Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-08 12:33:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
marcredhat-siem-toolkit-pat…/parsers/netskope_netskope_logs-latest
T
Mick c5a4f796a0 Add unlabelled event detection, stub parser quality, Sync All, and modern UI redesign 
Key changes:
- Unlabelled event banner: shows count only after Sample Events is clicked; uses broad SDL filter expression; time window synced to sync-days dropdown
- Parser Quality: new "Attributes Missing" subsection listing all parsers without dataSource.name regardless of event volume
- Coverage map: filter buttons (All / Complete Parser / Attributes Missing); stat card renamed to "Incomplete Parser"; stub count excluded from sync when no active sources
- Sync All button: runs SDL parser sync → library sync → live sources sync in sequence
- Reset now clears ActiveSource table and resets unlabelled count cache
- run_powerquery: configurable max_count param (default 1000, 50M for count queries)
- _DS_NAME_RE: supports both quoted and unquoted dataSource.name keys in parser files
- Full modern UI redesign: slate palette, gradient cards, ring borders, pill nav, colored stat accents
- Updated 7 tracked parser files synced from SDL

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-22 10:00:21 -04:00

410 lines
12 KiB
Plaintext
Raw Permalink Blame History

{
attributes: {
"dataSource.category": "security",
"dataSource.name": "Netskope",
"dataSource.vendor": "Netskope"
},
formats: [
{
format: ".*${parse=json}{attrWhitelist=(_id|action|activity|device|category|app_name|count|dst_country|dst_region|malware_severity|malware_type|request_id|severity|severity_id|src_country|src_location|src_region|type|_category_id|_category_tags|_correlation_id|_detection_name|_event_id|_nshostname|_resource_name|_service_identifier|account_name|alert_id|alert_name|alert_type|appcategory|breach_date|breach_description|breach_id|breach_score|connection_id|dlp_file|dlp_incident_id|dlp_rule|dlp_rule_count|dst_latitude|dst_longitude|dst_timezone|dst_zipcode|dstip|event_type|file_name|file_size|file_type|hostname|incident_id|instance_id|local_md5|malsite_country|malware_name|matched_username|md5|os|os10|os11|policy|policy_id|protocol|severity_level|severity_level_id|src_latitude|src_longitude|src_time|src_timezone|src_zipcode|srcip|timestamp|transaction_id|true_obj_type|url|user|user_id|userip|userkey|local_sha256)}$"
rewrites: [
{
input: "_category_id",
output: "security_finding.category_uid",
match: ".*",
replace: "$0"
},
{
input: "_category_tags",
output: "security_finding.category_tags",
match: ".*",
replace: "$0"
},
{
input: "_correlation_id",
output: "metadata.correlation_uid",
match: ".*",
replace: "$0"
},
{
input: "_detection_name",
output: "detection.name",
match: ".*",
replace: "$0"
},
{
input: "_event_id",
output: "security_finding.activity_id",
match: ".*",
replace: "$0"
},
{
input: "_id",
output: "security_finding.type_uid",
match: ".*",
replace: "$0"
},
{
input: "_nshostname",
output: "network_endpoint.sender_hostname",
match: ".*",
replace: "$0"
},
{
input: "_resource_name",
output: "resource.name",
match: ".*",
replace: "$0"
},
{
input: "_service_identifier",
output: "service.identifier",
match: ".*",
replace: "$0"
},
{
input: "account_name",
output: "account.name",
match: ".*",
replace: "$0"
},
{
input: "action",
output: "security_finding.action",
match: ".*",
replace: "$0"
},
{
input: "alert_id",
output: "alert.uid",
match: ".*",
replace: "$0"
},
{
input: "alert_name",
output: "alert.name",
match: ".*",
replace: "$0"
},
{
input: "alert_type",
output: "event.type",
match: ".*",
replace: "$0"
},
{
input: "appcategory",
output: "security_finding.app_category",
match: ".*",
replace: "$0"
},
{
input: "breach_date",
output: "breach.date",
match: ".*",
replace: "$0"
},
{
input: "breach_description",
output: "breach.desc",
match: ".*",
replace: "$0"
},
{
input: "breach_id",
output: "breach.uid",
match: ".*",
replace: "$0"
},
{
input: "breach_score",
output: "breach.score",
match: ".*",
replace: "$0"
},
{
input: "category",
output: "security_finding.category_name",
match: ".*",
replace: "$0"
},
{
input: "connection_id",
output: "security_finding.connection_id",
match: ".*",
replace: "$0"
},
{
input: "device",
output: "device.name",
match: ".*",
replace: "$0"
},
{
input: "dlp_file",
output: "dlp.file_name",
match: ".*",
replace: "$0"
},
{
input: "dlp_incident_id",
output: "dlp.incident_id",
match: ".*",
replace: "$0"
},
{
input: "dlp_rule",
output: "dlp.rule",
match: ".*",
replace: "$0"
},
{
input: "dlp_rule_count",
output: "dlp.rule_count",
match: ".*",
replace: "$0"
},
{
input: "dst_latitude",
output: "geo_coordinates.dst_latitude",
match: ".*",
replace: "$0"
},
{
input: "dst_longitude",
output: "geo_coordinates.dst_longitude",
match: ".*",
replace: "$0"
},
{
input: "dst_timezone",
output: "location.dst_timezone",
match: ".*",
replace: "$0"
},
{
input: "dst_zipcode",
output: "location.dst_zipcode",
match: ".*",
replace: "$0"
},
{
input: "dstip",
output: "dst.ip.address",
match: ".*",
replace: "$0"
},
{
input: "event_type",
output: "security_finding.ref_event_name",
match: ".*",
replace: "$0"
},
{
input: "file_name",
output: "file.name",
match: ".*",
replace: "$0"
},
{
input: "file_size",
output: "file.size",
match: ".*",
replace: "$0"
},
{
input: "file_type",
output: "file.type",
match: ".*",
replace: "$0"
},
{
input: "hostname",
output: "device.hostname",
match: ".*",
replace: "$0"
},
{
input: "incident_id",
output: "security_finding.incident_id",
match: ".*",
replace: "$0"
},
{
input: "instance_id",
output: "device.instance_uid",
match: ".*",
replace: "$0"
},
{
input: "local_md5",
output: "file.local_md5",
match: ".*",
replace: "$0"
},
{
input: "malsite_country",
output: "security_finding.malsite_country",
match: ".*",
replace: "$0"
},
{
input: "malware_name",
output: "malware.name",
match: ".*",
replace: "$0"
},
{
input: "matched_username",
output: "security_finding.matched_username",
match: ".*",
replace: "$0"
},
{
input: "md5",
output: "file.md5",
match: ".*",
replace: "$0"
},
{
input: "os",
output: "os.name",
match: ".*",
replace: "$0"
},
{
input: "os10",
output: "device.os10",
match: ".*",
replace: "$0"
},
{
input: "os11",
output: "device.os11",
match: ".*",
replace: "$0"
},
{
input: "policy",
output: "policy.name",
match: ".*",
replace: "$0"
},
{
input: "policy_id ",
output: "policy.uid",
match: ".*",
replace: "$0"
},
{
input: "protocol",
output: "network_connection_info.protocol_name",
match: ".*",
replace: "$0"
},
{
input: "severity_level",
output: "security_finding.severity",
match: ".*",
replace: "$0"
},
{
input: "severity_level_id",
output: "security_finding.severity_level_id",
match: ".*",
replace: "$0"
},
{
input: "src_latitude",
output: "geo_coordinates.src_latitude",
match: ".*",
replace: "$0"
},
{
input: "src_longitude",
output: "geo_coordinates.src_longitude",
match: ".*",
replace: "$0"
},
{
input: "src_time",
output: "security_finding.src_time",
match: ".*",
replace: "$0"
},
{
input: "src_timezone",
output: "location.src_timezone",
match: ".*",
replace: "$0"
},
{
input: "src_zipcode",
output: "location.src_zipcode",
match: ".*",
replace: "$0"
},
{
input: "srcip",
output: "src.ip.address",
match: ".*",
replace: "$0"
},
{
input: "timestamp",
output: "security_finding.time",
match: ".*",
replace: "$0"
},
{
input: "transaction_id",
output: "security_finding.transaction_id",
match: ".*",
replace: "$0"
},
{
input: "true_obj_type",
output: "file.type",
match: ".*",
replace: "$0"
},
{
input: "url",
output: "url.text",
match: ".*",
replace: "$0"
},
{
input: "user",
output: "user.name",
match: ".*",
replace: "$0"
},
{
input: "user_id",
output: "user.uid",
match: ".*",
replace: "$0"
},
{
input: "userip",
output: "user.ip",
match: ".*",
replace: "$0"
},
{
input: "userkey",
output: "user.key",
match: ".*",
replace: "$0"
},
{
input: "local_sha256",
output: "file.local_sha256",
match: ".*",
replace: "$0"
},
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink