Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-08 12:33:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4df8e844e5f59a40ba7ff6e7b6a697bf56c65687
marcredhat-siem-toolkit-pat…/parsers/ocsf-f5-bigip
T
marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier 
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00

224 lines
9.7 KiB
Plaintext
Raw Blame History

// SentinelOne AI SIEM Parser: AMS - F5 Network Big IP
// OCSF Schema Version: 1.1.0
// Maps F5 BIG-IP LTM/ASM/APM logs to OCSF classes
// Primary Classes: HTTP Activity (4002), Security Finding (2001), Network Activity (4001)
{
"parserName": "F5BigIP-OCSF",
"version": "1.0.0",
"vendor": "F5 Networks",
"product": "BIG-IP",
"format": "syslog",
"patterns": [
// iRule HTTP Request logs
{
"pattern": "Rule\\s+(/\\S+)\\s+<HTTP_REQUEST>:",
"rewrites": [
{"set": "class_uid", "value": "4002"},
{"set": "class_name", "value": "HTTP Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Request"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP LTM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "policy.name"},
// Client
{"regex": "Client\\s+([\\d.]+):(\\d+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "Client\\s+([\\d.]+):(\\d+)", "group": 2, "to": "src_endpoint.port"},
// VIP
{"regex": "VIP\\s+([\\d.]+):(\\d+)", "group": 1, "to": "dst_endpoint.ip"},
{"regex": "VIP\\s+([\\d.]+):(\\d+)", "group": 2, "to": "dst_endpoint.port"},
// Pool/Member
{"regex": "Pool\\s+(\\S+)", "group": 1, "to": "dst_endpoint.svc_name"},
{"regex": "Member\\s+([\\d.]+):(\\d+)", "group": 1, "to": "dst_endpoint.intermediate_ips"},
// HTTP details
{"regex": "URI\\s+(\\S+)", "group": 1, "to": "http_request.url.path"},
{"regex": "Method\\s+(\\w+)", "group": 1, "to": "http_request.http_method"},
{"regex": "Host\\s+(\\S+)", "group": 1, "to": "http_request.url.hostname"},
{"regex": "User-Agent\\s+(.+?)(?:\\s+\\w+=|$)", "group": 1, "to": "http_request.user_agent"}
]
},
// iRule Security blocks
{
"pattern": "Rule\\s+(/\\S+)\\s+<HTTP_REQUEST>:\\s+BLOCKED",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Block"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP iRule"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
// Extract attack info
{"regex": "BLOCKED\\s+-\\s+(.+?)\\s+Client", "group": 1, "to": "finding_info.title"},
{"regex": "Client\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "URI\\s+(\\S+)", "group": 1, "to": "finding_info.src_url"},
{"regex": "Pattern matched:\\s+(.+?)$", "group": 1, "to": "finding_info.desc"},
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"}
]
},
// SSL Handshake failures
{
"pattern": "SSL Handshake failed",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "activity_id", "value": "6"},
{"set": "activity_name", "value": "Fail"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP SSL"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 2, "to": "src_endpoint.port"},
{"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 3, "to": "dst_endpoint.ip"},
{"regex": "TCP\\s+([\\d.]+):(\\d+)\\s+->\\s+([\\d.]+):(\\d+)", "group": 4, "to": "dst_endpoint.port"},
{"regex": "-\\s+(.+)$", "group": 1, "to": "status_detail"},
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
},
// APM Session events
{
"pattern": "apmd\\[\\d+\\]:",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP APM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
// Session
{"regex": ":Common:(\\w+):", "group": 1, "to": "session.uid"},
// User
{"regex": "User:\\s+(\\S+)", "group": 1, "to": "user.name"},
// Client IP
{"regex": "Client IP:\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
// Activity based on message
{"set": "activity_id", "value": "1", "if": "Session created|session created"},
{"set": "activity_name", "value": "Logon", "if": "Session created|session created"},
{"set": "activity_id", "value": "2", "if": "Session terminated|terminated"},
{"set": "activity_name", "value": "Logoff", "if": "Session terminated|terminated"},
// Status
{"set": "status_id", "value": "1", "if": "Allow|Success|success"},
{"set": "status", "value": "Success", "if": "Allow|Success|success"},
{"set": "status_id", "value": "2", "if": "Deny|failed|failure"},
{"set": "status", "value": "Failure", "if": "Deny|failed|failure"}
]
},
// ASM (WAF) logs
{
"pattern": "ASM:",
"rewrites": [
{"set": "class_uid", "value": "2001"},
{"set": "class_name", "value": "Security Finding"},
{"set": "category_uid", "value": "2"},
{"set": "category_name", "value": "Findings"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP ASM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
// Parse ASM fields
{"regex": "unit_hostname=\"([^\"]+)\"", "group": 1, "to": "device.hostname"},
{"regex": "management_ip_address=\"([^\"]+)\"", "group": 1, "to": "device.ip"},
{"regex": "policy_name=\"([^\"]+)\"", "group": 1, "to": "policy.name"},
{"regex": "violations=\"([^\"]+)\"", "group": 1, "to": "finding_info.title"},
{"regex": "request_status=\"([^\"]+)\"", "group": 1, "to": "activity_name"},
{"regex": "response_code=\"([^\"]+)\"", "group": 1, "to": "http_response.code"},
{"regex": "ip_client=\"([^\"]+)\"", "group": 1, "to": "src_endpoint.ip"},
{"regex": "method=\"([^\"]+)\"", "group": 1, "to": "http_request.http_method"},
{"regex": "protocol=\"([^\"]+)\"", "group": 1, "to": "connection_info.protocol_name"},
{"regex": "uri=\"([^\"]+)\"", "group": 1, "to": "http_request.url.path"},
{"regex": "sig_ids=\"([^\"]+)\"", "group": 1, "to": "finding_info.uid"},
{"regex": "sig_names=\"([^\"]+)\"", "group": 1, "to": "finding_info.desc"},
{"regex": "severity=\"([^\"]+)\"", "group": 1, "to": "severity"},
{"regex": "attack_type=\"([^\"]+)\"", "group": 1, "to": "finding_info.types"},
// Severity mapping
{"lookup": "severity", "map": {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Informational": 1}, "to": "severity_id"},
// Activity
{"lookup": "activity_name", "map": {"blocked": 2, "passed": 1, "alarmed": 1}, "to": "activity_id"}
]
},
// Pool member status
{
"pattern": "Pool\\s+(/\\S+)\\s+member\\s+([\\d.]+):(\\d+)\\s+monitor status\\s+(\\w+)",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "activity_id", "value": "99"},
{"set": "activity_name", "value": "Health Check"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP LTM"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "dst_endpoint.svc_name"},
{"group": 2, "to": "dst_endpoint.ip"},
{"group": 3, "to": "dst_endpoint.port"},
{"group": 4, "to": "status"},
{"lookup": "status", "map": {"up": 1, "down": 2}, "to": "status_id"}
]
},
// Audit logs
{
"pattern": "AUDIT\\s+-\\s+user\\s+(\\S+)",
"rewrites": [
{"set": "class_uid", "value": "6002"},
{"set": "class_name", "value": "API Activity"},
{"set": "category_uid", "value": "6"},
{"set": "category_name", "value": "Application Activity"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "F5 BIG-IP"},
{"set": "metadata.product.vendor_name", "value": "F5 Networks"},
{"group": 1, "to": "actor.user.name"},
{"regex": "from host\\s+([\\d.]+)", "group": 1, "to": "src_endpoint.ip"},
{"regex": "modified object\\s+(\\S+)", "group": 1, "to": "resources.name"},
{"regex": "state from\\s+(\\w+)\\s+to\\s+(\\w+)", "group": 1, "to": "prev_state"},
{"regex": "state from\\s+(\\w+)\\s+to\\s+(\\w+)", "group": 2, "to": "state"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Update"}
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink