marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00


// SentinelOne AI SIEM Parser: SIM Generic Log DSM
// OCSF Schema Version: 1.1.0
// Maps generic syslog-style logs to OCSF classes
// Classes set in this file: 6001 (pattern 1), then 3002, 1001, 2001, 5001, 1006 (patterns 2-6
// override class_uid/class_name when their keyword matches)
//
// This file carries // comments, so it must be read by a comment-tolerant (JSONC-style) loader;
// a strict RFC 8259 parser rejects it.
//
// NOTE(review): several class_uid/class_name pairs below do not agree with the OCSF 1.1.0 schema
// as published (1001 is File System Activity, 1006 Scheduled Job Activity, 5001 Device Inventory
// Info, 6001 Web Resources Activity; "Application Activity" is category 6, not a class; 2001
// Security Finding is deprecated from 1.1.0 in favour of Detection Finding 2004). Anything keyed
// on class_uid downstream (detections, dashboards, the regression verifier) sees the numbers,
// not the names -- confirm the intended pairs against the schema.
//
// Rewrite semantics (whether every matching pattern applies in order or only the first, whether
// the patterns and the "if" substring tests are case-sensitive, and what an unmatched lookup
// does) live in the parser engine, not in this file. The notes below assume patterns apply in
// order with the last write winning -- confirm against the engine before relying on them.
{
"parserName": "SIMGeneric-OCSF",
"version": "1.0.0",
"vendor": "Generic",
"product": "SIM Generic Log",
"format": "syslog",
"patterns": [
// Pattern 1 -- anchored, whole-line match for a BSD syslog line:
//   <MMM d HH:mm:ss> <host> <app>[<pid>]: <WORD> <message...>
// Groups: 1 timestamp, 2 host, 3 app, 4 pid, 5 first word after "]:", 6 rest of the line.
// Sets the baseline class/category/metadata that the keyword patterns below override.
{
"pattern": "^(\\w+\\s+\\d+\\s+[\\d:]+)\\s+(\\S+)\\s+(\\S+)\\[(\\d+)\\]:\\s+(\\w+)\\s+(.*)$",
"rewrites": [
// Numeric OCSF ids are written as strings here ("6001", "6", and "4" in pattern 4) while the
// severity lookup further down yields integers -- the engine presumably coerces; confirm, or
// expect severity_id to be sometimes an int and sometimes a string in the output.
{"set": "class_uid", "value": "6001"},
{"set": "class_name", "value": "Application Activity"},
{"set": "category_uid", "value": "6"},
{"set": "category_name", "value": "Application Activity"},
// Metadata -- product/vendor are fixed placeholders, not derived from the log line
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "Generic Application"},
{"set": "metadata.product.vendor_name", "value": "Unknown"},
{"group": 2, "to": "device.hostname"},
{"group": 3, "to": "app_name"},
{"group": 4, "to": "actor.process.pid"},
// Time -- BSD syslog timestamps carry neither year nor zone; see the syslogTimestamp transform
// at the bottom of the file for how both are filled in
{"group": 1, "to": "time", "transform": "syslogTimestamp"},
// Severity from log level -- group 5 is simply the first \w+ after "]:", so a line that does not
// start with a level word ("Accepted password for ...") puts that word into severity, and
// severity_id is then whatever the lookup does with an unknown key (presumably unset -- confirm).
// Map keys are upper-case as written; lower-case levels match only if the lookup is
// case-insensitive. DEBUG/TRACE map to 0, which OCSF defines as "Unknown", not as a low
// severity (1 is Informational, 2 Low) -- confirm that is intended.
{"group": 5, "to": "severity"},
{"lookup": "severity", "map": {
"CRITICAL": 5, "FATAL": 6, "ERROR": 4, "WARNING": 3, "WARN": 3,
"INFO": 1, "DEBUG": 0, "TRACE": 0
}, "to": "severity_id"},
// Message
{"group": 6, "to": "message"},
// Extract key=value pairs from message -- everything not explicitly mapped lands verbatim in
// "unmapped". The group is referenced as "$6" here but as "group": N everywhere else.
{"kvExtract": "$6", "to": "unmapped"}
]
},
// Pattern 2 -- Authentication. Unanchored substring match: "auth" also hits "author",
// "authorization" and any word containing it. Overrides class_uid/class_name only, so an event
// that also matched pattern 1 keeps category 6 "Application Activity" while OCSF places
// Authentication in category 3 (IAM). Patterns 3, 5 and 6 have the same gap; pattern 4 is the
// only override that sets its category.
{
"pattern": "(login|logon|auth|authentication)",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
// Extract user -- no boundary before "user", so "target_user=" or "src_user=" also match
{"regex": "user[=:]\\s*(\\S+)", "group": 1, "to": "user.name"},
// Extract source IP -- the bare "ip" alternative also matches the tail of "dst_ip=", so when no
// src_ip/from key is present the destination address can land in src_endpoint.ip; a leading \b
// would pin it. [\d.]+ is IPv4-only and accepts malformed dotted strings; IPv6 sources are lost.
{"regex": "(?:src_ip|ip|from)[=:]\\s*([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
// Extract session -- "[_id]*" is a character class (any run of _, i, d), not an optional "_id"
// suffix; "(?:_id)?" is presumably what was meant (same construct at size[_bytes]* below)
{"regex": "session[_id]*[=:]\\s*(\\S+)", "group": 1, "to": "session.uid"},
// Determine success/failure -- activity is always Logon (1), there is no Logoff branch. The two
// "if" conditions are independent substring tests, so a line containing both a success and a
// failure word satisfies both and whichever assignment the engine applies last wins.
// OCSF status_id: 1 Success, 2 Failure.
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "status_id", "value": "1", "if": "success|successful|accepted"},
{"set": "status", "value": "Success", "if": "success|successful|accepted"},
{"set": "status_id", "value": "2", "if": "fail|failed|denied|invalid"},
{"set": "status", "value": "Failure", "if": "fail|failed|denied|invalid"}
]
},
// Pattern 3 -- File operations. "file" matches any line mentioning a file (or "profile"), so this
// reclassifies far more than transfers. NOTE(review): Upload/Download are not activity names of
// class 1001 in OCSF 1.1.0 (File System Activity enumerates Create/Read/Update/Delete/...);
// they look like File Hosting Activity (6006) values -- confirm the intended class.
{
"pattern": "(file|upload|download)",
"rewrites": [
{"set": "class_uid", "value": "1001"},
{"set": "class_name", "value": "File Activity"},
// Extract filename
{"regex": "filename[=:]\\s*(\\S+)", "group": 1, "to": "file.name"},
// Extract size -- "[_bytes]*" is a character class, see the session note above; "(?:_bytes)?"
{"regex": "size[_bytes]*[=:]\\s*(\\d+)", "group": 1, "to": "file.size"},
// Extract user -- written to actor.user.name here but to user.name in the authentication
// pattern, so a line matching both carries the user in two places
{"regex": "user[=:]\\s*(\\S+)", "group": 1, "to": "actor.user.name"},
// Extract destination -- file.path is the file's own path in OCSF; if "destination" is the
// transfer target it probably belongs on a dst_endpoint/target attribute -- confirm intent
{"regex": "destination[=:]\\s*(\\S+)", "group": 1, "to": "file.path"},
// Activity -- the "if" tests are substrings of the whole line; a file line with neither word
// gets no activity_id from this pattern
{"set": "activity_id", "value": "2", "if": "upload"},
{"set": "activity_name", "value": "Upload", "if": "upload"},
{"set": "activity_id", "value": "3", "if": "download"},
{"set": "activity_name", "value": "Download", "if": "download"}
]
},
// Pattern 4 -- Security alerts. Keyword match on the whole line ("alert" also hits "alerted",
// "threat" hits "threatened"). The only override that also sets category.
{
"pattern": "(security|alert|attack|injection|malware|threat)",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
// Extract source IP -- same boundary and IPv4-only caveats as the authentication pattern
{"regex": "(?:src_ip|ip)[=:]\\s*([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
// Extract target -- NOTE(review): finding_info.src_url is the URL of the finding's source in
// OCSF (where the finding was raised), not the attacked URL; confirm the mapping
{"regex": "(?:target_url|url)[=:]\\s*(\\S+)", "group": 1, "to": "finding_info.src_url"},
// Extract payload -- NOTE(review): finding_info.data_sources is a string array naming the
// sources of the finding in OCSF, not a container for raw payload. The captured text is
// untrusted log content and will be shown in finding views and handed to anything that reads
// data_sources; "unmapped" or a dedicated evidence attribute is the safer home. Only
// double-quoted payloads are captured.
{"regex": "payload[=:]\\s*\"([^\"]+)\"", "group": 1, "to": "finding_info.data_sources"},
// Severity -- fixed High (4) for every line matching the keyword list, regardless of the
// source's own level word, which this overwrites when pattern 1 also matched
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"}
]
},
// Pattern 5 -- Configuration changes. "changed" also matches the "changed_by=" key this pattern
// extracts, so any line carrying that key is classified here. NOTE(review): 5001 is Device
// Inventory Info in OCSF 1.1.0 and "Configuration" is not a class name; config.* / prev_config.*
// do not obviously correspond to schema attributes -- confirm against the schema.
{
"pattern": "(config|configuration|setting|changed)",
"rewrites": [
{"set": "class_uid", "value": "5001"},
{"set": "class_name", "value": "Configuration"},
// Activity is always Update (2); no create/delete distinction is made
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Update"},
// Extract setting
{"regex": "setting[=:]\\s*(\\S+)", "group": 1, "to": "config.name"},
// Extract old/new values -- \S+ stops at the first space, so quoted or multi-word values are cut
{"regex": "old_value[=:]\\s*(\\S+)", "group": 1, "to": "prev_config.value"},
{"regex": "new_value[=:]\\s*(\\S+)", "group": 1, "to": "config.value"},
// Extract who changed
{"regex": "changed_by[=:]\\s*(\\S+)", "group": 1, "to": "actor.user.name"}
]
},
// Pattern 6 -- Service events. "started"/"stopped"/"restart" match any message using those words
// ("Backup started"), not only service lifecycle lines. NOTE(review): 1006 is Scheduled Job
// Activity in OCSF 1.1.0; "Service Activity" is not a 1.1.0 class name -- confirm.
{
"pattern": "(service|started|stopped|restart)",
"rewrites": [
{"set": "class_uid", "value": "1006"},
{"set": "class_name", "value": "Service Activity"},
// Extract service name
{"regex": "service_name[=:]\\s*(\\S+)", "group": 1, "to": "service.name"},
// Extract version
{"regex": "version[=:]\\s*(\\S+)", "group": 1, "to": "service.version"},
// Extract port
{"regex": "port[=:]\\s*(\\d+)", "group": 1, "to": "service.port"},
// Extract PID -- no boundary before "pid", so "ppid=" also matches
{"regex": "pid[=:]\\s*(\\d+)", "group": 1, "to": "service.pid"},
// Activity -- "restarted" contains "started" and is recorded as Start; a bare "restart" line
// satisfies neither "if" and sets no activity from this pattern
{"set": "activity_id", "value": "1", "if": "started"},
{"set": "activity_name", "value": "Start", "if": "started"},
{"set": "activity_id", "value": "2", "if": "stopped"},
{"set": "activity_name", "value": "Stop", "if": "stopped"}
]
}
],
"transforms": {
// Parses group 1 of pattern 1. Both formats are BSD syslog without a year, so the engine has to
// supply one (not visible here) -- events around the New Year roll-over are the classic casualty.
// "timezone": "local" presumably means the ingest host's zone rather than the sending device's;
// a device in another zone is then placed at the wrong point on the timeline -- confirm.
"syslogTimestamp": {
"formats": [
"MMM dd HH:mm:ss",
"MMM d HH:mm:ss"
],
"timezone": "local"
}
}
}