Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-08 20:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ac971964359ef11f2be852234f1c31e1f05e65b0
marcredhat-siem-toolkit-pat…/parsers/aws_cloudtrail-latest
T
Mick c182d837ee Initial commit: SIEM Toolkit for SentinelOne 
Dockerized SecOps toolkit with:
- Coverage Map: STAR rule vs SDL parser field coverage analysis
- Ingest Dashboard: PowerQuery-powered event volume and source breakdown
- Onboarding Assistant: AI-guided log source onboarding with Claude
- Parser management via SDL MCP integration

Stack: FastAPI + PostgreSQL backend, nginx-served HTML frontend, Docker Compose.
PowerQuery runs via Scalyr XDR API (SDL_XDR_URL + SDL_LOG_READ_KEY).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-19 11:39:26 -04:00

29 lines
1.6 KiB
Plaintext
Raw Blame History

{
"attributes": {
"dataSource.vendor": "AWS",
"dataSource.name": "AWS Web Application Firewall",
"dataSource.category": "web_security"
},
"formats": [
{
"id": "aws_waf_json",
"format": ".*${parse=json}$",
"rewrites": [
{ "input": "timestamp", "output": "time", "match": ".*", "replace": "$0" },
{ "input": "httpRequest.clientIp", "output": "src_endpoint.ip", "match": ".*", "replace": "$0" },
{ "input": "action", "output": "disposition", "match": ".*", "replace": "$0" },
{ "input": "httpRequest.uri", "output": "http_request.url.text", "match": ".*", "replace": "$0" },
{ "input": "httpRequest.country", "output": "src_endpoint.location.country", "match": ".*", "replace": "$0" },
{ "input": "httpRequest.httpMethod", "output": "http_request.http_method", "match": ".*", "replace": "$0" },
{ "input": "webaclId", "output": "firewall_rule.uid", "match": ".*", "replace": "$0" },
{ "input": "ruleGroupId", "output": "firewall_rule.name", "match": ".*", "replace": "$0" },
{ "input": "terminatingRuleType", "output": "firewall_rule.type", "match": ".*", "replace": "$0" },
{ "input": "httpRequest.httpVersion", "output": "http_request.version", "match": ".*", "replace": "$0" },
{ "input": "httpRequest.args", "output": "http_request.url.query_string", "match": ".*", "replace": "$0" },
{ "input": "requestId", "output": "http_request.uid", "match": ".*", "replace": "$0" },
{ "input": "httpRequest.headers", "output": "http_request.http_headers", "match": ".*", "replace": "$0" }
],
"halt": true
}
]
}
Reference in New Issue View Git Blame Copy Permalink