marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00


{
  // Darktrace CEF / syslog parser — OCSF v1.3.0
  //
  // Supports the four canonical Darktrace log streams:
  // 1. Model Breach → Detection Finding (severity_id fixed at 4/High below; the
  //    cn1 score is captured into `score` but is not mapped onto severity here)
  // 2. AI Analyst Incident → Detection Finding (Critical)
  // 3. Antigena (autonomous response) → Detection Finding (action: Blocked)
  // 4. Admin / authentication events → Authentication (3002)
  //
  // Wire format is CEF: pipe-separated header + space-separated key=value extension.
  // CEF:0|Darktrace|<product>|<ver>|<sigID>|<name>|<sev>|<extension>
  //
  // Review notes that apply to every format below:
  // - Each rewrite `match` starts with a greedy `.*`, so if the same key occurs
  //   more than once in the extension, the LAST occurrence is the one captured.
  // - CEF escapes `=`, `\` and newlines inside extension values (`\=`, `\\`,
  //   `\n`). Nothing in this file unescapes them, and the `[^=\n]` / `[^ \n]`
  //   classes stop at the first such escape, so escaped values come out
  //   truncated. NOTE(review): confirm whether the engine unescapes CEF before
  //   rewrites run.
  // - `$dt_product`, `$dt_version` and `$cef_severity` are captured as fields
  //   only; `cef_severity` is never used to derive `severity_id`.
  // - Model names, incident names and `msg=` text are copied verbatim into
  //   `finding_title`/`summary`. They originate on the wire, so consumers that
  //   render these fields should treat them as untrusted strings.
  //
  // Defaults merged into every event. Every format restates class/category and
  // sets its own severity_id, so `severity_id: 3` and `activity_id: 1` here only
  // reach events that no format overrides. NOTE(review): confirm that per-format
  // attributes take precedence over these defaults in the parser engine.
  attributes: {
    "metadata.version": "1.3.0",
    "metadata.product.vendor_name": "Darktrace",
    "metadata.product.name": "Enterprise Immune System",
    "metadata.log_provider": "syslog",
    "Category": "security",
    "dataSource.vendor": "Darktrace",
    "dataSource.name": "Darktrace",
    "dataSource.category": "ndr",
    "event.type": "Alert",
    "event.category": "security",
    "category_uid": 2,
    "category_name": "Findings",
    "class_uid": 2004,
    "class_name": "Detection Finding",
    "activity_id": 1,
    "type_uid": 200401,
    "severity_id": 3
  },
  // Named sub-patterns referenced from `format` strings as $name=pattern$.
  // `ip` (IPv4-only) and `rest` are defined but not referenced by any format or
  // rewrite in this file — the rewrites inline their own regexes.
  // NOTE(review): CEF escapes a literal `|` inside a header field as `\|`;
  // `phrase` ([^|]+) stops at that escape, so a header field containing `\|`
  // (used for incident_name below) would fail to match the format.
  patterns: {
    word: "[^ |]+",
    phrase: "[^|]+",
    rest: ".*",
    num: "\\d+",
    ip: "\\d+\\.\\d+\\.\\d+\\.\\d+",
    ext: ".*"
  },
  // Formats are tried in order; each one sets `halt: true`, presumably so the
  // first matching format ends evaluation — confirm against the engine.
  formats: [
    // ============================================================
    // 1. MODEL BREACH — sigID 100, name="Model Breach"
    // Example:
    // CEF:0|Darktrace|DCIP|6.1|100|Model Breach|7|src=10.1.1.5 dst=8.8.8.8
    // spt=54321 dpt=443 cs1=Anomalous Connection / Suspicious Self-Signed SSL
    // cs1Label=Model cn1=85 cn1Label=Score duser=jsmith deviceExternalId=12345
    // cs2=Compliance cs2Label=Category act=alert
    // ============================================================
    {
      id: "dt_model_breach",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        type_uid: 200401,
        finding_title: "Darktrace Model Breach",
        "event.type": "Alert", "event.category": "security",
        // Fixed severity for every model breach; the cn1 score captured below
        // does not influence it.
        severity_id: 4,
        severity: "High",
        disposition_id: 1, disposition: "Allowed",
        status_id: 1, status: "Detected"
      },
      // Header name is matched literally ("Model Breach"); the CEF severity
      // digit is captured but not used.
      format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]100[|]Model Breach[|]$cef_severity=num$[|]$cef_extension=ext$",
      halt: true,
      rewrites: [
        // Pull common fields out of the CEF extension key=value bag.
        // `message` is presumably the whole raw line — verify against the engine.
        // src/dst are IPv4-only; IPv6 peers are not captured by these rewrites.
        { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "dst_ip", match: ".*dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "src_port", match: ".*spt=(\\d+).*", replace: "$1" },
        { input: "message", output: "dst_port", match: ".*dpt=(\\d+).*", replace: "$1" },
        { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" },
        { input: "message", output: "device_id", match: ".*deviceExternalId=([^ \\n]+).*", replace: "$1" },
        // Model names contain spaces, so this one is lazy up to the next
        // `\s+\w+=` key boundary; a name that itself contains `word=` is cut short.
        { input: "message", output: "model_name", match: ".*cs1=([^=\\n]+?)\\s+\\w+=.*", replace: "$1" },
        // Single-token value (e.g. "Compliance" in the example above).
        { input: "message", output: "model_category",match: ".*cs2=([^ \\n]+).*", replace: "$1" },
        // Breach score (cn1). Stored only — severity_id above stays at 4/High.
        { input: "message", output: "score", match: ".*cn1=(\\d+).*", replace: "$1" },
        // `$0` is the full matched model_name. This is the only rewrite in the
        // file with an inline `(?i)`, which suggests matches are case-sensitive
        // by default (dt_aianalyst's externalId rewrite depends on that).
        { input: "model_name", output: "finding_title", match: "(?i).*",
          replace: "Darktrace Model Breach: $0" }
      ]
    },
    // ============================================================
    // 2. AI ANALYST INCIDENT — sigID 200, name contains "AI Analyst"
    // The header name is captured as a whole (`phrase`) rather than matched
    // literally, so any sigID 200 name reaches this format.
    // ============================================================
    {
      id: "dt_aianalyst",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        type_uid: 200401,
        finding_title: "Darktrace AI Analyst Incident",
        "event.type": "Alert", "event.category": "security",
        severity_id: 5, severity: "Critical",
        disposition_id: 1, disposition: "Allowed",
        status_id: 1, status: "Detected"
      },
      format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]200[|]$incident_name=phrase$[|]$cef_severity=num$[|]$cef_extension=ext$",
      halt: true,
      rewrites: [
        { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "dst_ip", match: ".*dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" },
        { input: "message", output: "device_id", match: ".*deviceExternalId=([^ \\n]+).*", replace: "$1" },
        // Case-sensitive: `externalId=` must not match `deviceExternalId=`
        // (capital E). If the engine folds case, this would capture the device
        // id instead — NOTE(review): confirm default case sensitivity.
        { input: "message", output: "incident_id", match: ".*externalId=([^ \\n]+).*", replace: "$1" },
        // Free-text summary up to the next key or end of line. A `=` inside the
        // message (CEF-escaped as `\=`) ends the capture early.
        { input: "message", output: "summary", match: ".*msg=([^=\\n]+?)(?:\\s+\\w+=.*|$)", replace: "$1" },
        // Incident name from the CEF header, prefixed; replaces the static
        // finding_title set in attributes.
        { input: "incident_name", output: "finding_title",match: ".*", replace: "Darktrace $0" }
      ]
    },
    // ============================================================
    // 3. ANTIGENA (Autonomous Response) — sigID 300
    // ============================================================
    {
      id: "dt_antigena",
      attributes: {
        class_uid: 2004, class_name: "Detection Finding",
        category_uid: 2, category_name: "Findings",
        type_uid: 200401,
        finding_title: "Darktrace Antigena Autonomous Action",
        "event.type": "Action", "event.category": "security",
        severity_id: 5, severity: "Critical",
        // Disposition is fixed to Blocked regardless of the `act=` value
        // captured below. NOTE(review): if the appliance reports non-blocking
        // actions under sigID 300, this would misreport them; consider deriving
        // disposition from `action`.
        disposition_id: 2, disposition: "Blocked",
        status_id: 1, status: "Detected"
      },
      // Header name matched literally ("Antigena Action").
      format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]300[|]Antigena Action[|]$cef_severity=num$[|]$cef_extension=ext$",
      halt: true,
      rewrites: [
        { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "dst_ip", match: ".*dst=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" },
        { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" },
        { input: "message", output: "device_id", match: ".*deviceExternalId=([^ \\n]+).*", replace: "$1" },
        // Raw Antigena action verb (single token); kept as a field only.
        { input: "message", output: "action", match: ".*act=([^ \\n]+).*", replace: "$1" }
      ]
    },
    // ============================================================
    // 4. ADMIN / AUTH EVENTS — sigID 400 (login success/failure)
    // Only the two literal header names below are recognised; any other
    // sigID 400 name falls through and is not handled by this file.
    // Both formats map to Authentication (3002), activity_id 1 (Logon).
    // ============================================================
    {
      id: "dt_auth_fail",
      attributes: {
        class_uid: 3002, class_name: "Authentication",
        category_uid: 3, category_name: "Identity & Access Management",
        type_uid: 300201, activity_id: 1,
        "event.type": "Login", "event.category": "authentication",
        status_id: 2, status: "Failure",
        // NOTE(review): set here but not on dt_auth_ok; confirm finding_title is
        // intended for the Authentication class at all.
        finding_title: "Darktrace Admin Login Failure"
      },
      format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]400[|]Admin Login Failure[|]$cef_severity=num$[|]$cef_extension=ext$",
      halt: true,
      rewrites: [
        // Actor and source address of the failed admin login (IPv4 only).
        { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" },
        { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }
      ]
    },
    {
      id: "dt_auth_ok",
      attributes: {
        class_uid: 3002, class_name: "Authentication",
        category_uid: 3, category_name: "Identity & Access Management",
        type_uid: 300201, activity_id: 1,
        "event.type": "Login", "event.category": "authentication",
        status_id: 1, status: "Success"
      },
      format: "CEF:0[|]Darktrace[|]$dt_product=word$[|]$dt_version=word$[|]400[|]Admin Login Success[|]$cef_severity=num$[|]$cef_extension=ext$",
      halt: true,
      rewrites: [
        // Same two fields as dt_auth_fail, for successful admin logins.
        { input: "message", output: "user_name", match: ".*duser=([^ \\n]+).*", replace: "$1" },
        { input: "message", output: "src_ip", match: ".*src=(\\d+\\.\\d+\\.\\d+\\.\\d+).*", replace: "$1" }
      ]
    }
  ]
}