marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00


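// SentinelOne AI SIEM Parser: Oracle RDBMS Audit Record
// OCSF Schema Version: 1.1.0
// Maps Oracle Database audit trail to OCSF classes
// Primary Classes: Database Activity (4003), Authentication (3002), Authorization (3003)
//
// NOTE(review): this file carries // comments, so it is JSONC rather than strict JSON;
// confirm that the parser loader strips comments before JSON decoding.
//
// Conventions used in this file:
//   - Every OCSF value is written as a string, including numeric ids (class_uid,
//     activity_id, severity_id). Lookup maps follow the same convention so that a
//     field never changes type from one pattern to the next.
//   - type_uid = class_uid * 100 + activity_id (OCSF), e.g. class 3002 / activity 1
//     -> "300201". Every pattern sets it, either directly or via a lookup.
//   - The SQL_TEXT and PRIV_USED captures are lazy and stop at the next "WORD:" token
//     in the record; a value that itself contains a "word:" sequence (bind variables,
//     time literals) would be truncated — TODO confirm against real audit records.
//   - Each pattern matches on the ACTION_NAME field; records whose ACTION_NAME is not
//     covered by a pattern (see action_mappings) are not classified by this parser.
{
  "parserName": "OracleRDBMS-OCSF",
  "version": "1.0.0",
  "vendor": "Oracle",
  "product": "Oracle Database",
  "format": "kv",
  "delimiter": " ",
  "kvSeparator": ":",
  "patterns": [
    // Logon events -> Authentication (3002) / Logon (1)
    {
      "pattern": "ACTION_NAME:\\s*LOGON",
      "rewrites": [
        {"set": "class_uid", "value": "3002"},
        {"set": "class_name", "value": "Authentication"},
        {"set": "category_uid", "value": "3"},
        {"set": "category_name", "value": "Identity & Access Management"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Logon"},
        {"set": "type_uid", "value": "300201"},
        // Metadata
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "Oracle Database"},
        {"set": "metadata.product.vendor_name", "value": "Oracle"},
        {"regex": "DBID:\\s*(\\d+)", "group": 1, "to": "metadata.product.uid"},
        {"regex": "INSTANCE_NUMBER:\\s*(\\d+)", "group": 1, "to": "metadata.product.feature.uid"},
        // Time — captures "<date> <time> <zone>" as written in the record; the
        // timezone token is part of the capture so downstream parsing must handle it.
        {"regex": "TIMESTAMP:\\s*([\\d-]+\\s[\\d:.]+\\s\\w+)", "group": 1, "to": "time"},
        // User — USERID is the database account being authenticated (user.*),
        // OS_USERNAME is the operating-system identity that initiated it (actor.*).
        {"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "user.name"},
        {"regex": "OS_USERNAME:\\s*(\\S+)", "group": 1, "to": "actor.user.name"},
        // NOTE(review): Oracle CLIENT_ID is an application-supplied client identifier,
        // not a credential; user.credential_uid may be a loose fit — confirm the intent.
        {"regex": "CLIENT_ID:\\s*(\\S+)", "group": 1, "to": "user.credential_uid"},
        // Session
        {"regex": "SESSIONID:\\s*(\\d+)", "group": 1, "to": "session.uid"},
        // Source
        {"regex": "USERHOST:\\s*(\\S+)", "group": 1, "to": "src_endpoint.name"},
        {"regex": "TERMINAL:\\s*(\\S+)", "group": 1, "to": "src_endpoint.interface_name"},
        {"regex": "OS_PROCESS:\\s*(\\d+)", "group": 1, "to": "actor.process.pid"},
        // Auth details
        {"regex": "AUTHENTICATION_TYPE:\\s*(\\S+)", "group": 1, "to": "auth_protocol"},
        {"regex": "PRIV_USED:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "user.privileges"},
        // Status — RETURNCODE 0 is a successful logon; any non-zero code is a failure.
        // Failed logons are the security-relevant signal of this pattern, so the
        // Failure branch must keep firing for every non-zero code. The "if" conditions
        // are assumed to be regex tests against the raw record — TODO confirm.
        {"regex": "RETURNCODE:\\s*(\\d+)", "group": 1, "to": "status_code"},
        {"set": "status_id", "value": "1", "if": "RETURNCODE: 0"},
        {"set": "status", "value": "Success", "if": "RETURNCODE: 0"},
        {"set": "status_id", "value": "2", "if": "RETURNCODE: [^0]"},
        {"set": "status", "value": "Failure", "if": "RETURNCODE: [^0]"},
        // Comment — runs to end of record, unlike the other free-text captures
        {"regex": "COMMENT_TEXT:\\s*(.+?)$", "group": 1, "to": "message"}
      ]
    },
    // SELECT/Query events -> Database Activity (4003) / Query (1)
    {
      "pattern": "ACTION_NAME:\\s*SELECT",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "Database Activity"},
        {"set": "category_uid", "value": "4"},
        {"set": "category_name", "value": "Network Activity"},
        {"set": "activity_id", "value": "1"},
        {"set": "activity_name", "value": "Query"},
        {"set": "type_uid", "value": "400301"},
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "Oracle Database"},
        {"set": "metadata.product.vendor_name", "value": "Oracle"},
        // User — for activity classes the database account is the actor
        {"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "actor.user.name"},
        {"regex": "SESSIONID:\\s*(\\d+)", "group": 1, "to": "actor.session.uid"},
        // Database object
        {"regex": "OBJ_CREATOR:\\s*(\\S+)", "group": 1, "to": "database.schema"},
        {"regex": "OBJ_NAME:\\s*(\\S+)", "group": 1, "to": "database.table"},
        // Query — the raw statement text is copied into the event; treat
        // query_info.query_string as potentially sensitive downstream (literals may
        // carry data values).
        {"regex": "SQL_TEXT:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "query_info.query_string"},
        {"set": "query_info.query_type", "value": "SELECT"},
        // Source
        {"regex": "USERHOST:\\s*(\\S+)", "group": 1, "to": "src_endpoint.name"},
        // Privileges
        {"regex": "PRIV_USED:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "actor.user.privileges"}
      ]
    },
    // INSERT/UPDATE/DELETE events -> Database Activity (4003) / Insert (2), Update (3), Delete (4)
    {
      "pattern": "ACTION_NAME:\\s*(INSERT|UPDATE|DELETE)",
      "rewrites": [
        {"set": "class_uid", "value": "4003"},
        {"set": "class_name", "value": "Database Activity"},
        {"set": "category_uid", "value": "4"},
        {"set": "category_name", "value": "Network Activity"},
        // Lookup values are strings to match the "set" values used elsewhere
        {"lookup": "ACTION_NAME", "map": {"INSERT": "2", "UPDATE": "3", "DELETE": "4"}, "to": "activity_id"},
        {"lookup": "ACTION_NAME", "map": {"INSERT": "Insert", "UPDATE": "Update", "DELETE": "Delete"}, "to": "activity_name"},
        // type_uid = 4003 * 100 + activity_id
        {"lookup": "ACTION_NAME", "map": {"INSERT": "400302", "UPDATE": "400303", "DELETE": "400304"}, "to": "type_uid"},
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "Oracle Database"},
        {"set": "metadata.product.vendor_name", "value": "Oracle"},
        // User
        {"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "actor.user.name"},
        {"regex": "SESSIONID:\\s*(\\d+)", "group": 1, "to": "actor.session.uid"},
        // Database object
        {"regex": "OBJ_CREATOR:\\s*(\\S+)", "group": 1, "to": "database.schema"},
        {"regex": "OBJ_NAME:\\s*(\\S+)", "group": 1, "to": "database.table"},
        // Query — see the SELECT pattern: raw statement text, potentially sensitive
        {"regex": "SQL_TEXT:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "query_info.query_string"},
        // Source
        {"regex": "USERHOST:\\s*(\\S+)", "group": 1, "to": "src_endpoint.name"},
        // Severity for data modification (OCSF severity_id 2 = Low)
        {"set": "severity_id", "value": "2"},
        {"set": "severity", "value": "Low"}
      ]
    },
    // GRANT/REVOKE events -> Authorization (3003) / Grant (1), Revoke (2)
    {
      "pattern": "ACTION_NAME:\\s*(GRANT|REVOKE)",
      "rewrites": [
        {"set": "class_uid", "value": "3003"},
        {"set": "class_name", "value": "Authorization"},
        {"set": "category_uid", "value": "3"},
        {"set": "category_name", "value": "Identity & Access Management"},
        // Lookup values are strings to match the "set" values used elsewhere
        {"lookup": "ACTION_NAME", "map": {"GRANT": "1", "REVOKE": "2"}, "to": "activity_id"},
        {"lookup": "ACTION_NAME", "map": {"GRANT": "Grant", "REVOKE": "Revoke"}, "to": "activity_name"},
        // type_uid = 3003 * 100 + activity_id
        {"lookup": "ACTION_NAME", "map": {"GRANT": "300301", "REVOKE": "300302"}, "to": "type_uid"},
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "Oracle Database"},
        {"set": "metadata.product.vendor_name", "value": "Oracle"},
        // Actor (who granted)
        {"regex": "USERID:\\s*(\\S+)", "group": 1, "to": "actor.user.name"},
        // Target (who received)
        {"regex": "GRANTEE:\\s*(\\S+)", "group": 1, "to": "user.name"},
        // Privilege/Role — OBJ_NAME holds the granted privilege or role name here;
        // the full statement is kept in message for review of the exact grant
        {"regex": "OBJ_NAME:\\s*(\\S+)", "group": 1, "to": "privileges"},
        {"regex": "SQL_TEXT:\\s*(.+?)(?=\\s+\\w+:|$)", "group": 1, "to": "message"},
        // Severity for privilege changes (OCSF severity_id 4 = High)
        {"set": "severity_id", "value": "4"},
        {"set": "severity", "value": "High"}
      ]
    }
  ],
  // Reference table: Oracle audit ACTION code -> action name and the OCSF class /
  // activity it corresponds to. No pattern above reads this table; it documents the
  // intended mapping. Only LOGON, SELECT, INSERT/UPDATE/DELETE and GRANT/REVOKE have
  // a matching pattern — LOGOFF (101), CREATE TABLE (1) and DROP TABLE (12) are listed
  // here but receive no class_uid from any pattern on this page. TODO: add patterns if
  // those records must be classified (DROP TABLE in particular is a destructive action
  // that detection content would usually want to see).
  "action_mappings": {
    "100": {"name": "LOGON", "class": "Authentication", "activity": "Logon"},
    "101": {"name": "LOGOFF", "class": "Authentication", "activity": "Logoff"},
    "103": {"name": "SELECT", "class": "Database Activity", "activity": "Query"},
    "2": {"name": "INSERT", "class": "Database Activity", "activity": "Insert"},
    "6": {"name": "UPDATE", "class": "Database Activity", "activity": "Update"},
    "7": {"name": "DELETE", "class": "Database Activity", "activity": "Delete"},
    "108": {"name": "GRANT", "class": "Authorization", "activity": "Grant"},
    "109": {"name": "REVOKE", "class": "Authorization", "activity": "Revoke"},
    "1": {"name": "CREATE TABLE", "class": "Database Activity", "activity": "Create"},
    "12": {"name": "DROP TABLE", "class": "Database Activity", "activity": "Delete"}
  }
}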