Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-11 05:41:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add unlabelled event detection, stub parser quality, Sync All, and modern UI redesign

Browse Source 
Key changes:
- Unlabelled event banner: shows count only after Sample Events is clicked; uses broad SDL filter expression; time window synced to sync-days dropdown
- Parser Quality: new "Attributes Missing" subsection listing all parsers without dataSource.name regardless of event volume
- Coverage map: filter buttons (All / Complete Parser / Attributes Missing); stat card renamed to "Incomplete Parser"; stub count excluded from sync when no active sources
- Sync All button: runs SDL parser sync → library sync → live sources sync in sequence
- Reset now clears ActiveSource table and resets unlabelled count cache
- run_powerquery: configurable max_count param (default 1000, 50M for count queries)
- _DS_NAME_RE: supports both quoted and unquoted dataSource.name keys in parser files
- Full modern UI redesign: slate palette, gradient cards, ring borders, pill nav, colored stat accents
- Updated 7 tracked parser files synced from SDL

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mick
2026-05-22 10:00:21 -04:00
parent 0013adbe7e
commit c5a4f796a0
15 changed files with 3498 additions and 469 deletions
Download Patch File Download Diff File Expand all files Collapse all files
parsers/okta_authentication-latest
+284 -32
View File
@@ -1,39 +1,291 @@
{
attributes: {
source: "okta"
"dataSource.category": "security",
"dataSource.name": "Okta",
"attributes": {
"dataSource.vendor": "Okta",
"dataSource.name": "Okta System Log",
"dataSource.category": "security",
"metadata.product.vendor_name": "Okta",
"metadata.product.name": "Okta System Log",
"metadata.version": "1.0.0"
},
formats: [
"formats": [
{
format: ".*${parse=dottedJson}{attrBlacklist=target}$"
rewrites: [
{ input: "actor.id", output: "user.account_uid", match: ".*", replace: "$0" },
{ input: "actor.type", output: "user.account_type", match: ".*", replace: "$0" },
{ input: "actor.alternateId", output: "user.email_addr", match: ".*", replace: "$0" },
{ input: "actor.displayName", output: "user.name", match: ".*", replace: "$0" },
{ input: "authenticationContext.authenticationStep", output: "authenticationStep", match: ".*", replace: "$0" },
{ input: "authenticationContext.externalSessionId", output: "externalSessionId", match: ".*", replace: "$0" },
{ input: "client.ipAddress", output: "client.ip", match: ".*", replace: "$0" },
{ input: "client.userAgent.browser", output: "client.browser", match: ".*", replace: "$0" },
{ input: "client.userAgent.os", output: "client.os", match: ".*", replace: "$0" },
{ input: "client.userAgent.rawUserAgent", output: "client.userAgent", match: ".*", replace: "$0" },
{ input: "client.zone", output: "client.location.zone", match: ".*", replace: "$0" },
{ input: "client.geographicalContext.city", output: "client.location.city", match: ".*", replace: "$0" },
{ input: "client.geographicalContext.country", output: "client.location.country", match: ".*", replace: "$0" },
{ input: "client.geographicalContext.geolocation.lat", output: "client.location.lat", match: ".*", replace: "$0" },
{ input: "client.geographicalContext.geolocation.lon", output: "client.location.lon", match: ".*", replace: "$0" },
{ input: "client.geographicalContext.postalCode", output: "client.location.postal_code", match: ".*", replace: "$0" },
{ input: "client.geographicalContext.state", output: "client.location.state", match: ".*", replace: "$0" },
{ input: "displayMessage", output: "msg", match: ".*", replace: "$0" },
{ input: "eventType", output: "category_name", match: ".*", replace: "$0" },
{ input: "outcome.result", output: "result", match: ".*", replace: "$0" },
{ input: "published", output: "time", match: ".*", replace: "$0" },
{ input: "transaction.id", output: "type_uid", match: ".*", replace: "$0" },
{ input: "transaction.type", output: "type_name", match: ".*", replace: "$0" },
{ input: "uuid", output: "activity_id", match: ".*", replace: "$0" }
"format": "$unmapped.{parse=json}$",
"rewrites": [
{
"input": "unmapped.published",
"output": "timestamp",
"match": ".*",
"replace": "$0"
}
]
}
]
],
"mappings": {
"version": 1,
"mappings": [
{
"predicate": "true",
"transformations": [
{
"constant": {
"value": 3002,
"field": "class_uid"
}
},
{
"constant": {
"value": "Authentication",
"field": "class_name"
}
},
{
"constant": {
"value": 3,
"field": "category_uid"
}
},
{
"constant": {
"value": "Identity & Access Management",
"field": "category_name"
}
},
{
"copy": {
"from": "unmapped.published",
"to": "time"
}
},
{
"cast": {
"field": "time",
"type": "iso8601TimestampToEpochSec"
}
},
{
"copy": {
"from": "unmapped.uuid",
"to": "metadata.uid"
}
},
{
"copy": {
"from": "unmapped.eventType",
"to": "type_name"
}
},
{
"copy": {
"from": "unmapped.displayMessage",
"to": "message"
}
},
{
"copy": {
"from": "unmapped.actor.alternateId",
"to": "user.name"
}
},
{
"copy": {
"from": "unmapped.actor.displayName",
"to": "user.full_name"
}
},
{
"copy": {
"from": "unmapped.actor.id",
"to": "user.uid"
}
},
{
"copy": {
"from": "unmapped.client.ipAddress",
"to": "src_endpoint.ip"
}
},
{
"copy": {
"from": "unmapped.client.geographicalContext.city",
"to": "src_endpoint.location.city"
}
},
{
"copy": {
"from": "unmapped.client.geographicalContext.state",
"to": "src_endpoint.location.region"
}
},
{
"copy": {
"from": "unmapped.client.geographicalContext.country",
"to": "src_endpoint.location.country"
}
},
{
"copy": {
"from": "unmapped.client.geographicalContext.postalCode",
"to": "src_endpoint.location.postal_code"
}
},
{
"copy": {
"from": "unmapped.client.geographicalContext.geolocation.lat",
"to": "src_endpoint.location.coordinates[0]"
}
},
{
"copy": {
"from": "unmapped.client.geographicalContext.geolocation.lon",
"to": "src_endpoint.location.coordinates[1]"
}
},
{
"copy": {
"from": "unmapped.client.userAgent.rawUserAgent",
"to": "http_request.user_agent"
}
},
{
"copy": {
"from": "unmapped.client.userAgent.os.family",
"to": "src_endpoint.os.name"
}
},
{
"copy": {
"from": "unmapped.client.userAgent.browser.family",
"to": "http_request.user_agent"
}
},
{
"copy": {
"from": "unmapped.outcome.result",
"to": "status"
}
},
{
"copy": {
"from": "unmapped.outcome.reason",
"to": "status_detail"
}
},
{
"copy": {
"from": "unmapped.transaction.type",
"to": "auth_protocol"
}
},
{
"copy": {
"from": "unmapped.transaction.id",
"to": "session.uid"
}
},
{
"copy": {
"from": "unmapped.authenticationContext.externalSessionId",
"to": "session.uid"
}
},
{
"copy": {
"from": "unmapped.debugContext.debugData.requestId",
"to": "metadata.correlation_uid"
}
},
{
"copy": {
"from": "unmapped.debugContext.debugData.requestUri",
"to": "http_request.url.path"
}
},
{
"copy": {
"from": "unmapped.target[0].displayName",
"to": "dst_endpoint.name"
}
},
{
"copy": {
"from": "unmapped.target[0].alternateId",
"to": "dst_endpoint.uid"
}
},
{
"copy": {
"from": "unmapped.severity",
"to": "severity"
}
},
{
"constant": {
"value": 1,
"field": "activity_id",
"predicate": "unmapped.outcome.result = 'SUCCESS'"
}
},
{
"constant": {
"value": 2,
"field": "activity_id",
"predicate": "unmapped.outcome.result = 'FAILURE'"
}
},
{
"constant": {
"value": 1,
"field": "severity_id",
"predicate": "unmapped.outcome.result = 'SUCCESS'"
}
},
{
"constant": {
"value": 3,
"field": "severity_id",
"predicate": "unmapped.outcome.result = 'FAILURE'"
}
},
{
"constant": {
"value": 1,
"field": "status_id",
"predicate": "unmapped.outcome.result = 'SUCCESS'"
}
},
{
"constant": {
"value": 2,
"field": "status_id",
"predicate": "unmapped.outcome.result = 'FAILURE'"
}
}
]
}
]
},
"observables": {
"fields": [
{
"name": "user.name",
"type": "User"
},
{
"name": "src_endpoint.ip",
"type": "IP Address"
},
{
"name": "http_request.user_agent",
"type": "Other"
},
{
"name": "session.uid",
"type": "Other"
},
{
"name": "dst_endpoint.name",
"type": "Other"
}
]
}
}