7c1687efce
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).
Preserved fork additions:
backend/routers/quality.py KV scanner, pattern refs, JS keys, JSON mode,
/parsers + /sync-from-sdl endpoints
parsers/ 96 OCSF + tenant parsers
tools/stormshield-verify/ end-to-end ingest regression test
.gitignore un-ignored parsers/*
CHANGES.md, PATCHES.md
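{
  // Omniconnect TI Gateway OCSF Parser - OCSF v1.3.0
  // Secures HIS <-> German Telematics Infrastructure (TI) traffic
  // BSI / NIS2 / gematik compliance events
  //
  // Static attributes stamped on every event this parser emits. The dotted
  // keys are written exactly as given (flat field names, not nested objects).
  attributes: {
    "metadata.version": "1.3.0",
    "metadata.product.vendor_name": "Omniconnect",
    "metadata.product.name": "Omniconnect TI Gateway",
    "metadata.log_provider": "hec",
    "Category": "healthcare",
    "dataSource.vendor": "Omniconnect",
    "dataSource.name": "Omniconnect",
    "dataSource.category": "Healthcare"
  },

  formats: [
    {
      // The whole message is parsed as one JSON document; its top-level keys
      // become the fields that the rewrites below read from.
      format: "$=json{parse=json}$",
      // NOTE(review): presumably stops evaluation of any later format once
      // this one matches — confirm against the parser engine's documentation.
      halt: true,
      rewrites: [
        // ─── OCSF classification by event_category ──────────────────────
        // Each vendor event_category value maps to one OCSF category/class
        // pair (category_uid/category_name and class_uid/class_name). Only
        // the rule whose `match` equals the incoming value writes anything,
        // so the groups below are mutually exclusive. An event whose
        // event_category matches none of them gets no category_uid/class_uid
        // at all — there is no "0 / Unknown" default — and will surface as
        // unclassified in OCSF-aware consumers.
        { input: "event_category", output: "category_uid", match: "ti_connection", replace: "4" },
        { input: "event_category", output: "category_name", match: "ti_connection", replace: "Network Activity" },
        { input: "event_category", output: "class_uid", match: "ti_connection", replace: "4001" },
        { input: "event_category", output: "class_name", match: "ti_connection", replace: "Network Activity" },

        // Smart-card (eHBA / SMC-B style) operations are modelled as
        // Authentication events (class 3002) under IAM (category 3).
        { input: "event_category", output: "category_uid", match: "card_operations", replace: "3" },
        { input: "event_category", output: "category_name", match: "card_operations", replace: "Identity & Access Management" },
        { input: "event_category", output: "class_uid", match: "card_operations", replace: "3002" },
        { input: "event_category", output: "class_name", match: "card_operations", replace: "Authentication" },

        // The three TI application services (VSDM, E-Rezept, ePA) all share
        // Web Resources Activity (6001) under Application Activity (6); they
        // are only distinguishable downstream via the raw event_category.
        { input: "event_category", output: "category_uid", match: "vsdm", replace: "6" },
        { input: "event_category", output: "category_name", match: "vsdm", replace: "Application Activity" },
        { input: "event_category", output: "class_uid", match: "vsdm", replace: "6001" },
        { input: "event_category", output: "class_name", match: "vsdm", replace: "Web Resources Activity" },

        { input: "event_category", output: "category_uid", match: "erezept", replace: "6" },
        { input: "event_category", output: "category_name", match: "erezept", replace: "Application Activity" },
        { input: "event_category", output: "class_uid", match: "erezept", replace: "6001" },
        { input: "event_category", output: "class_name", match: "erezept", replace: "Web Resources Activity" },

        { input: "event_category", output: "category_uid", match: "epa", replace: "6" },
        { input: "event_category", output: "category_name", match: "epa", replace: "Application Activity" },
        { input: "event_category", output: "class_uid", match: "epa", replace: "6001" },
        { input: "event_category", output: "class_name", match: "epa", replace: "Web Resources Activity" },

        // KIM (secure e-mail for the TI) -> Email Activity (4009).
        { input: "event_category", output: "category_uid", match: "kim", replace: "4" },
        { input: "event_category", output: "category_name", match: "kim", replace: "Network Activity" },
        { input: "event_category", output: "class_uid", match: "kim", replace: "4009" },
        { input: "event_category", output: "class_name", match: "kim", replace: "Email Activity" },

        // NOTE(review): Security Finding (2001) is marked deprecated in OCSF
        // 1.3.0 in favour of Detection Finding (2004); keep 2001 only if the
        // downstream consumers still key on it — confirm before changing.
        { input: "event_category", output: "category_uid", match: "security", replace: "2" },
        { input: "event_category", output: "category_name", match: "security", replace: "Findings" },
        { input: "event_category", output: "class_uid", match: "security", replace: "2001" },
        { input: "event_category", output: "class_name", match: "security", replace: "Security Finding" },

        { input: "event_category", output: "category_uid", match: "system", replace: "6" },
        { input: "event_category", output: "category_name", match: "system", replace: "Application Activity" },
        { input: "event_category", output: "class_uid", match: "system", replace: "6007" },
        { input: "event_category", output: "class_name", match: "system", replace: "Application Lifecycle" },

        // ─── Severity ───────────────────────────────────────────────────
        // OCSF severity_id enum: 0 Unknown, 1 Informational, 2 Low,
        // 3 Medium, 4 High, 5 Critical, 6 Fatal, 99 Other. Each vendor level
        // maps onto the OCSF level of the same name (6 / Fatal is not used).
        // Writing critical/high/medium one level too high (6/5/4) would
        // inflate every event's triage priority and skew severity-based
        // alerting and SLA reporting, so the ids below follow the enum.
        // Matching is case-insensitive; assuming `match` is an unanchored
        // regex, it is also a substring match (e.g. "Informational" hits
        // "(?i)info"), so the five patterns must not overlap.
        { input: "severity", output: "severity_id", match: "(?i)critical", replace: "5" },
        { input: "severity", output: "severity_id", match: "(?i)high", replace: "4" },
        { input: "severity", output: "severity_id", match: "(?i)medium", replace: "3" },
        { input: "severity", output: "severity_id", match: "(?i)low", replace: "2" },
        { input: "severity", output: "severity_id", match: "(?i)info", replace: "1" },
        // Vendor severity text kept verbatim alongside the numeric id.
        // NOTE(review): the OCSF string sibling of severity_id is `severity`,
        // not `severity_str`; verify which name the consumers expect.
        { input: "severity", output: "severity_str", match: ".*", replace: "$0" },

        // ─── Status ─────────────────────────────────────────────────────
        // OCSF status_id enum: 0 Unknown, 1 Success, 2 Failure, 99 Other.
        // A "detected" outcome is recorded with the same Failure id as an
        // explicit "failure".
        // NOTE(review): "revoked" -> "3" is not a value of the OCSF status_id
        // enum; 99 (Other) is the conventional id for outcomes without an
        // OCSF equivalent. Left unchanged pending confirmation of intent.
        { input: "outcome", output: "status_id", match: "success", replace: "1" },
        { input: "outcome", output: "status_id", match: "failure", replace: "2" },
        { input: "outcome", output: "status_id", match: "detected", replace: "2" },
        { input: "outcome", output: "status_id", match: "revoked", replace: "3" },
        // Vendor outcome text kept verbatim alongside the numeric id.
        { input: "outcome", output: "status", match: ".*", replace: "$0" },

        // ─── Activity / finding ─────────────────────────────────────────
        // These copy-through rules fire for every event that carries the
        // input field, regardless of class, so finding_info.* is populated on
        // network and authentication events as well as on findings.
        { input: "event_type", output: "activity_name", match: ".*", replace: "$0" },
        { input: "event_type", output: "finding_info.title", match: ".*", replace: "$0" },
        { input: "event_id", output: "finding_info.uid", match: ".*", replace: "$0" },
        // The vendor timestamp is copied verbatim — no format or timezone
        // normalisation happens here.
        // NOTE(review): confirm the gateway emits RFC 3339 with an explicit
        // offset, otherwise created_time_dt is ambiguous for cross-tenant
        // correlation.
        { input: "timestamp", output: "finding_info.created_time_dt", match: ".*", replace: "$0" },

        // ─── Compliance tags (BSI / NIS2 / gematik / GDPR) ──────────────
        // One comma-separated string stamped on every event that has an
        // event_category (match ".*"), independent of the category value.
        // NOTE(review): the OCSF compliance object carries a plural
        // `standards` array; schema-aware consumers may not read this
        // singular, string-valued key. Confirm before renaming or splitting.
        { input: "event_category", output: "compliance.standard", match: ".*", replace: "BSI-Grundschutz,NIS2,gematik-TI,GDPR" }
      ]
    }
  ]
}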