marcredhat-siem-toolkit-pat…/parsers/ocsf-security-overview
marc a9dcf48e65 Snapshot 95 demo-tenant parsers (incl. stormshield) + un-ignore parsers/
The original upstream gitignores parsers/* on the assumption that each tenant
has its own set. This fork commits a working snapshot so the Parser Test Runner
and Parser Coverage features are usable out of the box.

Stormshield parser exercises the new SDL key=value scanner, pattern references,
and JS-style unquoted format keys added to backend/routers/quality.py.
2026-05-22 14:11:56 +02:00


{
  "duration": "24h",
  "description": "Cross-source security posture from OCSF-normalized events",
  "graphs": [
    {
      "title": "Events by Source",
      "graphStyle": "donut",
      "maxPieSlices": 15,
      "query": "serverHost = * | group count() by serverHost | sort -count | limit 15",
      "layout": {
        "w": 20,
        "h": 14,
        "x": 0,
        "y": 0
      }
    },
    {
      "title": "Event Volume Over Time",
      "graphStyle": "stacked_bar",
      "xAxis": "time",
      "query": "serverHost = * | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp",
      "layout": {
        "w": 40,
        "h": 14,
        "x": 20,
        "y": 0
      }
    },
    {
      "title": "Top Source IPs",
      "graphStyle": "table",
      "query": "src_ip = * | group hits=count() by src_ip | sort -hits | limit 15",
      "layout": {
        "w": 20,
        "h": 14,
        "x": 0,
        "y": 14
      }
    },
    {
      "title": "Top Active Users",
      "graphStyle": "table",
      "query": "user_name = * | group hits=count() by user_name | sort -hits | limit 15",
      "layout": {
        "w": 20,
        "h": 14,
        "x": 20,
        "y": 14
      }
    },
    {
      "title": "Authentication Failures",
      "graphStyle": "number",
      "query": "message contains 'Failed password' or message contains 'authentication failure' | group count() | limit 1",
      "layout": {
        "w": 10,
        "h": 7,
        "x": 40,
        "y": 14
      },
      "options": {
        "format": "auto",
        "precision": "0",
        "suffix": " failures"
      }
    },
    {
      "title": "Firewall Denies",
      "graphStyle": "number",
      "query": "action = 'deny' or action = 'block' or action = 'drop' | group count() | limit 1",
      "layout": {
        "w": 10,
        "h": 7,
        "x": 50,
        "y": 14
      },
      "options": {
        "format": "auto",
        "precision": "0",
        "suffix": " blocked"
      }
    }
  ]
}