Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-08 12:33:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Sync upstream features; preserve fork KV scanner, parsers, verifier

Browse Source 
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
This commit is contained in:
marc
2026-05-22 18:19:52 +02:00
parent a7ebcac9a6
commit 7c1687efce
102 changed files with 13912 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files
parsers/ocsf-f5-bigip
+223
View File
@@ -0,0 +1,223 @@
// SentinelOne AI SIEM Parser: AMS - F5 Network Big IP
// OCSF Schema Version: 1.1.0
// Maps F5 BIG-IP LTM/ASM/APM logs to OCSF classes
// Primary Classes: HTTP Activity (4002), Security Finding (2001), Network Activity (4001)
{
"parserName": "F5BigIP-OCSF",
"version": "1.0.0",
"vendor": "F5 Networks",
"product": "BIG-IP",
"format": "syslog",
"patterns": [
// iRule HTTP Request logs
{
"pattern": "Rule\\s+(/\\S+)\\s+<HTTP_REQUEST>:",
"rewrites": [
{"set": "class_uid", "value": "4002"},
{"set": "class_name", "value": "HTTP Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Request"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP LTM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
// Client
{"regex": "Client\\s+([\\d.]+):(\\d+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "Client\\s+([\\d.]+):(\\d+)", "group": 2, "to": "src_endpoint.port"},
// VIP
{"regex": "VIP\\s+([\\d.]+):(\\d+)", "group": 1, "to": "dst_endpoint.ip"},
{"regex": "VIP\\s+([\\d.]+):(\\d+)", "group": 2, "to": "dst_endpoint.port"},
// Pool/Member
{"regex": "Pool\\s+(\\S+)", "group": 1, "to": "dst_endpoint.svc_name"},
{"regex": "Member\\s+([\\d.]+):(\\d+)", "group": 1, "to": "dst_endpoint.intermediate_ips"},
// HTTP details
{"regex": "URI\\s+(\\S+)", "group": 1, "to": "http_request.url.path"},
{"regex": "Method\\s+(\\w+)", "group": 1, "to": "http_request.http_method"},
{"regex": "Host\\s+(\\S+)", "group": 1, "to": "http_request.url.hostname"},
{"regex": "User-Agent\\s+(.+?)(?:\\s+\\w+=|$)", "group": 1, "to": "http_request.user_agent"}
]
},
// iRule Security blocks
{
"pattern": "Rule\\s+(/\\S+)\\s+<HTTP_REQUEST>:\\s+BLOCKED",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Block"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP iRule"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
// Extract attack info
{"regex": "BLOCKED\\s+-\\s+(.+?)\\s+Client", "group": 1, "to": "finding_info.title"},
{"regex": "Client\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "URI\\s+(\\S+)", "group": 1, "to": "finding_info.src_url"},
{"regex": "Pattern matched:\\s+(.+?)$", "group": 1, "to": "finding_info.desc"},
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"}
]
},
// SSL Handshake failures
{
"pattern": "SSL Handshake failed",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "activity_id", "value": "6"},
{"set": "activity_name", "value": "Fail"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP SSL"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 2, "to": "src_endpoint.port"},
{"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 3, "to": "dst_endpoint.ip"},
{"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 4, "to": "dst_endpoint.port"},
{"regex": "-\\s+(.+)$", "group": 1, "to": "status_detail"},
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
},
// APM Session events
{
"pattern": "apmd\\[\\d+\\]:",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
// Session
{"regex": ":Common:(\\w+):", "group": 1, "to": "session.uid"},
// User
{"regex": "User:\\s+(\\S+)", "group": 1, "to": "user.name"},
// Client IP
{"regex": "Client IP:\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
// Activity based on message
{"set": "activity_id", "value": "1", "if": "Session created|session created"},
{"set": "activity_name", "value": "Logon", "if": "Session created|session created"},
{"set": "activity_id", "value": "2", "if": "Session terminated|terminated"},
{"set": "activity_name", "value": "Logoff", "if": "Session terminated|terminated"},
// Status
{"set": "status_id", "value": "1", "if": "Allow|Success|success"},
{"set": "status", "value": "Success", "if": "Allow|Success|success"},
{"set": "status_id", "value": "2", "if": "Deny|failed|failure"},
{"set": "status", "value": "Failure", "if": "Deny|failed|failure"}
]
},
// ASM (WAF) logs
{
"pattern": "ASM:",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP ASM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
// Parse ASM fields
{"regex": "unit_hostname=\"([^\"]+)\"", "group": 1, "to": "device.hostname"},
{"regex": "management_ip_address=\"([^\"]+)\"", "group": 1, "to": "device.ip"},
{"regex": "policy_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"},
{"regex": "violations=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"},
{"regex": "request_status=\"([^\"]+)\"", "group": 1, "to": "activity_name"},
{"regex": "response_code=\"([^\"]+)\"", "group": 1, "to": "http_response.code"},
{"regex": "ip_client=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.ip"},
{"regex": "method=\"([^\"]+)\"", "group": 1, "to": "http_request.http_method"},
{"regex": "protocol=\"([^\"]+)\"", "group": 1, "to": "connection_info.protocol_name"},
{"regex": "uri=\"([^\"]+)\"", "group": 1, "to": "http_request.url.path"},
{"regex": "sig_ids=\"([^\"]+)\"", "group": 1, "to": "finding_info.uid"},
{"regex": "sig_names=\"([^\"]+)\"", "group": 1, "to": "finding_info.desc"},
{"regex": "severity=\"([^\"]+)\"", "group": 1, "to": "severity"},
{"regex": "attack_type=\"([^\"]+)\"", "group": 1, "to": "finding_info.types"},
// Severity mapping
{"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Informational": 1}, "to": "severity_id"},
// Activity
{"lookup": "activity_name", "map": {"blocked": 2, "passed": 1, "alarmed": 1}, "to": "activity_id"}
]
},
// Pool member status
{
"pattern": "Pool\\s+(/\\S+)\\s+member\\s+([\\d.]+):(\\d+)\\s+monitor status\\s+(\\w+)",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "activity_id", "value": "99"},
{"set": "activity_name", "value": "Health Check"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP LTM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "dst_endpoint.svc_name"},
{"group": 2, "to": "dst_endpoint.ip"},
{"group": 3, "to": "dst_endpoint.port"},
{"group": 4, "to": "status"},
{"lookup": "status", "map": {"up": 1, "down": 2}, "to": "status_id"}
]
},
// Audit logs
{
"pattern": "AUDIT\\s+-\\s+user\\s+(\\S+)",
"rewrites": [
{"set": "class_uid", "value": "6002"},
{"set": "class_name", "value": "API Activity"},
{"set": "category_uid", "value": "6"},
{"set": "category_name", "value": "Application Activity"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "actor.user.name"},
{"regex": "from host\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "modified object\\s+(\\S+)", "group": 1, "to": "resources.name"},
{"regex": "state from\\s+(\\w+)\\s+to\\s+(\\w+)", "group": 1, "to": "prev_state"},
{"regex": "state from\\s+(\\w+)\\s+to\\s+(\\w+)", "group": 2, "to": "state"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Update"}
]
}
]
}