marc d6d0faf218 Add Stormshield ingest verifier
End-to-end regression test for the SDL Stormshield parser:
- test.py        single upload + 150s polling verifier
- send_burst.py  4 varied events (different users, IPs, actions) with current timestamps
- verify_query.py  query last 15 min of stormshield events
- run_and_verify.sh  burst + 40s wait + verify
- config.example.json  template (config.json is gitignored)
- README.md     setup, run, behaviour-quirks docs

Use against a real SDL tenant after deploying parsers/stormshield. Confirms
parser='stormshield', dataSource.name='Stormshield', and the 5 OCSF rewrites
(src_endpoint.ip/port, dst_endpoint.ip/port, actor.user.name).
2026-05-22 17:06:08 +02:00

# Stormshield ingest verifier
End-to-end regression test for the SDL Stormshield parser. Sends raw syslog
events to `/api/uploadLogs`, waits for ingest, and confirms the OCSF rewrites
(`src_endpoint.ip`, `dst_endpoint.ip`, `actor.user.name`, ...) populated by
the parser at ingest time.
## Setup
```bash
cp config.example.json config.json
chmod 600 config.json
# Fill in log_write_key, log_read_key — both are SDL Data Lake API keys.
# Generate them in the S1 console: Singularity Data Lake -> API Keys.
```
`config.json` is gitignored. Never commit real tokens.
## Run
```bash
# Single-event upload + 150s polling verifier (prints which OCSF fields landed)
python3 test.py
# Burst of 4 varied events with current timestamps (different users, IPs, actions)
python3 send_burst.py
# One-shot regression: burst + 40s wait + query last 15 min
bash run_and_verify.sh
```
## How to find the events afterwards
The SDL console search field (and PowerQuery) attribute for the parser name
is **`parser`**, not `parser.name`:
```
parser="stormshield" | sort -timestamp | limit 10
```
## Behaviour quirks worth knowing
1. **`server-host` HTTP header is overwritten** to the literal string
`uploadLogs` on this tenant. Don't try to filter by `serverHost` for
precise event matching; use `parser='stormshield'` instead.
2. **`parser.name` is always None** on `uploadLogs`-ingested events.
Use the bare `parser` attribute.
3. **Embedded `time="..."`** in the syslog body is taken as the event's
canonical timestamp via `$timestamp=tsPattern$`. The scripts rewrite
this to "now" so events appear under recent activity in the console.
4. **Ingest latency** is 5-60s. `test.py` polls for up to 150s.
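The two checks the scripts perform, as an added illustration rather than the toolkit's own code: rewriting the embedded `time="..."` to "now" (quirk 3) and reporting which of the confirmed fields landed on a queried event. It assumes a `time="YYYY-MM-DD HH:MM:SS"` tsPattern and that query results come back as Python dicts (nested or flat dotted keys); neither is stated in the README, and the sample line and event are constructed.

```python
import re
from datetime import datetime, timezone

# The five OCSF rewrites plus the two identity fields the verifier confirms.
# A value of None means "must be present", a string means "must equal this".
EXPECTED = {
    "parser": "stormshield",
    "dataSource.name": "Stormshield",
    "src_endpoint.ip": None, "src_endpoint.port": None,
    "dst_endpoint.ip": None, "dst_endpoint.port": None,
    "actor.user.name": None,
}
TIME_RE = re.compile(r'time="[^"]*"')

def rewrite_time(line, now=None):
    """Replace the embedded time="..." with 'now' so the event shows up as recent.
    Assumes the parser's tsPattern is YYYY-MM-DD HH:MM:SS (not stated in the README)."""
    now = now or datetime.now(timezone.utc)
    return TIME_RE.sub(f'time="{now:%Y-%m-%d %H:%M:%S}"', line, count=1)

def lookup(event, path):
    """Resolve a dotted OCSF path against a flat-dotted or a nested event dict."""
    if path in event:
        return event[path]
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def check_event(event):
    """Return (landed, problems): landed maps path -> value for fields that arrived,
    problems lists missing fields and identity fields carrying an unexpected value."""
    landed, problems = {}, []
    for path, want in EXPECTED.items():
        got = lookup(event, path)
        if got in (None, ""):
            problems.append(f"missing {path}")
        elif want is not None and got != want:
            problems.append(f"{path}={got!r}, expected {want!r}")
        else:
            landed[path] = got
    return landed, problems

# Constructed sample data, not output from a real tenant.
RAW_LINE = ('id=firewall time="2024-01-05 08:00:00" src=10.0.0.5 srcport=51234 '
            'dst=203.0.113.9 dstport=443 user=alice action=pass')
SAMPLE_EVENT = {"parser": "stormshield", "parser.name": None,
                "dataSource": {"name": "Stormshield"},
                "src_endpoint": {"ip": "10.0.0.5", "port": 51234},
                "dst_endpoint": {"ip": "203.0.113.9"},  # port did not land
                "actor": {"user": {"name": "alice"}}}

if __name__ == "__main__":
    print(rewrite_time(RAW_LINE))
    landed, problems = check_event(SAMPLE_EVENT)
    print("landed:", sorted(landed), "problems:", problems)
```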
## Files
- `test.py` — single upload + polling verifier
- `send_burst.py` — N varied events with current timestamps
- `verify_query.py` — query last 15 min of stormshield events
- `run_and_verify.sh` — burst + sleep + verify (regression test)
- `config.example.json` — template, copy to `config.json`