marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00
// SentinelOne AI SIEM Parser: IBM QRadar
// OCSF Schema Version: 1.1.0
// Maps QRadar JSON events to OCSF classes. This definition declares "format": "json" only;
// LEEF handling is not shown here, so LEEF-delivered events should be verified separately.
// Primary Classes: Security Finding (2001), Authentication (3002), Network Activity (4001)
// (the catch-all pattern below stamps every event as 2001; see the notes on "ocsf_mappings").
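{
  "parserName": "QRadar-OCSF",
  "version": "1.0.0",
  "vendor": "IBM",
  "product": "QRadar",
  // Only JSON-formatted QRadar events are declared here; LEEF input is not covered by this definition.
  "format": "json",
  "patterns": [
    {
      // Catch-all: every event that reaches this parser matches and receives all rewrites below.
      "pattern": ".*",
      "rewrites": [
        // OCSF Metadata
        {"set": "metadata.version", "value": "1.1.0"},
        {"set": "metadata.product.name", "value": "QRadar"},
        {"set": "metadata.product.vendor_name", "value": "IBM"},
        {"copy": "logSourceName", "to": "metadata.log_name"},
        {"copy": "logSourceTypeName", "to": "metadata.product.feature.name"},
        // OCSF Classification.
        // NOTE(review): because the pattern is ".*", every event is stamped as a Security Finding
        // here. The "ocsf_mappings" section at the bottom describes Authentication / Network
        // Activity reclassification, but nothing in this file shows the engine applying those
        // conditions after these rewrites -- confirm, or detections keyed on class_uid will see
        // auth and network events as findings. Also, to my recollection Security Finding (2001)
        // is marked deprecated in OCSF 1.1.0 in favour of Detection Finding (2004); check the
        // schema before building on 2001.
        {"set": "class_uid", "value": "2001"}, // Security Finding
        {"set": "class_name", "value": "Security Finding"},
        {"copy": "category", "to": "category_name"},
        {"set": "type_uid", "value": "200101"}, // Security Finding: Create
        // Time mapping.
        // NOTE(review): "time" receives startTime verbatim while "time_dt" parses the same field
        // as ISO 8601. Per the OCSF base-event schema "time" is an epoch-millisecond integer, so
        // only one of these two rewrites can be correct for a given feed -- confirm which form
        // QRadar delivers on this source and drop or convert the other.
        {"copy": "startTime", "to": "time"},
        {"parseTimestamp": "startTime", "format": "ISO8601", "to": "time_dt"},
        // Severity mapping (QRadar 1-10 to OCSF severity_id 1-5 via the transform below).
        // An event with no "severity" field gets no severity_id at all; nothing here defaults it
        // to 0 (Unknown), so downstream filters on severity_id will silently drop such events.
        {"copy": "severity", "to": "severity_id", "transform": "qradarSeverityToOCSF"},
        // Label lookup. "6" (Fatal) is listed for completeness only: the transform never emits it.
        {"lookup": "severity_id", "map": {"1": "Informational", "2": "Low", "3": "Medium", "4": "High", "5": "Critical", "6": "Fatal"}, "to": "severity"},
        // Actor/User mapping
        {"copy": "username", "to": "actor.user.name"},
        {"copy": "domainName", "to": "actor.user.domain"},
        // NOTE(review): identityHostName is a host name, not a credential identifier; landing it
        // in actor.user.credential_uid will mislead anything that pivots on credential IDs.
        // Left unchanged pending a decision on the right target attribute (e.g. a device/host
        // attribute) -- confirm with the schema owner.
        {"copy": "identityHostName", "to": "actor.user.credential_uid"},
        // Source endpoint
        {"copy": "sourceIP", "to": "src_endpoint.ip"},
        {"copy": "sourcePort", "to": "src_endpoint.port"},
        // Destination endpoint
        {"copy": "destinationIP", "to": "dst_endpoint.ip"},
        {"copy": "destinationPort", "to": "dst_endpoint.port"},
        // Network connection
        {"copy": "protocol", "to": "connection_info.protocol_name"},
        // Finding details
        {"copy": "qidName", "to": "finding_info.title"},
        {"copy": "eventName", "to": "finding_info.desc"},
        {"copy": "qid", "to": "finding_info.uid"},
        // The raw event text now goes to the OCSF base-event "raw_data" attribute. It was
        // previously written to finding_info.data_sources, which is a list of data-source names,
        // not event content. Raw payloads routinely carry credentials and PII: decide who may
        // read this field downstream before enabling it broadly.
        {"copy": "payload", "to": "raw_data"},
        // Risk scoring. QRadar's own magnitude / credibility / relevance values are copied through
        // without rescaling; if consumers expect the OCSF score ranges rather than QRadar's, a
        // transform (like the severity one) is needed here -- confirm the expected scale.
        {"copy": "magnitude", "to": "risk_score"},
        {"copy": "credibility", "to": "confidence_score"},
        {"copy": "relevance", "to": "impact_score"},
        // Observables. Every entry is guarded on its source field so an event lacking that field
        // does not emit an observable with an empty or placeholder value into IOC matching.
        // (Previously only the username entry had the guard; the two IP entries appended
        // unconditionally.)
        {"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$sourceIP"}, "if": "sourceIP"},
        {"array": "observables", "append": {"type": "IP Address", "type_id": 2, "value": "$destinationIP"}, "if": "destinationIP"},
        {"array": "observables", "append": {"type": "User Name", "type_id": 4, "value": "$username"}, "if": "username"}
      ]
    }
  ],
  "transforms": {
    // Bucketed QRadar severity -> OCSF severity_id. Output range is 1..5; inputs outside 1-10
    // (or non-numeric) fall through with no mapping shown here -- confirm engine behaviour.
    "qradarSeverityToOCSF": {
      "1-2": 1,
      "3-4": 2,
      "5-6": 3,
      "7-8": 4,
      "9-10": 5
    }
  },
  // NOTE(review): these conditional reclassifications are declared outside the "patterns"
  // rewrites. Whether the engine evaluates them, and in what order relative to the hard-set
  // class_uid above and to each other (an auth event with a protocol matches both), is not
  // shown in this file -- verify with a sample event of each kind.
  "ocsf_mappings": {
    "authentication_events": {
      "condition": "category == 'Authentication'",
      "class_uid": 3002,
      "class_name": "Authentication",
      // No source field is named for the success/failure decision; as written this map cannot
      // be applied without knowing which QRadar attribute drives it.
      "activity_id": {"success": 1, "failure": 2}
    },
    "network_events": {
      "condition": "protocol != ''",
      "class_uid": 4001,
      "class_name": "Network Activity"
    }
  }
}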