: "cp_action", match: ".*[|]action=([^|]+).*", replace: "$1" },
{ input: "cp_action", output: "disposition", match: "(?i)^drop$|^reject$", replace: "Blocked" },
{ input: "cp_action", output: "disposition_id", match: "(?i)^drop$|^reject$", replace: "2" }
]
},
// 7. FW Drop fallback — discriminator: action=Drop
{
id: "cp_drop",
attributes: {
"dataSource.category": "firewall",
category_uid: 2, category_name: "Findings",
class_uid: 2004, class_name: "Detection Finding",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
finding_title: "Check Point Firewall Drop",
severity_id: 3, severity: "Medium",
disposition_id: 2, disposition: "Blocked"
},
format: ".*[|]action=Drop.*",
halt: true,
rewrites: [
{ input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" },
{ input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" },
{ input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*", replace: "$1" }
]
},
// 8. FW Reject — discriminator: action=Reject
{
id: "cp_reject",
attributes: {
"dataSource.category": "firewall",
category_uid: 2, category_name: "Findings",
class_uid: 2004, class_name: "Detection Finding",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
finding_title: "Check Point Firewall Reject",
severity_id: 3, severity: "Medium",
disposition_id: 2, disposition: "Blocked"
},
format: ".*[|]action=Reject.*",
halt: true,
rewrites: [
{ input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" },
{ input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" },
{ input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*", replace: "$1" }
]
},
// 9. FW Accept — discriminator: action=Accept
{
id: "cp_accept",
attributes: {
"dataSource.category": "firewall",
category_uid: 4, category_name: "Network Activity",
class_uid: 4001, class_name: "Network Activity",
activity_id: 6, activity_name: "Traffic",
type_uid: 400106,
disposition_id: 1, disposition: "Allowed",
severity_id: 1, severity: "Informational"
},
format: ".*[|]action=Accept.*",
halt: true,
rewrites: [
{ input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" },
{ input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" },
{ input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*", replace: "$1" }
]
},
// 10. CATCH-ALL — any Check Point log not matched above
{
id: "cp_catchall",
attributes: {
"dataSource.category": "security",
category_uid: 5, category_name: "Discovery",
class_uid: 5001, class_name: "Device Inventory Info",
activity_id: 1, activity_name: "Log",
type_uid: 500101,
severity_id: 1, severity: "Informational"
},
format: ".*time=\\d+[|].*",
halt: true,
rewrites: [
{ input: "message", output: "src_ip", match: ".*[|]src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "dst_ip", match: ".*[|]dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "src_port", match: ".*[|]s_port=(\\d+).*", replace: "$1" },
{ input: "message", output: "dst_port", match: ".*[|]service=(\\d+).*", replace: "$1" },
{ input: "message", output: "protocol", match: ".*[|]proto=([^|]+).*", replace: "$1" },
{ input: "message", output: "cp_product", match: ".*[|]product=([^|]+).*", replace: "$1" },
{ input: "message", output: "cp_action", match: ".*[|]action=([^|]+).*", replace: "$1" }
]
}
]
}
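Review bot: The cp_ips format hard-codes `disposition_id: 2, disposition: "Blocked"` in its attributes and never extracts the log's `action=` field, so an IPS event the gateway only detected is shown to analysts as blocked; the cp_antibot_av format directly below already handles this case. I would add to the cp_ips rewrites `{ input: "message", output: "cp_action", match: ".*[|]action=([^|]+).*", replace: "$1" }`, `{ input: "cp_action", output: "disposition", match: "(?i)^detect$", replace: "Allowed" }` and `{ input: "cp_action", output: "disposition_id", match: "(?i)^detect$", replace: "1" }`, mirroring cp_antibot_av. The severity override in the same format only handles `critical`, so every other Check Point severity value keeps the fixed High; if that is intended, a one-line comment saying so would stop the next reader from treating it as an omission. The catch-all format files unrecognised Check Point lines under class 5001 Device Inventory Info, which is a poor fit for firewall traffic; if no better class exists, a comment explaining that the class was chosen only so the events are retained would help.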
+135
@@ -0,0 +1,135 @@
{
// Darktrace JSON parser - OCSF v1.3.0
// Handles JSON-formatted Darktrace events from serverHost='darktrace_darktrace_logs-latest'
//
// Supports:
// 1. Model Breach events (with "model.name", "device.*", "score")
// 2. AI Analyst Incidents (with "summary", "title", "incidentId", "groupSeverity")
//
// Maps to OCSF Detection Finding (class_uid 2004) for Library Detection compatibility.
attributes: {
"marc_ocsf_signature": "MARC-OCSF-PARSER-ACTIVE-77777",
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Darktrace",
"metadata.product.name": "Enterprise Immune System",
"metadata.log_provider": "darktrace-integration",
"dataSource.vendor": "Darktrace",
"dataSource.name": "Darktrace",
"dataSource.category": "ndr",
"category_uid": 2,
"category_name": "Findings",
"class_uid": 2004,
"class_name": "Detection Finding",
"type_uid": 200401,
"activity_id": 1,
"event.type": "Create",
"event.category": "security",
"status_id": 1,
"status": "New"
},
formats: [
// ============================================================
// 1. Model Breach (has "model.name" and "pbid")
// ============================================================
{
id: "dt_model_breach_json",
attributes: {
finding_title: "Darktrace Model Breach"
},
format: "$=json{parse=json}$",
halt: true,
rewrites: [
// Extract nested JSON fields via regex on raw message (parse=json doesn't flatten nested)
{ input: "message", output: "unmapped.model.then.name",
match: ".*\"model\"\\s*:\\s*\\{[^}]*\"name\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "model_name",
match: ".*\"model\"\\s*:\\s*\\{[^}]*\"name\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "finding_title",
match: ".*\"model\"\\s*:\\s*\\{[^}]*\"name\"\\s*:\\s*\"([^\"]+)\".*", replace: "Darktrace: $1" },
// Device → asset/host fields (extract from nested device object)
{ input: "message", output: "src_ip",
match: ".*\"device\"\\s*:\\s*\\{[^}]*\"ip\"\\s*:\\s*\"([0-9.]+)\".*", replace: "$1" },
{ input: "message", output: "src_hostname",
match: ".*\"device\"\\s*:\\s*\\{[^}]*\"hostname\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "endpoint.name",
match: ".*\"device\"\\s*:\\s*\\{[^}]*\"hostname\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "endpoint.os",
match: ".*\"device\"\\s*:\\s*\\{[^}]*\"os\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "src_mac",
match: ".*\"device\"\\s*:\\s*\\{[^}]*\"mac\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" },
// Score (0.0-1.0) → severity_id (OCSF 0-6)
{ input: "score", output: "severity_id", match: "^0\\.[0-1].*", replace: "1" }, // Info
{ input: "score", output: "severity_id", match: "^0\\.[2-3].*", replace: "2" }, // Low
{ input: "score", output: "severity_id", match: "^0\\.[4-5].*", replace: "3" }, // Medium
{ input: "score", output: "severity_id", match: "^0\\.[6-7].*", replace: "4" }, // High
{ input: "score", output: "severity_id", match: "^0\\.[8-9].*", replace: "5" }, // Critical
{ input: "score", output: "severity_id", match: "^1(\\.0)?$", replace: "5" }, // Critical
{ input: "score", output: "severity", match: "^0\\.[0-1].*", replace: "Informational" },
{ input: "score", output: "severity", match: "^0\\.[2-3].*", replace: "Low" },
{ input: "score", output: "severity", match: "^0\\.[4-5].*", replace: "Medium" },
{ input: "score", output: "severity", match: "^0\\.[6-7].*", replace: "High" },
{ input: "score", output: "severity", match: "^0\\.[8-9].*", replace: "Critical" },
{ input: "score", output: "severity", match: "^1(\\.0)?$", replace: "Critical" },
// IDs (top-level pbid works, nested model.id/uuid via regex)
{ input: "pbid", output: "external_id", match: ".*", replace: "$0" },
{ input: "message", output: "rule_uid",
match: ".*\"model\"\\s*:\\s*\\{[^}]*\"id\"\\s*:\\s*([0-9]+).*", replace: "$1" },
{ input: "message", output: "rule_uuid",
match: ".*\"model\"\\s*:\\s*\\{[^}]*\"uuid\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" },
// Timestamps
{ input: "creationTime", output: "finding_info.created_time", match: ".*", replace: "$0" },
{ input: "time", output: "finding_info.last_seen_time", match: ".*", replace: "$0" }
]
},
// ============================================================
// 2. AI Analyst Incident (has "title", "summary", "incidentId")
// ============================================================
{
id: "dt_aianalyst_json",
attributes: {
finding_title: "Darktrace AI Analyst Incident",
severity_id: 4,
severity: "High"
},
format: "$=json{parse=json}$",
halt: true,
rewrites: [
// Title → model name (so Library Detections can match)
{ input: "title", output: "unmapped.model.then.name", match: ".*", replace: "AI Analyst / $0" },
{ input: "title", output: "model_name", match: ".*", replace: "AI Analyst / $0" },
{ input: "title", output: "finding_title", match: ".*", replace: "Darktrace AI Analyst: $0" },
{ input: "summary", output: "finding_info.desc", match: ".*", replace: "$0" },
// groupSeverity (0-100) → severity_id
{ input: "groupSeverity", output: "severity_id", match: "^[0-1]?[0-9]$", replace: "1" }, // 0-19 = Info
{ input: "groupSeverity", output: "severity_id", match: "^[2-3][0-9]$", replace: "2" }, // 20-39 = Low
{ input: "groupSeverity", output: "severity_id", match: "^[4-5][0-9]$", replace: "3" }, // 40-59 = Medium
{ input: "groupSeverity", output: "severity_id", match: "^[6-7][0-9]$", replace: "4" }, // 60-79 = High
{ input: "groupSeverity", output: "severity_id", match: "^([8-9][0-9]|100)$", replace: "5" }, // 80-100 = Critical
// First device IP/hostname from devices array (regex on raw message)
{ input: "message", output: "src_ip",
match: ".*\"devices\"\\s*:\\s*\\[\\s*\\{[^}]*\"ip\"\\s*:\\s*\"([0-9.]+)\".*", replace: "$1" },
{ input: "message", output: "src_hostname",
match: ".*\"devices\"\\s*:\\s*\\[\\s*\\{[^}]*\"hostname\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "endpoint.name",
match: ".*\"devices\"\\s*:\\s*\\[\\s*\\{[^}]*\"hostname\"\\s*:\\s*\"([^\"]+)\".*", replace: "$1" },
// IDs
{ input: "incidentId", output: "external_id", match: ".*", replace: "$0" }
]
}
]
}
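Review bot: Both formats use the identical `format: "$=json{parse=json}$"` with `halt: true`, so under the rule the Check Point parser in this commit states ("discrimination is done via the format: string; match: is ignored") every JSON event is consumed by dt_model_breach_json and dt_aianalyst_json is never reached — an AI Analyst incident would then carry finding_title "Darktrace Model Breach", no groupSeverity-derived severity_id and no incidentId mapping. The section headers "has model.name and pbid" / "has title, summary, incidentId" describe the intent, but nothing in either format enforces it. I cannot confirm the first-match/halt semantics from this page, so please check it against the parser documentation; if content-based discrimination is not available, merging the two into one format that carries both rewrite sets (the `title`, `summary`, `groupSeverity`, `incidentId` and `devices` rules only fire when those fields are present) and saying so in the header would be the safe shape. A smaller point: the score bands `^0\\.[0-1].*` through `^1(\\.0)?$` never match an integer `0`, so a zero score yields no severity at all.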
+173
@@ -0,0 +1,173 @@
{
// Darktrace CEF / syslog parser — OCSF v1.3.0
//
// Supports the four canonical Darktrace log streams:
// 1. Model Breach → Detection Finding (severity from score)
// 2. AI Analyst Incident → Detection Finding (Critical)
// 3. Antigena (autonomous response) → Detection Finding (action: Blocked)
// 4. Admin / authentication events → Authentication (3002)
//
// Wire format is CEF: pipe-separated header + space-separated key=value extension.
// CEF:0|Darktrace|<product>|<ver>|<sigID>|<name>|<sev>|<extension>
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Darktrace",
"metadata.product.name": "Enterprise Immune System",
"metadata.log_provider": "syslog",
"Category": "security",
"dataSource.vendor": "Darktrace",
"dataSource.name": "Darktrace",
"dataSource.category": "ndr",
"event.type": "Alert",
"event.category": "security",
"category_uid": 2,
"category_name": "Findings",
"class_uid": 2004,
"class_name": "Detection Finding",
"activity_id": 1,
"type_uid": 200401,
"severity_id": 3
},
patterns: {
word: "[^ |]+",
phrase: "[^|]+",
rest: ".*",
num: "\\d+",
ip: "\\d+\\.\\d+\\.\\d+\\.\\d+",
ext: ".*"
},
formats: [
// ============================================================
// 1. MODEL BREACH — sigID 100, name="Model Breach"
// Example:
// CEF:0|Darktrace|DCIP|6.1|100|Model Breach|7|src=10.1.1.5 dst=8.8.8.8
// spt=54321 dpt=443 cs1=Anomalous Connection / Suspicious Self-Signed SSL
// cs1Label=Model cn1=85 cn1Label=Score duser=jsmith deviceExternalId=12345
// cs2=Compliance cs2Label=Category act=alert
// ============================================================
{
id: "dt_model_breach",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Darktrace Model Breach",
"event.type": "Alert", "event.category": "security",
severity_id: 4,
severity: "High",
disposition_id: 1, disposition: "Allowed",
status_id: 1, status: "Detected"
},
format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]100[|]Model Breach[|]$cef_severity=num$[|]$cef_extension=ext$",
halt: true,
rewrites: [
// Pull common fields out of the CEF extension key=value bag
{ input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "dst_ip", match: ".*dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "src_port", match: ".*spt=(\\d+).*", replace: "$1" },
{ input: "message", output: "dst_port", match: ".*dpt=(\\d+).*", replace: "$1" },
{ input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" },
{ input: "message", output: "device_id", match: ".*deviceExternalId=([^ \\n]+).*", replace: "$1" },
{ input: "message", output: "model_name", match: ".*cs1=([^=\\n]+?)\\s+\\w+=.*", replace: "$1" },
{ input: "message", output: "model_category",match: ".*cs2=([^ \\n]+).*", replace: "$1" },
{ input: "message", output: "score", match: ".*cn1=(\\d+).*", replace: "$1" },
{ input: "model_name", output: "finding_title", match: "(?i).*",
replace: "Darktrace Model Breach: $0" }
]
},
// ============================================================
// 2. AI ANALYST INCIDENT — sigID 200, name contains "AI Analyst"
// ============================================================
{
id: "dt_aianalyst",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Darktrace AI Analyst Incident",
"event.type": "Alert", "event.category": "security",
severity_id: 5, severity: "Critical",
disposition_id: 1, disposition: "Allowed",
status_id: 1, status: "Detected"
},
format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]200[|]$incident_name=phrase$[|]$cef_severity=num$[|]$cef_extension=ext$",
halt: true,
rewrites: [
{ input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "dst_ip", match: ".*dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" },
{ input: "message", output: "device_id", match: ".*deviceExternalId=([^ \\n]+).*", replace: "$1" },
{ input: "message", output: "incident_id", match: ".*externalId=([^ \\n]+).*", replace: "$1" },
{ input: "message", output: "summary", match: ".*msg=([^=\\n]+?)(?:\\s+\\w+=.*|$)", replace: "$1" },
{ input: "incident_name", output: "finding_title",match: ".*", replace: "Darktrace $0" }
]
},
// ============================================================
// 3. ANTIGENA (Autonomous Response) — sigID 300
// ============================================================
{
id: "dt_antigena",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Darktrace Antigena Autonomous Action",
"event.type": "Action", "event.category": "security",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked",
status_id: 1, status: "Detected"
},
format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]300[|]Antigena Action[|]$cef_severity=num$[|]$cef_extension=ext$",
halt: true,
rewrites: [
{ input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "dst_ip", match: ".*dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
{ input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" },
{ input: "message", output: "device_id", match: ".*deviceExternalId=([^ \\n]+).*", replace: "$1" },
{ input: "message", output: "action", match: ".*act=([^ \\n]+).*", replace: "$1" }
]
},
// ============================================================
// 4. ADMIN / AUTH EVENTS — sigID 400 (login success/failure)
// ============================================================
{
id: "dt_auth_fail",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
type_uid: 300201, activity_id: 1,
"event.type": "Login", "event.category": "authentication",
status_id: 2, status: "Failure",
finding_title: "Darktrace Admin Login Failure"
},
format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]400[|]Admin Login Failure[|]$cef_severity=num$[|]$cef_extension=ext$",
halt: true,
rewrites: [
{ input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" },
{ input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }
]
},
{
id: "dt_auth_ok",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
type_uid: 300201, activity_id: 1,
"event.type": "Login", "event.category": "authentication",
status_id: 1, status: "Success"
},
format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]400[|]Admin Login Success[|]$cef_severity=num$[|]$cef_extension=ext$",
halt: true,
rewrites: [
{ input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" },
{ input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }
]
}
]
}
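Review bot: The header promises "Model Breach → Detection Finding (severity from score)", but dt_model_breach fixes `severity_id: 4, severity: "High"` in its attributes and no rewrite consumes the extracted `score` (cn1) or the captured `cef_severity`, so every model breach — including a low-score compliance notice — reaches the SOC queue as High. Either correct the comment to say severity is fixed, or band the score as the sibling Darktrace JSON parser does for groupSeverity; assuming cn1 is on the 0–100 scale shown in the example line `cn1=85 cn1Label=Score`, the rules below would do it and should be validated against real events before merging. The `cef_severity` capture is unused in all five formats and could either drive a fallback mapping or be dropped to keep the attribute set tidy.
```json
// … unchanged: dt_model_breach attributes, format, and the src/dst/user/model rewrites …
{ input: "message", output: "score", match: ".*cn1=(\\d+).*", replace: "$1" },
// score (0-100) → severity_id / severity, same bands as the JSON parser's groupSeverity
{ input: "score", output: "severity_id", match: "^[0-1]?[0-9]$", replace: "1" },
{ input: "score", output: "severity", match: "^[0-1]?[0-9]$", replace: "Informational" },
{ input: "score", output: "severity_id", match: "^[2-3][0-9]$", replace: "2" },
{ input: "score", output: "severity", match: "^[2-3][0-9]$", replace: "Low" },
{ input: "score", output: "severity_id", match: "^[4-5][0-9]$", replace: "3" },
{ input: "score", output: "severity", match: "^[4-5][0-9]$", replace: "Medium" },
{ input: "score", output: "severity_id", match: "^[6-7][0-9]$", replace: "4" },
{ input: "score", output: "severity", match: "^[6-7][0-9]$", replace: "High" },
{ input: "score", output: "severity_id", match: "^([8-9][0-9]|100)$", replace: "5" },
{ input: "score", output: "severity", match: "^([8-9][0-9]|100)$", replace: "Critical" },
// … unchanged: finding_title rewrite …
```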
+118
@@ -0,0 +1,118 @@
{
// Developer-Workstation OCSF Parser — OCSF v1.3.0
// Endpoint EDR-style events for software-supply-chain hunts (H1..H18)
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Synthetic",
"metadata.product.name": "Developer Workstation EDR",
"metadata.log_provider": "hec",
"Category": "endpoint",
"dataSource.vendor": "Synthetic",
"dataSource.name": "Developer Workstation",
"dataSource.category": "Endpoint"
},
formats: [
{
// Auto-extract every JSON top-level + nested field as attributes.
// Nested objects flatten with dot-notation: process.image_name,
// endpoint.name, file.path, dns.query, registry.key_path, etc.
format: "$=json{parse=json}$",
halt: true,
rewrites: [
// ─── OCSF classification by event_type ──────────────────────────
{ input: "event_type", output: "category_uid", match: "PROCESS_START", replace: "1" },
{ input: "event_type", output: "category_name", match: "PROCESS_START", replace: "System Activity" },
{ input: "event_type", output: "class_uid", match: "PROCESS_START", replace: "1007" },
{ input: "event_type", output: "class_name", match: "PROCESS_START", replace: "Process Activity" },
{ input: "event_type", output: "category_uid", match: "FILE_CREATE", replace: "1" },
{ input: "event_type", output: "category_name", match: "FILE_CREATE", replace: "System Activity" },
{ input: "event_type", output: "class_uid", match: "FILE_CREATE", replace: "1001" },
{ input: "event_type", output: "class_name", match: "FILE_CREATE", replace: "File System Activity" },
{ input: "event_type", output: "category_uid", match: "FILE_WRITE", replace: "1" },
{ input: "event_type", output: "category_name", match: "FILE_WRITE", replace: "System Activity" },
{ input: "event_type", output: "class_uid", match: "FILE_WRITE", replace: "1001" },
{ input: "event_type", output: "class_name", match: "FILE_WRITE", replace: "File System Activity" },
{ input: "event_type", output: "category_uid", match: "FILE_READ", replace: "1" },
{ input: "event_type", output: "category_name", match: "FILE_READ", replace: "System Activity" },
{ input: "event_type", output: "class_uid", match: "FILE_READ", replace: "1001" },
{ input: "event_type", output: "class_name", match: "FILE_READ", replace: "File System Activity" },
{ input: "event_type", output: "category_uid", match: "DNS_QUERY", replace: "4" },
{ input: "event_type", output: "category_name", match: "DNS_QUERY", replace: "Network Activity" },
{ input: "event_type", output: "class_uid", match: "DNS_QUERY", replace: "4003" },
{ input: "event_type", output: "class_name", match: "DNS_QUERY", replace: "DNS Activity" },
{ input: "event_type", output: "category_uid", match: "REGISTRY_SET", replace: "1" },
{ input: "event_type", output: "category_name", match: "REGISTRY_SET", replace: "System Activity" },
{ input: "event_type", output: "class_uid", match: "REGISTRY_SET", replace: "201101" },
{ input: "event_type", output: "class_name", match: "REGISTRY_SET", replace: "Registry Key Activity" },
// ─── Severity mapping (string + OCSF int 0-6) ───────────────────
{ input: "severity", output: "severity_id", match: "(?i)critical", replace: "6" },
{ input: "severity", output: "severity_id", match: "(?i)high", replace: "5" },
{ input: "severity", output: "severity_id", match: "(?i)medium", replace: "4" },
{ input: "severity", output: "severity_id", match: "(?i)low", replace: "2" },
{ input: "severity", output: "severity_id", match: "(?i)info", replace: "1" },
{ input: "severity", output: "severity_str", match: ".*", replace: "$0" },
// ─── Activity / finding ─────────────────────────────────────────
{ input: "event_type", output: "activity_name", match: ".*", replace: "$0" },
{ input: "event_id", output: "finding_info.uid", match: ".*", replace: "$0" },
{ input: "timestamp", output: "finding_info.created_time_dt", match: ".*", replace: "$0" },
// ─── Compliance tags ─────────────────────────────────────────
{ input: "event_type", output: "compliance.standard", match: ".*", replace: "NIS2,SLSA,SSDF" },
// ─── Explicit extraction of nested fields from the raw message blob
// (the auto-flatten only handles top-level keys; nested objects like
// process.image_name remain inside `message`).
{ input: "message", output: "endpoint.name",
match: "^.*?\"endpoint\":\\s*\\{\"name\":\\s*\"([^\"]+)\".*$",
replace: "$1" },
{ input: "message", output: "endpoint.os",
match: "^.*?\"endpoint\":\\s*\\{\"name\":\\s*\"[^\"]+\",\\s*\"os\":\\s*\"([^\"]+)\".*$",
replace: "$1" },
{ input: "message", output: "actor.user.name",
match: "^.*?\"actor\":\\s*\\{\"user\":\\s*\\{\"name\":\\s*\"([^\"]+)\".*$",
replace: "$1" },
{ input: "message", output: "process.image_name",
match: "^.*?\"process\":\\s*\\{\"image_name\":\\s*\"([^\"]+)\".*$",
replace: "$1" },
{ input: "message", output: "process.image_path",
match: "^.*?\"process\":\\s*\\{\"image_name\":\\s*\"[^\"]+\",\\s*\"image_path\":\\s*\"([^\"]+)\".*$",
replace: "$1" },
{ input: "message", output: "process.command_line",
match: "^.*?\"image_path\":\\s*\"[^\"]+\",\\s*\"command_line\":\\s*\"((?:[^\"\\\\]|\\\\.)*)\".*$",
replace: "$1" },
{ input: "message", output: "process.parent.image_name",
match: "^.*?\"parent\":\\s*\\{\"image_name\":\\s*\"([^\"]+)\".*$",
replace: "$1" },
{ input: "message", output: "process.parent.command_line",
match: "^.*?\"parent\":\\s*\\{\"image_name\":\\s*\"[^\"]+\",\\s*\"command_line\":\\s*\"((?:[^\"\\\\]|\\\\.)*)\".*$",
replace: "$1" },
{ input: "message", output: "file.path",
match: "^.*?\"file\":\\s*\\{\"path\":\\s*\"([^\"]+)\".*$",
replace: "$1" },
{ input: "message", output: "file.action",
match: "^.*?\"file\":\\s*\\{\"path\":\\s*\"[^\"]+\",\\s*\"action\":\\s*\"([^\"]+)\".*$",
replace: "$1" },
{ input: "message", output: "file.content",
match: "^.*?\"content_sample\":\\s*\"((?:[^\"\\\\]|\\\\.)*)\".*$",
replace: "$1" },
{ input: "message", output: "dns.query",
match: "^.*?\"dns\":\\s*\\{\"query\":\\s*\"([^\"]+)\".*$",
replace: "$1" },
{ input: "message", output: "registry.key_path",
match: "^.*?\"registry\":\\s*\\{\"key_path\":\\s*\"([^\"]+)\".*$",
replace: "$1" },
{ input: "message", output: "scenario",
match: "^.*?\"_scenario\":\\s*\"([^\"]+)\".*$",
replace: "$1" }
]
}
]
}
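Review bot: The severity rules keyed on `severity` map medium→4, high→5 and critical→6, which is one step above the OCSF severity_id scale (2 Low, 3 Medium, 4 High, 5 Critical, 6 Fatal) and disagrees with the other parsers in this commit, which use 3/4/5 for Medium/High/Critical; change them to `replace: "3"`, `replace: "4"`, `replace: "5"` so cross-source sorting in the Findings UI stays consistent. The `class_uid` of `"201101"` on the REGISTRY_SET rule also does not look like the windows-extension uid for Registry Key Activity (201001 in OCSF 1.x) — verify against the schema the platform ships. Separately, `file.content` is populated verbatim from `content_sample`, so whatever the sensor sampled (tokens, private keys found during the supply-chain hunts) lands in the event; a comment such as `// file.content carries raw sampled bytes — mask or drop before wide indexing` would flag that for operators.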
+87
@@ -0,0 +1,87 @@
{
// Microsoft Entra ID (Azure AD) JSON parser — OCSF v1.3.0
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Microsoft",
"metadata.product.name": "Entra ID",
"metadata.log_provider": "azure-monitor",
"Category": "iam",
"dataSource.vendor": "Microsoft",
"dataSource.name": "Entra ID",
"dataSource.category": "identity",
"category_uid": 3,
"category_name": "IAM",
"class_uid": 3002,
"class_name": "Authentication",
"activity_id": 1,
"activity_name": "Logon",
"type_uid": 300201,
"status_id": 1,
"status": "Success",
"severity_id": 1,
"severity": "Informational"
},
formats: [
{
format: "$=json{parse=json}$",
halt: true,
rewrites: [
// Top-level fields
{ input: "callerIpAddress", output: "src_endpoint.ip", match: ".*", replace: "$0" },
{ input: "callerIpAddress", output: "src_ip", match: ".*", replace: "$0" },
{ input: "tenantId", output: "tenant_id", match: ".*", replace: "$0" },
{ input: "correlationId", output: "correlation_id", match: ".*", replace: "$0" },
{ input: "category", output: "metadata.event_type", match: ".*", replace: "$0" },
{ input: "resultType", output: "result_code", match: ".*", replace: "$0" },
{ input: "resultDescription", output: "status_detail", match: ".*", replace: "$0" },
{ input: "identity", output: "actor.user.name", match: ".*", replace: "$0" },
// Status: errorCode 0 = Success, anything else = Failure
{ input: "resultType", output: "status_id", match: "^0$", replace: "1" },
{ input: "resultType", output: "status", match: "^0$", replace: "Success" },
{ input: "resultType", output: "status_id", match: "^[1-9].*", replace: "2" },
{ input: "resultType", output: "status", match: "^[1-9].*", replace: "Failure" },
{ input: "resultType", output: "status_id", match: "^Success$", replace: "1" },
{ input: "resultType", output: "status", match: "^Success$", replace: "Success" },
// ═══════════ DETECTION FINDING PROMOTION ═══════════
// 1) High risk sign-in
{ input: "riskLevelAggregated", output: "class_uid", match: "^high$", replace: "2004" },
{ input: "riskLevelAggregated", output: "class_name", match: "^high$", replace: "Detection Finding" },
{ input: "riskLevelAggregated", output: "category_uid", match: "^high$", replace: "2" },
{ input: "riskLevelAggregated", output: "category_name", match: "^high$", replace: "Findings" },
{ input: "riskLevelAggregated", output: "type_uid", match: "^high$", replace: "200401" },
{ input: "riskLevelAggregated", output: "finding_title", match: "^high$", replace: "Entra ID High-Risk Sign-In" },
{ input: "riskLevelAggregated", output: "finding_info.title", match: "^high$", replace: "Entra ID High-Risk Sign-In" },
{ input: "riskLevelAggregated", output: "severity_id", match: "^high$", replace: "5" },
{ input: "riskLevelAggregated", output: "severity", match: "^high$", replace: "Critical" },
{ input: "riskLevelAggregated", output: "severity_id", match: "^medium$", replace: "4" },
{ input: "riskLevelAggregated", output: "severity", match: "^medium$", replace: "High" },
// 2) Tor exit node detected (riskDetail field)
{ input: "riskDetail", output: "class_uid", match: "(?i)^.*Tor.*$", replace: "2004" },
{ input: "riskDetail", output: "class_name", match: "(?i)^.*Tor.*$", replace: "Detection Finding" },
{ input: "riskDetail", output: "category_uid", match: "(?i)^.*Tor.*$", replace: "2" },
{ input: "riskDetail", output: "category_name", match: "(?i)^.*Tor.*$", replace: "Findings" },
{ input: "riskDetail", output: "type_uid", match: "(?i)^.*Tor.*$", replace: "200401" },
{ input: "riskDetail", output: "finding_title", match: "(?i)^.*Tor.*$", replace: "Entra ID Tor Exit Node Sign-In" },
{ input: "riskDetail", output: "finding_info.title", match: "(?i)^.*Tor.*$", replace: "Entra ID Tor Exit Node Sign-In" },
{ input: "riskDetail", output: "severity_id", match: "(?i)^.*Tor.*$", replace: "5" },
{ input: "riskDetail", output: "severity", match: "(?i)^.*Tor.*$", replace: "Critical" },
// 3) Failed authentication (resultType non-zero)
{ input: "resultDescription", output: "class_uid", match: "(?i)^.*Invalid username or password.*$", replace: "2004" },
{ input: "resultDescription", output: "class_name", match: "(?i)^.*Invalid username or password.*$", replace: "Detection Finding" },
{ input: "resultDescription", output: "category_uid", match: "(?i)^.*Invalid username or password.*$", replace: "2" },
{ input: "resultDescription", output: "category_name", match: "(?i)^.*Invalid username or password.*$", replace: "Findings" },
{ input: "resultDescription", output: "type_uid", match: "(?i)^.*Invalid username or password.*$", replace: "200401" },
{ input: "resultDescription", output: "finding_title", match: "(?i)^.*Invalid username or password.*$", replace: "Entra ID Authentication Failure" },
{ input: "resultDescription", output: "finding_info.title", match: "(?i)^.*Invalid username or password.*$", replace: "Entra ID Authentication Failure" },
{ input: "resultDescription", output: "severity_id", match: "(?i)^.*Invalid username or password.*$", replace: "4" },
{ input: "resultDescription", output: "severity", match: "(?i)^.*Invalid username or password.*$", replace: "High" }
]
}
]
}
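Review bot: The "Failed authentication" promotion is keyed on `resultDescription` containing "Invalid username or password", although its comment says "resultType non-zero" and the status rules above already mark every non-zero `resultType` as Failure, so other failure codes (lockout, disabled account, conditional-access block) get `status: "Failure"` but are never promoted to a Detection Finding. Either reword the comment to `// 3) Failed authentication (bad-password description only)` or key that group on `input: "resultType", match: "^[1-9].*"` like the status rules. The Tor rule matches `(?i)^.*Tor.*$` on `riskDetail`; as far as I know that field carries remediation states in Entra sign-in logs while anonymizer/Tor signals arrive via riskEventTypes (e.g. anonymizedIPAddress), so confirm against a real sample before relying on this finding. `identity` in sign-in logs is presumably the display name rather than the UPN, so `actor.user.name` may not be a stable principal identifier — worth a comment.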
+84
@@ -0,0 +1,84 @@
{
// F5 BIG-IP APM (VPN/Access) parser — OCSF v1.3.0
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "F5",
"metadata.product.name": "BIG-IP APM",
"metadata.log_provider": "syslog",
"Category": "iam",
"dataSource.vendor": "F5",
"dataSource.name": "BIG-IP APM",
"dataSource.category": "vpn",
"category_uid": 3,
"category_name": "IAM",
"class_uid": 3005,
"class_name": "User Access Management",
"activity_id": 1,
"type_uid": 300501,
"status_id": 1,
"severity_id": 1
},
patterns: {
ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
word: "\\S+",
untilC: "[^\\n]*?",
rest: ".*"
},
formats: [
// Session authentication failed → Detection Finding (HIGH)
{
id: "apm_auth_fail",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "F5 APM Authentication Failure",
severity_id: 4, severity: "High",
disposition_id: 2, disposition: "Blocked",
status_id: 2, status: "Failure"
},
format: ".*Session authentication failed - User: $user_name=word$ Client IP: $src_ip=ipv4$.*",
halt: true
},
// Access policy denied → Detection Finding
{
id: "apm_access_deny",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "F5 APM Access Policy Deny",
severity_id: 4, severity: "High",
disposition_id: 2, disposition: "Blocked"
},
format: ".*Access policy result: Deny.*$reason=rest$",
halt: true
},
// New session created
{
id: "apm_new_session",
attributes: {
class_uid: 3005, class_name: "User Access Management",
type_uid: 300501
},
format: ".*New session created - Client IP: $src_ip=ipv4$.*",
halt: true
},
// Successful AD auth
{
id: "apm_ad_success",
attributes: {
class_uid: 3002, class_name: "Authentication",
activity_id: 1, type_uid: 300201,
status_id: 1, status: "Success"
},
format: ".*AD Auth query - User: $user_name=word$ Domain: $domain=word$.*Result: Success.*",
halt: true
}
]
}
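Review bot: `apm_access_deny` sets a Blocked disposition but inherits `status_id: 1` from the top-level attributes, so a policy denial is emitted as a Success, whereas `apm_auth_fail` explicitly overrides to Failure; add `status_id: 2, status: "Failure"` to its attributes. That format also captures only `reason`, so the finding carries no user or client IP — if the APM deny line includes them, add a `$src_ip=ipv4$` capture so the finding is actionable. `apm_new_session` keeps class 3005 with the inherited `activity_id: 1`, which in OCSF User Access Management means Assign Privileges; a session creation reads more like Authentication (3002), or the choice of 3005 should be documented in a comment.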
+86
@@ -0,0 +1,86 @@
{
// F5 BIG-IP LTM iRule + ASM parser — OCSF v1.3.0
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "F5",
"metadata.product.name": "BIG-IP LTM",
"metadata.log_provider": "syslog",
"Category": "network",
"dataSource.vendor": "F5",
"dataSource.name": "BIG-IP LTM",
"dataSource.category": "load-balancer",
"category_uid": 4,
"category_name": "Network Activity",
"class_uid": 4002,
"class_name": "HTTP Activity",
"activity_id": 1,
"type_uid": 400201,
"status_id": 1,
"severity_id": 1
},
patterns: {
ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
word: "\\S+",
untilSpace: "[^ ]+",
untilC: "[^\\n]*?",
rest: ".*"
},
formats: [
// BLOCKED iRule WAF event → Detection Finding (CRITICAL)
{
id: "f5_blocked",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "F5 BIG-IP WAF Block",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: ".*BLOCKED.*Client $src_ip=ipv4$:$src_port=word$.*",
halt: true
},
// SSL handshake failed → Detection Finding (MEDIUM)
{
id: "f5_ssl_fail",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "F5 SSL Handshake Failure",
severity_id: 3, severity: "Medium"
},
format: ".*SSL Handshake failed for TCP $src_ip=ipv4$:$src_port=word$.*",
halt: true
},
// ASM violation (key=value style)
{
id: "f5_asm_violation",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "F5 ASM Web Application Attack",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: ".*ASM:.*ip_client=\"$src_ip=ipv4$\".*",
halt: true
},
// Standard HTTP request (informational)
{
id: "f5_http",
attributes: {
class_uid: 4002, class_name: "HTTP Activity",
type_uid: 400201
},
format: ".*Client $src_ip=ipv4$:$src_port=word$ -> VIP $vip_ip=ipv4$:$vip_port=word$.*",
halt: true
}
]
}
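Review bot: `src_port` is captured with the `word` pattern (`\\S+`) in `f5_blocked`, `f5_ssl_fail` and `f5_http`, so any punctuation glued to the port (a comma or bracket) becomes part of the value and the same applies to `vip_port`; add `port: "\\d+"` to `patterns` and use `$src_port=port$` / `$vip_port=port$`. None of the three findings override `status_id`, so an SSL handshake failure or a WAF block is emitted with the inherited `status_id: 1`; at least `f5_ssl_fail` should carry `status_id: 2, status: "Failure"`. `.*BLOCKED.*` is a case-sensitive substring match evaluated before `f5_http`, so an ordinary request whose URL contains that token would be promoted to a Critical finding — anchoring it to the iRule's log prefix would be safer.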
+72
@@ -0,0 +1,72 @@
{
// FortiGate KV-format parser — OCSF v1.3.0
// Uses explicit anchors around each KV pair instead of generic kv type
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Fortinet",
"metadata.product.name": "FortiGate",
"metadata.log_provider": "syslog",
"Category": "network",
"dataSource.vendor": "Fortinet",
"dataSource.name": "FortiGate",
"dataSource.category": "firewall",
"category_uid": 4,
"category_name": "Network Activity",
"class_uid": 4001,
"class_name": "Network Activity",
"activity_id": 6,
"type_uid": 400106,
"status_id": 1,
"severity_id": 1
},
patterns: {
qval: "(\"[^\"]*\"|\\S+)",
word: "\\S+",
rest: ".*"
},
formats: [
// IPS / UTM threat → Detection Finding
{
id: "fgt_ips",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "FortiGate IPS Detection",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: ".*type=\"ips\".* srcip=$src_ip=word$ .*dstip=$dst_ip=word$ .*attack=\"$attack=qval$\".*",
halt: true
},
// Forward traffic - Deny
{
id: "fgt_deny",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "FortiGate Firewall Deny",
severity_id: 3, severity: "Medium",
disposition_id: 2, disposition: "Blocked"
},
format: ".*action=\"deny\".* srcip=$src_ip=word$ .*srcport=$src_port=word$ .*dstip=$dst_ip=word$ .*dstport=$dst_port=word$ .*proto=$protocol=word$.*",
halt: true
},
// Forward traffic - Allow (passes through to default)
{
id: "fgt_traffic",
attributes: {
class_uid: 4001, class_name: "Network Activity",
type_uid: 400106,
disposition_id: 1, disposition: "Allowed"
},
format: ".* srcip=$src_ip=word$ .*srcport=$src_port=word$ .*dstip=$dst_ip=word$ .*dstport=$dst_port=word$ .*proto=$protocol=word$ .*action=\"$action=qval$\".*",
halt: true
}
]
}
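Review bot: `fgt_deny` requires `action="deny"` to appear before `srcip=`, while `fgt_traffic` expects `action=` after `proto=`; in the FortiGate forward-traffic lines I have seen the action field follows proto, so deny events would fall through to `fgt_traffic`, which hard-codes `disposition_id: 1, disposition: "Allowed"` regardless of the captured `$action=qval$`. Verify against a real traffic line; the safer fix is to move the action anchor to the end of the `fgt_deny` format (`... proto=$protocol=word$ .*action=\"deny\".*`) and to derive `disposition` in `fgt_traffic` from the captured `action` with a rewrite rather than hard-coding Allowed. `$src_ip=word$` also accepts any non-space token, so a quoted or IPv6 value will not fail the match but lands in `src_ip` unvalidated — the other parsers define an `ipv4` pattern for this.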
+170
@@ -0,0 +1,170 @@
{
// SAP HANA Database SDL Parser
// OCSF v1.3.0 — emits Detection Finding (2004) for risky events
// so they appear in XDR / AI SIEM Findings UI
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "SAP",
"metadata.product.name": "HANA Database",
"metadata.log_provider": "hana-audit",
"Category": "database",
"dataSource.vendor": "SAP",
"dataSource.name": "HANA Database",
"dataSource.category": "database",
"category_uid": 4,
"category_name": "Network Activity",
"class_uid": 4001,
"class_name": "Database Activity",
"activity_id": 0,
"activity_name": "Unknown",
"type_uid": 400100,
"status_id": 1,
"status": "Success",
"severity_id": 1,
"severity": "Informational",
"disposition_id": 0,
"disposition": "Unknown"
},
formats: [
{
format: "$=json{parse=json}$",
halt: true,
rewrites: [
// Field extraction
{ input: "user_name", output: "actor.user.name", match: ".*", replace: "$0" },
{ input: "user_name", output: "user.name", match: ".*", replace: "$0" },
{ input: "application_user", output: "actor.user.account.name", match: ".*", replace: "$0" },
{ input: "application_name", output: "app_name", match: ".*", replace: "$0" },
{ input: "client_ip", output: "src_endpoint.ip", match: ".*", replace: "$0" },
{ input: "client_ip", output: "src_ip", match: ".*", replace: "$0" },
{ input: "client_port", output: "src_endpoint.port", match: ".*", replace: "$0" },
{ input: "host", output: "device.hostname", match: ".*", replace: "$0" },
{ input: "component", output: "device.type", match: ".*", replace: "$0" },
{ input: "connection_id", output: "actor.session.uid", match: ".*", replace: "$0" },
{ input: "connection_id", output: "session.uid", match: ".*", replace: "$0" },
{ input: "transaction_id", output: "transaction.uid", match: ".*", replace: "$0" },
{ input: "statement_id", output: "query_info.uid", match: ".*", replace: "$0" },
{ input: "statement", output: "query_info.query_string", match: ".*", replace: "$0" },
{ input: "executed_statement", output: "query_info.executed_query", match: ".*", replace: "$0" },
{ input: "rows_affected", output: "query_info.rows_affected", match: ".*", replace: "$0" },
{ input: "execution_time_ms", output: "query_info.duration", match: ".*", replace: "$0" },
{ input: "audit_action", output: "activity_name", match: ".*", replace: "$0" },
{ input: "audit_action", output: "query_info.query_type", match: ".*", replace: "$0" },
{ input: "audit_policy_name", output: "policy.name", match: ".*", replace: "$0" },
{ input: "comment", output: "raw_data", match: ".*", replace: "$0" },
// Status
{ input: "error_code", output: "status_id", match: "^0$", replace: "1" },
{ input: "error_code", output: "status", match: "^0$", replace: "Success" },
{ input: "error_code", output: "status_id", match: "^[1-9].*", replace: "2" },
{ input: "error_code", output: "status", match: "^[1-9].*", replace: "Failure" },
{ input: "error_code", output: "status_code", match: ".*", replace: "$0" },
{ input: "error_message", output: "status_detail", match: ".*", replace: "$0" },
// OCSF class routing by audit_action — Authentication
{ input: "audit_action", output: "class_uid", match: "^(CONNECT|DISCONNECT)$", replace: "3002" },
{ input: "audit_action", output: "class_name", match: "^(CONNECT|DISCONNECT)$", replace: "Authentication" },
{ input: "audit_action", output: "category_uid", match: "^(CONNECT|DISCONNECT)$", replace: "3" },
{ input: "audit_action", output: "category_name", match: "^(CONNECT|DISCONNECT)$", replace: "IAM" },
{ input: "audit_action", output: "activity_id", match: "^CONNECT$", replace: "1" },
{ input: "audit_action", output: "type_uid", match: "^CONNECT$", replace: "300201" },
{ input: "audit_action", output: "activity_id", match: "^DISCONNECT$", replace: "2" },
{ input: "audit_action", output: "type_uid", match: "^DISCONNECT$", replace: "300202" },
// Authorization (GRANT / REVOKE)
{ input: "audit_action", output: "class_uid", match: "^(GRANT|REVOKE)$", replace: "3003" },
{ input: "audit_action", output: "class_name", match: "^(GRANT|REVOKE)$", replace: "Authorization" },
{ input: "audit_action", output: "category_uid", match: "^(GRANT|REVOKE)$", replace: "3" },
{ input: "audit_action", output: "category_name", match: "^(GRANT|REVOKE)$", replace: "IAM" },
{ input: "audit_action", output: "activity_id", match: "^GRANT$", replace: "1" },
{ input: "audit_action", output: "type_uid", match: "^GRANT$", replace: "300301" },
{ input: "audit_action", output: "activity_id", match: "^REVOKE$", replace: "2" },
// Database Activity (DML / DDL / Backup)
{ input: "audit_action", output: "class_uid", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "4001" },
{ input: "audit_action", output: "class_name", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "Database Activity" },
{ input: "audit_action", output: "category_uid", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "4" },
{ input: "audit_action", output: "category_name", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "Network Activity" },
{ input: "audit_action", output: "activity_id", match: "^SELECT$", replace: "1" },
{ input: "audit_action", output: "activity_id", match: "^INSERT$", replace: "2" },
{ input: "audit_action", output: "activity_id", match: "^UPDATE$", replace: "3" },
{ input: "audit_action", output: "activity_id", match: "^DELETE$", replace: "4" },
{ input: "audit_action", output: "activity_id", match: "^BACKUP DATA$", replace: "5" },
// Severity from audit_level
{ input: "audit_level", output: "severity_id", match: "(?i)info", replace: "1" },
{ input: "audit_level", output: "severity", match: "(?i)info", replace: "Informational" },
{ input: "audit_level", output: "severity_id", match: "(?i)warning", replace: "3" },
{ input: "audit_level", output: "severity", match: "(?i)warning", replace: "Medium" },
{ input: "audit_level", output: "severity_id", match: "(?i)alert", replace: "4" },
{ input: "audit_level", output: "severity", match: "(?i)alert", replace: "High" },
{ input: "audit_level", output: "severity_id", match: "(?i)critical", replace: "5" },
{ input: "audit_level", output: "severity", match: "(?i)critical", replace: "Critical" },
// Promote risky events to Detection Finding (2004) so they show in XDR
// 1) Failed authentication
{ input: "error_code", output: "class_uid", match: "^[1-9].*", replace: "2004" },
{ input: "error_code", output: "class_name", match: "^[1-9].*", replace: "Detection Finding" },
{ input: "error_code", output: "category_uid", match: "^[1-9].*", replace: "2" },
{ input: "error_code", output: "category_name", match: "^[1-9].*", replace: "Findings" },
{ input: "error_code", output: "activity_id", match: "^[1-9].*", replace: "1" },
{ input: "error_code", output: "type_uid", match: "^[1-9].*", replace: "200401" },
{ input: "error_code", output: "finding_title", match: "^[1-9].*", replace: "HANA Authentication Failure" },
{ input: "error_code", output: "finding_info.title", match: "^[1-9].*", replace: "HANA Authentication Failure" },
{ input: "error_code", output: "disposition_id", match: "^[1-9].*", replace: "2" },
{ input: "error_code", output: "disposition", match: "^[1-9].*", replace: "Blocked" },
{ input: "error_code", output: "severity_id", match: "^[1-9].*", replace: "4" },
{ input: "error_code", output: "severity", match: "^[1-9].*", replace: "High" },
// 2) Mass data extraction (rows_affected >= 10000)
{ input: "rows_affected", output: "class_uid", match: "^[1-9][0-9]{4,}$", replace: "2004" },
{ input: "rows_affected", output: "class_name", match: "^[1-9][0-9]{4,}$", replace: "Detection Finding" },
{ input: "rows_affected", output: "category_uid", match: "^[1-9][0-9]{4,}$", replace: "2" },
{ input: "rows_affected", output: "category_name", match: "^[1-9][0-9]{4,}$", replace: "Findings" },
{ input: "rows_affected", output: "type_uid", match: "^[1-9][0-9]{4,}$", replace: "200401" },
{ input: "rows_affected", output: "finding_title", match: "^[1-9][0-9]{4,}$", replace: "HANA Mass Data Extraction" },
{ input: "rows_affected", output: "finding_info.title", match: "^[1-9][0-9]{4,}$", replace: "HANA Mass Data Extraction" },
{ input: "rows_affected", output: "severity_id", match: "^[1-9][0-9]{4,}$", replace: "5" },
{ input: "rows_affected", output: "severity", match: "^[1-9][0-9]{4,}$", replace: "Critical" },
// 3) SQL injection signature (more specific than mass extraction — wins on overlap)
{ input: "statement", output: "class_uid", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2004" },
{ input: "statement", output: "class_name", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Detection Finding" },
{ input: "statement", output: "category_uid", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2" },
{ input: "statement", output: "category_name", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Findings" },
{ input: "statement", output: "type_uid", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "200401" },
{ input: "statement", output: "finding_title", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "HANA SQL Injection Detected" },
{ input: "statement", output: "finding_info.title", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "HANA SQL Injection Detected" },
{ input: "statement", output: "severity_id", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "5" },
{ input: "statement", output: "severity", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Critical" },
{ input: "statement", output: "disposition_id", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2" },
{ input: "statement", output: "disposition", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Blocked" },
// 4) GRANT ALL PRIVILEGES (anchor with ^...$)
{ input: "statement", output: "class_uid", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "2004" },
{ input: "statement", output: "class_name", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Detection Finding" },
{ input: "statement", output: "category_uid", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "2" },
{ input: "statement", output: "category_name", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Findings" },
{ input: "statement", output: "type_uid", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "200401" },
{ input: "statement", output: "finding_title", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "HANA Privilege Escalation" },
{ input: "statement", output: "finding_info.title", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "HANA Privilege Escalation" },
{ input: "statement", output: "severity_id", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "5" },
{ input: "statement", output: "severity", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Critical" },
// 5) Backup to /tmp/ (anchor with ^...$)
{ input: "statement", output: "class_uid", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "2004" },
{ input: "statement", output: "class_name", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Detection Finding" },
{ input: "statement", output: "category_uid", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "2" },
{ input: "statement", output: "category_name", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Findings" },
{ input: "statement", output: "type_uid", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "200401" },
{ input: "statement", output: "finding_title", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "HANA Suspicious Backup Location" },
{ input: "statement", output: "finding_info.title", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "HANA Suspicious Backup Location" },
{ input: "statement", output: "severity_id", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "5" },
{ input: "statement", output: "severity", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Critical" }
]
}
]
}
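Review bot: The `REVOKE` branch sets `activity_id` 2 but, unlike `GRANT`, never sets `type_uid`, and the DML/DDL branch sets activity ids 1–5 without touching `type_uid`, so those events keep the default `400100`; add `{ input: "audit_action", output: "type_uid", match: "^REVOKE$", replace: "300302" }` and matching type_uid rules for the database actions. The "Failed authentication" promotion fires on any non-zero `error_code` irrespective of `audit_action`, so a SELECT that fails with a syntax or permission error is titled "HANA Authentication Failure"; retitle it (`"HANA Statement Failure"`) or narrow the match to the auth-related error codes. `class_uid: 4001` is the OCSF Network Activity class, so pairing it with `class_name: "Database Activity"` and category 4 looks like a mismatch — OCSF's datastore class sits under Application Activity (6005 Datastore Activity in 1.x); confirm against the schema version in use. The `WHERE 1=1` signature will also match ORM-generated queries and is a known false-positive source worth a comment.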
+90
@@ -0,0 +1,90 @@
{
// ISC BIND DNS query log parser — OCSF v1.3.0
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "ISC",
"metadata.product.name": "BIND",
"metadata.log_provider": "syslog",
"Category": "network",
"dataSource.vendor": "ISC",
"dataSource.name": "BIND",
"dataSource.category": "dns",
"category_uid": 4,
"category_name": "Network Activity",
"class_uid": 4003,
"class_name": "DNS Activity",
"activity_id": 1,
"activity_name": "Query",
"type_uid": 400301,
"status_id": 1,
"status": "Success",
"severity_id": 1,
"severity": "Informational"
},
patterns: {
ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
word: "\\S+",
rest: ".*"
},
formats: [
// Standard query log
{
id: "bind_query",
attributes: {
class_uid: 4003, class_name: "DNS Activity",
category_uid: 4, activity_id: 1, type_uid: 400301
},
format: ".*queries: info: client @$session_handle=word$ $src_ip=ipv4$#$src_port=word$ \\($query_name=word$\\): query: $query_name2=word$ IN $query_type=word$ .*",
halt: true,
rewrites: [
// AXFR zone transfer attempt → Detection Finding
{ input: "query_type", output: "class_uid", match: "^AXFR$", replace: "2004" },
{ input: "query_type", output: "class_name", match: "^AXFR$", replace: "Detection Finding" },
{ input: "query_type", output: "category_uid", match: "^AXFR$", replace: "2" },
{ input: "query_type", output: "category_name", match: "^AXFR$", replace: "Findings" },
{ input: "query_type", output: "type_uid", match: "^AXFR$", replace: "200401" },
{ input: "query_type", output: "finding_title", match: "^AXFR$", replace: "BIND DNS Zone Transfer Attempt" },
{ input: "query_type", output: "finding_info.title", match: "^AXFR$", replace: "BIND DNS Zone Transfer Attempt" },
{ input: "query_type", output: "severity_id", match: "^AXFR$", replace: "4" },
{ input: "query_type", output: "severity", match: "^AXFR$", replace: "High" },
// Long base64-looking query → DNS tunneling
{ input: "query_name", output: "class_uid", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "2004" },
{ input: "query_name", output: "class_name", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "Detection Finding" },
{ input: "query_name", output: "category_uid", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "2" },
{ input: "query_name", output: "category_name", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "Findings" },
{ input: "query_name", output: "type_uid", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "200401" },
{ input: "query_name", output: "finding_title", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "BIND DNS Tunneling Suspected" },
{ input: "query_name", output: "finding_info.title", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "BIND DNS Tunneling Suspected" },
{ input: "query_name", output: "severity_id", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "5" },
{ input: "query_name", output: "severity", match: "^[A-Za-z0-9+/=]{60,}.*$", replace: "Critical" },
// Known-bad TLDs (dyndns, no-ip, etc.) → Suspicious DNS
{ input: "query_name", output: "class_uid", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "2004" },
{ input: "query_name", output: "class_name", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "Detection Finding" },
{ input: "query_name", output: "category_uid", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "2" },
{ input: "query_name", output: "category_name", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "Findings" },
{ input: "query_name", output: "type_uid", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "200401" },
{ input: "query_name", output: "finding_title", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "BIND Suspicious Dynamic DNS Query" },
{ input: "query_name", output: "finding_info.title", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "BIND Suspicious Dynamic DNS Query" },
{ input: "query_name", output: "severity_id", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "4" },
{ input: "query_name", output: "severity", match: "^.*\\.(dyndns|no-ip|hopto|dnsdynamic|webhop)\\..*$", replace: "High" }
]
},
// Security warning (zone transfer denied, etc)
{
id: "bind_security",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, type_uid: 200401,
finding_title: "BIND Security Warning",
severity_id: 4, severity: "High"
},
format: ".*security: warning: $detail=rest$",
halt: true
}
]
}
+152
@@ -0,0 +1,152 @@
{
// Linux syslog/auditd parser — OCSF v1.3.0
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Linux",
"metadata.product.name": "Linux OS",
"metadata.log_provider": "syslog",
"Category": "host",
"dataSource.vendor": "Linux",
"dataSource.name": "Linux OS",
"dataSource.category": "host",
"category_uid": 1,
"category_name": "System Activity",
"class_uid": 1001,
"class_name": "File System Activity",
"activity_id": 0,
"activity_name": "Unknown",
"type_uid": 100100,
"status_id": 1,
"status": "Success",
"severity_id": 1,
"severity": "Informational"
},
patterns: {
ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
word: "\\S+",
rest: ".*",
creds: "(mimikatz|hashdump|secretsdump|kerbrute)",
revshell: ".*socket\\.socket.*"
},
formats: [
// SSH failed authentication
{
id: "ssh_failed",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
finding_title: "Linux SSH Authentication Failure",
severity_id: 4, severity: "High",
disposition_id: 2, disposition: "Blocked"
},
format: ".*Failed password for $user_name=word$ from $src_ip=ipv4$ port $src_port=word$.*",
halt: true
},
// SSH successful authentication
{
id: "ssh_success",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "IAM",
activity_id: 1, activity_name: "Logon",
type_uid: 300201,
status_id: 1, status: "Success"
},
format: ".*Accepted password for $user_name=word$ from $src_ip=ipv4$ port $src_port=word$.*",
halt: true
},
// sudo NOT in sudoers (priv-esc attempt)
{
id: "sudo_not_in_sudoers",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
finding_title: "Linux Sudo Not In Sudoers",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: ".*sudo: $user_name=word$ : user NOT in sudoers ; TTY=$tty=word$ ; PWD=$pwd=word$ ; USER=$target_user=word$ ; COMMAND=$process_cmd_line=rest$",
halt: true
},
// useradd — new user account created
{
id: "useradd",
attributes: {
class_uid: 3001, class_name: "Account Change",
category_uid: 3, category_name: "IAM",
activity_id: 1, activity_name: "Create",
type_uid: 300101,
finding_title: "Linux New User Account Created",
severity_id: 4, severity: "High"
},
format: ".*useradd\\[$pid=word$\\]: new user: name=$new_user=word$, UID=$uid=word$, GID=$gid=word$.*",
halt: true
},
// Mimikatz / credential dumping signatures
{
id: "credential_dump",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Linux Credential Dumping Tool",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: ".*$tool=creds$.*",
halt: true
},
// Reverse shell (python -c socket)
{
id: "reverse_shell",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Linux Reverse Shell Execution",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: ".*python$ver=word$ -c $cmd=revshell$.*",
halt: true
},
// Generic auditd EXECVE
{
id: "auditd_execve",
attributes: {
class_uid: 1007, class_name: "Process Activity",
category_uid: 1, category_name: "System Activity",
activity_id: 1, activity_name: "Launch",
type_uid: 100701
},
format: ".*auditd\\[$pid=word$\\]: EXECVE argc=$argc=word$ a0=\"$process_name=word$\" $cmdline=rest$",
halt: true
},
// Cron job executed (suspicious if from /tmp/.hidden)
{
id: "cron_suspicious",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Linux Suspicious Cron Job",
severity_id: 4, severity: "High"
},
format: ".*cron\\[$pid=word$\\]: \\($cron_user=word$\\) CMD \\($cron_cmd=rest$\\)",
halt: true
}
]
}
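Review bot: `cron_suspicious` classifies every cron `CMD (...)` line as a High Detection Finding — the header comment says "suspicious if from /tmp/.hidden", but nothing in the format constrains `cron_cmd`, so every scheduled logrotate or backup run becomes a finding that the `severity_id='4'` alert further down will fire on. Following the `revshell` pattern, a constrained pattern such as `tmpcmd: ".*(/tmp/|/dev/shm/|/var/tmp/).*"` used as `CMD \\($cron_cmd=tmpcmd$\\)` would limit the finding to commands run from world-writable locations and leave other cron lines to the parser defaults. Separately, `ssh_failed` only matches `Failed password for <user> from <ip>`; OpenSSH writes `Failed password for invalid user <name> from <ip>` for non-existent accounts, so the bulk of brute-force attempts do not match at all, `ssh_success` likewise misses `Accepted publickey` logons, and the SSH correlation alert that parses the same two strings is starved as a result. The `credential_dump` and `reverse_shell` formats also assert `disposition: "Blocked"` for lines that merely contain a tool name or `socket.socket` — nothing in the matched text shows the execution was prevented, so `disposition_id: 0, disposition: "Unknown"` (or omitting the field) is the honest value.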
+61
@@ -0,0 +1,61 @@
{
// Microsoft DHCP server CSV parser — OCSF v1.3.0
// Format: ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,...
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Microsoft",
"metadata.product.name": "DHCP Server",
"Category": "network",
"dataSource.vendor": "Microsoft",
"dataSource.name": "DHCP Server",
"dataSource.category": "network",
"category_uid": 4,
"category_name": "Network Activity",
"class_uid": 4004,
"class_name": "DHCP Activity",
"activity_id": 1,
"type_uid": 400401,
"status_id": 1,
"severity_id": 1
},
patterns: {
csv: "[^,]*"
},
formats: [
// Standard DHCP event
{
id: "dhcp_event",
attributes: {
class_uid: 4004, class_name: "DHCP Activity",
type_uid: 400401
},
format: "$event_id=csv$,$date=csv$,$time=csv$,$action=csv$,$client_ip=csv$,$host_name=csv$,$mac=csv$,$user_name=csv$,.*",
halt: true,
rewrites: [
{ input: "client_ip", output: "src_endpoint.ip", match: ".*", replace: "$0" },
{ input: "client_ip", output: "src_ip", match: ".*", replace: "$0" },
{ input: "mac", output: "src_endpoint.mac", match: ".*", replace: "$0" },
{ input: "host_name", output: "device.hostname", match: ".*", replace: "$0" },
{ input: "user_name", output: "actor.user.name", match: ".*", replace: "$0" },
{ input: "action", output: "activity_name", match: ".*", replace: "$0" },
// Activity ID by event_id
{ input: "event_id", output: "activity_id", match: "^10$", replace: "1" }, // Assign
{ input: "event_id", output: "activity_id", match: "^11$", replace: "2" }, // Renew
{ input: "event_id", output: "activity_id", match: "^12$", replace: "3" }, // Release
{ input: "event_id", output: "activity_id", match: "^13$", replace: "4" }, // Conflict
// Detection Finding: rogue DHCP / IP conflict
{ input: "event_id", output: "class_uid", match: "^13$", replace: "2004" },
{ input: "event_id", output: "class_name", match: "^13$", replace: "Detection Finding" },
{ input: "event_id", output: "category_uid", match: "^13$", replace: "2" },
{ input: "event_id", output: "type_uid", match: "^13$", replace: "200401" },
{ input: "event_id", output: "finding_title", match: "^13$", replace: "DHCP IP Address Conflict" },
{ input: "event_id", output: "severity_id", match: "^13$", replace: "4" },
{ input: "event_id", output: "severity", match: "^13$", replace: "High" }
]
}
]
}
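Review bot: The `activity_id` rewrites for event IDs 11/12/13 change the activity but leave `type_uid` at the default `400401`, so a renew, release or conflict is emitted with a type_uid that still says Assign; OCSF derives type_uid as class_uid*100+activity_id, so paired rewrites such as `{ input: "event_id", output: "type_uid", match: "^11$", replace: "400402" }` (and 400403/400404) are needed. The event-13 finding rewrites likewise set `category_uid` to 2 but not `category_name`, which stays "Network Activity" from the parser defaults, and the default `activity_id: 1`/`status_id: 1` mean any event ID not listed (denials, NACKs) is reported as a successful assignment. To my knowledge event 13 is the server's conflict-detection ping finding an address already in use — an IP conflict, not evidence of a rogue DHCP server as the comment suggests — so the finding title is right but the comment and the High severity deserve a second look.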
+48
@@ -0,0 +1,48 @@
{
// Microsoft DNS debug log parser — OCSF v1.3.0
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Microsoft",
"metadata.product.name": "DNS Server",
"Category": "network",
"dataSource.vendor": "Microsoft",
"dataSource.name": "DNS Server",
"dataSource.category": "dns",
"category_uid": 4,
"category_name": "Network Activity",
"class_uid": 4003,
"class_name": "DNS Activity",
"activity_id": 1,
"type_uid": 400301,
"status_id": 1,
"severity_id": 1
},
patterns: {
ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
word: "\\S+",
rest: ".*"
},
formats: [
{
id: "msdns_query",
attributes: {
class_uid: 4003, class_name: "DNS Activity",
type_uid: 400301
},
format: ".* $proto=word$ $direction=word$ $src_ip=ipv4$ .* Q .* $query_type=word$ .* $query_name=rest$",
halt: true,
rewrites: [
// DNS tunneling (very long query)
{ input: "query_name", output: "class_uid", match: "^.{120,}$", replace: "2004" },
{ input: "query_name", output: "class_name", match: "^.{120,}$", replace: "Detection Finding" },
{ input: "query_name", output: "category_uid", match: "^.{120,}$", replace: "2" },
{ input: "query_name", output: "type_uid", match: "^.{120,}$", replace: "200401" },
{ input: "query_name", output: "finding_title", match: "^.{120,}$", replace: "MS-DNS Suspected Tunneling (long query)" },
{ input: "query_name", output: "severity_id", match: "^.{120,}$", replace: "4" },
{ input: "query_name", output: "severity", match: "^.{120,}$", replace: "High" }
]
}
]
}
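Review bot: `$query_name=rest$` captures everything from the last `.*`-skipped field to end of line, so the `^.{120,}$` tunneling test is applied to whatever trailing text the debug log emits rather than to the bare name; if the Windows DNS debug log writes names in its length-prefixed form (`(3)www(7)example(3)com(0)`), the 120-character threshold also counts the length markers, so this is worth checking against a sample line and normalising the name in a rewrite before the length test. The tunneling rewrites set `category_uid` to 2 but leave `category_name` at the default "Network Activity", unlike the other parsers in this commit which set "Findings"; add `{ input: "query_name", output: "category_name", match: "^.{120,}$", replace: "Findings" }`. The format also puts no constraint on `$direction=word$`, so if the log records both Snd and Rcv packets a single client query produces two DNS Activity events (received, then forwarded), which will double-count in any query-volume view.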
+88
@@ -0,0 +1,88 @@
{
// Omniconnect TI Gateway OCSF Parser - OCSF v1.3.0
// Secures HIS <-> German Telematics Infrastructure (TI) traffic
// BSI / NIS2 / gematik compliance events
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Omniconnect",
"metadata.product.name": "Omniconnect TI Gateway",
"metadata.log_provider": "hec",
"Category": "healthcare",
"dataSource.vendor": "Omniconnect",
"dataSource.name": "Omniconnect",
"dataSource.category": "Healthcare"
},
formats: [
{
format: "$=json{parse=json}$",
halt: true,
rewrites: [
// ─── OCSF classification by event_category ──────────────────────
{ input: "event_category", output: "category_uid", match: "ti_connection", replace: "4" },
{ input: "event_category", output: "category_name", match: "ti_connection", replace: "Network Activity" },
{ input: "event_category", output: "class_uid", match: "ti_connection", replace: "4001" },
{ input: "event_category", output: "class_name", match: "ti_connection", replace: "Network Activity" },
{ input: "event_category", output: "category_uid", match: "card_operations", replace: "3" },
{ input: "event_category", output: "category_name", match: "card_operations", replace: "Identity & Access Management" },
{ input: "event_category", output: "class_uid", match: "card_operations", replace: "3002" },
{ input: "event_category", output: "class_name", match: "card_operations", replace: "Authentication" },
{ input: "event_category", output: "category_uid", match: "vsdm", replace: "6" },
{ input: "event_category", output: "category_name", match: "vsdm", replace: "Application Activity" },
{ input: "event_category", output: "class_uid", match: "vsdm", replace: "6001" },
{ input: "event_category", output: "class_name", match: "vsdm", replace: "Web Resources Activity" },
{ input: "event_category", output: "category_uid", match: "erezept", replace: "6" },
{ input: "event_category", output: "category_name", match: "erezept", replace: "Application Activity" },
{ input: "event_category", output: "class_uid", match: "erezept", replace: "6001" },
{ input: "event_category", output: "class_name", match: "erezept", replace: "Web Resources Activity" },
{ input: "event_category", output: "category_uid", match: "epa", replace: "6" },
{ input: "event_category", output: "category_name", match: "epa", replace: "Application Activity" },
{ input: "event_category", output: "class_uid", match: "epa", replace: "6001" },
{ input: "event_category", output: "class_name", match: "epa", replace: "Web Resources Activity" },
{ input: "event_category", output: "category_uid", match: "kim", replace: "4" },
{ input: "event_category", output: "category_name", match: "kim", replace: "Network Activity" },
{ input: "event_category", output: "class_uid", match: "kim", replace: "4009" },
{ input: "event_category", output: "class_name", match: "kim", replace: "Email Activity" },
{ input: "event_category", output: "category_uid", match: "security", replace: "2" },
{ input: "event_category", output: "category_name", match: "security", replace: "Findings" },
{ input: "event_category", output: "class_uid", match: "security", replace: "2001" },
{ input: "event_category", output: "class_name", match: "security", replace: "Security Finding" },
{ input: "event_category", output: "category_uid", match: "system", replace: "6" },
{ input: "event_category", output: "category_name", match: "system", replace: "Application Activity" },
{ input: "event_category", output: "class_uid", match: "system", replace: "6007" },
{ input: "event_category", output: "class_name", match: "system", replace: "Application Lifecycle" },
// ─── Severity ───────────────────────────────────────────────────
{ input: "severity", output: "severity_id", match: "(?i)critical", replace: "6" },
{ input: "severity", output: "severity_id", match: "(?i)high", replace: "5" },
{ input: "severity", output: "severity_id", match: "(?i)medium", replace: "4" },
{ input: "severity", output: "severity_id", match: "(?i)low", replace: "2" },
{ input: "severity", output: "severity_id", match: "(?i)info", replace: "1" },
{ input: "severity", output: "severity_str", match: ".*", replace: "$0" },
// ─── Status ─────────────────────────────────────────────────────
{ input: "outcome", output: "status_id", match: "success", replace: "1" },
{ input: "outcome", output: "status_id", match: "failure", replace: "2" },
{ input: "outcome", output: "status_id", match: "detected", replace: "2" },
{ input: "outcome", output: "status_id", match: "revoked", replace: "3" },
{ input: "outcome", output: "status", match: ".*", replace: "$0" },
// ─── Activity / finding ─────────────────────────────────────────
{ input: "event_type", output: "activity_name", match: ".*", replace: "$0" },
{ input: "event_type", output: "finding_info.title", match: ".*", replace: "$0" },
{ input: "event_id", output: "finding_info.uid", match: ".*", replace: "$0" },
{ input: "timestamp", output: "finding_info.created_time_dt", match: ".*", replace: "$0" },
// ─── Compliance tags (BSI / NIS2 / gematik / GDPR) ──────────────
{ input: "event_category", output: "compliance.standard", match: ".*", replace: "BSI-Grundschutz,NIS2,gematik-TI,GDPR" }
]
}
]
}
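Review bot: The severity mapping is shifted one level up from OCSF's scale and from every other parser in this commit: `critical`→6, `high`→5, `medium`→4, `low`→2, whereas OCSF 1.3 uses 1 Informational, 2 Low, 3 Medium, 4 High, 5 Critical, 6 Fatal and the sibling parsers set `severity_id: 5` for Critical and `4` for High. With the alert rules keyed on `severity_id='5'` and `'4'`, an Omniconnect `high` event fires the Critical alert, a `medium` fires the High alert, and a `critical` event (6) matches neither. The fix is `critical`→5, `high`→4, `medium`→3, `low`→2, `info`→1, and writing the canonical name to `severity` rather than the non-standard `severity_str`. Separately, `security` events are mapped to class 2001 "Security Finding" while both alert triggers select `class_uid='2004'`, so gateway security events never reach those alerts; 2001 is also marked deprecated in OCSF 1.3 in favour of Detection Finding (2004) — confirm against the schema version you validate with.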
+62
@@ -0,0 +1,62 @@
{
// Oracle RDBMS audit trail parser — OCSF v1.3.0
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Oracle",
"metadata.product.name": "Database",
"Category": "database",
"dataSource.vendor": "Oracle",
"dataSource.name": "Oracle Database",
"dataSource.category": "database",
"category_uid": 4,
"category_name": "Network Activity",
"class_uid": 4001,
"class_name": "Database Activity",
"activity_id": 1,
"type_uid": 400101,
"status_id": 1,
"severity_id": 1
},
patterns: {
word: "\\S+",
rest: ".*"
},
formats: [
{
id: "oracle_audit",
attributes: {
class_uid: 4001, class_name: "Database Activity",
type_uid: 400101
},
format: "Audit trail: ACTION: $action_id=word$ TIMESTAMP: $ts=word$ $tz=word$ SESSIONID: $session_id=word$ ENTRYID: $entry_id=word$ STATEMENT: $stmt_id=word$ USERID: $user_name=word$ USERHOST: $user_host=word$ TERMINAL: $terminal=word$ ACTION_NAME: $activity_name=word$ RETURNCODE: $return_code=word$ $rest=rest$",
halt: true,
rewrites: [
{ input: "user_name", output: "actor.user.name", match: ".*", replace: "$0" },
{ input: "user_host", output: "device.hostname", match: ".*", replace: "$0" },
{ input: "session_id", output: "actor.session.uid", match: ".*", replace: "$0" },
// Failed (return_code != 0) → Detection Finding
{ input: "return_code", output: "class_uid", match: "^[1-9].*", replace: "2004" },
{ input: "return_code", output: "class_name", match: "^[1-9].*", replace: "Detection Finding" },
{ input: "return_code", output: "category_uid", match: "^[1-9].*", replace: "2" },
{ input: "return_code", output: "type_uid", match: "^[1-9].*", replace: "200401" },
{ input: "return_code", output: "finding_title", match: "^[1-9].*", replace: "Oracle Database Failed Operation" },
{ input: "return_code", output: "severity_id", match: "^[1-9].*", replace: "4" },
{ input: "return_code", output: "severity", match: "^[1-9].*", replace: "High" },
{ input: "return_code", output: "status_id", match: "^[1-9].*", replace: "2" },
{ input: "return_code", output: "status", match: "^[1-9].*", replace: "Failure" },
// Privilege grants → Detection Finding
{ input: "activity_name", output: "class_uid", match: "^GRANT$", replace: "2004" },
{ input: "activity_name", output: "class_name", match: "^GRANT$", replace: "Detection Finding" },
{ input: "activity_name", output: "category_uid", match: "^GRANT$", replace: "2" },
{ input: "activity_name", output: "type_uid", match: "^GRANT$", replace: "200401" },
{ input: "activity_name", output: "finding_title", match: "^GRANT$", replace: "Oracle Privilege Grant" },
{ input: "activity_name", output: "severity_id", match: "^GRANT$", replace: "4" },
{ input: "activity_name", output: "severity", match: "^GRANT$", replace: "High" }
]
}
]
}
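Review bot: The parser defaults label `class_uid: 4001` as "Database Activity" under `category_uid: 4` "Network Activity", but 4001 is the Network Activity class in OCSF — and this same commit uses 4001 with `class_name: "Network Activity"` in the PAN-OS, QRadar and WatchGuard parsers — so Oracle audit rows are indistinguishable from firewall flows to any consumer keyed on class_uid. OCSF 1.3 places database events in the Application Activity category (6); Datastore Activity (6005) looks like the intended class, i.e. `category_uid: 6, category_name: "Application Activity", class_uid: 6005, class_name: "Datastore Activity"` with a matching type_uid — please confirm the uid against the schema rather than taking my number. The failure and GRANT rewrites also set `category_uid` to 2 without updating `category_name`, and every `GRANT` becomes a High Detection Finding regardless of what was granted; if the trailing `$rest=rest$` carries the privilege or object text, matching it for `DBA`, `SYSDBA`, `ALL PRIVILEGES` or `ANY` would keep the finding meaningful.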
+72
@@ -0,0 +1,72 @@
{
// Palo Alto PAN-OS CSV parser — OCSF v1.3.0
// Format: domain,receive_time,serial,type,subtype,...,src_ip,dst_ip,natsrc_ip,natdst_ip,rule,...
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Palo Alto Networks",
"metadata.product.name": "PAN-OS",
"Category": "network",
"dataSource.vendor": "Palo Alto Networks",
"dataSource.name": "PAN-OS",
"dataSource.category": "firewall",
"category_uid": 4,
"category_name": "Network Activity",
"class_uid": 4001,
"class_name": "Network Activity",
"activity_id": 6,
"type_uid": 400106,
"status_id": 1,
"status": "Success",
"severity_id": 1
},
patterns: {
word: "[^,]*",
csv: "[^,]+"
},
formats: [
// TRAFFIC log
{
id: "panos_traffic",
attributes: {
class_uid: 4001, class_name: "Network Activity",
type_uid: 400106
},
format: "$domain=csv$,$receive_time=csv$,$serial=csv$,TRAFFIC,$subtype=csv$,$config_ver=csv$,$gen_time=csv$,$src_ip=csv$,$dst_ip=csv$,$natsrc_ip=word$,$natdst_ip=word$,$rule=csv$,$src_user=word$,$dst_user=word$,$application=csv$,.*",
halt: true
},
// THREAT log → Detection Finding
{
id: "panos_threat",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Palo Alto Threat Detected",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: "$domain=csv$,$receive_time=csv$,$serial=csv$,THREAT,$threat_subtype=csv$,$config_ver=csv$,$gen_time=csv$,$src_ip=csv$,$dst_ip=csv$,$natsrc_ip=word$,$natdst_ip=word$,$rule=csv$,$src_user=word$,$dst_user=word$,$application=csv$,.*",
halt: true,
rewrites: [
{ input: "threat_subtype", output: "finding_title", match: "(?i)^.*vulnerability.*$", replace: "Palo Alto Vulnerability Exploit Attempt" },
{ input: "threat_subtype", output: "finding_title", match: "(?i)^.*virus.*$", replace: "Palo Alto Malware Detected" },
{ input: "threat_subtype", output: "finding_title", match: "(?i)^.*spyware.*$", replace: "Palo Alto Spyware/C2 Detected" },
{ input: "threat_subtype", output: "finding_title", match: "(?i)^.*url.*$", replace: "Palo Alto Malicious URL" }
]
},
// URL filtering log
{
id: "panos_url",
attributes: {
class_uid: 4002, class_name: "HTTP Activity",
type_uid: 400201
},
format: "$domain=csv$,$receive_time=csv$,$serial=csv$,URL,.*",
halt: true
}
]
}
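Review bot: `panos_threat` hard-codes `severity_id: 5`/`Critical` and `disposition: "Blocked"` for every THREAT row, yet the PAN-OS threat log carries its own Severity (informational…critical) and Action (alert/allow/drop/reset-*) columns further along the line, which the trailing `.*` discards. Every informational signature that merely alerts will therefore land in the `severity_id='5'` alert as a blocked critical threat, and a genuinely allowed exploit attempt is reported as blocked. Extending the format through the Action and Severity columns (they follow the Threat/Content Name and Category fields in the CSV layout — check the PAN-OS log-field reference for your version) and mapping them with rewrites, as the QRadar parser does for `magnitude`, would fix both; the `url` subtype is URL-filtering, which also needs the action before it is titled "Malicious URL".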
+58
@@ -0,0 +1,58 @@
{
// QRadar JSON parser — OCSF v1.3.0
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "IBM",
"metadata.product.name": "QRadar",
"Category": "siem",
"dataSource.vendor": "IBM",
"dataSource.name": "QRadar",
"dataSource.category": "siem",
"category_uid": 4,
"category_name": "Network Activity",
"class_uid": 4001,
"class_name": "Network Activity",
"activity_id": 6,
"type_uid": 400106,
"status_id": 1,
"status": "Success",
"severity_id": 1,
"severity": "Informational"
},
formats: [
{
format: "$=json{parse=json}$",
halt: true,
rewrites: [
{ input: "sourceIP", output: "src_endpoint.ip", match: ".*", replace: "$0" },
{ input: "sourceIP", output: "src_ip", match: ".*", replace: "$0" },
{ input: "sourcePort", output: "src_endpoint.port", match: ".*", replace: "$0" },
{ input: "destinationIP", output: "dst_endpoint.ip", match: ".*", replace: "$0" },
{ input: "destinationIP", output: "dst_ip", match: ".*", replace: "$0" },
{ input: "destinationPort", output: "dst_endpoint.port", match: ".*", replace: "$0" },
{ input: "protocol", output: "connection_info.protocol_name", match: ".*", replace: "$0" },
{ input: "username", output: "actor.user.name", match: ".*", replace: "$0" },
{ input: "username", output: "user_name", match: ".*", replace: "$0" },
{ input: "category", output: "metadata.event_type", match: ".*", replace: "$0" },
// QRadar magnitude → severity
{ input: "magnitude", output: "severity_id", match: "^[1-3]$", replace: "2" },
{ input: "magnitude", output: "severity_id", match: "^[4-6]$", replace: "3" },
{ input: "magnitude", output: "severity_id", match: "^[7-8]$", replace: "4" },
{ input: "magnitude", output: "severity_id", match: "^(9|10)$", replace: "5" },
// Detection Finding for "Suspicious" / "Authentication" categories
{ input: "category", output: "class_uid", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "2004" },
{ input: "category", output: "class_name", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "Detection Finding" },
{ input: "category", output: "category_uid", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "2" },
{ input: "category", output: "category_name", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "Findings" },
{ input: "category", output: "type_uid", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "200401" },
{ input: "category", output: "finding_title", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "$0" },
{ input: "category", output: "finding_info.title", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "$0" },
{ input: "category", output: "severity_id", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "4" },
{ input: "category", output: "severity", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "High" }
]
}
]
}
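Review bot: The category-based Detection Finding rewrites end by overwriting `severity_id` with `4` and `severity` with "High" for any category containing Suspicious/Malware/Exploit/Brute, which (if rewrites apply in listed order) discards the magnitude mapping computed just above it — a magnitude-10 Malware offense drops from 5 to 4 and a magnitude-1 one rises from 2 to 4. Dropping the two final `severity_id`/`severity` rewrites keeps the QRadar magnitude as the source of truth. The magnitude rules also write `severity_id` without the matching name, so `severity` stays "Informational" from the defaults beside a `severity_id` of 5; add a parallel rewrite per band, e.g. `{ input: "magnitude", output: "severity", match: "^(9|10)$", replace: "Critical" }`. Finally, the detection rewrites change `class_uid`/`type_uid` but keep the default `activity_id: 6`, which is not an activity Detection Finding defines and disagrees with the `200401` type_uid that implies activity 1.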
+74
@@ -0,0 +1,74 @@
{
// Generic SIM application syslog parser — OCSF v1.3.0
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Generic",
"metadata.product.name": "SIM Generic Application",
"Category": "application",
"dataSource.vendor": "Generic",
"dataSource.name": "Generic Application",
"dataSource.category": "application",
"category_uid": 3,
"category_name": "IAM",
"class_uid": 3002,
"class_name": "Authentication",
"activity_id": 1,
"type_uid": 300201,
"status_id": 1,
"severity_id": 1
},
patterns: {
ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
word: "\\S+",
rest: ".*"
},
formats: [
// Successful login
{
id: "generic_login_success",
attributes: {
class_uid: 3002, class_name: "Authentication",
type_uid: 300201,
status_id: 1, status: "Success"
},
format: ".*INFO User login successful user=$user_name=word$ src_ip=$src_ip=ipv4$ session_id=$session_id=word$",
halt: true
},
// Failed authentication → Detection Finding
{
id: "generic_auth_fail",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, type_uid: 200401,
finding_title: "Generic Application Authentication Failure",
severity_id: 4, severity: "High",
disposition_id: 2, disposition: "Blocked",
status_id: 2, status: "Failure"
},
format: ".*WARNING Failed authentication attempt user=$user_name=word$ src_ip=$src_ip=ipv4$ reason=$reason=word$ attempts=$attempts=word$",
halt: true,
rewrites: [
// Bump severity if attempts >= 5 (likely brute force)
{ input: "attempts", output: "finding_title", match: "^[5-9]$|^\\d{2,}$", replace: "Generic Application Brute Force" },
{ input: "attempts", output: "severity_id", match: "^[5-9]$|^\\d{2,}$", replace: "5" },
{ input: "attempts", output: "severity", match: "^[5-9]$|^\\d{2,}$", replace: "Critical" }
]
},
// Generic ERROR
{
id: "generic_error",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, type_uid: 200401,
finding_title: "Generic Application Error",
severity_id: 3, severity: "Medium"
},
format: ".*ERROR $detail=rest$",
halt: true
}
]
}
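Review bot: `generic_error` turns every `ERROR` line of the application into a Medium Detection Finding with the raw message in `detail`, so ordinary operational errors (stack traces, timeouts) are counted as security detections and pollute the finding-based views; unless the application's ERROR level is reserved for security events, this belongs in an Application Activity class or simply the parser defaults rather than 2004. The brute-force escalation in `generic_auth_fail` trusts the application's `attempts=` counter verbatim; if that counter is per session or per user it undercounts a distributed or password-spray attempt, so correlating on `src_ip` in the alert layer, as the Linux SSH rule does, is the more robust signal. Minor: `reason=$reason=word$` stops at the first space, so a multi-word reason (`reason=account locked attempts=6`) makes the whole format fail to match and the event is silently dropped — `$reason=rest$` is not usable either because `attempts=` follows, so a pattern like `reason: "[^=]*?(?= attempts=)"` or a parser-side field-order check is needed.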
+70
@@ -0,0 +1,70 @@
{
// WatchGuard Fireware syslog parser — OCSF v1.3.0
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "WatchGuard",
"metadata.product.name": "Fireware",
"Category": "network",
"dataSource.vendor": "WatchGuard",
"dataSource.name": "Fireware",
"dataSource.category": "firewall",
"category_uid": 4,
"category_name": "Network Activity",
"class_uid": 4001,
"class_name": "Network Activity",
"activity_id": 6,
"type_uid": 400106,
"status_id": 1,
"status": "Success",
"severity_id": 1
},
patterns: {
ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
word: "\\S+",
rest: ".*"
},
formats: [
// Allowed traffic
{
id: "wg_allow",
attributes: {
class_uid: 4001, class_name: "Network Activity",
type_uid: 400106,
disposition_id: 1, disposition: "Allowed"
},
format: "$ts=rest$ firewall Allow $src_ip=ipv4$ $dst_ip=ipv4$ $service=word$ $src_port=word$ $dst_port=word$ .*",
halt: true
},
// Denied traffic → Detection Finding
{
id: "wg_deny",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "WatchGuard Firewall Deny",
severity_id: 3, severity: "Medium",
disposition_id: 2, disposition: "Blocked"
},
format: "$ts=rest$ firewall Deny $src_ip=ipv4$ $dst_ip=ipv4$ $service=word$ $src_port=word$ $dst_port=word$ .*",
halt: true
},
// IPS detection (proxy)
{
id: "wg_ips",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, type_uid: 200401,
finding_title: "WatchGuard IPS Detection",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: ".*IPS-detected $detail=rest$",
halt: true
}
]
}
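Review bot: `wg_deny` classifies every firewall Deny as a Detection Finding carrying `src_ip`, so background internet scanning — the normal state of any edge firewall — floods the Findings category, and five drops from one scanner within an hour alone satisfy the `class_uid='2004' AND src_ip != null … filter sources >= 5` correlation, which counts events rather than distinct data sources despite its "2+ different data sources" description. Keeping Deny as Network Activity with `disposition_id: 2, disposition: "Blocked"` (class 4001 already carries disposition, as `wg_allow` shows) and promoting only repeated or inbound-to-internal denies in a rewrite or alert would restore signal. `wg_ips` likewise hard-codes `Blocked` on any `IPS-detected` line; Fireware IPS can be configured to alarm without dropping, so unless the captured `detail` shows the action, `disposition_id: 0` is the safer default. `$ts=rest$` is also a greedy `.*` that swallows hostname and process name along with the time, so the field is not actually a timestamp.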
+103
@@ -0,0 +1,103 @@
{
// Windows Security Event XML parser — OCSF v1.3.0
// Uses non-greedy patterns that stop at the next XML tag/quote
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Microsoft",
"metadata.product.name": "Windows Security",
"metadata.log_provider": "winlogbeat",
"Category": "host",
"dataSource.vendor": "Microsoft",
"dataSource.name": "Windows Security",
"dataSource.category": "endpoint",
"category_uid": 3,
"category_name": "IAM",
"class_uid": 3002,
"class_name": "Authentication",
"activity_id": 1,
"type_uid": 300201,
"status_id": 1,
"severity_id": 1
},
patterns: {
// Anything until next "<" — perfect for XML content
untilLT: "[^<]*",
// Anything until next ">"
untilGT: "[^>]*",
word: "\\S+",
rest: ".*"
},
formats: [
// 4625 = Failed logon → Detection Finding (HIGH)
{
id: "win_4625",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Windows Logon Failure (4625)",
severity_id: 4, severity: "High",
disposition_id: 2, disposition: "Blocked",
status_id: 2, status: "Failure"
},
format: ".*<EventID>4625</EventID>.*<Data Name=\"TargetUserName\">$user_name=untilLT$</Data>.*<Data Name=\"IpAddress\">$src_ip=untilLT$</Data>.*",
halt: true
},
// 4720 = User account created → Detection Finding (HIGH)
{
id: "win_4720",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Windows New User Account Created (4720)",
severity_id: 4, severity: "High"
},
format: ".*<EventID>4720</EventID>.*<Data Name=\"TargetUserName\">$new_user=untilLT$</Data>.*",
halt: true
},
// 4732 = User added to security group → Detection Finding (CRITICAL)
{
id: "win_4732",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Windows User Added to Privileged Group (4732)",
severity_id: 5, severity: "Critical"
},
format: ".*<EventID>4732</EventID>.*<Data Name=\"MemberName\">$member=untilLT$</Data>.*<Data Name=\"TargetUserName\">$group_name=untilLT$</Data>.*",
halt: true
},
// 1102 = Audit log cleared (anti-forensics) → Detection Finding (CRITICAL)
{
id: "win_1102",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Windows Audit Log Cleared (1102)",
severity_id: 5, severity: "Critical"
},
format: ".*<EventID>1102</EventID>.*",
halt: true
},
// 4624 = Successful logon (informational)
{
id: "win_4624",
attributes: {
class_uid: 3002, class_name: "Authentication",
activity_id: 1, type_uid: 300201,
status_id: 1, status: "Success"
},
format: ".*<EventID>4624</EventID>.*<Data Name=\"TargetUserName\">$user_name=untilLT$</Data>.*<Data Name=\"IpAddress\">$src_ip=untilLT$</Data>.*",
halt: true
}
]
}
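Review bot: `win_4732` rates any member added to any security-enabled local group as Critical "User Added to Privileged Group", but 4732 fires for every local group (Performance Log Users included), while the domain-group equivalents 4728 (global) and 4756 (universal) — the events that carry Domain Admins / Enterprise Admins changes on a domain controller — are not parsed at all, so the most important cases are missed while mundane ones page. A rewrite that matches `group_name` against the groups you consider privileged (`Administrators`, `Remote Desktop Users`, `Backup Operators`, …) to set `severity_id: 5`, with a lower default for the rest, plus formats for 4728/4756 reusing the same `MemberName`/`TargetUserName` extraction, would fix both sides. `win_4625` extracts `TargetUserName` and `IpAddress` but not `Status`/`SubStatus` or `LogonType`, so a 0xC0000064 unknown-user spray cannot be told from a locked-out account or a mistyped password once it reaches the High alert. Also note the captured values are raw XML text, so `&amp;`/`&lt;` entities in user or group names are not unescaped before they land in `user_name`/`group_name`.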
+106
@@ -0,0 +1,106 @@
{
"alerts": [
{
"trigger": "class_uid='2004' AND severity_id='5' | group n=count() by serverHost, finding_title | filter n >= 1",
"alertTime": 300,
"renotifyPeriodMinutes": 60,
"description": "[Critical] Critical OCSF Detection Findings (any source) \u2014 Fires when any data source reports a Detection Finding with severity_id=5 (Critical). Catches HANA Mass Exfil, SQL Injection, Linux reverse shells, Windows audit clearing, F5 WAF blocks, Palo Alto threats."
},
{
"trigger": "class_uid='2004' AND severity_id='4' | group n=count() by serverHost, finding_title | filter n >= 1",
"alertTime": 300,
"renotifyPeriodMinutes": 120,
"description": "[High] High-Severity Detection Findings \u2014 All HIGH severity OCSF findings \u2014 SSH brute force, sudo not in sudoers, F5 auth failures, Windows logon failures, Entra ID risky sign-ins."
},
{
"trigger": "serverHost='linux-ocsf' | parse 'Failed password for $f_user$ from $f_ip$' | parse 'Accepted password for $a_user$ from $a_ip$' | group fails=count(f_user), success=count(a_user) by serverHost, f_ip | filter fails >= 3 and success >= 1",
"alertTime": 600,
"renotifyPeriodMinutes": 60,
"description": "[Critical] Linux SSH Brute-Force Then Successful Logon (Correlation) \u2014 Detects 3+ failed SSH logins followed by a successful logon from the same source IP \u2014 classic credential stuffing kill chain."
},
{
"trigger": "class_uid='2004' AND src_ip != null | group sources=count() by src_ip | filter sources >= 5",
"alertTime": 3600,
"renotifyPeriodMinutes": 60,
"description": "[Critical] Multi-Source Coordinated Attack (Correlation) \u2014 Same source IP triggers Detection Findings across 2+ different data sources within 1h \u2014 indicates coordinated multi-stage attack (e.g., port scan + brute force + exfil)."
},
{
"trigger": "serverHost='hana-ocsf' AND class_uid='2004' AND (finding_title contains 'SQL Injection' OR finding_title contains 'Mass Data Extraction')",
"alertTime": 300,
"renotifyPeriodMinutes": 30,
"description": "[Critical] HANA Database SQL Injection or Mass Exfiltration \u2014 Critical SAP HANA detection: SQL injection patterns OR rows_affected > 1000 indicating data exfiltration."
},
{
"trigger": "(serverHost='bind-ocsf' OR serverHost='msdns-ocsf') AND class_uid='2004' | group n=count() by finding_title | filter n >= 1",
"alertTime": 600,
"renotifyPeriodMinutes": 60,
"description": "[High] DNS Suspicious Activity (BIND or Microsoft DNS) \u2014 BIND or Microsoft DNS detected suspicious query \u2014 security warnings, AXFR zone transfers, base64 tunneling, or dynamic DNS."
},
{
"trigger": "serverHost='entra-ocsf' AND class_uid='2004' | group n=count() by finding_title | filter n >= 1",
"alertTime": 300,
"renotifyPeriodMinutes": 30,
"description": "[High] Cloud Identity Risky Sign-In \u2014 Microsoft Entra ID flagged a sign-in failure or risky activity (auth failure, high-risk, Tor exit node, etc.)."
},
{
"trigger": "serverHost='f5ltm-ocsf' AND class_uid='2004' AND (finding_title contains 'WAF' OR finding_title contains 'ASM')",
"alertTime": 300,
"renotifyPeriodMinutes": 30,
"description": "[Critical] Web Application Attack (F5 WAF) \u2014 F5 BIG-IP WAF blocked SQL injection, XSS, or other web attack pattern."
},
{
"trigger": "serverHost='paloalto-ocsf' AND class_uid='2004'",
"alertTime": 300,
"renotifyPeriodMinutes": 30,
"description": "[Critical] Palo Alto Threat / C2 Detection \u2014 Palo Alto IPS/threat engine detected vulnerability exploit, spyware/C2, or malware."
},
{
"trigger": "serverHost='windows-ocsf' AND class_uid='2004' | group n=count() by finding_title | filter n >= 1",
"alertTime": 300,
"renotifyPeriodMinutes": 30,
"description": "[High] Windows Security Detection Finding \u2014 Any Windows Security Detection Finding \u2014 failed logons (4625), new accounts (4720), privileged group changes (4732), or audit log clearing (1102)."
},
{
"trigger": "serverHost='windows-ocsf' AND class_uid='2004' AND (finding_title contains '4720' OR finding_title contains '4732')",
"alertTime": 600,
"renotifyPeriodMinutes": 60,
"description": "[High] Windows New User Account Or Privilege Escalation \u2014 EventID 4720 (new user) or 4732 (added to privileged group) \u2014 persistence + privesc."
},
{
"trigger": "class_uid='3002' AND status_id='2' | group attempts=count() by user_name | filter attempts >= 10",
"alertTime": 300,
"renotifyPeriodMinutes": 30,
"description": "[High] Authentication Failure Burst (Cross-Source) \u2014 10+ authentication failures (class_uid=3002 status=Failure) across all IAM sources within 5 min \u2014 likely brute force."
},
{
"trigger": "serverHost='linux-ocsf' AND class_uid='2004' AND (finding_title contains 'Reverse Shell' OR finding_title contains 'Credential Dumping')",
"alertTime": 300,
"renotifyPeriodMinutes": 30,
"description": "[Critical] Linux Reverse Shell or Credential Dumping Tool \u2014 Linux process activity detected mimikatz / hashdump / kerbrute / python socket reverse shell."
},
{
"trigger": "(serverHost='fortigate-ocsf' OR serverHost='checkpoint-ocsf') AND class_uid='2004' | group n=count() by serverHost, src_ip | filter n >= 10",
"alertTime": 600,
"renotifyPeriodMinutes": 60,
"description": "[High] Network Firewall Deny / Block (Spike) \u2014 FortiGate or Check Point firewall denied 10+ connections \u2014 likely port scan, lateral movement attempt, or C2 callback."
},
{
"trigger": "serverHost='darktrace-ocsf' AND class_uid='2004' AND finding_title contains 'AI Analyst' | group n=count() by finding_title | filter n >= 1",
"alertTime": 300,
"renotifyPeriodMinutes": 30,
"description": "[Critical] Darktrace AI Analyst Incident \u2014 Darktrace AI Analyst raised an incident (lateral movement, data exfil, suspicious SaaS activity, etc.) \u2014 top-priority NDR alert."
},
{
"trigger": "serverHost='darktrace-ocsf' AND class_uid='2004' AND finding_title contains 'Antigena' | group n=count() by finding_title | filter n >= 1",
"alertTime": 300,
"renotifyPeriodMinutes": 60,
"description": "[High] Darktrace Antigena Autonomous Response Triggered \u2014 Darktrace Antigena autonomously blocked traffic \u2014 confirms a high-confidence threat that the system already mitigated."
},
{
"trigger": "serverHost='darktrace-ocsf' AND class_uid='2004' AND finding_title contains 'Model Breach' | group n=count() by finding_title | filter n >= 1",
"alertTime": 600,
"renotifyPeriodMinutes": 60,
"description": "[High] Darktrace Model Breach High Score (>=80) \u2014 Darktrace Model Breach with anomaly score >=80 (out of 100) \u2014 high-confidence behavioural anomaly worth investigating."
}
]
}
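Review bot: The `Multi-Source Coordinated Attack` alert does not implement what its description claims: the trigger counts Detection Findings per src_ip and fires on `filter sources >= 5`, so five findings from one data source fire it while one finding from each of two sources does not, whereas the description promises "2+ different data sources". Group by src_ip and count distinct serverHost values instead (the exact distinct-count function depends on the query engine), filter on that count, and make the description state the threshold actually used. Note also that the Check Point parser added in this same commit renames `src_ip` to `src_endpoint.ip`, so its findings would never match `src_ip != null`; confirm which field name each source exposes after mapping before relying on it as the cross-source correlation key.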
+585
@@ -0,0 +1,585 @@
{
"configType": "TABBED",
"duration": "24h",
"description": "BSI / NIS2 healthcare compliance \u2014 Avelios Medical HIS + Omniconnect TI Gateway",
"tabs": [
{
"tabName": "Overview",
"graphs": [
{
"title": "BSI / NIS2 Healthcare Compliance \u2014 Overview",
"graphStyle": "markdown",
"markdown": "**Scope:** Avelios Medical Hospital Information System (HIS) + Omniconnect HIS\u2194Telematics Infrastructure (TI) gateway.\n\n**Frameworks:** BSI-Grundschutz \u00b7 NIS2 \u00b7 GDPR \u00b7 gematik TI.\n\nAll events are OCSF-enriched (v1.3.0) by the deployed parsers `Avelios-Medical-OCSF` and `Omniconnect-OCSF`.",
"layout": {
"w": 60,
"h": 4,
"x": 0,
"y": 0
}
},
{
"title": "Total Healthcare Events",
"graphStyle": "number",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": " events"
},
"layout": {
"w": 15,
"h": 8,
"x": 0,
"y": 4
}
},
{
"title": "Avelios Events",
"graphStyle": "number",
"query": "serverHost='avelios-medical' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 15,
"y": 4
}
},
{
"title": "Omniconnect Events",
"graphStyle": "number",
"query": "serverHost='omniconnect' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 30,
"y": 4
}
},
{
"title": "Critical Findings",
"graphStyle": "number",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') severity_id='6' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 45,
"y": 4
}
},
{
"title": "Events by Source",
"graphStyle": "donut",
"maxPieSlices": 10,
"dataLabelType": "PERCENTAGE",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') | group ct=count() by serverHost",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 12
}
},
{
"title": "OCSF Severity Distribution",
"graphStyle": "donut",
"maxPieSlices": 10,
"dataLabelType": "PERCENTAGE",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') severity_str=* | group ct=count() by severity_str",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 12
}
},
{
"title": "Events by OCSF Class (per source)",
"graphStyle": "stacked_bar",
"xAxis": "grouped_data",
"yScale": "linear",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') class_name=* | group ct=count() by class_name, serverHost | sort -ct",
"layout": {
"w": 60,
"h": 16,
"x": 0,
"y": 26
}
},
{
"title": "Recent HIGH / CRITICAL events",
"graphStyle": "table",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') (severity_str='HIGH' or severity_str='CRITICAL') | columns timestamp, serverHost, event_category, event_type, severity_str | sort -timestamp | limit 25",
"layout": {
"w": 60,
"h": 18,
"x": 0,
"y": 42
}
}
]
},
{
"tabName": "Avelios HIS",
"graphs": [
{
"title": "Avelios Medical \u2014 Hospital Information System",
"graphStyle": "markdown",
"markdown": "Patient-data access (PHI / GDPR Art. 32), authentication, administrative changes and security findings.\n\n**Relevant BSI controls:** ORP.4 (Identity Management), OPS.1.1 (Logging), CON.3 (Data Protection), DER.1 (Detection).",
"layout": {
"w": 60,
"h": 4,
"x": 0,
"y": 0
}
},
{
"title": "Total Avelios Events",
"graphStyle": "number",
"query": "serverHost='avelios-medical' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 0,
"y": 4
}
},
{
"title": "PHI Access Events",
"graphStyle": "number",
"query": "serverHost='avelios-medical' event_category='patient_access' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 15,
"y": 4
}
},
{
"title": "Auth Failures",
"graphStyle": "number",
"query": "serverHost='avelios-medical' event_category='authentication' outcome='failure' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 30,
"y": 4
}
},
{
"title": "Security Findings",
"graphStyle": "number",
"query": "serverHost='avelios-medical' category_uid='2' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 45,
"y": 4
}
},
{
"title": "Avelios \u2014 Event Categories",
"graphStyle": "donut",
"maxPieSlices": 10,
"dataLabelType": "PERCENTAGE",
"query": "serverHost='avelios-medical' event_category=* | group ct=count() by event_category",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 12
}
},
{
"title": "Avelios \u2014 Severity Mix",
"graphStyle": "donut",
"maxPieSlices": 10,
"dataLabelType": "PERCENTAGE",
"query": "serverHost='avelios-medical' severity_str=* | group ct=count() by severity_str",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 12
}
},
{
"title": "PHI Access (BSI CON.3 / GDPR Art. 32)",
"graphStyle": "table",
"query": "serverHost='avelios-medical' event_category='patient_access' | group ct=count() by event_type, severity_str | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 26
}
},
{
"title": "Authentication Outcomes",
"graphStyle": "table",
"query": "serverHost='avelios-medical' event_category='authentication' | group ct=count() by event_type, outcome | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 26
}
},
{
"title": "Administrative Changes (BSI ORP.4)",
"graphStyle": "table",
"query": "serverHost='avelios-medical' event_category='administrative' | group ct=count() by event_type, outcome | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 40
}
},
{
"title": "Avelios Security Findings",
"graphStyle": "table",
"query": "serverHost='avelios-medical' category_uid='2' | columns timestamp, event_type, severity_str | sort -timestamp | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 40
}
}
]
},
{
"tabName": "Omniconnect",
"graphs": [
{
"title": "Omniconnect \u2014 HIS \u2194 Telematics Infrastructure (TI)",
"graphStyle": "markdown",
"markdown": "Konnektor health, eGK / HBA / SMC-B card operations, eRezept, ePA, VSDM and KIM secure messaging.\n\n**Relevant frameworks:** gematik TI, BSI TR-03116, NIS2 Annex II.",
"layout": {
"w": 60,
"h": 4,
"x": 0,
"y": 0
}
},
{
"title": "Total Omniconnect Events",
"graphStyle": "number",
"query": "serverHost='omniconnect' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 0,
"y": 4
}
},
{
"title": "TI Connection Events",
"graphStyle": "number",
"query": "serverHost='omniconnect' event_category='ti_connection' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 15,
"y": 4
}
},
{
"title": "Card Operations",
"graphStyle": "number",
"query": "serverHost='omniconnect' event_category='card_operations' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 30,
"y": 4
}
},
{
"title": "Cert / Crypto Failures",
"graphStyle": "number",
"query": "serverHost='omniconnect' (event_type='CERTIFICATE_EXPIRED' or event_type='CERTIFICATE_VALIDATION_FAILED' or event_type='ENCRYPTION_FAILED' or event_type='SIGNATURE_VERIFICATION_FAILED') | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 45,
"y": 4
}
},
{
"title": "Omniconnect \u2014 Event Categories",
"graphStyle": "donut",
"maxPieSlices": 10,
"dataLabelType": "PERCENTAGE",
"query": "serverHost='omniconnect' event_category=* | group ct=count() by event_category",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 12
}
},
{
"title": "Omniconnect \u2014 Severity Mix",
"graphStyle": "donut",
"maxPieSlices": 10,
"dataLabelType": "PERCENTAGE",
"query": "serverHost='omniconnect' severity_str=* | group ct=count() by severity_str",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 12
}
},
{
"title": "TI Connection Issues",
"graphStyle": "table",
"query": "serverHost='omniconnect' event_category='ti_connection' outcome!='success' | group ct=count() by event_type, severity_str | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 26
}
},
{
"title": "Card Operations (eGK / HBA / SMC-B)",
"graphStyle": "table",
"query": "serverHost='omniconnect' event_category='card_operations' | group ct=count() by event_type, outcome | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 26
}
},
{
"title": "eRezept Activity",
"graphStyle": "table",
"query": "serverHost='omniconnect' event_category='erezept' | group ct=count() by event_type, outcome | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 40
}
},
{
"title": "ePA / KIM Activity",
"graphStyle": "table",
"query": "serverHost='omniconnect' (event_category='epa' or event_category='kim') | group ct=count() by event_category, event_type | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 40
}
}
]
},
{
"tabName": "Compliance",
"graphs": [
{
"title": "BSI / NIS2 Compliance Findings",
"graphStyle": "markdown",
"markdown": "OCSF Security Findings (`category_uid=2`) across both healthcare platforms, mapped to BSI-Grundschutz controls and NIS2 Annex II obligations (incident handling, encryption, access control, supply-chain security).",
"layout": {
"w": 60,
"h": 4,
"x": 0,
"y": 0
}
},
{
"title": "Total Findings",
"graphStyle": "number",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 0,
"y": 4
}
},
{
"title": "CRITICAL Findings",
"graphStyle": "number",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' severity_str='CRITICAL' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 15,
"y": 4
}
},
{
"title": "HIGH Findings",
"graphStyle": "number",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' severity_str='HIGH' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 30,
"y": 4
}
},
{
"title": "Auth Failures (24h)",
"graphStyle": "number",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='USER_LOGIN_FAILURE' or event_type='CARD_AUTHENTICATION_FAILED' or event_type='CARD_PIN_FAILED') | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 45,
"y": 4
}
},
{
"title": "Findings by Type per Source (NIS2 Annex II)",
"graphStyle": "stacked_bar",
"xAxis": "grouped_data",
"yScale": "linear",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' | group ct=count() by event_type, serverHost | sort -ct",
"layout": {
"w": 60,
"h": 18,
"x": 0,
"y": 12
}
},
{
"title": "BSI ORP.4 \u2014 Identity & Access Anomalies",
"graphStyle": "table",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='ACCOUNT_LOCKED' or event_type='UNAUTHORIZED_ACCESS_ATTEMPT' or event_type='PRIVILEGE_ESCALATION_ATTEMPT' or event_type='CARD_PIN_BLOCKED') | group ct=count() by serverHost, event_type, severity_str | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 30
}
},
{
"title": "BSI CON.1 \u2014 Crypto / Certificate Issues",
"graphStyle": "table",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type contains 'CERTIFICATE' or event_type contains 'ENCRYPTION' or event_type contains 'SIGNATURE') outcome!='success' | group ct=count() by serverHost, event_type, severity_str | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 30
}
},
{
"title": "BSI DER.1 \u2014 Threats & Intrusions",
"graphStyle": "table",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='MALWARE_DETECTED' or event_type='INTRUSION_DETECTED' or event_type='TAMPER_DETECTION' or event_type='SECURITY_POLICY_VIOLATION') | columns timestamp, serverHost, event_type, severity_str | sort -timestamp | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 44
}
},
{
"title": "GDPR Art. 32 \u2014 Data-Processing Events",
"graphStyle": "table",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='EMERGENCY_ACCESS_OVERRIDE' or event_type='PATIENT_RECORD_DELETE' or event_type='DATA_EXPORT_INITIATED' or event_type='AUDIT_LOG_EXPORT' or event_type='EPA_EMERGENCY_ACCESS') | group ct=count() by serverHost, event_type | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 44
}
},
{
"title": "Compliance Control Mapping",
"graphStyle": "markdown",
"markdown": "| Control | BSI / NIS2 ref | Evidence query |\n|---|---|---|\n| Identity & Access | BSI ORP.4 / NIS2 Art. 21(2)(i) | `event_category in (authentication, card_operations)` |\n| Logging & Audit | BSI OPS.1.1 / NIS2 Art. 21(2)(b) | All ingested events |\n| Cryptography | BSI CON.1 / NIS2 Art. 21(2)(h) | `event_type contains CERTIFICATE/ENCRYPTION/SIGNATURE` |\n| Incident Detection | BSI DER.1 / NIS2 Art. 21(2)(c) | `category_uid=2` |\n| Data Protection | BSI CON.3 / GDPR Art. 32 | `event_category=patient_access OR epa` |\n| Supply Chain (TI) | BSI TR-03116 / NIS2 Art. 21(2)(d) | `event_category=ti_connection` |",
"layout": {
"w": 60,
"h": 12,
"x": 0,
"y": 58
}
}
]
}
]
}
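Review bot: The Overview tile `Critical Findings` filters on `severity_id='6'`, which in the OCSF mapping used by the parsers in this commit is Fatal (the Check Point parser sets `severity_id: 6, severity: "Fatal"` and `severity_id: 5, severity: "Critical"`), so this tile will miss every severity-5 Critical finding and disagrees with the Compliance tab's `CRITICAL Findings` tile, which uses `severity_str='CRITICAL'`. Change the query to `"query": "(serverHost='avelios-medical' or serverHost='omniconnect') severity_id='5' | group ct=count() | limit 1"` or use the same `severity_str='CRITICAL'` predicate as the Compliance tab so the two tiles agree. Whether the Avelios and Omniconnect parsers emit a `severity_str` attribute at all is not visible in this diff; if they only emit `severity`, every `severity_str` panel on this dashboard will be empty, so that should be verified against the parser definitions.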
+385
@@ -0,0 +1,385 @@
{
attributes: {
"metadata.version": "3.0.0",
"dataSource.vendor": "Check Point",
"dataSource.name": "Check Point Firewall",
"dataSource.category": "security",
"metadata.product.vendor_name": "Check Point",
"metadata.product.name": "Next Generation Firewall",
"metadata.log_provider": "syslog",
"severity_id": 1,
"severity": "Informational"
},
patterns: {
ip: "\\d+\\.\\d+\\.\\d+\\.\\d+",
num: "\\d+",
word: "[\\w-]+",
qval: "[^;\"]+",
uuid: "\\{[^}]+\\}",
rest: ".*"
},
formats: [
// ═══════════════════════════════════════════════════════════════════════════
// PIPE-DELIMITED: time=...|action=...|src=...|dst=...
// ═══════════════════════════════════════════════════════════════════════════
// PIPE - Firewall Accept
{
id: "cp_pipe_accept",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic",
type_uid: 400106,
disposition_id: 1, disposition: "Allowed"
},
format: "time=$time_epoch=num$[|]hostname=$cp_hostname=word$[|]product=$cp_product=word$[|]layer_name=$layer_name=word$[|]action=Accept[|]rule_uid=$rule_uid=qval$[|]ifdir=$iface_dir=word$[|]ifname=$iface_name=word$[|]loguid=$log_uid=uuid$[|]origin=$origin_ip=ip$[|]src=$src_ip=ip$[|]dst=$dst_ip=ip$[|]proto=$proto_num=num$[|]s_port=$src_port=num$[|]service=$dst_port=num$.*",
halt: true
},
// PIPE - Firewall Drop
{
id: "cp_pipe_drop",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
disposition_id: 2, disposition: "Blocked",
severity_id: 3, severity: "Medium",
"finding_info.title": "Check Point Firewall Block",
confidence_id: 3, confidence: "High"
},
format: "time=$time_epoch=num$[|]hostname=$cp_hostname=word$[|]product=$cp_product=word$.*action=Drop.*src=$src_ip=ip$[|]dst=$dst_ip=ip$[|]proto=$proto_num=num$.*",
halt: true
},
// PIPE - Generic firewall fallback (any pipe format with src/dst)
{
id: "cp_pipe_fw",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic",
type_uid: 400106
},
format: "time=$time_epoch=num$[|].*src=$src_ip=ip$[|]dst=$dst_ip=ip$.*",
halt: true
},
// ═══════════════════════════════════════════════════════════════════════════
// SEMICOLON FORMAT: [field:"value"; ...]
// Fields appear in alphabetical order in CP Log Exporter
// ═══════════════════════════════════════════════════════════════════════════
// IDENTITY AWARENESS - Auth Success (no dst field, must precede generic Accept)
{
id: "cp_auth_ok",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
activity_id: 1, activity_name: "Logon",
type_uid: 300201,
status_id: 1, status: "Success"
},
format: ".*action:\"Accept\";.*product:\"Identity Awareness\";.*user:\"$user_name=qval$\";.*auth_method:\"$auth_method=qval$\";.*identity_src:\"$identity_src=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// IDENTITY AWARENESS - Auth Failure
{
id: "cp_auth_fail",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
activity_id: 1, activity_name: "Logon",
type_uid: 300201,
status_id: 2, status: "Failure",
severity_id: 3, severity: "Medium"
},
format: ".*action:\"Reject\";.*product:\"Identity Awareness\";.*user:\"$user_name=qval$\";.*auth_method:\"$auth_method=qval$\";.*reason:\"$status_detail=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// ANTI-BOT
{
id: "cp_antibot",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
severity_id: 5, severity: "Critical",
"finding_info.title": "Check Point Anti-Bot Detection",
confidence_id: 3, confidence: "High"
},
format: ".*action:\"$cp_action=word$\";.*product:\"Anti-Bot\";.*malware_name:\"$malware_name=qval$\";.*protection_name:\"$protection=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// ANTI-VIRUS
{
id: "cp_antivirus",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
severity_id: 5, severity: "Critical",
"finding_info.title": "Check Point Anti-Virus Detection",
confidence_id: 3, confidence: "High"
},
format: ".*action:\"$cp_action=word$\";.*product:\"Anti-Virus\";.*malware:\"$malware_name=qval$\";.*file_name:\"$file_name=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// THREAT EMULATION
{
id: "cp_te",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
severity_id: 6, severity: "Fatal",
"finding_info.title": "Check Point Threat Emulation",
confidence_id: 3, confidence: "High"
},
format: ".*action:\"$cp_action=word$\";.*product:\"Threat Emulation\";.*malware:\"$malware_name=qval$\";.*file_name:\"$file_name=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// IPS
{
id: "cp_ips",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
severity_id: 4, severity: "High",
"finding_info.title": "Check Point IPS Detection",
confidence_id: 3, confidence: "High"
},
format: ".*action:\"$cp_action=word$\";.*product:\"IPS\";.*attack:\"$attack=qval$\";.*protection_name:\"$protection=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// SMARTDEFENSE (Legacy IPS)
{
id: "cp_smartdef",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
severity_id: 4, severity: "High",
"finding_info.title": "Check Point SmartDefense"
},
format: ".*action:\"$cp_action=word$\";.*product:\"SmartDefense\";.*attack:\"$attack=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// URL FILTERING - Block
{
id: "cp_urlf_block",
attributes: {
class_uid: 4002, class_name: "HTTP Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic",
type_uid: 400206,
disposition_id: 2, disposition: "Blocked",
severity_id: 2, severity: "Low"
},
format: ".*action:\"Block\";.*product:\"URL Filtering\";.*resource:\"$url=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// URL FILTERING - Allow
{
id: "cp_urlf_allow",
attributes: {
class_uid: 4002, class_name: "HTTP Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic",
type_uid: 400206,
disposition_id: 1, disposition: "Allowed"
},
format: ".*action:\"$cp_action=word$\";.*product:\"URL Filtering\";.*resource:\"$url=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// APPLICATION CONTROL
{
id: "cp_appc",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic",
type_uid: 400106
},
format: ".*action:\"$cp_action=word$\";.*product:\"Application Control\";.*appi_name:\"$app_name=qval$\";.*app_category:\"$app_cat=qval$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// VPN
{
id: "cp_vpn",
attributes: {
class_uid: 4014, class_name: "Tunnel Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Open",
type_uid: 401401,
status_id: 1, status: "Success"
},
format: ".*action:\"$cp_action=qval$\";.*product:\"VPN\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\";.*user:\"$user_name=qval$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// DLP
{
id: "cp_dlp",
attributes: {
class_uid: 2006, class_name: "Data Security Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200601,
severity_id: 4, severity: "High",
"finding_info.title": "Check Point DLP Violation"
},
format: ".*action:\"$cp_action=word$\";.*product:\"DLP\";.*dlp_rule_name:\"$dlp_rule=qval$\";.*file_name:\"$file_name=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// SMARTCONSOLE Audit
{
id: "cp_audit",
attributes: {
class_uid: 3004, class_name: "Entity Management",
category_uid: 3, category_name: "Identity & Access Management",
activity_id: 0, activity_name: "Unknown",
type_uid: 300400
},
format: ".*product:\"SmartConsole\";.*administrator:\"$admin_user=qval$\";.*operation:\"$operation=qval$\";.*object_name:\"$obj_name=qval$\";.*object_type:\"$obj_type=qval$\";.*src:\"$src_ip=ip$\";.*origin:\"$origin_ip=ip$\";.*loguid:\"$log_uid=uuid$\".*",
halt: true
},
// FIREWALL ACCEPT - generic with rule_name
{
id: "cp_fw_accept",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic",
type_uid: 400106,
disposition_id: 1, disposition: "Allowed"
},
format: ".*action:\"Accept\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*rule_name:\"$rule_name=qval$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*",
halt: true
},
// FIREWALL ACCEPT - without rule_name
{
id: "cp_fw_accept_norule",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic",
type_uid: 400106,
disposition_id: 1, disposition: "Allowed"
},
format: ".*action:\"Accept\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*",
halt: true
},
// FIREWALL DROP
{
id: "cp_fw_drop",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
disposition_id: 2, disposition: "Blocked",
severity_id: 3, severity: "Medium",
"finding_info.title": "Check Point Firewall Block",
confidence_id: 3, confidence: "High"
},
format: ".*action:\"Drop\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*rule_name:\"$rule_name=qval$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*",
halt: true
},
// FIREWALL REJECT
{
id: "cp_fw_reject",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
activity_id: 1, activity_name: "Create",
type_uid: 200401,
disposition_id: 2, disposition: "Blocked",
severity_id: 3, severity: "Medium",
"finding_info.title": "Check Point Firewall Reject",
confidence_id: 3, confidence: "High"
},
format: ".*action:\"Reject\";.*loguid:\"$log_uid=uuid$\";.*origin:\"$origin_ip=ip$\";.*product:\"$cp_product=qval$\";.*proto:\"$proto_num=num$\";.*rule_name:\"$rule_name=qval$\";.*s_port:\"$src_port=num$\";.*service:\"$dst_port=num$\";.*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*",
halt: true
},
// GENERIC FALLBACK - just extract src/dst if present
{
id: "cp_fallback",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 0, activity_name: "Unknown",
type_uid: 400100
},
format: ".*src:\"$src_ip=ip$\";.*dst:\"$dst_ip=ip$\".*"
}
],
mappings: {
version: 1,
mappings: [
{
transformations: [
{ rename: { from: "src_ip", to: "src_endpoint.ip" } },
{ rename: { from: "dst_ip", to: "dst_endpoint.ip" } },
{ rename: { from: "src_port", to: "src_endpoint.port" } },
{ rename: { from: "dst_port", to: "dst_endpoint.port" } },
{ rename: { from: "iface_name", to: "src_endpoint.interface_name" } },
{ rename: { from: "proto_num", to: "connection_info.protocol_num" } },
{ rename: { from: "iface_dir", to: "connection_info.direction" } },
{ rename: { from: "user_name", to: "actor.user.name" } },
{ rename: { from: "admin_user", to: "actor.user.name" } },
{ rename: { from: "rule_name", to: "firewall_rule.name" } },
{ rename: { from: "rule_uid", to: "firewall_rule.uid" } },
{ rename: { from: "app_name", to: "app.name" } },
{ rename: { from: "app_cat", to: "app.category" } },
{ rename: { from: "url", to: "http_request.url.original" } },
{ rename: { from: "malware_name", to: "malware.name" } },
{ rename: { from: "attack", to: "finding_info.title" } },
{ rename: { from: "protection", to: "finding_info.desc" } },
{ rename: { from: "file_name", to: "file.name" } },
{ rename: { from: "auth_method", to: "auth_protocol" } },
{ rename: { from: "dlp_rule", to: "policy.name" } },
{ rename: { from: "operation", to: "activity_name" } },
{ rename: { from: "obj_name", to: "entity.name" } },
{ rename: { from: "obj_type", to: "entity.type" } },
{ rename: { from: "status_detail", to: "status_detail" } },
{ rename: { from: "origin_ip", to: "device.ip" } },
{ rename: { from: "cp_hostname", to: "device.hostname" } },
{ rename: { from: "cp_product", to: "metadata.product.feature.name" } },
{ rename: { from: "log_uid", to: "metadata.uid" } },
{ rename: { from: "cp_action", to: "unmapped.action" } },
{ rename: { from: "layer_name", to: "unmapped.layer_name" } },
{ rename: { from: "identity_src", to: "unmapped.identity_source" } },
{ rename: { from: "time_epoch", to: "unmapped.time_epoch" } }
]
}
]
}
}
+77
@@ -0,0 +1,77 @@
{
attributes: {
"dataSource.category": "security",
"dataSource.name": "Cisco ISE",
"dataSource.vendor": "Cisco",
"metadata.product.name": "Cisco Identity Services Engine",
"metadata.product.vendor_name": "Cisco",
"metadata.version": "1.0.0"
},
patterns: {
timestamp: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(?:\\.\\d{3})?[+-]\\d{2}:\\d{2}|\\w{3}\\s+\\d{1,2}\\s+\\d{2}:\\d{2}:\\d{2}",
ipv4: "(?:\\d{1,3}\\.){3}\\d{1,3}",
macaddr: "([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}"
},
formats: [
{
attributes: {
class_uid: "3002",
category_uid: "3",
severity_id: "1",
class_name: "Authentication",
category_name: "Identity & Access Management",
"metadata.product.name": "Cisco Identity Services Engine",
"metadata.product.vendor_name": "Cisco",
"dataSource.category": "security",
"dataSource.name": "Cisco ISE",
"dataSource.vendor": "Cisco"
},
format: "$timestamp=timestamp$ $hostname$ CISE_System_Alarms $log_id$,$log_id2$,$severity$,$category$,$message$,$user$,$ip=ipv4$,$mac=macaddr$,$endpoint_id$,$auth_method$,$auth_protocol$"
},
{
attributes: {
class_uid: "3002",
category_uid: "3",
severity_id: "2",
class_name: "Authentication",
category_name: "Identity & Access Management",
"metadata.product.name": "Cisco Identity Services Engine",
"metadata.product.vendor_name": "Cisco",
"dataSource.category": "security",
"dataSource.name": "Cisco ISE",
"dataSource.vendor": "Cisco"
},
format: "$timestamp=timestamp$ $hostname$ CISE_Passed_Authentications $log_id$,$log_id2$,$severity$,$category$,User-Name=$user$,NAS-IP-Address=$nas_ip=ipv4$,Calling-Station-Id=$mac=macaddr$,Framed-IP-Address=$ip=ipv4$,Authentication passed"
},
{
attributes: {
class_uid: "3002",
category_uid: "3",
severity_id: "4",
class_name: "Authentication",
category_name: "Identity & Access Management",
"metadata.product.name": "Cisco Identity Services Engine",
"metadata.product.vendor_name": "Cisco",
"dataSource.category": "security",
"dataSource.name": "Cisco ISE",
"dataSource.vendor": "Cisco"
},
format: "$timestamp=timestamp$ $hostname$ CISE_Failed_Attempts $log_id$,$log_id2$,$severity$,$category$,User-Name=$user$,NAS-IP-Address=$nas_ip=ipv4$,Calling-Station-Id=$mac=macaddr$,Authentication failed,$failure_reason$"
},
{
attributes: {
class_uid: "3001",
category_uid: "3",
severity_id: "2",
class_name: "Account Change",
category_name: "Identity & Access Management",
"metadata.product.name": "Cisco Identity Services Engine",
"metadata.product.vendor_name": "Cisco",
"dataSource.category": "security",
"dataSource.name": "Cisco ISE",
"dataSource.vendor": "Cisco"
},
format: "$timestamp=timestamp$ $hostname$ CISE_Administrator $log_id$,$log_id2$,$severity$,$category$,Admin-Name=$admin_user$,Admin-Session-Id=$session_id$,Object-Name=$object_name$,Change-Type=$change_type$,Object-Type=$object_type$"
}
]
}
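Review bot: The fields captured by the four formats (`$user$`, `$ip=ipv4$`, `$nas_ip=ipv4$`, `$mac=macaddr$`, `$admin_user$`) are never renamed to OCSF attributes, so they stay under raw names while the Check Point and MikroTik parsers in this commit put the same data in `actor.user.name`, `src_endpoint.ip` and `src_endpoint.mac`. Either name the captures directly, e.g. `User-Name=$actor.user.name$,NAS-IP-Address=$src_endpoint.ip=ipv4$,Calling-Station-Id=$src_endpoint.mac=macaddr$`, or add a `mappings` block with rename transformations like the Check Point parser's. The OCSF ids are written as strings here (`class_uid: "3002"`) but as numbers in the sibling parsers (`class_uid: 4001`); one type across the repository avoids a mixed-type column downstream. None of the Authentication formats sets `activity_id: 1, activity_name: "Logon"` or a `status_id`, even though the Passed/Failed formats already distinguish success (`status_id: 1`) from failure (`status_id: 2`).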
+25
@@ -0,0 +1,25 @@
{
// specify a time zone if the timestamps in your log are not in GMT
// timezone: "GMT-0800"
patterns: {
tsPattern: "\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}"
},
formats: [
{
format: "\"$timestamp=tsPattern$\",\"$PolicyIdentityLabel$\",\"$InternalClientIP$\",\"$ExternalClientIP$\",\"$DestinationIP$\",\"$ContentType$\",\"$Action$\",\"$url$\",\"$Referer$\",\"$UserAgent$\",\"$StatusCode$\",\"$RequestSize$\",\"$ResponseSize$\",\"$ResponseBodySize$\",\"$SHA-SHA256$\",\"$Categories$\",\"$AVDetections$\",\"$PUAs$\",\"$AMPDisposition$\",\"$AMPMalwareName$\",\"$AMPScore$\",\"$PolicyIdentityType$\",\"$BlockedCategories$\",\"$Identities$\",\"$IdentityTypes$\",\"$RequestMethod$\",\"$DLPStatus$\",\"$CertificateErrors$\",\"$Filename$\",\"$RulesetID$\",\"$RuleID$\",\"$DestinationsListIDs$\"",
attributes: {"dataSource.vendor": "Cisco", "dataSource.name": "Cisco Umbrella", "LogType": "proxylogs"},
halt: true
},
{
format: "\"$timestamp=tsPattern$\",\"$MostGranularIdentity$\",\"$Identities$\",\"$InternalIP$\",\"$ExternalIP$\",\"$Action$\",\"$QueryType$\",\"$ResponseCode$\",\"$Domain$\",\"$Categories$\",\"$MostGranularIdentityType$\",\"$IdentityTypes$\",\"$BlockedCategories$\"",
attributes: {"dataSource.vendor": "Cisco", "dataSource.name": "Cisco Umbrella", "LogType": "dnslogs"},
halt: true
},
{
format: "\"$ID$\",\"$timestamp=tsPattern$\",\"$Email$\",\"$User$\",\"$Type$\",\"$Action$\",\"$LoggedInFrom$\",\"$Before$\",\"$After$\"",
attributes: {"dataSource.vendor": "Cisco", "dataSource.name": "Cisco Umbrella", "LogType": "auditlogs"},
halt: true
}
]
}
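Review bot: None of the three formats carries an OCSF classification, so Umbrella events are ingested with only `dataSource.*` and `LogType` while every other parser in this commit sets `class_uid`/`category_uid`; the dnslogs format should carry `class_uid: 4003, class_name: "DNS Activity", category_uid: 4, category_name: "Network Activity"` and proxylogs `class_uid: 4002, class_name: "HTTP Activity"`. The captured columns (`$Domain$`, `$InternalIP$`, `$url$`, `$StatusCode$`) are likewise left under raw names instead of `query.hostname`, `src_endpoint.ip`, `http_request.url.original`, `http_response.code`; a `mappings` block like the Check Point parser's would align them. `tsPattern` has no timezone component, so the commented `timezone` hint at the top matters if the exported logs are not in UTC — confirm against the Umbrella export settings and say so in the comment.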
+136
@@ -0,0 +1,136 @@
{
attributes: {
// Required pipeline defaults
"metadata.version": "1.1.0",
"dataSource.vendor": "MikroTik",
"dataSource.name": "MikroTik RouterOS",
"dataSource.category": "network",
// Product metadata
"metadata.product.vendor_name": "MikroTik",
"metadata.product.name": "RouterOS",
"metadata.log_provider": "syslog"
},
patterns: {
ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
mac: "[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}",
number: "\\d+",
word: "\\w+",
iface: "[\\w.-]+"
},
formats: [
// ─────────────────────────────────────────────────────────────────────────
// FIREWALL (Network Activity 4001)
// ─────────────────────────────────────────────────────────────────────────
{
// forward in:ether1 out:ether2, src-mac 00:11:22:33:44:55, proto TCP, 192.168.1.10:54321->8.8.8.8:443, len 64
id: "firewall_full",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic"
},
format:
"$disposition=word$ in:$src_endpoint.interface_name=iface$ out:$dst_endpoint.interface_name=iface$, " +
"src-mac $src_endpoint.mac=mac$, proto $connection_info.protocol_name=word$, " +
"$src_endpoint.ip=ipv4$:$src_endpoint.port=number$->$dst_endpoint.ip=ipv4$:$dst_endpoint.port=number$, len $traffic.bytes=number$",
halt: true
},
{
// forward: in:ether1 out:ether2, src-address 192.168.1.10, dst-address 8.8.8.8
id: "firewall_simple",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic"
},
format:
"$disposition=word$: in:$src_endpoint.interface_name=iface$ out:$dst_endpoint.interface_name=iface$, " +
"src-address $src_endpoint.ip=ipv4$, dst-address $dst_endpoint.ip=ipv4$",
halt: true
},
// ─────────────────────────────────────────────────────────────────────────
// DHCP (DHCP Activity 4004)
// ─────────────────────────────────────────────────────────────────────────
{
// dhcp,info leased 192.168.1.100 for 00:11:22:33:44:55
id: "dhcp_lease",
attributes: {
class_uid: 4004, class_name: "DHCP Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Lease"
},
format: "$dhcp.action=word$ $dst_endpoint.ip=ipv4$ for $dst_endpoint.mac=mac$",
halt: true
},
// ─────────────────────────────────────────────────────────────────────────
// WIRELESS (Network Activity 4001)
// ─────────────────────────────────────────────────────────────────────────
{
// connected, 00:11:22:33:44:55@wlan1, signal-strength=-65
id: "wireless",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Open"
},
format: "$status=word$, $src_endpoint.mac=mac$@$src_endpoint.interface_name=iface$, signal-strength=$unmapped.wireless_signal$",
halt: true
},
// ─────────────────────────────────────────────────────────────────────────
// AUTHENTICATION (Authentication 3002)
// ─────────────────────────────────────────────────────────────────────────
{
// user admin logged in from 192.168.1.5 via winbox
id: "login",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
activity_id: 1, activity_name: "Logon"
},
format: "user $actor.user.name=word$ $status$ from $src_endpoint.ip=ipv4$ via $auth_protocol=word$",
halt: true
},
{
// <ppp-user1> connected from 203.0.113.50
id: "vpn_connect",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
activity_id: 1, activity_name: "Logon",
auth_protocol: "PPP"
},
format: "<$actor.user.name$> $status=word$ from $src_endpoint.ip=ipv4$",
halt: true
},
{
// <ppp-user1> disconnected, uptime 1h30m, bytes-in=12345, bytes-out=67890
id: "vpn_disconnect",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
activity_id: 2, activity_name: "Logoff",
auth_protocol: "PPP"
},
format: "<$actor.user.name$> disconnected, uptime $session.duration$, bytes-in=$traffic.bytes_in=number$, bytes-out=$traffic.bytes_out=number$",
halt: true
},
// ─────────────────────────────────────────────────────────────────────────
// GENERIC FALLBACK
// ─────────────────────────────────────────────────────────────────────────
{
id: "generic",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 0, activity_name: "Unknown"
},
format: "$unmapped.facility=word$,$unmapped.topic=word$: $unmapped.body$"
}
]
}
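Review bot: The `login` format fixes `activity_id: 1, activity_name: "Logon"` but its free `$status$` capture also accepts `logged out`, so RouterOS logout lines are tagged as logons; split it into a format with the literal `user $actor.user.name=word$ logged in from $src_endpoint.ip=ipv4$ via $auth_protocol=word$` and a sibling with `logged out` carrying `activity_id: 2, activity_name: "Logoff"`, as the `vpn_connect`/`vpn_disconnect` pair already does. `firewall_full` and `firewall_simple` store the first word into `disposition`, which in the sample comments is the chain name (`forward`) rather than an allow/drop verdict; `unmapped.chain` would be honest, with `disposition_id` derived from the rule's log-prefix if one is configured. `firewall_full` also requires `proto $...=word$, ` to be followed directly by a comma, so a protocol rendered with flags such as `TCP (SYN)` would fall through to `generic` — confirm against real log lines.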
+70
@@ -0,0 +1,70 @@
{
"attributes": {
"dataSource.vendor": "Darktrace",
"dataSource.name": "Darktrace",
"marc_test_signature": "MARC-PARSER-ACTIVE-99999",
"dataSource.category": "ndr",
"metadata.product.vendor_name": "Darktrace",
"metadata.product.name": "Enterprise Immune System",
"metadata.version": "1.3.0"
},
"formats": [
{
"format": "$unmapped.{parse=json}$",
"rewrites": []
}
],
"mappings": {
"version": 1,
"mappings": [
{
"predicate": "true",
"transformations": [
{ "constant": { "value": 2, "field": "category_uid" } },
{ "constant": { "value": "Findings", "field": "category_name" } },
{ "constant": { "value": 2004, "field": "class_uid" } },
{ "constant": { "value": "Detection Finding", "field": "class_name" } },
{ "constant": { "value": 200401, "field": "type_uid" } },
{ "constant": { "value": "Detection Finding: Create", "field": "type_name" } },
{ "constant": { "value": 1, "field": "activity_id" } },
{ "constant": { "value": "Create", "field": "activity_name" } },
{ "constant": { "value": 1, "field": "status_id" } },
{ "constant": { "value": "New", "field": "status" } },
{ "copy": { "from": "unmapped.creationTime", "to": "time" } },
{ "copy": { "from": "unmapped.creationTime", "to": "finding_info.created_time" } },
{ "copy": { "from": "unmapped.time", "to": "finding_info.last_seen_time" } },
{ "copy": { "from": "unmapped.pbid", "to": "external_id" } },
{ "copy": { "from": "unmapped.pbid", "to": "metadata.correlation_uid" } },
{ "copy": { "from": "unmapped.incidentId", "to": "external_id" } },
{ "copy": { "from": "unmapped.title", "to": "finding_title" } },
{ "copy": { "from": "unmapped.title", "to": "finding.title" } },
{ "copy": { "from": "unmapped.summary", "to": "finding_info.desc" } },
{ "copy": { "from": "unmapped.category", "to": "metadata.product.feature.uid" } },
{ "copy": { "from": "unmapped.model.name", "to": "finding_title" } },
{ "copy": { "from": "unmapped.model.name", "to": "finding.title" } },
{ "copy": { "from": "unmapped.model.uuid", "to": "finding_uid" } },
{ "copy": { "from": "unmapped.model.uuid", "to": "finding.uid" } },
{ "copy": { "from": "unmapped.model.description", "to": "finding_info.description" } },
{ "copy": { "from": "unmapped.device.ip", "to": "src_ip" } },
{ "copy": { "from": "unmapped.device.ip", "to": "src_endpoint.ip" } },
{ "copy": { "from": "unmapped.device.ip", "to": "device.ip" } },
{ "copy": { "from": "unmapped.device.hostname", "to": "src_endpoint.hostname" } },
{ "copy": { "from": "unmapped.device.hostname", "to": "device.hostname" } },
{ "copy": { "from": "unmapped.device.hostname", "to": "device.name" } },
{ "copy": { "from": "unmapped.device.mac", "to": "src_endpoint.mac" } },
{ "copy": { "from": "unmapped.device.mac", "to": "device.mac" } },
{ "copy": { "from": "unmapped.device.os", "to": "device.os.name" } },
{ "copy": { "from": "unmapped.device.type", "to": "device.type" } },
{ "copy": { "from": "unmapped.score", "to": "risk_score" } },
{ "copy": { "from": "unmapped.score", "to": "confidence_score" } }
]
}
]
}
}
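Review bot: `"marc_test_signature": "MARC-PARSER-ACTIVE-99999"` in the static `attributes` is a leftover test marker that will be attached to every Darktrace event in production; drop the line before merging. Several transformations write non-OCSF names next to the OCSF ones — `finding_title`/`finding.title`/`finding_uid` beside `finding_info.title`, and `finding_info.description` where the schema field is `finding_info.desc` (already set two lines earlier) — so consumers get the same value under three spellings. `external_id`, `finding_title` and `finding.title` are each written twice (`pbid` then `incidentId`, `title` then `model.name`); which copy wins depends on transformation order, which should either be stated in a comment or reduced to one source per field.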
+26
@@ -0,0 +1,26 @@
{
attributes: {
class_uid: "5002",
category_uid: "4",
severity_id: "0",
class_name: "F5 Web Traffic",
category_name: "F5 HTTP Access Logs",
"metadata.product.name": "F5 BIG-IP",
"metadata.product.vendor_name": "F5 Networks",
"dataSource.category": "network",
"dataSource.name": "F5 BIG-IP",
"dataSource.vendor": "F5"
},
patterns: {
timestamp: "\\d{4}/\\d{2}/\\d{2}\\s+\\d{2}:\\d{2}:\\d{2}",
ipv4: "(?:\\d{1,3}\\.){3}\\d{1,3}",
quote: "\"[^\"]*\"",
number: "\\d+"
},
formats: [
{
format: ".*$_=identifier$=$_$(?:\\,|\\r)",
repeat: true
}
]
}
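Review bot: `class_uid: "5002"` and `category_uid: "4"` do not belong together: in OCSF 5002 is Config State in the Discovery category (5) while category 4 is Network Activity, and `class_name: "F5 Web Traffic"` / `category_name: "F5 HTTP Access Logs"` are not schema names. For HTTP access logs the consistent choice is `class_uid: 4002, class_name: "HTTP Activity", category_uid: 4, category_name: "Network Activity"`, as numbers rather than strings like the other parsers in this commit. The `timestamp`, `ipv4`, `quote` and `number` patterns are declared but no format references them, and the single format `.*$_=identifier$=$_$(?:\\,|\\r)` captures the value into `_` as well, so it is unclear that any named field is produced — compare the Fortigate parser's `$_=identifier$=$fortinet._=quoteOrSpace$`, which keys the value by the identifier.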
@@ -0,0 +1,316 @@
{
/*
* A parser for Fortigate syslog.
*
* It will split every key/value pair to a field 'fortinet.fieldname'
* Uses rewrites to rewrite the field to OCSF field used by SentinelOne SDL
*
* Instructions:
*
* - Use the format "default" in FortiGate configuration:
* - ssh to fg device
* commands:
* config log syslogd settings
* set format default
* end
*
* - fill in site ID if you want the data to be surfaced in the context of a SITE, or remove the attribute below.
*
*
* Contributors: Mischa Deden <mischa.deden@sentinelone.com>, Jan Tietze <jant@sentinelone.com> (original parser)
*/
"patterns":
{
"dateTimePattern": "date=\\d+-\\d+-\\d+ time=\\d+:\\d+:\\d+"
},
"attributes":
{
"dataSource.category": "security",
"dataSource.name": "Fortigate",
"dataSource.vendor": "Fortinet"
},
"formats": [
{
"format": "^<$syslog.priority{parse=syslogPriority}$>$datetime=dateTimePattern$",
"rewrites": [
{
"input": "datetime",
"output": "timestamp",
"match": "date=(\\d+-\\d+-\\d+) time=(\\d+:\\d+:\\d+)",
"replace": "$1 $2"
}
]
}, {
"format": ".*$_=identifier$=$fortinet._=quoteOrSpace$",
"repeat": true,
"rewrites": [
{
"input": "fortinet.action",
"output": "event.network.connectionStatus",
"match": ".*",
"replace": "$0"
},
{
"input": "fortinet.subtype",
"output": "event.network.direction",
"match": ".*",
"replace": "$0"
},
{
"input": "fortinet.service",
"output": "event.network.protocolName",
"match": ".*",
"replace": "$0"
},
{
"input": "fortinet.srcip",
"match": ".*",
"output": "event.source",
"replace": "$0"
},
{
"input": "fortinet.srcip",
"match": ".*",
"output": "src_endpoint.ip",
"replace": "$0"
},
{
"input": "fortinet.srcport",
"match": ".*",
"output": "src_endpoint.port",
"replace": "$0"
},
{
"input": "fortinet.srcmac",
"match": ".*",
"output": "src_endpoint.mac",
"replace": "$0"
},
{
"input": "fortinet.dstip",
"match": ".*",
"output": "dst_endpoint.ip",
"replace": "$0"
},
{
"input": "fortinet.dstip",
"match": ".*",
"output": "dst.ipaddress",
"replace": "$0"
},
{
"input": "fortinet.dstip",
"match": ".*",
"output": "event.target",
"replace": "$0"
},
{
"input": "fortinet.dstport",
"match": ".*",
"output": "dst_endpoint.port",
"replace": "$0"
},
{
"input": "fortinet.dstport",
"match": ".*",
"output": "dst.port.number",
"replace": "$0"
},
{
"input": "fortinet.dstmac",
"match": ".*",
"output": "dst_endpoint.mac",
"replace": "$0"
},
{
"input": "fortinet.subtype",
"match": ".*",
"output": "activity_name",
"replace": "$0"
},
{
"input": "fortinet.subtype",
"match": ".*",
"output": "activity_id",
"replace": "$0"
},
{
"input": "fortinet.subtype",
"match": ".*",
"output": "event.type",
"replace": "$0"
},
{
"input": "fortinet.severity",
"match": ".*",
"output": "severity_id",
"replace": "99"
},
{
"input": "fortinet.severity",
"match": "^information$",
"output": "severity_id",
"replace": "1"
},
{
"input": "fortinet.severity",
"match": "^critical$",
"output": "severity_id",
"replace": "5"
},
{
"input": "fortinet.severity",
"match": "^Emergency$",
"output": "severity_id",
"replace": "6"
},
{
"input": "fortinet.severity",
"match": "^information$",
"output": "severity_id",
"replace": "1"
},
{
"input": "fortinet.severity",
"match": "^critical$",
"output": "severity_id",
"replace": "5"
},
{
"input": "fortinet.severity",
"match": "^Emergency$",
"output": "severity_id",
"replace": "6"
},
{
"input": "fortinet.action",
"match": ".*",
"output": "activity_name",
"replace": "$0"
},
{
"input": "fortinet.action",
"match": "^(accept|permit)$",
"output": "activity_name",
"replace": "Open"
},
{
"input": "fortinet.action",
"match": "^(dropped|close|shutdown)$",
"output": "activity_name",
"replace": "Close"
},
{
"input": "fortinet.action",
"match": "^clear_session",
"output": "activity_name",
"replace": "Reset"
},
{
"input": "fortinet.action",
"match": "^(block|blocked)$",
"output": "activity_name",
"replace": "Refuse"
},
{
"input": "activity_name",
"match": ".*",
"output": "activity_id",
"replace": "99"
},
{
"input": "activity_name",
"match": "^Open",
"output": "activity_id",
"replace": "1"
},
{
"input": "activity_name",
"match": "^Close",
"output": "activity_id",
"replace": "2"
},
{
"input": "activity_name",
"match": "^Reset",
"output": "activity_id",
"replace": "3"
},
{
"input": "activity_name",
"match": "^Refuse",
"output": "activity_id",
"replace": "5"
},
{
"input": "activity_name",
"match": ".*",
"output": "event.type",
"replace": "$0"
},
{
"input": "fortinet.severity",
"match": ".*",
"output": "severity_id",
"replace": "99"
},
{
"input": "fortinet.severity",
"match": "^(information|Information)$",
"output": "severity_id",
"replace": "1"
},
{
"input": "fortinet.severity",
"match": "^(critical|Critical)$",
"output": "severity_id",
"replace": "5"
},
{
"input": "fortinet.severity",
"match": "^(emergency|Emergency)$",
"output": "severity_id",
"replace": "6"
},
{
"input": "activity_id",
"match": "(.*)",
"output": "type_uid",
"replace": "40010$0"
},
{
"input": "activity_id",
"match": "99",
"output": "type_uid",
"replace": "400199"
},
{
"input": "activity_name",
"match": "(.*)",
"output": "type_name",
"replace": "Network Activity: $0"
},
{
"input": "fortinet.sentbyte",
"match": "(.*)",
"output": "traffic.bytes_in",
"replace": "$0"
},
{
"input": "fortinet.rcvdbyte",
"match": "(.*)",
"output": "traffic.bytes_out",
"replace": "$0"
},
{
"input": "message",
"match": ".*srcip\\=(\\S+)\\s.*dstip\\=(\\S+)\\s.*dstmac\\=\"(.*?)\"\\s.*",
"output": "observables",
"replace": "\\[\\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"fortinet.srcip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"fortinet.dstip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"fortinet.dstmac\"\\, \"value\"\\: \"$3\"\\}\\]"
}
]
}
]
}
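Review bot: The final rewrite assembles the `observables` array as a JSON string by regex substitution, splicing the `srcip`, `dstip` and `dstmac` values from the log line in without JSON escaping, so a value containing a quote or backslash yields a broken document; the `observables.fields` block used by the Harness and Vault parsers in this commit declares observables structurally and avoids that. The severity rewrites appear three times (`^information$`/`^critical$`/`^Emergency$` twice, then the case-insensitive set) and each block first resets `severity_id` to `99`; assuming rewrites apply in order only the last block is effective, so the first two can go. Fortigate's `warning`, `error`, `alert`, `notice` and `debug` levels still fall to `99`; mapping at least `warning`→`3`, `error`→`4` and `alert`→`5` would keep the severities usable. The `timestamp` rewrite yields `date time` without the `tz=` field the device emits, so the pipeline's default zone applies — worth a comment.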
+75
@@ -0,0 +1,75 @@
{
"attributes": {
"dataSource.vendor": "GitHub",
"dataSource.name": "GitHub Audit",
"dataSource.category": "security",
"dataSource.technology": "source_control"
},
"formats": [
{
"id": "github_audit_json",
"format": "$unmapped.{parse=gron}$",
"attributes": {
"class_uid": 8001,
"class_name": "DevOps Activity",
"category_uid": 8,
"category_name": "System Activity",
"type_uid": 800101,
"activity_id": 1,
"activity_name": "Repository Activity",
"severity_id": 1
},
"rewrites": [
{
"input": "timestamp",
"output": "time",
"match": ".*",
"replace": "$0"
},
{
"input": "actor",
"output": "user.name",
"match": ".*",
"replace": "$0"
},
{
"input": "source_ip",
"output": "src_endpoint.ip",
"match": ".*",
"replace": "$0"
},
{
"input": "org",
"output": "metadata.tenant_uid",
"match": ".*",
"replace": "$0"
},
{
"input": "repository",
"output": "resource.name",
"match": ".*",
"replace": "$0"
},
{
"input": "action",
"output": "activity_name",
"match": ".*",
"replace": "$0"
},
{
"input": "outcome",
"output": "status",
"match": ".*",
"replace": "$0"
},
{
"input": "description",
"output": "message",
"match": ".*",
"replace": "$0"
}
]
}
]
}
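Review bot: The rewrites read `timestamp`, `actor`, `source_ip`, `org`, `repository`, `action`, `outcome` and `description` at the top level, but the format stores every parsed field under the `unmapped.` prefix, so by analogy with the Vault and Darktrace parsers in this commit (which read `unmapped.time`, `unmapped.title`) none of them will match; change each `input` to `unmapped.<name>`. `parse=gron` is unique here — every other JSON parser in this commit uses `parse=json` — so confirm `gron` is a parse mode the pipeline accepts. `category_uid: 8` with `category_name: "System Activity"` is inconsistent, System Activity being category 1 in OCSF, and `class_uid: 8001`/`class_name: "DevOps Activity"` should be checked against the schema version in use. The GitHub audit-log field names (for example `@timestamp`, `actor_ip`, `repo`) may also differ from the `input` names used here — verify with a sample export.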
+261
@@ -0,0 +1,261 @@
{
"attributes": {
"dataSource.vendor": "Harness",
"dataSource.name": "Harness CI/CD",
"dataSource.category": "security",
"metadata.product.vendor_name": "Harness",
"metadata.product.name": "Harness CI/CD",
"metadata.version": "1.0.0"
},
"formats": [
{
"format": "$timestamp$ Harness pipelineId=\"$pipeline_id$\" executionId=\"$execution_id$\" status=\"$status$\" trigger=\"$trigger$\" initiator=\"$initiator$\" message=\"$message$\"",
"rewrites": [
{
"input": "timestamp",
"output": "timestamp",
"match": ".*",
"replace": "$0"
},
{
"input": "pipeline_id",
"output": "job.name",
"match": ".*",
"replace": "$0"
},
{
"input": "execution_id",
"output": "job.uid",
"match": ".*",
"replace": "$0"
},
{
"input": "status",
"output": "status_detail",
"match": ".*",
"replace": "$0"
},
{
"input": "trigger",
"output": "job.run_type",
"match": ".*",
"replace": "$0"
},
{
"input": "initiator",
"output": "actor.user.name",
"match": ".*",
"replace": "$0"
},
{
"input": "message",
"output": "message",
"match": ".*",
"replace": "$0"
}
]
}
],
"mappings": {
"version": 1,
"mappings": [
{
"predicate": "status_detail = *",
"transformations": [
{
"constant": {
"value": 6003,
"field": "class_uid"
}
},
{
"constant": {
"value": "Job Activity",
"field": "class_name"
}
},
{
"constant": {
"value": 6,
"field": "category_uid"
}
},
{
"constant": {
"value": "Application Activity",
"field": "category_name"
}
},
{
"constant": {
"value": 1,
"field": "activity_id",
"predicate": "status_detail = 'STARTED' OR status_detail = 'RUNNING'"
}
},
{
"constant": {
"value": "Start",
"field": "activity_name",
"predicate": "status_detail = 'STARTED' OR status_detail = 'RUNNING'"
}
},
{
"constant": {
"value": 2,
"field": "activity_id",
"predicate": "status_detail = 'SUCCEEDED'"
}
},
{
"constant": {
"value": "Complete",
"field": "activity_name",
"predicate": "status_detail = 'SUCCEEDED'"
}
},
{
"constant": {
"value": 3,
"field": "activity_id",
"predicate": "status_detail = 'CANCELLED' OR status_detail = 'PAUSED'"
}
},
{
"constant": {
"value": "Cancel",
"field": "activity_name",
"predicate": "status_detail = 'CANCELLED' OR status_detail = 'PAUSED'"
}
},
{
"constant": {
"value": 99,
"field": "activity_id",
"predicate": "status_detail = 'FAILED'"
}
},
{
"constant": {
"value": "Other",
"field": "activity_name",
"predicate": "status_detail = 'FAILED'"
}
},
{
"constant": {
"value": 1,
"field": "status_id",
"predicate": "status_detail = 'SUCCEEDED' OR status_detail = 'STARTED' OR status_detail = 'RUNNING'"
}
},
{
"constant": {
"value": "Success",
"field": "status",
"predicate": "status_detail = 'SUCCEEDED' OR status_detail = 'STARTED' OR status_detail = 'RUNNING'"
}
},
{
"constant": {
"value": 2,
"field": "status_id",
"predicate": "status_detail = 'FAILED'"
}
},
{
"constant": {
"value": "Failure",
"field": "status",
"predicate": "status_detail = 'FAILED'"
}
},
{
"constant": {
"value": 99,
"field": "status_id",
"predicate": "status_detail = 'CANCELLED' OR status_detail = 'PAUSED'"
}
},
{
"constant": {
"value": "Other",
"field": "status",
"predicate": "status_detail = 'CANCELLED' OR status_detail = 'PAUSED'"
}
},
{
"constant": {
"value": 1,
"field": "severity_id"
}
},
{
"constant": {
"value": "Informational",
"field": "severity"
}
},
{
"constant": {
"value": 600301,
"field": "type_uid"
}
},
{
"copy": {
"from": "job.name",
"to": "job.name"
}
},
{
"copy": {
"from": "job.uid",
"to": "job.uid"
}
},
{
"copy": {
"from": "job.run_type",
"to": "job.run_type"
}
},
{
"copy": {
"from": "actor.user.name",
"to": "actor.user.name"
}
},
{
"copy": {
"from": "status_detail",
"to": "status_detail"
}
},
{
"copy": {
"from": "message",
"to": "message"
}
}
]
}
]
},
"observables": {
"fields": [
{
"name": "actor.user.name",
"type": "User"
},
{
"name": "job.name",
"type": "Other"
},
{
"name": "job.uid",
"type": "Other"
}
]
}
}
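Review bot: `class_uid: 6003` with `class_name: "Job Activity"` and `type_uid: 600301` looks mis-paired — in the OCSF 1.x schema 6003 is API Activity and scheduled job activity is class 1006 — so either the ids or the names need to change; verify against the schema version the pipeline targets. The six `copy` transformations from a field to itself (`job.name`→`job.name` … `message`→`message`) are no-ops and can be dropped, as can the `timestamp`→`timestamp` rewrite. The captured `$timestamp$` is never cast to epoch, unlike the Vault parser's `iso8601TimestampToEpochSec`, and `time` is never populated from it. The predicate `status_detail = *` differs from the `true` used in the other parsers; a comment on its meaning would help the next maintainer.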
+287
@@ -0,0 +1,287 @@
{
"attributes": {
"dataSource.vendor": "HashiCorp",
"dataSource.name": "HashiCorp Vault",
"dataSource.category": "security",
"metadata.product.vendor_name": "HashiCorp",
"metadata.product.name": "HashiCorp Vault",
"metadata.version": "1.0.0"
},
"formats": [
{
"format": "$unmapped.{parse=json}$",
"rewrites": [
{
"input": "unmapped.time",
"output": "timestamp",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.timestamp",
"output": "timestamp",
"match": ".*",
"replace": "$0"
}
]
}
],
"mappings": {
"version": 1,
"mappings": [
{
"predicate": "true",
"transformations": [
{
"constant": {
"value": 6001,
"field": "class_uid"
}
},
{
"constant": {
"value": "Vault Activity",
"field": "class_name"
}
},
{
"constant": {
"value": 6,
"field": "category_uid"
}
},
{
"constant": {
"value": "Application Activity",
"field": "category_name"
}
},
{
"copy": {
"from": "unmapped.time",
"to": "time"
}
},
{
"copy": {
"from": "unmapped.timestamp",
"to": "time"
}
},
{
"cast": {
"field": "time",
"type": "iso8601TimestampToEpochSec"
}
},
{
"copy": {
"from": "unmapped.request.id",
"to": "metadata.uid"
}
},
{
"copy": {
"from": "unmapped.type",
"to": "message"
}
},
{
"copy": {
"from": "unmapped.request.operation",
"to": "activity_name"
}
},
{
"copy": {
"from": "unmapped.auth.display_name",
"to": "user.name"
}
},
{
"copy": {
"from": "unmapped.auth.entity_id",
"to": "user.uid"
}
},
{
"copy": {
"from": "unmapped.auth.token_type",
"to": "user.type"
}
},
{
"copy": {
"from": "unmapped.request.client_ip",
"to": "src_endpoint.ip"
}
},
{
"copy": {
"from": "unmapped.request.client_token",
"to": "session.uid"
}
},
{
"copy": {
"from": "unmapped.request.path",
"to": "http_request.url.path"
}
},
{
"copy": {
"from": "unmapped.request.namespace.path",
"to": "http_request.url.path"
}
},
{
"copy": {
"from": "unmapped.response.data.accessor",
"to": "dst_endpoint.uid"
}
},
{
"copy": {
"from": "unmapped.response.data.entity_id",
"to": "dst_endpoint.uid"
}
},
{
"copy": {
"from": "unmapped.error",
"to": "status_detail"
}
},
{
"copy": {
"from": "unmapped.auth.policies",
"to": "metadata.extensions.policies"
}
},
{
"copy": {
"from": "unmapped.request.mount_type",
"to": "metadata.extensions.mount_type"
}
},
{
"copy": {
"from": "unmapped.request.mount_point",
"to": "metadata.extensions.mount_point"
}
},
{
"copy": {
"from": "unmapped.response.mount_type",
"to": "metadata.extensions.mount_type"
}
},
{
"copy": {
"from": "unmapped.response.secret",
"to": "metadata.extensions.secret"
}
},
{
"copy": {
"from": "unmapped.response.data.lease_id",
"to": "metadata.extensions.lease_id"
}
},
{
"copy": {
"from": "unmapped.response.data.lease_duration",
"to": "metadata.extensions.lease_duration"
}
},
{
"copy": {
"from": "unmapped.response.data.renewable",
"to": "metadata.extensions.renewable"
}
},
{
"constant": {
"value": 1,
"field": "activity_id",
"predicate": "unmapped.error == \"\""
}
},
{
"constant": {
"value": 2,
"field": "activity_id",
"predicate": "unmapped.error != \"\""
}
},
{
"constant": {
"value": 1,
"field": "severity_id",
"predicate": "unmapped.error == \"\""
}
},
{
"constant": {
"value": 3,
"field": "severity_id",
"predicate": "unmapped.error != \"\""
}
},
{
"constant": {
"value": 1,
"field": "status_id",
"predicate": "unmapped.error == \"\""
}
},
{
"constant": {
"value": 2,
"field": "status_id",
"predicate": "unmapped.error != \"\""
}
},
{
"constant": {
"value": "Success",
"field": "status",
"predicate": "unmapped.error == \"\""
}
},
{
"constant": {
"value": "Failure",
"field": "status",
"predicate": "unmapped.error != \"\""
}
}
]
}
]
},
"observables": {
"fields": [
{
"name": "user.name",
"type": "User"
},
{
"name": "src_endpoint.ip",
"type": "IP Address"
},
{
"name": "session.uid",
"type": "Other"
},
{
"name": "http_request.url.path",
"type": "Other"
},
{
"name": "metadata.extensions.lease_id",
"type": "Other"
}
]
}
}
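Review bot: Copying `unmapped.request.client_token` into `session.uid` promotes the request token to a first-class, searchable field; Vault HMACs this value in audit entries by default, but an audit device configured for raw logging would expose live tokens under `session.uid`, so prefer `unmapped.auth.accessor` (or keep the token only under `unmapped`) and record the assumption in a comment. `unmapped.request.path` and `unmapped.request.namespace.path` both copy to `http_request.url.path`, so the namespace overwrites the request path when present — `metadata.extensions.namespace` would keep both. `class_uid: 6001` is Web Resources Activity in OCSF 1.x, not `"Vault Activity"`; check the pair against the schema. The `predicate: "unmapped.error == \"\""` branches only fire when the field exists; if an entry omits an empty `error`, no `activity_id`/`status_id` is set — confirm with a sample entry.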
+84
@@ -0,0 +1,84 @@
{
// specify a time zone if the timestamps in your log are not in GMT
// timezone: "GMT-0800"
attributes: {
"dataSource.name": "Imperva WAF",
"dataSource.vendor": "Imperva",
"dataSource.category": "security"
"metadata.product.name": "Imperva WAF",
"metadata.product.vendor_name": "Imperva"
},
patterns: {
tsPattern: "\\d+",
value: "[^\\s]+",
toDrop: "^(?!CEF).*$"
},
formats: [
//drop logs
{
id: "drop",
format: "$unwanted=toDrop$",
discard: true
},
{
format: "$unmapped.cef.version$\\|$metadata.vendor_name$\\|$metadata.product$\\|$metadata.product.version$\\|$unmapped.signature$\\|$event.type$\\|$severity$\\|",
},
{
format: ".*\\sstart=$timestamp=tsPattern$",
},
{
format: ".*requestClientApplication=$unmapped.requestClientApplication$\\sdeviceFacility",
},
{
format: ".*\\scs2=$unmapped.cs2$\\scs2Label=$unmapped.cs2Label$\\scs3=$unmapped.cs3$\\scs3Label=$unmapped.cs3Label$\\scs1=$unmapped.cs1$\\scs1Label=$unmapped.cs1Label$\\scs4=$unmapped.cs4$\\scs4Label=$unmapped.cs4Label$\\scs5=$unmapped.cs5$\\scs5Label=$unmapped.cs5Label$\\scs6=$unmapped.cs6$\\scs6Label=$unmapped.cs6Label$\\scs7=$unmapped.cs7$\\scs7Label=$unmapped.cs7Label$\\scs8=$unmapped.cs8$\\scs8Label=$unmapped.cs8Label$\\sCustomer",
},
{
format: ".*\\scs10=$unmapped.cs10$\\scs10Label=$unmapped.cs10Label$\\scpt",
},
{
format: ".*\\sver=$unmapped.ver$\\s$unmapped.cipher$\\s",
},
{
format: ".*$_=identifier$=$unmapped._=value$",
repeat: true
}
],
mappings: {
version: 0,
mappings: [
{
predicate: "",
renames: [
{
inputs : ["unmapped.dst"],
output : "dst_endpoint.ip",
type: "string"
},
{
inputs: ["unmapped.dpt"],
output: "dst_endpoint.port",
type: "string"
},
{
inputs: ["unmapped.src"],
output: "src_endpoint.ip",
type: "string"
},
{
inputs: ["unmapped.spt"],
output: "src_endpoint.port",
type: "string"
},
{
inputs: ["unmapped.Customer"],
output: "Account Name",
type: "string"
}
]
}
]
}
}
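Review bot: `"dataSource.category": "security"` on the third attribute line is missing the trailing comma before `"metadata.product.name"`; a strict JSON reader rejects the file, and even if the pipeline's relaxed reader accepts it the line should read `"dataSource.category": "security",` for consistency with the other parsers. The `mappings` block uses `version: 0` with `renames`/`inputs`/`output` while the other parsers in this commit use `version: 1` with `transformations` — confirm both dialects are accepted, or align this one. `predicate: ""` should be `"true"` as in the Darktrace and Vault parsers unless an empty predicate is documented as always-true. The CEF header captures `metadata.vendor_name` and `metadata.product`, which sit beside the `metadata.product.vendor_name`/`metadata.product.name` set statically; one spelling per attribute avoids duplicate columns.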
+80
@@ -0,0 +1,80 @@
{
// OCSF-compliant parser for JSON application logs
// Schema: OCSF v1.3.0 - Security Finding (class_uid 2001)
// https://schema.ocsf.io/1.3.0/classes/security_finding
attributes: {
// ─── OCSF Metadata ──────────────────────────────────────────────
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "GenericApp",
"metadata.product.name": "Application Logger",
"metadata.product.version": "1.0.0",
"metadata.log_provider": "hec",
// ─── OCSF Classification (Security Finding) ──────────────────────
"category_uid": 2,
"category_name": "Findings",
"class_uid": 2001,
"class_name": "Security Finding",
"activity_id": 1,
"activity_name": "Create",
"type_uid": 200101,
"type_name": "Security Finding: Create",
// ─── OCSF Finding state defaults (overridable via rewrites) ─────
"status_id": 1, // 1=New
"status": "New",
"disposition_id": 0, // 0=Unknown
"disposition": "Unknown",
// ─── SDL/S1 routing fields (non-OCSF) ───────────────────────────
"Category": "security",
"dataSource.vendor": "GenericApp",
"dataSource.name": "alert",
"dataSource.category": "security",
"finding_info.types": ["Authentication"]
},
formats: [
{
// Auto-extract every JSON top-level field as an attribute
format: "$=json{parse=json}$",
halt: true,
rewrites: [
// ─── Time handling ─────────────────────────────────────────────
// Source JSON uses `event_iso` (ISO string). NEVER use the bare
// `time` attr (SDL reserved, expects epoch ms) or any `*_time`
// suffix (AI SIEM auto-parses as date, shows "Invalid Date" for
// ISO strings).
{ input: "event_iso", output: "finding_info.created_time_dt", match: ".*", replace: "$0" },
// ─── Actor (user) ───────────────────────────────────────────
{ input: "user", output: "actor.user.name", match: ".*", replace: "$0" },
{ input: "user", output: "actor.user.uid", match: ".*", replace: "$0" },
// ─── Finding info ───────────────────────────────────────────
{ input: "msg", output: "finding_info.title", match: ".*", replace: "$0" },
{ input: "msg", output: "finding_info.desc", match: ".*", replace: "$0" },
// finding_info.uid: use the original log line hash; SDL has no hash fn,
// so fall back to msg+user concatenation (callers SHOULD add an `id` field)
{ input: "msg", output: "finding_info.uid", match: ".*", replace: "$0" },
// ─── Raw log preservation (OCSF: raw_data) ──────────────────
{ input: "msg", output: "raw_data", match: ".*", replace: "$0" },
// ─── Severity (string + int, OCSF v1.3.0 ranges) ────────────
// NOTE: SDL reserves the bare `severity` field name and renames our
// attribute to `severity_`. We populate `severity_str` (queryable) and
// `severity_id` (OCSF integer 0-6).
{ input: "level", output: "severity_id", match: "(?i)error", replace: "5" },
{ input: "level", output: "severity_id", match: "(?i)warn", replace: "4" },
{ input: "level", output: "severity_id", match: "(?i)info", replace: "3" },
{ input: "level", output: "severity_id", match: "(?i)debug", replace: "1" },
{ input: "level", output: "severity_str", match: "(?i)error", replace: "Critical" },
{ input: "level", output: "severity_str", match: "(?i)warn", replace: "High" },
{ input: "level", output: "severity_str", match: "(?i)info", replace: "Informational" },
{ input: "level", output: "severity_str", match: "(?i)debug", replace: "Other" }
]
}
]
}
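Review bot: The severity_id/severity_str pairs at the end of the rewrites disagree with the OCSF v1.3.0 table the comment above them cites: `info` gets severity_id `3` (Medium) beside severity_str `Informational` (id 1), and `debug` gets `1` beside `Other` (id 99), so anything that ranks on the integer treats routine info logs as Medium. Change the two integer lines to `{ input: "level", output: "severity_id", match: "(?i)info", replace: "1" }` and `{ input: "level", output: "severity_id", match: "(?i)debug", replace: "99" }` (and widen the `0-6` comment), or keep debug at 1 and set its severity_str to `Informational`. Separately, finding_info.uid is the bare `msg`, so two users emitting the same message collapse into one finding uid; the comment acknowledges this, but composing the uid from `event_iso`, `user` and `msg` would at least keep events distinct until a real `id` field exists.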
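--- /dev/null
+++ b/PATH_NOT_ON_PAGE__pfsense_flow_ids_parser
@@ -0,0 +1,59 @@
+{
+  attributes: {
+    "dataSource.vendor": "pfSense",
+    "dataSource.name": "pfSense Firewall",
+    "dataSource.category": "security"
+  },
+  patterns: {
+    ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
+    ipv6: "[0-9A-Fa-f:]+",
+    ipv46: "(\\d+\\.\\d+\\.\\d+\\.\\d+|[0-9A-Fa-f:]+)",
+    number: "\\d+"
+  },
+  formats: [
+    {
+      // ACCEPT TCP 4f48:...:55177 -> f7b0:...:10680 - Rule: 4891 - Bytes: 1234
+      id: "flow",
+      format:
+        "$pf_action$ $network_protocol$ " +
+        "$src_ip=ipv46$:$src_port=number$ -> " +
+        "$dst_ip=ipv46$:$dst_port=number$ - Rule: " +
+        "$fw_rule_id=number$ - Bytes: $bytes=number$",
+      halt: true
+    },
+    {
+      // INTRUSION DETECTED: DDoS from 92.191.154.186 - Blocked by rule 7936 - Severity: HIGH
+      id: "ids",
+      format:
+        "INTRUSION DETECTED: $attack_type$ from " +
+        "$src_ip=ipv4$ - Blocked by rule $fw_rule_id=number$ - Severity: $severity$",
+      halt: true
+    }
+  ],
+  mappings: {
+    version: 1,
+    mappings: [
+      {
+        predicate: "true",
+        transformations: [
+          { "rename": { "from": "src_ip", "to": "src.ip.address" } },
+          { "rename": { "from": "dst_ip", "to": "dst.ip.address" } },
+          { "rename": { "from": "src_port", "to": "src.port.number" } },
+          { "rename": { "from": "dst_port", "to": "dst.port.number" } },
+          { "rename": { "from": "network_protocol", "to": "network.protocol" } },
+          { "rename": { "from": "fw_rule_id", "to": "unmapped.firewall.rule_id" } },
+          { "rename": { "from": "bytes", "to": "network.bytes" } },
+          { "rename": { "from": "pf_action", "to": "event.outcome" } },
+          { "rename": { "from": "severity", "to": "severity" } },
+          { "rename": { "from": "attack_type", "to": "unmapped.attack.type" } },
+          { "constant": { "field": "event.category", "value": "network" } },
+          { "constant": { "field": "class_name", "value": "Network Activity" } }
+        ]
+      }
+    ]
+  }
+}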
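Review bot: The `ids` format pulls out `attack_type` and `severity` from INTRUSION DETECTED lines, yet the single mapping block stamps every event with `class_name` "Network Activity" and sets no `class_uid`, `category_uid` or finding fields, so a blocked intrusion is indistinguishable from a routine flow once normalised. A per-format `attributes` block on `ids` (the MikroTik parser in this commit uses `class_uid: 4002, class_name: "Detection Finding"` that way) or a second mapping predicated on `attack_type` would keep the detection visible, and `class_uid: 4001` belongs on the flow records for the same reason. `{ "rename": { "from": "severity", "to": "severity" } }` is a no-op and can go. `pf_action` (ACCEPT/BLOCK) is the firewall's verdict rather than an outcome; `disposition`/`disposition_id`, as used by the other parsers on this page, is the field consumers expect to filter on.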
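--- /dev/null
+++ b/PATH_NOT_ON_PAGE__pfsense_filterlog_parser
@@ -0,0 +1,63 @@
+{
+  attributes: {
+    "dataSource.vendor": "pfSense",
+    "dataSource.name": "pfSense",
+    "dataSource.category": "security"
+  },
+  patterns: {
+    tsPattern: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2}",
+    ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
+    ipv6: "[a-fA-F0-9:]+",
+    ipv46: "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+)",
+    ipv: "(4|6)",
+    hex: "([a-f0-9]+x[a-f0-9]+){0,1}",
+    tcpflags: "[SA\\.FRPUEW]+",
+    numberOrNone: "[0-9]{0,}",
+    textOrNone: "[a-zA-Z-\\.0-9]{0,}"
+  },
+  formats: [
+    {
+      // Base filterlog header
+      format: "$timestamp=tsPattern$ $hostname=ipv46$ filterlog: " +
+        "$pfRule=numberOrNone$,$pfSubRule=numberOrNone$," +
+        "$pfAnchor=textOrNone$,$pfTracker=numberOrNone$," +
+        "$pfInterface$,$pfReason=identifier$," +
+        "$pfAction=identifier$,$pfDirection=identifier$,.*"
+    },
+    {
+      // IPv4 header-specific fields
+      attributes: { pfIpv: 4 },
+      format: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2} " +
+        "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+) filterlog: " +
+        "([a-zA-Z0-9-\\.]+,|,){8}4," +
+        "$pfTos=hex$,$pfEcn$,$pfTtl=numberOrNone$," +
+        "$pfPacketId=numberOrNone$,$pfOffset=numberOrNone$," +
+        "$pfIPFlags=identifier$,$pfProtocolID$,$msg$"
+    },
+    {
+      // TCP flow
+      attributes: { pfProtocol: "tcp" },
+      format: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2} " +
+        "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+) filterlog: " +
+        "([a-zA-Z0-9-\\.]+,|,){16}tcp," +
+        "$pfPacketLen=number$,$pfSourceIP=ipv4$,$pfDestIP=ipv4$," +
+        "$pfSourcePort=number$,$pfDestPort=number$," +
+        "$pfDataLen=number$,$pfTCPFlags=tcpflags$," +
+        "$pfSeq=numberOrNone$,$pfAck=numberOrNone$," +
+        "$pfWindow=numberOrNone$,$pfUrg=textOrNone$,$pfTcpOptions$",
+      halt: true
+    },
+    {
+      // UDP flow
+      attributes: { pfProtocol: "udp" },
+      format: "\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\+\\d{2}:\\d{2} " +
+        "(\\d+\\.\\d+\\.\\d+\\.\\d+|[a-zA-Z0-9:]+) filterlog: " +
+        "([a-zA-Z0-9-\\.]+,|,){16}udp," +
+        "$pfPacketLen=number$,$pfSourceIP=ipv4$,$pfDestIP=ipv4$," +
+        "$pfSourcePort=number$,$pfDestPort=number$,$pfDataLen=number$",
+      halt: true
+    }
+  ]
+}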
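Review bot: The four formats extract pfSourceIP, pfDestIP, pfSourcePort, pfDestPort, pfProtocol and pfAction but the file has no `mappings` block, so none of them reach the normalised fields the other pfSense parser in this commit writes (src.ip.address, dst.ip.address, src.port.number, dst.port.number, network.protocol, event.outcome) and cross-source correlation silently misses filterlog traffic. The two parsers also register different `dataSource.name` values ("pfSense" here, "pfSense Firewall" in the sibling), which splits one firewall into two data sources; pick one. A mappings block in the sibling's version-1 shape closes the first gap, sketched below; the base header format has no `halt`, presumably so the protocol formats can run afterwards — confirm that is intended.
```json
  // … unchanged: attributes, patterns, formats …
  ],
  mappings: {
    version: 1,
    mappings: [
      {
        predicate: "true",
        transformations: [
          { "rename": { "from": "pfSourceIP", "to": "src.ip.address" } },
          { "rename": { "from": "pfDestIP", "to": "dst.ip.address" } },
          { "rename": { "from": "pfSourcePort", "to": "src.port.number" } },
          { "rename": { "from": "pfDestPort", "to": "dst.port.number" } },
          { "rename": { "from": "pfProtocol", "to": "network.protocol" } },
          { "rename": { "from": "pfAction", "to": "event.outcome" } }
        ]
      }
    ]
  }
}
```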
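--- /dev/null
+++ b/PATH_NOT_ON_PAGE__m365_collaboration_parser
@@ -0,0 +1,147 @@
+{
+    "attributes": {
+        "dataSource.name": "Microsoft 365 Collaboration",
+        "dataSource.vendor": "Microsoft",
+        "dataSource.category": "security",
+        "metadata.product.name": "Microsoft 365 SharePoint/OneDrive",
+        "metadata.product.vendor_name": "Microsoft",
+        "metadata.version": "1.0.0"
+    },
+    "formats": [
+        {
+            "format": "$unmapped.{parse=gron}$",
+            "rewrites": [
+                {
+                    "input": "unmapped.TimeStamp",
+                    "output": "timestamp",
+                    "match": ".*",
+                    "replace": "$0"
+                }
+            ]
+        }
+    ],
+    "mappings": {
+        "version": 1,
+        "mappings": [
+            {
+                "predicate": "true",
+                "transformations": [
+                    {
+                        "constant": {
+                            "value": 1,
+                            "field": "activity_id"
+                        }
+                    },
+                    {
+                        "constant": {
+                            "value": "Create",
+                            "field": "activity_name"
+                        }
+                    },
+                    {
+                        "constant": {
+                            "value": 1,
+                            "field": "category_uid"
+                        }
+                    },
+                    {
+                        "constant": {
+                            "value": 1006,
+                            "field": "class_uid"
+                        }
+                    },
+                    {
+                        "constant": {
+                            "value": "File Activity",
+                            "field": "class_name"
+                        }
+                    },
+                    {
+                        "constant": {
+                            "value": "System Activity",
+                            "field": "category_name"
+                        }
+                    },
+                    {
+                        "constant": {
+                            "value": 100601,
+                            "field": "type_uid"
+                        }
+                    },
+                    {
+                        "constant": {
+                            "value": "File Activity: Create",
+                            "field": "type_name"
+                        }
+                    },
+                    {
+                        "copy": {
+                            "from": "unmapped.TimeStamp",
+                            "to": "time"
+                        }
+                    },
+                    {
+                        "cast": {
+                            "field": "time",
+                            "type": "iso8601TimestampToEpochSec"
+                        }
+                    },
+                    {
+                        "rename": {
+                            "from": "unmapped.UserId",
+                            "to": "actor.user.email_addr"
+                        }
+                    },
+                    {
+                        "rename": {
+                            "from": "unmapped.Operation",
+                            "to": "activity_name"
+                        }
+                    },
+                    {
+                        "rename": {
+                            "from": "unmapped.SiteUrl",
+                            "to": "src_endpoint.url.url_string"
+                        }
+                    },
+                    {
+                        "rename": {
+                            "from": "unmapped.ObjectId",
+                            "to": "file.path"
+                        }
+                    },
+                    {
+                        "rename": {
+                            "from": "unmapped.FileName",
+                            "to": "file.name"
+                        }
+                    },
+                    {
+                        "rename": {
+                            "from": "unmapped.TargetUser",
+                            "to": "user.email_addr"
+                        }
+                    },
+                    {
+                        "rename": {
+                            "from": "unmapped.RequestedBy",
+                            "to": "actor.user.name"
+                        }
+                    },
+                    {
+                        "rename": {
+                            "from": "unmapped.Details",
+                            "to": "message"
+                        }
+                    },
+                    {
+                        "constant": {
+                            "value": "Microsoft 365",
+                            "field": "cloud.provider"
+                        }
+                    }
+                ]
+            }
+        ]
+    }
+}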
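Review bot: The transformations pin `activity_id` to `1`, `activity_name` to "Create" and `type_uid` to `100601` for every record and then rename `unmapped.Operation` onto `activity_name`, so a delete, download or sharing operation keeps the source operation as its name while the integer fields still say Create; any rule that filters on activity_id or type_uid reads every SharePoint action as a file creation. Either derive activity_id/type_uid from Operation with predicated mappings, or drop that rename and leave the raw value in `unmapped.Operation` so name and id cannot disagree. Also, `time` is cast with `iso8601TimestampToEpochSec` while the GenericApp parser in this same commit notes that SDL's bare `time` attribute expects epoch milliseconds; if that note is right every M365 event lands in 1970, so confirm the unit before merge.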
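--- /dev/null
+++ b/PATH_NOT_ON_PAGE__windows_event_log_parser
@@ -0,0 +1,39 @@
+{
+    // Default Attributes
+    attributes: {
+        "dataSource.category": "security",
+        "dataSource.name": "Windows Event Logs",
+        "dataSource.vendor": "Microsoft",
+        "event.type": "Windows Event Log Creation"
+    },
+    patterns: {
+        SystemTimePattern: "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{7}Z"
+    },
+    formats: [
+        {
+            // Match Event ID : 4743
+            format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.task$\",\"Provider\":\"$winEventLog.rendering_info.provider$\",\"Opcode\":\"$winEventLog.rendering_info.opcode$\",\"Message\":\"$winEventLog.message$\",\"Level\":\"$winEventLog.rendering_info.level$\",\"Keywords\":\\{\"Keyword\":\"$winEventLog.rendering_info.keywords.keyword$\"},\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.culture$\"},\"EventData\":\\{\"Data\":\\{\"SubjectUserSid\":\\{\"Text\":\"$winEventLog.EventData.userSID$\"},\"SubjectUserName\":\\{\"Text\":\"$winEventLog.EventData.userName$\"},\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.logonId$\"},\"SubjectDomainName\":\\{\"Text\":\"$winEventLog.EventData.domainName$\"},\"PrivilegeList\":\\{\"Text\":\"$winEventLog.EventData.PrivilegeList$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}"
+            halt: true
+        },
+        {
+            // Match Event ID : 4742
+            format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.Task$\",\"Provider\":\"$winEventLog.rendering_info.Provider$\",\"Opcode\":\"$winEventLog.rendering_info.Opcode$\",\"Message\":\"$winEventLog.rendering_info.Message$\",\"Level\":\"$winEventLog.rendering_info.Level$\",\"Keywords\":\\{\"Keyword\":\"$winEventLog.rendering_info.Keywords.Keyword$\"},\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.Culture$\"},\"EventData\":\\{\"Data\":\\{\"UserWorkstations\":\\{\"Text\":\"$winEventLog.EventData.UserWorkstations$\"},\"UserPrincipalName\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"UserParameters\":\\{\"Text\":\"$winEventLog.EventData.UserParameters$\"},\"UserAccountControl\":\\{\"Text\":\"$winEventLog.EventData.UserAccountControl$\"},\"TargetUserName\":\\{\"Text\":\"$winEventLog.EventData.TargetUserName$\"},\"TargetSid\":\\{\"Text\":\"$winEventLog.EventData.TargetSid$\"},\"TargetDomainName\":\\{\"Text\":\"$winEventLog.EventData.TargetDomainName$\"},\"SubjectUserSid\":\\{\"Text\":\"$winEventLog.EventData.SubjectUserSid$\"},\"SubjectUserName\":\\{\"Text\":\"$winEventLog.EventData.SubjectUserName$\"},\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},
+            \"SubjectDomainName\":\\{\"Text\":\"$winEventLog.EventData.SubjectDomainName$\"},\"SidHistory\":\\{\"Text\":\"$winEventLog.EventData.SidHistory$\"},\"ServicePrincipalNames\":\\{\"Text\":\"$winEventLog.EventData.ServicePrincipalNames$\"},\"ScriptPath\":\\{\"Text\":\"$winEventLog.EventData.ScriptPath$\"},\"SamAccountName\":\\{\"Text\":\"$winEventLog.EventData.SamAccountName$\"},\"ProfilePath\":\\{\"Text\":\"$winEventLog.EventData.ProfilePath$\"},\"PrivilegeList\":\\{\"Text\":\"$winEventLog.EventData.PrivilegeList$\"},\"PrimaryGroupId\":\\{\"Text\":\"$winEventLog.EventData.PrimaryGroupId$\"},\"PasswordLastSet\":\\{\"Text\":\"$winEventLog.EventData.PasswordLastSet$\"},\"OldUacValue\":\\{\"Text\":\"$winEventLog.EventData.OldUacValue$\"},\"NewUacValue\":\\{\"Text\":\"$winEventLog.EventData.NewUacValue$\"},\"LogonHours\":\\{\"Text\":\"$winEventLog.EventData.LogonHours$\"},\"HomePath\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"HomeDirectory\":\\{\"Text\":\"$winEventLog.EventData.HomeDirectory$\"},\"DnsHostName\":\\{\"Text\":\"$winEventLog.EventData.DnsHostName$\"},\"DisplayName\":\\{\"Text\":\"$winEventLog.EventData.DisplayName$\"},\"ComputerAccountChange\":\\{\"Text\":\"$winEventLog.EventData.ComputerAccountChange$\"},\"AllowedToDelegateTo\":\\{\"Text\":\"$winEventLog.EventData.AllowedToDelegateTo$\"},\"AccountExpires\":\\{\"Text\":\"$winEventLog.EventData.AccountExpires$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}"
+            halt: true
+        },
+        {
+            // Match Event ID : 4741
+            format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.task$\",\"Provider\":\"$winEventLog.rendering_info.provider$\",\"Opcode\":\"$winEventLog.rendering_info.opcode$\",\"Message\":\"$winEventLog.message$\",\"Level\":\"$winEventLog.rendering_info.level$\",\"Keywords\":\\{\"Keyword\":\"$winEventLog.rendering_info.keywords.keyword$\"},\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.culture$\"},\"EventData\":\\{\"Data\":\\{\"UserWorkstations\":\\{\"Text\":\"$winEventLog.EventData.UserWorkstations$\"},\"UserPrincipalName\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"UserParameters\":\\{\"Text\":\"$winEventLog.EventData.UserParameters$\"},\"UserAccountControl\":\\{\"Text\":\"$winEventLog.EventData.UserAccountControl$\"},\"TargetUserName\":\\{\"Text\":\"$winEventLog.EventData.TargetUserName$\"},\"TargetSid\":\\{\"Text\":\"$winEventLog.EventData.TargetSid$\"},\"TargetDomainName\":\\{\"Text\":\"$winEventLog.EventData.TargetDomainName$\"},\"SubjectUserSid\":\\{\"Text\":\"$winEventLog.EventData.userSID$\"},\"SubjectUserName\":\\{\"Text\":\"$winEventLog.EventData.SubjectUserName$\"},\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.logonId$\"},\"SubjectDomainName\":\\{\"Text\
+            ":\"$winEventLog.EventData.SubjectDomainName$\"},\"SidHistory\":\\{\"Text\":\"$winEventLog.EventData.SidHistory$\"},\"ServicePrincipalNames\":\\{\"Text\":\"$winEventLog.EventData.ServicePrincipalNames$\"},\"ScriptPath\":\\{\"Text\":\"$winEventLog.EventData.ScriptPath$\"},\"SamAccountName\":\\{\"Text\":\"$winEventLog.EventData.SamAccountName$\"},\"ProfilePath\":\\{\"Text\":\"$winEventLog.EventData.ProfilePath$\"},\"PrivilegeList\":\\{\"Text\":\"$winEventLog.EventData.PrivilegeList$\"},\"PrimaryGroupId\":\\{\"Text\":\"$winEventLog.EventData.PrimaryGroupId$\"},\"PasswordLastSet\":\\{\"Text\":\"$winEventLog.EventData.PasswordLastSet$\"},\"OldUacValue\":\\{\"Text\":\"$winEventLog.EventData.OldUacValue$\"},\"NewUacValue\":\\{\"Text\":\"$winEventLog.EventData.NewUacValue$\"},\"LogonHours\":\\{\"Text\":\"$winEventLog.EventData.LogonHours$\"},\"HomePath\":\\{\"Text\":\"$winEventLog.EventData.UserPrincipalName$\"},\"HomeDirectory\":\\{\"Text\":\"$winEventLog.EventData.HomeDirectory$\"},\"DnsHostName\":\\{\"Text\":\"$winEventLog.EventData.DnsHostName$\"},\"DisplayName\":\\{\"Text\":\"$winEventLog.EventData.DisplayName$\"},\"AllowedToDelegateTo\":\\{\"Text\":\"$winEventLog.EventData.AllowedToDelegateTo$\"},\"AccountExpires\":\\{\"Text\":\"$winEventLog.EventData.AccountExpires$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}"
+            halt: true
+        },
+        {
+            // Match Event ID : 8002
+            format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":\\{\"UserID\":\"$winEventLog.user_id$\"},\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",\"Correlation\":$winEventLog.correlation$,\"Computer\":\"$endpoint.name$\",\"Channel\":\"$winEventLog.channel$\"},\"RenderingInfo\":\\{\"Task\":\"$winEventLog.rendering_info.task$\",\"Provider\":\"$winEventLog.rendering_info.provider$\",\"Opcode\":\"$winEventLog.rendering_info.opcode$\",\"Message\":\"$winEventLog.message$\",\"Level\":\"$winEventLog.rendering_info.level$\",\"Keywords\":$winEventLog.rendering_info.keywords$,\"Channel\":\"$winEventLog.rendering_info.channel$\",\"Culture\":\"$winEventLog.rendering_info.culture$\"},\"EventData\":\\{\"Data\":\\{\"ProcessName\":\\{\"Text\":\"$src.process.name$\"},\"MechanismOID\":\\{\"Text\":\"$src.process.mechanism_oid$\"},\"ClientUserName\":\\{\"Text\":\"$src.process.user$\"},\"ClientLUID\":\\{\"Text\":\"$src.process.uid$\"},\"ClientDomainName\":\\{\"Text\":\"$src.process.domain$\"},\"CallerPID\":\\{\"Text\":\"$src.process.callerid$\"}}},\"xmlns\":\"$winEventLog.xmlns$\"},\"timestamp\":\"$winEventLog.timestamp=SystemTimePattern$\",\"name\":\"$winEventLog.name$\",\"monitor\":\"$winEventLog.monitor$\"}"
+            halt: true
+        },
+        {
+            // Match all rest
+            format: "^\\{\"Event\":\\{\"System\":\\{\"Version\":\"$winEventLog.version$\",\"TimeCreated\":\\{\"SystemTime\":\"$winEventLog.time=SystemTimePattern$\"},\"Task\":\"$winEventLog.task_id$\",\"Security\":null,\"Provider\":\\{\"Name\":\"$winEventLog.providerName$\",\"Guid\":\"$winEventLog.provider_guid$\"},\"Opcode\":\"$winEventLog.opcode$\",\"Level\":\"$winEventLog.level$\",\"Keywords\":\"$winEventLog.keywords$\",\"Execution\":\\{\"ThreadID\":\"$winEventLog.execution.thread_id$\",\"ProcessID\":\"$winEventLog.execution.process_id$\"},\"EventRecordID\":\"$winEventLog.event_record_id$\",\"EventID\":\"$winEventLog.event_id$\",$winEventLog.rest$"
+        }
+    ]
+}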
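Review bot: The Event ID 4742 format captures both `SubjectLogonId` and `HomePath` into `$winEventLog.EventData.UserPrincipalName$` (the 4741 format repeats the HomePath one), so the logon ID and home path either overwrite the real UPN or vanish, and the same JSON field is named differently across the three account-change formats (`userSID`/`SubjectUserSid`, `userName`/`SubjectUserName`, `logonId`/`SubjectLogonId`), so no single query covers 4741/4742/4743. The fixes are `\"SubjectLogonId\":\\{\"Text\":\"$winEventLog.EventData.SubjectLogonId$\"}` and `\"HomePath\":\\{\"Text\":\"$winEventLog.EventData.HomePath$\"}`, plus one naming scheme for the Subject* fields. Each `format:` string in the first four entries is followed by `halt: true` with no comma, and the 4742 and 4741 strings are shown broken across two lines; if the loader is JSON5-like (the other parsers in this commit use `//` comments and trailing commas) the first is a parse error and the second puts a raw newline inside the pattern — confirm the file loads. Because every format asserts the exact key order of the serialized event, any reordering by the forwarder drops the record to `Match all rest`, which keeps only `winEventLog.rest`; that makes a broken match quiet rather than visible, so a count of records reaching the fallback is worth alerting on.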
@@ -0,0 +1,436 @@
{
attributes: {
"metadata.version": "2.0.0",
"dataSource.vendor": "MikroTik",
"dataSource.name": "MikroTik RouterOS",
"dataSource.category": "security",
"Category": "security",
"metadata.product.vendor_name": "MikroTik",
"metadata.product.name": "RouterOS",
"metadata.log_provider": "syslog",
"severity_id": 1,
"severity": "Informational"
},
patterns: {
ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
ipv6: "[0-9a-fA-F:]+",
mac: "[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}",
num: "\\d+",
word: "\\w+",
iface: "[\\w().-]+",
proto: "[A-Z]+",
signal: "-?\\d+",
ts: "\\w+/\\d+/\\d+ \\d+:\\d+:\\d+|\\d+:\\d+:\\d+",
rest: ".*"
},
formats: [
// ═══════════════════════════════════════════════════════════════════════════
// FIREWALL (Network Activity 4001)
// ═══════════════════════════════════════════════════════════════════════════
// input: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto UDP, 10.1.101.1:520->10.1.101.255:520, len 452
{
id: "firewall_full",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic",
type_uid: 400106
},
format: "$chain=word$: in:$in_iface=iface$ out:$out_iface=iface$, src-mac $src_mac=mac$, proto $protocol=proto$, $src_ip=ipv4$:$src_port=num$->$dst_ip=ipv4$:$dst_port=num$, len $pkt_len=num$",
halt: true
},
// forward: in:ether1 out:ether2, connection-state:established, src-mac 00:11:22:33:44:55
{
id: "firewall_conntrack",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic",
type_uid: 400106
},
format: "$chain=word$: in:$in_iface=iface$ out:$out_iface=iface$, connection-state:$conn_state=word$, src-mac $src_mac=mac$",
halt: true
},
// Firewall DROP - appears in XDR as Detection Finding
// drop: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto TCP, 10.1.101.1:12345->10.1.101.255:22, len 64
{
id: "firewall_drop",
attributes: {
class_uid: 4002, class_name: "Detection Finding",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Create",
type_uid: 400201,
disposition_id: 2, disposition: "Blocked",
severity_id: 3, severity: "Medium",
"finding_info.title": "MikroTik Firewall Drop",
"finding_info.types": ["Network"],
confidence_id: 3, confidence: "High"
},
format: "drop: in:$in_iface=iface$ out:$out_iface=iface$, src-mac $src_mac=mac$, proto $protocol=proto$, $src_ip=ipv4$:$src_port=num$->$dst_ip=ipv4$:$dst_port=num$, len $pkt_len=num$",
halt: true
},
// ═══════════════════════════════════════════════════════════════════════════
// DHCP (DHCP Activity 4004)
// ═══════════════════════════════════════════════════════════════════════════
// defconf deassigned 192.168.88.37 for B0:E4:5C:27:EF:F2 Samsung
{
id: "dhcp_deassign",
attributes: {
class_uid: 4004, class_name: "DHCP Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 2, activity_name: "Release",
type_uid: 400402
},
format: "$dhcp_server=word$ deassigned $client_ip=ipv4$ for $client_mac=mac$ $hostname=rest$",
halt: true
},
// defconf assigned 192.168.88.37 for B0:E4:5C:27:EF:F2 Samsung
{
id: "dhcp_assign",
attributes: {
class_uid: 4004, class_name: "DHCP Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Lease",
type_uid: 400401
},
format: "$dhcp_server=word$ assigned $client_ip=ipv4$ for $client_mac=mac$ $hostname=rest$",
halt: true
},
// dhcp1 got address 192.168.1.100 from 192.168.1.1
{
id: "dhcp_client",
attributes: {
class_uid: 4004, class_name: "DHCP Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Lease",
type_uid: 400401
},
format: "$dhcp_client=word$ got address $client_ip=ipv4$ from $dhcp_server_ip=ipv4$",
halt: true
},
// ═══════════════════════════════════════════════════════════════════════════
// AUTHENTICATION (Authentication 3002)
// ═══════════════════════════════════════════════════════════════════════════
// user admin logged in from 10.1.101.212 via winbox
{
id: "login",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
activity_id: 1, activity_name: "Logon",
type_uid: 300201,
status_id: 1, status: "Success"
},
format: "user $user=word$ logged in from $src_ip=ipv4$ via $method=word$",
halt: true
},
// user admin logged out from 10.1.101.212 via telnet
{
id: "logout",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
activity_id: 2, activity_name: "Logoff",
type_uid: 300202,
status_id: 1, status: "Success"
},
format: "user $user=word$ logged out from $src_ip=ipv4$ via $method=word$",
halt: true
},
// login failure for user admin from 10.1.101.50 via ssh
// Using Detection Finding class for XDR visibility
{
id: "login_failure",
attributes: {
class_uid: 4002, class_name: "Detection Finding",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Create",
type_uid: 400201,
status_id: 2, status: "Failure",
severity_id: 3, severity: "Medium",
"finding_info.title": "MikroTik Login Failure",
"finding_info.types": ["Authentication"],
confidence_id: 3, confidence: "High"
},
format: "login failure for user $user=word$ from $src_ip=ipv4$ via $method=word$",
halt: true
},
// <ppp-user1> connected from 203.0.113.50
{
id: "ppp_connect",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
activity_id: 1, activity_name: "Logon",
type_uid: 300201,
status_id: 1, status: "Success",
auth_protocol: "PPP"
},
format: "<$user$> connected from $src_ip=ipv4$",
halt: true
},
// <ppp-user1> disconnected
{
id: "ppp_disconnect",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
activity_id: 2, activity_name: "Logoff",
type_uid: 300202,
auth_protocol: "PPP"
},
format: "<$user$> disconnected",
halt: true
},
// ═══════════════════════════════════════════════════════════════════════════
// CONFIGURATION (Entity Management 5004)
// ═══════════════════════════════════════════════════════════════════════════
// mangle rule added by admin
{
id: "config_added",
attributes: {
class_uid: 5004, class_name: "Entity Management",
category_uid: 5, category_name: "Discovery",
activity_id: 1, activity_name: "Create",
type_uid: 500401
},
format: "$object=rest$ added by $user=word$",
halt: true
},
// mangle rule changed by admin
{
id: "config_changed",
attributes: {
class_uid: 5004, class_name: "Entity Management",
category_uid: 5, category_name: "Discovery",
activity_id: 3, activity_name: "Update",
type_uid: 500403
},
format: "$object=rest$ changed by $user=word$",
halt: true
},
// mangle rule moved by admin
{
id: "config_moved",
attributes: {
class_uid: 5004, class_name: "Entity Management",
category_uid: 5, category_name: "Discovery",
activity_id: 3, activity_name: "Update",
type_uid: 500403
},
format: "$object=rest$ moved by $user=word$",
halt: true
},
// item removed by admin
{
id: "config_removed",
attributes: {
class_uid: 5004, class_name: "Entity Management",
category_uid: 5, category_name: "Discovery",
activity_id: 2, activity_name: "Delete",
type_uid: 500402
},
format: "$object=rest$ removed by $user=word$",
halt: true
},
// ═══════════════════════════════════════════════════════════════════════════
// SYSTEM (Operating System Patch State 6003)
// ═══════════════════════════════════════════════════════════════════════════
// router rebooted
{
id: "system_reboot",
attributes: {
class_uid: 6003, class_name: "Operating System Patch State",
category_uid: 6, category_name: "Application Activity",
activity_id: 0, activity_name: "Unknown",
type_uid: 600300,
severity_id: 2, severity: "Low"
},
format: "router rebooted",
halt: true
},
// system,error,critical kernel failure
{
id: "system_critical",
attributes: {
class_uid: 6003, class_name: "Operating System Patch State",
category_uid: 6, category_name: "Application Activity",
activity_id: 0, activity_name: "Unknown",
type_uid: 600300,
severity_id: 5, severity: "Critical"
},
format: "kernel $error_msg=rest$",
halt: true
},
// ═══════════════════════════════════════════════════════════════════════════
// WIRELESS (Network Activity 4001)
// ═══════════════════════════════════════════════════════════════════════════
// connected, 00:11:22:33:44:55@wlan1, signal-strength=-65
{
id: "wireless_connect",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Open",
type_uid: 400101
},
format: "connected, $client_mac=mac$@$iface=iface$, signal-strength=$signal=signal$",
halt: true
},
// disconnected, 00:11:22:33:44:55@wlan1
{
id: "wireless_disconnect",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 2, activity_name: "Close",
type_uid: 400102
},
format: "disconnected, $client_mac=mac$@$iface=iface$",
halt: true
},
// ═══════════════════════════════════════════════════════════════════════════
// DNS (DNS Activity 4003)
// ═══════════════════════════════════════════════════════════════════════════
// dns query from 192.168.1.10: example.com A
{
id: "dns_query",
attributes: {
class_uid: 4003, class_name: "DNS Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Query",
type_uid: 400301
},
format: "dns query from $src_ip=ipv4$: $query_hostname=rest$",
halt: true
},
// ═══════════════════════════════════════════════════════════════════════════
// ROUTING (Network Activity 4001)
// ═══════════════════════════════════════════════════════════════════════════
// ospf neighbor 10.0.0.1 state changed to Full
{
id: "ospf_neighbor",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 5, activity_name: "Update",
type_uid: 400105
},
format: "ospf neighbor $neighbor_ip=ipv4$ state changed to $neighbor_state=word$",
halt: true
},
// bgp peer 10.0.0.2 established
{
id: "bgp_established",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Open",
type_uid: 400101
},
format: "bgp peer $peer_ip=ipv4$ established",
halt: true
},
// ═══════════════════════════════════════════════════════════════════════════
// IPSEC/VPN (Tunnel Activity 4014)
// ═══════════════════════════════════════════════════════════════════════════
// ipsec,info phase1 negotiation succeeded for 203.0.113.1
{
id: "ipsec_phase1",
attributes: {
class_uid: 4014, class_name: "Tunnel Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Open",
type_uid: 401401
},
format: "phase1 negotiation $ipsec_result=word$ for $peer_ip=ipv4$",
halt: true
},
// ═══════════════════════════════════════════════════════════════════════════
// GENERIC FALLBACK
// ═══════════════════════════════════════════════════════════════════════════
{
id: "generic",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 0, activity_name: "Unknown",
type_uid: 400100
},
format: "$body=rest$"
}
],
mappings: {
version: 1,
mappings: [
{
transformations: [
{ rename: { from: "src_ip", to: "src_endpoint.ip" } },
{ rename: { from: "dst_ip", to: "dst_endpoint.ip" } },
{ rename: { from: "src_port", to: "src_endpoint.port" } },
{ rename: { from: "dst_port", to: "dst_endpoint.port" } },
{ rename: { from: "src_mac", to: "src_endpoint.mac" } },
{ rename: { from: "in_iface", to: "src_endpoint.interface_name" } },
{ rename: { from: "out_iface", to: "dst_endpoint.interface_name" } },
{ rename: { from: "protocol", to: "connection_info.protocol_name" } },
{ rename: { from: "pkt_len", to: "traffic.bytes" } },
{ rename: { from: "client_ip", to: "dst_endpoint.ip" } },
{ rename: { from: "client_mac", to: "dst_endpoint.mac" } },
{ rename: { from: "user", to: "actor.user.name" } },
{ rename: { from: "method", to: "auth_protocol" } },
{ rename: { from: "iface", to: "src_endpoint.interface_name" } },
{ rename: { from: "signal", to: "unmapped.wireless_signal" } },
{ rename: { from: "chain", to: "unmapped.firewall_chain" } },
{ rename: { from: "dhcp_server", to: "unmapped.dhcp_server" } },
{ rename: { from: "dhcp_server_ip", to: "unmapped.dhcp_server_ip" } },
{ rename: { from: "dhcp_client", to: "unmapped.dhcp_client" } },
{ rename: { from: "hostname", to: "dst_endpoint.hostname" } },
{ rename: { from: "object", to: "unmapped.config_object" } },
{ rename: { from: "conn_state", to: "connection_info.state" } },
{ rename: { from: "neighbor_ip", to: "dst_endpoint.ip" } },
{ rename: { from: "neighbor_state", to: "unmapped.ospf_state" } },
{ rename: { from: "peer_ip", to: "dst_endpoint.ip" } },
{ rename: { from: "query_hostname", to: "query.hostname" } },
{ rename: { from: "ipsec_result", to: "unmapped.ipsec_result" } },
{ rename: { from: "error_msg", to: "unmapped.error_message" } },
{ rename: { from: "body", to: "unmapped.raw_body" } }
]
}
]
}
}
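--- /dev/null
+++ b/[PATH-NOT-SHOWN-ON-PAGE]
@@ -0,0 +1,30 @@
+{
+  "columnNames": ["suspect_name", "known_target"],
+  "rows": [
+    ["expres", "express"],
+    ["loadash", "lodash"],
+    ["colorss", "colors"],
+    ["requesst", "request"],
+    ["eslint-config-airbnb-pro", "eslint-config-airbnb"],
+    ["event-stream-helper", "event-stream"],
+    ["ua-parser-utils", "ua-parser-js"],
+    ["lodash-utils", "lodash"],
+    ["lodaash", "lodash"],
+    ["expresss", "express"],
+    ["axios-lib", "axios"],
+    ["axioss", "axios"],
+    ["reactt", "react"],
+    ["react-utility", "react"],
+    ["vuetify-utils", "vuetify"],
+    ["commaander", "commander"],
+    ["yargs-plus", "yargs"],
+    ["chalkk", "chalk"],
+    ["chalk-cli", "chalk"],
+    ["nextt", "next"],
+    ["webpackk", "webpack"],
+    ["typescriptt", "typescript"],
+    ["debugg", "debug"],
+    ["moment-tz", "moment"],
+    ["uuid-gen", "uuid"]
+  ]
+}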
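Review bot: `chalk-cli` is, as far as I know, a legitimately published package from the chalk maintainers, so an exact-name lookup against this table will flag it as a typosquat; the same doubt applies to the other suffix-style rows (`-utils`, `-lib`, `-plus`, `-gen`), which are name-confusion guesses rather than misspellings like `loadash` or `expresss`. A third column recording why each row is listed (e.g. `"columnNames": ["suspect_name", "known_target", "evidence"]`) would let reviewers separate verified squats from heuristics, and the suffix rows should be checked against the registry before the table ships. Nothing in the file records when the list was last reviewed, which matters for data that goes stale as packages are removed or legitimately published.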
+197
@@ -0,0 +1,197 @@
// SentinelOne AI SIEM Parser: Check Point Security Gateway
// OCSF Schema Version: 1.1.0
// Maps Check Point pipe-delimited logs to OCSF classes
// Primary Classes: Network Activity (4001), Security Finding (2001), Detection Finding (2004)
{
"parserName": "CheckPoint-OCSF",
"version": "1.0.0",
"vendor": "Check Point",
"product": "Security Gateway",
"format": "kv",
"delimiter": "|",
"kvSeparator": "=",
"patterns": [
// Firewall Traffic logs
{
"pattern": "product=VPN-1 & FireWall-1",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
// Activity mapping
{"lookup": "action", "map": {
"Accept": 1, "Drop": 2, "Reject": 2, "Block": 2, "Log": 0, "Detect": 1
}, "to": "activity_id"},
{"lookup": "action", "map": {
"Accept": "Traffic Allowed", "Drop": "Traffic Denied", "Reject": "Traffic Rejected",
"Block": "Traffic Blocked", "Log": "Traffic Logged", "Detect": "Traffic Detected"
}, "to": "activity_name"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Check Point Firewall"},
{"set": "metadata.product.vendor_name", "value": "Check Point"},
{"copy": "loguid", "to": "metadata.uid"},
{"copy": "origin", "to": "device.ip"},
{"copy": "originsicname", "to": "device.name"},
{"copy": "sequencenum", "to": "metadata.sequence"},
// Time
{"copy": "time", "to": "time", "transform": "epochToISO"},
// Source endpoint
{"copy": "src", "to": "src_endpoint.ip"},
{"copy": "s_port", "to": "src_endpoint.port"},
{"copy": "ifname", "to": "src_endpoint.interface_name"},
// Destination endpoint
{"copy": "dst", "to": "dst_endpoint.ip"},
{"copy": "service", "to": "dst_endpoint.port"},
// Connection info
{"copy": "proto", "to": "connection_info.protocol_num"},
{"lookup": "proto", "map": {"6": "TCP", "17": "UDP", "1": "ICMP"}, "to": "connection_info.protocol_name"},
{"copy": "conn_direction", "to": "connection_info.direction"},
// NAT
{"copy": "xlatesrc", "to": "proxy.ip"},
{"copy": "xlatesport", "to": "proxy.port"},
{"copy": "xlatedst", "to": "dst_endpoint.intermediate_ips"},
// Policy
{"copy": "rule_uid", "to": "policy.uid"},
{"copy": "rule_name", "to": "policy.name"},
{"copy": "layer_name", "to": "policy.group.name"},
{"copy": "rule_action", "to": "policy.rule.action"},
// Status
{"lookup": "action", "map": {"Accept": 1, "Drop": 2, "Reject": 2, "Block": 2}, "to": "status_id"},
{"lookup": "action", "map": {"Accept": "Success", "Drop": "Failure", "Reject": "Failure", "Block": "Failure"}, "to": "status"}
]
},
// IPS/SmartDefense logs
{
"pattern": "product=SmartDefense",
"rewrites": [
{"set": "class_uid", "value": "2004"},
{"set": "class_name", "value": "Detection Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Check Point IPS"},
{"set": "metadata.product.vendor_name", "value": "Check Point"},
// Finding info
{"copy": "attack", "to": "finding_info.title"},
{"copy": "attack_info", "to": "finding_info.desc"},
{"copy": "protection_id", "to": "finding_info.uid"},
{"copy": "protection_name", "to": "finding_info.types"},
{"copy": "protection_type", "to": "finding_info.type_uid"},
// Severity
{"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1}, "to": "severity_id"},
{"copy": "severity", "to": "severity"},
// Confidence
{"lookup": "confidence_level", "map": {"High": 3, "Medium": 2, "Low": 1}, "to": "confidence_id"},
{"copy": "confidence_level", "to": "confidence"},
// Performance impact
{"copy": "performance_impact", "to": "impact_score"},
// Endpoints
{"copy": "src", "to": "src_endpoint.ip"},
{"copy": "s_port", "to": "src_endpoint.port"},
{"copy": "dst", "to": "dst_endpoint.ip"},
{"copy": "service", "to": "dst_endpoint.port"},
// Action
{"lookup": "action", "map": {"Drop": 2, "Detect": 1, "Prevent": 2, "Log": 0}, "to": "activity_id"}
]
},
// Management/Audit logs
{
"pattern": "product=SmartCenter Server",
"rewrites": [
{"set": "class_uid", "value": "6002"},
{"set": "class_name", "value": "API Activity"},
{"set": "category_uid", "value": "6"},
{"set": "category_name", "value": "Application Activity"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Check Point SmartCenter"},
{"set": "metadata.product.vendor_name", "value": "Check Point"},
// Actor
{"copy": "administrator", "to": "actor.user.name"},
{"copy": "client_name", "to": "actor.app_name"},
{"copy": "client_version", "to": "actor.app_version"},
{"copy": "src", "to": "actor.session.ip"},
// Operation
{"copy": "operation", "to": "activity_name"},
{"copy": "objectname", "to": "resources.name"},
{"copy": "objecttype", "to": "resources.type"},
{"copy": "fieldschanges", "to": "resources.data"}
]
},
// Application Control logs
{
"pattern": "product=Application Control",
"rewrites": [
{"set": "class_uid", "value": "4002"},
{"set": "class_name", "value": "HTTP Activity"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Check Point Application Control"},
{"set": "metadata.product.vendor_name", "value": "Check Point"},
// Application
{"copy": "app_name", "to": "app_name"},
{"copy": "app_id", "to": "app.uid"},
{"copy": "app_category", "to": "app.category"},
{"copy": "app_risk", "to": "app.risk_level"},
{"copy": "appi_name", "to": "app.feature.name"},
// User
{"copy": "user", "to": "actor.user.name"},
{"copy": "matched_category", "to": "http_request.url.categories"}
]
},
// Anti-Bot/Threat Prevention logs
{
"pattern": "product=Anti-Bot",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "finding_info.types", "value": ["Malware", "Command and Control"]},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Check Point Anti-Bot"},
{"set": "metadata.product.vendor_name", "value": "Check Point"},
// Malware info
{"copy": "malware_name", "to": "malware.name"},
{"copy": "malware_family", "to": "malware.classification.family"},
{"copy": "malware_action", "to": "activity_name"},
{"copy": "resource", "to": "malware.path"},
// Severity
{"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2}, "to": "severity_id"},
{"copy": "severity", "to": "severity"},
// Confidence
{"copy": "confidence_level", "to": "confidence"}
]
}
]
}
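Review bot: The firewall pattern's activity lookup maps Accept→1 and Drop/Reject/Block→2 under class_uid 4001, but if I recall the OCSF 1.1.0 schema correctly Network Activity activity 1 is Open and 2 is Close, and "Traffic Allowed"/"Traffic Denied" are not schema activity names; allow/deny belongs in `action_id` (1 Allowed, 2 Denied) and `action`, with `{"set": "activity_id", "value": "6"}` (Traffic), so the two lookups should target `"to": "action_id"` and `"to": "action"`. The Application Control and Anti-Bot patterns set class_uid without category_uid/category_name, unlike the first two, and no pattern in this file sets type_uid. Class and category ids are written as strings (`"value": "4001"`) while the lookups emit integers, and `protection_type` is copied into `finding_info.type_uid`; unless the engine coerces, sibling integer fields end up with mixed types — the parser in the preceding section uses bare integers for the same fields.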
+242
@@ -0,0 +1,242 @@
// SentinelOne AI SIEM Parser: Microsoft Entra ID (Azure AD)
// OCSF Schema Version: 1.1.0
// Maps Entra ID JSON audit/sign-in logs to OCSF classes
// Primary Classes: Authentication (3002), Account Change (3001), Group Membership (3004)
{
"parserName": "EntraID-OCSF",
"version": "1.0.0",
"vendor": "Microsoft",
"product": "Entra ID",
"format": "json",
"patterns": [
// Sign-in logs (successful)
{
"pattern": "\"category\":\\s*\"SignInLogs\".*\"resultType\":\\s*\"0\"",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "type_uid", "value": "300201"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Microsoft Entra ID"},
{"set": "metadata.product.vendor_name", "value": "Microsoft"},
{"jsonPath": "$.tenantId", "to": "metadata.tenant_uid"},
{"jsonPath": "$.correlationId", "to": "metadata.correlation_uid"},
{"jsonPath": "$.properties.id", "to": "metadata.uid"},
// Time
{"jsonPath": "$.time", "to": "time"},
// User
{"jsonPath": "$.properties.userDisplayName", "to": "user.full_name"},
{"jsonPath": "$.properties.userPrincipalName", "to": "user.email_addr"},
{"jsonPath": "$.properties.userId", "to": "user.uid"},
// Source endpoint
{"jsonPath": "$.callerIpAddress", "to": "src_endpoint.ip"},
{"jsonPath": "$.properties.ipAddress", "to": "src_endpoint.ip"},
{"jsonPath": "$.properties.deviceDetail.displayName", "to": "src_endpoint.name"},
{"jsonPath": "$.properties.deviceDetail.deviceId", "to": "src_endpoint.uid"},
{"jsonPath": "$.properties.deviceDetail.operatingSystem", "to": "src_endpoint.os.name"},
{"jsonPath": "$.properties.deviceDetail.browser", "to": "src_endpoint.browser"},
// Device compliance
{"jsonPath": "$.properties.deviceDetail.isCompliant", "to": "src_endpoint.is_compliant"},
{"jsonPath": "$.properties.deviceDetail.isManaged", "to": "src_endpoint.is_managed"},
{"jsonPath": "$.properties.deviceDetail.trustType", "to": "src_endpoint.trust_type"},
// Location
{"jsonPath": "$.properties.location.city", "to": "src_endpoint.location.city"},
{"jsonPath": "$.properties.location.state", "to": "src_endpoint.location.region"},
{"jsonPath": "$.properties.location.countryOrRegion", "to": "src_endpoint.location.country"},
{"jsonPath": "$.properties.location.geoCoordinates.latitude", "to": "src_endpoint.location.lat"},
{"jsonPath": "$.properties.location.geoCoordinates.longitude", "to": "src_endpoint.location.long"},
// Application
{"jsonPath": "$.properties.appDisplayName", "to": "app_name"},
{"jsonPath": "$.properties.appId", "to": "app.uid"},
{"jsonPath": "$.properties.clientAppUsed", "to": "auth_protocol"},
{"jsonPath": "$.properties.userAgent", "to": "http_request.user_agent"},
// MFA
{"jsonPath": "$.properties.mfaDetail.authMethod", "to": "mfa.method"},
{"jsonPath": "$.properties.mfaDetail.authDetail", "to": "mfa.detail"},
// Conditional Access
{"jsonPath": "$.properties.conditionalAccessStatus", "to": "policy.result"},
// Risk
{"jsonPath": "$.properties.riskDetail", "to": "risk_detail"},
{"jsonPath": "$.properties.riskLevelAggregated", "to": "risk_level"},
{"jsonPath": "$.properties.riskLevelDuringSignIn", "to": "risk_level_signin"},
{"jsonPath": "$.properties.riskState", "to": "risk_state"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Sign-in logs (failed)
{
"pattern": "\"category\":\\s*\"SignInLogs\".*\"resultType\":\\s*\"[^0]",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Microsoft Entra ID"},
{"set": "metadata.product.vendor_name", "value": "Microsoft"},
{"jsonPath": "$.time", "to": "time"},
{"jsonPath": "$.properties.userPrincipalName", "to": "user.email_addr"},
{"jsonPath": "$.callerIpAddress", "to": "src_endpoint.ip"},
{"jsonPath": "$.resultType", "to": "status_code"},
{"jsonPath": "$.resultDescription", "to": "status_detail"},
{"jsonPath": "$.properties.status.errorCode", "to": "error.code"},
{"jsonPath": "$.properties.status.failureReason", "to": "error.message"},
// Location
{"jsonPath": "$.properties.location.countryOrRegion", "to": "src_endpoint.location.country"},
// Risk
{"jsonPath": "$.properties.riskLevelAggregated", "to": "risk_level"},
// Severity based on risk
{"lookup": "risk_level", "map": {"high": 4, "medium": 3, "low": 2, "none": 1}, "to": "severity_id"},
{"lookup": "risk_level", "map": {"high": "High", "medium": "Medium", "low": "Low", "none": "Informational"}, "to": "severity"}
]
},
// Risky sign-ins
{
"pattern": "\"category\":\\s*\"RiskySignIns\"",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "finding_info.types", "value": ["Identity Risk"]},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Microsoft Entra ID Protection"},
{"set": "metadata.product.vendor_name", "value": "Microsoft"},
{"jsonPath": "$.time", "to": "time"},
{"jsonPath": "$.properties.userDisplayName", "to": "user.full_name"},
{"jsonPath": "$.properties.userPrincipalName", "to": "user.email_addr"},
{"jsonPath": "$.properties.userId", "to": "user.uid"},
{"jsonPath": "$.callerIpAddress", "to": "src_endpoint.ip"},
// Risk details
{"jsonPath": "$.properties.riskDetail", "to": "finding_info.title"},
{"jsonPath": "$.properties.riskEventTypes", "to": "finding_info.types"},
{"jsonPath": "$.properties.riskLevelAggregated", "to": "risk_level"},
{"jsonPath": "$.properties.riskState", "to": "risk_state"},
// Location
{"jsonPath": "$.properties.location.countryOrRegion", "to": "src_endpoint.location.country"},
// Severity
{"lookup": "risk_level", "map": {"high": 5, "medium": 4, "low": 3}, "to": "severity_id"},
{"lookup": "risk_level", "map": {"high": "Critical", "medium": "High", "low": "Medium"}, "to": "severity"}
]
},
// Audit logs - Group membership
{
"pattern": "\"category\":\\s*\"AuditLogs\".*\"activityDisplayName\":\\s*\"Add member to group\"",
"rewrites": [
{"set": "class_uid", "value": "3004"},
{"set": "class_name", "value": "Group Membership"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Add"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Microsoft Entra ID"},
{"set": "metadata.product.vendor_name", "value": "Microsoft"},
{"jsonPath": "$.time", "to": "time"},
// Actor
{"jsonPath": "$.properties.initiatedBy.user.displayName", "to": "actor.user.full_name"},
{"jsonPath": "$.properties.initiatedBy.user.userPrincipalName", "to": "actor.user.email_addr"},
{"jsonPath": "$.properties.initiatedBy.user.id", "to": "actor.user.uid"},
{"jsonPath": "$.properties.initiatedBy.user.ipAddress", "to": "src_endpoint.ip"},
// Group
{"jsonPath": "$.properties.targetResources[0].displayName", "to": "group.name"},
{"jsonPath": "$.properties.targetResources[0].id", "to": "group.uid"},
// User added
{"jsonPath": "$.properties.targetResources[1].displayName", "to": "user.full_name"},
{"jsonPath": "$.properties.targetResources[1].userPrincipalName", "to": "user.email_addr"},
{"jsonPath": "$.properties.targetResources[1].id", "to": "user.uid"},
// Status
{"jsonPath": "$.properties.result", "to": "status"},
{"lookup": "status", "map": {"success": 1, "failure": 2}, "to": "status_id"}
]
},
// Audit logs - Password reset
{
"pattern": "\"category\":\\s*\"AuditLogs\".*\"activityDisplayName\":\\s*\"Reset user password\"",
"rewrites": [
{"set": "class_uid", "value": "3001"},
{"set": "class_name", "value": "Account Change"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "3"},
{"set": "activity_name", "value": "Password Reset"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Microsoft Entra ID"},
{"set": "metadata.product.vendor_name", "value": "Microsoft"},
{"jsonPath": "$.time", "to": "time"},
// Actor
{"jsonPath": "$.properties.initiatedBy.user.displayName", "to": "actor.user.full_name"},
{"jsonPath": "$.properties.initiatedBy.user.userPrincipalName", "to": "actor.user.email_addr"},
{"jsonPath": "$.properties.initiatedBy.user.ipAddress", "to": "src_endpoint.ip"},
// Target user
{"jsonPath": "$.properties.targetResources[0].displayName", "to": "user.full_name"},
{"jsonPath": "$.properties.targetResources[0].userPrincipalName", "to": "user.email_addr"},
{"jsonPath": "$.properties.targetResources[0].id", "to": "user.uid"},
// Status
{"jsonPath": "$.properties.result", "to": "status"},
{"lookup": "status", "map": {"success": 1, "failure": 2}, "to": "status_id"},
// Severity for password changes
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
}
],
"error_code_mappings": {
"50126": "Invalid username or password",
"50053": "Account locked",
"50057": "Account disabled",
"50055": "Password expired",
"50076": "MFA required",
"50074": "Strong authentication required",
"53003": "Blocked by Conditional Access"
}
}
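Review bot: `src_endpoint.ip` is assigned twice in the successful sign-in pattern — from `$.callerIpAddress` and then `$.properties.ipAddress` — so whichever the engine applies last wins silently; keep one, e.g. drop the second or send it to `"to": "unmapped.ip_address"`. The selector regexes (`"category":\s*"SignInLogs".*"resultType":\s*"0"` and the AuditLogs ones) assume `category` precedes `resultType`/`activityDisplayName` in the raw text, which JSON key order does not guarantee; matching on parsed fields, or two independent checks, would be more robust. The failed sign-in pattern omits the category_uid/category_name/type_uid that the success pattern sets, so the failure half of the auth feed is the harder one to query. If I recall the OCSF 1.1.0 class list correctly, 3004 is Entity Management and group add/remove is Group Management (3006), so the "Group Membership" pattern's class_uid/class_name should be confirmed against the schema.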
+312
@@ -0,0 +1,312 @@
// SentinelOne AI SIEM Parser: F5 Networks BIG-IP APM
// OCSF Schema Version: 1.1.0
// Maps F5 BIG-IP APM access policy logs to OCSF classes
// Primary Classes: Authentication (3002), Session Activity (3005)
{
"parserName": "F5APM-OCSF",
"version": "1.0.0",
"vendor": "F5 Networks",
"product": "BIG-IP APM",
"format": "syslog",
"patterns": [
// Session created
{
"pattern": "apmd\\[\\d+\\]:\\s+(\\d+):(\\d+):\\s+(/\\S+):Common:(\\S+):\\s+(?:New\\s+)?[Ss]ession\\s+created",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "type_uid", "value": "300201"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "metadata.log_level"},
{"group": 2, "to": "metadata.facility"},
// Policy and session
{"group": 3, "to": "policy.name"},
{"group": 4, "to": "session.uid"},
// Extract client IP
{"regex": "Client IP:\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
// Extract user agent
{"regex": "User Agent:\\s+(.+?)(?:\\s+$|\\s+\\w+:)", "group": 1, "to": "http_request.user_agent"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Session variable set (username)
{
"pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Session variable\\s+'session\\.logon\\.last\\.username'\\s+set to\\s+'([^']+)'",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "0"},
{"set": "activity_name", "value": "Session Update"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
{"group": 2, "to": "session.uid"},
{"group": 3, "to": "user.name"}
]
},
// AD Authentication
{
"pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+AD Auth query\\s+-\\s+User:\\s+(\\S+)\\s+Domain:\\s+(\\S+)\\s+Server:\\s+(\\S+)\\s+Result:\\s+(\\w+)",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
{"group": 2, "to": "session.uid"},
{"group": 3, "to": "user.name"},
{"group": 4, "to": "user.domain"},
{"group": 5, "to": "auth_server"},
{"group": 6, "to": "auth_result"},
{"set": "auth_protocol", "value": "Active Directory"},
// Status
{"lookup": "auth_result", "map": {"Success": 1, "Failure": 2, "Failed": 2}, "to": "status_id"},
{"lookup": "auth_result", "map": {"Success": "Success", "Failure": "Failure", "Failed": "Failure"}, "to": "status"}
]
},
// AD Group query
{
"pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+AD Group query\\s+-\\s+User:\\s+(\\S+)\\s+Groups:\\s+(.+?)$",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "0"},
{"set": "activity_name", "value": "Group Query"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
{"group": 2, "to": "session.uid"},
{"group": 3, "to": "user.name"},
{"group": 4, "to": "user.groups", "transform": "splitComma"}
]
},
// MFA Challenge
{
"pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+MFA\\s+(Challenge sent|Response received)\\s+-\\s+(?:Method:\\s+(\\S+))?\\s*(?:Server:\\s+(\\S+))?\\s*(?:Result:\\s+(\\w+))?",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "99"},
{"set": "activity_name", "value": "MFA"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
{"group": 2, "to": "session.uid"},
{"group": 3, "to": "mfa.status"},
{"group": 4, "to": "mfa.method"},
{"group": 5, "to": "mfa.server"},
{"group": 6, "to": "mfa.result"},
// Status
{"lookup": "mfa.result", "map": {"Success": 1, "Failure": 2}, "to": "status_id"},
{"lookup": "mfa.result", "map": {"Success": "Success", "Failure": "Failure"}, "to": "status"}
]
},
// Access policy result
{
"pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Access policy result:\\s+(\\w+)(?:\\s+-\\s+(.+))?",
"rewrites": [
{"set": "class_uid", "value": "3003"},
{"set": "class_name", "value": "Authorization"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
{"group": 2, "to": "session.uid"},
{"group": 3, "to": "policy.result"},
{"group": 4, "to": "policy.detail"},
// Activity
{"lookup": "policy.result", "map": {"Allow": 1, "Deny": 2}, "to": "activity_id"},
{"lookup": "policy.result", "map": {"Allow": "Grant", "Deny": "Deny"}, "to": "activity_name"},
// Status
{"lookup": "policy.result", "map": {"Allow": 1, "Deny": 2}, "to": "status_id"},
{"lookup": "policy.result", "map": {"Allow": "Success", "Deny": "Failure"}, "to": "status"},
// Extract assigned resources
{"regex": "Assigned resources:\\s+(.+?)$", "group": 1, "to": "resources.names"}
]
},
// Network Access tunnel
{
"pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Network Access tunnel established\\s+-\\s+Assigned IP:\\s+([\\d.]+)\\s+Lease Pool:\\s+(\\S+)",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "VPN Connect"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
{"group": 2, "to": "session.uid"},
{"group": 3, "to": "src_endpoint.ip"},
{"group": 4, "to": "connection_info.pool"},
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Session authentication failed
{
"pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Session authentication failed\\s+-\\s+User:\\s+(\\S+)\\s+Client IP:\\s+([\\d.]+)\\s+Reason:\\s+(.+?)$",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
{"group": 2, "to": "session.uid"},
{"group": 3, "to": "user.name"},
{"group": 4, "to": "src_endpoint.ip"},
{"group": 5, "to": "status_detail"},
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
},
// Session terminated
{
"pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Session terminated\\s+-\\s+User:\\s+(\\S+)\\s+Reason:\\s+(\\S+)\\s+Duration:\\s+(\\d+)\\s+seconds\\s+Bytes In:\\s+(\\d+)\\s+Bytes Out:\\s+(\\d+)",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Logoff"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
{"group": 2, "to": "session.uid"},
{"group": 3, "to": "user.name"},
{"group": 4, "to": "logoff_type"},
{"group": 5, "to": "session.duration"},
{"group": 6, "to": "traffic.bytes_in"},
{"group": 7, "to": "traffic.bytes_out"},
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Anomaly detected
{
"pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Anomaly detected\\s+-\\s+User:\\s+(\\S+)\\s+Client IP:\\s+([\\d.]+)\\s+Risk:\\s+(.+?)$",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "finding_info.types", "value": ["User Behavior Anomaly"]},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
{"group": 2, "to": "session.uid"},
{"group": 3, "to": "user.name"},
{"group": 4, "to": "src_endpoint.ip"},
{"group": 5, "to": "finding_info.title"},
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"}
]
},
// Endpoint inspection
{
"pattern": "apmd\\[\\d+\\]:\\s+\\d+:\\d+:\\s+(/\\S+):Common:(\\S+):\\s+Endpoint inspection\\s+-\\s+OS:\\s+(\\S+)\\s+Antivirus:\\s+([^)]+\\))\\s+Firewall:\\s+(\\w+)\\s+Compliant:\\s+(\\w+)",
"rewrites": [
{"set": "class_uid", "value": "5002"},
{"set": "class_name", "value": "Compliance"},
{"set": "category_uid", "value": "5"},
{"set": "category_name", "value": "Discovery"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Endpoint Check"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
{"group": 2, "to": "session.uid"},
{"group": 3, "to": "device.os.name"},
{"group": 4, "to": "device.antivirus"},
{"group": 5, "to": "device.firewall_status"},
{"group": 6, "to": "compliance.status"},
// Status
{"lookup": "compliance.status", "map": {"Yes": 1, "No": 2}, "to": "status_id"},
{"lookup": "compliance.status", "map": {"Yes": "Compliant", "No": "Non-Compliant"}, "to": "status"}
]
}
],
"transforms": {
"splitComma": {
"delimiter": ", ",
"type": "array"
}
}
}
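Review bot: `type_uid` is set only in the session-created pattern (300201); the other Authentication patterns — logoff (activity 2), failed logon, MFA, AD auth — leave it unset, so anything keyed on type_uid sees only the first event type. Derive it per pattern as class_uid*100+activity_id, e.g. `{"set": "type_uid", "value": "300202"}` next to the Logoff activity. Two class labels look off against OCSF 1.1.0: class_uid 3003 is Authorize Session (not "Authorization"), and 5002 is Device Config State rather than "Compliance" — compliance results belong in Compliance Finding (2003); worth checking against the schema before these ship. In the session-created pattern the `(\d+):(\d+)` groups go to metadata.log_level and metadata.facility; if the prefix follows F5's usual `<message-id>:<level>:` layout, the first group is the message id and the second the level, so those two targets appear swapped.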
+223
@@ -0,0 +1,223 @@
// SentinelOne AI SIEM Parser: AMS - F5 Network Big IP
// OCSF Schema Version: 1.1.0
// Maps F5 BIG-IP LTM/ASM/APM logs to OCSF classes
// Primary Classes: HTTP Activity (4002), Security Finding (2001), Network Activity (4001)
{
"parserName": "F5BigIP-OCSF",
"version": "1.0.0",
"vendor": "F5 Networks",
"product": "BIG-IP",
"format": "syslog",
"patterns": [
// iRule HTTP Request logs
{
"pattern": "Rule\\s+(/\\S+)\\s+<HTTP_REQUEST>:",
"rewrites": [
{"set": "class_uid", "value": "4002"},
{"set": "class_name", "value": "HTTP Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Request"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP LTM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
// Client
{"regex": "Client\\s+([\\d.]+):(\\d+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "Client\\s+([\\d.]+):(\\d+)", "group": 2, "to": "src_endpoint.port"},
// VIP
{"regex": "VIP\\s+([\\d.]+):(\\d+)", "group": 1, "to": "dst_endpoint.ip"},
{"regex": "VIP\\s+([\\d.]+):(\\d+)", "group": 2, "to": "dst_endpoint.port"},
// Pool/Member
{"regex": "Pool\\s+(\\S+)", "group": 1, "to": "dst_endpoint.svc_name"},
{"regex": "Member\\s+([\\d.]+):(\\d+)", "group": 1, "to": "dst_endpoint.intermediate_ips"},
// HTTP details
{"regex": "URI\\s+(\\S+)", "group": 1, "to": "http_request.url.path"},
{"regex": "Method\\s+(\\w+)", "group": 1, "to": "http_request.http_method"},
{"regex": "Host\\s+(\\S+)", "group": 1, "to": "http_request.url.hostname"},
{"regex": "User-Agent\\s+(.+?)(?:\\s+\\w+=|$)", "group": 1, "to": "http_request.user_agent"}
]
},
// iRule Security blocks
{
"pattern": "Rule\\s+(/\\S+)\\s+<HTTP_REQUEST>:\\s+BLOCKED",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Block"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP iRule"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
// Extract attack info
{"regex": "BLOCKED\\s+-\\s+(.+?)\\s+Client", "group": 1, "to": "finding_info.title"},
{"regex": "Client\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "URI\\s+(\\S+)", "group": 1, "to": "finding_info.src_url"},
{"regex": "Pattern matched:\\s+(.+?)$", "group": 1, "to": "finding_info.desc"},
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"}
]
},
// SSL Handshake failures
{
"pattern": "SSL Handshake failed",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "activity_id", "value": "6"},
{"set": "activity_name", "value": "Fail"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP SSL"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 2, "to": "src_endpoint.port"},
{"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 3, "to": "dst_endpoint.ip"},
{"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 4, "to": "dst_endpoint.port"},
{"regex": "-\\s+(.+)$", "group": 1, "to": "status_detail"},
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
},
// APM Session events
{
"pattern": "apmd\\[\\d+\\]:",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
// Session
{"regex": ":Common:(\\w+):", "group": 1, "to": "session.uid"},
// User
{"regex": "User:\\s+(\\S+)", "group": 1, "to": "user.name"},
// Client IP
{"regex": "Client IP:\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
// Activity based on message
{"set": "activity_id", "value": "1", "if": "Session created|session created"},
{"set": "activity_name", "value": "Logon", "if": "Session created|session created"},
{"set": "activity_id", "value": "2", "if": "Session terminated|terminated"},
{"set": "activity_name", "value": "Logoff", "if": "Session terminated|terminated"},
// Status
{"set": "status_id", "value": "1", "if": "Allow|Success|success"},
{"set": "status", "value": "Success", "if": "Allow|Success|success"},
{"set": "status_id", "value": "2", "if": "Deny|failed|failure"},
{"set": "status", "value": "Failure", "if": "Deny|failed|failure"}
]
},
// ASM (WAF) logs
{
"pattern": "ASM:",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP ASM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
// Parse ASM fields
{"regex": "unit_hostname=\"([^\"]+)\"", "group": 1, "to": "device.hostname"},
{"regex": "management_ip_address=\"([^\"]+)\"", "group": 1, "to": "device.ip"},
{"regex": "policy_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"},
{"regex": "violations=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"},
{"regex": "request_status=\"([^\"]+)\"", "group": 1, "to": "activity_name"},
{"regex": "response_code=\"([^\"]+)\"", "group": 1, "to": "http_response.code"},
{"regex": "ip_client=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.ip"},
{"regex": "method=\"([^\"]+)\"", "group": 1, "to": "http_request.http_method"},
{"regex": "protocol=\"([^\"]+)\"", "group": 1, "to": "connection_info.protocol_name"},
{"regex": "uri=\"([^\"]+)\"", "group": 1, "to": "http_request.url.path"},
{"regex": "sig_ids=\"([^\"]+)\"", "group": 1, "to": "finding_info.uid"},
{"regex": "sig_names=\"([^\"]+)\"", "group": 1, "to": "finding_info.desc"},
{"regex": "severity=\"([^\"]+)\"", "group": 1, "to": "severity"},
{"regex": "attack_type=\"([^\"]+)\"", "group": 1, "to": "finding_info.types"},
// Severity mapping
{"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Informational": 1}, "to": "severity_id"},
// Activity
{"lookup": "activity_name", "map": {"blocked": 2, "passed": 1, "alarmed": 1}, "to": "activity_id"}
]
},
// Pool member status
{
"pattern": "Pool\\s+(/\\S+)\\s+member\\s+([\\d.]+):(\\d+)\\s+monitor status\\s+(\\w+)",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "activity_id", "value": "99"},
{"set": "activity_name", "value": "Health Check"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP LTM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "dst_endpoint.svc_name"},
{"group": 2, "to": "dst_endpoint.ip"},
{"group": 3, "to": "dst_endpoint.port"},
{"group": 4, "to": "status"},
{"lookup": "status", "map": {"up": 1, "down": 2}, "to": "status_id"}
]
},
// Audit logs
{
"pattern": "AUDIT\\s+-\\s+user\\s+(\\S+)",
"rewrites": [
{"set": "class_uid", "value": "6002"},
{"set": "class_name", "value": "API Activity"},
{"set": "category_uid", "value": "6"},
{"set": "category_name", "value": "Application Activity"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "actor.user.name"},
{"regex": "from host\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "modified object\\s+(\\S+)", "group": 1, "to": "resources.name"},
{"regex": "state from\\s+(\\w+)\\s+to\\s+(\\w+)", "group": 1, "to": "prev_state"},
{"regex": "state from\\s+(\\w+)\\s+to\\s+(\\w+)", "group": 2, "to": "state"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Update"}
]
}
]
}
+169
@@ -0,0 +1,169 @@
// SentinelOne AI SIEM Parser: Fortinet FortiGate Security Gateway
// OCSF Schema Version: 1.1.0
// Maps FortiGate key=value logs to OCSF classes
// Primary Classes: Network Activity (4001), Security Finding (2001), Detection Finding (2004)
{
"parserName": "FortiGate-OCSF",
"version": "1.0.0",
"vendor": "Fortinet",
"product": "FortiGate",
"format": "kv",
"delimiter": " ",
"kvSeparator": "=",
"patterns": [
// Traffic logs
{
"pattern": "type=\"traffic\"",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
// Activity mapping
{"lookup": "action", "map": {"accept": 1, "deny": 2, "drop": 5, "close": 4}, "to": "activity_id"},
{"lookup": "action", "map": {"accept": "Traffic Allowed", "deny": "Traffic Denied", "drop": "Traffic Dropped", "close": "Connection Closed"}, "to": "activity_name"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "FortiGate"},
{"set": "metadata.product.vendor_name", "value": "Fortinet"},
{"copy": "devname", "to": "metadata.product.feature.uid"},
{"copy": "devid", "to": "device.uid"},
{"copy": "logid", "to": "metadata.log_name"},
// Time
{"parseTimestamp": "date time", "format": "yyyy-MM-dd HH:mm:ss", "to": "time"},
{"copy": "eventtime", "to": "time", "transform": "epochToISO"},
// Source endpoint
{"copy": "srcip", "to": "src_endpoint.ip"},
{"copy": "srcport", "to": "src_endpoint.port"},
{"copy": "srcintf", "to": "src_endpoint.interface_name"},
{"copy": "srccountry", "to": "src_endpoint.location.country"},
// Destination endpoint
{"copy": "dstip", "to": "dst_endpoint.ip"},
{"copy": "dstport", "to": "dst_endpoint.port"},
{"copy": "dstintf", "to": "dst_endpoint.interface_name"},
{"copy": "dstcountry", "to": "dst_endpoint.location.country"},
// Connection info
{"copy": "proto", "to": "connection_info.protocol_num"},
{"lookup": "proto", "map": {"6": "TCP", "17": "UDP", "1": "ICMP"}, "to": "connection_info.protocol_name"},
{"copy": "sessionid", "to": "connection_info.session.uid"},
{"copy": "duration", "to": "connection_info.session.duration"},
// Traffic stats
{"copy": "sentbyte", "to": "traffic.bytes_out"},
{"copy": "rcvdbyte", "to": "traffic.bytes_in"},
{"copy": "sentpkt", "to": "traffic.packets_out"},
{"copy": "rcvdpkt", "to": "traffic.packets_in"},
// Policy
{"copy": "policyid", "to": "policy.uid"},
{"copy": "policyname", "to": "policy.name"},
// Application
{"copy": "app", "to": "app_name"},
{"copy": "appcat", "to": "app.category"},
{"copy": "apprisk", "to": "app.risk_level"},
// NAT
{"copy": "transip", "to": "proxy.ip"},
{"copy": "transport", "to": "proxy.port"},
// Status
{"set": "status_id", "value": "1"},
{"lookup": "action", "map": {"accept": "Success", "deny": "Failure", "drop": "Failure"}, "to": "status"}
]
},
// IPS/UTM logs
{
"pattern": "type=\"utm\" subtype=\"ips\"",
"rewrites": [
{"set": "class_uid", "value": "2004"},
{"set": "class_name", "value": "Detection Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "FortiGate IPS"},
{"set": "metadata.product.vendor_name", "value": "Fortinet"},
// Finding info
{"copy": "attack", "to": "finding_info.title"},
{"copy": "attackid", "to": "finding_info.uid"},
{"copy": "ref", "to": "finding_info.src_url"},
{"copy": "msg", "to": "finding_info.desc"},
// Severity
{"lookup": "severity", "map": {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}, "to": "severity_id"},
{"copy": "severity", "to": "severity"},
// Endpoints
{"copy": "srcip", "to": "src_endpoint.ip"},
{"copy": "srcport", "to": "src_endpoint.port"},
{"copy": "dstip", "to": "dst_endpoint.ip"},
{"copy": "dstport", "to": "dst_endpoint.port"},
// Action
{"lookup": "action", "map": {"dropped": 2, "blocked": 2, "detected": 1, "pass": 0}, "to": "activity_id"}
]
},
// Virus/Malware logs
{
"pattern": "type=\"utm\" subtype=\"virus\"",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "finding_info.types", "value": ["Malware"]},
{"copy": "virusname", "to": "malware.name"},
{"copy": "filename", "to": "file.name"},
{"copy": "analyticscksum", "to": "file.hashes.sha256"},
{"copy": "dtype", "to": "file.type_id"},
{"lookup": "action", "map": {"blocked": 2, "detected": 1, "quarantined": 3}, "to": "activity_id"}
]
},
// Web filter logs
{
"pattern": "type=\"utm\" subtype=\"webfilter\"",
"rewrites": [
{"set": "class_uid", "value": "4002"},
{"set": "class_name", "value": "HTTP Activity"},
{"copy": "hostname", "to": "http_request.url.hostname"},
{"copy": "url", "to": "http_request.url.path"},
{"copy": "method", "to": "http_request.http_method"},
{"copy": "cat", "to": "http_request.url.category_ids"},
{"copy": "catdesc", "to": "http_request.url.categories"},
{"lookup": "action", "map": {"blocked": 2, "passthrough": 1, "warning": 3}, "to": "activity_id"}
]
},
// System/Auth logs
{
"pattern": "type=\"event\" subtype=\"system\"",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"copy": "user", "to": "actor.user.name"},
{"copy": "ui", "to": "src_endpoint.name"},
{"copy": "action", "to": "activity_name"},
{"lookup": "status", "map": {"success": 1, "failed": 2}, "to": "status_id"},
{"copy": "reason", "to": "status_detail"},
{"copy": "msg", "to": "message"}
]
}
]
}
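Review bot: In the traffic pattern, `{"set": "status_id", "value": "1"}` pins every flow to Success while the lookup on the next line labels deny/drop as "Failure", so a denied connection is emitted with status_id=1 and status="Failure"; derive both from the same action map, e.g. `{"lookup": "action", "map": {"accept": 1, "deny": 2, "drop": 2}, "to": "status_id"}`. The activity_id map for `action` ("deny": 2, "drop": 5, "close": 4) does not appear to follow the OCSF 1.1 network_activity enumeration the header claims (where 2 is Close, 4 Fail, 5 Refuse, 6 Traffic), so detections keyed on activity_id would misread denied traffic — worth checking against the schema. The `type="event" subtype="system"` pattern classifies every system event as Authentication (3002), although FortiGate system-subtype events also cover configuration changes and daemon/HA state, so gate it on the login action (e.g. `"pattern": "type=\"event\" subtype=\"system\".*action=\"login\""`) or route non-login events to another class. Only the traffic and IPS patterns set metadata.version/product.name, so virus, webfilter and system events leave the product fields unset.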
+308
@@ -0,0 +1,308 @@
// SentinelOne AI SIEM Parser: SAP HANA Database
// OCSF Schema Version: 1.1.0
// Maps SAP HANA audit JSON logs to OCSF classes
// Primary Classes: Database Activity (4003), Authentication (3002), Authorization (3003)
{
"parserName": "HANADatabase-OCSF",
"version": "1.0.0",
"vendor": "SAP",
"product": "HANA Database",
"format": "json",
"patterns": [
// Connection events (CONNECT/DISCONNECT)
{
"pattern": "\"audit_action\":\\s*\"CONNECT\"",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "type_uid", "value": "300201"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "SAP HANA"},
{"set": "metadata.product.vendor_name", "value": "SAP"},
{"jsonPath": "$.host", "to": "device.hostname"},
{"jsonPath": "$.component", "to": "metadata.product.feature.name"},
{"jsonPath": "$.source_file", "to": "metadata.log_name"},
{"jsonPath": "$.source_line", "to": "metadata.log_line"},
{"jsonPath": "$.thread_id", "to": "metadata.uid"},
// Time
{"jsonPath": "$.timestamp", "to": "time"},
// User
{"jsonPath": "$.user_name", "to": "user.name"},
{"jsonPath": "$.application_user", "to": "actor.user.name"},
{"jsonPath": "$.application_name", "to": "app_name"},
// Session
{"jsonPath": "$.connection_id", "to": "session.uid"},
// Source endpoint
{"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
{"jsonPath": "$.client_port", "to": "src_endpoint.port"},
// Audit policy
{"jsonPath": "$.audit_policy_name", "to": "policy.name"},
{"jsonPath": "$.audit_level", "to": "severity"},
// Comment
{"jsonPath": "$.comment", "to": "message"},
// Status - check for error
{"set": "status_id", "value": "1", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
{"set": "status", "value": "Success", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"}
]
},
// Failed connection
{
"pattern": "\"audit_action\":\\s*\"CONNECT\".*\"error_code\":\\s*[1-9]",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "SAP HANA"},
{"set": "metadata.product.vendor_name", "value": "SAP"},
{"jsonPath": "$.timestamp", "to": "time"},
{"jsonPath": "$.user_name", "to": "user.name"},
{"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
{"jsonPath": "$.error_code", "to": "status_code"},
{"jsonPath": "$.error_message", "to": "status_detail"},
// Severity
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
},
// Disconnect
{
"pattern": "\"audit_action\":\\s*\"DISCONNECT\"",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Logoff"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "SAP HANA"},
{"set": "metadata.product.vendor_name", "value": "SAP"},
{"jsonPath": "$.timestamp", "to": "time"},
{"jsonPath": "$.user_name", "to": "user.name"},
{"jsonPath": "$.connection_id", "to": "session.uid"},
{"jsonPath": "$.session_duration_seconds", "to": "session.duration"},
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// SELECT queries
{
"pattern": "\"audit_action\":\\s*\"SELECT\"",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "Database Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Query"},
{"set": "type_uid", "value": "400301"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "SAP HANA"},
{"set": "metadata.product.vendor_name", "value": "SAP"},
{"jsonPath": "$.timestamp", "to": "time"},
{"jsonPath": "$.user_name", "to": "actor.user.name"},
{"jsonPath": "$.connection_id", "to": "actor.session.uid"},
{"jsonPath": "$.transaction_id", "to": "transaction.uid"},
{"jsonPath": "$.statement_id", "to": "query_info.uid"},
// Query details
{"jsonPath": "$.statement", "to": "query_info.query_string"},
{"jsonPath": "$.executed_statement", "to": "query_info.executed_query"},
{"set": "query_info.query_type", "value": "SELECT"},
// Performance
{"jsonPath": "$.rows_affected", "to": "query_info.rows_affected"},
{"jsonPath": "$.execution_time_ms", "to": "query_info.duration"},
// Source
{"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
{"jsonPath": "$.application_name", "to": "app_name"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Data modification (INSERT/UPDATE/DELETE)
{
"pattern": "\"audit_action\":\\s*\"(INSERT|UPDATE|DELETE)\"",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "Database Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"jsonPath": "$.audit_action", "to": "activity_name"},
{"lookup": "activity_name", "map": {"INSERT": 2, "UPDATE": 3, "DELETE": 4}, "to": "activity_id"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "SAP HANA"},
{"set": "metadata.product.vendor_name", "value": "SAP"},
{"jsonPath": "$.timestamp", "to": "time"},
{"jsonPath": "$.user_name", "to": "actor.user.name"},
{"jsonPath": "$.connection_id", "to": "actor.session.uid"},
{"jsonPath": "$.transaction_id", "to": "transaction.uid"},
// Query
{"jsonPath": "$.statement", "to": "query_info.query_string"},
{"jsonPath": "$.executed_statement", "to": "query_info.executed_query"},
{"jsonPath": "$.rows_affected", "to": "query_info.rows_affected"},
{"jsonPath": "$.execution_time_ms", "to": "query_info.duration"},
// Source
{"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
// Severity for data modification
{"set": "severity_id", "value": "2"},
{"set": "severity", "value": "Low"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// GRANT/REVOKE (privilege changes)
{
"pattern": "\"audit_action\":\\s*\"GRANT\"",
"rewrites": [
{"set": "class_uid", "value": "3003"},
{"set": "class_name", "value": "Authorization"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Grant"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "SAP HANA"},
{"set": "metadata.product.vendor_name", "value": "SAP"},
{"jsonPath": "$.timestamp", "to": "time"},
{"jsonPath": "$.user_name", "to": "actor.user.name"},
{"jsonPath": "$.connection_id", "to": "actor.session.uid"},
// Privilege details
{"jsonPath": "$.statement", "to": "message"},
{"jsonPath": "$.executed_statement", "to": "privileges"},
// Source
{"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
// Severity for privilege grants
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Backup operations
{
"pattern": "\"audit_action\":\\s*\"BACKUP DATA\"",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "Database Activity"},
{"set": "activity_id", "value": "5"},
{"set": "activity_name", "value": "Backup"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "SAP HANA"},
{"set": "metadata.product.vendor_name", "value": "SAP"},
{"jsonPath": "$.timestamp", "to": "time"},
{"jsonPath": "$.user_name", "to": "actor.user.name"},
{"jsonPath": "$.application_user", "to": "actor.user.account.name"},
{"jsonPath": "$.application_name", "to": "app_name"},
// Backup details
{"jsonPath": "$.statement", "to": "message"},
{"jsonPath": "$.backup_id", "to": "backup.uid"},
{"jsonPath": "$.backup_size_mb", "to": "backup.size"},
// Source
{"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Critical audit level events
{
"pattern": "\"audit_level\":\\s*\"CRITICAL\"",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "finding_info.types", "value": ["Database Security Event"]},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "SAP HANA"},
{"set": "metadata.product.vendor_name", "value": "SAP"},
{"jsonPath": "$.timestamp", "to": "time"},
{"jsonPath": "$.user_name", "to": "actor.user.name"},
{"jsonPath": "$.audit_action", "to": "finding_info.title"},
{"jsonPath": "$.comment", "to": "finding_info.desc"},
{"jsonPath": "$.statement", "to": "finding_info.data_sources"},
// Source
{"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
// Severity
{"set": "severity_id", "value": "5"},
{"set": "severity", "value": "Critical"}
]
}
],
"audit_action_mappings": {
"CONNECT": {"class": "Authentication", "activity": "Logon"},
"DISCONNECT": {"class": "Authentication", "activity": "Logoff"},
"SELECT": {"class": "Database Activity", "activity": "Query"},
"INSERT": {"class": "Database Activity", "activity": "Insert"},
"UPDATE": {"class": "Database Activity", "activity": "Update"},
"DELETE": {"class": "Database Activity", "activity": "Delete"},
"CREATE": {"class": "Database Activity", "activity": "Create"},
"DROP": {"class": "Database Activity", "activity": "Delete"},
"ALTER": {"class": "Database Activity", "activity": "Update"},
"GRANT": {"class": "Authorization", "activity": "Grant"},
"REVOKE": {"class": "Authorization", "activity": "Revoke"},
"BACKUP DATA": {"class": "Database Activity", "activity": "Backup"},
"RESTORE": {"class": "Database Activity", "activity": "Restore"}
}
}
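Review bot: The Database Activity patterns set `class_uid` 4003 and `type_uid` 400301 (first at the SELECT pattern), but the ISC BIND parser in this same commit assigns 4003/400301 to DNS Activity under the same "OCSF Schema Version: 1.1.0" header, so one of the two is wrong and a consumer keyed on class_uid will mix SQL queries with DNS queries; as far as I can tell 4003 is DNS Activity in OCSF 1.1, so this parser needs a different or extension class id. The generic CONNECT pattern also overlaps the dedicated failed-connection pattern that follows it (`"audit_action":\s*"CONNECT".*"error_code":\s*[1-9]`), and the CRITICAL audit_level pattern overlaps every other one, so depending on whether the engine takes first or last match, failed logons never get status_id=2 or critical GRANTs lose their Authorization class — order the most specific patterns first or add an error_code condition to the generic CONNECT match. The CONNECT pattern copies `audit_level` to `severity` but, unlike the other patterns, carries no severity_id lookup, so successful logons have severity without severity_id.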
+259
@@ -0,0 +1,259 @@
// SentinelOne AI SIEM Parser: ISC BIND DNS Server
// OCSF Schema Version: 1.1.0
// Maps ISC BIND query/security logs to OCSF classes
// Primary Class: DNS Activity (4003)
{
"parserName": "ISCBIND-OCSF",
"version": "1.0.0",
"vendor": "ISC",
"product": "BIND",
"format": "syslog",
"patterns": [
// Query logs
{
"pattern": "queries:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+query:\\s+(\\S+)\\s+IN\\s+(\\w+)",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "DNS Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Query"},
{"set": "type_uid", "value": "400301"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
{"group": 1, "to": "metadata.uid"},
// Time (from syslog header)
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Client
{"group": 2, "to": "src_endpoint.ip"},
{"group": 3, "to": "src_endpoint.port"},
// Query info
{"group": 4, "to": "query_info.opcode"},
{"group": 5, "to": "query_info.hostname"},
{"group": 6, "to": "query_info.type"},
// DNS server
{"regex": "\\(([\\d.]+)\\)$", "group": 1, "to": "dst_endpoint.ip"},
// Observables
{"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$2"}},
{"array": "observables", "append": {"type": "Hostname", "type_id": 1, "value": "$5"}},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Security - Zone transfer denied
{
"pattern": "security:\\s+warning:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+zone transfer\\s+'([^']+)'\\s+denied",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "finding_info.types", "value": ["DNS Zone Transfer Attempt"]},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
// Time
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Client
{"group": 2, "to": "src_endpoint.ip"},
{"group": 3, "to": "src_endpoint.port"},
// Zone
{"group": 5, "to": "finding_info.title"},
{"set": "finding_info.desc", "value": "Unauthorized zone transfer attempt"},
// Severity
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"},
// Status
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Deny"}
]
},
// Security - Query denied
{
"pattern": "security:\\s+error:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+query\\s+\\(cache\\)\\s+'([^']+)'\\s+denied",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "DNS Activity"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Query Denied"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
// Time
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Client
{"group": 2, "to": "src_endpoint.ip"},
{"group": 3, "to": "src_endpoint.port"},
// Query
{"group": 5, "to": "query_info.hostname"},
// Status
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "rcode", "value": "REFUSED"},
// Severity
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
},
// Zone transfer (AXFR) - successful
{
"pattern": "xfer-out:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+transfer of\\s+'([^']+)':\\s+AXFR\\s+(started|ended)",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "DNS Activity"},
{"group": 6, "to": "transfer_status"},
{"lookup": "transfer_status", "map": {"started": 3, "ended": 4}, "to": "activity_id"},
{"lookup": "transfer_status", "map": {"started": "Zone Transfer Start", "ended": "Zone Transfer Complete"}, "to": "activity_name"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
// Time
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Client (secondary DNS)
{"group": 2, "to": "dst_endpoint.ip"},
{"group": 3, "to": "dst_endpoint.port"},
// Zone
{"group": 5, "to": "query_info.hostname"},
{"set": "query_info.type", "value": "AXFR"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Dynamic update
{
"pattern": "update:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+updating zone\\s+'([^']+)':\\s+(adding|deleting)\\s+an RR at\\s+'([^']+)'\\s+(\\w+)\\s+(\\S+)",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "DNS Activity"},
{"group": 6, "to": "update_action"},
{"lookup": "update_action", "map": {"adding": 5, "deleting": 6}, "to": "activity_id"},
{"lookup": "update_action", "map": {"adding": "Record Add", "deleting": "Record Delete"}, "to": "activity_name"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
// Time
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Client
{"group": 2, "to": "src_endpoint.ip"},
{"group": 3, "to": "src_endpoint.port"},
// Zone and record
{"group": 5, "to": "query_info.zone"},
{"group": 7, "to": "query_info.hostname"},
{"group": 8, "to": "query_info.type"},
{"group": 9, "to": "answers.rdata"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Rate limiting
{
"pattern": "rate-limit:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+):\\s+rate limit\\s+(\\w+)\\s+(\\w+)\\s+response",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "finding_info.types", "value": ["DNS Rate Limiting"]},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
// Time
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Client
{"group": 2, "to": "src_endpoint.ip"},
{"group": 3, "to": "src_endpoint.port"},
// Rate limit action
{"group": 4, "to": "activity_name"},
{"group": 5, "to": "finding_info.title"},
// Severity
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
},
// DNSSEC events
{
"pattern": "dnssec:\\s+info:\\s+zone\\s+(\\S+):\\s+DNSKEY\\s+(\\d+)/(\\w+)\\s+\\((\\w+)\\)\\s+is now\\s+(\\w+)",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "DNS Activity"},
{"set": "activity_id", "value": "7"},
{"set": "activity_name", "value": "DNSSEC Key Event"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
// Time
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Zone
{"group": 1, "to": "query_info.zone"},
// Key info
{"group": 2, "to": "dnssec.key_tag"},
{"group": 3, "to": "dnssec.algorithm"},
{"group": 4, "to": "dnssec.key_type"},
{"group": 5, "to": "dnssec.key_state"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
}
],
"query_type_mappings": {
"A": 1, "AAAA": 28, "MX": 15, "TXT": 16, "CNAME": 5,
"NS": 2, "SOA": 6, "PTR": 12, "SRV": 33, "AXFR": 252, "ANY": 255
}
}
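Review bot: The `time` regex used in every pattern (`^(\d+-\w+-\d+\s+[\d:.]+)`) expects BIND's own file-log timestamp (e.g. `08-Mar-2024 10:00:00.123`) at the start of the line, but the parser declares `"format": "syslog"`, and a syslogged line starts with the RFC 3164 header (`Mar  8 10:00:00 host named[pid]:`), so none of the patterns would populate `time` and events fall back to ingest time — either accept both forms or rely on the syslog header. In the query pattern, group 4 (the parenthesised token after the client address) is mapped to `query_info.opcode`, but in BIND 9 querylog output that token is the query name repeated, not an opcode, so drop that mapping or confirm against a sample line. Group 1 (`@0x…`) is the client object address, a memory pointer that is neither stable nor unique across restarts, so mapping it to `metadata.uid` gives a misleading event identifier. The `query_type_mappings` table at the end is not referenced by any rewrite.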
+406
@@ -0,0 +1,406 @@
// SentinelOne AI SIEM Parser: Linux OS
// OCSF Schema Version: 1.1.0
// Maps Linux syslog/auth/audit logs to OCSF classes
// Primary Classes: Authentication (3002), Process Activity (1007), Account Change (3001)
{
"parserName": "LinuxOS-OCSF",
"version": "1.0.0",
"vendor": "Linux",
"product": "Linux OS",
"format": "syslog",
"patterns": [
// SSH successful login
{
"pattern": "sshd\\[\\d+\\]:\\s+Accepted\\s+(\\w+)\\s+for\\s+(\\S+)\\s+from\\s+([\\d.]+)\\s+port\\s+(\\d+)",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "type_uid", "value": "300201"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "OpenSSH"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)\\s+(\\S+)", "group": 2, "to": "device.hostname"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Auth method
{"group": 1, "to": "auth_protocol"},
// User
{"group": 2, "to": "user.name"},
// Source
{"group": 3, "to": "src_endpoint.ip"},
{"group": 4, "to": "src_endpoint.port"},
// SSH key fingerprint
{"regex": "SHA256:(\\S+)", "group": 1, "to": "user.credential_uid"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// SSH failed login
{
"pattern": "sshd\\[\\d+\\]:\\s+Failed\\s+(\\w+)\\s+for\\s+(invalid user\\s+)?(\\S+)\\s+from\\s+([\\d.]+)\\s+port\\s+(\\d+)",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "OpenSSH"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Auth method
{"group": 1, "to": "auth_protocol"},
// User
{"group": 3, "to": "user.name"},
{"set": "user.type", "value": "Invalid", "if": "invalid user"},
// Source
{"group": 4, "to": "src_endpoint.ip"},
{"group": 5, "to": "src_endpoint.port"},
// Severity
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
},
// Sudo command execution
{
"pattern": "sudo:\\s+(\\S+)\\s+:\\s+TTY=(\\S+)\\s+;\\s+PWD=(\\S+)\\s+;\\s+USER=(\\S+)\\s+;\\s+COMMAND=(.+)$",
"rewrites": [
{"set": "class_uid", "value": "1007"},
{"set": "class_name", "value": "Process Activity"},
{"set": "category_uid", "value": "1"},
{"set": "category_name", "value": "System Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Launch"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "sudo"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Actor
{"group": 1, "to": "actor.user.name"},
{"group": 2, "to": "actor.session.terminal"},
{"group": 3, "to": "process.cwd"},
// Target user (run as)
{"group": 4, "to": "user.name"},
// Command
{"group": 5, "to": "process.cmd_line"},
// Privilege escalation indicator
{"set": "is_privileged", "value": "true"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Sudo denied
{
"pattern": "sudo:\\s+(\\S+)\\s+:\\s+user NOT in sudoers",
"rewrites": [
{"set": "class_uid", "value": "3003"},
{"set": "class_name", "value": "Authorization"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Deny"},
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "sudo"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// User
{"group": 1, "to": "actor.user.name"},
// Extract command attempted
{"regex": "COMMAND=(.+)$", "group": 1, "to": "process.cmd_line"},
// Severity
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"}
]
},
// User creation (useradd)
{
"pattern": "useradd\\[\\d+\\]:\\s+new user:\\s+name=(\\S+),\\s+UID=(\\d+),\\s+GID=(\\d+),\\s+home=(\\S+),\\s+shell=(\\S+)",
"rewrites": [
{"set": "class_uid", "value": "3001"},
{"set": "class_name", "value": "Account Change"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Create"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "useradd"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// New user
{"group": 1, "to": "user.name"},
{"group": 2, "to": "user.uid"},
{"group": 3, "to": "user.gid"},
{"group": 4, "to": "user.home"},
{"group": 5, "to": "user.shell"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// User modification (usermod)
{
"pattern": "usermod\\[\\d+\\]:\\s+add\\s+'(\\S+)'\\s+to\\s+group\\s+'(\\S+)'",
"rewrites": [
{"set": "class_uid", "value": "3004"},
{"set": "class_name", "value": "Group Membership"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Add"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "usermod"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// User and group
{"group": 1, "to": "user.name"},
{"group": 2, "to": "group.name"},
// Severity for privileged groups
{"set": "severity_id", "value": "4", "if": "wheel|sudo|root|admin"},
{"set": "severity", "value": "High", "if": "wheel|sudo|root|admin"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// UFW firewall block
{
"pattern": "kernel:\\s+\\[UFW BLOCK\\]\\s+IN=(\\S*)\\s+OUT=(\\S*).*SRC=([\\d.]+)\\s+DST=([\\d.]+).*PROTO=(\\w+)\\s+SPT=(\\d+)\\s+DPT=(\\d+)",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Deny"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "UFW"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Interfaces
{"group": 1, "to": "src_endpoint.interface_name"},
{"group": 2, "to": "dst_endpoint.interface_name"},
// Endpoints
{"group": 3, "to": "src_endpoint.ip"},
{"group": 4, "to": "dst_endpoint.ip"},
{"group": 6, "to": "src_endpoint.port"},
{"group": 7, "to": "dst_endpoint.port"},
// Protocol
{"group": 5, "to": "connection_info.protocol_name"},
// Status
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"}
]
},
// Audit EXECVE (command execution)
{
"pattern": "auditd\\[\\d+\\]:\\s+EXECVE\\s+argc=(\\d+)\\s+(.+)$",
"rewrites": [
{"set": "class_uid", "value": "1007"},
{"set": "class_name", "value": "Process Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Launch"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "auditd"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Arguments
{"group": 1, "to": "process.argc"},
{"group": 2, "to": "process.cmd_line", "transform": "parseAuditArgs"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Systemd service start
{
"pattern": "systemd\\[1\\]:\\s+Started\\s+(.+?)(?:\\s+-\\s+(.+))?\\.?$",
"rewrites": [
{"set": "class_uid", "value": "1006"},
{"set": "class_name", "value": "Service Activity"},
{"set": "category_uid", "value": "1"},
{"set": "category_name", "value": "System Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Start"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "systemd"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Service
{"group": 1, "to": "service.name"},
{"group": 2, "to": "service.desc"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Cron job execution
{
"pattern": "cron\\[\\d+\\]:\\s+\\((\\S+)\\)\\s+CMD\\s+\\((.+)\\)$",
"rewrites": [
{"set": "class_uid", "value": "1007"},
{"set": "class_name", "value": "Process Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Launch"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "cron"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// User
{"group": 1, "to": "actor.user.name"},
// Command
{"group": 2, "to": "process.cmd_line"},
// Scheduled task indicator
{"set": "is_scheduled", "value": "true"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Password change
{
"pattern": "passwd\\[\\d+\\]:\\s+password changed for\\s+(\\S+)\\s+by\\s+(\\S+)",
"rewrites": [
{"set": "class_uid", "value": "3001"},
{"set": "class_name", "value": "Account Change"},
{"set": "activity_id", "value": "3"},
{"set": "activity_name", "value": "Password Change"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "passwd"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Target user
{"group": 1, "to": "user.name"},
// Actor
{"group": 2, "to": "actor.user.name"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// SSH disconnect
{
"pattern": "sshd\\[\\d+\\]:\\s+Received disconnect from\\s+([\\d.]+)\\s+port\\s+(\\d+):(\\d+):\\s+(.+)$",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Logoff"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "OpenSSH"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Source
{"group": 1, "to": "src_endpoint.ip"},
{"group": 2, "to": "src_endpoint.port"},
// Disconnect code and reason
{"group": 3, "to": "status_code"},
{"group": 4, "to": "status_detail"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
}
],
"transforms": {
"parseAuditArgs": {
"description": "Parse audit EXECVE arguments a0=\"/bin/bash\" a1=\"-c\" to command line",
"regex": "a\\d+=\"([^\"]+)\"",
"join": " "
}
}
}
+1
@@ -0,0 +1 @@
{"name": "OCSF MITRE Coverage", "graphs": [{"label": "T1110-Brute Force", "filter": "message contains \"Failed\"", "function": "count", "graphType": "value"}, {"label": "T1046-Scanning", "filter": "action=\"deny\"", "function": "count", "graphType": "value"}, {"label": "T1059-Command Exec", "filter": "message contains \"bash\"", "function": "count", "graphType": "value"}, {"label": "T1078-Valid Accounts", "filter": "user_name=\"root\"", "function": "count", "graphType": "value"}, {"label": "T1548-Priv Esc", "filter": "message contains \"sudo\"", "function": "count", "graphType": "value"}, {"label": "Top IPs", "facet": "src_ip", "filter": "src_ip is not null", "graphType": "topValuesTable", "limit": 10}]}
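Review bot: The panel filters use field names the parsers in this commit do not emit — `src_ip`, `user_name` and `action` here, whereas the OCSF parsers write `src_endpoint.ip`, `user.name` and `activity_name` (see the sshd and UFW patterns in the Linux parser above) — so unless the ingest layer aliases those names, which is not visible here, every counter reads zero. The same mismatch (plus `dstport` versus `dst_endpoint.port`) is present in the two dashboard files that follow. A defender would also want the T1046 panel to count distinct destination ports per source rather than any single `deny`, since one blocked packet is not a scan. Suggest aligning the filters with the emitted fields, e.g. `"filter": "src_endpoint.ip is not null"` and `"facet": "src_endpoint.ip"` for the Top IPs panel, or documenting the alias layer in a `description` field.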
+160
@@ -0,0 +1,160 @@
{
"duration": "24h",
"description": "MITRE ATT&CK technique coverage from OCSF detections",
"graphs": [
{
"title": "MITRE ATT&CK Coverage",
"graphStyle": "markdown",
"markdown": "## MITRE ATT&CK Technique Counters\nEach panel shows the count of events matching a specific MITRE technique pattern.\n\n| Technique | Description |\n|---|---|\n| T1110 | Brute Force |\n| T1046 | Network Service Scanning |\n| T1059 | Command and Scripting Interpreter |\n| T1078 | Valid Accounts |\n| T1098 | Account Manipulation |\n| T1548 | Abuse Elevation Control Mechanism |",
"layout": {
"w": 60,
"h": 10,
"x": 0,
"y": 0
}
},
{
"title": "T1110 - Brute Force",
"graphStyle": "number",
"query": "message contains 'Failed password' or message contains 'authentication failure' | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 0,
"y": 10
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1046 - Network Scanning",
"graphStyle": "number",
"query": "action = 'deny' | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 15,
"y": 10
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1059 - Command Execution",
"graphStyle": "number",
"query": "message contains 'bash -c' or message contains 'python -c' or message contains 'powershell -enc' or message contains 'cmd.exe /c' | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 30,
"y": 10
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1078 - Valid Accounts",
"graphStyle": "number",
"query": "user_name = 'root' or user_name = 'Administrator' or user_name = 'admin' or user_name = 'SYSTEM' | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 45,
"y": 10
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1098 - Account Manipulation",
"graphStyle": "number",
"query": "message contains 'useradd' or message contains 'usermod' or message contains 'GRANT' or message contains 'Add member' | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 0,
"y": 17
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1548 - Privilege Escalation",
"graphStyle": "number",
"query": "message contains 'sudo' or message contains 'NOT in sudoers' | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 15,
"y": 17
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1021 - Remote Services",
"graphStyle": "number",
"query": "(dstport = 22 or dstport = 3389 or dstport = 5985) action = 'allow' | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 30,
"y": 17
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1136 - Create Account",
"graphStyle": "number",
"query": "message contains 'useradd' or message contains 'new user' or message contains 'CREATE USER' | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 45,
"y": 17
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "Detections Over Time",
"graphStyle": "stacked_bar",
"xAxis": "time",
"query": "serverHost contains 'ocsf' | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp",
"layout": {
"w": 40,
"h": 14,
"x": 0,
"y": 24
}
},
{
"title": "Top Attacker IPs",
"graphStyle": "table",
"query": "src_ip = * (message contains 'Failed' or message contains 'deny' or action = 'deny') | group hits=count() by src_ip | sort -hits | limit 10",
"layout": {
"w": 20,
"h": 14,
"x": 40,
"y": 24
}
}
]
}
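Review bot: The eight technique number panels (T1110 through T1136) are unscoped while the `Detections Over Time` and `Top Attacker IPs` panels restrict to `serverHost contains 'ocsf'`, so the counters include every host's events and the two views are not comparable. The next file section is a near-identical copy of this dashboard that adds the `serverHost contains 'ocsf'` scope to every query; keeping both copies means they will drift, so either drop this one or give each a distinct purpose. If this file is meant as the unscoped variant, state it: `"description": "MITRE ATT&CK technique coverage from OCSF detections (all hosts, not scoped to ocsf servers)"`.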
+160
@@ -0,0 +1,160 @@
{
"duration": "24h",
"description": "MITRE ATT&CK technique coverage from OCSF detections",
"graphs": [
{
"title": "MITRE ATT&CK Coverage",
"graphStyle": "markdown",
"markdown": "## MITRE ATT&CK Technique Counters\\n\\nEach panel shows the count of events matching a specific MITRE technique pattern.\\n\\n| Technique | Description | Detection Pattern |\\n|---|---|---|\\n| T1110 | Brute Force | Failed password attempts |\\n| T1046 | Network Scanning | Firewall denies to multiple ports |\\n| T1059 | Command Execution | bash -c, powershell -enc |\\n| T1078 | Valid Accounts | root/admin/SYSTEM usage |\\n| T1098 | Account Manipulation | useradd, GRANT |\\n| T1548 | Privilege Escalation | sudo, NOT in sudoers |",
"layout": {
"w": 60,
"h": 12,
"x": 0,
"y": 0
}
},
{
"title": "T1110 - Brute Force",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (message contains 'Failed password' or message contains 'authentication failure') | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 0,
"y": 12
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1046 - Network Scanning",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' action = 'deny' | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 15,
"y": 12
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1059 - Command Execution",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (message contains 'bash -c' or message contains 'python -c' or message contains 'powershell -enc' or message contains 'cmd.exe /c') | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 30,
"y": 12
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1078 - Valid Accounts",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (user_name = 'root' or user_name = 'Administrator' or user_name = 'admin' or user_name = 'SYSTEM') | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 45,
"y": 12
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1098 - Account Manipulation",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (message contains 'useradd' or message contains 'usermod' or message contains 'GRANT' or message contains 'Add member') | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 0,
"y": 19
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1548 - Privilege Escalation",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (message contains 'sudo' or message contains 'NOT in sudoers') | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 15,
"y": 19
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1021 - Remote Services",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (dstport = 22 or dstport = 3389 or dstport = 5985) action = 'allow' | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 30,
"y": 19
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1136 - Create Account",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (message contains 'useradd' or message contains 'new user' or message contains 'CREATE USER') | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 45,
"y": 19
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "Detections Over Time",
"graphStyle": "stacked_bar",
"xAxis": "time",
"query": "serverHost contains 'ocsf' | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp",
"layout": {
"w": 40,
"h": 14,
"x": 0,
"y": 26
}
},
{
"title": "Top Attacker IPs",
"graphStyle": "table",
"query": "src_ip = * serverHost contains 'ocsf' (message contains 'Failed' or message contains 'deny' or action = 'deny') | group hits=count() by src_ip | sort -hits | limit 10",
"layout": {
"w": 20,
"h": 14,
"x": 40,
"y": 26
}
}
]
}
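Review bot: The `markdown` string uses `\\n` (a literal backslash followed by n after JSON decoding) where the previous copy of this dashboard uses `\n`, so the heading and table will most likely render as a single line with `\n` text between cells. Change every `\\n` in that value to `\n`. Otherwise the queries are the scoped version of the previous file; the `serverHost contains 'ocsf'` prefix is a sound way to keep the counters to OCSF-ingested hosts, but because the technique panels match raw `message` keywords (`sudo`, `useradd`, `bash -c`) they count routine administration as well as attacks, so they are coverage indicators rather than detections, which the markdown header could say explicitly.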
+163
@@ -0,0 +1,163 @@
// SentinelOne AI SIEM Parser: Microsoft DHCP Server
// OCSF Schema Version: 1.1.0
// Maps Microsoft DHCP CSV logs to OCSF classes
// Primary Class: DHCP Activity (4004)
{
"parserName": "MicrosoftDHCP-OCSF",
"version": "1.0.0",
"vendor": "Microsoft",
"product": "DHCP Server",
"format": "csv",
"hasHeader": true,
"patterns": [
// DHCP Lease events (Assign, Renew, Release)
{
"pattern": "^(10|11|12|17|20),",
"rewrites": [
{"set": "class_uid", "value": "4004"},
{"set": "class_name", "value": "DHCP Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Microsoft DHCP"},
{"set": "metadata.product.vendor_name", "value": "Microsoft"},
{"csv": "TransactionID", "to": "metadata.uid"},
{"csv": "CorrelationID", "to": "metadata.correlation_uid"},
// Time
{"concat": ["$Date", " ", "$Time"], "to": "time"},
// Event ID mapping
{"csv": "ID", "to": "event_id"},
{"lookup": "event_id", "map": {
"10": 1, "11": 2, "12": 3, "13": 4, "14": 5,
"15": 6, "16": 7, "17": 8, "20": 9
}, "to": "activity_id"},
{"lookup": "event_id", "map": {
"10": "Assign", "11": "Renew", "12": "Release",
"13": "DNS Update Request", "14": "DNS Update Successful",
"15": "NACK", "16": "Decline", "17": "Expired", "20": "BOOTP Assign"
}, "to": "activity_name"},
// Description
{"csv": "Description", "to": "message"},
// Lease info
{"csv": "IP Address", "to": "lease.ip"},
{"csv": "Host Name", "to": "lease.hostname"},
{"csv": "MAC Address", "to": "lease.mac"},
// Device
{"csv": "IP Address", "to": "device.ip"},
{"csv": "Host Name", "to": "device.hostname"},
{"csv": "MAC Address", "to": "device.mac"},
// User (if available)
{"csv": "User Name", "to": "user.name"},
// DHCP identifiers
{"csv": "Dhcid", "to": "dhcp.client_id"},
{"csv": "VendorClass(ASCII)", "to": "dhcp.vendor_class"},
{"csv": "UserClass(ASCII)", "to": "dhcp.user_class"},
{"csv": "RelayAgentInformation", "to": "dhcp.relay_agent"},
// Status based on event
{"set": "status_id", "value": "1", "if": "ID:(10|11|13|14|20)"},
{"set": "status", "value": "Success", "if": "ID:(10|11|13|14|20)"},
{"set": "status_id", "value": "2", "if": "ID:(15|16|30)"},
{"set": "status", "value": "Failure", "if": "ID:(15|16|30)"}
]
},
// DNS Update events
{
"pattern": "^(13|14|30|31),",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "DNS Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Microsoft DHCP"},
{"set": "metadata.product.vendor_name", "value": "Microsoft"},
// Time
{"concat": ["$Date", " ", "$Time"], "to": "time"},
// Activity
{"csv": "ID", "to": "event_id"},
{"lookup": "event_id", "map": {
"13": 1, "14": 1, "30": 2, "31": 1
}, "to": "activity_id"},
{"lookup": "event_id", "map": {
"13": "DNS Update Request", "14": "DNS Update Successful",
"30": "DNS Update Failed", "31": "DNS Update Request"
}, "to": "activity_name"},
// DNS info
{"csv": "Host Name", "to": "query_info.hostname"},
{"csv": "IP Address", "to": "answers.rdata"},
// Status
{"csv": "DnsRegError", "to": "status_code"},
{"set": "status_id", "value": "1", "if": "DnsRegError:0"},
{"set": "status", "value": "Success", "if": "DnsRegError:0"},
{"set": "status_id", "value": "2", "if": "DnsRegError:[^0]"},
{"set": "status", "value": "Failure", "if": "DnsRegError:[^0]"}
]
},
// NACK/Decline/Expired (potential issues)
{
"pattern": "^(15|16|17|32),",
"rewrites": [
{"set": "class_uid", "value": "4004"},
{"set": "class_name", "value": "DHCP Activity"},
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Microsoft DHCP"},
{"set": "metadata.product.vendor_name", "value": "Microsoft"},
// Time
{"concat": ["$Date", " ", "$Time"], "to": "time"},
// Event
{"csv": "ID", "to": "event_id"},
{"lookup": "event_id", "map": {
"15": "NACK", "16": "Decline", "17": "Expired", "32": "Deleted"
}, "to": "activity_name"},
// Device
{"csv": "IP Address", "to": "device.ip"},
{"csv": "Host Name", "to": "device.hostname"},
{"csv": "MAC Address", "to": "device.mac"},
// Severity for issues
{"set": "severity_id", "value": "2"},
{"set": "severity", "value": "Low"}
]
}
],
"event_id_reference": {
"10": "New IP address leased to client",
"11": "Lease renewed by client",
"12": "Lease released by client",
"13": "DNS update request sent",
"14": "DNS update successful",
"15": "DHCP NACK sent to client",
"16": "DHCP Decline from client",
"17": "Lease expired and deleted",
"20": "BOOTP address leased to client",
"30": "DNS update failed",
"31": "DNS update request sent",
"32": "Lease deleted by administrator"
}
}
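Review bot: Event ID 17 (Expired) is matched by both the first pattern `^(10|11|12|17|20),` and the third `^(15|16|17|32),`, and inside the first pattern the status rules only cover 10|11|13|14|20 and 15|16|30, so Expired (17) and Release (12) events leave the parser with no `status_id`/`status` if the engine stops at the first matching pattern (the match order is not visible here). Suggest removing 17 from the first pattern so the NACK/Decline/Expired block owns it, and covering 12 in the success rule: `{"set": "status_id", "value": "1", "if": "ID:(10|11|12|13|14|20)"}`. The first pattern's `if` rules also name 13, 14 and 30, which that pattern never matches, so those entries are dead. The `event_id_reference` map is useful documentation, but no rewrite references it, so it is not what drives `activity_name`.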
+113
@@ -0,0 +1,113 @@
// SentinelOne AI SIEM Parser: Microsoft DNS Debug Log
// OCSF Schema Version: 1.1.0
// Maps Microsoft DNS debug logs to OCSF classes
// Primary Class: DNS Activity (4003)
{
"parserName": "MicrosoftDNS-OCSF",
"version": "1.0.0",
"vendor": "Microsoft",
"product": "DNS Server",
"format": "regex",
"patterns": [
// DNS Query/Response
{
"pattern": "^(\\d+/\\d+/\\d+)\\s+(\\d+:\\d+:\\d+\\s+[AP]M)\\s+(\\w+)\\s+PACKET\\s+(\\w+)\\s+(UDP|TCP)\\s+(Rcv|Snd)\\s+([\\d.]+)\\s+(\\w+)\\s+([RQ\\s]+)\\s+\\[([^\\]]+)\\]\\s+(\\w+)\\s+(.+)$",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "DNS Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
// Activity based on direction
{"group": 6, "to": "direction"},
{"lookup": "direction", "map": {"Rcv": 1, "Snd": 2}, "to": "activity_id"},
{"lookup": "direction", "map": {"Rcv": "Query", "Snd": "Response"}, "to": "activity_name"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Microsoft DNS"},
{"set": "metadata.product.vendor_name", "value": "Microsoft"},
{"group": 3, "to": "metadata.uid"},
{"group": 4, "to": "metadata.log_name"},
// Time
{"concat": ["$1", " ", "$2"], "to": "time"},
// Protocol
{"group": 5, "to": "connection_info.protocol_name"},
// Client IP
{"group": 7, "to": "src_endpoint.ip"},
// Transaction ID
{"group": 8, "to": "query_info.uid"},
// Flags
{"group": 9, "to": "query_info.flags"},
{"group": 10, "to": "rcode_name"},
// Query type
{"group": 11, "to": "query_info.type"},
// Query name (decode DNS format)
{"group": 12, "to": "query_info.hostname", "transform": "decodeDnsName"},
// Response code mapping
{"lookup": "rcode_name", "map": {
"NOERROR": 0, "FORMERR": 1, "SERVFAIL": 2, "NXDOMAIN": 3,
"NOTIMP": 4, "REFUSED": 5, "YXDOMAIN": 6, "YXRRSET": 7
}, "to": "rcode_id"},
// Status based on response code
{"set": "status_id", "value": "1", "if": "NOERROR"},
{"set": "status", "value": "Success", "if": "NOERROR"},
{"set": "status_id", "value": "2", "if": "REFUSED|NXDOMAIN|SERVFAIL"},
{"set": "status", "value": "Failure", "if": "REFUSED|NXDOMAIN|SERVFAIL"},
// Observables
{"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$7"}},
{"array": "observables", "append": {"type": "Hostname", "type_id": 1, "value": "$query_info.hostname"}}
]
}
],
"transforms": {
"decodeDnsName": {
"description": "Converts DNS wire format (4)mail(4)corp(5)local(0) to mail.corp.local",
"regex": "\\((\\d+)\\)([^(]+)",
"replace": "$2.",
"trim": "."
}
},
"query_type_mappings": {
"A": {"id": 1, "name": "A (IPv4 Address)"},
"AAAA": {"id": 28, "name": "AAAA (IPv6 Address)"},
"MX": {"id": 15, "name": "MX (Mail Exchange)"},
"TXT": {"id": 16, "name": "TXT (Text)"},
"CNAME": {"id": 5, "name": "CNAME (Canonical Name)"},
"NS": {"id": 2, "name": "NS (Name Server)"},
"SOA": {"id": 6, "name": "SOA (Start of Authority)"},
"PTR": {"id": 12, "name": "PTR (Pointer)"},
"SRV": {"id": 33, "name": "SRV (Service)"},
"AXFR": {"id": 252, "name": "AXFR (Zone Transfer)"},
"ANY": {"id": 255, "name": "ANY (All Records)"}
},
"security_indicators": {
"zone_transfer": {
"condition": "query_info.type == 'AXFR'",
"severity_id": 4,
"severity": "High",
"finding_info.title": "DNS Zone Transfer Attempt"
},
"any_query": {
"condition": "query_info.type == 'ANY'",
"severity_id": 3,
"severity": "Medium",
"finding_info.title": "DNS ANY Query (Potential Amplification)"
}
}
}
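Review bot: The `security_indicators` block (AXFR zone-transfer and ANY-query flags) is not referenced by any rewrite, and neither is `query_type_mappings`, so unless the parser engine consumes those top-level keys — not visible here — no event ever gets `severity_id` or `finding_info.title` set and the zone-transfer detection is documentation only. If the engine does not read them, move the logic into the pattern's rewrites, e.g. `{"set": "severity_id", "value": "4", "if": "AXFR"}` and `{"set": "severity", "value": "High", "if": "AXFR"}`, and note in a comment which top-level keys the engine honours. The status rules `"if": "NOERROR"` and `"if": "REFUSED|NXDOMAIN|SERVFAIL"` appear to be unanchored regex checks against the whole line, so a query name containing one of those words could flip the status; anchoring to the bracketed flags field, e.g. `"if": "\\[[^\\]]*NOERROR\\]"`, avoids that. FORMERR, NOTIMP and YXDOMAIN receive an `rcode_id` but no status at all.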
+184
@@ -0,0 +1,184 @@
// SentinelOne AI SIEM Parser: Oracle RDBMS Audit Record
// OCSF Schema Version: 1.1.0
// Maps Oracle Database audit trail to OCSF classes
// Primary Classes: Database Activity (4003), Authentication (3002), Authorization (3003)
{
"parserName": "OracleRDBMS-OCSF",
"version": "1.0.0",
"vendor": "Oracle",
"product": "Oracle Database",
"format": "kv",
"delimiter": " ",
"kvSeparator": ":",
"patterns": [
// Logon events
{
"pattern": "ACTION_NAME:\\s*LOGON",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "type_uid", "value": "300201"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Oracle Database"},
{"set": "metadata.product.vendor_name", "value": "Oracle"},
{"regex": "DBID:\\s*(\\d+)", "group": 1, "to": "metadata.product.uid"},
{"regex": "INSTANCE_NUMBER:\\s*(\\d+)", "group": 1, "to": "metadata.product.feature.uid"},
// Time
{"regex": "TIMESTAMP:\\s*([\\d-]+\\s[\\d:.]+\\s\\w+)", "group": 1, "to": "time"},
// User
{"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "user.name"},
{"regex": "OS_USERNAME:\\s*(\\S+)", "group": 1, "to": "actor.user.name"},
{"regex": "CLIENT_ID:\\s*(\\S+)", "group": 1, "to": "user.credential_uid"},
// Session
{"regex": "SESSIONID:\\s*(\\d+)", "group": 1, "to": "session.uid"},
// Source
{"regex": "USERHOST:\\s*(\\S+)", "group": 1, "to": "src_endpoint.name"},
{"regex": "TERMINAL:\\s*(\\S+)", "group": 1, "to": "src_endpoint.interface_name"},
{"regex": "OS_PROCESS:\\s*(\\d+)", "group": 1, "to": "actor.process.pid"},
// Auth details
{"regex": "AUTHENTICATION_TYPE:\\s*(\\S+)", "group": 1, "to": "auth_protocol"},
{"regex": "PRIV_USED:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "user.privileges"},
// Status
{"regex": "RETURNCODE:\\s*(\\d+)", "group": 1, "to": "status_code"},
{"set": "status_id", "value": "1", "if": "RETURNCODE: 0"},
{"set": "status", "value": "Success", "if": "RETURNCODE: 0"},
{"set": "status_id", "value": "2", "if": "RETURNCODE: [^0]"},
{"set": "status", "value": "Failure", "if": "RETURNCODE: [^0]"},
// Comment
{"regex": "COMMENT_TEXT:\\s*(.+?)$", "group": 1, "to": "message"}
]
},
// SELECT/Query events
{
"pattern": "ACTION_NAME:\\s*SELECT",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "Database Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Query"},
{"set": "type_uid", "value": "400301"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Oracle Database"},
{"set": "metadata.product.vendor_name", "value": "Oracle"},
// User
{"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "actor.user.name"},
{"regex": "SESSIONID:\\s*(\\d+)", "group": 1, "to": "actor.session.uid"},
// Database object
{"regex": "OBJ_CREATOR:\\s*(\\S+)", "group": 1, "to": "database.schema"},
{"regex": "OBJ_NAME:\\s*(\\S+)", "group": 1, "to": "database.table"},
// Query
{"regex": "SQL_TEXT:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "query_info.query_string"},
{"set": "query_info.query_type", "value": "SELECT"},
// Source
{"regex": "USERHOST:\\s*(\\S+)", "group": 1, "to": "src_endpoint.name"},
// Privileges
{"regex": "PRIV_USED:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "actor.user.privileges"}
]
},
// INSERT/UPDATE/DELETE events
{
"pattern": "ACTION_NAME:\\s*(INSERT|UPDATE|DELETE)",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "Database Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"lookup": "ACTION_NAME", "map": {"INSERT": 2, "UPDATE": 3, "DELETE": 4}, "to": "activity_id"},
{"lookup": "ACTION_NAME", "map": {"INSERT": "Insert", "UPDATE": "Update", "DELETE": "Delete"}, "to": "activity_name"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Oracle Database"},
{"set": "metadata.product.vendor_name", "value": "Oracle"},
// User
{"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "actor.user.name"},
{"regex": "SESSIONID:\\s*(\\d+)", "group": 1, "to": "actor.session.uid"},
// Database object
{"regex": "OBJ_CREATOR:\\s*(\\S+)", "group": 1, "to": "database.schema"},
{"regex": "OBJ_NAME:\\s*(\\S+)", "group": 1, "to": "database.table"},
// Query
{"regex": "SQL_TEXT:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "query_info.query_string"},
// Source
{"regex": "USERHOST:\\s*(\\S+)", "group": 1, "to": "src_endpoint.name"},
// Severity for data modification
{"set": "severity_id", "value": "2"},
{"set": "severity", "value": "Low"}
]
},
// GRANT/REVOKE events
{
"pattern": "ACTION_NAME:\\s*(GRANT|REVOKE)",
"rewrites": [
{"set": "class_uid", "value": "3003"},
{"set": "class_name", "value": "Authorization"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"lookup": "ACTION_NAME", "map": {"GRANT": 1, "REVOKE": 2}, "to": "activity_id"},
{"lookup": "ACTION_NAME", "map": {"GRANT": "Grant", "REVOKE": "Revoke"}, "to": "activity_name"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Oracle Database"},
{"set": "metadata.product.vendor_name", "value": "Oracle"},
// Actor (who granted)
{"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "actor.user.name"},
// Target (who received)
{"regex": "GRANTEE:\\s*(\\S+)", "group": 1, "to": "user.name"},
// Privilege/Role
{"regex": "OBJ_NAME:\\s*(\\S+)", "group": 1, "to": "privileges"},
{"regex": "SQL_TEXT:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "message"},
// Severity for privilege changes
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"}
]
}
],
"action_mappings": {
"100": {"name": "LOGON", "class": "Authentication", "activity": "Logon"},
"101": {"name": "LOGOFF", "class": "Authentication", "activity": "Logoff"},
"103": {"name": "SELECT", "class": "Database Activity", "activity": "Query"},
"2": {"name": "INSERT", "class": "Database Activity", "activity": "Insert"},
"6": {"name": "UPDATE", "class": "Database Activity", "activity": "Update"},
"7": {"name": "DELETE", "class": "Database Activity", "activity": "Delete"},
"108": {"name": "GRANT", "class": "Authorization", "activity": "Grant"},
"109": {"name": "REVOKE", "class": "Authorization", "activity": "Revoke"},
"1": {"name": "CREATE TABLE", "class": "Database Activity", "activity": "Create"},
"12": {"name": "DROP TABLE", "class": "Database Activity", "activity": "Delete"}
}
}
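Review bot: `class_uid` 4003 is DNS Activity in OCSF 1.1 (the Microsoft DNS and DHCP parsers in this commit use 4003 with `class_name` "DNS Activity"), so the SELECT and INSERT/UPDATE/DELETE patterns here emit Oracle query events under a class id that collides with DNS events, and `category_uid` 4 "Network Activity" is wrong for database audit records, so downstream rules keyed on `class_uid` will misread them. OCSF 1.1 models database operations as Datastore Activity under Application Activity (`class_uid` 6005, `category_uid` 6 — confirm against the schema version you pin), and the header comment `Database Activity (4003)` should change with it. The logon status rules compare with the literal `RETURNCODE: 0` / `RETURNCODE: [^0]` while the extraction regex on the line above accepts `\\s*`, so a record written as `RETURNCODE:0` (or with two spaces) gets no status, and the failed-logon return code is the primary brute-force signal in this source; `"if": "RETURNCODE:\\s*0\\b"` and `"if": "RETURNCODE:\\s*[1-9]"` match the extraction regex. `action_mappings` lists LOGOFF (101) but no pattern handles it, so session ends are dropped.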
+158
@@ -0,0 +1,158 @@
// SentinelOne AI SIEM Parser: Palo Alto PA Series
// OCSF Schema Version: 1.1.0
// Maps Palo Alto CSV logs to OCSF classes
// Primary Classes: Network Activity (4001), Detection Finding (2004), Security Finding (2001)
{
"parserName": "PaloAlto-OCSF",
"version": "1.0.0",
"vendor": "Palo Alto Networks",
"product": "PA Series Firewall",
"format": "csv",
"patterns": [
// TRAFFIC logs
{
"pattern": ",TRAFFIC,",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Palo Alto Firewall"},
{"set": "metadata.product.vendor_name", "value": "Palo Alto Networks"},
{"csv": 1, "to": "metadata.product.version"},
{"csv": 2, "to": "device.uid"},
{"csv": 6, "to": "time"},
// Source endpoint
{"csv": 7, "to": "src_endpoint.ip"},
{"csv": 8, "to": "dst_endpoint.ip"},
{"csv": 9, "to": "proxy.ip"},
{"csv": 10, "to": "proxy.dst_ip"},
{"csv": 24, "to": "src_endpoint.port"},
{"csv": 25, "to": "dst_endpoint.port"},
// User
{"csv": 12, "to": "actor.user.name"},
// Application
{"csv": 14, "to": "app_name"},
// Zones
{"csv": 16, "to": "src_endpoint.zone"},
{"csv": 17, "to": "dst_endpoint.zone"},
// Interfaces
{"csv": 18, "to": "src_endpoint.interface_name"},
{"csv": 19, "to": "dst_endpoint.interface_name"},
// Session
{"csv": 22, "to": "connection_info.session.uid"},
// Protocol
{"csv": 29, "to": "connection_info.protocol_name"},
// Action
{"csv": 30, "to": "activity_name"},
{"lookup": "activity_name", "map": {"allow": 1, "deny": 2, "drop": 5, "reset-both": 6}, "to": "activity_id"},
// Traffic stats
{"csv": 31, "to": "traffic.bytes"},
{"csv": 32, "to": "traffic.bytes_out"},
{"csv": 33, "to": "traffic.bytes_in"},
{"csv": 34, "to": "traffic.packets"},
// Duration
{"csv": 36, "to": "connection_info.session.duration"},
// Policy
{"csv": 11, "to": "policy.name"},
// Status
{"set": "status_id", "value": "1", "if": "allow"},
{"set": "status", "value": "Success", "if": "allow"}
]
},
// THREAT logs (vulnerability, spyware, virus, wildfire)
{
"pattern": ",THREAT,",
"rewrites": [
{"set": "class_uid", "value": "2004"},
{"set": "class_name", "value": "Detection Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Palo Alto Threat Prevention"},
{"set": "metadata.product.vendor_name", "value": "Palo Alto Networks"},
{"csv": 2, "to": "device.uid"},
{"csv": 6, "to": "time"},
// Threat subtype
{"csv": 4, "to": "finding_info.type_uid"},
// Endpoints
{"csv": 7, "to": "src_endpoint.ip"},
{"csv": 8, "to": "dst_endpoint.ip"},
{"csv": 24, "to": "src_endpoint.port"},
{"csv": 25, "to": "dst_endpoint.port"},
// User
{"csv": 12, "to": "actor.user.name"},
// Threat info
{"csv": 31, "to": "finding_info.title"},
{"csv": 32, "to": "finding_info.desc"},
{"csv": 33, "to": "severity"},
{"lookup": "severity", "map": {"critical": 5, "high": 4, "medium": 3, "low": 2, "informational": 1}, "to": "severity_id"},
// Direction
{"csv": 34, "to": "connection_info.direction"},
// Threat ID
{"csv": 35, "to": "finding_info.uid"},
// Action
{"csv": 30, "to": "activity_name"},
{"lookup": "activity_name", "map": {"alert": 1, "block": 2, "drop": 2, "reset-both": 2, "reset-client": 2, "reset-server": 2}, "to": "activity_id"},
// File info (for wildfire)
{"csv": 42, "to": "file.name"},
{"csv": 43, "to": "file.type_id"},
{"csv": 46, "to": "file.hashes.sha256"},
{"csv": 47, "to": "malware.classification.name"}
]
},
// SYSTEM logs
{
"pattern": ",SYSTEM,",
"rewrites": [
{"set": "class_uid", "value": "6002"},
{"set": "class_name", "value": "API Activity"},
{"set": "category_uid", "value": "6"},
{"set": "category_name", "value": "Application Activity"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Palo Alto System"},
{"set": "metadata.product.vendor_name", "value": "Palo Alto Networks"},
{"csv": 2, "to": "device.uid"},
{"csv": 6, "to": "time"},
// System event type
{"csv": 4, "to": "activity_name"},
// Severity
{"csv": 33, "to": "severity"},
// Message
{"csv": 31, "to": "message"}
]
}
]
}
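Review bot: In the TRAFFIC pattern `status_id`/`status` are only written under `"if": "allow"`, so denied and dropped sessions carry no status at all, and the firewall verdict is pushed into `activity_id` (`allow`→1, `deny`→2) even though OCSF 1.1 Network Activity defines activity_id as 1=Open, 2=Close, 6=Traffic and carries the verdict in `action_id` (1=Allowed, 2=Denied); a consumer filtering blocked traffic on activity will see "Close" events instead of denies. I would map the verdict with `{"lookup": "activity_name", "map": {"allow": 1, "deny": 2, "drop": 2, "reset-both": 2}, "to": "action_id"}`, set `activity_id` to 6 for these flow records, and set status for both outcomes. Separately, `{"csv": 43, "to": "file.type_id"}` in the THREAT pattern stores a text value in an integer enum; `file.type` is the string counterpart. The `,TRAFFIC,`/`,THREAT,` substring patterns are also unanchored, so a URL or misc field containing that text can route a record to the wrong class — anchoring on the Type column position would be safer, verify against sample lines.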
+96
@@ -0,0 +1,96 @@
// SentinelOne AI SIEM Parser: IBM QRadar
// OCSF Schema Version: 1.1.0
// Maps QRadar LEEF/JSON events to OCSF classes
// Primary Classes: Security Finding (2001), Authentication (3002), Network Activity (4001)
{
"parserName": "QRadar-OCSF",
"version": "1.0.0",
"vendor": "IBM",
"product": "QRadar",
"format": "json",
"patterns": [
{
"pattern": ".*",
"rewrites": [
// OCSF Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "QRadar"},
{"set": "metadata.product.vendor_name", "value": "IBM"},
{"copy": "logSourceName", "to": "metadata.log_name"},
{"copy": "logSourceTypeName", "to": "metadata.product.feature.name"},
// OCSF Classification
{"set": "class_uid", "value": "2001"}, // Security Finding
{"set": "class_name", "value": "Security Finding"},
{"copy": "category", "to": "category_name"},
{"set": "type_uid", "value": "200101"}, // Security Finding: Create
// Time mapping
{"copy": "startTime", "to": "time"},
{"parseTimestamp": "startTime", "format": "ISO8601", "to": "time_dt"},
// Severity mapping (QRadar 1-10 to OCSF 0-6)
{"copy": "severity", "to": "severity_id", "transform": "qradarSeverityToOCSF"},
{"lookup": "severity_id", "map": {"1": "Informational", "2": "Low", "3": "Medium", "4": "High", "5": "Critical", "6": "Fatal"}, "to": "severity"},
// Actor/User mapping
{"copy": "username", "to": "actor.user.name"},
{"copy": "domainName", "to": "actor.user.domain"},
{"copy": "identityHostName", "to": "actor.user.credential_uid"},
// Source endpoint
{"copy": "sourceIP", "to": "src_endpoint.ip"},
{"copy": "sourcePort", "to": "src_endpoint.port"},
// Destination endpoint
{"copy": "destinationIP", "to": "dst_endpoint.ip"},
{"copy": "destinationPort", "to": "dst_endpoint.port"},
// Network connection
{"copy": "protocol", "to": "connection_info.protocol_name"},
// Finding details
{"copy": "qidName", "to": "finding_info.title"},
{"copy": "eventName", "to": "finding_info.desc"},
{"copy": "qid", "to": "finding_info.uid"},
{"copy": "payload", "to": "finding_info.data_sources"},
// Risk scoring
{"copy": "magnitude", "to": "risk_score"},
{"copy": "credibility", "to": "confidence_score"},
{"copy": "relevance", "to": "impact_score"},
// Observables
{"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$sourceIP"}},
{"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$destinationIP"}},
{"array": "observables", "append": {"type": "User Name", "type_id": 4, "value": "$username"}, "if": "username"}
]
}
],
"transforms": {
"qradarSeverityToOCSF": {
"1-2": 1,
"3-4": 2,
"5-6": 3,
"7-8": 4,
"9-10": 5
}
},
"ocsf_mappings": {
"authentication_events": {
"condition": "category == 'Authentication'",
"class_uid": 3002,
"class_name": "Authentication",
"activity_id": {"success": 1, "failure": 2}
},
"network_events": {
"condition": "protocol != ''",
"class_uid": 4001,
"class_name": "Network Activity"
}
}
}
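Review bot: The `sourceIP` and `destinationIP` observable appends have no `"if"` guard, unlike the username one, so events lacking either field will emit an observable whose value is the unexpanded `$sourceIP` placeholder or empty — add `"if": "sourceIP"` and `"if": "destinationIP"` to those two entries. `{"copy": "identityHostName", "to": "actor.user.credential_uid"}` puts a hostname into a credential identifier; if that field is the identity host, `device.hostname` is the closer target — confirm against a sample event. Copying the raw `payload` into `finding_info.data_sources` changes that field's meaning (a list of source names, not event content) and can carry credentials or PII into a finding that is broadly readable; `raw_data` is the OCSF field for the original payload. Finally, the `ocsf_mappings` condition `protocol != ''` would reclassify any event with a protocol away from the 2001 class set by the `.*` pattern, and nothing states which of `patterns` and `ocsf_mappings` wins; that precedence needs a comment.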
+84
@@ -0,0 +1,84 @@
{
"duration": "24h",
"description": "Cross-source security posture from OCSF-normalized events",
"graphs": [
{
"title": "Events by Source",
"graphStyle": "donut",
"maxPieSlices": 15,
"query": "serverHost = * | group count() by serverHost | sort -count | limit 15",
"layout": {
"w": 20,
"h": 14,
"x": 0,
"y": 0
}
},
{
"title": "Event Volume Over Time",
"graphStyle": "stacked_bar",
"xAxis": "time",
"query": "serverHost = * | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp",
"layout": {
"w": 40,
"h": 14,
"x": 20,
"y": 0
}
},
{
"title": "Top Source IPs",
"graphStyle": "table",
"query": "src_ip = * | group hits=count() by src_ip | sort -hits | limit 15",
"layout": {
"w": 20,
"h": 14,
"x": 0,
"y": 14
}
},
{
"title": "Top Active Users",
"graphStyle": "table",
"query": "user_name = * | group hits=count() by user_name | sort -hits | limit 15",
"layout": {
"w": 20,
"h": 14,
"x": 20,
"y": 14
}
},
{
"title": "Authentication Failures",
"graphStyle": "number",
"query": "message contains 'Failed password' or message contains 'authentication failure' | group count() | limit 1",
"layout": {
"w": 10,
"h": 7,
"x": 40,
"y": 14
},
"options": {
"format": "auto",
"precision": "0",
"suffix": " failures"
}
},
{
"title": "Firewall Denies",
"graphStyle": "number",
"query": "action = 'deny' or action = 'block' or action = 'drop' | group count() | limit 1",
"layout": {
"w": 10,
"h": 7,
"x": 50,
"y": 14
},
"options": {
"format": "auto",
"precision": "0",
"suffix": " blocked"
}
}
]
}
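Review bot: The panels count on raw field names and message substrings (`src_ip`, `action = 'deny'`, `message contains 'Failed password'`) rather than the OCSF attributes the parsers in this commit emit (`src_endpoint.ip`, `activity_name`, `class_uid`/`status_id`), so "from OCSF-normalized events" in the description does not match what is queried. The "Authentication Failures" number will miss Windows 4625 logons, which the Windows parser normalizes to `status_id = 2` with no "Failed password" text, and none of the parsers here write a field named `action` — the firewall verdict lands in `activity_name`, capitalized as `Deny` by the WatchGuard parser, which a lowercase `'deny'` comparison will not match. I'd base the failure count on `class_uid = 3002 status_id = 2 | group count() | limit 1` and the deny count on the normalized activity/status fields, after confirming the attribute names actually present in ingested data.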
+221
@@ -0,0 +1,221 @@
{
"duration": "24h",
"description": "Cross-source security posture from OCSF-normalized events",
"parameters": [
{
"name": "source",
"values": [
{
"label": "All Sources",
"value": "*"
},
{
"label": "Linux",
"value": "linux-ocsf"
},
{
"label": "FortiGate",
"value": "fortigate-ocsf"
},
{
"label": "CheckPoint",
"value": "checkpoint-ocsf"
},
{
"label": "Palo Alto",
"value": "paloalto-ocsf"
},
{
"label": "Windows",
"value": "windows-ocsf"
}
],
"defaultValue": "*"
}
],
"graphs": [
{
"title": "Dashboard Overview",
"graphStyle": "markdown",
"markdown": "## OCSF Security Overview\\n\\nCross-source security posture from **OCSF v1.3.0** normalized events.\\n\\n| Metric | Description |\\n|--------|-------------|\\n| **Sources** | All serverHost containing 'ocsf' |\\n| **Time Range** | Last 24 hours |\\n| **Refresh** | Auto (5 min) |\\n\\nUse the **source** dropdown above to filter by specific data source.",
"layout": {
"w": 60,
"h": 8,
"x": 0,
"y": 0
}
},
{
"title": "Event Count by OCSF Source",
"graphStyle": "donut",
"maxPieSlices": 12,
"dataLabelType": "PERCENTAGE",
"query": "serverHost contains 'ocsf' | group count() by serverHost | sort -count | limit 12",
"layout": {
"w": 20,
"h": 14,
"x": 0,
"y": 8
}
},
{
"title": "Event Volume Over Time (24h)",
"graphStyle": "stacked_bar",
"xAxis": "time",
"query": "serverHost contains 'ocsf' | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp",
"layout": {
"w": 40,
"h": 14,
"x": 20,
"y": 8
}
},
{
"title": "Unique Source IPs",
"graphStyle": "number",
"query": "src_ip = * serverHost contains 'ocsf' | group estimate_distinct(src_ip) | limit 1",
"layout": {
"w": 12,
"h": 7,
"x": 0,
"y": 22
},
"options": {
"format": "auto",
"precision": "0",
"suffix": " IPs"
}
},
{
"title": "Unique Users",
"graphStyle": "number",
"query": "user_name = * serverHost contains 'ocsf' | group estimate_distinct(user_name) | limit 1",
"layout": {
"w": 12,
"h": 7,
"x": 12,
"y": 22
},
"options": {
"format": "auto",
"precision": "0",
"suffix": " users"
}
},
{
"title": "Unique Destinations",
"graphStyle": "number",
"query": "dst_ip = * serverHost contains 'ocsf' | group estimate_distinct(dst_ip) | limit 1",
"layout": {
"w": 12,
"h": 7,
"x": 24,
"y": 22
},
"options": {
"format": "auto",
"precision": "0",
"suffix": " IPs"
}
},
{
"title": "Total Events",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' | group count() | limit 1",
"layout": {
"w": 12,
"h": 7,
"x": 36,
"y": 22
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "Auth Failure Events (24h)",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (message contains 'Failed password' or message contains 'authentication failure' or status = 'failure') | group count() | limit 1",
"layout": {
"w": 12,
"h": 7,
"x": 48,
"y": 22
},
"options": {
"format": "auto",
"precision": "0",
"suffix": " failures"
}
},
{
"title": "Top Source IPs (24h)",
"graphStyle": "table",
"query": "src_ip = * serverHost contains 'ocsf' | group hits=count() by src_ip | sort -hits | limit 15",
"layout": {
"w": 20,
"h": 14,
"x": 0,
"y": 29
}
},
{
"title": "Top Active Users (24h)",
"graphStyle": "table",
"query": "user_name = * serverHost contains 'ocsf' | group hits=count() by user_name | sort -hits | limit 15",
"layout": {
"w": 20,
"h": 14,
"x": 20,
"y": 29
}
},
{
"title": "External Connections (non-RFC1918)",
"graphStyle": "table",
"query": "dst_ip = * serverHost contains 'ocsf' | let is_external = not net_rfc1918(dst_ip) | filter is_external = true | group hits=count() by dst_ip | sort -hits | limit 15",
"layout": {
"w": 20,
"h": 14,
"x": 40,
"y": 29
}
},
{
"title": "Events by Severity",
"graphStyle": "donut",
"maxPieSlices": 5,
"query": "severity_id = * serverHost contains 'ocsf' | group count() by severity_id | sort -count | limit 5",
"layout": {
"w": 15,
"h": 12,
"x": 0,
"y": 43
}
},
{
"title": "Events by Action",
"graphStyle": "donut",
"maxPieSlices": 6,
"query": "action = * serverHost contains 'ocsf' | group count() by action | sort -count | limit 6",
"layout": {
"w": 15,
"h": 12,
"x": 15,
"y": 43
}
},
{
"title": "Firewall Blocks (24h)",
"graphStyle": "table",
"query": "serverHost contains 'ocsf' (action = 'deny' or action = 'block' or action = 'drop') | group hits=count() by serverHost, src_ip, dst_ip | sort -hits | limit 20",
"layout": {
"w": 30,
"h": 12,
"x": 30,
"y": 43
}
}
]
}
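Review bot: The `source` parameter is declared but no query references it — every panel filters on `serverHost contains 'ocsf'` — so the dropdown the overview markdown tells users to use has no effect; each query needs the parameter placeholder (the dialect's equivalent of `serverHost = #source`, with the `*` default passing through), verify the exact syntax. The `markdown` string uses `\\n`, which a JSON parser decodes to a literal backslash-n rather than a newline, so the table and bullets will render on one line; the threat-detection dashboard in this same commit uses `\n`. As in the other overview dashboard, the failure and block counts key off raw `message`/`action` values and lowercase `status = 'failure'` instead of the normalized `class_uid`/`status_id`/`activity_name` the parsers emit (Windows 4625 becomes `status_id = 2`, WatchGuard writes `Deny` and `Failure` capitalized), so those numbers will undercount.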
+184
@@ -0,0 +1,184 @@
// SentinelOne AI SIEM Parser: SIM Generic Log DSM
// OCSF Schema Version: 1.1.0
// Maps generic syslog-style logs to OCSF classes
// Primary Classes: Base Event (0), Application Activity (6001)
{
"parserName": "SIMGeneric-OCSF",
"version": "1.0.0",
"vendor": "Generic",
"product": "SIM Generic Log",
"format": "syslog",
"patterns": [
// Generic syslog with key=value pairs
{
"pattern": "^(\\w+\\s+\\d+\\s+[\\d:]+)\\s+(\\S+)\\s+(\\S+)\\[(\\d+)\\]:\\s+(\\w+)\\s+(.*)$",
"rewrites": [
{"set": "class_uid", "value": "6001"},
{"set": "class_name", "value": "Application Activity"},
{"set": "category_uid", "value": "6"},
{"set": "category_name", "value": "Application Activity"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Generic Application"},
{"set": "metadata.product.vendor_name", "value": "Unknown"},
{"group": 2, "to": "device.hostname"},
{"group": 3, "to": "app_name"},
{"group": 4, "to": "actor.process.pid"},
// Time
{"group": 1, "to": "time", "transform": "syslogTimestamp"},
// Severity from log level
{"group": 5, "to": "severity"},
{"lookup": "severity", "map": {
"CRITICAL": 5, "FATAL": 6, "ERROR": 4, "WARNING": 3, "WARN": 3,
"INFO": 1, "DEBUG": 0, "TRACE": 0
}, "to": "severity_id"},
// Message
{"group": 6, "to": "message"},
// Extract key=value pairs from message
{"kvExtract": "$6", "to": "unmapped"}
]
},
// Authentication events
{
"pattern": "(login|logon|auth|authentication)",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
// Extract user
{"regex": "user[=:]\\s*(\\S+)", "group": 1, "to": "user.name"},
// Extract source IP
{"regex": "(?:src_ip|ip|from)[=:]\\s*([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
// Extract session
{"regex": "session[_id]*[=:]\\s*(\\S+)", "group": 1, "to": "session.uid"},
// Determine success/failure
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "status_id", "value": "1", "if": "success|successful|accepted"},
{"set": "status", "value": "Success", "if": "success|successful|accepted"},
{"set": "status_id", "value": "2", "if": "fail|failed|denied|invalid"},
{"set": "status", "value": "Failure", "if": "fail|failed|denied|invalid"}
]
},
// File operations
{
"pattern": "(file|upload|download)",
"rewrites": [
{"set": "class_uid", "value": "1001"},
{"set": "class_name", "value": "File Activity"},
// Extract filename
{"regex": "filename[=:]\\s*(\\S+)", "group": 1, "to": "file.name"},
// Extract size
{"regex": "size[_bytes]*[=:]\\s*(\\d+)", "group": 1, "to": "file.size"},
// Extract user
{"regex": "user[=:]\\s*(\\S+)", "group": 1, "to": "actor.user.name"},
// Extract destination
{"regex": "destination[=:]\\s*(\\S+)", "group": 1, "to": "file.path"},
// Activity
{"set": "activity_id", "value": "2", "if": "upload"},
{"set": "activity_name", "value": "Upload", "if": "upload"},
{"set": "activity_id", "value": "3", "if": "download"},
{"set": "activity_name", "value": "Download", "if": "download"}
]
},
// Security alerts
{
"pattern": "(security|alert|attack|injection|malware|threat)",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
// Extract source IP
{"regex": "(?:src_ip|ip)[=:]\\s*([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
// Extract target
{"regex": "(?:target_url|url)[=:]\\s*(\\S+)", "group": 1, "to": "finding_info.src_url"},
// Extract payload
{"regex": "payload[=:]\\s*\"([^\"]+)\"", "group": 1, "to": "finding_info.data_sources"},
// Severity
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"}
]
},
// Configuration changes
{
"pattern": "(config|configuration|setting|changed)",
"rewrites": [
{"set": "class_uid", "value": "5001"},
{"set": "class_name", "value": "Configuration"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Update"},
// Extract setting
{"regex": "setting[=:]\\s*(\\S+)", "group": 1, "to": "config.name"},
// Extract old/new values
{"regex": "old_value[=:]\\s*(\\S+)", "group": 1, "to": "prev_config.value"},
{"regex": "new_value[=:]\\s*(\\S+)", "group": 1, "to": "config.value"},
// Extract who changed
{"regex": "changed_by[=:]\\s*(\\S+)", "group": 1, "to": "actor.user.name"}
]
},
// Service events
{
"pattern": "(service|started|stopped|restart)",
"rewrites": [
{"set": "class_uid", "value": "1006"},
{"set": "class_name", "value": "Service Activity"},
// Extract service name
{"regex": "service_name[=:]\\s*(\\S+)", "group": 1, "to": "service.name"},
// Extract version
{"regex": "version[=:]\\s*(\\S+)", "group": 1, "to": "service.version"},
// Extract port
{"regex": "port[=:]\\s*(\\d+)", "group": 1, "to": "service.port"},
// Extract PID
{"regex": "pid[=:]\\s*(\\d+)", "group": 1, "to": "service.pid"},
// Activity
{"set": "activity_id", "value": "1", "if": "started"},
{"set": "activity_name", "value": "Start", "if": "started"},
{"set": "activity_id", "value": "2", "if": "stopped"},
{"set": "activity_name", "value": "Stop", "if": "stopped"}
]
}
],
"transforms": {
"syslogTimestamp": {
"formats": [
"MMM dd HH:mm:ss",
"MMM d HH:mm:ss"
],
"timezone": "local"
}
}
}
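Review bot: `session[_id]*` and `size[_bytes]*` are character classes, not optional suffixes — `[_id]*` matches any run of `_`, `i`, `d`, so `sessiondi=` matches and the literal `session_id` only matches by accident; write `session(?:_id)?` and `size(?:_bytes)?`. The routing patterns are unanchored substring matches: `(login|logon|auth|authentication)` fires on "author" and "authorization", `(file|upload|download)` on "profile", and `(security|alert|attack|injection|malware|threat)` turns any message mentioning "security" into a Security Finding with `severity_id` 4, while the `(?:src_ip|ip|from)` alternation also matches `vip=` and `zip=`. Word boundaries (`\\b(?:login|logon|auth(?:entication)?)\\b`) would cut most of that noise. Nothing in the file says which pattern wins when several match one line, and since the first pattern matches every well-formed syslog line, all of the later ones overlap with it — the first-match/last-match semantics should be documented at the top of `patterns`.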
+73
@@ -0,0 +1,73 @@
{
"duration": "24h",
"description": "Active threats and detection triggers across OCSF sources",
"graphs": [
{
"title": "About This Dashboard",
"graphStyle": "markdown",
"markdown": "## OCSF Threat Detection\nMonitors suspicious activity patterns across all OCSF-normalized log sources.\n\n**Key Indicators:**\n- Brute force attempts (3+ failed logins)\n- Port scanning (5+ unique ports)\n- Suspicious process execution\n- Lateral movement indicators",
"layout": {
"w": 60,
"h": 6,
"x": 0,
"y": 0
}
},
{
"title": "Brute Force Attempts",
"graphStyle": "table",
"query": "message contains 'Failed password' or message contains 'authentication failure' | group failed_attempts=count() by src_ip, user_name | filter failed_attempts >= 3 | sort -failed_attempts | limit 20",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 6
}
},
{
"title": "Port Scan Sources",
"graphStyle": "table",
"query": "action = 'deny' dstport = * srcip = * | group hits=count() by srcip, dstport | group unique_ports=count() by srcip | filter unique_ports >= 5 | sort -unique_ports | limit 15",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 6
}
},
{
"title": "Suspicious Process Execution",
"graphStyle": "table",
"query": "message contains 'mimikatz' or message contains 'psexec' or message contains 'netcat' or message contains 'reverse shell' or message contains 'powershell -enc' | columns timestamp, serverHost, message | limit 50",
"layout": {
"w": 60,
"h": 14,
"x": 0,
"y": 20
}
},
{
"title": "Lateral Movement Indicators",
"graphStyle": "table",
"query": "(dstport = 22 or dstport = 3389 or dstport = 445 or dstport = 5985) srcip = * | group conns=count() by srcip, dstport | filter conns >= 3 | sort -conns | limit 15",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 34
}
},
{
"title": "C2 Beacon Activity",
"graphStyle": "stacked_bar",
"xAxis": "grouped_data",
"query": "(dstport = 4444 or dstport = 8080 or dstport = 1337) srcip = * | group count() by srcip | sort -count | limit 10",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 34
}
}
]
}
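Review bot: The panels disagree on field names — "Brute Force Attempts" groups by `src_ip`/`user_name` while "Port Scan Sources", "Lateral Movement" and "C2 Beacon" use `srcip`/`dstport` — and neither spelling is what the parsers in this commit emit (`src_endpoint.ip`, `dst_endpoint.port`, `user.name`), so at least some panels will be empty; pick one attribute set and confirm it against ingested data. The brute-force query only sees Linux-style "Failed password" text and misses Windows 4625 events, which the Windows parser normalizes to `status_id = 2` with no such message; `class_uid = 3002 status_id = 2 | group failed_attempts=count() by src_endpoint.ip, user.name | filter failed_attempts >= 3` covers both. The "C2 Beacon Activity" panel includes 8080, a common proxy/alt-HTTP port, and does not exclude denied traffic, so it will mostly surface ordinary web traffic; limiting it to allowed connections to non-RFC1918 destinations (the `net_rfc1918` filter used in the overview dashboard) would make it meaningful.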
+93
@@ -0,0 +1,93 @@
{
"duration": "24h",
"description": "Active threats and detection triggers across OCSF sources",
"parameters": [
{
"name": "severity_filter",
"values": [
{
"label": "All",
"value": "*"
},
{
"label": "Critical Only",
"value": "1"
},
{
"label": "High+",
"value": "1,2"
}
],
"defaultValue": "*"
}
],
"graphs": [
{
"title": "Threat Detection Overview",
"graphStyle": "markdown",
"markdown": "## OCSF Threat Detection\\n\\nMonitors suspicious activity patterns across all OCSF-normalized log sources.\\n\\n**Key Indicators:**\\n- Brute force attempts (3+ failed logins from same IP)\\n- Port scanning (5+ unique destination ports)\\n- Suspicious process execution (mimikatz, psexec, etc.)\\n- Lateral movement (SSH/RDP/SMB from internal IPs)",
"layout": {
"w": 60,
"h": 7,
"x": 0,
"y": 0
}
},
{
"title": "Brute Force Attempts (3+ failures)",
"graphStyle": "table",
"query": "serverHost contains 'ocsf' (message contains 'Failed password' or message contains 'authentication failure') | group failed_attempts=count() by src_ip, user_name | filter failed_attempts >= 3 | sort -failed_attempts | limit 20",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 7
}
},
{
"title": "Port Scan Sources (5+ ports)",
"graphStyle": "table",
"query": "serverHost contains 'ocsf' action = 'deny' dstport = * srcip = * | group hits=count() by srcip, dstport | group unique_ports=count() by srcip | filter unique_ports >= 5 | sort -unique_ports | limit 15",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 7
}
},
{
"title": "Suspicious Process Execution",
"graphStyle": "table",
"query": "serverHost contains 'ocsf' (message contains 'mimikatz' or message contains 'psexec' or message contains 'netcat' or message contains 'reverse shell' or message contains 'powershell -enc' or message contains 'certutil -decode') | columns timestamp, serverHost, message | limit 50",
"layout": {
"w": 60,
"h": 14,
"x": 0,
"y": 21
}
},
{
"title": "Lateral Movement (SSH/RDP/SMB)",
"graphStyle": "table",
"query": "serverHost contains 'ocsf' (dstport = 22 or dstport = 3389 or dstport = 445 or dstport = 5985) srcip = * | group conns=count() by srcip, dstport | filter conns >= 3 | sort -conns | limit 15",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 35
}
},
{
"title": "C2 Beacon Activity (suspicious ports)",
"graphStyle": "stacked_bar",
"xAxis": "grouped_data",
"query": "serverHost contains 'ocsf' (dstport = 4444 or dstport = 8080 or dstport = 1337 or dstport = 6666) srcip = * | group count() by srcip | sort -count | limit 10",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 35
}
}
]
}
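Review bot: The `severity_filter` parameter is never referenced by any query, so "Critical Only" and "High+" do nothing, and its values are inverted relative to the OCSF severity scale the parsers in this commit use (`severity_id` 1 = Informational, 4 = High, 5 = Critical, 6 = Fatal, per the QRadar and SIM Generic lookups): "Critical Only" should be `"5"` and "High+" `"4,5,6"`, applied in each query as the dialect's equivalent of `severity_id in (#severity_filter)` — verify the placeholder syntax. The `markdown` string uses `\\n`, which a JSON parser yields as a literal backslash-n, unlike the `\n` in the other threat-detection dashboard here, so the bullets will render on one line. As in that dashboard, the panels mix `src_ip`/`user_name` with `srcip`/`dstport`, and neither matches the `src_endpoint.ip`/`dst_endpoint.port`/`user.name` attributes the parsers emit.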
+216
@@ -0,0 +1,216 @@
// SentinelOne AI SIEM Parser: WatchGuard Fireware OS
// OCSF Schema Version: 1.1.0
// Maps WatchGuard Firebox logs to OCSF classes
// Primary Classes: Network Activity (4001), Authentication (3002), Security Finding (2001)
{
"parserName": "WatchGuard-OCSF",
"version": "1.0.0",
"vendor": "WatchGuard",
"product": "Fireware OS",
"format": "space-delimited",
"patterns": [
// Firewall traffic logs
{
"pattern": "^(\\d{4}-\\d{2}-\\d{2}\\s+[\\d:]+)\\s+firewall\\s+(Allow|Deny)\\s+([\\d.]+)\\s+([\\d.]+|\\S+)\\s+(\\S+)\\s+(\\d+)\\s+(\\d+)",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
// Activity
{"group": 2, "to": "activity_name"},
{"lookup": "activity_name", "map": {"Allow": 1, "Deny": 2}, "to": "activity_id"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "WatchGuard Fireware"},
{"set": "metadata.product.vendor_name", "value": "WatchGuard"},
// Time
{"group": 1, "to": "time"},
// Endpoints
{"group": 3, "to": "src_endpoint.ip"},
{"group": 4, "to": "dst_endpoint.ip"},
{"group": 6, "to": "src_endpoint.port"},
{"group": 7, "to": "dst_endpoint.port"},
// Protocol/Service
{"group": 5, "to": "connection_info.protocol_name"},
// Extract additional fields
{"regex": "rule_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"},
{"regex": "geo_src=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.location.country"},
{"regex": "geo_dst=\"([^\"]+)\"", "group": 1, "to": "dst_endpoint.location.country"},
{"regex": "proxy_act=\"([^\"]+)\"", "group": 1, "to": "proxy.name"},
{"regex": "msg_id=\"([^\"]+)\"", "group": 1, "to": "metadata.uid"},
// Application info
{"regex": "app_name=\"([^\"]+)\"", "group": 1, "to": "app_name"},
{"regex": "app_cat=\"([^\"]+)\"", "group": 1, "to": "app.category"},
{"regex": "app_behavior=\"([^\"]+)\"", "group": 1, "to": "app.feature.name"},
// Status
{"lookup": "activity_name", "map": {"Allow": 1, "Deny": 2}, "to": "status_id"},
{"lookup": "activity_name", "map": {"Allow": "Success", "Deny": "Failure"}, "to": "status"}
]
},
// IPS signature match
{
"pattern": "IPS\\s+signature_match",
"rewrites": [
{"set": "class_uid", "value": "2004"},
{"set": "class_name", "value": "Detection Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "WatchGuard IPS"},
{"set": "metadata.product.vendor_name", "value": "WatchGuard"},
// Endpoints
{"regex": "signature_match\\s+([\\d.]+)\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "signature_match\\s+([\\d.]+)\\s+([\\d.]+)", "group": 2, "to": "dst_endpoint.ip"},
// Signature info
{"regex": "sig_name=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"},
{"regex": "sig_id=\"([^\"]+)\"", "group": 1, "to": "finding_info.uid"},
{"regex": "sig_vers=\"([^\"]+)\"", "group": 1, "to": "finding_info.version"},
{"regex": "severity=\"([^\"]+)\"", "group": 1, "to": "severity"},
{"regex": "action=\"([^\"]+)\"", "group": 1, "to": "activity_name"},
// Severity mapping
{"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1}, "to": "severity_id"},
// Action mapping
{"lookup": "activity_name", "map": {"block": 2, "drop": 2, "alert": 1, "allow": 0}, "to": "activity_id"},
// Geo
{"regex": "geo_src=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.location.country"}
]
},
// Antivirus detection
{
"pattern": "antivirus\\s+virus_found",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "finding_info.types", "value": ["Malware"]},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "WatchGuard Gateway AntiVirus"},
{"set": "metadata.product.vendor_name", "value": "WatchGuard"},
// Endpoints
{"regex": "virus_found\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
// Malware info
{"regex": "virus_name=\"([^\"]+)\"", "group": 1, "to": "malware.name"},
{"regex": "file_name=\"([^\"]+)\"", "group": 1, "to": "file.name"},
{"regex": "action=\"([^\"]+)\"", "group": 1, "to": "activity_name"},
{"regex": "content_type=\"([^\"]+)\"", "group": 1, "to": "file.type_id"},
{"regex": "md5=\"([^\"]+)\"", "group": 1, "to": "file.hashes.md5"},
{"set": "severity_id", "value": "5"},
{"set": "severity", "value": "Critical"}
]
},
// Authentication events
{
"pattern": "authentication\\s+(auth_success|auth_failure)",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "WatchGuard Fireware"},
{"set": "metadata.product.vendor_name", "value": "WatchGuard"},
// User
{"regex": "user=\"([^\"]+)\"", "group": 1, "to": "user.name"},
{"regex": "domain=\"([^\"]+)\"", "group": 1, "to": "user.domain"},
// Source
{"regex": "auth_\\w+\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
// Auth details
{"regex": "auth_method=\"([^\"]+)\"", "group": 1, "to": "auth_protocol"},
{"regex": "auth_server=\"([^\"]+)\"", "group": 1, "to": "auth_server"},
{"regex": "session_id=\"([^\"]+)\"", "group": 1, "to": "session.uid"},
{"regex": "reason=\"([^\"]+)\"", "group": 1, "to": "status_detail"},
{"regex": "attempts=\"([^\"]+)\"", "group": 1, "to": "attempts"},
// Status
{"set": "status_id", "value": "1", "if": "auth_success"},
{"set": "status", "value": "Success", "if": "auth_success"},
{"set": "status_id", "value": "2", "if": "auth_failure"},
{"set": "status", "value": "Failure", "if": "auth_failure"}
]
},
// System/Config changes
{
"pattern": "system\\s+config_change",
"rewrites": [
{"set": "class_uid", "value": "5001"},
{"set": "class_name", "value": "Configuration"},
{"set": "category_uid", "value": "5"},
{"set": "category_name", "value": "Discovery"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Update"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "WatchGuard Fireware"},
{"set": "metadata.product.vendor_name", "value": "WatchGuard"},
// Actor
{"regex": "admin_user=\"([^\"]+)\"", "group": 1, "to": "actor.user.name"},
{"regex": "config_change\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
// Change details
{"regex": "change_type=\"([^\"]+)\"", "group": 1, "to": "activity_name"},
{"regex": "object_type=\"([^\"]+)\"", "group": 1, "to": "resources.type"},
{"regex": "object_name=\"([^\"]+)\"", "group": 1, "to": "resources.name"},
{"regex": "action=\"([^\"]+)\"", "group": 1, "to": "resources.action"}
]
},
// DLP events
{
"pattern": "dlp\\s+data_leak_prevented",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "finding_info.types", "value": ["Data Loss Prevention"]},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "WatchGuard DLP"},
{"set": "metadata.product.vendor_name", "value": "WatchGuard"},
// Source
{"regex": "data_leak_prevented\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
// DLP details
{"regex": "rule_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"},
{"regex": "pattern_matched=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"},
{"regex": "action=\"([^\"]+)\"", "group": 1, "to": "activity_name"},
{"regex": "user=\"([^\"]+)\"", "group": 1, "to": "actor.user.name"},
{"regex": "file_name=\"([^\"]+)\"", "group": 1, "to": "file.name"},
{"regex": "bytes_blocked=\"([^\"]+)\"", "group": 1, "to": "traffic.bytes"},
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"}
]
}
]
}
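Review bot: In the `config_change` pattern `activity_name` is written three times — the literal `Update`, then the `change_type` capture, then the `action` capture — so the last successful regex wins while `activity_id` stays fixed at 2, leaving the pair inconsistent for any change that is not an update; keep one source (the `change_type` capture) and derive `activity_id` from it with a `lookup`, as the traffic pattern does for Allow/Deny. `class_uid` 5001 with `class_name` "Configuration" does not match OCSF 1.1 as far as I can tell — category 5 is Discovery and 5001 there is Device Inventory Info, with no "Configuration" class — and the same `5001`/"Configuration" pair appears in the SIM Generic parser, so both should be corrected together. `content_type` into `file.type_id` stores a string in an integer enum (`file.type` is the string field), and `attempts`, `auth_server` and `resources.action` are not OCSF attributes; put them under `unmapped` or mark them as vendor extensions in a comment.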
+219
@@ -0,0 +1,219 @@
// SentinelOne AI SIEM Parser: Microsoft Windows Security Event Log
// OCSF Schema Version: 1.1.0
// Maps Windows Security XML events to OCSF classes
// Primary Classes: Authentication (3002), Account Change (3001), Process Activity (1007)
{
"parserName": "WindowsSecurity-OCSF",
"version": "1.0.0",
"vendor": "Microsoft",
"product": "Windows Security",
"format": "xml",
"patterns": [
// Successful Logon (4624)
{
"pattern": "<EventID>4624</EventID>",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "type_uid", "value": "300201"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Windows Security"},
{"set": "metadata.product.vendor_name", "value": "Microsoft"},
{"xpath": "//System/EventRecordID", "to": "metadata.uid"},
{"xpath": "//System/Computer", "to": "metadata.product.feature.name"},
// Time
{"xpath": "//System/TimeCreated/@SystemTime", "to": "time"},
// User (Target)
{"xpath": "//EventData/Data[@Name='TargetUserName']", "to": "user.name"},
{"xpath": "//EventData/Data[@Name='TargetDomainName']", "to": "user.domain"},
{"xpath": "//EventData/Data[@Name='TargetUserSid']", "to": "user.uid"},
{"xpath": "//EventData/Data[@Name='TargetLogonId']", "to": "session.uid"},
// Actor (Subject)
{"xpath": "//EventData/Data[@Name='SubjectUserName']", "to": "actor.user.name"},
{"xpath": "//EventData/Data[@Name='SubjectDomainName']", "to": "actor.user.domain"},
{"xpath": "//EventData/Data[@Name='SubjectUserSid']", "to": "actor.user.uid"},
// Logon type mapping
{"xpath": "//EventData/Data[@Name='LogonType']", "to": "logon_type_id"},
{"lookup": "logon_type_id", "map": {
"2": "Interactive",
"3": "Network",
"4": "Batch",
"5": "Service",
"7": "Unlock",
"8": "NetworkCleartext",
"9": "NewCredentials",
"10": "RemoteInteractive",
"11": "CachedInteractive"
}, "to": "logon_type"},
// Source endpoint
{"xpath": "//EventData/Data[@Name='IpAddress']", "to": "src_endpoint.ip"},
{"xpath": "//EventData/Data[@Name='IpPort']", "to": "src_endpoint.port"},
{"xpath": "//EventData/Data[@Name='WorkstationName']", "to": "src_endpoint.name"},
// Authentication details
{"xpath": "//EventData/Data[@Name='AuthenticationPackageName']", "to": "auth_protocol"},
{"xpath": "//EventData/Data[@Name='LogonProcessName']", "to": "logon_process.name"},
// Process
{"xpath": "//EventData/Data[@Name='ProcessId']", "to": "actor.process.pid"},
{"xpath": "//EventData/Data[@Name='ProcessName']", "to": "actor.process.file.path"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Failed Logon (4625)
{
"pattern": "<EventID>4625</EventID>",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Windows Security"},
{"set": "metadata.product.vendor_name", "value": "Microsoft"},
{"xpath": "//EventData/Data[@Name='TargetUserName']", "to": "user.name"},
{"xpath": "//EventData/Data[@Name='TargetDomainName']", "to": "user.domain"},
{"xpath": "//EventData/Data[@Name='Status']", "to": "status_code"},
{"xpath": "//EventData/Data[@Name='SubStatus']", "to": "status_detail"},
{"xpath": "//EventData/Data[@Name='FailureReason']", "to": "message"},
{"xpath": "//EventData/Data[@Name='IpAddress']", "to": "src_endpoint.ip"},
{"xpath": "//EventData/Data[@Name='WorkstationName']", "to": "src_endpoint.name"},
{"xpath": "//EventData/Data[@Name='LogonType']", "to": "logon_type_id"},
// Severity for failed auth
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
},
// Process Creation (4688)
{
"pattern": "<EventID>4688</EventID>",
"rewrites": [
{"set": "class_uid", "value": "1007"},
{"set": "class_name", "value": "Process Activity"},
{"set": "category_uid", "value": "1"},
{"set": "category_name", "value": "System Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Launch"},
{"set": "type_uid", "value": "100701"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Windows Security"},
{"set": "metadata.product.vendor_name", "value": "Microsoft"},
// Actor
{"xpath": "//EventData/Data[@Name='SubjectUserName']", "to": "actor.user.name"},
{"xpath": "//EventData/Data[@Name='SubjectDomainName']", "to": "actor.user.domain"},
{"xpath": "//EventData/Data[@Name='SubjectUserSid']", "to": "actor.user.uid"},
{"xpath": "//EventData/Data[@Name='SubjectLogonId']", "to": "actor.session.uid"},
// New Process
{"xpath": "//EventData/Data[@Name='NewProcessId']", "to": "process.pid"},
{"xpath": "//EventData/Data[@Name='NewProcessName']", "to": "process.file.path"},
{"xpath": "//EventData/Data[@Name='CommandLine']", "to": "process.cmd_line"},
{"xpath": "//EventData/Data[@Name='TokenElevationType']", "to": "process.integrity"},
// Parent Process
{"xpath": "//EventData/Data[@Name='ProcessId']", "to": "process.parent_process.pid"},
{"xpath": "//EventData/Data[@Name='ParentProcessName']", "to": "process.parent_process.file.path"},
// Labels
{"xpath": "//EventData/Data[@Name='MandatoryLabel']", "to": "process.integrity_id"}
]
},
// Special Privileges (4672)
{
"pattern": "<EventID>4672</EventID>",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Logon: Privileged"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Windows Security"},
{"xpath": "//EventData/Data[@Name='SubjectUserName']", "to": "user.name"},
{"xpath": "//EventData/Data[@Name='SubjectDomainName']", "to": "user.domain"},
{"xpath": "//EventData/Data[@Name='SubjectUserSid']", "to": "user.uid"},
{"xpath": "//EventData/Data[@Name='SubjectLogonId']", "to": "session.uid"},
{"xpath": "//EventData/Data[@Name='PrivilegeList']", "to": "user.privileges"},
{"set": "is_admin", "value": "true"}
]
},
// User Account Created (4720)
{
"pattern": "<EventID>4720</EventID>",
"rewrites": [
{"set": "class_uid", "value": "3001"},
{"set": "class_name", "value": "Account Change"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Create"},
{"set": "type_uid", "value": "300101"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Windows Security"},
// Actor (who created)
{"xpath": "//EventData/Data[@Name='SubjectUserName']", "to": "actor.user.name"},
{"xpath": "//EventData/Data[@Name='SubjectDomainName']", "to": "actor.user.domain"},
{"xpath": "//EventData/Data[@Name='SubjectUserSid']", "to": "actor.user.uid"},
// Target (new account)
{"xpath": "//EventData/Data[@Name='TargetUserName']", "to": "user.name"},
{"xpath": "//EventData/Data[@Name='TargetDomainName']", "to": "user.domain"},
{"xpath": "//EventData/Data[@Name='TargetSid']", "to": "user.uid"},
{"xpath": "//EventData/Data[@Name='SamAccountName']", "to": "user.account.name"},
{"xpath": "//EventData/Data[@Name='DisplayName']", "to": "user.full_name"},
{"xpath": "//EventData/Data[@Name='UserPrincipalName']", "to": "user.email_addr"}
]
}
],
"event_id_mappings": {
"4624": {"class": "Authentication", "activity": "Logon", "status": "Success"},
"4625": {"class": "Authentication", "activity": "Logon", "status": "Failure"},
"4634": {"class": "Authentication", "activity": "Logoff", "status": "Success"},
"4648": {"class": "Authentication", "activity": "Logon: Explicit Credentials"},
"4672": {"class": "Authentication", "activity": "Logon: Privileged"},
"4688": {"class": "Process Activity", "activity": "Launch"},
"4689": {"class": "Process Activity", "activity": "Terminate"},
"4720": {"class": "Account Change", "activity": "Create"},
"4722": {"class": "Account Change", "activity": "Enable"},
"4723": {"class": "Account Change", "activity": "Password Change"},
"4724": {"class": "Account Change", "activity": "Password Reset"},
"4725": {"class": "Account Change", "activity": "Disable"},
"4726": {"class": "Account Change", "activity": "Delete"},
"4728": {"class": "Group Membership", "activity": "Add"},
"4729": {"class": "Group Membership", "activity": "Remove"},
"4732": {"class": "Group Membership", "activity": "Add"},
"4733": {"class": "Group Membership", "activity": "Remove"}
}
}
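Review bot: The `<EventID>4672</EventID>` block sets `activity_id` to `"2"` with `activity_name` `"Logon: Privileged"`, but in the OCSF Authentication class (3002) activity 2 is Logoff, so privileged logons become indistinguishable from the 4634 logoffs that `event_id_mappings` also lists; OCSF has no privileged-logon activity, so `"99"`/`"Other"` with the detail left in `user.privileges` is the defensible choice. That block and the 4625 block also omit the `category_uid`, `category_name` and `type_uid` constants the 4624 block sets, `is_admin` is written as the string `"true"` rather than a boolean, and the 4688 block writes the `MandatoryLabel` SID into `process.integrity_id`, an integer enum field, while `TokenElevationType` lands in the `process.integrity` string. `event_id_mappings` names 17 event IDs while only five have a `patterns` entry, so 4634, 4648, 4689 and 4722–4733 fall through unparsed; a comment such as `// event_id_mappings is reference only: an event is parsed only if it has a patterns entry above` would make that explicit until those patterns exist. The file's `parserName`/`patterns`/`xpath` layout also differs from the `attributes`/`formats`/`mappings` shape used by the other parsers in this commit, so whether the same engine consumes it is worth confirming.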
+289
@@ -0,0 +1,289 @@
{
"attributes": {
"dataSource.vendor": "Ping Identity",
"dataSource.name": "PingOne MFA",
"dataSource.category": "security",
"metadata.product.vendor_name": "Ping Identity",
"metadata.product.name": "PingOne MFA",
"metadata.version": "1.0.0"
},
"formats": [
{
"format": "$unmapped.{parse=json}$",
"rewrites": [
{
"input": "unmapped.timestamp",
"output": "timestamp",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.recordedAt",
"output": "recorded_at",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.user",
"output": "user.email_addr",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.source\\.ip",
"output": "src_endpoint.ip",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.action\\.type",
"output": "activity_name",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.factor",
"output": "mfa_factors",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.result\\.status",
"output": "status_detail",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.description",
"output": "message",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.sessionId",
"output": "session.uid",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.dataSource",
"output": "metadata.product.name",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.dataSource\\.vendor",
"output": "metadata.product.vendor_name",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.dataSource\\.name",
"output": "metadata.product.name",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.dataSource\\.category",
"output": "metadata.product.category",
"match": ".*",
"replace": "$0"
}
]
}
],
"mappings": {
"version": 1,
"mappings": [
{
"predicate": "activity_name = *",
"transformations": [
{
"constant": {
"value": 3002,
"field": "class_uid"
}
},
{
"constant": {
"value": "Authentication",
"field": "class_name"
}
},
{
"constant": {
"value": 3,
"field": "category_uid"
}
},
{
"constant": {
"value": "Identity & Access Management",
"field": "category_name"
}
},
{
"constant": {
"value": 1,
"field": "activity_id",
"predicate": "activity_name = 'MFA.AUTHENTICATE'"
}
},
{
"constant": {
"value": "Logon",
"field": "activity_name",
"predicate": "activity_name = 'MFA.AUTHENTICATE'"
}
},
{
"constant": {
"value": 99,
"field": "activity_id",
"predicate": "activity_name = 'MFA.ENROLL'"
}
},
{
"constant": {
"value": "Other",
"field": "activity_name",
"predicate": "activity_name = 'MFA.ENROLL'"
}
},
{
"constant": {
"value": 1,
"field": "status_id",
"predicate": "status_detail = 'SUCCESS'"
}
},
{
"constant": {
"value": "Success",
"field": "status",
"predicate": "status_detail = 'SUCCESS'"
}
},
{
"constant": {
"value": 2,
"field": "status_id",
"predicate": "status_detail = 'FAILURE'"
}
},
{
"constant": {
"value": "Failure",
"field": "status",
"predicate": "status_detail = 'FAILURE'"
}
},
{
"constant": {
"value": 1,
"field": "severity_id"
}
},
{
"constant": {
"value": "Informational",
"field": "severity"
}
},
{
"constant": {
"value": 300201,
"field": "type_uid"
}
},
{
"copy": {
"from": "user.email_addr",
"to": "user.email_addr"
}
},
{
"copy": {
"from": "user.email_addr",
"to": "user.name"
}
},
{
"copy": {
"from": "src_endpoint.ip",
"to": "src_endpoint.ip"
}
},
{
"copy": {
"from": "mfa_factors",
"to": "mfa_factors"
}
},
{
"copy": {
"from": "session.uid",
"to": "session.uid"
}
},
{
"copy": {
"from": "status_detail",
"to": "status_detail"
}
},
{
"copy": {
"from": "recorded_at",
"to": "recorded_at"
}
},
{
"copy": {
"from": "message",
"to": "message"
}
},
{
"copy": {
"from": "metadata.product.name",
"to": "metadata.product.name"
}
},
{
"copy": {
"from": "metadata.product.vendor_name",
"to": "metadata.product.vendor_name"
}
},
{
"copy": {
"from": "metadata.product.category",
"to": "metadata.product.category"
}
}
]
}
]
},
"observables": {
"fields": [
{
"name": "user.email_addr",
"type": "User"
},
{
"name": "user.name",
"type": "User"
},
{
"name": "src_endpoint.ip",
"type": "IP Address"
},
{
"name": "session.uid",
"type": "Other"
}
]
}
}
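Review bot: `type_uid` is pinned to the constant 300201 for every event, but `activity_id` becomes 99 for `MFA.ENROLL`, so enrollment events carry a type_uid that contradicts their activity (OCSF derives type_uid as class_uid * 100 + activity_id, i.e. 300299 here). Split the constant per action, e.g. `{"constant": {"value": 300201, "field": "type_uid", "predicate": "activity_name = 'MFA.AUTHENTICATE'"}}` and `{"constant": {"value": 300299, "field": "type_uid", "predicate": "activity_name = 'MFA.ENROLL'"}}`, placed before the constants that overwrite `activity_name` in case transformations see the already-mutated record (the engine's evaluation order is not visible here). The PingProtect parser in this commit has the same problem with 300101 against activity ids 5, 3 and 99. The `copy` entries whose `from` equals `to` (`user.email_addr`, `src_endpoint.ip`, `mfa_factors`, …) are no-ops unless the engine uses them to promote fields into the mapped output; a one-line comment stating that intent would save the next reader the question.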
+309
@@ -0,0 +1,309 @@
{
"attributes": {
"dataSource.vendor": "Ping Identity",
"dataSource.name": "PingProtect",
"dataSource.category": "security",
"metadata.product.vendor_name": "Ping Identity",
"metadata.product.name": "PingProtect",
"metadata.version": "1.0.0"
},
"formats": [
{
"format": "$unmapped.{parse=json}$",
"rewrites": [
{
"input": "unmapped.timestamp",
"output": "timestamp",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.recordedAt",
"output": "recorded_at",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.actors\\.client\\.id",
"output": "actor.app.name",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.actors\\.user\\.id",
"output": "actor.user.uid",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.source\\.ip",
"output": "src_endpoint.ip",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.action\\.type",
"output": "activity_name",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.action\\.description",
"output": "activity_desc",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.resources\\.application\\.id",
"output": "resource.uid",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.result\\.status",
"output": "status_detail",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.result\\.description",
"output": "message",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.dataSource",
"output": "metadata.product.name",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.dataSource\\.vendor",
"output": "metadata.product.vendor_name",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.dataSource\\.name",
"output": "metadata.product.name",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.dataSource\\.category",
"output": "metadata.product.category",
"match": ".*",
"replace": "$0"
}
]
}
],
"mappings": {
"version": 1,
"mappings": [
{
"predicate": "activity_name = *",
"transformations": [
{
"constant": {
"value": 3001,
"field": "class_uid"
}
},
{
"constant": {
"value": "Account Change",
"field": "class_name"
}
},
{
"constant": {
"value": 3,
"field": "category_uid"
}
},
{
"constant": {
"value": "Identity & Access Management",
"field": "category_name"
}
},
{
"constant": {
"value": 5,
"field": "activity_id",
"predicate": "activity_name = 'SECRET.READ'"
}
},
{
"constant": {
"value": "Read",
"field": "activity_name",
"predicate": "activity_name = 'SECRET.READ'"
}
},
{
"constant": {
"value": 3,
"field": "activity_id",
"predicate": "activity_name = 'ROLE_ASSIGNMENT.DELETED'"
}
},
{
"constant": {
"value": "Delete",
"field": "activity_name",
"predicate": "activity_name = 'ROLE_ASSIGNMENT.DELETED'"
}
},
{
"constant": {
"value": 99,
"field": "activity_id",
"predicate": "activity_name = 'MFA.CHALLENGE'"
}
},
{
"constant": {
"value": "Other",
"field": "activity_name",
"predicate": "activity_name = 'MFA.CHALLENGE'"
}
},
{
"constant": {
"value": 1,
"field": "status_id",
"predicate": "status_detail = 'SUCCESS'"
}
},
{
"constant": {
"value": "Success",
"field": "status",
"predicate": "status_detail = 'SUCCESS'"
}
},
{
"constant": {
"value": 2,
"field": "status_id",
"predicate": "status_detail = 'FAILURE'"
}
},
{
"constant": {
"value": "Failure",
"field": "status",
"predicate": "status_detail = 'FAILURE'"
}
},
{
"constant": {
"value": 1,
"field": "severity_id"
}
},
{
"constant": {
"value": "Informational",
"field": "severity"
}
},
{
"constant": {
"value": 300101,
"field": "type_uid"
}
},
{
"copy": {
"from": "actor.user.uid",
"to": "actor.user.uid"
}
},
{
"copy": {
"from": "actor.app.name",
"to": "actor.app.name"
}
},
{
"copy": {
"from": "src_endpoint.ip",
"to": "src_endpoint.ip"
}
},
{
"copy": {
"from": "resource.uid",
"to": "resource.uid"
}
},
{
"copy": {
"from": "activity_desc",
"to": "activity_desc"
}
},
{
"copy": {
"from": "status_detail",
"to": "status_detail"
}
},
{
"copy": {
"from": "recorded_at",
"to": "recorded_at"
}
},
{
"copy": {
"from": "message",
"to": "message"
}
},
{
"copy": {
"from": "metadata.product.name",
"to": "metadata.product.name"
}
},
{
"copy": {
"from": "metadata.product.vendor_name",
"to": "metadata.product.vendor_name"
}
},
{
"copy": {
"from": "metadata.product.category",
"to": "metadata.product.category"
}
}
]
}
]
},
"observables": {
"fields": [
{
"name": "actor.user.uid",
"type": "User"
},
{
"name": "actor.app.name",
"type": "Other"
},
{
"name": "src_endpoint.ip",
"type": "IP Address"
},
{
"name": "resource.uid",
"type": "Other"
}
]
}
}
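Review bot: The `activity_id` values do not line up with the OCSF Account Change (3001) enum: there 5 is Disable and 3 is Password Change, while this file labels them `Read` and `Delete` (Delete is 6, and the class has no Read activity). Either keep the class and use the enum ids (`"value": 6` for `ROLE_ASSIGNMENT.DELETED`, `99`/`"Other"` for `SECRET.READ`) or classify `SECRET.READ` under a class that has a read activity; as written, a consumer filtering on activity_id will see a role-assignment deletion as a password change. `type_uid` has the same constant-versus-variable-activity issue raised on the PingOne MFA parser in this commit.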
+85
@@ -0,0 +1,85 @@
{
attributes: {
"dataSource.vendor": "Proofpoint",
"dataSource.category": "security"
},
formats: [
{
id: "format1",
format: "${parse=dottedjson}$"
rewrites: [
{input: "messageTime", output: "timestamp", match: ".*", replace: "$0"},
{input: "clickTime", output: "unmapped.clickTime", match: ".*", replace: "$0"},
{input: "threatsInfoMap", output: "unmapped.threatsInfoMap", match: ".*", replace: "$0"},
{input: "messageParts", output: "unmapped.messageParts", match: ".*", replace: "$0"},
{input: "quarantineFolder", output: "unmapped.quarantineFolder", match: ".*", replace: "$0"},
{input: "impostorScore", output: "unmapped.impostorScore", match: ".*", replace: "$0"},
{input: "phishScore", output: "unmapped.phishScore", match: ".*", replace: "$0"},
{input: "policyRoutes", output: "unmapped.policyRoutes", match: ".*", replace: "$0"},
{input: "threatStatus", output: "unmapped.threatStatus", match: ".*", replace: "$0"},
{input: "threatsInfoMap[0].threatStatus", output: "unmapped.threatStatus", match: ".*", replace: "$0"},
{input: "classification", output: "unmapped.classification", match: ".*", replace: "$0"},
{input: "threatsInfoMap[0].classification", output: "unmapped.classification", match: ".*", replace: "$0"},
{input: "sender", output: "unmapped.sender", match: ".*", replace: "$0"},
{input: "recipient", output: "unmapped.recipient", match: ".*", replace: "$0"},
{input: "sender", output: "email.from", match: ".*", replace: "$0"},
{input: "fromAddress[0]", output: "email.from", match: ".*", replace: "$0"},
{input: "fromAddress", output: "email.from", match: ".*", replace: "$0"},
{input: "recipient", output: "email.to", match: ".*", replace: "$0"},
{input: "toAddresses[0]", output: "email.to", match: ".*", replace: "$0"},
{input: "toAddresses", output: "email.to", match: ".*", replace: "$0"},
{input: "recipient", output: "actor.user.name", match: ".*", replace: "$0"},
{input: "toAddresses[0]", output: "actor.user.name", match: ".*", replace: "$0"},
{input: "toAddresses", output: "actor.user.name", match: ".*", replace: "$0"},
{input: "messageSize", output: "email.size", match: ".*", replace: "$0"},
{input: "headerFrom", output: "email.smtp_from", match: ".*", replace: "$0"},
{input: "oext", output: "oext", match: ".*", replace: "$0"},
{input: "mod", output: "mod", match: ".*", replace: "$0"}
]
}
],
mappings: {
version: 1,
mappings: [
{
predicate: "clickTime = * OR clickIP = * OR threatURL = *",
transformations: [
{ constant: { field: "dataSource.name", value: "Proofpoint" } },
{ constant: { field: "event.type", value: "Click" } },
{ copy: { from: "fromAddress[0]", to: "email.from" } },
{ copy: { from: "toAddresses[0]", to: "email.to" } },
{ copy: { from: "toAddresses[0]", to: "actor.user.name" } },
{ copy: { from: "recipient", to: "actor.user.name" } }
]
},
{
predicate: "messageTime = * OR messageParts = * OR threatsInfoMap = *",
transformations: [
{ constant: { field: "dataSource.name", value: "Proofpoint" } },
{ constant: { field: "event.type", value: "Email" } },
{ copy: { from: "fromAddress[0]", to: "email.from" } },
{ copy: { from: "toAddresses[0]", to: "email.to" } },
{ copy: { from: "toAddresses[0]", to: "actor.user.name" } },
{ copy: { from: "recipient", to: "actor.user.name" } }
]
},
{
predicate: "true",
transformations: [
{ constant: { field: "dataSource.name", value: "Proofpoint" } },
{ constant: { field: "event.type", value: "Other" } },
]
}
]
}
}
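Review bot: The `format1` object is missing the comma after `format: "${parse=dottedjson}$"` before `rewrites:`, so even a relaxed JSON/JSON5 reader will reject the file; `format: "${parse=dottedjson}$",` fixes it. The trailing comma after the last `constant` under `predicate: "true"` and the unquoted keys are only valid if the engine accepts JSON5-style input, which the Sophos and Avelios parsers in the same commit suggest but nothing on the page confirms. `recipient`, `toAddresses[0]` and `toAddresses` all write `actor.user.name`, so the effective value depends on the engine's rewrite order; a comment naming the intended precedence (e.g. `// precedence: toAddresses[0], then toAddresses, then recipient`) would document it.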
+1
@@ -0,0 +1 @@
{"keys": {"a": "1"}}
+12
@@ -0,0 +1,12 @@
{
searches: [
{
title: "marc - Impossible traveller 2",
url: "/events/pq?_scopeId=2387775029058663326&_scopeLevel=site&_categoryId=eventSearch&startTime=4+hours&endTime=NOW&filter=%7C+sql+join+baseline+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%7C+columns+actor.user.email_addr%2C+device.ip%2C+geo_ip_state%28device.ip%29%0A%7C+group+login_freq_by_state%3Dcount%28%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2Cstate%3Dgeo_ip_state%28device.ip%29%0A%7C+columns+email_addr%2Cstate%2Clogin_freq_by_state%0A%2F%2Fthe+sort+below+is+necessary+because+it+ensure+that+the+order+of+rows+is+preserved+when+using+array_ag++%0A%7C+sort+%2Bemail_addr%2C-login_freq_by_state%0A%7C+group+baseline_login_freq_by_state%3Dmax%28login_freq_by_state%29%2C+states%3Darray_agg%28state%29+by+email_addr%0A%7C+columns+email_addr%2Cstate%3Darray_get%28states%2C0%29%2Cbaseline_login_freq_by_state%0A%29%2C%0Alogons+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%2F%2F%7C+columns+actor.user.email_addr%2C+unmapped.UserId%2C+event.type%2C+device.ip%2C+geo_ip_state%28device.ip%29%0A%7C+group+deviation_login_count%3Dcount%28event.type%29%2Cdeviation_ip_addresses%3Darray_agg_distinct%28device.ip%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2C+deviation_country%3Dgeo_ip_country%28device.ip%29%2C+state%3Dgeo_ip_state%28device.ip%29%0A%29+on+baseline.email_addr%3D%3Dlogons.email_addr%0A%7Cfilter+baseline.state%21%3Dlogons.state%0A%7C+columns+email_addr%2Cbaseline.state%2C+baseline_login_freq_by_state%2Cdeviation_login_source%3Dformat%28%22%25s+%28%25s%29%22%2Clogons.state%2Cdeviation_country%29%2Cdeviation_login_count%2C+deviation_ip_addresses"
},
{
title: "marc - Impossible traveller IP tets",
url: "/events/pq?_scopeId=2387775029058663326&_scopeLevel=site&_categoryId=eventSearch&startTime=72+hours&endTime=NOW&filter=%7C+sql+join+baseline+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%7C+columns+actor.user.email_addr%2C+device.ip%0A%7C+group+login_freq_by_ip%3Dcount%28%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2Cdevice.ip%0A%7C+columns+email_addr%2Cdevice.ip%2Clogin_freq_by_ip%0A%2F%2Fthe+sort+below+is+necessary+because+it+ensure+that+the+order+of+rows+is+preserved+when+using+array_ag++%0A%7C+sort+%2Bemail_addr%2C-login_freq_by_ip%0A%7C+group+baseline_login_freq_by_ip%3Dmax%28login_freq_by_ip%29%2C+ips%3Darray_agg%28device.ip%29+by+email_addr%0A%7C+columns+email_addr%2Cip%3Darray_get%28ips%2C0%29%2Cbaseline_login_freq_by_ip%0A%29%2C%0Alogons+%3D+%28%0AdataSource.vendor%3D%27Microsoft%27+dataSource.category+%3D+%27security%27+event.type%3D%27Logon%27%0A%2F%2F%7C+columns+actor.user.email_addr%2C+unmapped.UserId%2C+event.type%2C+device.ip%0A%7C+group+deviation_login_count%3Dcount%28event.type%29%2Cdeviation_ip_addresses%3Darray_agg_distinct%28device.ip%29+by+email_addr%3Dlower%28actor.user.email_addr%29%2C+deviation_ip%3Ddevice.ip%29+on+baseline.email_addr%3D%3Dlogons.email_addr%0A"
}
]
}
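Review bot: Both saved-search URLs embed a fixed `_scopeId=2387775029058663326` with `_scopeLevel=site`, so this fixture only works against one tenant site and commits that site's identifier to the repository; if the file is meant to be reusable, the scope should be supplied at load time (e.g. a `<SCOPE_ID>` placeholder substituted by the consuming tool) rather than the literal value. The titles are personal (`marc - …`) and the second contains the typo `tets`. A short header comment stating what consumes this file and whether the queries are examples or active content would help, since nothing on the page says.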
+466
@@ -0,0 +1,466 @@
{
"attributes": {
"dataSource.vendor": "SentinelOne",
"dataSource.name": "SentinelOne",
"dataSource.category": "security",
"metadata.product.vendor_name": "SentinelOne",
"metadata.product.name": "EDR",
"metadata.version": "1.0.0"
},
"formats": [
{
"format": "$unmapped.{parse=json}$",
"rewrites": [
{
"input": "unmapped.event\\.time",
"output": "timestamp",
"match": ".*",
"replace": "$0"
}
]
}
],
"mappings": {
"version": 1,
"mappings": [
{
"predicate": "true",
"transformations": [
{
"constant": {
"value": 1001,
"field": "class_uid"
}
},
{
"constant": {
"value": "Process Activity",
"field": "class_name"
}
},
{
"constant": {
"value": 1,
"field": "category_uid"
}
},
{
"constant": {
"value": "System Activity",
"field": "category_name"
}
},
{
"copy": {
"from": "unmapped.event\\.time",
"to": "time"
}
},
{
"replace": {
"field": "time",
"regexp": "(\\d+)\\d{3}",
"replacement": "$1"
}
},
{
"copy": {
"from": "unmapped.event\\.id",
"to": "metadata.uid"
}
},
{
"copy": {
"from": "unmapped.event\\.type",
"to": "message"
}
},
{
"copy": {
"from": "unmapped.event\\.category",
"to": "category_name"
}
},
{
"copy": {
"from": "unmapped.meta\\.event\\.name",
"to": "activity_name"
}
},
{
"copy": {
"from": "unmapped.endpoint\\.name",
"to": "device.hostname"
}
},
{
"copy": {
"from": "unmapped.endpoint\\.os",
"to": "device.os.name"
}
},
{
"copy": {
"from": "unmapped.endpoint\\.type",
"to": "device.type"
}
},
{
"copy": {
"from": "unmapped.agent\\.uuid",
"to": "device.uid"
}
},
{
"copy": {
"from": "unmapped.agent\\.version",
"to": "device.agent_list[0].version"
}
},
{
"copy": {
"from": "unmapped.site\\.id",
"to": "device.location.uid"
}
},
{
"copy": {
"from": "unmapped.site\\.name",
"to": "device.location.desc"
}
},
{
"copy": {
"from": "unmapped.account\\.id",
"to": "device.org.uid"
}
},
{
"copy": {
"from": "unmapped.account\\.name",
"to": "device.org.name"
}
},
{
"copy": {
"from": "unmapped.os\\.name",
"to": "device.os.name"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.name",
"to": "process.name"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.pid",
"to": "process.pid"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.uid",
"to": "process.uid"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.user",
"to": "process.user.name"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.cmdline",
"to": "process.cmd_line"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.displayName",
"to": "process.name"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.image\\.path",
"to": "process.file.path"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.image\\.sha1",
"to": "process.file.hashes[0].value"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.image\\.sha256",
"to": "process.file.hashes[1].value"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.image\\.size",
"to": "process.file.size"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.parent\\.name",
"to": "process.parent_process.name"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.parent\\.pid",
"to": "process.parent_process.pid"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.parent\\.uid",
"to": "process.parent_process.uid"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.parent\\.cmdline",
"to": "process.parent_process.cmd_line"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.parent\\.image\\.path",
"to": "process.parent_process.file.path"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.parent\\.image\\.sha1",
"to": "process.parent_process.file.hashes[0].value"
}
},
{
"copy": {
"from": "unmapped.src\\.process\\.parent\\.image\\.sha256",
"to": "process.parent_process.file.hashes[1].value"
}
},
{
"copy": {
"from": "unmapped.tgt\\.process\\.uid",
"to": "actor.process.uid"
}
},
{
"copy": {
"from": "unmapped.tgt\\.process\\.cmdline",
"to": "actor.process.cmd_line"
}
},
{
"copy": {
"from": "unmapped.tgt\\.process\\.user",
"to": "actor.user.name"
}
},
{
"copy": {
"from": "unmapped.tgt\\.file\\.path",
"to": "file.path"
}
},
{
"copy": {
"from": "unmapped.tgt\\.file\\.size",
"to": "file.size"
}
},
{
"copy": {
"from": "unmapped.src\\.ip\\.address",
"to": "src_endpoint.ip"
}
},
{
"copy": {
"from": "unmapped.src\\.port\\.number",
"to": "src_endpoint.port"
}
},
{
"copy": {
"from": "unmapped.dst\\.ip\\.address",
"to": "dst_endpoint.ip"
}
},
{
"copy": {
"from": "unmapped.dst\\.port\\.number",
"to": "dst_endpoint.port"
}
},
{
"copy": {
"from": "unmapped.event\\.network\\.direction",
"to": "connection_info.direction"
}
},
{
"copy": {
"from": "unmapped.event\\.network\\.connectionStatus",
"to": "connection_info.status"
}
},
{
"copy": {
"from": "unmapped.event\\.network\\.protocolName",
"to": "connection_info.protocol_name"
}
},
{
"copy": {
"from": "unmapped.indicator\\.category",
"to": "finding.title"
}
},
{
"copy": {
"from": "unmapped.indicator\\.name",
"to": "finding.desc"
}
},
{
"copy": {
"from": "unmapped.indicator\\.description",
"to": "finding.message"
}
},
{
"copy": {
"from": "unmapped.registry\\.keyPath",
"to": "registry.key"
}
},
{
"copy": {
"from": "unmapped.registry\\.value",
"to": "registry.value"
}
},
{
"copy": {
"from": "unmapped.cmdScript\\.content",
"to": "process.cmd_line"
}
},
{
"copy": {
"from": "unmapped.threadId",
"to": "process.tid"
}
},
{
"copy": {
"from": "unmapped.session",
"to": "process.session.uid"
}
},
{
"constant": {
"value": "SHA1",
"field": "process.file.hashes[0].type_id",
"predicate": "unmapped.src\\.process\\.image\\.sha1 != \"\""
}
},
{
"constant": {
"value": "SHA256",
"field": "process.file.hashes[1].type_id",
"predicate": "unmapped.src\\.process\\.image\\.sha256 != \"\""
}
},
{
"constant": {
"value": "SHA1",
"field": "process.parent_process.file.hashes[0].type_id",
"predicate": "unmapped.src\\.process\\.parent\\.image\\.sha1 != \"\""
}
},
{
"constant": {
"value": "SHA256",
"field": "process.parent_process.file.hashes[1].type_id",
"predicate": "unmapped.src\\.process\\.parent\\.image\\.sha256 != \"\""
}
},
{
"constant": {
"value": 1,
"field": "activity_id"
}
},
{
"constant": {
"value": 1,
"field": "severity_id"
}
},
{
"constant": {
"value": 1,
"field": "status_id"
}
}
]
}
]
},
"observables": {
"fields": [
{
"name": "device.hostname",
"type": "Hostname"
},
{
"name": "process.name",
"type": "Process Name"
},
{
"name": "process.user.name",
"type": "User"
},
{
"name": "process.file.path",
"type": "File Name"
},
{
"name": "process.file.hashes[0].value",
"type": "File Hash"
},
{
"name": "process.file.hashes[1].value",
"type": "File Hash"
},
{
"name": "src_endpoint.ip",
"type": "IP Address"
},
{
"name": "dst_endpoint.ip",
"type": "IP Address"
},
{
"name": "file.path",
"type": "File Name"
},
{
"name": "registry.key",
"type": "Other"
}
]
}
}
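Review bot: `class_uid` 1001 is paired with `class_name` `"Process Activity"`, but in OCSF 1001 is File System Activity; Process Activity is 1007, which is what the Windows Security parser in this same commit uses, so the two files disagree on the uid for the same class name and `"value": 1001` should become `"value": 1007`. The hash entries write the strings `"SHA1"`/`"SHA256"` into `hashes[n].type_id`; in OCSF the fingerprint object's enum field is `algorithm_id` with integer values (2 for SHA-1, 3 for SHA-256) and the name belongs in `algorithm`, so these fields will not validate as written. Because the single mapping uses `"predicate": "true"` with `activity_id` and `status_id` fixed to 1, every SentinelOne record, including the network, registry and file events this file also maps, is emitted as a Process Activity launch; a comment stating that this is a deliberate first cut, or per-`meta.event.name` predicates, would make the scope clear. The later `copy` of `unmapped.event\\.category` into `category_name` also overwrites the `"System Activity"` constant set above it, and `process.name` and `device.os.name` are each written twice, so the second source silently wins.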
+447
@@ -0,0 +1,447 @@
{
attributes: {
"metadata.version": "2.0.0",
"dataSource.vendor": "Sophos",
"dataSource.name": "Sophos Firewall",
"dataSource.category": "security",
"metadata.product.vendor_name": "Sophos",
"metadata.product.name": "Sophos Firewall",
"metadata.log_provider": "syslog",
"severity_id": 1,
"severity": "Informational"
},
patterns: {
tsval: "[^\"]+",
qval: "[^\"]+",
nqval: "[^ ]+",
ip: "\\d+\\.\\d+\\.\\d+\\.\\d+",
mac: "[0-9A-Fa-f:]+",
num: "\\d+",
rest: ".*"
},
formats: [
// FIREWALL ALLOWED - match log_type="Firewall" and log_subtype="Allowed"
{
id: "fw_allow",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic",
type_uid: 400106,
disposition_id: 1, disposition: "Allowed"
},
format: ".*log_type=\"Firewall\".*log_subtype=\"Allowed\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*protocol=\"$protocol=qval$\".*",
rewrites: [
{ input: "message", output: "src_port", match: ".*src_port=$v=num$.*" },
{ input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" },
{ input: "message", output: "fw_rule", match: ".*fw_rule_name=\"$v=qval$\".*" },
{ input: "message", output: "src_zone", match: ".*src_zone=\"$v=qval$\".*" },
{ input: "message", output: "dst_zone", match: ".*dst_zone=\"$v=qval$\".*" },
{ input: "message", output: "src_mac", match: ".*src_mac=\"$v=mac$\".*" },
{ input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" }
],
halt: true
},
// FIREWALL DENIED
{
id: "fw_deny",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 6, activity_name: "Traffic",
type_uid: 400106,
disposition_id: 2, disposition: "Blocked",
severity_id: 3, severity: "Medium"
},
format: ".*log_type=\"Firewall\".*log_subtype=\"Denied\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*protocol=\"$protocol=qval$\".*",
rewrites: [
{ input: "message", output: "src_port", match: ".*src_port=$v=num$.*" },
{ input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" },
{ input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" }
],
halt: true
},
// IPS DETECT
{
id: "ips_detect",
attributes: {
class_uid: 4002, class_name: "Detection Finding",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Create",
type_uid: 400201,
severity_id: 3, severity: "Medium"
},
format: ".*log_type=\"IDP\".*log_subtype=\"Detect\".*",
rewrites: [
{ input: "message", output: "sig_id", match: ".*signature_id=$v=num$.*" },
{ input: "message", output: "sig_msg", match: ".*signature_msg=\"$v=qval$\".*" },
{ input: "message", output: "src_ip", match: ".*src_ip=$v=ip$.*" },
{ input: "message", output: "dst_ip", match: ".*dst_ip=$v=ip$.*" },
{ input: "message", output: "src_port", match: ".*src_port=$v=num$.*" },
{ input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" },
{ input: "message", output: "protocol", match: ".*protocol=\"$v=qval$\".*" },
{ input: "message", output: "classification", match: ".*classification=\"$v=qval$\".*" },
{ input: "message", output: "category", match: ".*category=\"$v=qval$\".*" },
{ input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" }
],
halt: true
},
// IPS DROP
{
id: "ips_drop",
attributes: {
class_uid: 4002, class_name: "Detection Finding",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Create",
type_uid: 400201,
disposition_id: 2, disposition: "Blocked",
severity_id: 4, severity: "High"
},
format: ".*log_type=\"IDP\".*log_subtype=\"Drop\".*",
rewrites: [
{ input: "message", output: "sig_id", match: ".*signature_id=$v=num$.*" },
{ input: "message", output: "sig_msg", match: ".*signature_msg=\"$v=qval$\".*" },
{ input: "message", output: "src_ip", match: ".*src_ip=$v=ip$.*" },
{ input: "message", output: "dst_ip", match: ".*dst_ip=$v=ip$.*" },
{ input: "message", output: "src_port", match: ".*src_port=$v=num$.*" },
{ input: "message", output: "dst_port", match: ".*dst_port=$v=num$.*" },
{ input: "message", output: "protocol", match: ".*protocol=\"$v=qval$\".*" },
{ input: "message", output: "classification", match: ".*classification=\"$v=qval$\".*" },
{ input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" }
],
halt: true
},
// ATP THREAT
{
id: "atp",
attributes: {
class_uid: 4002, class_name: "Detection Finding",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Create",
type_uid: 400201,
severity_id: 4, severity: "High"
},
format: ".*log_type=\"ATP\".*",
rewrites: [
{ input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
{ input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
{ input: "message", output: "malware", match: ".*malware=\"$v=qval$\".*" },
{ input: "message", output: "threatfeed", match: ".*threatfeed=\"$v=qval$\".*" },
{ input: "message", output: "protocol", match: ".*protocol=\"$v=qval$\".*" },
{ input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" }
],
halt: true
},
// AUTH SUCCESS
{
id: "auth_ok",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
activity_id: 1, activity_name: "Logon",
type_uid: 300201,
status_id: 1, status: "Success"
},
format: ".*log_subtype=\"Authentication\".*status=\"Successful\".*",
rewrites: [
{ input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
{ input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
{ input: "message", output: "auth_comp", match: ".*log_component=\"$v=qval$\".*" },
{ input: "message", output: "user_grp", match: ".*user_group=\"$v=qval$\".*" },
{ input: "message", output: "auth_mech", match: ".*auth_mechanism=\"$v=qval$\".*" },
{ input: "message", output: "client", match: ".*client_used=\"$v=qval$\".*" }
],
halt: true
},
// AUTH FAILURE
{
id: "auth_fail",
attributes: {
class_uid: 3002, class_name: "Authentication",
category_uid: 3, category_name: "Identity & Access Management",
activity_id: 1, activity_name: "Logon",
type_uid: 300201,
status_id: 2, status: "Failure",
severity_id: 3, severity: "Medium"
},
format: ".*log_subtype=\"Authentication\".*status=\"Failed\".*",
rewrites: [
{ input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
{ input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
{ input: "message", output: "auth_comp", match: ".*log_component=\"$v=qval$\".*" },
{ input: "message", output: "reason", match: ".*reason=\"$v=qval$\".*" },
{ input: "message", output: "auth_mech", match: ".*auth_mechanism=\"$v=qval$\".*" }
],
halt: true
},
// IPSEC ESTABLISHED
{
id: "ipsec_up",
attributes: {
class_uid: 4014, class_name: "Tunnel Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Open",
type_uid: 401401,
status_id: 1, status: "Success"
},
format: ".*log_component=\"IPSec\".*status=\"Established\".*",
rewrites: [
{ input: "message", output: "con_name", match: ".*con_name=\"$v=qval$\".*" },
{ input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
{ input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
{ input: "message", output: "local_net", match: ".*local_network=\"$v=qval$\".*" },
{ input: "message", output: "remote_net", match: ".*remote_network=\"$v=qval$\".*" }
],
halt: true
},
// IPSEC TERMINATED
{
id: "ipsec_down",
attributes: {
class_uid: 4014, class_name: "Tunnel Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 2, activity_name: "Close",
type_uid: 401402
},
format: ".*log_component=\"IPSec\".*status=\"Terminated\".*",
rewrites: [
{ input: "message", output: "con_name", match: ".*con_name=\"$v=qval$\".*" },
{ input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
{ input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
{ input: "message", output: "local_net", match: ".*local_network=\"$v=qval$\".*" },
{ input: "message", output: "remote_net", match: ".*remote_network=\"$v=qval$\".*" }
],
halt: true
},
// DHCP
{
id: "dhcp",
attributes: {
class_uid: 4004, class_name: "DHCP Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Lease",
type_uid: 400401
},
format: ".*log_component=\"DHCP Server\".*",
rewrites: [
{ input: "message", output: "client_ip", match: ".*reported_ip=\"$v=ip$\".*" },
{ input: "message", output: "client_mac", match: ".*src_mac=\"$v=mac$\".*" },
{ input: "message", output: "hostname", match: ".*reported_host=\"$v=qval$\".*" },
{ input: "message", output: "lease_time", match: ".*lease_time=$v=num$.*" },
{ input: "message", output: "dhcp_status", match: ".*status=\"$v=qval$\".*" }
],
halt: true
},
// ANTIVIRUS - full format with all fields
{
id: "av_full",
attributes: {
class_uid: 4002, class_name: "Detection Finding",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Create",
type_uid: 400201,
severity_id: 4, severity: "High"
},
format: ".*log_type=\"Anti-Virus\".*virus=\"$malware=qval$\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*filename=\"$filename=qval$\".*url=\"$url=qval$\".*user=\"$user=qval$\".*",
halt: true
},
// ANTIVIRUS - minimal (virus, src, dst only)
{
id: "av_min",
attributes: {
class_uid: 4002, class_name: "Detection Finding",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Create",
type_uid: 400201,
severity_id: 4, severity: "High"
},
format: ".*log_type=\"Anti-Virus\".*virus=\"$malware=qval$\".*src_ip=\"$src_ip=ip$\".*dst_ip=\"$dst_ip=ip$\".*",
halt: true
},
// WEB FILTER ALLOWED
{
id: "web_allow",
attributes: {
class_uid: 4007, class_name: "Web Resources Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Access",
type_uid: 400701,
disposition_id: 1, disposition: "Allowed"
},
format: ".*log_type=\"Content Filtering\".*log_subtype=\"Allowed\".*",
rewrites: [
{ input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
{ input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
{ input: "message", output: "url", match: ".*url=\"$v=qval$\".*" },
{ input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
{ input: "message", output: "category", match: ".*category=\"$v=qval$\".*" }
],
halt: true
},
// WEB FILTER DENIED
{
id: "web_deny",
attributes: {
class_uid: 4007, class_name: "Web Resources Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Access",
type_uid: 400701,
disposition_id: 2, disposition: "Blocked",
severity_id: 2, severity: "Low"
},
format: ".*log_type=\"Content Filtering\".*log_subtype=\"Denied\".*",
rewrites: [
{ input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
{ input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
{ input: "message", output: "url", match: ".*url=\"$v=qval$\".*" },
{ input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
{ input: "message", output: "category", match: ".*category=\"$v=qval$\".*" },
{ input: "message", output: "reason", match: ".*reason=\"$v=qval$\".*" }
],
halt: true
},
// SSL VPN CONNECT
{
id: "sslvpn_up",
attributes: {
class_uid: 4014, class_name: "Tunnel Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Open",
type_uid: 401401
},
format: ".*log_component=\"SSL VPN\".*status=\"Connected\".*",
rewrites: [
{ input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
{ input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
{ input: "message", output: "tunnel_ip", match: ".*tunnel_ip=\"$v=ip$\".*" }
],
halt: true
},
// SSL VPN DISCONNECT
{
id: "sslvpn_down",
attributes: {
class_uid: 4014, class_name: "Tunnel Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 2, activity_name: "Close",
type_uid: 401402
},
format: ".*log_component=\"SSL VPN\".*status=\"Disconnected\".*",
rewrites: [
{ input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
{ input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
{ input: "message", output: "bytes_sent", match: ".*bytes_sent=$v=num$.*" },
{ input: "message", output: "bytes_recv", match: ".*bytes_received=$v=num$.*" }
],
halt: true
},
// WAF
{
id: "waf",
attributes: {
class_uid: 4007, class_name: "Web Resources Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 1, activity_name: "Access",
type_uid: 400701,
severity_id: 3, severity: "Medium"
},
format: ".*log_type=\"WAF\".*",
rewrites: [
{ input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
{ input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
{ input: "message", output: "url", match: ".*url=\"$v=qval$\".*" },
{ input: "message", output: "reason", match: ".*reason=\"$v=qval$\".*" }
],
halt: true
},
// FALLBACK - extract common fields from any Sophos log
{
id: "fallback",
attributes: {
class_uid: 4001, class_name: "Network Activity",
category_uid: 4, category_name: "Network Activity",
activity_id: 0, activity_name: "Unknown",
type_uid: 400100
},
format: "$body=rest$",
rewrites: [
{ input: "message", output: "log_type", match: ".*log_type=\"$v=qval$\".*" },
{ input: "message", output: "log_comp", match: ".*log_component=\"$v=qval$\".*" },
{ input: "message", output: "subtype", match: ".*log_subtype=\"$v=qval$\".*" },
{ input: "message", output: "src_ip", match: ".*src_ip=\"$v=ip$\".*" },
{ input: "message", output: "dst_ip", match: ".*dst_ip=\"$v=ip$\".*" },
{ input: "message", output: "user", match: ".*user=\"$v=qval$\".*" },
{ input: "message", output: "dev", match: ".*device_name=\"$v=qval$\".*" }
]
}
],
mappings: {
version: 1,
mappings: [
{
transformations: [
{ rename: { from: "src_ip", to: "src_endpoint.ip" } },
{ rename: { from: "dst_ip", to: "dst_endpoint.ip" } },
{ rename: { from: "src_port", to: "src_endpoint.port" } },
{ rename: { from: "dst_port", to: "dst_endpoint.port" } },
{ rename: { from: "src_mac", to: "src_endpoint.mac" } },
{ rename: { from: "protocol", to: "connection_info.protocol_name" } },
{ rename: { from: "bytes_sent", to: "traffic.bytes_out" } },
{ rename: { from: "bytes_recv", to: "traffic.bytes_in" } },
{ rename: { from: "user", to: "actor.user.name" } },
{ rename: { from: "user_grp", to: "actor.user.groups" } },
{ rename: { from: "auth_mech", to: "auth_protocol" } },
{ rename: { from: "fw_rule", to: "unmapped.fw_rule_name" } },
{ rename: { from: "src_zone", to: "src_endpoint.zone" } },
{ rename: { from: "dst_zone", to: "dst_endpoint.zone" } },
{ rename: { from: "in_iface", to: "src_endpoint.interface_name" } },
{ rename: { from: "out_iface", to: "dst_endpoint.interface_name" } },
{ rename: { from: "sig_id", to: "finding_info.uid" } },
{ rename: { from: "sig_msg", to: "finding_info.title" } },
{ rename: { from: "classification", to: "finding_info.types" } },
{ rename: { from: "category", to: "unmapped.category" } },
{ rename: { from: "malware", to: "malware.name" } },
{ rename: { from: "threatfeed", to: "unmapped.threatfeed" } },
{ rename: { from: "url", to: "http_request.url.original" } },
{ rename: { from: "filename", to: "file.name" } },
{ rename: { from: "con_name", to: "unmapped.connection_name" } },
{ rename: { from: "local_net", to: "unmapped.local_network" } },
{ rename: { from: "remote_net", to: "unmapped.remote_network" } },
{ rename: { from: "client_ip", to: "dst_endpoint.ip" } },
{ rename: { from: "client_mac", to: "dst_endpoint.mac" } },
{ rename: { from: "hostname", to: "dst_endpoint.hostname" } },
{ rename: { from: "tunnel_ip", to: "unmapped.tunnel_ip" } },
{ rename: { from: "auth_comp", to: "unmapped.auth_component" } },
{ rename: { from: "log_type", to: "unmapped.log_type" } },
{ rename: { from: "log_comp", to: "unmapped.log_component" } },
{ rename: { from: "subtype", to: "unmapped.log_subtype" } },
{ rename: { from: "reason", to: "unmapped.reason" } },
{ rename: { from: "client", to: "unmapped.client_used" } },
{ rename: { from: "dhcp_status", to: "unmapped.dhcp_status" } },
{ rename: { from: "lease_time", to: "unmapped.lease_time" } },
{ rename: { from: "dev", to: "device.name" } },
{ rename: { from: "body", to: "unmapped.raw_body" } }
]
}
]
}
}
+33
@@ -0,0 +1,33 @@
{
attributes: {
"metadata.version": "1.0.0",
"dataSource.vendor": "Sophos",
"dataSource.name": "Sophos EDR",
"dataSource.category": "security",
"Category": "security",
"metadata.product.vendor_name": "Sophos",
"metadata.product.name": "Endpoint Detection and Response",
"metadata.log_provider": "api",
"class_uid": 2001,
"class_name": "Security Finding",
"severity_id": 2,
"severity": "Low"
},
formats: [
{
format: ".*\\{.*\\}.*",
rewrites: [
{ input: "message", output: "sophos.name", match: ".*\"name\":\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "sophos.type", match: ".*\"type\":\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "sophos.severity", match: ".*\"severity\":\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "sophos.group", match: ".*\"group\":\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "sophos.dhost", match: ".*\"dhost\":\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "sophos.suser", match: ".*\"suser\":\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "sophos.endpoint_id", match: ".*\"endpoint_id\":\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "sophos.customer_id", match: ".*\"customer_id\":\\s*\"([^\"]+)\".*", replace: "$1" },
{ input: "message", output: "src_endpoint.ip", match: ".*\"ip\":\\s*\"([^\"]+)\".*", replace: "$1" }
]
}
]
}
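Review bot: `severity_id` and `severity` are pinned to 2/"Low" in the attributes block while the alert's own level is only copied into `sophos.severity`, so every Sophos EDR detection lands as Low regardless of what the product reported, and anything ranking on severity_id will under-weight them. The match/replace form already used in this file can carry the level across, e.g. `{ input: "sophos.severity", output: "severity_id", match: "high", replace: "4" }` with matching rows for medium and for the `severity` label; the exact value set the feed emits (low/medium/high, possibly critical) should be confirmed before the table is written. Separately, each rewrite is a greedy `.*"key":\s*"([^"]+)".*` over the raw JSON text, which takes the last occurrence of the key in the document and stops at an escaped quote in a value, so a nested object that also has a `name` or `ip` key silently wins; the last parser in this commit uses `$=json{parse=dottedJson}$`, which would be the more robust way to read this payload if the loader supports it for this source.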
+58
@@ -0,0 +1,58 @@
{
// specify a time zone if the timestamps in your log are not in GMT
timezone: "Europe/Paris",
attributes: {
"dataSource.category": "security",
"dataSource.name": "Stormshield",
"dataSource.vendor": "Stormshield",
"class_name": "Network Activity",
"class_id": 4001
},
patterns: {
tsPattern: "\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}"
},
formats: [
{
format: ".*time=\"$timestamp=tsPattern$\""
},
{
format: ".*$_$=$unmapped._$ ",
repeat: true
},
{
format: "^.*",
rewrites: [
{
"input": "unmapped.src",
"output": "src_endpoint.ip",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.srcport",
"output": "src_endpoint.port",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.dst",
"output": "dst_endpoint.ip",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.dstport",
"output": "dst_endpoint.port",
"match": ".*",
"replace": "$0"
},
{
"input": "unmapped.user",
"output": "actor.user.name",
"match": ".*",
"replace": "$0"
},
]
}
]
}
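Review bot: The attributes block sets `"class_id": 4001`, while the other parsers in this commit and the dashboard queries use `class_uid` (`filter( class_uid == 4001 )`), so Stormshield events would fall outside those filters; this reads as a typo for the OCSF key and should be `"class_uid": 4001`. The final rewrite object is followed by a trailing comma before the closing `]`, which a strict loader rejects and which the sibling parser files avoid; drop it unless the definition loader is known to be lenient. The rewrites copy `unmapped.src`, `unmapped.srcport` and friends into endpoint fields with `match: ".*"` and no type constraint, whereas the Sophos parsers narrow with `$v=ip$` / `$v=num$`; if the `$_$=$unmapped._$` scan can pick a `src=` token out of free text, the endpoint fields end up holding arbitrary strings, so a `$v=ip$`-style match on those two rewrites would be cheap insurance.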
+204
@@ -0,0 +1,204 @@
{
"duration": "24h",
"description": "Healthcare UEBA \u2014 auth, TI/Konnektor, data-transfer, SMC-B/HBA card ops. Powered by ueba/01..12 feature extractors.",
"graphs": [
{
"title": "Auth events (24h)",
"graphStyle": "number",
"query": "| filter( class_uid == 3002 )\n| group n = count()",
"layout": {
"w": 15,
"h": 6,
"x": 0,
"y": 0
}
},
{
"title": "Auth failures (24h)",
"graphStyle": "number",
"query": "| filter( class_uid == 3002 )\n| parse '\"outcome\": \"$outcome{regex=[^\"]+}$\"' from message\n| group n = count( outcome == \"failure\" )",
"layout": {
"w": 15,
"h": 6,
"x": 15,
"y": 0
}
},
{
"title": "Konnektor disconnects (24h)",
"graphStyle": "number",
"query": "| filter( class_uid == 4001 )\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group n = count( event_type == \"KONNEKTOR_DISCONNECTED\" )",
"layout": {
"w": 15,
"h": 6,
"x": 30,
"y": 0
}
},
{
"title": "Certs expired/expiring (24h)",
"graphStyle": "number",
"query": "| filter( class_uid == 4001 )\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group n = count( event_type == \"CERTIFICATE_EXPIRED\" or event_type == \"CERTIFICATE_EXPIRING\" )",
"layout": {
"w": 15,
"h": 6,
"x": 45,
"y": 0
}
},
{
"title": "Auth success vs failure (hourly)",
"graphStyle": "line",
"query": "| filter( class_uid == 3002 )\n| parse '\"outcome\": \"$outcome{regex=[^\"]+}$\"' from message\n| group\n success = count( outcome == \"success\" ),\n failure = count( outcome == \"failure\" )\n by hour = timebucket('1 hour')\n| sort hour",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 6
}
},
{
"title": "Konnektor health (hourly)",
"graphStyle": "line",
"query": "| filter( class_uid == 4001 )\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n connected = count( event_type == \"KONNEKTOR_CONNECTED\" ),\n disconnected = count( event_type == \"KONNEKTOR_DISCONNECTED\" ),\n vpn_failed = count( event_type == \"VPN_TUNNEL_FAILED\" )\n by hour = timebucket('1 hour')\n| sort hour",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 6
}
},
{
"title": "Top users by auth failures",
"graphStyle": "table",
"query": "| filter( class_uid == 3002 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"outcome\": \"$outcome{regex=[^\"]+}$\"' from message\n| group fails = count( outcome == \"failure\" ) by user\n| filter user = *\n| sort - fails\n| limit 20",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 20
}
},
{
"title": "Top users by password reset / lockout",
"graphStyle": "table",
"query": "| filter( class_uid == 3002 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n pwd_reset = count( event_type == \"PASSWORD_RESET_REQUEST\" ),\n locked = count( event_type == \"ACCOUNT_LOCKED\" )\n by user\n| filter user = *\n| sort - locked\n| limit 20",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 20
}
},
{
"title": "Top Konnektor hosts by VPN failures",
"graphStyle": "table",
"query": "| filter( class_uid == 4001 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group vpn_failed = count( event_type == \"VPN_TUNNEL_FAILED\" ) by host\n| filter host = *\n| sort - vpn_failed\n| limit 20",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 34
}
},
{
"title": "Cert lifecycle by host",
"graphStyle": "table",
"query": "| filter( class_uid == 4001 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n expired = count( event_type == \"CERTIFICATE_EXPIRED\" ),\n expiring = count( event_type == \"CERTIFICATE_EXPIRING\" ),\n valid = count( event_type == \"CERTIFICATE_VALID\" )\n by host\n| filter host = *\n| sort - expired, - expiring\n| limit 20",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 34
}
},
{
"title": "HL7 / FHIR / Exports by user",
"graphStyle": "table",
"query": "| filter( class_uid == 4001 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n hl7_recv = count( event_type == \"HL7_MESSAGE_RECEIVED\" ),\n hl7_sent = count( event_type == \"HL7_MESSAGE_SENT\" ),\n fhir = count( event_type == \"FHIR_API_REQUEST\" ),\n exports = count( event_type == \"DATA_EXPORT_COMPLETED\" )\n by user\n| filter user = *\n| sort - exports, - hl7_recv\n| limit 20",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 48
}
},
{
"title": "Total records exported by user (24h)",
"graphStyle": "table",
"query": "| filter( class_uid == 4001 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"record_count\": $record_count{regex=[0-9]+}$' from message\n| group total_records = sum( record_count ) by user\n| filter user = *\n| sort - total_records\n| limit 20",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 48
}
},
{
"title": "External destinations by user",
"graphStyle": "table",
"query": "| filter( class_uid == 4001 )\n| parse '\"username\": \"$user{regex=[^\"]+}$\"' from message\n| parse '\"destination\": \"$dest{regex=[^\"]+}$\"' from message\n| group external = count( dest == \"External Specialist\" ) by user, dest\n| filter user = *\n| filter dest = *\n| sort - external\n| limit 20",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 62
}
},
{
"title": "Auth failures by role (24h)",
"graphStyle": "table",
"query": "| filter( class_uid == 3002 )\n| parse '\"role\": \"$role{regex=[^\"]+}$\"' from message\n| parse '\"outcome\": \"$outcome{regex=[^\"]+}$\"' from message\n| group fails = count( outcome == \"failure\" ) by role\n| filter role = *\n| sort - fails",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 62
}
},
{
"title": "SMC-B PIN events per Konnektor host",
"graphStyle": "table",
"query": "| filter( class_uid == 3002 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n pin_verified = count( event_type == \"CARD_PIN_VERIFIED\" ),\n pin_failed = count( event_type == \"CARD_PIN_FAILED\" ),\n pin_blocked = count( event_type == \"CARD_PIN_BLOCKED\" )\n by host\n| filter host = *\n| sort - pin_failed, - pin_blocked\n| limit 20",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 76
}
},
{
"title": "QES signatures + decryptions per host",
"graphStyle": "table",
"query": "| filter( class_uid == 3002 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n signatures = count( event_type == \"CARD_SIGNATURE_CREATED\" ),\n decryptions = count( event_type == \"CARD_DECRYPTION_SUCCESS\" ),\n auth_success = count( event_type == \"CARD_AUTHENTICATION_SUCCESS\" ),\n auth_failed = count( event_type == \"CARD_AUTHENTICATION_FAILED\" )\n by host\n| filter host = *\n| sort - signatures\n| limit 20",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 76
}
},
{
"title": "Account lockouts by hospital",
"graphStyle": "table",
"query": "| filter( class_uid == 3002 )\n| parse '\"hospital_id\": \"$hospital{regex=[^\"]+}$\"' from message\n| parse '\"event_type\": \"$event_type{regex=[^\"]+}$\"' from message\n| group\n locked = count( event_type == \"ACCOUNT_LOCKED\" ),\n unlocked = count( event_type == \"ACCOUNT_UNLOCKED\" ),\n pwd_reset = count( event_type == \"PASSWORD_RESET_REQUEST\" )\n by hospital\n| filter hospital = *\n| sort - locked",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 90
}
},
{
"title": "High/Critical severity events per host",
"graphStyle": "table",
"query": "| filter( class_uid == 3002 or class_uid == 4001 )\n| parse '\"hostname\": \"$host{regex=[^\"]+}$\"' from message\n| parse '\"severity\": \"$severity{regex=[^\"]+}$\"' from message\n| group high_sev = count( severity == \"HIGH\" or severity == \"CRITICAL\" ) by host\n| filter host = *\n| sort - high_sev\n| limit 20",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 90
}
}
]
}
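Review bot: Every `parse` in these queries anchors on the literal `": "` (one space after the colon) inside `message`, so a compactly serialized event (`"outcome":"failure"`) never matches and the failure, lockout and Konnektor-disconnect tiles read 0 without any error — an easy-to-miss gap on a 24h board. The Sophos EDR parser in this same commit allows `\s*` after the colon; the same allowance here, or filtering on the attribute the parser already extracts instead of re-parsing `message`, removes the dependence on the producer's whitespace. The `[^"]+` captures also stop at an escaped quote inside a username or hostname and then misattribute the row, which is acceptable only if the source guarantees such characters never occur — worth one sentence in `description` either way. The uppercase `"HIGH"` / `"CRITICAL"` comparison in the last panel likewise assumes the raw event's casing; if the feed emits title-case the panel is always empty.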
+1
@@ -0,0 +1 @@
{"columnNames": ["alert_id", "created_at", "entity_type", "entity_id", "family", "severity", "score", "explanation", "status"], "rows": [["risk-1778716800000000000-host-omniconnect-fra-01.local", 1778791804244494080, "host", "omniconnect-fra-01.local", "risk", "high", 82.61, "daily_risk=82.61 (>70)", "new"], ["risk-1778630400000000000-host-omniconnect-mun-01.local", 1778791804244494080, "host", "omniconnect-mun-01.local", "risk", "high", 83.27, "daily_risk=83.27 (>70)", "new"], ["risk-1778716800000000000-host-omniconnect-mun-01.local", 1778791804244494080, "host", "omniconnect-mun-01.local", "risk", "high", 88.22, "daily_risk=88.22 (>70)", "new"]]}
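Review bot: `created_at` is written as a 19-digit nanosecond epoch number (`1778791804244494080`), above 2^53, so JavaScript, jq and most JSON consumers round it on read, and the trailing `…494080` looks like a value that has already been through a double once; the `date` column in the score fixture below has the same shape. If these rows come out of the UEBA feature extractors the fix belongs there: emit nanosecond timestamps as strings, or as millisecond/second integers with the unit in the column name, and keep the composite `alert_id` derived from the same value.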
+1
@@ -0,0 +1 @@
{"columnNames": ["entity_type", "entity_id", "date", "score"], "rows": [["user", ".anna.schmidt", 1778630400000000000, 23.57], ["user", ".anna.schmidt", 1778716800000000000, 56.48], ["user", "lab.tech.sarah.koch", 1778630400000000000, 48.55], ["user", "lab.tech.sarah.koch", 1778716800000000000, 61.95], ["user", "nurse.maria.m\\u00fcller", 1778630400000000000, 52.32], ["user", "nurse.maria.m\\u00fcller", 1778716800000000000, 67.04], ["user", "pharmacist.hans.meyer", 1778630400000000000, 42.16], ["user", "pharmacist.hans.meyer", 1778716800000000000, 64.47], ["user", ".lisa.bauer", 1778630400000000000, 24.49], ["user", ".lisa.bauer", 1778716800000000000, 55.79], ["user", ".thomas.weber", 1778630400000000000, 54.25], ["user", ".thomas.weber", 1778716800000000000, 67.04], ["user", "admin.klaus.fischer", 1778630400000000000, 34.64], ["user", "admin.klaus.fischer", 1778716800000000000, 48.64], ["user", "billing.clerk.peter.wolf", 1778630400000000000, 65.91], ["user", "billing.clerk.peter.wolf", 1778716800000000000, 65.91], ["host", "avelios-app-01.berlin.local", 1778630400000000000, 42.63], ["host", "avelios-app-01.berlin.local", 1778716800000000000, 42.63], ["host", "avelios-app-01.munich.local", 1778630400000000000, 18.38], ["host", "avelios-app-01.munich.local", 1778716800000000000, 41.11], ["host", "avelios-app-02.berlin.local", 1778630400000000000, 28.14], ["host", "avelios-app-02.berlin.local", 1778716800000000000, 46.88], ["host", "avelios-app-02.munich.local", 1778630400000000000, 26.0], ["host", "avelios-app-02.munich.local", 1778716800000000000, 39.0], ["host", "avelios-app-03.berlin.local", 1778630400000000000, 48.65], ["host", "avelios-app-03.berlin.local", 1778716800000000000, 56.72], ["host", "avelios-int-01.berlin.local", 1778630400000000000, 18.39], ["host", "avelios-int-01.berlin.local", 1778716800000000000, 47.35], ["host", "avelios-app-03.munich.local", 1778630400000000000, 63.69], ["host", "avelios-app-03.munich.local", 1778716800000000000, 45.03], 
["host", "avelios-int-01.munich.local", 1778630400000000000, 13.0], ["host", "avelios-int-01.munich.local", 1778716800000000000, 40.04], ["host", "omniconnect-ber-01.local", 1778630400000000000, 39.19], ["host", "omniconnect-ber-01.local", 1778716800000000000, 59.07], ["host", "omniconnect-fra-01.local", 1778630400000000000, 59.55], ["host", "omniconnect-fra-01.local", 1778716800000000000, 82.61], ["host", "omniconnect-mun-01.local", 1778630400000000000, 83.27], ["host", "omniconnect-mun-01.local", 1778716800000000000, 88.22], ["host", "omniconnect-ham-01.local", 1778630400000000000, 42.69], ["host", "omniconnect-ham-01.local", 1778716800000000000, 64.57]]}
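Review bot: The `entity_id` `"nurse.maria.m\\u00fcller"` is double-escaped — as JSON it decodes to the literal characters `m\u00fcller` (a backslash followed by `u00fc`), not `müller`, so this entity will never join with the username the auth parser ingests; the single-escaped `\u2014` in the dashboard description shows the intended form. The peer-group fixture and the featureB3/featureD3/featF_same/featG_same fixtures carry the same spelling, so they agree with each other but not with the real entity, which is the kind of mismatch that quietly drops one user out of every peer comparison. The likely cause is serializing an already-escaped string a second time in whatever produces these rows; the file should hold `"nurse.maria.m\u00fcller"` or the literal `ü`.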
+1
@@ -0,0 +1 @@
{"columnNames": ["entity_type", "entity_id", "peer_id"], "rows": [["user", ".thomas.weber", "role=Physician|hosp=HOSP-003"], ["user", "admin.klaus.fischer", "role=SystemAdmin|hosp=HOSP-003"], ["user", "billing.clerk.peter.wolf", "role=BillingClerk|hosp=HOSP-001"], ["user", "nurse.maria.m\\u00fcller", "role=Nurse|hosp=HOSP-001"], ["user", "nurse.maria.m\\u00fcller", "role=Nurse|hosp=HOSP-002"], ["user", "nurse.maria.m\\u00fcller", "role=Nurse|hosp=HOSP-003"], ["user", "pharmacist.hans.meyer", "role=Pharmacist|hosp=HOSP-001"], ["user", "pharmacist.hans.meyer", "role=Pharmacist|hosp=HOSP-003"], ["host", "avelios-app-01.berlin.local", "host_fam=avelios|loc=Berlin"], ["host", "avelios-app-03.berlin.local", "host_fam=avelios|loc=Berlin"], ["host", "avelios-app-03.munich.local", "host_fam=avelios|loc=Munich"], ["host", "avelios-int-01.berlin.local", "host_fam=avelios|loc=Berlin"], ["host", "avelios-int-01.munich.local", "host_fam=avelios|loc=Munich"], ["host", "omniconnect-ber-01.local", "host_fam=omniconnect|loc=unknown"], ["host", "omniconnect-ber-01.local", "host_fam=omniconnect|loc=Berlin"], ["host", "omniconnect-fra-01.local", "host_fam=omniconnect|loc=unknown"], ["host", "omniconnect-fra-01.local", "host_fam=omniconnect|loc=Frankfurt"], ["host", "omniconnect-ham-01.local", "host_fam=omniconnect|loc=unknown"], ["host", "omniconnect-ham-01.local", "host_fam=omniconnect|loc=Hamburg"], ["host", "omniconnect-mun-01.local", "host_fam=omniconnect|loc=unknown"], ["host", "omniconnect-mun-01.local", "host_fam=omniconnect|loc=Munich"]]}
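Review bot: Every omniconnect host appears twice, once under `host_fam=omniconnect|loc=unknown` and once under its resolved location, so each of those hosts is a member of two peer groups at the same time and the `loc=unknown` group is made up entirely of hosts that do have a location. If that is a fallback group by design it deserves a word in the generator; if it is the extractor emitting a row before location resolution and again after, the unresolved rows should be dropped, since they dilute the per-location baseline these scores are compared against.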
+4
@@ -0,0 +1,4 @@
{
"columnNames": [],
"rows": []
}
+13
@@ -0,0 +1,13 @@
{
"columnNames": ["entity_id", "feature_name", "value"],
"rows": [
[".anna.schmidt", "featureD3", 16],
[".lisa.bauer", "featureD3", 9],
[".thomas.weber", "featureD3", 18],
["admin.klaus.fischer", "featureD3", 17],
["billing.clerk.peter.wolf", "featureD3", 19],
["lab.tech.sarah.koch", "featureD3", 9],
["nurse.maria.m\\u00fcller", "featureD3", 16],
["pharmacist.hans.meyer", "featureD3", 17]
]
}
+13
@@ -0,0 +1,13 @@
{
"columnNames": ["entity_id", "feature_name", "value"],
"rows": [
[".anna.schmidt", "featureB3", 16],
[".lisa.bauer", "featureB3", 9],
[".thomas.weber", "featureB3", 18],
["admin.klaus.fischer", "featureB3", 17],
["billing.clerk.peter.wolf", "featureB3", 19],
["lab.tech.sarah.koch", "featureB3", 9],
["nurse.maria.m\\u00fcller", "featureB3", 16],
["pharmacist.hans.meyer", "featureB3", 17]
]
}
+13
@@ -0,0 +1,13 @@
{
"columnNames": ["entity_id", "feature_name", "value"],
"rows": [
[".anna.schmidt", "featF_same", 16],
[".lisa.bauer", "featF_same", 9],
[".thomas.weber", "featF_same", 18],
["admin.klaus.fischer", "featF_same", 17],
["billing.clerk.peter.wolf", "featF_same", 19],
["lab.tech.sarah.koch", "featF_same", 9],
["nurse.maria.m\\u00fcller", "featF_same", 16],
["pharmacist.hans.meyer", "featF_same", 17]
]
}
+13
@@ -0,0 +1,13 @@
{
"columnNames": ["entity_id", "feature_name", "value"],
"rows": [
[".anna.schmidt", "featG_same", 16],
[".lisa.bauer", "featG_same", 9],
[".thomas.weber", "featG_same", 18],
["admin.klaus.fischer", "featG_same", 17],
["billing.clerk.peter.wolf", "featG_same", 19],
["lab.tech.sarah.koch", "featG_same", 9],
["nurse.maria.m\\u00fcller", "featG_same", 16],
["pharmacist.hans.meyer", "featG_same", 17]
]
}
+19
@@ -0,0 +1,19 @@
{
// specify a time zone if the timestamps in your log are not in GMT
// timezone: "GMT-0800"
formats: [
{
id: "format1",
format: ".*$=json{parse=dottedJson}$"
rewrites: [
{input: "TimestampConnectionEnd", output: "timestamp", match: ".*", replace: "$0"}
// moved upstread wher it is more efficient
{input: "message", output: "message", match: "(.*\")(\\{\"\\w+\".*)", replace: "$2"}
]
}
]
}
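Review bot: The `format:` line has no comma before `rewrites:`, and the two rewrite objects are not separated by a comma either (only the comment sits between them), so a strict JSON-with-comments loader rejects this parser while the sibling files in the commit are well-formed; suggest `format: ".*$=json{parse=dottedJson}$",` and `{input: "TimestampConnectionEnd", output: "timestamp", match: ".*", replace: "$0"},`. The second rewrite strips everything before the first `{"word"` from `message`, yet its comment says this step was moved upstream where it is more efficient — if it did move, the entry is dead and should go; if it did not, the comment is misleading (and `upstread wher` is a typo). Whether rewrites run before or after the `$=json$` format consumes `message` is not stated in the file, and that is exactly what a one-line comment on this entry should say.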