Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-09 04:47:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
12fec66d9af01119eaee6d7ec741b49d83cdb13e
marcredhat-siem-toolkit-pat…/parsers/proofpoint_proofpoint_logs-latest
T
marc a9dcf48e65 Snapshot 95 demo-tenant parsers (incl. stormshield) + un-ignore parsers/ 
The original upstream gitignores parsers/* on the assumption that each tenant
has its own set. This fork commits a working snapshot so the Parser Test Runner
and Parser Coverage features are usable out of the box.

Stormshield parser exercises the new SDL key=value scanner, pattern references,
and JS-style unquoted format keys added to backend/routers/quality.py.
2026-05-22 14:11:56 +02:00

85 lines
3.9 KiB
Plaintext
Raw Blame History

{
attributes: {
"dataSource.vendor": "Proofpoint",
"dataSource.category": "security"
},
formats: [
{
id: "format1",
format: "${parse=dottedjson}$"
rewrites: [
{input: "messageTime", output: "timestamp", match: ".*", replace: "$0"},
{input: "clickTime", output: "unmapped.clickTime", match: ".*", replace: "$0"},
{input: "threatsInfoMap", output: "unmapped.threatsInfoMap", match: ".*", replace: "$0"},
{input: "messageParts", output: "unmapped.messageParts", match: ".*", replace: "$0"},
{input: "quarantineFolder", output: "unmapped.quarantineFolder", match: ".*", replace: "$0"},
{input: "impostorScore", output: "unmapped.impostorScore", match: ".*", replace: "$0"},
{input: "phishScore", output: "unmapped.phishScore", match: ".*", replace: "$0"},
{input: "policyRoutes", output: "unmapped.policyRoutes", match: ".*", replace: "$0"},
{input: "threatStatus", output: "unmapped.threatStatus", match: ".*", replace: "$0"},
{input: "threatsInfoMap[0].threatStatus", output: "unmapped.threatStatus", match: ".*", replace: "$0"},
{input: "classification", output: "unmapped.classification", match: ".*", replace: "$0"},
{input: "threatsInfoMap[0].classification", output: "unmapped.classification", match: ".*", replace: "$0"},
{input: "sender", output: "unmapped.sender", match: ".*", replace: "$0"},
{input: "recipient", output: "unmapped.recipient", match: ".*", replace: "$0"},
{input: "sender", output: "email.from", match: ".*", replace: "$0"},
{input: "fromAddress[0]", output: "email.from", match: ".*", replace: "$0"},
{input: "fromAddress", output: "email.from", match: ".*", replace: "$0"},
{input: "recipient", output: "email.to", match: ".*", replace: "$0"},
{input: "toAddresses[0]", output: "email.to", match: ".*", replace: "$0"},
{input: "toAddresses", output: "email.to", match: ".*", replace: "$0"},
{input: "recipient", output: "actor.user.name", match: ".*", replace: "$0"},
{input: "toAddresses[0]", output: "actor.user.name", match: ".*", replace: "$0"},
{input: "toAddresses", output: "actor.user.name", match: ".*", replace: "$0"},
{input: "messageSize", output: "email.size", match: ".*", replace: "$0"},
{input: "headerFrom", output: "email.smtp_from", match: ".*", replace: "$0"},
{input: "oext", output: "oext", match: ".*", replace: "$0"},
{input: "mod", output: "mod", match: ".*", replace: "$0"}
]
}
],
mappings: {
version: 1,
mappings: [
{
predicate: "clickTime = * OR clickIP = * OR threatURL = *",
transformations: [
{ constant: { field: "dataSource.name", value: "Proofpoint" } },
{ constant: { field: "event.type", value: "Click" } },
{ copy: { from: "fromAddress[0]", to: "email.from" } },
{ copy: { from: "toAddresses[0]", to: "email.to" } },
{ copy: { from: "toAddresses[0]", to: "actor.user.name" } },
{ copy: { from: "recipient", to: "actor.user.name" } }
]
},
{
predicate: "messageTime = * OR messageParts = * OR threatsInfoMap = *",
transformations: [
{ constant: { field: "dataSource.name", value: "Proofpoint" } },
{ constant: { field: "event.type", value: "Email" } },
{ copy: { from: "fromAddress[0]", to: "email.from" } },
{ copy: { from: "toAddresses[0]", to: "email.to" } },
{ copy: { from: "toAddresses[0]", to: "actor.user.name" } },
{ copy: { from: "recipient", to: "actor.user.name" } }
]
},
{
predicate: "true",
transformations: [
{ constant: { field: "dataSource.name", value: "Proofpoint" } },
{ constant: { field: "event.type", value: "Other" } },
]
}
]
}
}
Reference in New Issue View Git Blame Copy Permalink