marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00


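{
  // SAP HANA Database SDL Parser
  // OCSF v1.3.0 — emits Detection Finding (2004) for risky events
  // so they appear in XDR / AI SIEM Findings UI
  //
  // Rewrite semantics this file depends on (as the SQL-injection comment below
  // states): rules run in order and a later rule writing the same output field
  // overrides an earlier one. Block order therefore IS the precedence order:
  //   class routing by audit_action < error_code < rows_affected < statement.
  // type_uid follows the OCSF convention class_uid * 100 + activity_id, which is
  // why every activity_id rule below is paired with a type_uid rule.
  //
  // NOTE(review): in the public OCSF 1.3.0 schema category 4 / class 4001 is
  // Network Activity; the "Database Activity" label used here looks like a
  // tenant-specific extension — confirm against the schema the SIEM enforces
  // before anyone writes detections keyed on class_uid 4001.
  attributes: {
    "metadata.version": "1.3.0",
    "metadata.product.vendor_name": "SAP",
    "metadata.product.name": "HANA Database",
    "metadata.log_provider": "hana-audit",
    "Category": "database",
    "dataSource.vendor": "SAP",
    "dataSource.name": "HANA Database",
    "dataSource.category": "database",
    // Defaults; overridden per event by the rewrites below.
    "category_uid": 4,
    "category_name": "Network Activity",
    "class_uid": 4001,
    "class_name": "Database Activity",
    "activity_id": 0,
    "activity_name": "Unknown",
    "type_uid": 400100,
    "status_id": 1,
    "status": "Success",
    "severity_id": 1,
    "severity": "Informational",
    "disposition_id": 0,
    "disposition": "Unknown"
  },
  formats: [
    {
      format: "$=json{parse=json}$",
      halt: true,
      rewrites: [
        // Field extraction — straight copies of HANA audit columns into OCSF
        // attributes (and a few legacy flat names: user.name, src_ip, session.uid).
        { input: "user_name", output: "actor.user.name", match: ".*", replace: "$0" },
        { input: "user_name", output: "user.name", match: ".*", replace: "$0" },
        { input: "application_user", output: "actor.user.account.name", match: ".*", replace: "$0" },
        { input: "application_name", output: "app_name", match: ".*", replace: "$0" },
        { input: "client_ip", output: "src_endpoint.ip", match: ".*", replace: "$0" },
        { input: "client_ip", output: "src_ip", match: ".*", replace: "$0" },
        { input: "client_port", output: "src_endpoint.port", match: ".*", replace: "$0" },
        { input: "host", output: "device.hostname", match: ".*", replace: "$0" },
        { input: "component", output: "device.type", match: ".*", replace: "$0" },
        { input: "connection_id", output: "actor.session.uid", match: ".*", replace: "$0" },
        { input: "connection_id", output: "session.uid", match: ".*", replace: "$0" },
        { input: "transaction_id", output: "transaction.uid", match: ".*", replace: "$0" },
        { input: "statement_id", output: "query_info.uid", match: ".*", replace: "$0" },
        { input: "statement", output: "query_info.query_string", match: ".*", replace: "$0" },
        { input: "executed_statement", output: "query_info.executed_query", match: ".*", replace: "$0" },
        { input: "rows_affected", output: "query_info.rows_affected", match: ".*", replace: "$0" },
        // execution_time_ms is copied as-is; the unit is only visible in the source name.
        { input: "execution_time_ms", output: "query_info.duration", match: ".*", replace: "$0" },
        // audit_action doubles as the human-readable activity_name for every class.
        { input: "audit_action", output: "activity_name", match: ".*", replace: "$0" },
        { input: "audit_action", output: "query_info.query_type", match: ".*", replace: "$0" },
        { input: "audit_policy_name", output: "policy.name", match: ".*", replace: "$0" },
        // NOTE(review): this overwrites raw_data with the HANA "comment" column;
        // confirm raw_data is not expected to carry the original event text.
        { input: "comment", output: "raw_data", match: ".*", replace: "$0" },
        // Status — error_code 0 is success, any code starting with 1-9 is failure.
        // Codes that start with 0 but are not exactly "0" (or are negative) match
        // neither rule and keep the Success default.
        { input: "error_code", output: "status_id", match: "^0$", replace: "1" },
        { input: "error_code", output: "status", match: "^0$", replace: "Success" },
        { input: "error_code", output: "status_id", match: "^[1-9].*", replace: "2" },
        { input: "error_code", output: "status", match: "^[1-9].*", replace: "Failure" },
        { input: "error_code", output: "status_code", match: ".*", replace: "$0" },
        { input: "error_message", output: "status_detail", match: ".*", replace: "$0" },
        // OCSF class routing by audit_action — Authentication (3002)
        { input: "audit_action", output: "class_uid", match: "^(CONNECT|DISCONNECT)$", replace: "3002" },
        { input: "audit_action", output: "class_name", match: "^(CONNECT|DISCONNECT)$", replace: "Authentication" },
        { input: "audit_action", output: "category_uid", match: "^(CONNECT|DISCONNECT)$", replace: "3" },
        { input: "audit_action", output: "category_name", match: "^(CONNECT|DISCONNECT)$", replace: "IAM" },
        { input: "audit_action", output: "activity_id", match: "^CONNECT$", replace: "1" },
        { input: "audit_action", output: "type_uid", match: "^CONNECT$", replace: "300201" },
        { input: "audit_action", output: "activity_id", match: "^DISCONNECT$", replace: "2" },
        { input: "audit_action", output: "type_uid", match: "^DISCONNECT$", replace: "300202" },
        // Authorization (3003) — GRANT / REVOKE
        { input: "audit_action", output: "class_uid", match: "^(GRANT|REVOKE)$", replace: "3003" },
        { input: "audit_action", output: "class_name", match: "^(GRANT|REVOKE)$", replace: "Authorization" },
        { input: "audit_action", output: "category_uid", match: "^(GRANT|REVOKE)$", replace: "3" },
        { input: "audit_action", output: "category_name", match: "^(GRANT|REVOKE)$", replace: "IAM" },
        { input: "audit_action", output: "activity_id", match: "^GRANT$", replace: "1" },
        { input: "audit_action", output: "type_uid", match: "^GRANT$", replace: "300301" },
        { input: "audit_action", output: "activity_id", match: "^REVOKE$", replace: "2" },
        // REVOKE previously left type_uid at the 400100 default on a 3003 event.
        { input: "audit_action", output: "type_uid", match: "^REVOKE$", replace: "300302" },
        // Database Activity (4001) — DML / DDL / Backup
        { input: "audit_action", output: "class_uid", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "4001" },
        { input: "audit_action", output: "class_name", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "Database Activity" },
        { input: "audit_action", output: "category_uid", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "4" },
        { input: "audit_action", output: "category_name", match: "^(SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER|BACKUP DATA|RESTORE)$", replace: "Network Activity" },
        // activity_id / type_uid pairs; CREATE, DROP, ALTER and RESTORE have no
        // activity mapping and keep activity_id 0 / type_uid 400100 on purpose
        // until an id is agreed for them.
        { input: "audit_action", output: "activity_id", match: "^SELECT$", replace: "1" },
        { input: "audit_action", output: "type_uid", match: "^SELECT$", replace: "400101" },
        { input: "audit_action", output: "activity_id", match: "^INSERT$", replace: "2" },
        { input: "audit_action", output: "type_uid", match: "^INSERT$", replace: "400102" },
        { input: "audit_action", output: "activity_id", match: "^UPDATE$", replace: "3" },
        { input: "audit_action", output: "type_uid", match: "^UPDATE$", replace: "400103" },
        { input: "audit_action", output: "activity_id", match: "^DELETE$", replace: "4" },
        { input: "audit_action", output: "type_uid", match: "^DELETE$", replace: "400104" },
        { input: "audit_action", output: "activity_id", match: "^BACKUP DATA$", replace: "5" },
        { input: "audit_action", output: "type_uid", match: "^BACKUP DATA$", replace: "400105" },
        // Severity from audit_level (case-insensitive substring match, so e.g.
        // "INFORMATION" and "Info" both map to Informational).
        { input: "audit_level", output: "severity_id", match: "(?i)info", replace: "1" },
        { input: "audit_level", output: "severity", match: "(?i)info", replace: "Informational" },
        { input: "audit_level", output: "severity_id", match: "(?i)warning", replace: "3" },
        { input: "audit_level", output: "severity", match: "(?i)warning", replace: "Medium" },
        { input: "audit_level", output: "severity_id", match: "(?i)alert", replace: "4" },
        { input: "audit_level", output: "severity", match: "(?i)alert", replace: "High" },
        { input: "audit_level", output: "severity_id", match: "(?i)critical", replace: "5" },
        { input: "audit_level", output: "severity", match: "(?i)critical", replace: "Critical" },
        // Promote risky events to Detection Finding (2004) so they show in XDR.
        // Each block rewrites the full class tuple (class/category/activity/type)
        // so a promoted event never carries an activity_id left over from the
        // class-routing rules above.
        // 1) Failed operation, titled as authentication failure
        // NOTE(review): this keys on error_code alone, so a failed SELECT or
        // GRANT is also titled "HANA Authentication Failure" and marked Blocked.
        // A rewrite has a single input, so gating on audit_action is not possible
        // here; confirm whether the format supports a combined condition, or
        // whether the title should be generalised.
        { input: "error_code", output: "class_uid", match: "^[1-9].*", replace: "2004" },
        { input: "error_code", output: "class_name", match: "^[1-9].*", replace: "Detection Finding" },
        { input: "error_code", output: "category_uid", match: "^[1-9].*", replace: "2" },
        { input: "error_code", output: "category_name", match: "^[1-9].*", replace: "Findings" },
        { input: "error_code", output: "activity_id", match: "^[1-9].*", replace: "1" },
        { input: "error_code", output: "type_uid", match: "^[1-9].*", replace: "200401" },
        { input: "error_code", output: "finding_title", match: "^[1-9].*", replace: "HANA Authentication Failure" },
        { input: "error_code", output: "finding_info.title", match: "^[1-9].*", replace: "HANA Authentication Failure" },
        { input: "error_code", output: "disposition_id", match: "^[1-9].*", replace: "2" },
        { input: "error_code", output: "disposition", match: "^[1-9].*", replace: "Blocked" },
        // Overrides the audit_level severity set above.
        { input: "error_code", output: "severity_id", match: "^[1-9].*", replace: "4" },
        { input: "error_code", output: "severity", match: "^[1-9].*", replace: "High" },
        // 2) Mass data extraction (rows_affected >= 10000: a 1-9 digit followed by at least four digits)
        { input: "rows_affected", output: "class_uid", match: "^[1-9][0-9]{4,}$", replace: "2004" },
        { input: "rows_affected", output: "class_name", match: "^[1-9][0-9]{4,}$", replace: "Detection Finding" },
        { input: "rows_affected", output: "category_uid", match: "^[1-9][0-9]{4,}$", replace: "2" },
        { input: "rows_affected", output: "category_name", match: "^[1-9][0-9]{4,}$", replace: "Findings" },
        { input: "rows_affected", output: "activity_id", match: "^[1-9][0-9]{4,}$", replace: "1" },
        { input: "rows_affected", output: "type_uid", match: "^[1-9][0-9]{4,}$", replace: "200401" },
        { input: "rows_affected", output: "finding_title", match: "^[1-9][0-9]{4,}$", replace: "HANA Mass Data Extraction" },
        { input: "rows_affected", output: "finding_info.title", match: "^[1-9][0-9]{4,}$", replace: "HANA Mass Data Extraction" },
        { input: "rows_affected", output: "severity_id", match: "^[1-9][0-9]{4,}$", replace: "5" },
        { input: "rows_affected", output: "severity", match: "^[1-9][0-9]{4,}$", replace: "Critical" },
        // 3) SQL injection signature (more specific than mass extraction — wins on overlap)
        // NOTE(review): disposition is set to Blocked from the statement text alone,
        // i.e. also when error_code is 0 and the statement executed — confirm the
        // intended disposition for a detected-but-executed statement.
        { input: "statement", output: "class_uid", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2004" },
        { input: "statement", output: "class_name", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Detection Finding" },
        { input: "statement", output: "category_uid", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2" },
        { input: "statement", output: "category_name", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Findings" },
        { input: "statement", output: "activity_id", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "1" },
        { input: "statement", output: "type_uid", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "200401" },
        { input: "statement", output: "finding_title", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "HANA SQL Injection Detected" },
        { input: "statement", output: "finding_info.title", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "HANA SQL Injection Detected" },
        { input: "statement", output: "severity_id", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "5" },
        { input: "statement", output: "severity", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Critical" },
        { input: "statement", output: "disposition_id", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "2" },
        { input: "statement", output: "disposition", match: "(?i)^(.*WHERE 1=1.*|.*UNION\\s+SELECT.*|.*OR\\s+['\"]x['\"]\\s*=\\s*['\"]x['\"].*)$", replace: "Blocked" },
        // 4) GRANT ALL PRIVILEGES (anchor with ^...$)
        { input: "statement", output: "class_uid", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "2004" },
        { input: "statement", output: "class_name", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Detection Finding" },
        { input: "statement", output: "category_uid", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "2" },
        { input: "statement", output: "category_name", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Findings" },
        { input: "statement", output: "activity_id", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "1" },
        { input: "statement", output: "type_uid", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "200401" },
        { input: "statement", output: "finding_title", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "HANA Privilege Escalation" },
        { input: "statement", output: "finding_info.title", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "HANA Privilege Escalation" },
        { input: "statement", output: "severity_id", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "5" },
        { input: "statement", output: "severity", match: "(?i)^.*GRANT\\s+ALL\\s+PRIVILEGES.*$", replace: "Critical" },
        // 5) Backup to /tmp/ (anchor with ^...$)
        { input: "statement", output: "class_uid", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "2004" },
        { input: "statement", output: "class_name", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Detection Finding" },
        { input: "statement", output: "category_uid", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "2" },
        { input: "statement", output: "category_name", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Findings" },
        { input: "statement", output: "activity_id", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "1" },
        { input: "statement", output: "type_uid", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "200401" },
        { input: "statement", output: "finding_title", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "HANA Suspicious Backup Location" },
        { input: "statement", output: "finding_info.title", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "HANA Suspicious Backup Location" },
        { input: "statement", output: "severity_id", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "5" },
        { input: "statement", output: "severity", match: "(?i)^.*BACKUP\\s+DATA.+/tmp/.*$", replace: "Critical" }
      ]
    }
  ]
}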