mirror of
https://github.com/marcredhat/SIEM-toolkit-patched
synced 2026-06-08 20:37:12 +00:00
marc
7c1687efce
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).
Preserved fork additions:
backend/routers/quality.py KV scanner, pattern refs, JS keys, JSON mode,
/parsers + /sync-from-sdl endpoints
parsers/ 96 OCSF + tenant parsers
tools/stormshield-verify/ end-to-end ingest regression test
.gitignore un-ignored parsers/*
CHANGES.md, PATCHES.md
287 lines
6.7 KiB
Plaintext
287 lines
6.7 KiB
Plaintext
{
|
|
"attributes": {
|
|
"dataSource.vendor": "HashiCorp",
|
|
"dataSource.name": "HashiCorp Vault",
|
|
"dataSource.category": "security",
|
|
"metadata.product.vendor_name": "HashiCorp",
|
|
"metadata.product.name": "HashiCorp Vault",
|
|
"metadata.version": "1.0.0"
|
|
},
|
|
"formats": [
|
|
{
|
|
"format": "$unmapped.{parse=json}$",
|
|
"rewrites": [
|
|
{
|
|
"input": "unmapped.time",
|
|
"output": "timestamp",
|
|
"match": ".*",
|
|
"replace": "$0"
|
|
},
|
|
{
|
|
"input": "unmapped.timestamp",
|
|
"output": "timestamp",
|
|
"match": ".*",
|
|
"replace": "$0"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"mappings": {
|
|
"version": 1,
|
|
"mappings": [
|
|
{
|
|
"predicate": "true",
|
|
"transformations": [
|
|
{
|
|
"constant": {
|
|
"value": 6001,
|
|
"field": "class_uid"
|
|
}
|
|
},
|
|
{
|
|
"constant": {
|
|
"value": "Vault Activity",
|
|
"field": "class_name"
|
|
}
|
|
},
|
|
{
|
|
"constant": {
|
|
"value": 6,
|
|
"field": "category_uid"
|
|
}
|
|
},
|
|
{
|
|
"constant": {
|
|
"value": "Application Activity",
|
|
"field": "category_name"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.time",
|
|
"to": "time"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.timestamp",
|
|
"to": "time"
|
|
}
|
|
},
|
|
{
|
|
"cast": {
|
|
"field": "time",
|
|
"type": "iso8601TimestampToEpochSec"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.request.id",
|
|
"to": "metadata.uid"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.type",
|
|
"to": "message"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.request.operation",
|
|
"to": "activity_name"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.auth.display_name",
|
|
"to": "user.name"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.auth.entity_id",
|
|
"to": "user.uid"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.auth.token_type",
|
|
"to": "user.type"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.request.client_ip",
|
|
"to": "src_endpoint.ip"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.request.client_token",
|
|
"to": "session.uid"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.request.path",
|
|
"to": "http_request.url.path"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.request.namespace.path",
|
|
"to": "http_request.url.path"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.response.data.accessor",
|
|
"to": "dst_endpoint.uid"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.response.data.entity_id",
|
|
"to": "dst_endpoint.uid"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.error",
|
|
"to": "status_detail"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.auth.policies",
|
|
"to": "metadata.extensions.policies"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.request.mount_type",
|
|
"to": "metadata.extensions.mount_type"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.request.mount_point",
|
|
"to": "metadata.extensions.mount_point"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.response.mount_type",
|
|
"to": "metadata.extensions.mount_type"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.response.secret",
|
|
"to": "metadata.extensions.secret"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.response.data.lease_id",
|
|
"to": "metadata.extensions.lease_id"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.response.data.lease_duration",
|
|
"to": "metadata.extensions.lease_duration"
|
|
}
|
|
},
|
|
{
|
|
"copy": {
|
|
"from": "unmapped.response.data.renewable",
|
|
"to": "metadata.extensions.renewable"
|
|
}
|
|
},
|
|
{
|
|
"constant": {
|
|
"value": 1,
|
|
"field": "activity_id",
|
|
"predicate": "unmapped.error == \"\""
|
|
}
|
|
},
|
|
{
|
|
"constant": {
|
|
"value": 2,
|
|
"field": "activity_id",
|
|
"predicate": "unmapped.error != \"\""
|
|
}
|
|
},
|
|
{
|
|
"constant": {
|
|
"value": 1,
|
|
"field": "severity_id",
|
|
"predicate": "unmapped.error == \"\""
|
|
}
|
|
},
|
|
{
|
|
"constant": {
|
|
"value": 3,
|
|
"field": "severity_id",
|
|
"predicate": "unmapped.error != \"\""
|
|
}
|
|
},
|
|
{
|
|
"constant": {
|
|
"value": 1,
|
|
"field": "status_id",
|
|
"predicate": "unmapped.error == \"\""
|
|
}
|
|
},
|
|
{
|
|
"constant": {
|
|
"value": 2,
|
|
"field": "status_id",
|
|
"predicate": "unmapped.error != \"\""
|
|
}
|
|
},
|
|
{
|
|
"constant": {
|
|
"value": "Success",
|
|
"field": "status",
|
|
"predicate": "unmapped.error == \"\""
|
|
}
|
|
},
|
|
{
|
|
"constant": {
|
|
"value": "Failure",
|
|
"field": "status",
|
|
"predicate": "unmapped.error != \"\""
|
|
}
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"observables": {
|
|
"fields": [
|
|
{
|
|
"name": "user.name",
|
|
"type": "User"
|
|
},
|
|
{
|
|
"name": "src_endpoint.ip",
|
|
"type": "IP Address"
|
|
},
|
|
{
|
|
"name": "session.uid",
|
|
"type": "Other"
|
|
},
|
|
{
|
|
"name": "http_request.url.path",
|
|
"type": "Other"
|
|
},
|
|
{
|
|
"name": "metadata.extensions.lease_id",
|
|
"type": "Other"
|
|
}
|
|
]
|
|
}
|
|
} |