mirror of
https://github.com/marcredhat/SIEM-toolkit-patched
synced 2026-06-11 05:41:19 +00:00
Sync upstream features; preserve fork KV scanner, parsers, verifier
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).
Preserved fork additions:
backend/routers/quality.py KV scanner, pattern refs, JS keys, JSON mode,
/parsers + /sync-from-sdl endpoints
parsers/ 96 OCSF + tenant parsers
tools/stormshield-verify/ end-to-end ingest regression test
.gitignore un-ignored parsers/*
CHANGES.md, PATCHES.md
This commit is contained in:
marc
@@ -0,0 +1,58 @@
|
||||
{
|
||||
// QRadar JSON parser — OCSF v1.3.0
|
||||
attributes: {
|
||||
"metadata.version": "1.3.0",
|
||||
"metadata.product.vendor_name": "IBM",
|
||||
"metadata.product.name": "QRadar",
|
||||
"Category": "siem",
|
||||
"dataSource.vendor": "IBM",
|
||||
"dataSource.name": "QRadar",
|
||||
"dataSource.category": "siem",
|
||||
"category_uid": 4,
|
||||
"category_name": "Network Activity",
|
||||
"class_uid": 4001,
|
||||
"class_name": "Network Activity",
|
||||
"activity_id": 6,
|
||||
"type_uid": 400106,
|
||||
"status_id": 1,
|
||||
"status": "Success",
|
||||
"severity_id": 1,
|
||||
"severity": "Informational"
|
||||
},
|
||||
|
||||
formats: [
|
||||
{
|
||||
format: "$=json{parse=json}$",
|
||||
halt: true,
|
||||
rewrites: [
|
||||
{ input: "sourceIP", output: "src_endpoint.ip", match: ".*", replace: "$0" },
|
||||
{ input: "sourceIP", output: "src_ip", match: ".*", replace: "$0" },
|
||||
{ input: "sourcePort", output: "src_endpoint.port", match: ".*", replace: "$0" },
|
||||
{ input: "destinationIP", output: "dst_endpoint.ip", match: ".*", replace: "$0" },
|
||||
{ input: "destinationIP", output: "dst_ip", match: ".*", replace: "$0" },
|
||||
{ input: "destinationPort", output: "dst_endpoint.port", match: ".*", replace: "$0" },
|
||||
{ input: "protocol", output: "connection_info.protocol_name", match: ".*", replace: "$0" },
|
||||
{ input: "username", output: "actor.user.name", match: ".*", replace: "$0" },
|
||||
{ input: "username", output: "user_name", match: ".*", replace: "$0" },
|
||||
{ input: "category", output: "metadata.event_type", match: ".*", replace: "$0" },
|
||||
|
||||
// QRadar magnitude → severity
|
||||
{ input: "magnitude", output: "severity_id", match: "^[1-3]$", replace: "2" },
|
||||
{ input: "magnitude", output: "severity_id", match: "^[4-6]$", replace: "3" },
|
||||
{ input: "magnitude", output: "severity_id", match: "^[7-8]$", replace: "4" },
|
||||
{ input: "magnitude", output: "severity_id", match: "^(9|10)$", replace: "5" },
|
||||
|
||||
// Detection Finding for "Suspicious" / "Authentication" categories
|
||||
{ input: "category", output: "class_uid", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "2004" },
|
||||
{ input: "category", output: "class_name", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "Detection Finding" },
|
||||
{ input: "category", output: "category_uid", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "2" },
|
||||
{ input: "category", output: "category_name", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "Findings" },
|
||||
{ input: "category", output: "type_uid", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "200401" },
|
||||
{ input: "category", output: "finding_title", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "$0" },
|
||||
{ input: "category", output: "finding_info.title", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "$0" },
|
||||
{ input: "category", output: "severity_id", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "4" },
|
||||
{ input: "category", output: "severity", match: "(?i)^.*(Suspicious|Malware|Exploit|Brute).*$", replace: "High" }
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
Reference in New Issue
Block a user