Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-08 12:33:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
marcredhat-siem-toolkit-pat…/parsers/PaloAlto-OCSF
T
marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier 
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00

73 lines
2.8 KiB
Plaintext
Raw Permalink Blame History

{
// Palo Alto PAN-OS CSV parser — OCSF v1.3.0
// Format: domain,receive_time,serial,type,subtype,...,src_ip,dst_ip,natsrc_ip,natdst_ip,rule,...
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Palo Alto Networks",
"metadata.product.name": "PAN-OS",
"Category": "network",
"dataSource.vendor": "Palo Alto Networks",
"dataSource.name": "PAN-OS",
"dataSource.category": "firewall",
"category_uid": 4,
"category_name": "Network Activity",
"class_uid": 4001,
"class_name": "Network Activity",
"activity_id": 6,
"type_uid": 400106,
"status_id": 1,
"status": "Success",
"severity_id": 1
},
patterns: {
word: "[^,]*",
csv: "[^,]+"
},
formats: [
// TRAFFIC log
{
id: "panos_traffic",
attributes: {
class_uid: 4001, class_name: "Network Activity",
type_uid: 400106
},
format: "$domain=csv$,$receive_time=csv$,$serial=csv$,TRAFFIC,$subtype=csv$,$config_ver=csv$,$gen_time=csv$,$src_ip=csv$,$dst_ip=csv$,$natsrc_ip=word$,$natdst_ip=word$,$rule=csv$,$src_user=word$,$dst_user=word$,$application=csv$,.*",
halt: true
},
// THREAT log → Detection Finding
{
id: "panos_threat",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Palo Alto Threat Detected",
severity_id: 5, severity: "Critical",
disposition_id: 2, disposition: "Blocked"
},
format: "$domain=csv$,$receive_time=csv$,$serial=csv$,THREAT,$threat_subtype=csv$,$config_ver=csv$,$gen_time=csv$,$src_ip=csv$,$dst_ip=csv$,$natsrc_ip=word$,$natdst_ip=word$,$rule=csv$,$src_user=word$,$dst_user=word$,$application=csv$,.*",
halt: true,
rewrites: [
{ input: "threat_subtype", output: "finding_title", match: "(?i)^.*vulnerability.*$", replace: "Palo Alto Vulnerability Exploit Attempt" },
{ input: "threat_subtype", output: "finding_title", match: "(?i)^.*virus.*$", replace: "Palo Alto Malware Detected" },
{ input: "threat_subtype", output: "finding_title", match: "(?i)^.*spyware.*$", replace: "Palo Alto Spyware/C2 Detected" },
{ input: "threat_subtype", output: "finding_title", match: "(?i)^.*url.*$", replace: "Palo Alto Malicious URL" }
]
},
// URL filtering log
{
id: "panos_url",
attributes: {
class_uid: 4002, class_name: "HTTP Activity",
type_uid: 400201
},
format: "$domain=csv$,$receive_time=csv$,$serial=csv$,URL,.*",
halt: true
}
]
}
Reference in New Issue View Git Blame Copy Permalink