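// SentinelOne AI SIEM Parser: SAP HANA Database
// OCSF Schema Version: 1.1.0
// Maps SAP HANA audit JSON logs to OCSF classes
// Primary Classes: Database Activity (4003), Authentication (3002), Authorization (3003)
//
// Review notes (not verified against a live HANA feed — confirm before relying on them):
//  - Pattern order matters if the engine stops at the first matching pattern. The more
//    specific "failed CONNECT" rule is therefore listed BEFORE the generic CONNECT rule, so
//    a failed logon can never be swallowed by the success rule. If the engine applies every
//    matching pattern instead, the order is harmless.
//  - Regexes that test two keys ("audit_action" and "error_code") accept either key order;
//    JSON key order is not guaranteed by HANA or by anything that re-serialises the event.
//  - status/status_id are derived from $.error_code in every rule (null or 0 = Success,
//    non-zero = Failure) instead of being hard-coded to Success, so a denied GRANT or a
//    failed DELETE is not reported as successful. An event that omits error_code entirely
//    gets no status at all — confirm whether HANA always emits the key.
//  - NOTE(review): in OCSF 1.1.0 class_uid 4003 is DNS Activity and 3003 is Authorize
//    Session; "Database Activity" is not an OCSF class name. Consumers that key on class_uid
//    will mis-type these events. The 1.1.0 datastore class is Datastore Activity (6005,
//    category 6). Left unchanged here so existing queries keep working; remap once the
//    target schema is confirmed.
//  - NOTE(review): $.statement / $.executed_statement are copied verbatim. CREATE USER and
//    ALTER USER ... PASSWORD statements can carry credentials in clear text; confirm HANA
//    masks them in the audit trail before these fields are shipped to the SIEM.
//  - NOTE(review): $.thread_id is mapped to metadata.uid, but a thread id is reused across
//    events and is not a unique event identifier — verify what the SIEM expects there.
//  - NOTE(review): $.audit_level (HANA: INFO/WARNING/ALERT/CRITICAL/...) is copied into the
//    OCSF "severity" string without translation; severity_id is not derived from it.

{
  "parserName": "HANADatabase-OCSF",
  // Bumped: pattern order, status derivation and the REVOKE/DDL rules changed behaviour.
  "version": "1.0.1",
  "vendor": "SAP",
  "product": "HANA Database",
  "format": "json",

  "patterns": [
    // Failed connection (deliberately placed before the generic CONNECT rule — see header).
    // Either key order is accepted. Non-zero error_code = failed logon.
    {
      "pattern": "\"audit_action\":\\s*\"CONNECT\".*\"error_code\":\\s*[1-9]|\"error_code\":\\s*[1-9].*\"audit_action\":\\s*\"CONNECT\"",
      "rewrites": [
        {"set": "class_uid", "value": "3002"},
        {"set": "class_name", "value": "Authentication"},
        {"set": "category_uid", "value": "3"},
        {"set": "category_name", "value": "Identity & Access Management"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Logon"},
        {"set": "type_uid", "value": "300201"},
        {"set": "status_id", "value": "2"},
        {"set": "status", "value": "Failure"},

        // Metadata (same fields as the successful-logon rule, so both event shapes align)
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},
        {"jsonPath": "$.host", "to": "device.hostname"},
        {"jsonPath": "$.component", "to": "metadata.product.feature.name"},
        {"jsonPath": "$.source_file", "to": "metadata.log_name"},
        {"jsonPath": "$.source_line", "to": "metadata.log_line"},

        // Time
        {"jsonPath": "$.timestamp", "to": "time"},

        // User / application
        {"jsonPath": "$.user_name", "to": "user.name"},
        {"jsonPath": "$.application_user", "to": "actor.user.name"},
        {"jsonPath": "$.application_name", "to": "app_name"},

        // Session
        {"jsonPath": "$.connection_id", "to": "session.uid"},

        // Source endpoint — ip AND port: brute-force / password-spray detections pivot on these
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        {"jsonPath": "$.client_port", "to": "src_endpoint.port"},

        // Audit policy that produced the record
        {"jsonPath": "$.audit_policy_name", "to": "policy.name"},

        // Failure details
        {"jsonPath": "$.error_code", "to": "status_code"},
        {"jsonPath": "$.error_message", "to": "status_detail"},

        // Severity
        {"set": "severity_id", "value": "3"},
        {"set": "severity", "value": "Medium"}
      ]
    },

    // Connection events (CONNECT) — successful logons
    {
      "pattern": "\"audit_action\":\\s*\"CONNECT\"",
      "rewrites": [
        {"set": "class_uid", "value": "3002"},
        {"set": "class_name", "value": "Authentication"},
        {"set": "category_uid", "value": "3"},
        {"set": "category_name", "value": "Identity & Access Management"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Logon"},
        {"set": "type_uid", "value": "300201"},

        // Metadata
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},
        {"jsonPath": "$.host", "to": "device.hostname"},
        {"jsonPath": "$.component", "to": "metadata.product.feature.name"},
        {"jsonPath": "$.source_file", "to": "metadata.log_name"},
        {"jsonPath": "$.source_line", "to": "metadata.log_line"},
        {"jsonPath": "$.thread_id", "to": "metadata.uid"},

        // Time
        {"jsonPath": "$.timestamp", "to": "time"},

        // User
        {"jsonPath": "$.user_name", "to": "user.name"},
        {"jsonPath": "$.application_user", "to": "actor.user.name"},
        {"jsonPath": "$.application_name", "to": "app_name"},

        // Session
        {"jsonPath": "$.connection_id", "to": "session.uid"},

        // Source endpoint
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        {"jsonPath": "$.client_port", "to": "src_endpoint.port"},

        // Audit policy
        {"jsonPath": "$.audit_policy_name", "to": "policy.name"},
        {"jsonPath": "$.audit_level", "to": "severity"},

        // Comment
        {"jsonPath": "$.comment", "to": "message"},

        // Status — only asserted when error_code is explicitly null or 0.
        // A record without an error_code key gets no status (see header note).
        {"set": "status_id", "value": "1", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status", "value": "Success", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"}
      ]
    },

    // Disconnect
    {
      "pattern": "\"audit_action\":\\s*\"DISCONNECT\"",
      "rewrites": [
        {"set": "class_uid", "value": "3002"},
        {"set": "class_name", "value": "Authentication"},
        {"set": "category_uid", "value": "3"},
        {"set": "category_name", "value": "Identity & Access Management"},
        {"set": "activity_id", "value": "2"},
        {"set": "activity_name", "value": "Logoff"},
        {"set": "type_uid", "value": "300202"},

        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},
        {"jsonPath": "$.host", "to": "device.hostname"},

        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "user.name"},
        {"jsonPath": "$.connection_id", "to": "session.uid"},
        {"jsonPath": "$.session_duration_seconds", "to": "session.duration"},
        // Source ip lets logoff be joined to its logon by (ip, session.uid)
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},

        {"set": "status_id", "value": "1"},
        {"set": "status", "value": "Success"}
      ]
    },

    // SELECT queries
    {
      "pattern": "\"audit_action\":\\s*\"SELECT\"",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "Database Activity"},
        {"set": "category_uid", "value": "4"},
        {"set": "category_name", "value": "Network Activity"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Query"},
        {"set": "type_uid", "value": "400301"},

        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},

        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "actor.user.name"},
        {"jsonPath": "$.connection_id", "to": "actor.session.uid"},
        {"jsonPath": "$.transaction_id", "to": "transaction.uid"},
        {"jsonPath": "$.statement_id", "to": "query_info.uid"},

        // Query details
        {"jsonPath": "$.statement", "to": "query_info.query_string"},
        {"jsonPath": "$.executed_statement", "to": "query_info.executed_query"},
        {"set": "query_info.query_type", "value": "SELECT"},

        // Performance
        {"jsonPath": "$.rows_affected", "to": "query_info.rows_affected"},
        {"jsonPath": "$.execution_time_ms", "to": "query_info.duration"},

        // Source
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        {"jsonPath": "$.application_name", "to": "app_name"},

        // Status — derived from error_code; a rejected query is a Failure, not a Success
        {"set": "status_id", "value": "1", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status", "value": "Success", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status_id", "value": "2", "if": "\"error_code\":\\s*[1-9]"},
        {"set": "status", "value": "Failure", "if": "\"error_code\":\\s*[1-9]"},
        {"jsonPath": "$.error_code", "to": "status_code"},
        {"jsonPath": "$.error_message", "to": "status_detail"}
      ]
    },

    // Data modification (INSERT/UPDATE/DELETE)
    {
      "pattern": "\"audit_action\":\\s*\"(INSERT|UPDATE|DELETE)\"",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "Database Activity"},
        {"set": "category_uid", "value": "4"},
        {"set": "category_name", "value": "Network Activity"},

        {"jsonPath": "$.audit_action", "to": "activity_name"},
        {"lookup": "activity_name", "map": {"INSERT": 2, "UPDATE": 3, "DELETE": 4}, "to": "activity_id"},

        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},

        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "actor.user.name"},
        {"jsonPath": "$.connection_id", "to": "actor.session.uid"},
        {"jsonPath": "$.transaction_id", "to": "transaction.uid"},

        // Query
        {"jsonPath": "$.statement", "to": "query_info.query_string"},
        {"jsonPath": "$.executed_statement", "to": "query_info.executed_query"},
        {"jsonPath": "$.rows_affected", "to": "query_info.rows_affected"},
        {"jsonPath": "$.execution_time_ms", "to": "query_info.duration"},

        // Source
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        {"jsonPath": "$.application_name", "to": "app_name"},

        // Severity for data modification
        {"set": "severity_id", "value": "2"},
        {"set": "severity", "value": "Low"},

        // Status — derived from error_code (a DELETE that was denied must not read as Success)
        {"set": "status_id", "value": "1", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status", "value": "Success", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status_id", "value": "2", "if": "\"error_code\":\\s*[1-9]"},
        {"set": "status", "value": "Failure", "if": "\"error_code\":\\s*[1-9]"},
        {"jsonPath": "$.error_code", "to": "status_code"},
        {"jsonPath": "$.error_message", "to": "status_detail"}
      ]
    },

    // DDL (CREATE/ALTER/DROP). These actions were listed in audit_action_mappings but had
    // no pattern, so DROP TABLE / ALTER USER records were never classified.
    {
      "pattern": "\"audit_action\":\\s*\"(CREATE|ALTER|DROP)\"",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "Database Activity"},
        {"set": "category_uid", "value": "4"},
        {"set": "category_name", "value": "Network Activity"},

        {"jsonPath": "$.audit_action", "to": "activity_name"},
        // ALTER/DROP reuse the Update/Delete ids of the data-modification rule, matching the
        // equivalence audit_action_mappings already declares. CREATE has no activity id in
        // this file; it is left unmapped rather than guessed — TODO confirm against schema.
        {"lookup": "activity_name", "map": {"ALTER": 3, "DROP": 4}, "to": "activity_id"},

        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},

        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "actor.user.name"},
        {"jsonPath": "$.connection_id", "to": "actor.session.uid"},
        {"jsonPath": "$.transaction_id", "to": "transaction.uid"},

        // Statement (see header note about credentials in CREATE/ALTER USER)
        {"jsonPath": "$.statement", "to": "query_info.query_string"},
        {"jsonPath": "$.executed_statement", "to": "query_info.executed_query"},

        // Source
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        {"jsonPath": "$.application_name", "to": "app_name"},

        // Schema/user changes are rarer and more consequential than DML
        {"set": "severity_id", "value": "3"},
        {"set": "severity", "value": "Medium"},

        // Status — derived from error_code
        {"set": "status_id", "value": "1", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status", "value": "Success", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status_id", "value": "2", "if": "\"error_code\":\\s*[1-9]"},
        {"set": "status", "value": "Failure", "if": "\"error_code\":\\s*[1-9]"},
        {"jsonPath": "$.error_code", "to": "status_code"},
        {"jsonPath": "$.error_message", "to": "status_detail"}
      ]
    },

    // GRANT (privilege grants)
    {
      "pattern": "\"audit_action\":\\s*\"GRANT\"",
      "rewrites": [
        {"set": "class_uid", "value": "3003"},
        {"set": "class_name", "value": "Authorization"},
        {"set": "category_uid", "value": "3"},
        {"set": "category_name", "value": "Identity & Access Management"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Grant"},
        {"set": "type_uid", "value": "300301"},

        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},

        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "actor.user.name"},
        {"jsonPath": "$.connection_id", "to": "actor.session.uid"},

        // Privilege details.
        // NOTE(review): OCSF "privileges" is a list of privilege names; here it receives the
        // whole executed statement as one string. Confirm the SIEM tolerates that shape.
        {"jsonPath": "$.statement", "to": "message"},
        {"jsonPath": "$.executed_statement", "to": "privileges"},

        // Source
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        {"jsonPath": "$.application_name", "to": "app_name"},

        // Severity for privilege grants
        {"set": "severity_id", "value": "4"},
        {"set": "severity", "value": "High"},

        // Status — a denied GRANT (privilege-escalation attempt) must be reported as Failure
        {"set": "status_id", "value": "1", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status", "value": "Success", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status_id", "value": "2", "if": "\"error_code\":\\s*[1-9]"},
        {"set": "status", "value": "Failure", "if": "\"error_code\":\\s*[1-9]"},
        {"jsonPath": "$.error_code", "to": "status_code"},
        {"jsonPath": "$.error_message", "to": "status_detail"}
      ]
    },

    // REVOKE (privilege revocations). Previously only GRANT had a rule, so revocations —
    // e.g. an attacker stripping audit/monitoring roles — were never classified.
    {
      "pattern": "\"audit_action\":\\s*\"REVOKE\"",
      "rewrites": [
        {"set": "class_uid", "value": "3003"},
        {"set": "class_name", "value": "Authorization"},
        {"set": "category_uid", "value": "3"},
        {"set": "category_name", "value": "Identity & Access Management"},
        {"set": "activity_id", "value": "2"},
        {"set": "activity_name", "value": "Revoke"},
        {"set": "type_uid", "value": "300302"},

        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},

        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "actor.user.name"},
        {"jsonPath": "$.connection_id", "to": "actor.session.uid"},

        // Privilege details (same shape as the GRANT rule)
        {"jsonPath": "$.statement", "to": "message"},
        {"jsonPath": "$.executed_statement", "to": "privileges"},

        // Source
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},
        {"jsonPath": "$.application_name", "to": "app_name"},

        // Severity — same as grants
        {"set": "severity_id", "value": "4"},
        {"set": "severity", "value": "High"},

        // Status — derived from error_code
        {"set": "status_id", "value": "1", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status", "value": "Success", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status_id", "value": "2", "if": "\"error_code\":\\s*[1-9]"},
        {"set": "status", "value": "Failure", "if": "\"error_code\":\\s*[1-9]"},
        {"jsonPath": "$.error_code", "to": "status_code"},
        {"jsonPath": "$.error_message", "to": "status_detail"}
      ]
    },

    // Backup operations
    {
      "pattern": "\"audit_action\":\\s*\"BACKUP DATA\"",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "Database Activity"},
        {"set": "category_uid", "value": "4"},
        {"set": "category_name", "value": "Network Activity"},
        {"set": "activity_id", "value": "5"},
        {"set": "activity_name", "value": "Backup"},
        {"set": "type_uid", "value": "400305"},

        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},

        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "actor.user.name"},
        {"jsonPath": "$.application_user", "to": "actor.user.account.name"},
        {"jsonPath": "$.application_name", "to": "app_name"},

        // Backup details
        {"jsonPath": "$.statement", "to": "message"},
        {"jsonPath": "$.backup_id", "to": "backup.uid"},
        {"jsonPath": "$.backup_size_mb", "to": "backup.size"},

        // Source
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},

        // Status — a failed backup is a Failure (ransomware-readiness checks depend on this)
        {"set": "status_id", "value": "1", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status", "value": "Success", "if": "\"error_code\":\\s*null|\"error_code\":\\s*0"},
        {"set": "status_id", "value": "2", "if": "\"error_code\":\\s*[1-9]"},
        {"set": "status", "value": "Failure", "if": "\"error_code\":\\s*[1-9]"},
        {"jsonPath": "$.error_code", "to": "status_code"},
        {"jsonPath": "$.error_message", "to": "status_detail"}
      ]
    },

    // Critical audit level events.
    // NOTE(review): this rule overlaps every rule above (a CRITICAL CONNECT matches both).
    // If the engine stops at the first match it only ever catches actions with no rule of
    // their own; if it applies all matches it overwrites class_uid/category of the earlier
    // rule with 2001/2 — confirm which, and consider keying this on an action list instead.
    {
      "pattern": "\"audit_level\":\\s*\"CRITICAL\"",
      "rewrites": [
        {"set": "class_uid", "value": "2001"},
        {"set": "class_name", "value": "Security Finding"},
        {"set": "category_uid", "value": "2"},
        {"set": "category_name", "value": "Findings"},
        {"set": "finding_info.types", "value": ["Database Security Event"]},

        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "SAP HANA"},
        {"set": "metadata.product.vendor_name", "value": "SAP"},

        {"jsonPath": "$.timestamp", "to": "time"},
        {"jsonPath": "$.user_name", "to": "actor.user.name"},
        {"jsonPath": "$.audit_action", "to": "finding_info.title"},
        {"jsonPath": "$.comment", "to": "finding_info.desc"},
        {"jsonPath": "$.statement", "to": "finding_info.data_sources"},

        // Source
        {"jsonPath": "$.client_ip", "to": "src_endpoint.ip"},

        // Severity
        {"set": "severity_id", "value": "5"},
        {"set": "severity", "value": "Critical"}
      ]
    }
  ],

  // Reference table of HANA audit actions to OCSF class/activity. Nothing in this file
  // reads it; keep it in step with the "patterns" above (every action listed here now has
  // a rule, except RESTORE — TODO add a RESTORE rule once its activity id is confirmed).
  "audit_action_mappings": {
    "CONNECT": {"class": "Authentication", "activity": "Logon"},
    "DISCONNECT": {"class": "Authentication", "activity": "Logoff"},
    "SELECT": {"class": "Database Activity", "activity": "Query"},
    "INSERT": {"class": "Database Activity", "activity": "Insert"},
    "UPDATE": {"class": "Database Activity", "activity": "Update"},
    "DELETE": {"class": "Database Activity", "activity": "Delete"},
    "CREATE": {"class": "Database Activity", "activity": "Create"},
    "DROP": {"class": "Database Activity", "activity": "Delete"},
    "ALTER": {"class": "Database Activity", "activity": "Update"},
    "GRANT": {"class": "Authorization", "activity": "Grant"},
    "REVOKE": {"class": "Authorization", "activity": "Revoke"},
    "BACKUP DATA": {"class": "Database Activity", "activity": "Backup"},
    "RESTORE": {"class": "Database Activity", "activity": "Restore"}
  }
}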
|