Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-11 05:41:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Snapshot 95 demo-tenant parsers (incl. stormshield) + un-ignore parsers/

Browse Source 
The original upstream gitignores parsers/* on the assumption that each tenant
has its own set. This fork commits a working snapshot so the Parser Test Runner
and Parser Coverage features are usable out of the box.

Stormshield parser exercises the new SDL key=value scanner, pattern references,
and JS-style unquoted format keys added to backend/routers/quality.py.
This commit is contained in:
marc
2026-05-22 14:11:39 +02:00
parent 1e61fa9814
commit a9dcf48e65
96 changed files with 14742 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
parsers/netskope_netskope_logs-latest
+410
View File
@@ -0,0 +1,410 @@
{
attributes: {
"dataSource.category": "security",
"dataSource.name": "Netskope",
"dataSource.vendor": "Netskope"
},
formats: [
{
format: ".*${parse=json}{attrWhitelist=(_id|action|activity|device|category|app_name|count|dst_country|dst_region|malware_severity|malware_type|request_id|severity|severity_id|src_country|src_location|src_region|type|_category_id|_category_tags|_correlation_id|_detection_name|_event_id|_nshostname|_resource_name|_service_identifier|account_name|alert_id|alert_name|alert_type|appcategory|breach_date|breach_description|breach_id|breach_score|connection_id|dlp_file|dlp_incident_id|dlp_rule|dlp_rule_count|dst_latitude|dst_longitude|dst_timezone|dst_zipcode|dstip|event_type|file_name|file_size|file_type|hostname|incident_id|instance_id|local_md5|malsite_country|malware_name|matched_username|md5|os|os10|os11|policy|policy_id|protocol|severity_level|severity_level_id|src_latitude|src_longitude|src_time|src_timezone|src_zipcode|srcip|timestamp|transaction_id|true_obj_type|url|user|user_id|userip|userkey|local_sha256)}$"
rewrites: [
{
input: "_category_id",
output: "security_finding.category_uid",
match: ".*",
replace: "$0"
},
{
input: "_category_tags",
output: "security_finding.category_tags",
match: ".*",
replace: "$0"
},
{
input: "_correlation_id",
output: "metadata.correlation_uid",
match: ".*",
replace: "$0"
},
{
input: "_detection_name",
output: "detection.name",
match: ".*",
replace: "$0"
},
{
input: "_event_id",
output: "security_finding.activity_id",
match: ".*",
replace: "$0"
},
{
input: "_id",
output: "security_finding.type_uid",
match: ".*",
replace: "$0"
},
{
input: "_nshostname",
output: "network_endpoint.sender_hostname",
match: ".*",
replace: "$0"
},
{
input: "_resource_name",
output: "resource.name",
match: ".*",
replace: "$0"
},
{
input: "_service_identifier",
output: "service.identifier",
match: ".*",
replace: "$0"
},
{
input: "account_name",
output: "account.name",
match: ".*",
replace: "$0"
},
{
input: "action",
output: "security_finding.action",
match: ".*",
replace: "$0"
},
{
input: "alert_id",
output: "alert.uid",
match: ".*",
replace: "$0"
},
{
input: "alert_name",
output: "alert.name",
match: ".*",
replace: "$0"
},
{
input: "alert_type",
output: "event.type",
match: ".*",
replace: "$0"
},
{
input: "appcategory",
output: "security_finding.app_category",
match: ".*",
replace: "$0"
},
{
input: "breach_date",
output: "breach.date",
match: ".*",
replace: "$0"
},
{
input: "breach_description",
output: "breach.desc",
match: ".*",
replace: "$0"
},
{
input: "breach_id",
output: "breach.uid",
match: ".*",
replace: "$0"
},
{
input: "breach_score",
output: "breach.score",
match: ".*",
replace: "$0"
},
{
input: "category",
output: "security_finding.category_name",
match: ".*",
replace: "$0"
},
{
input: "connection_id",
output: "security_finding.connection_id",
match: ".*",
replace: "$0"
},
{
input: "device",
output: "device.name",
match: ".*",
replace: "$0"
},
{
input: "dlp_file",
output: "dlp.file_name",
match: ".*",
replace: "$0"
},
{
input: "dlp_incident_id",
output: "dlp.incident_id",
match: ".*",
replace: "$0"
},
{
input: "dlp_rule",
output: "dlp.rule",
match: ".*",
replace: "$0"
},
{
input: "dlp_rule_count",
output: "dlp.rule_count",
match: ".*",
replace: "$0"
},
{
input: "dst_latitude",
output: "geo_coordinates.dst_latitude",
match: ".*",
replace: "$0"
},
{
input: "dst_longitude",
output: "geo_coordinates.dst_longitude",
match: ".*",
replace: "$0"
},
{
input: "dst_timezone",
output: "location.dst_timezone",
match: ".*",
replace: "$0"
},
{
input: "dst_zipcode",
output: "location.dst_zipcode",
match: ".*",
replace: "$0"
},
{
input: "dstip",
output: "dst.ip.address",
match: ".*",
replace: "$0"
},
{
input: "event_type",
output: "security_finding.ref_event_name",
match: ".*",
replace: "$0"
},
{
input: "file_name",
output: "file.name",
match: ".*",
replace: "$0"
},
{
input: "file_size",
output: "file.size",
match: ".*",
replace: "$0"
},
{
input: "file_type",
output: "file.type",
match: ".*",
replace: "$0"
},
{
input: "hostname",
output: "device.hostname",
match: ".*",
replace: "$0"
},
{
input: "incident_id",
output: "security_finding.incident_id",
match: ".*",
replace: "$0"
},
{
input: "instance_id",
output: "device.instance_uid",
match: ".*",
replace: "$0"
},
{
input: "local_md5",
output: "file.local_md5",
match: ".*",
replace: "$0"
},
{
input: "malsite_country",
output: "security_finding.malsite_country",
match: ".*",
replace: "$0"
},
{
input: "malware_name",
output: "malware.name",
match: ".*",
replace: "$0"
},
{
input: "matched_username",
output: "security_finding.matched_username",
match: ".*",
replace: "$0"
},
{
input: "md5",
output: "file.md5",
match: ".*",
replace: "$0"
},
{
input: "os",
output: "os.name",
match: ".*",
replace: "$0"
},
{
input: "os10",
output: "device.os10",
match: ".*",
replace: "$0"
},
{
input: "os11",
output: "device.os11",
match: ".*",
replace: "$0"
},
{
input: "policy",
output: "policy.name",
match: ".*",
replace: "$0"
},
{
input: "policy_id ",
output: "policy.uid",
match: ".*",
replace: "$0"
},
{
input: "protocol",
output: "network_connection_info.protocol_name",
match: ".*",
replace: "$0"
},
{
input: "severity_level",
output: "security_finding.severity",
match: ".*",
replace: "$0"
},
{
input: "severity_level_id",
output: "security_finding.severity_level_id",
match: ".*",
replace: "$0"
},
{
input: "src_latitude",
output: "geo_coordinates.src_latitude",
match: ".*",
replace: "$0"
},
{
input: "src_longitude",
output: "geo_coordinates.src_longitude",
match: ".*",
replace: "$0"
},
{
input: "src_time",
output: "security_finding.src_time",
match: ".*",
replace: "$0"
},
{
input: "src_timezone",
output: "location.src_timezone",
match: ".*",
replace: "$0"
},
{
input: "src_zipcode",
output: "location.src_zipcode",
match: ".*",
replace: "$0"
},
{
input: "srcip",
output: "src.ip.address",
match: ".*",
replace: "$0"
},
{
input: "timestamp",
output: "security_finding.time",
match: ".*",
replace: "$0"
},
{
input: "transaction_id",
output: "security_finding.transaction_id",
match: ".*",
replace: "$0"
},
{
input: "true_obj_type",
output: "file.type",
match: ".*",
replace: "$0"
},
{
input: "url",
output: "url.text",
match: ".*",
replace: "$0"
},
{
input: "user",
output: "user.name",
match: ".*",
replace: "$0"
},
{
input: "user_id",
output: "user.uid",
match: ".*",
replace: "$0"
},
{
input: "userip",
output: "user.ip",
match: ".*",
replace: "$0"
},
{
input: "userkey",
output: "user.key",
match: ".*",
replace: "$0"
},
{
input: "local_sha256",
output: "file.local_sha256",
match: ".*",
replace: "$0"
},
]
}
]
}