Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-08 12:33:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
marcredhat-siem-toolkit-pat…/parsers/SIMGeneric-OCSF
T
marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier 
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00

75 lines
2.5 KiB
Plaintext
Raw Permalink Blame History

{
// Generic SIM application syslog parser — OCSF v1.3.0
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Generic",
"metadata.product.name": "SIM Generic Application",
"Category": "application",
"dataSource.vendor": "Generic",
"dataSource.name": "Generic Application",
"dataSource.category": "application",
"category_uid": 3,
"category_name": "IAM",
"class_uid": 3002,
"class_name": "Authentication",
"activity_id": 1,
"type_uid": 300201,
"status_id": 1,
"severity_id": 1
},
patterns: {
ipv4: "\\d+\\.\\d+\\.\\d+\\.\\d+",
word: "\\S+",
rest: ".*"
},
formats: [
// Successful login
{
id: "generic_login_success",
attributes: {
class_uid: 3002, class_name: "Authentication",
type_uid: 300201,
status_id: 1, status: "Success"
},
format: ".*INFO User login successful user=$user_name=word$ src_ip=$src_ip=ipv4$ session_id=$session_id=word$",
halt: true
},
// Failed authentication → Detection Finding
{
id: "generic_auth_fail",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, type_uid: 200401,
finding_title: "Generic Application Authentication Failure",
severity_id: 4, severity: "High",
disposition_id: 2, disposition: "Blocked",
status_id: 2, status: "Failure"
},
format: ".*WARNING Failed authentication attempt user=$user_name=word$ src_ip=$src_ip=ipv4$ reason=$reason=word$ attempts=$attempts=word$",
halt: true,
rewrites: [
// Bump severity if attempts >= 5 (likely brute force)
{ input: "attempts", output: "finding_title", match: "^[5-9]$|^\\d{2,}$", replace: "Generic Application Brute Force" },
{ input: "attempts", output: "severity_id", match: "^[5-9]$|^\\d{2,}$", replace: "5" },
{ input: "attempts", output: "severity", match: "^[5-9]$|^\\d{2,}$", replace: "Critical" }
]
},
// Generic ERROR
{
id: "generic_error",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, type_uid: 200401,
finding_title: "Generic Application Error",
severity_id: 3, severity: "Medium"
},
format: ".*ERROR $detail=rest$",
halt: true
}
]
}
Reference in New Issue View Git Blame Copy Permalink