marc a9dcf48e65 Snapshot 95 demo-tenant parsers (incl. stormshield) + un-ignore parsers/
The original upstream gitignores parsers/* on the assumption that each tenant
has its own set. This fork commits a working snapshot so the Parser Test Runner
and Parser Coverage features are usable out of the box.

Stormshield parser exercises the new SDL key=value scanner, pattern references,
and JS-style unquoted format keys added to backend/routers/quality.py.
2026-05-22 14:11:56 +02:00


{
// Oracle RDBMS audit trail parser — OCSF v1.3.0
//
// Not strict JSON: this file uses // comments and unquoted keys (JSON5/JS
// object style), so it must only be loaded by a parser that accepts them
// (per the commit message, the quality.py loader was extended for this).
//
// `attributes` are the defaults stamped on every event; the `rewrites` of the
// matching format below override class/category/severity for events that are
// escalated to a Detection Finding.
//
// NOTE(review): class_uid 4001 is the base "Network Activity" class in the
// OCSF 1.x schema (category 4, matching category_uid/category_name below), while
// the class_name says "Database Activity". Database audit events are normally
// modelled as "Datastore Activity" (class_uid 6005, category 6 "Application
// Activity") — confirm against the pinned 1.3.0 schema before any downstream
// detection or dashboard keys on class_uid from this parser.
attributes: {
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Oracle",
"metadata.product.name": "Database",
"Category": "database",
"dataSource.vendor": "Oracle",
"dataSource.name": "Oracle Database",
"dataSource.category": "database",
"category_uid": 4,
"category_name": "Network Activity",
"class_uid": 4001,
"class_name": "Database Activity",
"activity_id": 1,
"type_uid": 400101,
// Defaults: status_id 1 (Success) and severity_id 1 (Informational).
// Only the rewrites further down change these.
"status_id": 1,
"severity_id": 1
},
// Named regex fragments referenced as $field=name$ inside `format`.
// `word` stops at the first whitespace, so every field captured with it must
// be a single token — see the caveat on the format string below.
patterns: {
word: "\\S+",
rest: ".*"
},
formats: [
{
id: "oracle_audit",
attributes: {
class_uid: 4001, class_name: "Database Activity",
type_uid: 400101
},
// Field order is fixed by the literal labels; TIMESTAMP is captured as two
// tokens (time, then tz). Everything after RETURNCODE lands in `rest`.
//
// NOTE(review): USERID, USERHOST and TERMINAL are values the connecting
// client influences. Because every capture is `word` (\S+), a value that
// contains whitespace (e.g. a terminal/program string set by the client)
// pushes the following literal label out of alignment and the whole format
// stops matching — such an event then never reaches the failed-operation or
// GRANT rewrites below. Treat a rising unparsed count from this source as a
// possible log-smuggling attempt rather than plain noise.
//
// NOTE(review): the same single-token limit applies to ACTION_NAME. Oracle's
// AUDIT_ACTIONS names for privilege grants are multi-word ("GRANT OBJECT",
// "GRANT ROLE", "SYSTEM GRANT"), so against real (non-demo) audit data the
// `^GRANT$` rewrites below may never fire — verify with a sample from the
// source database and widen the pattern/match if needed.
format: "Audit trail: ACTION: $action_id=word$ TIMESTAMP: $ts=word$ $tz=word$ SESSIONID: $session_id=word$ ENTRYID: $entry_id=word$ STATEMENT: $stmt_id=word$ USERID: $user_name=word$ USERHOST: $user_host=word$ TERMINAL: $terminal=word$ ACTION_NAME: $activity_name=word$ RETURNCODE: $return_code=word$ $rest=rest$",
// Stop after this format matches; no fallback format is defined in this file.
halt: true,
rewrites: [
// Copy-through mappings: match ".*" and replace with "$0" (presumably the
// whole matched value) to relocate a captured field to its OCSF path.
//
// NOTE(review): USERHOST is the *client* host of the session, whereas OCSF
// `device` describes where the event occurred (the database server).
// `src_endpoint.hostname` may be the better target — check how downstream
// consumers of `device.hostname` interpret it before changing.
{ input: "user_name", output: "actor.user.name", match: ".*", replace: "$0" },
{ input: "user_host", output: "device.hostname", match: ".*", replace: "$0" },
{ input: "session_id", output: "actor.session.uid", match: ".*", replace: "$0" },
// Failed (return_code != 0) → Detection Finding
// RETURNCODE is the ORA error number (0 = success). `^[1-9].*` fires on any
// non-zero code, so benign client errors (e.g. ORA-00942 "table or view does
// not exist") are escalated to severity High too — narrow the match or lower
// the severity for noisy tenants rather than disabling the block.
// NOTE(review): if rewrites are applied in array order, an event that is both
// failed and a GRANT gets finding_title/severity from the GRANT block below
// (it runs last) while status/status_id keep "Failure" from this block.
{ input: "return_code", output: "class_uid", match: "^[1-9].*", replace: "2004" },
{ input: "return_code", output: "class_name", match: "^[1-9].*", replace: "Detection Finding" },
{ input: "return_code", output: "category_uid", match: "^[1-9].*", replace: "2" },
{ input: "return_code", output: "type_uid", match: "^[1-9].*", replace: "200401" },
{ input: "return_code", output: "finding_title", match: "^[1-9].*", replace: "Oracle Database Failed Operation" },
{ input: "return_code", output: "severity_id", match: "^[1-9].*", replace: "4" },
{ input: "return_code", output: "severity", match: "^[1-9].*", replace: "High" },
{ input: "return_code", output: "status_id", match: "^[1-9].*", replace: "2" },
{ input: "return_code", output: "status", match: "^[1-9].*", replace: "Failure" },
// Privilege grants → Detection Finding
// Deliberately leaves status/status_id at the Success defaults: a GRANT that
// failed is already marked Failure by the return_code block above.
{ input: "activity_name", output: "class_uid", match: "^GRANT$", replace: "2004" },
{ input: "activity_name", output: "class_name", match: "^GRANT$", replace: "Detection Finding" },
{ input: "activity_name", output: "category_uid", match: "^GRANT$", replace: "2" },
{ input: "activity_name", output: "type_uid", match: "^GRANT$", replace: "200401" },
{ input: "activity_name", output: "finding_title", match: "^GRANT$", replace: "Oracle Privilege Grant" },
{ input: "activity_name", output: "severity_id", match: "^GRANT$", replace: "4" },
{ input: "activity_name", output: "severity", match: "^GRANT$", replace: "High" }
]
}
]
}