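{
  // Omniconnect TI Gateway OCSF Parser - OCSF v1.3.0
  // Secures HIS <-> German Telematics Infrastructure (TI) traffic
  // BSI / NIS2 / gematik compliance events
  //
  // Review notes (OCSF v1.3.0 alignment):
  //  * severity_id now follows the OCSF enum (1 Informational, 2 Low, 3 Medium,
  //    4 High, 5 Critical, 6 Fatal). The previous table was shifted up by one
  //    (critical -> 6 "Fatal", high -> 5 "Critical", medium -> 4 "High"), so
  //    detections keyed on severity_id would have fired one level too high.
  //  * class_uid 6007 is "Scan Activity" in OCSF; "Application Lifecycle" is
  //    6002. The uid is corrected so class_uid and class_name agree.
  //  * status_id only defines 0 Unknown / 1 Success / 2 Failure / 99 Other.
  //    "revoked" previously emitted the undefined value 3; it now maps to 99
  //    and the raw outcome is still carried verbatim in `status`.
  //  * `match` is a regular expression (the severity rules already rely on
  //    `(?i)`). Every discrete mapping is anchored with ^...$ so that a value
  //    such as "unsuccessful" can no longer satisfy the "success" rule, and an
  //    unknown event_category can no longer partially match a known one.
  //    NOTE(review): if the engine applies find-and-replace-within-string
  //    semantics, an unanchored partial match would also have produced a
  //    mangled output (e.g. "un1ful") rather than a clean id - confirm against
  //    the parser's rewrite documentation.
  //  * Unchanged but worth knowing: `finding_info.*` and
  //    `compliance.standard` are written for every event class, not only for
  //    class 2001, which is outside the OCSF schema for the other classes;
  //    `severity_str` is not an OCSF attribute (the spec name is `severity`);
  //    OCSF's `compliance` object carries `standards` as a string array, not a
  //    comma-joined string; and class 2001 "Security Finding" is deprecated
  //    since OCSF 1.1 in favour of 2004 "Detection Finding". These are left
  //    as-is because downstream consumers may depend on the current names.
  attributes: {
    "metadata.version": "1.3.0",
    "metadata.product.vendor_name": "Omniconnect",
    "metadata.product.name": "Omniconnect TI Gateway",
    "metadata.log_provider": "hec",
    "Category": "healthcare",
    "dataSource.vendor": "Omniconnect",
    "dataSource.name": "Omniconnect",
    "dataSource.category": "Healthcare"
  },
  formats: [
    {
      // Parse the whole message as JSON. `halt: true` presumably stops
      // evaluation of any further formats once this one matches - confirm in
      // the parser documentation.
      format: "$=json{parse=json}$",
      halt: true,
      rewrites: [
        // ─── OCSF classification by event_category ──────────────────────
        // Each event_category is mapped to the OCSF category and class pair.
        // Patterns are anchored: an unrecognised category leaves all four
        // output attributes unset instead of inheriting a partial match.
        { input: "event_category", output: "category_uid",  match: "^ti_connection$", replace: "4" },
        { input: "event_category", output: "category_name", match: "^ti_connection$", replace: "Network Activity" },
        { input: "event_category", output: "class_uid",     match: "^ti_connection$", replace: "4001" },
        { input: "event_category", output: "class_name",    match: "^ti_connection$", replace: "Network Activity" },

        { input: "event_category", output: "category_uid",  match: "^card_operations$", replace: "3" },
        { input: "event_category", output: "category_name", match: "^card_operations$", replace: "Identity & Access Management" },
        { input: "event_category", output: "class_uid",     match: "^card_operations$", replace: "3002" },
        { input: "event_category", output: "class_name",    match: "^card_operations$", replace: "Authentication" },

        { input: "event_category", output: "category_uid",  match: "^vsdm$", replace: "6" },
        { input: "event_category", output: "category_name", match: "^vsdm$", replace: "Application Activity" },
        { input: "event_category", output: "class_uid",     match: "^vsdm$", replace: "6001" },
        { input: "event_category", output: "class_name",    match: "^vsdm$", replace: "Web Resources Activity" },

        { input: "event_category", output: "category_uid",  match: "^erezept$", replace: "6" },
        { input: "event_category", output: "category_name", match: "^erezept$", replace: "Application Activity" },
        { input: "event_category", output: "class_uid",     match: "^erezept$", replace: "6001" },
        { input: "event_category", output: "class_name",    match: "^erezept$", replace: "Web Resources Activity" },

        { input: "event_category", output: "category_uid",  match: "^epa$", replace: "6" },
        { input: "event_category", output: "category_name", match: "^epa$", replace: "Application Activity" },
        { input: "event_category", output: "class_uid",     match: "^epa$", replace: "6001" },
        { input: "event_category", output: "class_name",    match: "^epa$", replace: "Web Resources Activity" },

        { input: "event_category", output: "category_uid",  match: "^kim$", replace: "4" },
        { input: "event_category", output: "category_name", match: "^kim$", replace: "Network Activity" },
        { input: "event_category", output: "class_uid",     match: "^kim$", replace: "4009" },
        { input: "event_category", output: "class_name",    match: "^kim$", replace: "Email Activity" },

        // NOTE(review): 2001 "Security Finding" is deprecated in OCSF >= 1.1
        // (successor: 2004 "Detection Finding"); kept for downstream
        // compatibility.
        { input: "event_category", output: "category_uid",  match: "^security$", replace: "2" },
        { input: "event_category", output: "category_name", match: "^security$", replace: "Findings" },
        { input: "event_category", output: "class_uid",     match: "^security$", replace: "2001" },
        { input: "event_category", output: "class_name",    match: "^security$", replace: "Security Finding" },

        // "Application Lifecycle" is class 6002 in OCSF (6007 is "Scan Activity").
        { input: "event_category", output: "category_uid",  match: "^system$", replace: "6" },
        { input: "event_category", output: "category_name", match: "^system$", replace: "Application Activity" },
        { input: "event_category", output: "class_uid",     match: "^system$", replace: "6002" },
        { input: "event_category", output: "class_name",    match: "^system$", replace: "Application Lifecycle" },

        // ─── Severity ───────────────────────────────────────────────────
        // OCSF severity_id: 1 Informational, 2 Low, 3 Medium, 4 High,
        // 5 Critical (6 Fatal is not produced by this source).
        // Case-insensitive and anchored; "info" and "informational" are both
        // accepted so the previous substring behaviour for that level is kept.
        { input: "severity", output: "severity_id", match: "(?i)^critical$",            replace: "5" },
        { input: "severity", output: "severity_id", match: "(?i)^high$",                replace: "4" },
        { input: "severity", output: "severity_id", match: "(?i)^medium$",              replace: "3" },
        { input: "severity", output: "severity_id", match: "(?i)^low$",                 replace: "2" },
        { input: "severity", output: "severity_id", match: "(?i)^info(rmational)?$",    replace: "1" },
        // Raw severity label is kept alongside the numeric id.
        // NOTE(review): OCSF names this sibling attribute `severity`, not
        // `severity_str`; left unchanged for compatibility.
        { input: "severity", output: "severity_str", match: ".*", replace: "$0" },

        // ─── Status ─────────────────────────────────────────────────────
        // OCSF status_id: 1 Success, 2 Failure, 99 Other. Anchored so that
        // e.g. "unsuccessful" or "not_success" cannot be reported as success.
        { input: "outcome", output: "status_id", match: "^success$",  replace: "1" },
        { input: "outcome", output: "status_id", match: "^failure$",  replace: "2" },
        // NOTE(review): "detected" was mapped to Failure in the original
        // table; kept as-is, but confirm this is the intended semantics for
        // finding events rather than 99 (Other).
        { input: "outcome", output: "status_id", match: "^detected$", replace: "2" },
        // 3 is not a defined OCSF status_id; "revoked" is reported as Other
        // and the literal outcome survives in `status` below.
        { input: "outcome", output: "status_id", match: "^revoked$",  replace: "99" },
        { input: "outcome", output: "status",    match: ".*",         replace: "$0" },

        // ─── Activity / finding ─────────────────────────────────────────
        // NOTE(review): these finding_info.* attributes are emitted for every
        // class, not only 2001; the rewrite DSL visible here cannot condition
        // on another field, so this is flagged rather than changed.
        // NOTE(review): `created_time_dt` expects an RFC 3339 timestamp in
        // OCSF - confirm the source `timestamp` is not an epoch integer.
        { input: "event_type", output: "activity_name",                match: ".*", replace: "$0" },
        { input: "event_type", output: "finding_info.title",           match: ".*", replace: "$0" },
        { input: "event_id",   output: "finding_info.uid",             match: ".*", replace: "$0" },
        { input: "timestamp",  output: "finding_info.created_time_dt", match: ".*", replace: "$0" },

        // ─── Compliance tags (BSI / NIS2 / gematik / GDPR) ──────────────
        // Applied to every event that carries an event_category.
        // NOTE(review): OCSF models this as the string array
        // `compliance.standards`; the comma-joined string is kept because a
        // rewrite rule can only emit a scalar.
        { input: "event_category", output: "compliance.standard", match: ".*", replace: "BSI-Grundschutz,NIS2,gematik-TI,GDPR" }
      ]
    }
  ]
}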