mirror of
https://github.com/marcredhat/SIEM-toolkit-patched
synced 2026-06-08 12:33:51 +00:00
Initial commit: SIEM Toolkit for SentinelOne
Dockerized SecOps toolkit with: - Coverage Map: STAR rule vs SDL parser field coverage analysis - Ingest Dashboard: PowerQuery-powered event volume and source breakdown - Onboarding Assistant: AI-guided log source onboarding with Claude - Parser management via SDL MCP integration Stack: FastAPI + PostgreSQL backend, nginx-served HTML frontend, Docker Compose. PowerQuery runs via Scalyr XDR API (SDL_XDR_URL + SDL_LOG_READ_KEY). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -0,0 +1,29 @@
|
||||
{
|
||||
"attributes": {
|
||||
"dataSource.vendor": "AWS",
|
||||
"dataSource.name": "AWS Web Application Firewall",
|
||||
"dataSource.category": "web_security"
|
||||
},
|
||||
"formats": [
|
||||
{
|
||||
"id": "aws_waf_json",
|
||||
"format": ".*${parse=json}$",
|
||||
"rewrites": [
|
||||
{ "input": "timestamp", "output": "time", "match": ".*", "replace": "$0" },
|
||||
{ "input": "httpRequest.clientIp", "output": "src_endpoint.ip", "match": ".*", "replace": "$0" },
|
||||
{ "input": "action", "output": "disposition", "match": ".*", "replace": "$0" },
|
||||
{ "input": "httpRequest.uri", "output": "http_request.url.text", "match": ".*", "replace": "$0" },
|
||||
{ "input": "httpRequest.country", "output": "src_endpoint.location.country", "match": ".*", "replace": "$0" },
|
||||
{ "input": "httpRequest.httpMethod", "output": "http_request.http_method", "match": ".*", "replace": "$0" },
|
||||
{ "input": "webaclId", "output": "firewall_rule.uid", "match": ".*", "replace": "$0" },
|
||||
{ "input": "ruleGroupId", "output": "firewall_rule.name", "match": ".*", "replace": "$0" },
|
||||
{ "input": "terminatingRuleType", "output": "firewall_rule.type", "match": ".*", "replace": "$0" },
|
||||
{ "input": "httpRequest.httpVersion", "output": "http_request.version", "match": ".*", "replace": "$0" },
|
||||
{ "input": "httpRequest.args", "output": "http_request.url.query_string", "match": ".*", "replace": "$0" },
|
||||
{ "input": "requestId", "output": "http_request.uid", "match": ".*", "replace": "$0" },
|
||||
{ "input": "httpRequest.headers", "output": "http_request.http_headers", "match": ".*", "replace": "$0" }
|
||||
],
|
||||
"halt": true
|
||||
}
|
||||
]
|
||||
}
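Review bot: The `httpRequest.headers` rewrite copies the whole request-header array into `http_request.http_headers`, and as far as I recall AWS WAF only omits headers listed in the web ACL's redacted-fields setting, so unless that is configured `Cookie` and `Authorization` values (session tokens) will land in a broadly searchable SIEM field. Confirm the redaction config covers those headers before this parser is used for onboarding, or drop that rewrite until a per-header allow-list exists. Separately, `firewall_rule.name` is filled from `ruleGroupId` while the rule that actually terminated the request is only represented by `terminatingRuleType`; if the WAF record also carries a `terminatingRuleId` (I have no sample here to confirm), mapping it, e.g. `{ "input": "terminatingRuleId", "output": "firewall_rule.name", "match": ".*", "replace": "$0" },`, makes block/allow attribution exact.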
|
||||
@@ -0,0 +1,42 @@
|
||||
{
|
||||
"attributes": {
|
||||
"dataSource.vendor": "Cisco",
|
||||
"dataSource.name": "Cisco Duo Security",
|
||||
"dataSource.category": "security"
|
||||
},
|
||||
"formats": [
|
||||
{
|
||||
"format": "$unmapped.{parse=json}$",
|
||||
"rewrites": [
|
||||
{ "input": "unmapped.timestamp", "output": "timestamp", "match": ".*", "replace": "$0" },
|
||||
{ "input": "unmapped.time", "output": "time", "match": ".*", "replace": "$0" }
|
||||
]
|
||||
}
|
||||
],
|
||||
"mappings": {
|
||||
"version": 1,
|
||||
"mappings": [
|
||||
{
|
||||
"predicate": "unmapped.class_uid = '3002'",
|
||||
"transformations": [
|
||||
{ "copy": { "from": "unmapped.activity_id", "to": "activity_id" } },
|
||||
{ "copy": { "from": "unmapped.activity_name", "to": "activity_name" } },
|
||||
{ "copy": { "from": "unmapped.type_uid", "to": "type_uid" } },
|
||||
{ "copy": { "from": "unmapped.severity_id", "to": "severity_id" } },
|
||||
{ "copy": { "from": "unmapped.status_id", "to": "status_id" } },
|
||||
{ "copy": { "from": "unmapped.status", "to": "status" } },
|
||||
{ "copy": { "from": "unmapped.message", "to": "message" } },
|
||||
{ "copy": { "from": "unmapped.user.name", "to": "user.name" } },
|
||||
{ "copy": { "from": "unmapped.user.account_uid", "to": "user.account_uid" } },
|
||||
{ "copy": { "from": "unmapped.user.account_type", "to": "user.account_type" } },
|
||||
{ "copy": { "from": "unmapped.src_endpoint.ip", "to": "src_endpoint.ip" } },
|
||||
{ "copy": { "from": "unmapped.src_endpoint.location.desc", "to": "src_endpoint.location.desc" } },
|
||||
{ "copy": { "from": "unmapped.src_endpoint.location.city", "to": "src_endpoint.location.city" } },
|
||||
{ "copy": { "from": "unmapped.src_endpoint.location.country", "to": "src_endpoint.location.country" } },
|
||||
{ "copy": { "from": "unmapped.auth_protocol", "to": "auth_protocol" } },
|
||||
{ "copy": { "from": "unmapped.mfa_factors", "to": "mfa_factors" } }
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
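Review bot: The only mapping predicate is `unmapped.class_uid = '3002'`, so events this feed delivers with any other `class_uid` (Duo admin or telephony activity, if they arrive in the same OCSF-shaped stream — I can't tell from this file) keep nothing but raw `unmapped.*` fields, a STAR rule on `user.name` or `src_endpoint.ip` never sees them, and the Coverage Map will report them as unmapped. If those classes are expected, add a mapping entry per class, or loosen the predicate for the copied fields that are class-independent. Also, unlike the AWS WAF parser in this commit, the format has no `id` and no `halt`, so a later catch-all format could re-process these events; add `"halt": true` after the rewrites if that is not intended.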
|
||||
@@ -0,0 +1,25 @@
|
||||
{
|
||||
attributes: {
|
||||
dataset: "Endpoint",
|
||||
"dataSource.name": "CrowdStrike Falcon",
|
||||
"dataSource.vendor": "CrowdStrike",
|
||||
"dataSource.category": "security"
|
||||
}
|
||||
patterns: {
|
||||
keyPattern: "\\w+"
|
||||
lastValuePattern: "[\\w\\s]+"
|
||||
},
|
||||
formats: [
|
||||
{
|
||||
format: "CEF:$version$\\|$deviceVendor$\\|$deviceProduct$\\|$deviceVersion$\\|$signatureID$\\|$name$\\|$severity$\\|$extension$"
|
||||
},
|
||||
{
|
||||
format: ".*[\\s]$_=keyPattern$=$_$ \\w+=",
|
||||
repeat: true
|
||||
},
|
||||
{
|
||||
format: ".*\\s$_=keyPattern$=$_=lastValuePattern$",
|
||||
repeat: true
|
||||
}
|
||||
]
|
||||
}
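Review bot: The two key=value formats assume a value ends at the next ` \w+=` or matches `[\w\s]+`, but CEF extension values may contain `=` and `\` escaped as `\=` and `\\`; nothing here honours the escape, so a value containing `\=` (command lines and URLs in Falcon events are a likely source) is cut short, the remainder is read as a spurious key, and every following field shifts. If the SDL parser engine offers a CEF-aware parse mode, prefer it over these regexes; otherwise widen the value captures to accept escaped characters and add a fixture with an escaped `=` to the parser tests. This file also uses unquoted keys, omits the comma after the `attributes` object and the one between `keyPattern` and `lastValuePattern`, while the AWS WAF and Duo parsers in the same commit are strict JSON; if the loader is a strict JSON parser this file fails to load, so either confirm relaxed syntax is supported or write `},` and `keyPattern: "\\w+",`.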
|
||||
@@ -0,0 +1,33 @@
|
||||
{
|
||||
attributes: {
|
||||
"dataSource.category": "security",
|
||||
"dataSource.name": "Azure AD",
|
||||
"dataSource.vendor": "Azure"
|
||||
},
|
||||
formats: [
|
||||
{
|
||||
format: ".*${parse=json}{attrBlacklist=(targetResources)}$"
|
||||
rewrites: [
|
||||
{ input: "activityDateTime", output: "security_finding.time_dt", match: ".*", replace: "$0" },
|
||||
{ input: "activityDisplayName", output: "security_finding.activity_name", match: ".*", replace: "$0" },
|
||||
{ input: "category", output: "security_finding.category_name", match: ".*", replace: "$0" },
|
||||
{ input: "correlationId", output: "metadata.correlation_uid", match: ".*", replace: "$0" },
|
||||
{ input: "id", output: "security_finding.activity_id", match: ".*", replace: "$0" },
|
||||
{ input: "initiatedByUserId", output: "user.account_uid", match: ".*", replace: "$0" },
|
||||
{ input: "initiatedByUserIpAddress", output: "user.ip", match: ".*", replace: "$0" },
|
||||
{ input: "initiatedByUserUserPrincipalName", output: "user.name", match: ".*", replace: "$0" },
|
||||
{ input: "operationType", output: "security_finding.type_name", match: ".*", replace: "$0" },
|
||||
{ input: "result", output: "security_finding.result", match: ".*", replace: "$0" },
|
||||
{ input: "resultReason", output: "security_finding.result_reason", match: ".*", replace: "$0" }
|
||||
]
|
||||
}, {
|
||||
format: ".*targetResources\":..$targetResources.{parse=json}$"
|
||||
rewrites: [
|
||||
{ input: "targetResources.displayName", output: "target.name", match: ".*", replace: "$0" },
|
||||
{ input: "targetResources.id", output: "target.id", match: ".*", replace: "$0" },
|
||||
{ input: "targetResources.type", output: "target.type", match: ".*", replace: "$0" },
|
||||
{ input: "targetResources.userPrincipalName", output: "target.userName", match: ".*", replace: "$0" }
|
||||
]
|
||||
}
|
||||
]
|
||||
}
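Review bot: The actor's IP is written to `user.ip` here, while the AWS WAF and Duo parsers in this commit use `src_endpoint.ip`, the Okta parser `client.ip`, and the Netskope and Palo Alto parsers `src.ip.address`; a STAR rule or Coverage Map check for "source IP" thus needs four spellings, and one written against `src_endpoint.ip` silently never matches Azure AD activity. Use the name the other identity parsers already use, e.g. `{ input: "initiatedByUserIpAddress", output: "src_endpoint.ip", match: ".*", replace: "$0" },`. Also, `id` (an audit record GUID) goes into `security_finding.activity_id`, which in OCSF is a small integer enum; keep the GUID in a `metadata.uid`-style field so `activity_id` stays usable as an enum. The second format's `targetResources\":..` literal consumes exactly two characters after the key, and I can't confirm from here that it copes with an empty `targetResources: []`; a sample with no targets belongs in the test set.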
|
||||
@@ -0,0 +1,46 @@
|
||||
{
|
||||
attributes: {
|
||||
"dataSource.category": "security",
|
||||
"dataSource.name": "Netskope",
|
||||
"dataSource.vendor": "Netskope"
|
||||
},
|
||||
formats: [
|
||||
{
|
||||
format: ".*${parse=json}$"
|
||||
rewrites: [
|
||||
{ input: "_category_id", output: "security_finding.category_uid", match: ".*", replace: "$0" },
|
||||
{ input: "_correlation_id", output: "metadata.correlation_uid", match: ".*", replace: "$0" },
|
||||
{ input: "_detection_name", output: "detection.name", match: ".*", replace: "$0" },
|
||||
{ input: "_event_id", output: "security_finding.activity_id", match: ".*", replace: "$0" },
|
||||
{ input: "_id", output: "security_finding.type_uid", match: ".*", replace: "$0" },
|
||||
{ input: "_nshostname", output: "network_endpoint.sender_hostname", match: ".*", replace: "$0" },
|
||||
{ input: "_resource_name", output: "resource.name", match: ".*", replace: "$0" },
|
||||
{ input: "account_name", output: "account.name", match: ".*", replace: "$0" },
|
||||
{ input: "action", output: "security_finding.action", match: ".*", replace: "$0" },
|
||||
{ input: "alert_id", output: "alert.uid", match: ".*", replace: "$0" },
|
||||
{ input: "alert_name", output: "alert.name", match: ".*", replace: "$0" },
|
||||
{ input: "alert_type", output: "event.type", match: ".*", replace: "$0" },
|
||||
{ input: "device", output: "device.name", match: ".*", replace: "$0" },
|
||||
{ input: "dlp_file", output: "dlp.file_name", match: ".*", replace: "$0" },
|
||||
{ input: "dlp_incident_id", output: "dlp.incident_id", match: ".*", replace: "$0" },
|
||||
{ input: "dlp_rule", output: "dlp.rule", match: ".*", replace: "$0" },
|
||||
{ input: "dstip", output: "dst.ip.address", match: ".*", replace: "$0" },
|
||||
{ input: "file_name", output: "file.name", match: ".*", replace: "$0" },
|
||||
{ input: "file_size", output: "file.size", match: ".*", replace: "$0" },
|
||||
{ input: "file_type", output: "file.type", match: ".*", replace: "$0" },
|
||||
{ input: "hostname", output: "device.hostname", match: ".*", replace: "$0" },
|
||||
{ input: "malware_name", output: "malware.name", match: ".*", replace: "$0" },
|
||||
{ input: "md5", output: "file.md5", match: ".*", replace: "$0" },
|
||||
{ input: "os", output: "os.name", match: ".*", replace: "$0" },
|
||||
{ input: "policy", output: "policy.name", match: ".*", replace: "$0" },
|
||||
{ input: "policy_id", output: "policy.uid", match: ".*", replace: "$0" },
|
||||
{ input: "protocol", output: "network_connection_info.protocol_name", match: ".*", replace: "$0" },
|
||||
{ input: "srcip", output: "src.ip.address", match: ".*", replace: "$0" },
|
||||
{ input: "url", output: "url.text", match: ".*", replace: "$0" },
|
||||
{ input: "user", output: "user.name", match: ".*", replace: "$0" },
|
||||
{ input: "user_id", output: "user.uid", match: ".*", replace: "$0" },
|
||||
{ input: "userip", output: "user.ip", match: ".*", replace: "$0" }
|
||||
]
|
||||
}
|
||||
]
|
||||
}
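Review bot: `_event_id` and `_id` are written to `security_finding.activity_id` and `security_finding.type_uid`, which in OCSF are integer enums, so a Netskope object ID in `type_uid` never equals the numeric value a STAR rule expects and a dashboard grouped on `type_uid` fragments per event; keep vendor identifiers in uid fields instead, e.g. `output: "metadata.uid"` for `_id` and `output: "metadata.event_uid"` for `_event_id`. The IP naming also diverges from the rest of the commit: `srcip`→`src.ip.address`, `dstip`→`dst.ip.address`, `userip`→`user.ip`, while the AWS WAF and Duo parsers use `src_endpoint.ip`, so cross-source IP rules need per-parser spellings; aligning on `src_endpoint.ip`/`dst_endpoint.ip` removes that. Only `md5` is mapped for file hashes; if the Netskope alert also carries a SHA-256 field (I can't verify from this file), that is the one most threat-intel matching keys on.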
|
||||
@@ -0,0 +1,39 @@
|
||||
{
|
||||
attributes: {
|
||||
source: "okta"
|
||||
"dataSource.category": "security",
|
||||
"dataSource.name": "Okta",
|
||||
"dataSource.vendor": "Okta",
|
||||
},
|
||||
formats: [
|
||||
{
|
||||
format: ".*${parse=dottedJson}{attrBlacklist=target}$"
|
||||
rewrites: [
|
||||
{ input: "actor.id", output: "user.account_uid", match: ".*", replace: "$0" },
|
||||
{ input: "actor.type", output: "user.account_type", match: ".*", replace: "$0" },
|
||||
{ input: "actor.alternateId", output: "user.email_addr", match: ".*", replace: "$0" },
|
||||
{ input: "actor.displayName", output: "user.name", match: ".*", replace: "$0" },
|
||||
{ input: "authenticationContext.authenticationStep", output: "authenticationStep", match: ".*", replace: "$0" },
|
||||
{ input: "authenticationContext.externalSessionId", output: "externalSessionId", match: ".*", replace: "$0" },
|
||||
{ input: "client.ipAddress", output: "client.ip", match: ".*", replace: "$0" },
|
||||
{ input: "client.userAgent.browser", output: "client.browser", match: ".*", replace: "$0" },
|
||||
{ input: "client.userAgent.os", output: "client.os", match: ".*", replace: "$0" },
|
||||
{ input: "client.userAgent.rawUserAgent", output: "client.userAgent", match: ".*", replace: "$0" },
|
||||
{ input: "client.zone", output: "client.location.zone", match: ".*", replace: "$0" },
|
||||
{ input: "client.geographicalContext.city", output: "client.location.city", match: ".*", replace: "$0" },
|
||||
{ input: "client.geographicalContext.country", output: "client.location.country", match: ".*", replace: "$0" },
|
||||
{ input: "client.geographicalContext.geolocation.lat", output: "client.location.lat", match: ".*", replace: "$0" },
|
||||
{ input: "client.geographicalContext.geolocation.lon", output: "client.location.lon", match: ".*", replace: "$0" },
|
||||
{ input: "client.geographicalContext.postalCode", output: "client.location.postal_code", match: ".*", replace: "$0" },
|
||||
{ input: "client.geographicalContext.state", output: "client.location.state", match: ".*", replace: "$0" },
|
||||
{ input: "displayMessage", output: "msg", match: ".*", replace: "$0" },
|
||||
{ input: "eventType", output: "category_name", match: ".*", replace: "$0" },
|
||||
{ input: "outcome.result", output: "result", match: ".*", replace: "$0" },
|
||||
{ input: "published", output: "time", match: ".*", replace: "$0" },
|
||||
{ input: "transaction.id", output: "type_uid", match: ".*", replace: "$0" },
|
||||
{ input: "transaction.type", output: "type_name", match: ".*", replace: "$0" },
|
||||
{ input: "uuid", output: "activity_id", match: ".*", replace: "$0" }
|
||||
]
|
||||
}
|
||||
]
|
||||
}
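Review bot: `attrBlacklist=target` excludes Okta's `target` array from the parse and, unlike the Azure AD parser in this commit which recovers `targetResources` with a second format, nothing here re-parses it; for `user.lifecycle.*`, `group.user_membership.add` or `application.user_membership.add` events the target is the user/group/app acted upon, so privilege-change detections lose the object they need and the Coverage Map shows no `target.*` fields for Okta. Add a second format modelled on the Azure AD one, e.g. `format: ".*\"target\":..$target.{parse=json}$"` with rewrites for `target.id`, `target.type`, `target.displayName` and `target.alternateId`, unless a parser outside this commit already handles it. `outcome.reason` (the failure reason on a denied login) is also unmapped and is what brute-force and lockout rules pivot on; `{ input: "outcome.reason", output: "status_detail", match: ".*", replace: "$0" },` covers it. Syntax for whoever loads this: `source: "okta"` lacks its trailing comma and `"dataSource.vendor": "Okta",` has one before `}`, which a strict JSON loader rejects while the AWS WAF and Duo files here are strict JSON.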
|
||||
@@ -0,0 +1,14 @@
|
||||
{
|
||||
attributes: {
|
||||
"dataSource.category": "security",
|
||||
"dataSource.name": "Palo Alto Networks",
|
||||
"dataSource.vendor": "Palo Alto Networks"
|
||||
}
|
||||
formats: [
|
||||
{
|
||||
id: "traffic-11-0",
|
||||
format: "$network_activity.future_use_1$,$network_activity.receive_time$,$firewall.serial_number$,$network_activity.sub_type$,$timestamp$,$src.ip.address$,$dst.ip.address$,$network_endpoint.nat_src_ip$,$network_endpoint.nat_dst_ip$,$rule.name$,$user.src_name$,$user.dst_name$,$network_activity.app_name$,$network_traffic.virtual_system_name$,$source_zone$,$destination_zone$,$network_interface.inbound_name$,$network_interface.outbound_name$,$network_activity.log_action$,$session.uid$,$network_activity.repeat_count$,$network_endpoint.src_port$,$network_endpoint.dst_port$,$network_connection_info.flag$,$network_connection_info.protocol_name$,$network_activity.action$,$network_traffic.bytes$,$network_traffic.bytes_out$,$network_traffic.bytes_in$,$network_traffic.packets$,$network_activity.start_time_dt$,$network_activity.elapsed_time$,$network_activity.category_name$,$network_activity.sequence_number$,$network_activity.action_flags$,$location.src_country$,$location.dst_country$,$network_traffic.packets_out$,$network_traffic.packets_in$,$session.expiration_reason$,$device.group_hierarchy.level_1$,$device.group_hierarchy.level_2$,$device.group_hierarchy.level_3$,$device.group_hierarchy.level_4$,$firewall.virtual_system_name$,$device.name$,$network_activity.action_source$,$virtual_machine.src_vm_uuid$,$virtual_machine.dst_vm_uuid$,$device.imsi$,$device.imei$,$session.parent_uid$,$network_activity.parent_start_time_dt$,$network_connection_info.tunnel_type$,$network_connection_info.sctp_id$,$network_connection_info.sctp_chunks$,$network_connection_info.sctp_chunks_out$,$network_connection_info.sctp_chunks_in$,$rule.uid$,$network_activity.http_connection$,$network_connection_info.app_flap_count$,$policy.uid$,$network_connection_info.link_switches$,$network_connection_info.sd_wan_cluster$,$network_connection_info.sd_wan_device_type$,$network_connection_info.sd_wan_cluster_type$,$network_connection_info.sd_wan_site$,$user.groups$,$http_request.x_forwarded_for$,$device.src_type$,$
device.src_profile$,$device.src_model$,$device.src_vendor_name$,$device.src_os_edition$,$device.src_os_version$,$network_connection_info.src_hostname$,$device.src_mac$,$device.dst_type$,$device.dst_profile$,$device.dst_model$,$device.dst_vendor_name$,$network_connection_info.dst_hostname$,$network_connection_info.dst_mac$,$container.id$,$container.pod_namespace$,$container.pod_name$,$network_endpoint.src_host_list$,$network_endpoint.dst_host_list$,$network_endpoint.host_id$,$device_hardware_info.serial_number$,$policy.src_group$,$policy.dst_group$,$session.owner$,$network_activity.time$,$network_activity.a_slice.service_type$,$network_activity.a_slice.differentiator$,$network_activity.sub_category$,$network_activity.app_model$,$network_activity.severity$,$network_activity.container.id$,$network_activity.app_tunnel_type$,$network_activity.is_saas$,$network_activity.is_sanctioned$,$network_activity.is_offloaded$,$network_activity.flow_type$,$network_activity.cluster.name$",
|
||||
halt: true
|
||||
}
|
||||
]
|
||||
}
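Review bot: The `traffic-11-0` format is a fixed positional CSV with `halt: true`, so a record whose column count differs from the list here either fails to match at all or, worse, matches with every field after the first discrepancy shifted by one — and the two Palo Alto formats in this commit already disagree on the layout (this one has `sub_type,timestamp` between the serial number and the source IP, the Prisma SASE one has four columns there, and only that one carries NAT source/destination ports before `flags`), so at least one of them is unlikely to match the vendor's documented field order for its version. A shifted `network_activity.action` column means allow/deny detections silently evaluate the wrong value; validate this format against a captured sample from the exact PAN-OS version in scope, keep one format per version as the `id` suggests, and add a fixture with a known allow and a known deny. The format string also appears to break across two lines between `$device.src_type$,$` and `device.src_profile$`; if that newline is in the file rather than an artefact of the render, the JSON string is invalid and the parser does not load. The missing comma after the `attributes` object is accepted only by a relaxed JSON loader, unlike the strict-JSON AWS WAF and Duo files in this commit.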
|
||||
@@ -0,0 +1,13 @@
|
||||
{
|
||||
attributes: {
|
||||
"dataSource.vendor": "Palo Alto Networks",
|
||||
"dataSource.name": "Palo Alto Networks Prisma SASE",
|
||||
"dataSource.category": "security",
|
||||
}
|
||||
formats: [
|
||||
{
|
||||
format: "$network_traffic.log_header$,$network_traffic.log_source_uid$,$event.type$,$network_traffic.sub_type_value$,$network_traffic.config_version_value$,$network_activity.time$,$src.ip.address$,$dst.ip.address$,$nat_src.device_ip$,$nat_dst.device_ip$,$rule.name$,$user.src_name$,$user.dst_name$,$network_traffic.app_name$,$network_traffic.virtual_system_location$,$network_traffic.from_zone$,$network_traffic.to_zone$,$network_traffic.inbound_if_value$,$network_traffic.outbound_if_value$,$network_traffic.log_set$,$session.uid$,$network_traffic.repeat_count$,$network_endpoint.src_port$,$network_endpoint.dst_port$,$nat_src.port$,$nat_dst.port$,$network_traffic.flags$,$network_connection_info.protocol_name$,$network_traffic.bytes$,$network_traffic.bytes_out$,$network_traffic.bytes_in$,$network_traffic.packets$,$session.created_time$,$network_traffic.total_time_elapsed$,$url.categories$,$metadata.sequence$,$network_traffic.action_flags$,$location.src_region$,$location.dst_region$,$network_traffic.packets_out$,$network_traffic.packets_in$,$network_traffic.session_end_reason_value$,$network_traffic.dg_hier_level_1$,$network_traffic.dg_hier_level_2$,$network_traffic.dg_hier_level_3$,$network_traffic.dg_hier_level_4$,$network_traffic.virtual_system_name$,$endpoint.name$,$network_traffic.action_source_value$,$source.uuid$,$destination.uuid$,$network_traffic.tunnel_id_imsi$,$network_traffic.monitor_tag_imei$,$session.parent_id$,$session.parent_start_time$,$network_traffic.tunnel_value$,$network_traffic.ep_association_uid$,$network_traffic.chunks$,$network_traffic.chunks_out$,$network_traffic.chunks_in$,$rule.uid$,$network_traffic.http2_connection$,$network_traffic.link_change_count$,$policy.uid$,$network_traffic.link_switches$,$network_traffic.sdwan_cluster$,$network_traffic.sdwan_device_type$,$network_traffic.sdwan_cluster_type$,$network_traffic.sdwan_site$,$network_traffic.dynusergroup_name$,$http_request.x_forwarded_for$,$source_device.category_name$,$source_device.profile$
,$source_device.model$,$source_device.vendor_name$,$source_device.os_name$,$source_device.os_version$,$source_device.hostname$,$source_device.mac$,$destination_device.category_name$,$destination_device.profile$,$destination_device.model$,$destination_device.vendor_name$,$destination_device.os_name$,$destination_device.os_version$,$destination_device.hostname$,$destination_device.mac$,$container.uid$,$network_traffic.pod_namespace$,$network_traffic.pod_name$,$network_traffic.source_edl$,$network_traffic.destination_edl$,$host.uid$,$endpoint.serial_number$,$network_traffic.source_dynamic_address_group$,$network_traffic.destination_dynamic_address_group$,$network_traffic.ha_session_owner$,$network_traffic.timestamp_generated_high_res$,$network_traffic.nssai_network_slice_type_value$,$network_traffic.nssai_network_slice_differentiator_value$",
|
||||
halt: true,
|
||||
}
|
||||
]
|
||||
}
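Review bot: This traffic format has `network_traffic.action_flags` and `network_traffic.action_source_value` but no plain action column between `network_connection_info.protocol_name` and `network_traffic.bytes`, whereas the sibling `traffic-11-0` format in this commit places `$network_activity.action$` exactly there; if the Prisma SASE export keeps the PAN-OS position for allow/deny/drop (I'd expect so, but verify against a captured sample), every later field is off by one and the single most detection-relevant field is never populated. If confirmed, insert `$network_activity.action$` after the protocol field, reusing the OCSF name the other Palo Alto format uses so one STAR rule covers both. With `halt: true` and no fallback a column-count mismatch is silent, so a fixture with a known allow and a known deny record should be part of onboarding. The trailing commas after `"dataSource.category": "security",` and `halt: true,` plus the missing comma after the `attributes` object need a relaxed JSON loader; the AWS WAF and Duo parsers here are strict JSON, so confirm which syntax the SDL MCP integration accepts.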
|
||||