marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00

{
"configType": "TABBED",
"duration": "24h",
"description": "BSI / NIS2 healthcare compliance \u2014 Avelios Medical HIS + Omniconnect TI Gateway",
"tabs": [
{
"tabName": "Overview",
"graphs": [
{
"title": "BSI / NIS2 Healthcare Compliance \u2014 Overview",
"graphStyle": "markdown",
"markdown": "**Scope:** Avelios Medical Hospital Information System (HIS) + Omniconnect HIS\u2194Telematics Infrastructure (TI) gateway.\n\n**Frameworks:** BSI-Grundschutz \u00b7 NIS2 \u00b7 GDPR \u00b7 gematik TI.\n\nAll events are OCSF-enriched (v1.3.0) by the deployed parsers `Avelios-Medical-OCSF` and `Omniconnect-OCSF`.",
"layout": {
"w": 60,
"h": 4,
"x": 0,
"y": 0
}
},
{
"title": "Total Healthcare Events",
"graphStyle": "number",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": " events"
},
"layout": {
"w": 15,
"h": 8,
"x": 0,
"y": 4
}
},
{
"title": "Avelios Events",
"graphStyle": "number",
"query": "serverHost='avelios-medical' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 15,
"y": 4
}
},
{
"title": "Omniconnect Events",
"graphStyle": "number",
"query": "serverHost='omniconnect' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 30,
"y": 4
}
},
{
"title": "Critical Findings",
"graphStyle": "number",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') severity_id='6' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 45,
"y": 4
}
},
{
"title": "Events by Source",
"graphStyle": "donut",
"maxPieSlices": 10,
"dataLabelType": "PERCENTAGE",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') | group ct=count() by serverHost",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 12
}
},
{
"title": "OCSF Severity Distribution",
"graphStyle": "donut",
"maxPieSlices": 10,
"dataLabelType": "PERCENTAGE",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') severity_str=* | group ct=count() by severity_str",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 12
}
},
{
"title": "Events by OCSF Class (per source)",
"graphStyle": "stacked_bar",
"xAxis": "grouped_data",
"yScale": "linear",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') class_name=* | group ct=count() by class_name, serverHost | sort -ct",
"layout": {
"w": 60,
"h": 16,
"x": 0,
"y": 26
}
},
{
"title": "Recent HIGH / CRITICAL events",
"graphStyle": "table",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') (severity_str='HIGH' or severity_str='CRITICAL') | columns timestamp, serverHost, event_category, event_type, severity_str | sort -timestamp | limit 25",
"layout": {
"w": 60,
"h": 18,
"x": 0,
"y": 42
}
}
]
},
{
"tabName": "Avelios HIS",
"graphs": [
{
"title": "Avelios Medical \u2014 Hospital Information System",
"graphStyle": "markdown",
"markdown": "Patient-data access (PHI / GDPR Art. 32), authentication, administrative changes and security findings.\n\n**Relevant BSI controls:** ORP.4 (Identity Management), OPS.1.1 (Logging), CON.3 (Data Protection), DER.1 (Detection).",
"layout": {
"w": 60,
"h": 4,
"x": 0,
"y": 0
}
},
{
"title": "Total Avelios Events",
"graphStyle": "number",
"query": "serverHost='avelios-medical' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 0,
"y": 4
}
},
{
"title": "PHI Access Events",
"graphStyle": "number",
"query": "serverHost='avelios-medical' event_category='patient_access' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 15,
"y": 4
}
},
{
"title": "Auth Failures",
"graphStyle": "number",
"query": "serverHost='avelios-medical' event_category='authentication' outcome='failure' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 30,
"y": 4
}
},
{
"title": "Security Findings",
"graphStyle": "number",
"query": "serverHost='avelios-medical' category_uid='2' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 45,
"y": 4
}
},
{
"title": "Avelios \u2014 Event Categories",
"graphStyle": "donut",
"maxPieSlices": 10,
"dataLabelType": "PERCENTAGE",
"query": "serverHost='avelios-medical' event_category=* | group ct=count() by event_category",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 12
}
},
{
"title": "Avelios \u2014 Severity Mix",
"graphStyle": "donut",
"maxPieSlices": 10,
"dataLabelType": "PERCENTAGE",
"query": "serverHost='avelios-medical' severity_str=* | group ct=count() by severity_str",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 12
}
},
{
"title": "PHI Access (BSI CON.3 / GDPR Art. 32)",
"graphStyle": "table",
"query": "serverHost='avelios-medical' event_category='patient_access' | group ct=count() by event_type, severity_str | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 26
}
},
{
"title": "Authentication Outcomes",
"graphStyle": "table",
"query": "serverHost='avelios-medical' event_category='authentication' | group ct=count() by event_type, outcome | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 26
}
},
{
"title": "Administrative Changes (BSI ORP.4)",
"graphStyle": "table",
"query": "serverHost='avelios-medical' event_category='administrative' | group ct=count() by event_type, outcome | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 40
}
},
{
"title": "Avelios Security Findings",
"graphStyle": "table",
"query": "serverHost='avelios-medical' category_uid='2' | columns timestamp, event_type, severity_str | sort -timestamp | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 40
}
}
]
},
{
"tabName": "Omniconnect",
"graphs": [
{
"title": "Omniconnect \u2014 HIS \u2194 Telematics Infrastructure (TI)",
"graphStyle": "markdown",
"markdown": "Konnektor health, eGK / HBA / SMC-B card operations, eRezept, ePA, VSDM and KIM secure messaging.\n\n**Relevant frameworks:** gematik TI, BSI TR-03116, NIS2 Annex II.",
"layout": {
"w": 60,
"h": 4,
"x": 0,
"y": 0
}
},
{
"title": "Total Omniconnect Events",
"graphStyle": "number",
"query": "serverHost='omniconnect' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 0,
"y": 4
}
},
{
"title": "TI Connection Events",
"graphStyle": "number",
"query": "serverHost='omniconnect' event_category='ti_connection' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 15,
"y": 4
}
},
{
"title": "Card Operations",
"graphStyle": "number",
"query": "serverHost='omniconnect' event_category='card_operations' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 30,
"y": 4
}
},
{
"title": "Cert / Crypto Failures",
"graphStyle": "number",
"query": "serverHost='omniconnect' (event_type='CERTIFICATE_EXPIRED' or event_type='CERTIFICATE_VALIDATION_FAILED' or event_type='ENCRYPTION_FAILED' or event_type='SIGNATURE_VERIFICATION_FAILED') | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 45,
"y": 4
}
},
{
"title": "Omniconnect \u2014 Event Categories",
"graphStyle": "donut",
"maxPieSlices": 10,
"dataLabelType": "PERCENTAGE",
"query": "serverHost='omniconnect' event_category=* | group ct=count() by event_category",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 12
}
},
{
"title": "Omniconnect \u2014 Severity Mix",
"graphStyle": "donut",
"maxPieSlices": 10,
"dataLabelType": "PERCENTAGE",
"query": "serverHost='omniconnect' severity_str=* | group ct=count() by severity_str",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 12
}
},
{
"title": "TI Connection Issues",
"graphStyle": "table",
"query": "serverHost='omniconnect' event_category='ti_connection' outcome!='success' | group ct=count() by event_type, severity_str | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 26
}
},
{
"title": "Card Operations (eGK / HBA / SMC-B)",
"graphStyle": "table",
"query": "serverHost='omniconnect' event_category='card_operations' | group ct=count() by event_type, outcome | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 26
}
},
{
"title": "eRezept Activity",
"graphStyle": "table",
"query": "serverHost='omniconnect' event_category='erezept' | group ct=count() by event_type, outcome | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 40
}
},
{
"title": "ePA / KIM Activity",
"graphStyle": "table",
"query": "serverHost='omniconnect' (event_category='epa' or event_category='kim') | group ct=count() by event_category, event_type | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 40
}
}
]
},
{
"tabName": "Compliance",
"graphs": [
{
"title": "BSI / NIS2 Compliance Findings",
"graphStyle": "markdown",
"markdown": "OCSF Security Findings (`category_uid=2`) across both healthcare platforms, mapped to BSI-Grundschutz controls and NIS2 Annex II obligations (incident handling, encryption, access control, supply-chain security).",
"layout": {
"w": 60,
"h": 4,
"x": 0,
"y": 0
}
},
{
"title": "Total Findings",
"graphStyle": "number",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 0,
"y": 4
}
},
{
"title": "CRITICAL Findings",
"graphStyle": "number",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' severity_str='CRITICAL' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 15,
"y": 4
}
},
{
"title": "HIGH Findings",
"graphStyle": "number",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' severity_str='HIGH' | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 30,
"y": 4
}
},
{
"title": "Auth Failures (24h)",
"graphStyle": "number",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='USER_LOGIN_FAILURE' or event_type='CARD_AUTHENTICATION_FAILED' or event_type='CARD_PIN_FAILED') | group ct=count() | limit 1",
"options": {
"format": "auto",
"precision": "0",
"suffix": ""
},
"layout": {
"w": 15,
"h": 8,
"x": 45,
"y": 4
}
},
{
"title": "Findings by Type per Source (NIS2 Annex II)",
"graphStyle": "stacked_bar",
"xAxis": "grouped_data",
"yScale": "linear",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') category_uid='2' | group ct=count() by event_type, serverHost | sort -ct",
"layout": {
"w": 60,
"h": 18,
"x": 0,
"y": 12
}
},
{
"title": "BSI ORP.4 \u2014 Identity & Access Anomalies",
"graphStyle": "table",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='ACCOUNT_LOCKED' or event_type='UNAUTHORIZED_ACCESS_ATTEMPT' or event_type='PRIVILEGE_ESCALATION_ATTEMPT' or event_type='CARD_PIN_BLOCKED') | group ct=count() by serverHost, event_type, severity_str | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 30
}
},
{
"title": "BSI CON.1 \u2014 Crypto / Certificate Issues",
"graphStyle": "table",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type contains 'CERTIFICATE' or event_type contains 'ENCRYPTION' or event_type contains 'SIGNATURE') outcome!='success' | group ct=count() by serverHost, event_type, severity_str | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 30
}
},
{
"title": "BSI DER.1 \u2014 Threats & Intrusions",
"graphStyle": "table",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='MALWARE_DETECTED' or event_type='INTRUSION_DETECTED' or event_type='TAMPER_DETECTION' or event_type='SECURITY_POLICY_VIOLATION') | columns timestamp, serverHost, event_type, severity_str | sort -timestamp | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 0,
"y": 44
}
},
{
"title": "GDPR Art. 32 \u2014 Data-Processing Events",
"graphStyle": "table",
"query": "(serverHost='avelios-medical' or serverHost='omniconnect') (event_type='EMERGENCY_ACCESS_OVERRIDE' or event_type='PATIENT_RECORD_DELETE' or event_type='DATA_EXPORT_INITIATED' or event_type='AUDIT_LOG_EXPORT' or event_type='EPA_EMERGENCY_ACCESS') | group ct=count() by serverHost, event_type | sort -ct | limit 25",
"layout": {
"w": 30,
"h": 14,
"x": 30,
"y": 44
}
},
{
"title": "Compliance Control Mapping",
"graphStyle": "markdown",
"markdown": "| Control | BSI / NIS2 ref | Evidence query |\n|---|---|---|\n| Identity & Access | BSI ORP.4 / NIS2 Art. 21(2)(i) | `event_category in (authentication, card_operations)` |\n| Logging & Audit | BSI OPS.1.1 / NIS2 Art. 21(2)(b) | All ingested events |\n| Cryptography | BSI CON.1 / NIS2 Art. 21(2)(h) | `event_type contains CERTIFICATE/ENCRYPTION/SIGNATURE` |\n| Incident Detection | BSI DER.1 / NIS2 Art. 21(2)(c) | `category_uid=2` |\n| Data Protection | BSI CON.3 / GDPR Art. 32 | `event_category=patient_access OR epa` |\n| Supply Chain (TI) | BSI TR-03116 / NIS2 Art. 21(2)(d) | `event_category=ti_connection` |",
"layout": {
"w": 60,
"h": 12,
"x": 0,
"y": 58
}
}
]
}
]
}