Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-08 20:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7c1687efcec4e44f7d2b838d2674a04b9e00e96f
marcredhat-siem-toolkit-pat…/parsers/ocsf-linux-os
T
marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier 
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00

407 lines
14 KiB
Plaintext
Raw Blame History

// SentinelOne AI SIEM Parser: Linux OS
// OCSF Schema Version: 1.1.0
// Maps Linux syslog/auth/audit logs to OCSF classes
// Primary Classes: Authentication (3002), Process Activity (1007), Account Change (3001)
{
"parserName": "LinuxOS-OCSF",
"version": "1.0.0",
"vendor": "Linux",
"product": "Linux OS",
"format": "syslog",
"patterns": [
// SSH successful login
{
"pattern": "sshd\\[\\d+\\]:\\s+Accepted\\s+(\\w+)\\s+for\\s+(\\S+)\\s+from\\s+([\\d.]+)\\s+port\\s+(\\d+)",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "type_uid", "value": "300201"},
// Metadata
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "OpenSSH"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)\\s+(\\S+)", "group": 2, "to": "device.hostname"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Auth method
{"group": 1, "to": "auth_protocol"},
// User
{"group": 2, "to": "user.name"},
// Source
{"group": 3, "to": "src_endpoint.ip"},
{"group": 4, "to": "src_endpoint.port"},
// SSH key fingerprint
{"regex": "SHA256:(\\S+)", "group": 1, "to": "user.credential_uid"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// SSH failed login
{
"pattern": "sshd\\[\\d+\\]:\\s+Failed\\s+(\\w+)\\s+for\\s+(invalid user\\s+)?(\\S+)\\s+from\\s+([\\d.]+)\\s+port\\s+(\\d+)",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Logon"},
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "OpenSSH"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Auth method
{"group": 1, "to": "auth_protocol"},
// User
{"group": 3, "to": "user.name"},
{"set": "user.type", "value": "Invalid", "if": "invalid user"},
// Source
{"group": 4, "to": "src_endpoint.ip"},
{"group": 5, "to": "src_endpoint.port"},
// Severity
{"set": "severity_id", "value": "3"},
{"set": "severity", "value": "Medium"}
]
},
// Sudo command execution
{
"pattern": "sudo:\\s+(\\S+)\\s+:\\s+TTY=(\\S+)\\s+;\\s+PWD=(\\S+)\\s+;\\s+USER=(\\S+)\\s+;\\s+COMMAND=(.+)$",
"rewrites": [
{"set": "class_uid", "value": "1007"},
{"set": "class_name", "value": "Process Activity"},
{"set": "category_uid", "value": "1"},
{"set": "category_name", "value": "System Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Launch"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "sudo"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Actor
{"group": 1, "to": "actor.user.name"},
{"group": 2, "to": "actor.session.terminal"},
{"group": 3, "to": "process.cwd"},
// Target user (run as)
{"group": 4, "to": "user.name"},
// Command
{"group": 5, "to": "process.cmd_line"},
// Privilege escalation indicator
{"set": "is_privileged", "value": "true"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Sudo denied
{
"pattern": "sudo:\\s+(\\S+)\\s+:\\s+user NOT in sudoers",
"rewrites": [
{"set": "class_uid", "value": "3003"},
{"set": "class_name", "value": "Authorization"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Deny"},
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "sudo"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// User
{"group": 1, "to": "actor.user.name"},
// Extract command attempted
{"regex": "COMMAND=(.+)$", "group": 1, "to": "process.cmd_line"},
// Severity
{"set": "severity_id", "value": "4"},
{"set": "severity", "value": "High"}
]
},
// User creation (useradd)
{
"pattern": "useradd\\[\\d+\\]:\\s+new user:\\s+name=(\\S+),\\s+UID=(\\d+),\\s+GID=(\\d+),\\s+home=(\\S+),\\s+shell=(\\S+)",
"rewrites": [
{"set": "class_uid", "value": "3001"},
{"set": "class_name", "value": "Account Change"},
{"set": "category_uid", "value": "3"},
{"set": "category_name", "value": "Identity & Access Management"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Create"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "useradd"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// New user
{"group": 1, "to": "user.name"},
{"group": 2, "to": "user.uid"},
{"group": 3, "to": "user.gid"},
{"group": 4, "to": "user.home"},
{"group": 5, "to": "user.shell"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// User modification (usermod)
{
"pattern": "usermod\\[\\d+\\]:\\s+add\\s+'(\\S+)'\\s+to\\s+group\\s+'(\\S+)'",
"rewrites": [
{"set": "class_uid", "value": "3004"},
{"set": "class_name", "value": "Group Membership"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Add"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "usermod"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// User and group
{"group": 1, "to": "user.name"},
{"group": 2, "to": "group.name"},
// Severity for privileged groups
{"set": "severity_id", "value": "4", "if": "wheel|sudo|root|admin"},
{"set": "severity", "value": "High", "if": "wheel|sudo|root|admin"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// UFW firewall block
{
"pattern": "kernel:\\s+\\[UFW BLOCK\\]\\s+IN=(\\S*)\\s+OUT=(\\S*).*SRC=([\\d.]+)\\s+DST=([\\d.]+).*PROTO=(\\w+)\\s+SPT=(\\d+)\\s+DPT=(\\d+)",
"rewrites": [
{"set": "class_uid", "value": "4001"},
{"set": "class_name", "value": "Network Activity"},
{"set": "category_uid", "value": "4"},
{"set": "category_name", "value": "Network Activity"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Deny"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "UFW"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Interfaces
{"group": 1, "to": "src_endpoint.interface_name"},
{"group": 2, "to": "dst_endpoint.interface_name"},
// Endpoints
{"group": 3, "to": "src_endpoint.ip"},
{"group": 4, "to": "dst_endpoint.ip"},
{"group": 6, "to": "src_endpoint.port"},
{"group": 7, "to": "dst_endpoint.port"},
// Protocol
{"group": 5, "to": "connection_info.protocol_name"},
// Status
{"set": "status_id", "value": "2"},
{"set": "status", "value": "Failure"}
]
},
// Audit EXECVE (command execution)
{
"pattern": "auditd\\[\\d+\\]:\\s+EXECVE\\s+argc=(\\d+)\\s+(.+)$",
"rewrites": [
{"set": "class_uid", "value": "1007"},
{"set": "class_name", "value": "Process Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Launch"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "auditd"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Arguments
{"group": 1, "to": "process.argc"},
{"group": 2, "to": "process.cmd_line", "transform": "parseAuditArgs"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Systemd service start
{
"pattern": "systemd\\[1\\]:\\s+Started\\s+(.+?)(?:\\s+-\\s+(.+))?\\.?$",
"rewrites": [
{"set": "class_uid", "value": "1006"},
{"set": "class_name", "value": "Service Activity"},
{"set": "category_uid", "value": "1"},
{"set": "category_name", "value": "System Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Start"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "systemd"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Service
{"group": 1, "to": "service.name"},
{"group": 2, "to": "service.desc"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Cron job execution
{
"pattern": "cron\\[\\d+\\]:\\s+\\((\\S+)\\)\\s+CMD\\s+\\((.+)\\)$",
"rewrites": [
{"set": "class_uid", "value": "1007"},
{"set": "class_name", "value": "Process Activity"},
{"set": "activity_id", "value": "1"},
{"set": "activity_name", "value": "Launch"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "cron"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// User
{"group": 1, "to": "actor.user.name"},
// Command
{"group": 2, "to": "process.cmd_line"},
// Scheduled task indicator
{"set": "is_scheduled", "value": "true"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// Password change
{
"pattern": "passwd\\[\\d+\\]:\\s+password changed for\\s+(\\S+)\\s+by\\s+(\\S+)",
"rewrites": [
{"set": "class_uid", "value": "3001"},
{"set": "class_name", "value": "Account Change"},
{"set": "activity_id", "value": "3"},
{"set": "activity_name", "value": "Password Change"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "passwd"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Target user
{"group": 1, "to": "user.name"},
// Actor
{"group": 2, "to": "actor.user.name"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
},
// SSH disconnect
{
"pattern": "sshd\\[\\d+\\]:\\s+Received disconnect from\\s+([\\d.]+)\\s+port\\s+(\\d+):(\\d+):\\s+(.+)$",
"rewrites": [
{"set": "class_uid", "value": "3002"},
{"set": "class_name", "value": "Authentication"},
{"set": "activity_id", "value": "2"},
{"set": "activity_name", "value": "Logoff"},
{"set": "metadata.version", "value": "1.1.0"},
{"set": "metadata.product.name", "value": "OpenSSH"},
{"set": "metadata.product.vendor_name", "value": "Linux"},
// Time
{"regex": "^(\\w+\\s+\\d+\\s+[\\d:]+)", "group": 1, "to": "time"},
// Source
{"group": 1, "to": "src_endpoint.ip"},
{"group": 2, "to": "src_endpoint.port"},
// Disconnect code and reason
{"group": 3, "to": "status_code"},
{"group": 4, "to": "status_detail"},
// Status
{"set": "status_id", "value": "1"},
{"set": "status", "value": "Success"}
]
}
],
"transforms": {
"parseAuditArgs": {
"description": "Parse audit EXECVE arguments a0=\"/bin/bash\" a1=\"-c\" to command line",
"regex": "a\\d+=\"([^\"]+)\"",
"join": " "
}
}
}
Reference in New Issue View Git Blame Copy Permalink