Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-08 12:33:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
marcredhat-siem-toolkit-pat…/parsers/ocsf-security-overview-v2
T
marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier 
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00

221 lines
5.7 KiB
Plaintext
Raw Permalink Blame History

{
"duration": "24h",
"description": "Cross-source security posture from OCSF-normalized events",
"parameters": [
{
"name": "source",
"values": [
{
"label": "All Sources",
"value": "*"
},
{
"label": "Linux",
"value": "linux-ocsf"
},
{
"label": "FortiGate",
"value": "fortigate-ocsf"
},
{
"label": "CheckPoint",
"value": "checkpoint-ocsf"
},
{
"label": "Palo Alto",
"value": "paloalto-ocsf"
},
{
"label": "Windows",
"value": "windows-ocsf"
}
],
"defaultValue": "*"
}
],
"graphs": [
{
"title": "Dashboard Overview",
"graphStyle": "markdown",
"markdown": "## OCSF Security Overview\\n\\nCross-source security posture from **OCSF v1.3.0** normalized events.\\n\\n| Metric | Description |\\n|--------|-------------|\\n| **Sources** | All serverHost containing 'ocsf' |\\n| **Time Range** | Last 24 hours |\\n| **Refresh** | Auto (5 min) |\\n\\nUse the **source** dropdown above to filter by specific data source.",
"layout": {
"w": 60,
"h": 8,
"x": 0,
"y": 0
}
},
{
"title": "Event Count by OCSF Source",
"graphStyle": "donut",
"maxPieSlices": 12,
"dataLabelType": "PERCENTAGE",
"query": "serverHost contains 'ocsf' | group count() by serverHost | sort -count | limit 12",
"layout": {
"w": 20,
"h": 14,
"x": 0,
"y": 8
}
},
{
"title": "Event Volume Over Time (24h)",
"graphStyle": "stacked_bar",
"xAxis": "time",
"query": "serverHost contains 'ocsf' | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp",
"layout": {
"w": 40,
"h": 14,
"x": 20,
"y": 8
}
},
{
"title": "Unique Source IPs",
"graphStyle": "number",
"query": "src_ip = * serverHost contains 'ocsf' | group estimate_distinct(src_ip) | limit 1",
"layout": {
"w": 12,
"h": 7,
"x": 0,
"y": 22
},
"options": {
"format": "auto",
"precision": "0",
"suffix": " IPs"
}
},
{
"title": "Unique Users",
"graphStyle": "number",
"query": "user_name = * serverHost contains 'ocsf' | group estimate_distinct(user_name) | limit 1",
"layout": {
"w": 12,
"h": 7,
"x": 12,
"y": 22
},
"options": {
"format": "auto",
"precision": "0",
"suffix": " users"
}
},
{
"title": "Unique Destinations",
"graphStyle": "number",
"query": "dst_ip = * serverHost contains 'ocsf' | group estimate_distinct(dst_ip) | limit 1",
"layout": {
"w": 12,
"h": 7,
"x": 24,
"y": 22
},
"options": {
"format": "auto",
"precision": "0",
"suffix": " IPs"
}
},
{
"title": "Total Events",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' | group count() | limit 1",
"layout": {
"w": 12,
"h": 7,
"x": 36,
"y": 22
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "Auth Failure Events (24h)",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (message contains 'Failed password' or message contains 'authentication failure' or status = 'failure') | group count() | limit 1",
"layout": {
"w": 12,
"h": 7,
"x": 48,
"y": 22
},
"options": {
"format": "auto",
"precision": "0",
"suffix": " failures"
}
},
{
"title": "Top Source IPs (24h)",
"graphStyle": "table",
"query": "src_ip = * serverHost contains 'ocsf' | group hits=count() by src_ip | sort -hits | limit 15",
"layout": {
"w": 20,
"h": 14,
"x": 0,
"y": 29
}
},
{
"title": "Top Active Users (24h)",
"graphStyle": "table",
"query": "user_name = * serverHost contains 'ocsf' | group hits=count() by user_name | sort -hits | limit 15",
"layout": {
"w": 20,
"h": 14,
"x": 20,
"y": 29
}
},
{
"title": "External Connections (non-RFC1918)",
"graphStyle": "table",
"query": "dst_ip = * serverHost contains 'ocsf' | let is_external = not net_rfc1918(dst_ip) | filter is_external = true | group hits=count() by dst_ip | sort -hits | limit 15",
"layout": {
"w": 20,
"h": 14,
"x": 40,
"y": 29
}
},
{
"title": "Events by Severity",
"graphStyle": "donut",
"maxPieSlices": 5,
"query": "severity_id = * serverHost contains 'ocsf' | group count() by severity_id | sort -count | limit 5",
"layout": {
"w": 15,
"h": 12,
"x": 0,
"y": 43
}
},
{
"title": "Events by Action",
"graphStyle": "donut",
"maxPieSlices": 6,
"query": "action = * serverHost contains 'ocsf' | group count() by action | sort -count | limit 6",
"layout": {
"w": 15,
"h": 12,
"x": 15,
"y": 43
}
},
{
"title": "Firewall Blocks (24h)",
"graphStyle": "table",
"query": "serverHost contains 'ocsf' (action = 'deny' or action = 'block' or action = 'drop') | group hits=count() by serverHost, src_ip, dst_ip | sort -hits | limit 20",
"layout": {
"w": 30,
"h": 12,
"x": 30,
"y": 43
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink