marc a9dcf48e65 Snapshot 95 demo-tenant parsers (incl. stormshield) + un-ignore parsers/
The original upstream gitignores parsers/* on the assumption that each tenant
has its own set. This fork commits a working snapshot so the Parser Test Runner
and Parser Coverage features are usable out of the box.

Stormshield parser exercises the new SDL key=value scanner, pattern references,
and JS-style unquoted format keys added to backend/routers/quality.py.
2026-05-22 14:11:56 +02:00

{
// Windows Security Event XML parser — OCSF v1.3.0
// Input: Windows Security channel events as XML text (metadata.log_provider
// below says winlogbeat). Each entry in `formats` is a regex over that text;
// `$name=pattern$` placeholders capture fields, and `halt: true` presumably
// stops evaluation at the first matching format — confirm against
// backend/routers/quality.py.
// Field captures use a negated character class ([^<]*), so a value stops at
// the next XML tag. The `.*` connectors between elements are greedy, which is
// fine as long as each matched element name occurs once per event. Captured
// values are the raw XML text; entities such as &amp; are not decoded here.
// NOTE(review): `.` normally does not match newlines, so pretty-printed
// multi-line event XML would not match — confirm events arrive as one line.
attributes: {
// Top-level defaults (Authentication class, severity 1). The formats below
// carry their own class/category/severity values; presumably those override
// these on a match — verify the merge order in the loader.
"metadata.version": "1.3.0",
"metadata.product.vendor_name": "Microsoft",
"metadata.product.name": "Windows Security",
"metadata.log_provider": "winlogbeat",
"Category": "host",
"dataSource.vendor": "Microsoft",
"dataSource.name": "Windows Security",
"dataSource.category": "endpoint",
"category_uid": 3,
"category_name": "IAM",
"class_uid": 3002,
"class_name": "Authentication",
"activity_id": 1,
"type_uid": 300201,
"status_id": 1,
"severity_id": 1
},
patterns: {
// Anything until next "<" — the only pattern the formats in this file use.
untilLT: "[^<]*",
// Anything until next ">". Not referenced by any format below.
untilGT: "[^>]*",
// `word` and `rest` are likewise unreferenced; kept for authors adding formats.
word: "\\S+",
rest: ".*"
},
formats: [
// 4625 = Failed logon → Detection Finding (HIGH)
// Captures user_name (TargetUserName) and src_ip (IpAddress), which appear in
// that order in the EventData. IpAddress is "-" for local/non-network logon
// failures, so src_ip may hold "-" rather than an address. The calling
// account, LogonType and the Status/SubStatus failure codes are not captured.
{
id: "win_4625",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Windows Logon Failure (4625)",
severity_id: 4, severity: "High",
disposition_id: 2, disposition: "Blocked",
status_id: 2, status: "Failure"
},
format: ".*<EventID>4625</EventID>.*<Data Name=\"TargetUserName\">$user_name=untilLT$</Data>.*<Data Name=\"IpAddress\">$src_ip=untilLT$</Data>.*",
halt: true
},
// 4720 = User account created → Detection Finding (HIGH)
// Captures only new_user (TargetUserName). The account that created it
// (SubjectUserName) is not captured, so the finding carries no actor.
{
id: "win_4720",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Windows New User Account Created (4720)",
severity_id: 4, severity: "High"
},
format: ".*<EventID>4720</EventID>.*<Data Name=\"TargetUserName\">$new_user=untilLT$</Data>.*",
halt: true
},
// 4732 = User added to security group → Detection Finding (CRITICAL)
// Captures member (MemberName) and group_name (for this event TargetUserName
// holds the group, not a user).
// NOTE(review): on many systems MemberName is "-" and the added account is
// only identifiable via MemberSid — confirm on sample events and consider
// capturing MemberSid as well.
// NOTE(review): 4732 fires for membership changes to any security-enabled
// local group, yet finding_title/severity say "Privileged"/Critical; if only
// privileged groups are meant, the group name should be constrained.
{
id: "win_4732",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Windows User Added to Privileged Group (4732)",
severity_id: 5, severity: "Critical"
},
format: ".*<EventID>4732</EventID>.*<Data Name=\"MemberName\">$member=untilLT$</Data>.*<Data Name=\"TargetUserName\">$group_name=untilLT$</Data>.*",
halt: true
},
// 1102 = Audit log cleared (anti-forensics) → Detection Finding (CRITICAL)
// Matches on EventID only; no fields are captured, so the account that cleared
// the log is not recorded in the finding.
{
id: "win_1102",
attributes: {
class_uid: 2004, class_name: "Detection Finding",
category_uid: 2, category_name: "Findings",
type_uid: 200401,
finding_title: "Windows Audit Log Cleared (1102)",
severity_id: 5, severity: "Critical"
},
format: ".*<EventID>1102</EventID>.*",
halt: true
},
// 4624 = Successful logon (informational)
// Captures user_name (TargetUserName) and src_ip (IpAddress); as with 4625,
// IpAddress is "-" for local logons. LogonType is not captured, so interactive,
// network and service logons are indistinguishable downstream.
{
id: "win_4624",
attributes: {
class_uid: 3002, class_name: "Authentication",
activity_id: 1, type_uid: 300201,
status_id: 1, status: "Success"
},
format: ".*<EventID>4624</EventID>.*<Data Name=\"TargetUserName\">$user_name=untilLT$</Data>.*<Data Name=\"IpAddress\">$src_ip=untilLT$</Data>.*",
halt: true
}
]
}