mirror of
https://github.com/marcredhat/SIEM-toolkit-patched
synced 2026-06-10 13:21:17 +00:00
marc
a9dcf48e65
The original upstream gitignores parsers/* on the assumption that each tenant has its own set. This fork commits a working snapshot so the Parser Test Runner and Parser Coverage features are usable out of the box. Stormshield parser exercises the new SDL key=value scanner, pattern references, and JS-style unquoted format keys added to backend/routers/quality.py.
34 lines
1.5 KiB
Plaintext
34 lines
1.5 KiB
Plaintext
{
|
|
attributes: {
|
|
"metadata.version": "1.0.0",
|
|
"dataSource.vendor": "Sophos",
|
|
"dataSource.name": "Sophos EDR",
|
|
"dataSource.category": "security",
|
|
"Category": "security",
|
|
"metadata.product.vendor_name": "Sophos",
|
|
"metadata.product.name": "Endpoint Detection and Response",
|
|
"metadata.log_provider": "api",
|
|
"class_uid": 2001,
|
|
"class_name": "Security Finding",
|
|
"severity_id": 2,
|
|
"severity": "Low"
|
|
},
|
|
|
|
formats: [
|
|
{
|
|
format: ".*\\{.*\\}.*",
|
|
rewrites: [
|
|
{ input: "message", output: "sophos.name", match: ".*\"name\":\\s*\"([^\"]+)\".*", replace: "$1" },
|
|
{ input: "message", output: "sophos.type", match: ".*\"type\":\\s*\"([^\"]+)\".*", replace: "$1" },
|
|
{ input: "message", output: "sophos.severity", match: ".*\"severity\":\\s*\"([^\"]+)\".*", replace: "$1" },
|
|
{ input: "message", output: "sophos.group", match: ".*\"group\":\\s*\"([^\"]+)\".*", replace: "$1" },
|
|
{ input: "message", output: "sophos.dhost", match: ".*\"dhost\":\\s*\"([^\"]+)\".*", replace: "$1" },
|
|
{ input: "message", output: "sophos.suser", match: ".*\"suser\":\\s*\"([^\"]+)\".*", replace: "$1" },
|
|
{ input: "message", output: "sophos.endpoint_id", match: ".*\"endpoint_id\":\\s*\"([^\"]+)\".*", replace: "$1" },
|
|
{ input: "message", output: "sophos.customer_id", match: ".*\"customer_id\":\\s*\"([^\"]+)\".*", replace: "$1" },
|
|
{ input: "message", output: "src_endpoint.ip", match: ".*\"ip\":\\s*\"([^\"]+)\".*", replace: "$1" }
|
|
]
|
|
}
|
|
]
|
|
}
|