Sync upstream features; preserve fork KV scanner, parsers, verifier

Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
This commit is contained in:
marc
2026-05-22 18:19:52 +02:00
parent a7ebcac9a6
commit 7c1687efce
102 changed files with 13912 additions and 178 deletions
@@ -0,0 +1,259 @@
// SentinelOne AI SIEM Parser: ISC BIND DNS Server
// OCSF Schema Version: 1.1.0
// Maps ISC BIND query/security logs to OCSF classes
// Primary Class: DNS Activity (4003)
{
"parserName": "ISCBIND-OCSF",
"version": "1.0.0",
"vendor": "ISC",
"product": "BIND",
"format": "syslog",
"patterns": [
// Query logs
{
"pattern": "queries:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+query:\\s+(\\S+)\\s+IN\\s+(\\w+)",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "DNS Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Query"},
{"set": "type_uid", "value": "400301"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
{"group": 1, "to": "metadata.uid"},
// Time (from syslog header)
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Client
{"group": 2, "to": "src_endpoint.ip"},
{"group": 3, "to": "src_endpoint.port"},
// Query info
{"group": 4, "to": "query_info.opcode"},
{"group": 5, "to": "query_info.hostname"},
{"group": 6, "to": "query_info.type"},
// DNS server
{"regex": "\\(([\\d.]+)\\)$", "group": 1, "to": "dst_endpoint.ip"},
// Observables
{"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$2"}},
{"array": "observables", "append": {"type": "Hostname", "type_id": 1, "value": "$5"}},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Security - Zone transfer denied
{
"pattern": "security:\\s+warning:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+zone transfer\\s+'([^']+)'\\s+denied",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "finding_info.types", "value": ["DNS Zone Transfer Attempt"]},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
// Time
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Client
{"group": 2, "to": "src_endpoint.ip"},
{"group": 3, "to": "src_endpoint.port"},
// Zone
{"group": 5, "to": "finding_info.title"},
{"set": "finding_info.desc", "value": "Unauthorized zone transfer attempt"},
// Severity
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"},
// Status
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Deny"}
]
},
// Security - Query denied
{
"pattern": "security:\\s+error:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+query\\s+\\(cache\\)\\s+'([^']+)'\\s+denied",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "DNS Activity"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Query Denied"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
// Time
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Client
{"group": 2, "to": "src_endpoint.ip"},
{"group": 3, "to": "src_endpoint.port"},
// Query
{"group": 5, "to": "query_info.hostname"},
// Status
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "rcode", "value": "REFUSED"},
// Severity
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
},
// Zone transfer (AXFR) - successful
{
"pattern": "xfer-out:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+transfer of\\s+'([^']+)':\\s+AXFR\\s+(started|ended)",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "DNS Activity"},
{"group": 6, "to": "transfer_status"},
{"lookup": "transfer_status", "map": {"started": 3, "ended": 4}, "to": "activity_id"},
{"lookup": "transfer_status", "map": {"started": "Zone Transfer Start", "ended": "Zone Transfer Complete"}, "to": "activity_name"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
// Time
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Client (secondary DNS)
{"group": 2, "to": "dst_endpoint.ip"},
{"group": 3, "to": "dst_endpoint.port"},
// Zone
{"group": 5, "to": "query_info.hostname"},
{"set": "query_info.type", "value": "AXFR"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Dynamic update
{
"pattern": "update:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+)\\s+\\(([^)]+)\\):\\s+updating zone\\s+'([^']+)':\\s+(adding|deleting)\\s+an RR at\\s+'([^']+)'\\s+(\\w+)\\s+(\\S+)",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "DNS Activity"},
{"group": 6, "to": "update_action"},
{"lookup": "update_action", "map": {"adding": 5, "deleting": 6}, "to": "activity_id"},
{"lookup": "update_action", "map": {"adding": "Record Add", "deleting": "Record Delete"}, "to": "activity_name"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
// Time
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Client
{"group": 2, "to": "src_endpoint.ip"},
{"group": 3, "to": "src_endpoint.port"},
// Zone and record
{"group": 5, "to": "query_info.zone"},
{"group": 7, "to": "query_info.hostname"},
{"group": 8, "to": "query_info.type"},
{"group": 9, "to": "answers.rdata"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Rate limiting
{
"pattern": "rate-limit:\\s+info:\\s+client\\s+@(\\S+)\\s+([\\d.]+)#(\\d+):\\s+rate limit\\s+(\\w+)\\s+(\\w+)\\s+response",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "finding_info.types", "value": ["DNS Rate Limiting"]},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
// Time
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Client
{"group": 2, "to": "src_endpoint.ip"},
{"group": 3, "to": "src_endpoint.port"},
// Rate limit action
{"group": 4, "to": "activity_name"},
{"group": 5, "to": "finding_info.title"},
// Severity
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
},
// DNSSEC events
{
"pattern": "dnssec:\\s+info:\\s+zone\\s+(\\S+):\\s+DNSKEY\\s+(\\d+)/(\\w+)\\s+\\((\\w+)\\)\\s+is now\\s+(\\w+)",
"rewrites": [
{"set": "class_uid", "value": "4003"},
{"set": "class_name", "value": "DNS Activity"},
{"set": "activity_id", "value": "7"},
{"set": "activity_name", "value": "DNSSEC Key Event"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "ISC BIND"},
{"set": "metadata.product.vendor_name", "value": "ISC"},
// Time
{"regex": "^(\\d+-\\w+-\\d+\\s+[\\d:.]+)", "group": 1, "to": "time"},
// Zone
{"group": 1, "to": "query_info.zone"},
// Key info
{"group": 2, "to": "dnssec.key_tag"},
{"group": 3, "to": "dnssec.algorithm"},
{"group": 4, "to": "dnssec.key_type"},
{"group": 5, "to": "dnssec.key_state"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
}
],
"query_type_mappings": {
"A": 1, "AAAA": 28, "MX": 15, "TXT": 16, "CNAME": 5,
"NS": 2, "SOA": 6, "PTR": 12, "SRV": 33, "AXFR": 252, "ANY": 255
}
}
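Review bot: Every client-address capture in this parser, the `([\\d.]+)` group in the query, zone-transfer-denied, query-denied, xfer-out, update and rate-limit patterns, matches only dotted-quad IPv4, while BIND prints IPv6 clients bare (e.g. `2001:db8::1#53`), so none of these patterns match IPv6 events and the zone-transfer-denied and query-denied findings are silently never produced for them; widening the class to `([\\d.:a-fA-F]+)` (and likewise the `dst_endpoint.ip` rewrite `\\(([\\d.]+)\\)$`) closes that coverage gap. The `time` rewrite `^(\\d+-\\w+-\\d+\\s+[\\d:.]+)` expects BIND's own file-log prefix (`DD-Mon-YYYY HH:MM:SS.mmm`), yet `"format"` is `"syslog"` and the comment says the time comes from the syslog header; when BIND logs via syslog that prefix is absent from the message, so `time` would presumably stay unset — confirm which log path the deployment uses and align the regex or the format field. `activity_id` is also typed inconsistently: a string `"1"`/`"2"`/`"7"` in the set rewrites but integers `3`/`4` and `5`/`6` from the lookup maps, and the same string-versus-integer split shows up between `class_uid`/`status_id`/`severity_id` and the observables' integer `type_id`; OCSF defines these as integer enums and mixed types break equality filters downstream, so `{"set": "activity_id", "value": 1}` throughout is the safer form. Separately, OCSF 1.1.0 DNS Activity defines activity_id only as 1 (Query), 2 (Response), 3 (Traffic) and 99 (Other), so the custom 2 = "Query Denied" and the 3–7 values would be misread by consumers keyed on the standard enum; if the extension is intentional, document it in the header comment and set `type_uid` on the other DNS Activity patterns as the first one does.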