Mick c182d837ee Initial commit: SIEM Toolkit for SentinelOne
Dockerized SecOps toolkit with:
- Coverage Map: STAR rule vs SDL parser field coverage analysis
- Ingest Dashboard: PowerQuery-powered event volume and source breakdown
- Onboarding Assistant: AI-guided log source onboarding with Claude
- Parser management via SDL MCP integration

Stack: FastAPI + PostgreSQL backend, nginx-served HTML frontend, Docker Compose.
PowerQuery runs via Scalyr XDR API (SDL_XDR_URL + SDL_LOG_READ_KEY).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 11:39:26 -04:00


{
attributes: {
source: "okta"
"dataSource.category": "security",
"dataSource.name": "Okta",
"dataSource.vendor": "Okta",
},
formats: [
{
format: ".*${parse=dottedJson}{attrBlacklist=target}$"
rewrites: [
{ input: "actor.id", output: "user.account_uid", match: ".*", replace: "$0" },
{ input: "actor.type", output: "user.account_type", match: ".*", replace: "$0" },
{ input: "actor.alternateId", output: "user.email_addr", match: ".*", replace: "$0" },
{ input: "actor.displayName", output: "user.name", match: ".*", replace: "$0" },
{ input: "authenticationContext.authenticationStep", output: "authenticationStep", match: ".*", replace: "$0" },
{ input: "authenticationContext.externalSessionId", output: "externalSessionId", match: ".*", replace: "$0" },
{ input: "client.ipAddress", output: "client.ip", match: ".*", replace: "$0" },
{ input: "client.userAgent.browser", output: "client.browser", match: ".*", replace: "$0" },
{ input: "client.userAgent.os", output: "client.os", match: ".*", replace: "$0" },
{ input: "client.userAgent.rawUserAgent", output: "client.userAgent", match: ".*", replace: "$0" },
{ input: "client.zone", output: "client.location.zone", match: ".*", replace: "$0" },
{ input: "client.geographicalContext.city", output: "client.location.city", match: ".*", replace: "$0" },
{ input: "client.geographicalContext.country", output: "client.location.country", match: ".*", replace: "$0" },
{ input: "client.geographicalContext.geolocation.lat", output: "client.location.lat", match: ".*", replace: "$0" },
{ input: "client.geographicalContext.geolocation.lon", output: "client.location.lon", match: ".*", replace: "$0" },
{ input: "client.geographicalContext.postalCode", output: "client.location.postal_code", match: ".*", replace: "$0" },
{ input: "client.geographicalContext.state", output: "client.location.state", match: ".*", replace: "$0" },
{ input: "displayMessage", output: "msg", match: ".*", replace: "$0" },
{ input: "eventType", output: "category_name", match: ".*", replace: "$0" },
{ input: "outcome.result", output: "result", match: ".*", replace: "$0" },
{ input: "published", output: "time", match: ".*", replace: "$0" },
{ input: "transaction.id", output: "type_uid", match: ".*", replace: "$0" },
{ input: "transaction.type", output: "type_name", match: ".*", replace: "$0" },
{ input: "uuid", output: "activity_id", match: ".*", replace: "$0" }
]
}
]
}