diff --git a/.env copy b/.env copy
index 81fb767..3a371f7 100644
--- a/.env copy
+++ b/.env copy
@@ -8,12 +8,13 @@ DISABLE_AUTH=true
 SECRET_KEY=change-me-in-development
 
 # API keys (only used if DISABLE_AUTH=false)
-API_KEYS_ADMIN=
-API_KEYS_READ_ONLY=
-API_KEYS_WRITE=
+JARVIS_ADMIN_KEYS=
+JARVIS_READ_KEYS=
+JARVIS_WRITE_KEYS=
 
 # Integrations
 S1_SDL_API_TOKEN=
+S1_HEC_TOKEN=
 
 # Frontend -> Backend API key (not needed when DISABLE_AUTH=true)
 BACKEND_API_KEY=
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..3e90c77
--- /dev/null
+++ b/.env.example
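Review bot: A tracked file named `.env copy` carries the same variable set as the new `.env.example` and is exactly the kind of file that ends up holding real values, while `.env.example` in this same commit says never to commit `.env`; it should be deleted or folded into `.env.example`, with `.env*` ignored and `!.env.example` re-allowed. The hunk also keeps `S1_SDL_API_TOKEN=` under `# Integrations`, but `.env.example` lists that variable as deprecated and unused, so the two templates now disagree about which tokens a deployment needs. `SECRET_KEY=change-me-in-development` next to `DISABLE_AUTH=true` is fine in a template, but a stray copy of this file is already a runnable configuration, which is the reason to have only one template.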
@@ -0,0 +1,139 @@ +# ============================================================================== +# JARVIS CODING - CONFIGURATION ENVIRONMENT +# ============================================================================== +# Copy this file to .env and update values for your environment +# cp .env.example .env +# +# IMPORTANT: Never commit the .env file to version control! +# ============================================================================== + +# ============================================================================== +# RUNTIME SETTINGS +# ============================================================================== + +# Server host +HOST=0.0.0.0 + +# API server port (default: 8000) +PORT=8000 + +# Log level: debug, info, warning, error, critical +LOG_LEVEL=info + +# ============================================================================== +# AUTHENTICATION & SECURITY +# ============================================================================== + +# Disable authentication for local development (true/false) +# WARNING: Set to false in production! +DISABLE_AUTH=true + +# Secret key for JWT tokens and session encryption +# CRITICAL: Change this to a strong random string in production! 
+# Generate with: python -c "import secrets; print(secrets.token_urlsafe(32))" +SECRET_KEY=change-me-in-production + +# API Keys - Comma-separated for multiple keys per role +# Only used when DISABLE_AUTH=false +# Generate secure keys with: openssl rand -hex 32 + +# Admin keys +JARVIS_ADMIN_KEYS= + +# Write keys / Mandatory +# Get it from SentinelOne Console → Policy & Settings → API Keys → Log Access Keys (New Write Key) +JARVIS_WRITE_KEYS= + +# Read-only keys +JARVIS_READ_KEYS= + +# Frontend -> Backend API key (required when DISABLE_AUTH=false) +# Should match one of the JARVIS_ADMIN_KEYS or JARVIS_WRITE_KEYS +BACKEND_API_KEY= + +# ============================================================================== +# SENTINELONE HEC INTEGRATION (REQUIRED FOR PRODUCTION) +# ============================================================================== +# HEC = HTTP Event Collector - Used to SEND/WRITE events TO SentinelOne + +# SentinelOne HEC Token +# REQUIRED: To send events to SentinelOne AI-SIEM for ingestion and parsing +# Get from: SentinelOne Console > Settings > Integrations > HEC Tokens +# This token is used throughout the application (hec_sender.py, Frontend, scenarios) +S1_HEC_TOKEN= + +# SentinelOne HEC Endpoint URL +# Format: https://your-instance.sentinelone.net/api/v1/cloud_connect/events/raw +# Replace "your-instance" with your SentinelOne instance name +# Get information : https://your-console.sentinelone.net/soc-docs/en/services-and-ports-for-management.html#hec-endpoints-for-sdl-ingestion +S1_HEC_URL=https://your-instance.sentinelone.net/api/v1/cloud_connect/events/raw + +# ============================================================================== +# HEC (HTTP EVENT COLLECTOR) ADVANCED SETTINGS +# ============================================================================== + +# HEC Authentication Scheme: "Splunk" or "Bearer" +# - Splunk: Uses "Splunk " header format (default) +# - Bearer: Uses "Bearer " header format +S1_HEC_AUTH_SCHEME=Splunk 
+ +# HEC Event Metadata (optional) +# Default source, host, and index for events +S1_HEC_SOURCE=jarvis_coding +S1_HEC_HOST=jarvis-generator +S1_HEC_INDEX=main + +# HEC Batching Configuration +# Enable batch mode for better performance (true/false) +S1_HEC_BATCH=true + +# Maximum batch size in bytes (default: 1MB) +# SentinelOne recommends max 5MB per batch +S1_HEC_BATCH_MAX_BYTES=1048576 + +# Batch flush interval in milliseconds (default: 500ms) +S1_HEC_BATCH_FLUSH_MS=500 + +# Number of worker threads for batch processing +S1_HEC_WORKERS=10 + +# HEC TLS/SSL Configuration +# Verify SSL certificates (true/false) +# Set to false only for development/testing with self-signed certs +# S1_HEC_VERIFY=true + +# Use lower TLS security level for compatibility with older systems +S1_HEC_TLS_LOW=false + +# Enable debug logging for HEC sender (0=off, 1=basic, 2=verbose) +S1_HEC_DEBUG=0 + +# HEC API Timeout and Retry Settings +S1_API_TIMEOUT=30 +S1_API_RETRY_ATTEMPTS=3 + +# ============================================================================== +# KEYRING CONFIGURATION (FRONTEND CREDENTIAL STORAGE) +# ============================================================================== + +# Python keyring backend type +# Options: keyrings.alt.file.EncryptedKeyring, keyring.backends.SecretService.Keyring +PYTHON_KEYRING_BACKEND=keyrings.alt.file.EncryptedKeyring + +# Password for encrypted keyring file +# IMPORTANT: Change this to a strong password in production! 
+KEYRING_CRYPTFILE_PASSWORD=change-this-strong-password + +# Path to keyring file +# Docker: /app/Frontend/.keyring.cfg +# Local: ./Frontend/.keyring.cfg +KEYRING_CRYPTFILE_PATH=/app/Frontend/.keyring.cfg + +# ============================================================================== +# DEPRECATED VARIABLES (NOT USED IN CURRENT VERSION) +# ============================================================================== +# +# S1_SDL_API_TOKEN - SDL API token (for querying events from SentinelOne)S +# This was planned for parser validation features but is NOT currently used. +# The functionality exists in Backend/archive/ but is not integrated in the API. +# Leave commented unless you're working with the archived validation scripts. diff --git a/Backend/docker-compose.yml b/Backend/docker-compose.yml index 3225e0f..8cdc93c 100644 --- a/Backend/docker-compose.yml +++ b/Backend/docker-compose.yml @@ -1,5 +1,3 @@ -version: '3.8' - services: api: build: @@ -15,12 +13,19 @@ services: - SECRET_KEY=${SECRET_KEY:-change-me-in-production} # Authentication settings - DISABLE_AUTH=${DISABLE_AUTH:-false} - - API_KEYS_ADMIN=${API_KEYS_ADMIN} - - API_KEYS_READ_ONLY=${API_KEYS_READ_ONLY} - - API_KEYS_WRITE=${API_KEYS_WRITE} + - JARVIS_ADMIN_KEYS=${JARVIS_ADMIN_KEYS} + - JARVIS_WRITE_KEYS=${JARVIS_WRITE_KEYS} + - JARVIS_READ_KEYS=${JARVIS_READ_KEYS} # SentinelOne integration - S1_HEC_TOKEN=${S1_HEC_TOKEN} + - S1_HEC_URL=${S1_HEC_URL} - S1_SDL_API_TOKEN=${S1_SDL_API_TOKEN} + # HEC batching and configuration + - S1_HEC_BATCH=${S1_HEC_BATCH:-false} + - S1_HEC_BATCH_MAX_BYTES=${S1_HEC_BATCH_MAX_BYTES:-1048576} + - S1_HEC_BATCH_FLUSH_MS=${S1_HEC_BATCH_FLUSH_MS:-500} + - S1_HEC_DEBUG=${S1_HEC_DEBUG:-0} + - S1_HEC_VERIFY=${S1_HEC_VERIFY:-true} # Database - DATABASE_URL=sqlite+aiosqlite:///./data/jarvis_coding.db volumes: diff --git a/Backend/event_generators/shared/hec_sender.py b/Backend/event_generators/shared/hec_sender.py index c5d7e77..3d99aa9 100644 
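Review bot: The comment above `JARVIS_WRITE_KEYS=` (`# Write keys / Mandatory` / `# Get it from SentinelOne Console → Policy & Settings → API Keys → Log Access Keys (New Write Key)`) describes the SentinelOne Log Access write key, which in this file is `S1_HEC_TOKEN`, not the application's own write-role API key that the section header says to generate with `openssl rand -hex 32`; a reader following it would paste the ingestion token into the app's API-key list. Suggest `# Write keys (application API keys, generate with: openssl rand -hex 32)` here and moving the console path to the `S1_HEC_TOKEN` comment. `HOST=0.0.0.0` combined with `DISABLE_AUTH=true` is the template's default, so a copied-but-unedited `.env` serves an unauthenticated API on every interface; `HOST=127.0.0.1` as the template value keeps the local-development intent without that exposure. The deprecated-variables text has a stray character, `SentinelOne)S` should read `SentinelOne)`.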
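Review bot: `SECRET_KEY=${SECRET_KEY:-change-me-in-production}` (context line at the top of the second docker-compose hunk) means a deployment without a `.env` boots with a published signing secret; now that the key names are being reworked, make it mandatory with compose's error syntax, `- SECRET_KEY=${SECRET_KEY:?SECRET_KEY must be set}`, so the container refuses to start instead of running on the default. Only part of the new `.env.example` HEC settings is forwarded here: `S1_HEC_AUTH_SCHEME`, `S1_HEC_WORKERS`, `S1_HEC_TLS_LOW`, `S1_HEC_SOURCE`/`S1_HEC_HOST`/`S1_HEC_INDEX` and `S1_API_TIMEOUT` are not listed, so inside the container they fall back to code defaults unless the service also has an `env_file:` entry outside this hunk. `S1_HEC_BATCH` defaults to `false` here but the template sets `true`, and `S1_SDL_API_TOKEN` is still forwarded although the template now calls it deprecated; both are worth aligning in the same change.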
--- a/Backend/event_generators/shared/hec_sender.py
+++ b/Backend/event_generators/shared/hec_sender.py
@@ -4,6 +4,7 @@
 import gzip, io, threading, queue
 from datetime import datetime
 from typing import Callable, Tuple, Optional
+from pathlib import Path
 
 # Add generator category paths to sys.path
 import os
@@ -24,108 +25,12 @@ except Exception: _LOADED_SOURCETYPE_MAP = {} +# Load parser mappings from JSON file +_MAPPINGS_FILE = Path(__file__).parent / "parser_mappings.json" +with open(_MAPPINGS_FILE) as f: + _PARSER_MAPPINGS = json.load(f) -# Marketplace parser mappings to generators -MARKETPLACE_PARSER_MAP = { - # AWS parsers - "marketplace-awscloudtrail-latest": "aws_cloudtrail", - "marketplace-awscloudtrail-1.0.0": "aws_cloudtrail", - "marketplace-awselasticloadbalancer-latest": "aws_elasticloadbalancer", - "marketplace-awsguardduty-latest": "aws_guardduty", - "marketplace-awsvpcflowlogs-latest": "aws_vpcflowlogs", - "marketplace-awsvpcflowlogs-1.0.0": "aws_vpcflowlogs", - - # Check Point - "marketplace-checkpointfirewall-latest": "checkpoint", - "marketplace-checkpointfirewall-1.0.0": "checkpoint", - "marketplace-checkpointfirewall-1.0.1": "checkpoint", - - # Cisco parsers - "marketplace-ciscofirepowerthreatdefense-latest": "cisco_firewall_threat_defense", - "marketplace-ciscofirepowerthreatdefense-1.0.0": "cisco_firewall_threat_defense", - "marketplace-ciscofirepowerthreatdefense-2.0.0": "cisco_firewall_threat_defense", - "marketplace-ciscofirewallthreatdefense-latest": "cisco_firewall_threat_defense", - "marketplace-ciscofirewallthreatdefense-1.0.0": "cisco_firewall_threat_defense", - "marketplace-ciscofirewallthreatdefense-1.0.1": "cisco_firewall_threat_defense", - "marketplace-ciscofirewallthreatdefense-1.0.2": "cisco_firewall_threat_defense", - "marketplace-ciscofirewallthreatdefense-1.0.3": "cisco_firewall_threat_defense", - "marketplace-ciscoumbrella-latest": "cisco_umbrella", - - # Corelight parsers - "marketplace-corelight-conn-latest": "corelight_conn", - "marketplace-corelight-conn-1.0.0": "corelight_conn", - "marketplace-corelight-conn-1.0.1": "corelight_conn", - "marketplace-corelight-conn-2.0.0": "corelight_conn", - "marketplace-corelight-http-latest": "corelight_http", - "marketplace-corelight-http-1.0.0": "corelight_http", - 
"marketplace-corelight-http-1.0.1": "corelight_http", - "marketplace-corelight-http-2.0.0": "corelight_http", - "marketplace-corelight-ssl-latest": "corelight_ssl", - "marketplace-corelight-ssl-1.0.0": "corelight_ssl", - "marketplace-corelight-ssl-1.0.1": "corelight_ssl", - "marketplace-corelight-ssl-2.0.0": "corelight_ssl", - "marketplace-corelight-tunnel-latest": "corelight_tunnel", - "marketplace-corelight-tunnel-1.0.0": "corelight_tunnel", - "marketplace-corelight-tunnel-2.0.0": "corelight_tunnel", - - # Fortinet parsers - "marketplace-fortinetfortigate-latest": "fortinet_fortigate", - "marketplace-fortinetfortigate-1.0.0": "fortinet_fortigate", - "marketplace-fortinetfortigate-1.0.1": "fortinet_fortigate", - "marketplace-fortinetfortigate-1.0.2": "fortinet_fortigate", - "marketplace-fortinetfortigate-1.0.3": "fortinet_fortigate", - "marketplace-fortinetfortigate-1.0.4": "fortinet_fortigate", - "marketplace-fortinetfortigate-1.0.5": "fortinet_fortigate", - "marketplace-fortinetfortigate-1.0.6": "fortinet_fortigate", - "marketplace-fortinetfortimanager-latest": "fortimanager", - "marketplace-fortinetfortimanager-1.0.0": "fortimanager", - "marketplace-fortinetfortimanager-1.0.1": "fortimanager", - "marketplace-fortinetfortimanager-2.0.0": "fortimanager", - - # Infoblox - "marketplace-infobloxddi-latest": "infoblox_ddi", - "marketplace-infobloxddi-1.0.0": "infoblox_ddi", - "marketplace-infobloxddi-2.0.0": "infoblox_ddi", - - # Netskope - "marketplace-netskopecloudlogshipper-latest": "netskope", - "marketplace-netskopecloudlogshipper-1.0.0": "netskope", - "marketplace-netskopecloudlogshipper-1.0.1": "netskope", - "marketplace-netskopecloudlogshipper-1.0.2": "netskope", - "marketplace-netskopecloudlogshipper-1.0.3": "netskope", - "marketplace-netskopecloudlogshipperjson-latest": "netskope", - "marketplace-netskopecloudlogshipperjson-1.0.0": "netskope", - - # Palo Alto Networks - "marketplace-paloaltonetworksfirewall-latest": "paloalto_firewall", - 
"marketplace-paloaltonetworksfirewall-1.0.0": "paloalto_firewall", - "marketplace-paloaltonetworksfirewall-1.0.1": "paloalto_firewall", - "marketplace-paloaltonetworksfirewall-1.0.2": "paloalto_firewall", - "marketplace-paloaltonetworksfirewall-2.0.0": "paloalto_firewall", - "marketplace-paloaltonetworksfirewall-2.0.1": "paloalto_firewall", - "marketplace-paloaltonetworksfirewall-2.0.2": "paloalto_firewall", - "marketplace-paloaltonetworksfirewall-2.0.3": "paloalto_firewall", - "marketplace-paloaltonetworksfirewall-2.0.4": "paloalto_firewall", - "marketplace-paloaltonetworksfirewall-2.0.5": "paloalto_firewall", - "marketplace-paloaltonetworksfirewall-3.0.0": "paloalto_firewall", - "marketplace-paloaltonetworksfirewall-3.0.1": "paloalto_firewall", - "marketplace-paloaltonetworksfirewall-3.0.2": "paloalto_firewall", - "marketplace-paloaltonetworksfirewall-3.0.3": "paloalto_firewall", - "marketplace-paloaltonetworksprismaaccess-latest": "paloalto_prismasase", - "marketplace-paloaltonetworksprismaaccess-1.0.0": "paloalto_prismasase", - - # Zscaler parsers - "marketplace-zscalerinternetaccess-latest": "zscaler", - "marketplace-zscalerinternetaccess-1.0.0": "zscaler", - "marketplace-zscalerinternetaccess-1.0.1": "zscaler", - "marketplace-zscalerinternetaccess-2.0.0": "zscaler", - "marketplace-zscalerinternetaccess-3.0.0": "zscaler", - "marketplace-zscalerprivateaccess-latest": "zscaler_private_access", - "marketplace-zscalerprivateaccess-1.0.0": "zscaler_private_access", - "marketplace-zscalerprivateaccess-2.0.0": "zscaler_private_access", - "marketplace-zscalerprivateaccessjson-latest": "zscaler_private_access", - "marketplace-zscalerprivateaccessjson-1.0.0": "zscaler_private_access", -} +MARKETPLACE_PARSER_MAP = _PARSER_MAPPINGS["marketplace_to_product"] # Map product → (module_name, generator function names) PROD_MAP = { 
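Review bot: `with open(_MAPPINGS_FILE) as f:` reads the JSON with the locale's default encoding; pass `encoding="utf-8"` so a non-UTF-8 locale in the container cannot break parsing of the mapping file. The load runs at import time with no handling, so a missing or malformed `parser_mappings.json` now aborts import of `hec_sender` with a raw `FileNotFoundError`/`JSONDecodeError`; that is acceptable as fail-fast, but wrapping it and re-raising `RuntimeError(f"cannot load parser mappings from {_MAPPINGS_FILE}") from exc` makes the cause obvious to whoever runs a scenario. `json` is used here but not imported in any visible hunk; presumably it is already imported above line 4 of the file.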
@@ -618,7 +523,14 @@ def _post(url, headers=None, data=None, json=None, timeout=10):
 _BATCH_LOCK = threading.Lock()
 _BATCH_BUFFERS = {} # key: (is_json:bool, product:str) -> {'lines': list[str], 'bytes': int, 'last': float}
 _BATCH_THREAD_STARTED = False
-_VERBOSITY = 'info' # Global verbosity level, set after arg parsing
+# Set verbosity from environment variable S1_HEC_DEBUG
+_DEBUG_LEVEL = os.getenv("S1_HEC_DEBUG", "0")
+if _DEBUG_LEVEL in ("1", "true", "True", "debug"):
+    _VERBOSITY = 'debug'
+elif _DEBUG_LEVEL in ("2", "verbose"):
+    _VERBOSITY = 'verbose'
+else:
+    _VERBOSITY = 'info' # Default verbosity level, can be overridden by arg parsing
 _BATCH_SEND_QUEUE = None # Queue for pipelined batch sending
 _BATCH_SENDER_THREAD = None # Background thread for sending batches
 
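Review bot: The `S1_HEC_DEBUG` parsing accepts `"true"`, `"True"` and `"debug"` but not `"TRUE"`, `"Debug"` or `"VERBOSE"`, and `.env.example` in this commit documents only `0/1/2`; normalise once, `_DEBUG_LEVEL = os.getenv("S1_HEC_DEBUG", "0").strip().lower()`, and compare against lowercase literals only. Note that at `verbose` level `_send_batch` prints `resp.text[:200]` (visible as context in the next hunk), so a `.env` left at `S1_HEC_DEBUG=2` in production writes HEC response bodies into container logs; a comment on the `elif` branch saying so would help operators choose the level.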
@@ -815,140 +727,7 @@ def _send_batch(lines: list, is_json: bool, product: str): print(f"[BATCH] Response: {resp.status_code} - {resp.text[:200] if resp.text else 'OK'}", flush=True) sys.stdout.flush() -SOURCETYPE_MAP_OVERRIDES = { - # ===== FIXED PARSER MAPPINGS (Based on actual parser directory names) ===== - # AWS parsers - use actual directory names - "aws_cloudtrail": "aws_cloudtrail-latest", - "aws_vpcflowlogs": "aws_vpcflowlogs-latest", - "aws_guardduty": "aws_guardduty_logs-latest", - "aws_elasticloadbalancer": "aws_elasticloadbalancer_logs-latest", - "aws_waf": "aws_waf-latest", - "aws_route53": "aws_route53-latest", - "aws_vpc_dns": "aws_vpc_dns_logs-latest", - "aws_vpcflow": "aws_vpcflow_logs-latest", - - # Network security - actual directory names - "fortinet_fortigate": "fortinet_fortigate_candidate_logs-latest", - "fortimanager": "fortinet_fortigate_fortimanager_logs-latest", - "checkpoint": "checkpoint_checkpoint_logs-latest", - "paloalto_firewall": "paloalto_firewall-latest", - "paloalto_prismasase": "paloalto_prismasase_logs-latest", - "cisco_firewall_threat_defense": "cisco_firewall_threat_defense-latest", - "infoblox_ddi": "infoblox_ddi-latest", - - # Zscaler products - "zscaler": "zscaler_logs-latest", - "zscaler_private_access": "zscaler_private_access-latest", - "zscaler_firewall": "zscaler_firewall_logs-latest", - "zscaler_dns_firewall": "zscaler_dns_firewall-latest", - - # Netskope - "netskope": "netskope_netskope_logs-latest", - - # Corelight - "corelight_conn": "corelight_conn_logs-latest", - "corelight_http": "corelight_http_logs-latest", - "corelight_ssl": "corelight_ssl_logs-latest", - "corelight_tunnel": "corelight_tunnel_logs-latest", - - # Identity and access management - "okta_authentication": "okta_authentication-latest", - "microsoft_azuread": "microsoft_azuread-latest", - "microsoft_azure_ad": "microsoft_azure_ad_logs-latest", - "microsoft_azure_ad_signin": "microsoft_azure_ad_signin-latest", - "beyondtrust_passwordsafe": 
"beyondtrust_passwordsafe_logs-latest", - "beyondtrust_privilegemgmt_windows": "beyondtrust_privilegemgmt_windows-latest", - "hashicorp_vault": "hashicorp_vault-latest", - "hypr_auth": "hypr_auth-latest", - "pingfederate": "pingfederate-latest", - "pingone_mfa": "pingone_mfa-latest", - "pingprotect": "pingprotect-latest", - "rsa_adaptive": "rsa_adaptive-latest", - "cyberark_pas": "cyberark_pas_logs-latest", - "cyberark_conjur": "cyberark_conjur-latest", - - # Microsoft products - "microsoft_365_mgmt_api": "microsoft_365_mgmt_api_logs-latest", - "microsoft_365_collaboration": "microsoft_365_collaboration-latest", - "microsoft_365_defender": "microsoft_365_defender-latest", - "microsoft_defender_email": "microsoft_defender_email-latest", - "microsoft_windows_eventlog": "microsoft_windows_eventlog-latest", - "microsoft_eventhub_azure_signin": "microsoft_eventhub_azure_signin_logs-latest", - "microsoft_eventhub_defender_email": "microsoft_eventhub_defender_email_logs-latest", - "microsoft_eventhub_defender_emailforcloud": "microsoft_eventhub_defender_emailforcloud_logs-latest", - - # Cisco products - "cisco_asa": "cisco_asa-latest", - "cisco_umbrella": "cisco_umbrella-latest", - "cisco_meraki": "cisco_meraki-latest", - "cisco_duo": "cisco_duo-latest", - "cisco_ise": "cisco_ise_logs-latest", - "cisco_fmc": "cisco_fmc_logs-latest", - "cisco_ios": "cisco_ios_logs-latest", - "cisco_ironport": "cisco_ironport-latest", - "cisco_meraki_flow": "cisco_meraki_flow_logs-latest", - "cisco_networks": "cisco_networks_logs-latest", - - # Endpoint security - "crowdstrike_falcon": "crowdstrike_falcon-latest", - "sentinelone_endpoint": "sentinelone_endpoint-latest", - "sentinelone_identity": "sentinelone_identity-latest", - "jamf_protect": "jamf_protect-latest", - - # Network detection - "darktrace": "darktrace_darktrace_logs-latest", - "extrahop": "extrahop_extrahop_logs-latest", - "vectra_ai": "vectra_ai_logs-latest", - "armis": "armis_armis_logs-latest", - - # Email security - 
"proofpoint": "proofpoint_proofpoint_logs-latest", - "mimecast": "mimecast_mimecast_logs-latest", - "abnormal_security": "abnormal_security_logs-latest", - - # Web security and CDN - "cloudflare_general": "cloudflare_general_logs-latest", - "cloudflare_waf": "cloudflare_waf_logs-latest", - "imperva_waf": "imperva_waf_logs-latest", - "imperva_sonar": "imperva_sonar-latest", - "incapsula": "incapsula_incapsula_logs-latest", - "akamai_cdn": "akamai_cdn-latest", - "akamai_dns": "akamai_dns-latest", - "akamai_general": "akamai_general-latest", - "akamai_sitedefender": "akamai_sitedefender-latest", - - # Cloud services - "google_workspace": "google_workspace_logs-latest", - "google_cloud_dns": "google_cloud_dns_logs-latest", - "wiz_cloud": "wiz_cloud-latest", - - # Network infrastructure - "apache_http": "apache_http_logs-latest", - "f5_networks": "f5_networks_logs-latest", - "f5_vpn": "f5_vpn-latest", - "extreme_networks": "extreme_networks_logs-latest", - "juniper_networks": "juniper_networks_logs-latest", - "ubiquiti_unifi": "ubiquiti_unifi_logs-latest", - "tailscale": "tailscale_tailscale_logs-latest", - "isc_bind": "isc_bind-latest", - "isc_dhcp": "isc_dhcp-latest", - - # IT management and DevOps - "buildkite": "buildkite_ci_logs-latest", - "github_audit": "github_audit-latest", - "harness_ci": "harness_ci-latest", - "teleport": "teleport_logs-latest", - "linux_auth": "linux_auth-latest", - "iis_w3c": "iis_w3c-latest", - "veeam_backup": "veeam_backup-latest", - "cohesity_backup": "cohesity_backup-latest", - "axway_sftp": "axway_sftp-latest", - "sap": "sap_logs-latest", - "securelink": "securelink_logs-latest", - "manageengine_general": "manageengine_general_logs-latest", - "manageengine_adauditplus": "manageengine_adauditplus_logs-latest", - "manch_siem": "manch_siem_logs-latest", -} +SOURCETYPE_MAP_OVERRIDES = _PARSER_MAPPINGS["product_to_parser"] # Merge dynamically discovered sourcetypes with explicit overrides. 
# Overrides win to preserve intentional non-standard mappings. @@ -1113,7 +892,17 @@ def send_one(line, product: str, attr_fields: dict, event_time: float | None = N # Backward-compat: single URL variable (may point to /raw or /event) single = os.getenv("S1_HEC_URL") if single and not (env_event and env_raw): - if single.rstrip("/").endswith("/raw"): + # Check if this is a SentinelOne Cloud Connect endpoint + if "/api/v1/cloud_connect/events" in single: + # SentinelOne Cloud Connect uses a single endpoint for all events + # Strip /raw or /event suffix if present, use base endpoint + base = single.rstrip("/") + if base.endswith("/raw") or base.endswith("/event"): + base = base.rsplit("/", 1)[0] + # Both JSON and raw events go to the same endpoint + env_event = base + env_raw = base + elif single.rstrip("/").endswith("/raw"): env_raw = single.rstrip("/") env_event = single.rstrip("/").rsplit("/", 1)[0] + "/event" elif single.rstrip("/").endswith("/event"): @@ -1127,6 +916,14 @@ def send_one(line, product: str, attr_fields: dict, event_time: float | None = N bases = [] if env_event and env_raw: bases.append((env_event, env_raw)) + if _VERBOSITY == 'debug': + print(f"[DEBUG] Using S1_HEC_URL from environment: event={env_event}, raw={env_raw}") + sys.stdout.flush() + else: + if _VERBOSITY == 'debug': + print(f"[DEBUG] S1_HEC_URL not set, using fallback URLs. S1_HEC_URL={single}") + sys.stdout.flush() + # Fallback to legacy Splunk HEC endpoints (kept for backward compatibility) bases.extend([ ("https://ingest.us1.sentinelone.net/services/collector/event", "https://ingest.us1.sentinelone.net/services/collector/raw"), 
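Review bot: This hunk changes the values of `SOURCETYPE_MAP_OVERRIDES`, not just where they live: the removed dict mapped products to community parser names (`"aws_cloudtrail": "aws_cloudtrail-latest"`, `"checkpoint": "checkpoint_checkpoint_logs-latest"`, …), while `product_to_parser` in the new `Backend/event_generators/shared/parser_mappings.json` hunk maps the same products to marketplace names such as `"marketplace-awscloudtrail-latest"` and drops `aws_vpcflow`. The surviving comment `# Overrides win to preserve intentional non-standard mappings.` therefore now describes a different set of mappings, so either the commit should state that sourcetypes sent to the HEC are changing or the JSON should carry the old values. The lookups that consume this dict are outside the hunk.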
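Review bot: `if "/api/v1/cloud_connect/events" in single:` is a substring test over the whole URL, so any URL containing that text anywhere (including in a query string) takes the Cloud Connect branch; testing the path alone, e.g. `single.rstrip("/").removesuffix("/raw").removesuffix("/event").endswith("/api/v1/cloud_connect/events")`, says what is meant. Nothing in this block checks the scheme, so `S1_HEC_URL=http://…` would send the HEC token in cleartext; a guard after the `if single and not (env_event and env_raw):` line, `if not single.lower().startswith("https://"): raise ValueError("S1_HEC_URL must use https")`, catches a mistyped `.env` before any request is made. `.env.example` in this commit still documents the URL as ending in `/events/raw`, which this code now strips, so the template comment should say the suffix is optional. `send_one` begins outside the hunk.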
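Review bot: The `else` branch message `S1_HEC_URL not set, using fallback URLs. S1_HEC_URL={single}` is reached whenever `env_event and env_raw` is false, which also happens when `S1_HEC_URL` is set but matches none of the suffix checks above it, so the text can contradict the value it prints; `[DEBUG] No usable HEC URL from environment (S1_HEC_URL={single!r}); using fallback URLs` covers both cases. The more important operational point is that the fallback to the hard-coded `ingest.us1.sentinelone.net` endpoints is only reported at `debug` verbosity, so a tenant in another region silently posts events and its token to the US1 collector; print that fallback at the default level, e.g. `print("[WARN] S1_HEC_URL not set; falling back to ingest.us1 HEC endpoints", file=sys.stderr)`. `send_one` begins outside this hunk.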
@@ -1410,8 +1207,8 @@ def send_many_with_spacing(lines, product: str, attr_fields: dict, # Backward compatibility: --print-responses sets verbosity to verbose if args.print_responses: args.verbosity = 'verbose' - - # Set module-level verbosity for batch logging (no global needed since it's already module-level) + + # Set module-level verbosity for batch logging (no global needed at module level) _VERBOSITY = args.verbosity # Handle marketplace parser name diff --git a/Backend/event_generators/shared/parser_mappings.json b/Backend/event_generators/shared/parser_mappings.json new file mode 100644 index 0000000..9ba3200 --- /dev/null +++ b/Backend/event_generators/shared/parser_mappings.json 
@@ -0,0 +1,188 @@ +{ + "marketplace_to_product": { + "marketplace-awscloudtrail-latest": "aws_cloudtrail", + "marketplace-awscloudtrail-1.0.0": "aws_cloudtrail", + "marketplace-awselasticloadbalancer-latest": "aws_elasticloadbalancer", + "marketplace-awsguardduty-latest": "aws_guardduty", + "marketplace-awsvpcflowlogs-latest": "aws_vpcflowlogs", + "marketplace-awsvpcflowlogs-1.0.0": "aws_vpcflowlogs", + "marketplace-checkpointfirewall-latest": "checkpoint", + "marketplace-checkpointfirewall-1.0.0": "checkpoint", + "marketplace-checkpointfirewall-1.0.1": "checkpoint", + "marketplace-ciscofirepowerthreatdefense-latest": "cisco_firewall_threat_defense", + "marketplace-ciscofirepowerthreatdefense-1.0.0": "cisco_firewall_threat_defense", + "marketplace-ciscofirepowerthreatdefense-2.0.0": "cisco_firewall_threat_defense", + "marketplace-ciscofirewallthreatdefense-latest": "cisco_firewall_threat_defense", + "marketplace-ciscofirewallthreatdefense-1.0.0": "cisco_firewall_threat_defense", + "marketplace-ciscofirewallthreatdefense-1.0.1": "cisco_firewall_threat_defense", + "marketplace-ciscofirewallthreatdefense-1.0.2": "cisco_firewall_threat_defense", + "marketplace-ciscofirewallthreatdefense-1.0.3": "cisco_firewall_threat_defense", + "marketplace-ciscoumbrella-latest": "cisco_umbrella", + "marketplace-corelight-conn-latest": "corelight_conn", + "marketplace-corelight-conn-1.0.0": "corelight_conn", + "marketplace-corelight-conn-1.0.1": "corelight_conn", + "marketplace-corelight-conn-2.0.0": "corelight_conn", + "marketplace-corelight-http-latest": "corelight_http", + "marketplace-corelight-http-1.0.0": "corelight_http", + "marketplace-corelight-http-1.0.1": "corelight_http", + "marketplace-corelight-http-2.0.0": "corelight_http", + "marketplace-corelight-ssl-latest": "corelight_ssl", + "marketplace-corelight-ssl-1.0.0": "corelight_ssl", + "marketplace-corelight-ssl-1.0.1": "corelight_ssl", + "marketplace-corelight-ssl-2.0.0": "corelight_ssl", + 
"marketplace-corelight-tunnel-latest": "corelight_tunnel", + "marketplace-corelight-tunnel-1.0.0": "corelight_tunnel", + "marketplace-corelight-tunnel-2.0.0": "corelight_tunnel", + "marketplace-fortinetfortigate-latest": "fortinet_fortigate", + "marketplace-fortinetfortigate-1.0.0": "fortinet_fortigate", + "marketplace-fortinetfortigate-1.0.1": "fortinet_fortigate", + "marketplace-fortinetfortigate-1.0.2": "fortinet_fortigate", + "marketplace-fortinetfortigate-1.0.3": "fortinet_fortigate", + "marketplace-fortinetfortigate-1.0.4": "fortinet_fortigate", + "marketplace-fortinetfortigate-1.0.5": "fortinet_fortigate", + "marketplace-fortinetfortigate-1.0.6": "fortinet_fortigate", + "marketplace-fortinetfortimanager-latest": "fortimanager", + "marketplace-fortinetfortimanager-1.0.0": "fortimanager", + "marketplace-fortinetfortimanager-1.0.1": "fortimanager", + "marketplace-fortinetfortimanager-2.0.0": "fortimanager", + "marketplace-infobloxddi-latest": "infoblox_ddi", + "marketplace-infobloxddi-1.0.0": "infoblox_ddi", + "marketplace-infobloxddi-2.0.0": "infoblox_ddi", + "marketplace-netskopecloudlogshipper-latest": "netskope", + "marketplace-netskopecloudlogshipper-1.0.0": "netskope", + "marketplace-netskopecloudlogshipper-1.0.1": "netskope", + "marketplace-netskopecloudlogshipper-1.0.2": "netskope", + "marketplace-netskopecloudlogshipper-1.0.3": "netskope", + "marketplace-netskopecloudlogshipperjson-latest": "netskope", + "marketplace-netskopecloudlogshipperjson-1.0.0": "netskope", + "marketplace-paloaltonetworksfirewall-latest": "paloalto_firewall", + "marketplace-paloaltonetworksfirewall-1.0.0": "paloalto_firewall", + "marketplace-paloaltonetworksfirewall-1.0.1": "paloalto_firewall", + "marketplace-paloaltonetworksfirewall-1.0.2": "paloalto_firewall", + "marketplace-paloaltonetworksfirewall-2.0.0": "paloalto_firewall", + "marketplace-paloaltonetworksfirewall-2.0.1": "paloalto_firewall", + "marketplace-paloaltonetworksfirewall-2.0.2": "paloalto_firewall", + 
"marketplace-paloaltonetworksfirewall-2.0.3": "paloalto_firewall", + "marketplace-paloaltonetworksfirewall-2.0.4": "paloalto_firewall", + "marketplace-paloaltonetworksfirewall-2.0.5": "paloalto_firewall", + "marketplace-paloaltonetworksfirewall-3.0.0": "paloalto_firewall", + "marketplace-paloaltonetworksfirewall-3.0.1": "paloalto_firewall", + "marketplace-paloaltonetworksfirewall-3.0.2": "paloalto_firewall", + "marketplace-paloaltonetworksfirewall-3.0.3": "paloalto_firewall", + "marketplace-paloaltonetworksprismaaccess-latest": "paloalto_prismasase", + "marketplace-paloaltonetworksprismaaccess-1.0.0": "paloalto_prismasase", + "marketplace-zscalerinternetaccess-latest": "zscaler", + "marketplace-zscalerinternetaccess-1.0.0": "zscaler", + "marketplace-zscalerinternetaccess-1.0.1": "zscaler", + "marketplace-zscalerinternetaccess-2.0.0": "zscaler", + "marketplace-zscalerinternetaccess-3.0.0": "zscaler", + "marketplace-zscalerprivateaccess-latest": "zscaler_private_access", + "marketplace-zscalerprivateaccess-1.0.0": "zscaler_private_access", + "marketplace-zscalerprivateaccess-2.0.0": "zscaler_private_access", + "marketplace-zscalerprivateaccessjson-latest": "zscaler_private_access", + "marketplace-zscalerprivateaccessjson-1.0.0": "zscaler_private_access" + }, + "product_to_parser": { + "aws_cloudtrail": "marketplace-awscloudtrail-latest", + "aws_vpcflowlogs": "marketplace-awsvpcflowlogs-latest", + "aws_guardduty": "marketplace-awsguardduty_logs-latest", + "aws_elasticloadbalancer": "marketplace-awselasticloadbalancer_logs-latest", + "aws_waf": "marketplace-awswaf-latest", + "aws_route53": "marketplace-awsroute53-latest", + "aws_vpc_dns": "marketplace-awsvpc_dns_logs-latest", + "fortinet_fortigate": "marketplace-fortinetfortigate-latest", + "fortimanager": "marketplace-fortinetfortimanager-latest", + "checkpoint": "marketplace-checkpointfirewall-latest", + "paloalto_firewall": "marketplace-paloaltonetworksfirewall-latest", + "paloalto_prismasase": 
"marketplace-paloaltonetworksprismaaccess-latest", + "cisco_firewall_threat_defense": "marketplace-ciscofirewallthreatdefense-latest", + "infoblox_ddi": "marketplace-infobloxddi-latest", + "zscaler": "marketplace-zscalerinternetaccess-latest", + "zscaler_private_access": "marketplace-zscalerprivateaccessjson-latest", + "zscaler_firewall": "zscaler_firewall_logs-latest", + "zscaler_dns_firewall": "zscaler_dns_firewall-latest", + "netskope": "marketplace-netskopecloudlogshipper-latest", + "corelight_conn": "marketplace-corelight-conn-latest", + "corelight_http": "marketplace-corelight-http-latest", + "corelight_ssl": "marketplace-corelight-ssl-latest", + "corelight_tunnel": "marketplace-corelight-tunnel-latest", + "okta_authentication": "okta_authentication-latest", + "microsoft_azuread": "microsoft_azuread-latest", + "microsoft_azure_ad": "microsoft_azure_ad_logs-latest", + "microsoft_azure_ad_signin": "microsoft_azure_ad_signin-latest", + "beyondtrust_passwordsafe": "beyondtrust_passwordsafe_logs-latest", + "beyondtrust_privilegemgmt_windows": "beyondtrust_privilegemgmt_windows-latest", + "hashicorp_vault": "hashicorp_vault-latest", + "hypr_auth": "hypr_auth-latest", + "pingfederate": "pingfederate-latest", + "pingone_mfa": "pingone_mfa-latest", + "pingprotect": "pingprotect-latest", + "rsa_adaptive": "rsa_adaptive-latest", + "cyberark_pas": "cyberark_pas_logs-latest", + "cyberark_conjur": "cyberark_conjur-latest", + "microsoft_365_mgmt_api": "microsoft_365_mgmt_api_logs-latest", + "microsoft_365_collaboration": "microsoft_365_collaboration-latest", + "microsoft_365_defender": "microsoft_365_defender-latest", + "microsoft_defender_email": "microsoft_defender_email-latest", + "microsoft_windows_eventlog": "microsoft_windows_eventlog-latest", + "microsoft_eventhub_azure_signin": "microsoft_eventhub_azure_signin_logs-latest", + "microsoft_eventhub_defender_email": "microsoft_eventhub_defender_email_logs-latest", + "microsoft_eventhub_defender_emailforcloud": 
"microsoft_eventhub_defender_emailforcloud_logs-latest", + "cisco_asa": "cisco_asa-latest", + "cisco_umbrella": "cisco_umbrella-latest", + "cisco_meraki": "cisco_meraki-latest", + "cisco_duo": "cisco_duo-latest", + "cisco_ise": "cisco_ise_logs-latest", + "cisco_fmc": "cisco_fmc_logs-latest", + "cisco_ios": "cisco_ios_logs-latest", + "cisco_ironport": "cisco_ironport-latest", + "cisco_meraki_flow": "cisco_meraki_flow_logs-latest", + "cisco_networks": "cisco_networks_logs-latest", + "crowdstrike_falcon": "crowdstrike_falcon-latest", + "sentinelone_endpoint": "sentinelone_endpoint-latest", + "sentinelone_identity": "sentinelone_identity-latest", + "jamf_protect": "jamf_protect-latest", + "darktrace": "darktrace_darktrace_logs-latest", + "extrahop": "extrahop_extrahop_logs-latest", + "vectra_ai": "vectra_ai_logs-latest", + "armis": "armis_armis_logs-latest", + "proofpoint": "proofpoint_proofpoint_logs-latest", + "mimecast": "mimecast_mimecast_logs-latest", + "abnormal_security": "abnormal_security_logs-latest", + "cloudflare_general": "cloudflare_general_logs-latest", + "cloudflare_waf": "cloudflare_waf_logs-latest", + "imperva_waf": "imperva_waf_logs-latest", + "imperva_sonar": "imperva_sonar-latest", + "incapsula": "incapsula_incapsula_logs-latest", + "akamai_cdn": "akamai_cdn-latest", + "akamai_dns": "akamai_dns-latest", + "akamai_general": "akamai_general-latest", + "akamai_sitedefender": "akamai_sitedefender-latest", + "google_workspace": "google_workspace_logs-latest", + "google_cloud_dns": "google_cloud_dns_logs-latest", + "wiz_cloud": "wiz_cloud-latest", + "apache_http": "apache_http_logs-latest", + "f5_networks": "f5_networks_logs-latest", + "f5_vpn": "f5_vpn-latest", + "extreme_networks": "extreme_networks_logs-latest", + "juniper_networks": "juniper_networks_logs-latest", + "ubiquiti_unifi": "ubiquiti_unifi_logs-latest", + "tailscale": "tailscale_tailscale_logs-latest", + "isc_bind": "isc_bind-latest", + "isc_dhcp": "isc_dhcp-latest", + "buildkite": 
"buildkite_ci_logs-latest", + "github_audit": "github_audit-latest", + "harness_ci": "harness_ci-latest", + "teleport": "teleport_logs-latest", + "linux_auth": "linux_auth-latest", + "iis_w3c": "iis_w3c-latest", + "veeam_backup": "veeam_backup-latest", + "cohesity_backup": "cohesity_backup-latest", + "axway_sftp": "axway_sftp-latest", + "sap": "sap_logs-latest", + "securelink": "securelink_logs-latest", + "manageengine_general": "manageengine_general_logs-latest", + "manageengine_adauditplus": "manageengine_adauditplus_logs-latest", + "manch_siem": "manch_siem_logs-latest" + } +} diff --git a/Backend/parsers/community/aws_vpc_dns_logs-latest/aws_vpc_dns.json b/Backend/parsers/community/aws_vpc_dns_logs-latest/aws_vpc_dns.json index 9dc1384..f25eb2a 100644 --- a/Backend/parsers/community/aws_vpc_dns_logs-latest/aws_vpc_dns.json +++ b/Backend/parsers/community/aws_vpc_dns_logs-latest/aws_vpc_dns.json 
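Review bot: Several `product_to_parser` values mix the `marketplace-` prefix with the old `_logs-latest` community suffix and match no key of `marketplace_to_product` nor any name in the removed Python dicts: `"marketplace-awsguardduty_logs-latest"`, `"marketplace-awselasticloadbalancer_logs-latest"`, `"marketplace-awsvpc_dns_logs-latest"`, `"marketplace-awswaf-latest"`, `"marketplace-awsroute53-latest"`. The previous map had `"aws_guardduty": "aws_guardduty_logs-latest"` and similar, so these look like a search-and-replace that produced parser names existing in neither convention; events for those products would be tagged with a sourcetype no parser claims. `aws_vpcflow` was present in the old map and is absent here. A small consistency check — every `product_to_parser` value starting with `marketplace-` must be a key of `marketplace_to_product` — would catch this class of typo at test time.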
@@ -1,207 +1,207 @@ -{ - "attributes": { - "dataSource.name": "AWS VPC DNS", - "dataSource.vendor": "AWS", - "dataSource.category": "security", - "metadata.product.name": "VPC DNS", - "metadata.product.vendor_name": "AWS", - "metadata.version": "1.5.0" - }, - "formats": [ - { - "format": "$unmapped.{parse=gron}$", - "rewrites": [ - { - "input": "unmapped.query_timestamp", - "output": "timestamp", - "match": ".*", - "replace": "$0" - } - ] - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "true", - "transformations": [ - { - "constant": { - "value": 6, - "field": "activity_id" - } - }, - { - "constant": { - "value": "Traffic", - "field": "activity_name" - } - }, - { - "constant": { - "value": 4, - "field": "category_uid" - } - }, - { - "constant": { - "value": 4003, - "field": "class_uid" - } - }, - { - "constant": { - "value": "DNS Activity", - "field": "class_name" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "category_name" - } - }, - { - "constant": { - "value": 400306, - "field": "type_uid" - } - }, - { - "constant": { - "value": "DNS Activity: Traffic", - "field": "type_name" - } - }, - { - "copy": { - "from": "unmapped.query_timestamp", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.query_timestamp", - "to": "query_time" - } - }, - { - "rename": { - "from": "unmapped.query_class", - "to": "query.class" - } - }, - { - "rename": { - "from": "unmapped.query_name", - "to": "query.hostname" - } - }, - { - "rename": { - "from": "unmapped.query_type", - "to": "query.type" - } - }, - { - "rename": { - "from": "unmapped.rcode", - "to": "rcode" - } - }, - { - "rename": { - "from": "unmapped.answers.Rdata", - "to": "answers.rdata" - } - }, - { - "rename": { - "from": "unmapped.answers.Class", - "to": "answers.class" - } - }, - { - "rename": { - "from": "unmapped.answers.Type", - "to": "answers.type" - } - }, - { - 
"rename": { - "from": "unmapped.srcaddr", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.srcport", - "to": "src_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.vpc_id", - "to": "src_endpoint.vpc_uid" - } - }, - { - "rename": { - "from": "unmapped.srcids.instance", - "to": "src_endpoint.instance_uid" - } - }, - { - "rename": { - "from": "unmapped.region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.transport", - "to": "connection_info.protocol_name" - } - }, - { - "rename": { - "from": "unmapped.account_id", - "to": "cloud.account.uid" - } - }, - { - "rename": { - "from": "unmapped.version", - "to": "metadata.product.version" - } - }, - { - "rename": { - "from": "unmapped.answers[*].Rdata", - "to": "answers[*].rdata" - } - }, - { - "rename": { - "from": "unmapped.answers[*].Class", - "to": "answers[*].class" - } - }, - { - "rename": { - "from": "unmapped.answers[*].Type", - "to": "answers[*].type" - } - } - ] - } - ] - } +{ + "attributes": { + "dataSource.name": "AWS VPC DNS", + "dataSource.vendor": "AWS", + "dataSource.category": "security", + "metadata.product.name": "VPC DNS", + "metadata.product.vendor_name": "AWS", + "metadata.version": "1.5.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.query_timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 6, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Traffic", + "field": "activity_name" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": 4003, + "field": "class_uid" + } + }, + { + "constant": { + "value": "DNS Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": 
{ + "value": 400306, + "field": "type_uid" + } + }, + { + "constant": { + "value": "DNS Activity: Traffic", + "field": "type_name" + } + }, + { + "copy": { + "from": "unmapped.query_timestamp", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.query_timestamp", + "to": "query_time" + } + }, + { + "rename": { + "from": "unmapped.query_class", + "to": "query.class" + } + }, + { + "rename": { + "from": "unmapped.query_name", + "to": "query.hostname" + } + }, + { + "rename": { + "from": "unmapped.query_type", + "to": "query.type" + } + }, + { + "rename": { + "from": "unmapped.rcode", + "to": "rcode" + } + }, + { + "rename": { + "from": "unmapped.answers.Rdata", + "to": "answers.rdata" + } + }, + { + "rename": { + "from": "unmapped.answers.Class", + "to": "answers.class" + } + }, + { + "rename": { + "from": "unmapped.answers.Type", + "to": "answers.type" + } + }, + { + "rename": { + "from": "unmapped.srcaddr", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.srcport", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.vpc_id", + "to": "src_endpoint.vpc_uid" + } + }, + { + "rename": { + "from": "unmapped.srcids.instance", + "to": "src_endpoint.instance_uid" + } + }, + { + "rename": { + "from": "unmapped.region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.transport", + "to": "connection_info.protocol_name" + } + }, + { + "rename": { + "from": "unmapped.account_id", + "to": "cloud.account.uid" + } + }, + { + "rename": { + "from": "unmapped.version", + "to": "metadata.product.version" + } + }, + { + "rename": { + "from": "unmapped.answers[*].Rdata", + "to": "answers[*].rdata" + } + }, + { + "rename": { + "from": "unmapped.answers[*].Class", + "to": "answers[*].class" + } + }, + { + "rename": { + "from": "unmapped.answers[*].Type", + "to": "answers[*].type" + } + } + ] + } + ] + } } \ No newline at end of 
file
diff --git a/Backend/parsers/community/buildkite_ci_logs-latest/buildkite.json b/Backend/parsers/community/buildkite_ci_logs-latest/buildkite.json
index 282c48b..76b6292 100644
--- a/Backend/parsers/community/buildkite_ci_logs-latest/buildkite.json
+++ b/Backend/parsers/community/buildkite_ci_logs-latest/buildkite.json
@@ -1,395 +1,395 @@ -{ - "attributes": { - "dataSource.name": "Buildkite Audit", - "dataSource.vendor": "Buildkite", - "dataSource.category": "security", - "metadata.product.name": "Buildkite Audit", - "metadata.product.vendor_name": "Buildkite", - "metadata.version": "1.5.0" - }, - "formats": [ - { - "format": "$unmapped.{parse=gron}$", - "rewrites": [ - { - "input": "unmapped.occurredAt", - "output": "timestamp", - "match": ".*", - "replace": "$0" - } - ] - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "true", - "transformations": [ - { - "copy": { - "from": "unmapped.type", - "to": "event.action" - } - }, - { - "constant": { - "value": 3004, - "field": "class_uid" - } - }, - { - "constant": { - "value": 3, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Entity Management", - "field": "class_name" - } - }, - { - "constant": { - "value": "Identity & Access Management", - "field": "category_name" - } - }, - { - "constant": { - "value": 1, - "field": "activity_id", - "predicate": "unmapped.type contains ('created','added')" - } - }, - { - "constant": { - "value": "Create", - "field": "activity_name", - "predicate": "unmapped.type contains ('created','added')" - } - }, - { - "constant": { - "value": 300401, - "field": "type_uid", - "predicate": "unmapped.type contains ('created','added')" - } - }, - { - "constant": { - "value": "Entity Management: Create", - "field": "type_name", - "predicate": "unmapped.type contains ('created','added')" - } - }, - { - "constant": { - "value": 2, - "field": "activity_id", - "predicate": "unmapped.type contains 'read'" - } - }, - { - "constant": { - "value": "Read", - "field": "activity_name", - "predicate": "unmapped.type contains 'read'" - } - }, - { - "constant": { - "value": 300402, - "field": "type_uid", - "predicate": "unmapped.type contains 'read'" - } - }, - { - "constant": { - "value": "Entity Management: Read", - "field": "type_name", - "predicate": "unmapped.type contains 
'read'" - } - }, - { - "constant": { - "value": 3, - "field": "activity_id", - "predicate": "unmapped.type contains ('updated','changed')" - } - }, - { - "constant": { - "value": "Update", - "field": "activity_name", - "predicate": "unmapped.type contains ('updated','changed')" - } - }, - { - "constant": { - "value": 300403, - "field": "type_uid", - "predicate": "unmapped.type contains ('updated','changed')" - } - }, - { - "constant": { - "value": "Entity Management: Update", - "field": "type_name", - "predicate": "unmapped.type contains ('updated','changed')" - } - }, - { - "constant": { - "value": 4, - "field": "activity_id", - "predicate": "unmapped.type contains ('deleted','destroyed','removed')" - } - }, - { - "constant": { - "value": "Delete", - "field": "activity_name", - "predicate": "unmapped.type contains ('deleted','destroyed','removed')" - } - }, - { - "constant": { - "value": 300404, - "field": "type_uid", - "predicate": "unmapped.type contains ('deleted','destroyed','removed')" - } - }, - { - "constant": { - "value": "Entity Management: Delete", - "field": "type_name", - "predicate": "unmapped.type contains ('deleted','destroyed','removed')" - } - }, - { - "constant": { - "value": 8, - "field": "activity_id", - "predicate": "unmapped.type contains 'enabled'" - } - }, - { - "constant": { - "value": "Enable", - "field": "activity_name", - "predicate": "unmapped.type contains 'enabled'" - } - }, - { - "constant": { - "value": 300408, - "field": "type_uid", - "predicate": "unmapped.type contains 'enabled'" - } - }, - { - "constant": { - "value": "Entity Management: Enable", - "field": "type_name", - "predicate": "unmapped.type contains 'enabled'" - } - }, - { - "constant": { - "value": 9, - "field": "activity_id", - "predicate": "unmapped.type contains 'disabled'" - } - }, - { - "constant": { - "value": "Disable", - "field": "activity_name", - "predicate": "unmapped.type contains 'disabled'" - } - }, - { - "constant": { - "value": 300409, - "field": 
"type_uid", - "predicate": "unmapped.type contains 'disabled'" - } - }, - { - "constant": { - "value": "Entity Management: Disable", - "field": "type_name", - "predicate": "unmapped.type contains 'disabled'" - } - }, - { - "constant": { - "value": 10, - "field": "activity_id", - "predicate": "unmapped.type contains 'activated'" - } - }, - { - "constant": { - "value": "Activate", - "field": "activity_name", - "predicate": "unmapped.type contains 'activated'" - } - }, - { - "constant": { - "value": 300410, - "field": "type_uid", - "predicate": "unmapped.type contains 'activated'" - } - }, - { - "constant": { - "value": "Entity Management: Activate", - "field": "type_name", - "predicate": "unmapped.type contains 'activated'" - } - }, - { - "constant": { - "value": 12, - "field": "activity_id", - "predicate": "unmapped.type contains 'revoked'" - } - }, - { - "constant": { - "value": "Suspend", - "field": "activity_name", - "predicate": "unmapped.type contains 'revoked'" - } - }, - { - "constant": { - "value": 300412, - "field": "type_uid", - "predicate": "unmapped.type contains 'revoked'" - } - }, - { - "constant": { - "value": "Entity Management: Suspend", - "field": "type_name", - "predicate": "unmapped.type contains 'revoked'" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id", - "predicate": "not (activity_id = *)" - } - }, - { - "constant": { - "value": "Other", - "field": "activity_name", - "predicate": "not (activity_name = *)" - } - }, - { - "constant": { - "value": 300499, - "field": "type_uid", - "predicate": "not (type_uid = *)" - } - }, - { - "constant": { - "value": "Entity Management: Other", - "field": "type_name", - "predicate": "not (type_name = *)" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.actor.node.email", - "to": "actor.user.email_addr" - } - }, - { - "rename": { - "from": "unmapped.actor.name", - "to": "actor.user.full_name" - } - }, - { - "rename": { - 
"from": "unmapped.actor.uuid", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.actor.type", - "to": "actor.user.type" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.context.requestIpAddress", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.context.requestIpAddress", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.occurredAt", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - } - ] - } - ] - } +{ + "attributes": { + "dataSource.name": "Buildkite Audit", + "dataSource.vendor": "Buildkite", + "dataSource.category": "security", + "metadata.product.name": "Buildkite Audit", + "metadata.product.vendor_name": "Buildkite", + "metadata.version": "1.5.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.occurredAt", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "copy": { + "from": "unmapped.type", + "to": "event.action" + } + }, + { + "constant": { + "value": 3004, + "field": "class_uid" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Entity Management", + "field": "class_name" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.type contains ('created','added')" + } + }, + { + 
"constant": { + "value": "Create", + "field": "activity_name", + "predicate": "unmapped.type contains ('created','added')" + } + }, + { + "constant": { + "value": 300401, + "field": "type_uid", + "predicate": "unmapped.type contains ('created','added')" + } + }, + { + "constant": { + "value": "Entity Management: Create", + "field": "type_name", + "predicate": "unmapped.type contains ('created','added')" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "unmapped.type contains 'read'" + } + }, + { + "constant": { + "value": "Read", + "field": "activity_name", + "predicate": "unmapped.type contains 'read'" + } + }, + { + "constant": { + "value": 300402, + "field": "type_uid", + "predicate": "unmapped.type contains 'read'" + } + }, + { + "constant": { + "value": "Entity Management: Read", + "field": "type_name", + "predicate": "unmapped.type contains 'read'" + } + }, + { + "constant": { + "value": 3, + "field": "activity_id", + "predicate": "unmapped.type contains ('updated','changed')" + } + }, + { + "constant": { + "value": "Update", + "field": "activity_name", + "predicate": "unmapped.type contains ('updated','changed')" + } + }, + { + "constant": { + "value": 300403, + "field": "type_uid", + "predicate": "unmapped.type contains ('updated','changed')" + } + }, + { + "constant": { + "value": "Entity Management: Update", + "field": "type_name", + "predicate": "unmapped.type contains ('updated','changed')" + } + }, + { + "constant": { + "value": 4, + "field": "activity_id", + "predicate": "unmapped.type contains ('deleted','destroyed','removed')" + } + }, + { + "constant": { + "value": "Delete", + "field": "activity_name", + "predicate": "unmapped.type contains ('deleted','destroyed','removed')" + } + }, + { + "constant": { + "value": 300404, + "field": "type_uid", + "predicate": "unmapped.type contains ('deleted','destroyed','removed')" + } + }, + { + "constant": { + "value": "Entity Management: Delete", + "field": "type_name", + 
"predicate": "unmapped.type contains ('deleted','destroyed','removed')" + } + }, + { + "constant": { + "value": 8, + "field": "activity_id", + "predicate": "unmapped.type contains 'enabled'" + } + }, + { + "constant": { + "value": "Enable", + "field": "activity_name", + "predicate": "unmapped.type contains 'enabled'" + } + }, + { + "constant": { + "value": 300408, + "field": "type_uid", + "predicate": "unmapped.type contains 'enabled'" + } + }, + { + "constant": { + "value": "Entity Management: Enable", + "field": "type_name", + "predicate": "unmapped.type contains 'enabled'" + } + }, + { + "constant": { + "value": 9, + "field": "activity_id", + "predicate": "unmapped.type contains 'disabled'" + } + }, + { + "constant": { + "value": "Disable", + "field": "activity_name", + "predicate": "unmapped.type contains 'disabled'" + } + }, + { + "constant": { + "value": 300409, + "field": "type_uid", + "predicate": "unmapped.type contains 'disabled'" + } + }, + { + "constant": { + "value": "Entity Management: Disable", + "field": "type_name", + "predicate": "unmapped.type contains 'disabled'" + } + }, + { + "constant": { + "value": 10, + "field": "activity_id", + "predicate": "unmapped.type contains 'activated'" + } + }, + { + "constant": { + "value": "Activate", + "field": "activity_name", + "predicate": "unmapped.type contains 'activated'" + } + }, + { + "constant": { + "value": 300410, + "field": "type_uid", + "predicate": "unmapped.type contains 'activated'" + } + }, + { + "constant": { + "value": "Entity Management: Activate", + "field": "type_name", + "predicate": "unmapped.type contains 'activated'" + } + }, + { + "constant": { + "value": 12, + "field": "activity_id", + "predicate": "unmapped.type contains 'revoked'" + } + }, + { + "constant": { + "value": "Suspend", + "field": "activity_name", + "predicate": "unmapped.type contains 'revoked'" + } + }, + { + "constant": { + "value": 300412, + "field": "type_uid", + "predicate": "unmapped.type contains 'revoked'" + } + 
}, + { + "constant": { + "value": "Entity Management: Suspend", + "field": "type_name", + "predicate": "unmapped.type contains 'revoked'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + "predicate": "not (activity_id = *)" + } + }, + { + "constant": { + "value": "Other", + "field": "activity_name", + "predicate": "not (activity_name = *)" + } + }, + { + "constant": { + "value": 300499, + "field": "type_uid", + "predicate": "not (type_uid = *)" + } + }, + { + "constant": { + "value": "Entity Management: Other", + "field": "type_name", + "predicate": "not (type_name = *)" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.actor.node.email", + "to": "actor.user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.actor.name", + "to": "actor.user.full_name" + } + }, + { + "rename": { + "from": "unmapped.actor.uuid", + "to": "actor.user.uid" + } + }, + { + "rename": { + "from": "unmapped.actor.type", + "to": "actor.user.type" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "rename": { + "from": "unmapped.context.requestIpAddress", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.context.requestIpAddress", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.occurredAt", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + } + ] + } + ] + } } \ No newline at end of file 
diff --git a/Backend/parsers/community/cloudflare_general_logs-latest/cloudflare.json b/Backend/parsers/community/cloudflare_general_logs-latest/cloudflare.json
index 4c77d33..ed16cab 100644
--- a/Backend/parsers/community/cloudflare_general_logs-latest/cloudflare.json
+++ b/Backend/parsers/community/cloudflare_general_logs-latest/cloudflare.json
@@ -1,1284 +1,1284 @@ -{ - "attributes": { - "dataSource.vendor": "Cloudflare", - "dataSource.category": "security", - "metadata.product.vendor_name": "Cloudflare", - "metadata.version": "1.5.0" - }, - "formats": [ - { - "format": "$unmapped.{parse=gron}$", - "rewrites": [ - { - "input": "unmapped.CreatedAt", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.Datetime", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.Timestamp", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.When", - "output": "timestamp", - "match": ".*", - "replace": "$0" - } - ] - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "aws contains 'access-requests'", - "transformations": [ - { - "constant": { - "value": "Access Requests", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Access Requests", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 3004, - "field": "class_uid", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": 3, - "field": "category_uid", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": "Entity Management", - "field": "class_name", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": "Identity & Access Management", - "field": "category_name", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": 6, - "field": "activity_id", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": "Enroll", - "field": "activity_name", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": 300406, - "field": "type_uid", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": "Entity Management: Enroll", - "field": "type_name", - 
"predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": 3002, - "field": "class_uid" - } - }, - { - "constant": { - "value": 3, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Authentication", - "field": "class_name" - } - }, - { - "constant": { - "value": "Identity & Access Management", - "field": "category_name" - } - }, - { - "constant": { - "value": 1, - "field": "activity_id", - "predicate": "unmapped.Action = 'login'" - } - }, - { - "constant": { - "value": 2, - "field": "activity_id", - "predicate": "unmapped.Action = 'logout'" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id", - "predicate": "unmapped.Action = 'sso'" - } - }, - { - "constant": { - "value": "Logon", - "field": "activity_name", - "predicate": "unmapped.Action = 'login'" - } - }, - { - "constant": { - "value": "Logoff", - "field": "activity_name", - "predicate": "unmapped.Action = 'logout'" - } - }, - { - "copy": { - "from": "unmapped.Action", - "to": "activity_name", - "predicate": "unmapped.Action = 'sso'" - } - }, - { - "constant": { - "value": 300201, - "field": "type_uid", - "predicate": "unmapped.Action = 'login'" - } - }, - { - "constant": { - "value": 300202, - "field": "type_uid", - "predicate": "unmapped.Action = 'logout'" - } - }, - { - "constant": { - "value": 300299, - "field": "type_uid", - "predicate": "unmapped.Action = 'sso'" - } - }, - { - "constant": { - "value": "Authentication: Logon", - "field": "type_name", - "predicate": "unmapped.Action = 'login'" - } - }, - { - "constant": { - "value": "Authentication: Logoff", - "field": "type_name", - "predicate": "unmapped.Action = 'logout'" - } - }, - { - "constant": { - "value": "Authentication: Other", - "field": "type_name", - "predicate": "unmapped.Action = 'sso'" - } - }, - { - "constant": { - "value": 1, - "field": "status_id", - "predicate": "unmapped.Allowed = true" - } - }, - { - "constant": { - "value": 2, - "field": "status_id", - "predicate": 
"unmapped.Allowed = false" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.AppUUID", - "to": "actor.app_uid" - } - }, - { - "copy": { - "from": "unmapped.AppDomain", - "to": "actor.app_name" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "rename": { - "from": "unmapped.UserUID", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.IPAddress", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.CreatedAt", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - } - ] - }, - { - "predicate": "aws contains 'gateway-http'", - "transformations": [ - { - "constant": { - "value": "Gateway HTTP", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Gateway HTTP", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 4002, - "field": "class_uid" - } - }, - { - "constant": { - "value": 4, - "field": "category_uid" - } - }, - { - "constant": { - "value": "HTTP Activity", - "field": "class_name" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "category_name" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id" - } - }, - { - "copy": { - "from": "unmapped.Action", - "to": "activity_name" - } - }, - { - "constant": { - "value": 400299, - "field": "type_uid" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.HTTPHost", - "to": "http_request.url.hostname" - } - }, - { - "rename": { - "from": "unmapped.URL", - "to": "http_request.url.url_string" - } - }, - { - "rename": { - "from": "unmapped.HTTPMethod", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.HTTPVersion", - "to": "http_request.version" - } - }, - { - "rename": { - "from": "unmapped.HTTPStatusCode", - "to": "http_response.code" - } - }, - { - 
"rename": { - "from": "unmapped.SourceIP", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.SourcePort", - "to": "src_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.DeviceID", - "to": "src_endpoint.uid" - } - }, - { - "rename": { - "from": "unmapped.DeviceName", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.DestinationIP", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.DestinationPort", - "to": "dst_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.Datetime", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "constant": { - "value": "Host", - "field": "metadata.profiles[0]" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserID", - "to": "actor.user.uid" - } - } - ] - }, - { - "predicate": "aws contains 'gateway-network'", - "transformations": [ - { - "constant": { - "value": "Gateway Network", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Gateway Network", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 4001, - "field": "class_uid" - } - }, - { - "constant": { - "value": 4, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "class_name" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "category_name" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id" - } - }, - { - "copy": { - "from": 
"unmapped.Action", - "to": "activity_name" - } - }, - { - "constant": { - "value": 400199, - "field": "type_uid" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.SourceIP", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.SourcePort", - "to": "src_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.DeviceID", - "to": "src_endpoint.uid" - } - }, - { - "rename": { - "from": "unmapped.DeviceName", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.DestinationIP", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.DestinationPort", - "to": "dst_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.Datetime", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "constant": { - "value": "Host", - "field": "metadata.profiles[0]" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserID", - "to": "actor.user.uid" - } - } - ] - }, - { - "predicate": "aws contains 'device-posture'", - "transformations": [ - { - "constant": { - "value": "Device Posture", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Device Posture", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 5001, - "field": "class_uid" - } - }, - { - "constant": { - "value": 5, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Device Inventory Info", - "field": "class_name" - } - 
}, - { - "constant": { - "value": "Discovery", - "field": "category_name" - } - }, - { - "constant": { - "value": 2, - "field": "activity_id" - } - }, - { - "constant": { - "value": "Collect", - "field": "activity_name" - } - }, - { - "constant": { - "value": 500102, - "field": "type_uid" - } - }, - { - "constant": { - "value": "Device Inventory Info: Collect", - "field": "type_name" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.Timestamp", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.DeviceID", - "to": "device.uid" - } - }, - { - "rename": { - "from": "unmapped.DeviceName", - "to": "device.name" - } - }, - { - "rename": { - "from": "unmapped.DeviceManufacturer", - "to": "device.manufacturer" - } - }, - { - "rename": { - "from": "unmapped.DeviceModel", - "to": "device.model" - } - }, - { - "rename": { - "from": "unmapped.DeviceSerialNumber", - "to": "device.hw_info.serial_number" - } - }, - { - "rename": { - "from": "unmapped.DeviceType", - "to": "device.os.type" - } - }, - { - "rename": { - "from": "unmapped.OSVersion", - "to": "device.os.version" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "device.owner.email_addr" - } - }, - { - "copy": { - "from": "device.owner.email_addr", - "to": "device.owner.name" - } - }, - { - "replace": { - "field": "device.owner.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "device.owner.email_addr", - "to": "device.owner.domain" - } - }, - { - "replace": { - "field": "device.owner.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "replace": { - "field": "device.owner.name", - "regexp": "(.*?)@.*", - "replacement": "$1" - } - }, - { - "constant": { - "value": 100, - "field": "device.os.type_id", - "predicate": "device.os.type = 'windows'" - } - }, - { - "constant": { - "value": 300, - 
"field": "device.os.type_id", - "predicate": "device.os.type = 'mac'" - } - }, - { - "constant": { - "value": 301, - "field": "device.os.type_id", - "predicate": "device.os.type = 'ios'" - } - } - ] - }, - { - "predicate": "aws contains 'gateway-dns'", - "transformations": [ - { - "constant": { - "value": "Gateway DNS", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Gateway DNS", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 4003, - "field": "class_uid" - } - }, - { - "constant": { - "value": 4, - "field": "category_uid" - } - }, - { - "constant": { - "value": "DNS Activity", - "field": "class_name" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "category_name" - } - }, - { - "constant": { - "value": 1, - "field": "activity_id" - } - }, - { - "constant": { - "value": "Query", - "field": "activity_name" - } - }, - { - "constant": { - "value": 400301, - "field": "type_uid" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.SrcIP", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.SrcPort", - "to": "src_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.DeviceID", - "to": "src_endpoint.uid" - } - }, - { - "rename": { - "from": "unmapped.DeviceName", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.DstIP", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.DstPort", - "to": "dst_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.Datetime", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.RCode", - "to": "rcode_id" - } - }, - { - "rename": { - "from": "unmapped.QueryName", - "to": "query.hostname" - } - }, - { - "rename": { - "from": "unmapped.QueryTypeName", - "to": "query.type" - } - }, - { - "rename_tree": { - "from": "unmapped.RData", - "to": 
"answers" - } - }, - { - "rename": { - "from": "answers[*].data", - "to": "answers[*].rdata" - } - }, - { - "constant": { - "value": "Host", - "field": "metadata.profiles[0]" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserID", - "to": "actor.user.uid" - } - } - ] - }, - { - "predicate": "aws contains 'audit-logs'", - "transformations": [ - { - "constant": { - "value": "Audit Logs", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Audit Logs", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 3004, - "field": "class_uid" - } - }, - { - "constant": { - "value": 3, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Entity Management", - "field": "class_name" - } - }, - { - "constant": { - "value": "Identity & Access Management", - "field": "category_name" - } - }, - { - "constant": { - "value": 3, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": "Update", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": 300403, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": "Entity Management: Update", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": 1, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": 
"Create", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": 300401, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": "Entity Management: Create", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": 4, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": "Delete", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": 300404, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": "Entity Management: Delete", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": 12, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": "Suspend", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": 300412, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": "Entity Management: Suspend", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id", - "predicate": "not (activity_id = *)" - } - }, - { - "copy": { - "from": "unmapped.ActionType", - "to": "activity_name", - "predicate": "not (activity_name = *)" - } - }, - { - "constant": { - "value": 300499, - "field": "type_uid", - "predicate": "not (type_uid = *)" - } - }, - { - "constant": { - "value": "Entity Management: Other", - "field": "type_name", - "predicate": "not (type_name = *)" - } - }, - { - "constant": { - "value": 1, - "field": "status_id", - "predicate": 
"unmapped.Allowed = true" - } - }, - { - "constant": { - "value": 2, - "field": "status_id", - "predicate": "unmapped.Allowed = false" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserUID", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.IPAddress", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.When", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.ActorEmail", - "to": "actor.user.email_addr" - } - }, - { - "rename": { - "from": "unmapped.ActorID", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.ActorType", - "to": "actor.user.type" - } - }, - { - "rename": { - "from": "unmapped.ActorIP", - "to": "src_endpoint.ip" - } - } - ] - } - ] - } +{ + "attributes": { + "dataSource.vendor": "Cloudflare", + "dataSource.category": "security", + "metadata.product.vendor_name": "Cloudflare", + "metadata.version": "1.5.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.CreatedAt", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.Datetime", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.Timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.When", + "output": "timestamp", + "match": ".*", + 
"replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "aws contains 'access-requests'", + "transformations": [ + { + "constant": { + "value": "Access Requests", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Access Requests", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 3004, + "field": "class_uid", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Entity Management", + "field": "class_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 6, + "field": "activity_id", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Enroll", + "field": "activity_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 300406, + "field": "type_uid", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Entity Management: Enroll", + "field": "type_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 3002, + "field": "class_uid" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Authentication", + "field": "class_name" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + 
"predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": "Logon", + "field": "activity_name", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": "Logoff", + "field": "activity_name", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "copy": { + "from": "unmapped.Action", + "to": "activity_name", + "predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": 300201, + "field": "type_uid", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": 300202, + "field": "type_uid", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "constant": { + "value": 300299, + "field": "type_uid", + "predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": "Authentication: Logon", + "field": "type_name", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": "Authentication: Logoff", + "field": "type_name", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "constant": { + "value": "Authentication: Other", + "field": "type_name", + "predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.Allowed = true" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.Allowed = false" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.AppUUID", + "to": "actor.app_uid" + } + }, + { + "copy": { + "from": "unmapped.AppDomain", + "to": "actor.app_name" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.UserUID", + "to": "actor.user.uid" + } + }, + { + "rename": { + "from": "unmapped.IPAddress", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.CreatedAt", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + 
} + } + ] + }, + { + "predicate": "aws contains 'gateway-http'", + "transformations": [ + { + "constant": { + "value": "Gateway HTTP", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Gateway HTTP", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 4002, + "field": "class_uid" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "HTTP Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id" + } + }, + { + "copy": { + "from": "unmapped.Action", + "to": "activity_name" + } + }, + { + "constant": { + "value": 400299, + "field": "type_uid" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.HTTPHost", + "to": "http_request.url.hostname" + } + }, + { + "rename": { + "from": "unmapped.URL", + "to": "http_request.url.url_string" + } + }, + { + "rename": { + "from": "unmapped.HTTPMethod", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.HTTPVersion", + "to": "http_request.version" + } + }, + { + "rename": { + "from": "unmapped.HTTPStatusCode", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.SourceIP", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.SourcePort", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": "src_endpoint.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.DestinationIP", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.DestinationPort", + "to": "dst_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.Datetime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } 
+ }, + { + "constant": { + "value": "Host", + "field": "metadata.profiles[0]" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "rename": { + "from": "unmapped.UserID", + "to": "actor.user.uid" + } + } + ] + }, + { + "predicate": "aws contains 'gateway-network'", + "transformations": [ + { + "constant": { + "value": "Gateway Network", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Gateway Network", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 4001, + "field": "class_uid" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id" + } + }, + { + "copy": { + "from": "unmapped.Action", + "to": "activity_name" + } + }, + { + "constant": { + "value": 400199, + "field": "type_uid" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.SourceIP", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.SourcePort", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": "src_endpoint.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.DestinationIP", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.DestinationPort", + 
"to": "dst_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.Datetime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "constant": { + "value": "Host", + "field": "metadata.profiles[0]" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "rename": { + "from": "unmapped.UserID", + "to": "actor.user.uid" + } + } + ] + }, + { + "predicate": "aws contains 'device-posture'", + "transformations": [ + { + "constant": { + "value": "Device Posture", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Device Posture", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 5001, + "field": "class_uid" + } + }, + { + "constant": { + "value": 5, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Device Inventory Info", + "field": "class_name" + } + }, + { + "constant": { + "value": "Discovery", + "field": "category_name" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Collect", + "field": "activity_name" + } + }, + { + "constant": { + "value": 500102, + "field": "type_uid" + } + }, + { + "constant": { + "value": "Device Inventory Info: Collect", + "field": "type_name" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.Timestamp", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": 
"device.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "device.name" + } + }, + { + "rename": { + "from": "unmapped.DeviceManufacturer", + "to": "device.manufacturer" + } + }, + { + "rename": { + "from": "unmapped.DeviceModel", + "to": "device.model" + } + }, + { + "rename": { + "from": "unmapped.DeviceSerialNumber", + "to": "device.hw_info.serial_number" + } + }, + { + "rename": { + "from": "unmapped.DeviceType", + "to": "device.os.type" + } + }, + { + "rename": { + "from": "unmapped.OSVersion", + "to": "device.os.version" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "device.owner.email_addr" + } + }, + { + "copy": { + "from": "device.owner.email_addr", + "to": "device.owner.name" + } + }, + { + "replace": { + "field": "device.owner.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "device.owner.email_addr", + "to": "device.owner.domain" + } + }, + { + "replace": { + "field": "device.owner.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "replace": { + "field": "device.owner.name", + "regexp": "(.*?)@.*", + "replacement": "$1" + } + }, + { + "constant": { + "value": 100, + "field": "device.os.type_id", + "predicate": "device.os.type = 'windows'" + } + }, + { + "constant": { + "value": 300, + "field": "device.os.type_id", + "predicate": "device.os.type = 'mac'" + } + }, + { + "constant": { + "value": 301, + "field": "device.os.type_id", + "predicate": "device.os.type = 'ios'" + } + } + ] + }, + { + "predicate": "aws contains 'gateway-dns'", + "transformations": [ + { + "constant": { + "value": "Gateway DNS", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Gateway DNS", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 4003, + "field": "class_uid" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "DNS Activity", + "field": "class_name" + } + }, + { + 
"constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Query", + "field": "activity_name" + } + }, + { + "constant": { + "value": 400301, + "field": "type_uid" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.SrcIP", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.SrcPort", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": "src_endpoint.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.DstIP", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.DstPort", + "to": "dst_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.Datetime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.RCode", + "to": "rcode_id" + } + }, + { + "rename": { + "from": "unmapped.QueryName", + "to": "query.hostname" + } + }, + { + "rename": { + "from": "unmapped.QueryTypeName", + "to": "query.type" + } + }, + { + "rename_tree": { + "from": "unmapped.RData", + "to": "answers" + } + }, + { + "rename": { + "from": "answers[*].data", + "to": "answers[*].rdata" + } + }, + { + "constant": { + "value": "Host", + "field": "metadata.profiles[0]" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + 
"rename": { + "from": "unmapped.UserID", + "to": "actor.user.uid" + } + } + ] + }, + { + "predicate": "aws contains 'audit-logs'", + "transformations": [ + { + "constant": { + "value": "Audit Logs", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Audit Logs", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 3004, + "field": "class_uid" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Entity Management", + "field": "class_name" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 3, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": "Update", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": 300403, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": "Entity Management: Update", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": "Create", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": 300401, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": "Entity Management: Create", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": 4, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": "Delete", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": 
300404, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": "Entity Management: Delete", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": 12, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": "Suspend", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": 300412, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": "Entity Management: Suspend", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + "predicate": "not (activity_id = *)" + } + }, + { + "copy": { + "from": "unmapped.ActionType", + "to": "activity_name", + "predicate": "not (activity_name = *)" + } + }, + { + "constant": { + "value": 300499, + "field": "type_uid", + "predicate": "not (type_uid = *)" + } + }, + { + "constant": { + "value": "Entity Management: Other", + "field": "type_name", + "predicate": "not (type_name = *)" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.Allowed = true" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.Allowed = false" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + 
} + }, + { + "rename": { + "from": "unmapped.UserUID", + "to": "actor.user.uid" + } + }, + { + "rename": { + "from": "unmapped.IPAddress", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.When", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.ActorEmail", + "to": "actor.user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.ActorID", + "to": "actor.user.uid" + } + }, + { + "rename": { + "from": "unmapped.ActorType", + "to": "actor.user.type" + } + }, + { + "rename": { + "from": "unmapped.ActorIP", + "to": "src_endpoint.ip" + } + } + ] + } + ] + } } \ No newline at end of file diff --git a/Backend/parsers/community/google_cloud_dns_logs-latest/gcp_dns.json b/Backend/parsers/community/google_cloud_dns_logs-latest/gcp_dns.json index 0306ff4..4bf4705 100644 --- a/Backend/parsers/community/google_cloud_dns_logs-latest/gcp_dns.json +++ b/Backend/parsers/community/google_cloud_dns_logs-latest/gcp_dns.json 
@@ -1,55 +1,55 @@
-{
- "attributes": {
- "dataSource.name": "GCP DNS",
- "dataSource.vendor": "GCP",
- "dataSource.category": "security",
- "metadata.product.name": "GCP DNS",
- "metadata.product.vendor_name": "GCP",
- "metadata.version": "1.5.0"
- },
- "formats": [
- {
- "format": "$unmapped.{parse=gron}$",
- "rewrites": [
- {
- "input": "unmapped.timestamp",
- "output": "timestamp",
- "match": ".*",
- "replace": "$0"
- }
- ]
- }
- ],
- "mappings": {
- "version": 1,
- "mappings": [
- {
- "predicate": "true",
- "transformations": [
- { "constant": { "value": 4, "field": "category_uid" }},
- { "constant": { "value": "Network Activity", "field": "category_name" }},
- { "constant": { "value": 4003, "field": "class_uid" }},
- { "constant": { "value": "DNS Activity", "field": "class_name" }},
- { "constant": { "value": 1, "field": "activity_id" }},
- { "constant": { "value": "Query", "field": "activity_name" }},
- { "constant": { "value": 400301, "field": "type_uid" }},
- { "constant": { "value": "DNS Activity: Query", "field": "type_name" }},
-
- { "rename": { "from": "unmapped.jsonPayload.queryName", "to": "query.hostname" }},
- { "rename": { "from": "unmapped.jsonPayload.queryType", "to": "query.type" }},
- { "rename": { "from": "unmapped.jsonPayload.rdata", "to": "answers.rdata" }},
- { "rename": { "from": "unmapped.type", "to": "answers.rdata" }},
-
- { "rename": { "from": "unmapped.severity", "to": "severity_id" }},
- //mappings may be adjusted
- { "cast": { "type": "enum", "field": "severity_id", "enum": {"DEFAULT":0,"DEBUG":99,"INFO":1,"NOTICE":2,"WARNING":3,"ERROR":4,"CRITICAL":5,"ALERT":5,"EMERGENCY":6}}}
-
- { "rename": { "from": "unmapped.receiveTimestamp", "to": "query_time" }},
- { "cast": { "field": "query_time", "type": "iso8601TimestampToEpochSec" }}
- { "rename": { "from": "unmapped.timestamp", "to": "time" }},
- { "cast": { "field": "time", "type": "iso8601TimestampToEpochSec" }}
- ]
- }
- ]
- }
-}
+{
+ "attributes": {
+ "dataSource.name": "GCP DNS",
+ "dataSource.vendor": "GCP",
+ "dataSource.category": "security",
+ "metadata.product.name": "GCP DNS",
+ "metadata.product.vendor_name": "GCP",
+ "metadata.version": "1.5.0"
+ },
+ "formats": [
+ {
+ "format": "$unmapped.{parse=gron}$",
+ "rewrites": [
+ {
+ "input": "unmapped.timestamp",
+ "output": "timestamp",
+ "match": ".*",
+ "replace": "$0"
+ }
+ ]
+ }
+ ],
+ "mappings": {
+ "version": 1,
+ "mappings": [
+ {
+ "predicate": "true",
+ "transformations": [
+ { "constant": { "value": 4, "field": "category_uid" }},
+ { "constant": { "value": "Network Activity", "field": "category_name" }},
+ { "constant": { "value": 4003, "field": "class_uid" }},
+ { "constant": { "value": "DNS Activity", "field": "class_name" }},
+ { "constant": { "value": 1, "field": "activity_id" }},
+ { "constant": { "value": "Query", "field": "activity_name" }},
+ { "constant": { "value": 400301, "field": "type_uid" }},
+ { "constant": { "value": "DNS Activity: Query", "field": "type_name" }},
+
+ { "rename": { "from": "unmapped.jsonPayload.queryName", "to": "query.hostname" }},
+ { "rename": { "from": "unmapped.jsonPayload.queryType", "to": "query.type" }},
+ { "rename": { "from": "unmapped.jsonPayload.rdata", "to": "answers.rdata" }},
+ { "rename": { "from": "unmapped.type", "to": "answers.rdata" }},
+
+ { "rename": { "from": "unmapped.severity", "to": "severity_id" }},
+ //mappings may be adjusted
+ { "cast": { "type": "enum", "field": "severity_id", "enum": {"DEFAULT":0,"DEBUG":99,"INFO":1,"NOTICE":2,"WARNING":3,"ERROR":4,"CRITICAL":5,"ALERT":5,"EMERGENCY":6}}}
+
+ { "rename": { "from": "unmapped.receiveTimestamp", "to": "query_time" }},
+ { "cast": { "field": "query_time", "type": "iso8601TimestampToEpochSec" }}
+ { "rename": { "from": "unmapped.timestamp", "to": "time" }},
+ { "cast": { "field": "time", "type": "iso8601TimestampToEpochSec" }}
+ ]
+ }
+ ]
+ }
+}
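Review bot: The transformations array on the new side of gcp_dns.json is not well-formed: the severity enum cast line `{ "cast": { "type": "enum", "field": "severity_id", "enum": {...}}}` and the `{ "cast": { "field": "query_time", "type": "iso8601TimestampToEpochSec" }}` line both lack the trailing comma before the next element, so the parser definition will most likely fail to load, or at best drop the time mappings, depending on how tolerant the loader is. This hunk appears to re-emit the file with only whitespace differences, so the defect predates it, but the whole file is on the new side and this is the place to fix it: append `,` to both lines. Separately, both `unmapped.jsonPayload.rdata` and `unmapped.type` are renamed to `answers.rdata`, so whichever rename runs second overwrites the DNS answer data; the second looks like a copy-paste slip and probably belongs on a different target field. The `//mappings may be adjusted` comment is only safe if the loader accepts comments inside JSON — the sibling Imperva parser in this commit uses them, so it presumably does, but that is inferred rather than shown here.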
diff --git a/Backend/parsers/community/imperva_waf_logs-latest/Imperva_waf.json b/Backend/parsers/community/imperva_waf_logs-latest/Imperva_waf.json index a9a0e48..e598b35 100644 --- a/Backend/parsers/community/imperva_waf_logs-latest/Imperva_waf.json +++ b/Backend/parsers/community/imperva_waf_logs-latest/Imperva_waf.json 
@@ -1,84 +1,84 @@
-{
- // specify a time zone if the timestamps in your log are not in GMT
- // timezone: "GMT-0800"
- attributes: {
- "dataSource.name": "Imperva WAF",
- "dataSource.vendor": "Imperva",
- "dataSource.category": "security"
- "metadata.product.name": "Imperva WAF",
- "metadata.product.vendor_name": "Imperva"
- },
-
- patterns: {
- tsPattern: "\\d+",
- value: "[^\\s]+",
- toDrop: "^(?!CEF).*$"
- },
-
- formats: [
- //drop logs
- {
- id: "drop",
- format: "$unwanted=toDrop$",
- discard: true
- },
-
- {
- format: "$unmapped.cef.version$\\|$metadata.vendor_name$\\|$metadata.product$\\|$metadata.product.version$\\|$unmapped.signature$\\|$event.type$\\|$severity$\\|",
- },
- {
- format: ".*\\sstart=$timestamp=tsPattern$",
- },
- {
- format: ".*requestClientApplication=$unmapped.requestClientApplication$\\sdeviceFacility",
- },
- {
- format: ".*\\scs2=$unmapped.cs2$\\scs2Label=$unmapped.cs2Label$\\scs3=$unmapped.cs3$\\scs3Label=$unmapped.cs3Label$\\scs1=$unmapped.cs1$\\scs1Label=$unmapped.cs1Label$\\scs4=$unmapped.cs4$\\scs4Label=$unmapped.cs4Label$\\scs5=$unmapped.cs5$\\scs5Label=$unmapped.cs5Label$\\scs6=$unmapped.cs6$\\scs6Label=$unmapped.cs6Label$\\scs7=$unmapped.cs7$\\scs7Label=$unmapped.cs7Label$\\scs8=$unmapped.cs8$\\scs8Label=$unmapped.cs8Label$\\sCustomer",
- },
- {
- format: ".*\\scs10=$unmapped.cs10$\\scs10Label=$unmapped.cs10Label$\\scpt",
- },
- {
- format: ".*\\sver=$unmapped.ver$\\s$unmapped.cipher$\\s",
- },
- {
- format: ".*$_=identifier$=$unmapped._=value$",
- repeat: true
- }
- ],
- mappings: {
- version: 0,
- mappings: [
- {
- predicate: "",
- renames: [
- {
- inputs : ["unmapped.dst"],
- output : "dst_endpoint.ip",
- type: "string"
- },
- {
- inputs: ["unmapped.dpt"],
- output: "dst_endpoint.port",
- type: "string"
- },
- {
- inputs: ["unmapped.src"],
- output: "src_endpoint.ip",
- type: "string"
- },
- {
- inputs: ["unmapped.spt"],
- output: "src_endpoint.port",
- type: "string"
- },
- {
- inputs: ["unmapped.Customer"],
- output: "Account Name",
- type: "string"
- }
- ]
- }
- ]
- }
+{
+ // specify a time zone if the timestamps in your log are not in GMT
+ // timezone: "GMT-0800"
+ attributes: {
+ "dataSource.name": "Imperva WAF",
+ "dataSource.vendor": "Imperva",
+ "dataSource.category": "security"
+ "metadata.product.name": "Imperva WAF",
+ "metadata.product.vendor_name": "Imperva"
+ },
+
+ patterns: {
+ tsPattern: "\\d+",
+ value: "[^\\s]+",
+ toDrop: "^(?!CEF).*$"
+ },
+
+ formats: [
+ //drop logs
+ {
+ id: "drop",
+ format: "$unwanted=toDrop$",
+ discard: true
+ },
+
+ {
+ format: "$unmapped.cef.version$\\|$metadata.vendor_name$\\|$metadata.product$\\|$metadata.product.version$\\|$unmapped.signature$\\|$event.type$\\|$severity$\\|",
+ },
+ {
+ format: ".*\\sstart=$timestamp=tsPattern$",
+ },
+ {
+ format: ".*requestClientApplication=$unmapped.requestClientApplication$\\sdeviceFacility",
+ },
+ {
+ format: ".*\\scs2=$unmapped.cs2$\\scs2Label=$unmapped.cs2Label$\\scs3=$unmapped.cs3$\\scs3Label=$unmapped.cs3Label$\\scs1=$unmapped.cs1$\\scs1Label=$unmapped.cs1Label$\\scs4=$unmapped.cs4$\\scs4Label=$unmapped.cs4Label$\\scs5=$unmapped.cs5$\\scs5Label=$unmapped.cs5Label$\\scs6=$unmapped.cs6$\\scs6Label=$unmapped.cs6Label$\\scs7=$unmapped.cs7$\\scs7Label=$unmapped.cs7Label$\\scs8=$unmapped.cs8$\\scs8Label=$unmapped.cs8Label$\\sCustomer",
+ },
+ {
+ format: ".*\\scs10=$unmapped.cs10$\\scs10Label=$unmapped.cs10Label$\\scpt",
+ },
+ {
+ format: ".*\\sver=$unmapped.ver$\\s$unmapped.cipher$\\s",
+ },
+ {
+ format: ".*$_=identifier$=$unmapped._=value$",
+ repeat: true
+ }
+ ],
+ mappings: {
+ version: 0,
+ mappings: [
+ {
+ predicate: "",
+ renames: [
+ {
+ inputs : ["unmapped.dst"],
+ output : "dst_endpoint.ip",
+ type: "string"
+ },
+ {
+ inputs: ["unmapped.dpt"],
+ output: "dst_endpoint.port",
+ type: "string"
+ },
+ {
+ inputs: ["unmapped.src"],
+ output: "src_endpoint.ip",
+ type: "string"
+ },
+ {
+ inputs: ["unmapped.spt"],
+ output: "src_endpoint.port",
+ type: "string"
+ },
+ {
+ inputs: ["unmapped.Customer"],
+ output: "Account Name",
+ type: "string"
+ }
+ ]
+ }
+ ]
+ }
 }
\ No newline at end of file
diff --git a/Backend/parsers/community/teleport_logs-latest/teleport.json b/Backend/parsers/community/teleport_logs-latest/teleport.json
index 4b28d9c..bbc42a4 100644
--- a/Backend/parsers/community/teleport_logs-latest/teleport.json
+++ b/Backend/parsers/community/teleport_logs-latest/teleport.json
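Review bot: The re-added `attributes` block still has no comma after `"dataSource.category": "security"` before `"metadata.product.name"`, which is a syntax error in JSON and in the JSON5-style dialect the unquoted keys and `//` comments imply, so the parser definition is likely to be rejected at load time and Imperva WAF events would then go unparsed. This hunk removes and re-adds every line unchanged (the shared last line carries `\ No newline at end of file`), so it looks like a line-ending or whitespace rewrite, which is exactly the moment to catch a pre-existing slip like this. The fix is one line: `"dataSource.category": "security",`. Separately, `predicate: ""` differs from the `"predicate": "true"` catch-all used by the GCP DNS parser earlier in this diff; whether an empty predicate matches every event depends on the parser engine, so it is worth confirming or aligning it to `"true"` so the endpoint renames actually apply.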
@@ -1,4175 +1,4175 @@ -{ - "attributes": { - "dataSource.name": "Teleport Audit", - "dataSource.vendor": "Teleport", - "dataSource.category": "security", - "metadata.product.name": "Teleport Audit", - "metadata.product.vendor_name": "Teleport", - "metadata.version": "1.5.0", - "cloud.provider": "AWS" - }, - "formats": [ - { - "format": "$unmapped.{parse=gron}$", - "rewrites": [ - { - "input": "unmapped.time", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.ts", - "output": "timestamp", - "match": ".*", - "replace": "$0" - } - ] - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "unmapped.event in ('user.update','billing.plan.update')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 99 - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Account Change" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300199 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3001 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } 
- }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('user.create','saml.created')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - 
"constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Account Change" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300101 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3001 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - 
}, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'user.delete'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 6 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Delete" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Account Change" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300106 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3001 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - 
{ - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - 
"from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'db.update'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 2 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Update" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600502 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": 
"http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'db.create'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 6 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Create" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 
600506 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": 
"unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'db.delete'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 7 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Delete" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600507 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": 
"unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 
'db.session.query'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 4 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Query" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600504 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": 
"auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('db.session.postgres.statements.execute','db.session.postgres.statements.parse','db.session.postgres.statements.bind')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 99 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Other" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600599 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - 
"rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": 
"unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('cert.create','join_token.create','role.created','lock.created')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Create" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Entity Management" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300401 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3004 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", 
- "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('role.delete','lock.delete')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": 
"event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 4 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Delete" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Entity Management" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300404 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3004 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": 
"src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'role.update'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 3 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Delete" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Entity Management" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300403 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3004 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - 
"from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - 
"to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('app.session.end','db.session.end','session.end','session.leave','desktop.session.end','mfa.auth.success')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 2 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Logoff" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Authentication" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300202 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3002 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - 
"from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('instance.join','session.start','session.join','user.login','bot.join','db.session.start','desktop.session.start','mfa.auth.success','port','db.session.mysql.init_db')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } 
- }, - { - "constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Logon" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Authentication" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300201 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3002 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - 
"rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('kube.request','app.session.chunk','exec','scp','sftp','app.session.start','session.upload','session.data')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 99 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Other" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "API Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600399 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6003 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": 
"dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - 
"rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'config.changed'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 99 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Other" - } - }, - { - "constant": { - "field": "category_name", - "value": "Discovery" - } - }, - { - "constant": { - "field": "class_name", - "value": "Device Config State Change" - } - }, - { - "constant": { - "field": "type_uid", - "value": 501999 - } - }, - { - "constant": { - "field": "category_uid", - "value": 5 - } - }, - { - "constant": { - "field": "class_uid", - "value": 5019 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": 
"src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'dns.query'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Query" - } - }, - { - "constant": { - "field": "category_name", - 
"value": "Network Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "DNS Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 400301 - } - }, - { - "constant": { - "field": "category_uid", - "value": 4 - } - }, - { - "constant": { - "field": "class_uid", - "value": 4003 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": 
"iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'net.connection'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Open" - } - }, - { - "constant": { - "field": "category_name", - "value": "Network Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Network Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 400101 - } - }, - { - "constant": { - "field": "category_uid", - "value": 4 - } - }, - { - "constant": { - "field": "class_uid", - "value": 4001 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", 
- "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": 
"query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "true", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - 
"to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - } - ] - } +{ + "attributes": { + "dataSource.name": "Teleport Audit", + "dataSource.vendor": "Teleport", + "dataSource.category": "security", + "metadata.product.name": "Teleport Audit", + "metadata.product.vendor_name": "Teleport", + "metadata.version": "1.5.0", + "cloud.provider": "AWS" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.time", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.ts", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "unmapped.event in ('user.update','billing.plan.update')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 99 + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Account Change" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300199 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + 
"field": "class_uid", + "value": 3001 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": 
"actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('user.create','saml.created')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Account Change" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300101 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3001 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + 
"from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'user.delete'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 
6 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Delete" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Account Change" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300106 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3001 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": 
"actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'db.update'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 2 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Update" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600502 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": 
"iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": 
"database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'db.create'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 6 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Create" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600506 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + 
"rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'db.delete'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 7 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Delete" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + 
"constant": { + "field": "type_uid", + "value": 600507 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + 
"rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'db.session.query'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 4 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Query" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600504 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { 
+ "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + 
"predicate": "unmapped.event in ('db.session.postgres.statements.execute','db.session.postgres.statements.parse','db.session.postgres.statements.bind')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 99 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Other" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600599 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + 
"rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('cert.create','join_token.create','role.created','lock.created')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Create" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Entity Management" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300401 + } + }, + { + "constant": { + "field": "category_uid", + "value": 
3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3004 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": 
"unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('role.delete','lock.delete')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 4 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Delete" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Entity Management" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300404 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3004 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + 
"rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'role.update'", + "transformations": [ + { + "copy": { + "from": 
"unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 3 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Delete" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Entity Management" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300403 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3004 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": 
"unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('app.session.end','db.session.end','session.end','session.leave','desktop.session.end','mfa.auth.success')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 2 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Logoff" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Authentication" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300202 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3002 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": 
"severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { 
+ "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('instance.join','session.start','session.join','user.login','bot.join','db.session.start','desktop.session.start','mfa.auth.success','port','db.session.mysql.init_db')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Logon" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Authentication" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300201 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3002 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + 
"from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in 
('kube.request','app.session.chunk','exec','scp','sftp','app.session.start','session.upload','session.data')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 99 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Other" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "API Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600399 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6003 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": 
"cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'config.changed'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 99 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Other" + } + }, + { + "constant": { + "field": "category_name", + "value": "Discovery" + } + }, + { + "constant": { + "field": "class_name", + "value": "Device Config State Change" + } + }, + { + "constant": { + "field": "type_uid", + "value": 501999 + } + }, + { + "constant": { + "field": "category_uid", + "value": 5 + } + }, + { + "constant": { + "field": "class_uid", + "value": 5019 + } + }, + { + "rename": { + "from": 
"unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": 
"actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'dns.query'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Query" + } + }, + { + "constant": { + "field": "category_name", + "value": "Network Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "DNS Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 400301 + } + }, + { + "constant": { + "field": "category_uid", + "value": 4 + } + }, + { + "constant": { + "field": "class_uid", + "value": 4003 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": 
"http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'net.connection'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + 
"field": "activity_name", + "value": "Open" + } + }, + { + "constant": { + "field": "category_name", + "value": "Network Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Network Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 400101 + } + }, + { + "constant": { + "field": "category_uid", + "value": 4 + } + }, + { + "constant": { + "field": "class_uid", + "value": 4001 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { 
+ "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "true", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + 
"to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + } + ] + } } \ No newline at end of file diff --git a/Backend/parsers/community/zscaler_firewall_logs-latest/zscaler_firewall.json b/Backend/parsers/community/zscaler_firewall_logs-latest/zscaler_firewall.json index 5072b92..6984ecc 100644 --- a/Backend/parsers/community/zscaler_firewall_logs-latest/zscaler_firewall.json 
+++ b/Backend/parsers/community/zscaler_firewall_logs-latest/zscaler_firewall.json 
@@ -1,219 +1,219 @@ -{ - "attributes": { - "dataSource.vendor": "Zscaler", - "dataSource.name": "Zscaler Firewall", - "dataSource.category": "security", - "metadata.product.vendor_name": "Zscaler", - "metadata.product.name": "Zscaler Internet Access", - "metadata.version": "1.0.0" - }, - "formats": [ - { - "format": "$unmapped.{parse=json}$", - "rewrites": [ - { - "input": "unmapped.datetime", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.timestamp", - "output": "time", - "match": ".*", - "replace": "$0" - } - ] - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "true", - "transformations": [ - { - "constant": { - "value": 4001, - "field": "class_uid" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "class_name" - } - }, - { - "constant": { - "value": 4, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "category_name" - } - }, - { - "constant": { - "value": 6, - "field": "activity_id" - } - }, - { - "constant": { - "value": "Traffic", - "field": "activity_name" - } - }, - { - "constant": { - "value": 400106, - "field": "type_uid" - } - }, - { - "copy": { - "from": "unmapped.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "copy": { - "from": "unmapped.src_port", - "to": "src_endpoint.port" - } - }, - { - "copy": { - "from": "unmapped.dest_ip", - "to": "dst_endpoint.ip" - } - }, - { - "copy": { - "from": "unmapped.dest_port", - "to": "dst_endpoint.port" - } - }, - { - "copy": { - "from": "unmapped.user", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "unmapped.device_hostname", - "to": "device.hostname" - } - }, - { - "copy": { - "from": "unmapped.device_owner", - "to": "device.owner.name" - } - }, - { - "copy": { - "from": "unmapped.action", - "to": "disposition" - } - }, - { - "copy": { - "from": "unmapped.policy", - "to": "policy.name" - } - }, - { - "copy": { - "from": "unmapped.rule", - "to": 
"rule.name" - } - }, - { - "copy": { - "from": "unmapped.app", - "to": "app_name" - } - }, - { - "copy": { - "from": "unmapped.proto", - "to": "connection_info.protocol_name" - } - }, - { - "copy": { - "from": "unmapped.inbound_bytes", - "to": "traffic.bytes_in" - } - }, - { - "copy": { - "from": "unmapped.outbound_bytes", - "to": "traffic.bytes_out" - } - }, - { - "copy": { - "from": "unmapped.duration", - "to": "duration" - } - }, - { - "copy": { - "from": "unmapped.client_country", - "to": "src_endpoint.location.country" - } - }, - { - "copy": { - "from": "unmapped.dest_country", - "to": "dst_endpoint.location.country" - } - }, - { - "copy": { - "from": "unmapped.locationname", - "to": "src_endpoint.location.city" - } - }, - { - "copy": { - "from": "unmapped.department", - "to": "actor.user.groups" - } - } - ] - } - ] - }, - "observables": { - "fields": [ - { - "name": "src_endpoint.ip", - "type": "IP Address" - }, - { - "name": "dst_endpoint.ip", - "type": "IP Address" - }, - { - "name": "actor.user.email_addr", - "type": "User" - }, - { - "name": "device.hostname", - "type": "Hostname" - }, - { - "name": "app_name", - "type": "Other" - } - ] - } +{ + "attributes": { + "dataSource.vendor": "Zscaler", + "dataSource.name": "Zscaler Firewall", + "dataSource.category": "security", + "metadata.product.vendor_name": "Zscaler", + "metadata.product.name": "Zscaler Internet Access", + "metadata.version": "1.0.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.datetime", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.timestamp", + "output": "time", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 4001, + "field": "class_uid" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "class_name" + } + }, + { + "constant": { + 
"value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 6, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Traffic", + "field": "activity_name" + } + }, + { + "constant": { + "value": 400106, + "field": "type_uid" + } + }, + { + "copy": { + "from": "unmapped.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.src_port", + "to": "src_endpoint.port" + } + }, + { + "copy": { + "from": "unmapped.dest_ip", + "to": "dst_endpoint.ip" + } + }, + { + "copy": { + "from": "unmapped.dest_port", + "to": "dst_endpoint.port" + } + }, + { + "copy": { + "from": "unmapped.user", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "unmapped.device_hostname", + "to": "device.hostname" + } + }, + { + "copy": { + "from": "unmapped.device_owner", + "to": "device.owner.name" + } + }, + { + "copy": { + "from": "unmapped.action", + "to": "disposition" + } + }, + { + "copy": { + "from": "unmapped.policy", + "to": "policy.name" + } + }, + { + "copy": { + "from": "unmapped.rule", + "to": "rule.name" + } + }, + { + "copy": { + "from": "unmapped.app", + "to": "app_name" + } + }, + { + "copy": { + "from": "unmapped.proto", + "to": "connection_info.protocol_name" + } + }, + { + "copy": { + "from": "unmapped.inbound_bytes", + "to": "traffic.bytes_in" + } + }, + { + "copy": { + "from": "unmapped.outbound_bytes", + "to": "traffic.bytes_out" + } + }, + { + "copy": { + "from": "unmapped.duration", + "to": "duration" + } + }, + { + "copy": { + "from": "unmapped.client_country", + "to": "src_endpoint.location.country" + } + }, + { + "copy": { + "from": "unmapped.dest_country", + "to": "dst_endpoint.location.country" + } + }, + { + "copy": { + "from": "unmapped.locationname", + "to": "src_endpoint.location.city" + } + }, + { + "copy": { + "from": "unmapped.department", + "to": "actor.user.groups" + } + } + ] + } + ] + }, + 
"observables": { + "fields": [ + { + "name": "src_endpoint.ip", + "type": "IP Address" + }, + { + "name": "dst_endpoint.ip", + "type": "IP Address" + }, + { + "name": "actor.user.email_addr", + "type": "User" + }, + { + "name": "device.hostname", + "type": "Hostname" + }, + { + "name": "app_name", + "type": "Other" + } + ] + } } \ No newline at end of file diff --git a/Backend/parsers/community_new/aws_vpc_dns_logs-latest/aws_vpc_dns.conf b/Backend/parsers/community_new/aws_vpc_dns_logs-latest/aws_vpc_dns.conf index 9dc1384..f25eb2a 100644 --- a/Backend/parsers/community_new/aws_vpc_dns_logs-latest/aws_vpc_dns.conf +++ b/Backend/parsers/community_new/aws_vpc_dns_logs-latest/aws_vpc_dns.conf 
@@ -1,207 +1,207 @@
-{
- "attributes": {
- "dataSource.name": "AWS VPC DNS",
- "dataSource.vendor": "AWS",
- "dataSource.category": "security",
- "metadata.product.name": "VPC DNS",
- "metadata.product.vendor_name": "AWS",
- "metadata.version": "1.5.0"
- },
- "formats": [
- {
- "format": "$unmapped.{parse=gron}$",
- "rewrites": [
- {
- "input": "unmapped.query_timestamp",
- "output": "timestamp",
- "match": ".*",
- "replace": "$0"
- }
- ]
- }
- ],
- "mappings": {
- "version": 1,
- "mappings": [
- {
- "predicate": "true",
- "transformations": [
- {
- "constant": {
- "value": 6,
- "field": "activity_id"
- }
- },
- {
- "constant": {
- "value": "Traffic",
- "field": "activity_name"
- }
- },
- {
- "constant": {
- "value": 4,
- "field": "category_uid"
- }
- },
- {
- "constant": {
- "value": 4003,
- "field": "class_uid"
- }
- },
- {
- "constant": {
- "value": "DNS Activity",
- "field": "class_name"
- }
- },
- {
- "constant": {
- "value": "Network Activity",
- "field": "category_name"
- }
- },
- {
- "constant": {
- "value": 400306,
- "field": "type_uid"
- }
- },
- {
- "constant": {
- "value": "DNS Activity: Traffic",
- "field": "type_name"
- }
- },
- {
- "copy": {
- "from": "unmapped.query_timestamp",
- "to": "time"
- }
- },
- {
- "cast": {
- "field": "time",
- "type": "iso8601TimestampToEpochSec"
- }
- },
- {
- "rename": {
- "from": "unmapped.query_timestamp",
- "to": "query_time"
- }
- },
- {
- "rename": {
- "from": "unmapped.query_class",
- "to": "query.class"
- }
- },
- {
- "rename": {
- "from": "unmapped.query_name",
- "to": "query.hostname"
- }
- },
- {
- "rename": {
- "from": "unmapped.query_type",
- "to": "query.type"
- }
- },
- {
- "rename": {
- "from": "unmapped.rcode",
- "to": "rcode"
- }
- },
- {
- "rename": {
- "from": "unmapped.answers.Rdata",
- "to": "answers.rdata"
- }
- },
- {
- "rename": {
- "from": "unmapped.answers.Class",
- "to": "answers.class"
- }
- },
- {
- "rename": {
- "from": "unmapped.answers.Type",
- "to": "answers.type"
- }
- },
- { -
"rename": { - "from": "unmapped.srcaddr", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.srcport", - "to": "src_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.vpc_id", - "to": "src_endpoint.vpc_uid" - } - }, - { - "rename": { - "from": "unmapped.srcids.instance", - "to": "src_endpoint.instance_uid" - } - }, - { - "rename": { - "from": "unmapped.region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.transport", - "to": "connection_info.protocol_name" - } - }, - { - "rename": { - "from": "unmapped.account_id", - "to": "cloud.account.uid" - } - }, - { - "rename": { - "from": "unmapped.version", - "to": "metadata.product.version" - } - }, - { - "rename": { - "from": "unmapped.answers[*].Rdata", - "to": "answers[*].rdata" - } - }, - { - "rename": { - "from": "unmapped.answers[*].Class", - "to": "answers[*].class" - } - }, - { - "rename": { - "from": "unmapped.answers[*].Type", - "to": "answers[*].type" - } - } - ] - } - ] - } +{ + "attributes": { + "dataSource.name": "AWS VPC DNS", + "dataSource.vendor": "AWS", + "dataSource.category": "security", + "metadata.product.name": "VPC DNS", + "metadata.product.vendor_name": "AWS", + "metadata.version": "1.5.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.query_timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 6, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Traffic", + "field": "activity_name" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": 4003, + "field": "class_uid" + } + }, + { + "constant": { + "value": "DNS Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": 
{
+ "value": 400306,
+ "field": "type_uid"
+ }
+ },
+ {
+ "constant": {
+ "value": "DNS Activity: Traffic",
+ "field": "type_name"
+ }
+ },
+ {
+ "copy": {
+ "from": "unmapped.query_timestamp",
+ "to": "time"
+ }
+ },
+ {
+ "cast": {
+ "field": "time",
+ "type": "iso8601TimestampToEpochSec"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.query_timestamp",
+ "to": "query_time"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.query_class",
+ "to": "query.class"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.query_name",
+ "to": "query.hostname"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.query_type",
+ "to": "query.type"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.rcode",
+ "to": "rcode"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.answers.Rdata",
+ "to": "answers.rdata"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.answers.Class",
+ "to": "answers.class"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.answers.Type",
+ "to": "answers.type"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.srcaddr",
+ "to": "src_endpoint.ip"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.srcport",
+ "to": "src_endpoint.port"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.vpc_id",
+ "to": "src_endpoint.vpc_uid"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.srcids.instance",
+ "to": "src_endpoint.instance_uid"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.region",
+ "to": "cloud.region"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.transport",
+ "to": "connection_info.protocol_name"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.account_id",
+ "to": "cloud.account.uid"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.version",
+ "to": "metadata.product.version"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.answers[*].Rdata",
+ "to": "answers[*].rdata"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.answers[*].Class",
+ "to": "answers[*].class"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.answers[*].Type",
+ "to": "answers[*].type"
+ }
+ }
+ ]
+ }
+ ]
+ }
 } \ No newline at end of file
diff --git a/Backend/parsers/community_new/buildkite_ci_logs-latest/buildkite.conf b/Backend/parsers/community_new/buildkite_ci_logs-latest/buildkite.conf
index 282c48b..76b6292 100644
--- a/Backend/parsers/community_new/buildkite_ci_logs-latest/buildkite.conf
+++ b/Backend/parsers/community_new/buildkite_ci_logs-latest/buildkite.conf
@@ -1,395 +1,395 @@
-{
- "attributes": {
- "dataSource.name": "Buildkite Audit",
- "dataSource.vendor": "Buildkite",
- "dataSource.category": "security",
- "metadata.product.name": "Buildkite Audit",
- "metadata.product.vendor_name": "Buildkite",
- "metadata.version": "1.5.0"
- },
- "formats": [
- {
- "format": "$unmapped.{parse=gron}$",
- "rewrites": [
- {
- "input": "unmapped.occurredAt",
- "output": "timestamp",
- "match": ".*",
- "replace": "$0"
- }
- ]
- }
- ],
- "mappings": {
- "version": 1,
- "mappings": [
- {
- "predicate": "true",
- "transformations": [
- {
- "copy": {
- "from": "unmapped.type",
- "to": "event.action"
- }
- },
- {
- "constant": {
- "value": 3004,
- "field": "class_uid"
- }
- },
- {
- "constant": {
- "value": 3,
- "field": "category_uid"
- }
- },
- {
- "constant": {
- "value": "Entity Management",
- "field": "class_name"
- }
- },
- {
- "constant": {
- "value": "Identity & Access Management",
- "field": "category_name"
- }
- },
- {
- "constant": {
- "value": 1,
- "field": "activity_id",
- "predicate": "unmapped.type contains ('created','added')"
- }
- },
- {
- "constant": {
- "value": "Create",
- "field": "activity_name",
- "predicate": "unmapped.type contains ('created','added')"
- }
- },
- {
- "constant": {
- "value": 300401,
- "field": "type_uid",
- "predicate": "unmapped.type contains ('created','added')"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Create",
- "field": "type_name",
- "predicate": "unmapped.type contains ('created','added')"
- }
- },
- {
- "constant": {
- "value": 2,
- "field": "activity_id",
- "predicate": "unmapped.type contains 'read'"
- }
- },
- {
- "constant": {
- "value": "Read",
- "field": "activity_name",
- "predicate": "unmapped.type contains 'read'"
- }
- },
- {
- "constant": {
- "value": 300402,
- "field": "type_uid",
- "predicate": "unmapped.type contains 'read'"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Read",
- "field": "type_name",
- "predicate": "unmapped.type contains 'read'"
- }
- },
- {
- "constant": {
- "value": 3,
- "field": "activity_id",
- "predicate": "unmapped.type contains ('updated','changed')"
- }
- },
- {
- "constant": {
- "value": "Update",
- "field": "activity_name",
- "predicate": "unmapped.type contains ('updated','changed')"
- }
- },
- {
- "constant": {
- "value": 300403,
- "field": "type_uid",
- "predicate": "unmapped.type contains ('updated','changed')"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Update",
- "field": "type_name",
- "predicate": "unmapped.type contains ('updated','changed')"
- }
- },
- {
- "constant": {
- "value": 4,
- "field": "activity_id",
- "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
- }
- },
- {
- "constant": {
- "value": "Delete",
- "field": "activity_name",
- "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
- }
- },
- {
- "constant": {
- "value": 300404,
- "field": "type_uid",
- "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Delete",
- "field": "type_name",
- "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
- }
- },
- {
- "constant": {
- "value": 8,
- "field": "activity_id",
- "predicate": "unmapped.type contains 'enabled'"
- }
- },
- {
- "constant": {
- "value": "Enable",
- "field": "activity_name",
- "predicate": "unmapped.type contains 'enabled'"
- }
- },
- {
- "constant": {
- "value": 300408,
- "field": "type_uid",
- "predicate": "unmapped.type contains 'enabled'"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Enable",
- "field": "type_name",
- "predicate": "unmapped.type contains 'enabled'"
- }
- },
- {
- "constant": {
- "value": 9,
- "field": "activity_id",
- "predicate": "unmapped.type contains 'disabled'"
- }
- },
- {
- "constant": {
- "value": "Disable",
- "field": "activity_name",
- "predicate": "unmapped.type contains 'disabled'"
- }
- },
- {
- "constant": {
- "value": 300409,
- "field": "type_uid",
- "predicate": "unmapped.type contains 'disabled'"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Disable",
- "field": "type_name",
- "predicate": "unmapped.type contains 'disabled'"
- }
- },
- {
- "constant": {
- "value": 10,
- "field": "activity_id",
- "predicate": "unmapped.type contains 'activated'"
- }
- },
- {
- "constant": {
- "value": "Activate",
- "field": "activity_name",
- "predicate": "unmapped.type contains 'activated'"
- }
- },
- {
- "constant": {
- "value": 300410,
- "field": "type_uid",
- "predicate": "unmapped.type contains 'activated'"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Activate",
- "field": "type_name",
- "predicate": "unmapped.type contains 'activated'"
- }
- },
- {
- "constant": {
- "value": 12,
- "field": "activity_id",
- "predicate": "unmapped.type contains 'revoked'"
- }
- },
- {
- "constant": {
- "value": "Suspend",
- "field": "activity_name",
- "predicate": "unmapped.type contains 'revoked'"
- }
- },
- {
- "constant": {
- "value": 300412,
- "field": "type_uid",
- "predicate": "unmapped.type contains 'revoked'"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Suspend",
- "field": "type_name",
- "predicate": "unmapped.type contains 'revoked'"
- }
- },
- {
- "constant": {
- "value": 99,
- "field": "activity_id",
- "predicate": "not (activity_id = *)"
- }
- },
- {
- "constant": {
- "value": "Other",
- "field": "activity_name",
- "predicate": "not (activity_name = *)"
- }
- },
- {
- "constant": {
- "value": 300499,
- "field": "type_uid",
- "predicate": "not (type_uid = *)"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Other",
- "field": "type_name",
- "predicate": "not (type_name = *)"
- }
- },
- {
- "constant": {
- "value": 99,
- "field": "severity_id"
- }
- },
- {
- "rename": {
- "from": "unmapped.actor.node.email",
- "to": "actor.user.email_addr"
- }
- },
- {
- "rename": {
- "from": "unmapped.actor.name",
- "to": "actor.user.full_name"
- }
- },
- {
- "rename": {
- "from": "unmapped.actor.uuid",
- "to": "actor.user.uid"
- }
- },
- {
- "rename": {
- "from": "unmapped.actor.type",
- "to": "actor.user.type"
- }
- },
- {
- "copy": {
- "from": "actor.user.email_addr",
- "to": "actor.user.name"
- }
- },
- {
- "replace": {
- "field": "actor.user.name",
- "regexp": "(.*?)@(.*)",
- "replacement": "$1"
- }
- },
- {
- "copy": {
- "from": "actor.user.email_addr",
- "to": "actor.user.domain"
- }
- },
- {
- "replace": {
- "field": "actor.user.domain",
- "regexp": "(.*?)@(.*)",
- "replacement": "$2"
- }
- },
- {
- "rename": {
- "from": "unmapped.context.requestIpAddress",
- "to": "src_endpoint.ip"
- }
- },
- {
- "rename": {
- "from": "unmapped.context.requestIpAddress",
- "to": "src_endpoint.ip"
- }
- },
- {
- "rename": {
- "from": "unmapped.occurredAt",
- "to": "time"
- }
- },
- {
- "cast": {
- "field": "time",
- "type": "iso8601TimestampToEpochSec"
- }
- }
- ]
- }
- ]
- }
+{
+ "attributes": {
+ "dataSource.name": "Buildkite Audit",
+ "dataSource.vendor": "Buildkite",
+ "dataSource.category": "security",
+ "metadata.product.name": "Buildkite Audit",
+ "metadata.product.vendor_name": "Buildkite",
+ "metadata.version": "1.5.0"
+ },
+ "formats": [
+ {
+ "format": "$unmapped.{parse=gron}$",
+ "rewrites": [
+ {
+ "input": "unmapped.occurredAt",
+ "output": "timestamp",
+ "match": ".*",
+ "replace": "$0"
+ }
+ ]
+ }
+ ],
+ "mappings": {
+ "version": 1,
+ "mappings": [
+ {
+ "predicate": "true",
+ "transformations": [
+ {
+ "copy": {
+ "from": "unmapped.type",
+ "to": "event.action"
+ }
+ },
+ {
+ "constant": {
+ "value": 3004,
+ "field": "class_uid"
+ }
+ },
+ {
+ "constant": {
+ "value": 3,
+ "field": "category_uid"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management",
+ "field": "class_name"
+ }
+ },
+ {
+ "constant": {
+ "value": "Identity & Access Management",
+ "field": "category_name"
+ }
+ },
+ {
+ "constant": {
+ "value": 1,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains ('created','added')"
+ }
+ },
+ {
+ "constant": {
+ "value": "Create",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains ('created','added')"
+ }
+ },
+ {
+ "constant": {
+ "value": 300401,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains ('created','added')"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Create",
+ "field": "type_name",
+ "predicate": "unmapped.type contains ('created','added')"
+ }
+ },
+ {
+ "constant": {
+ "value": 2,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains 'read'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Read",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains 'read'"
+ }
+ },
+ {
+ "constant": {
+ "value": 300402,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains 'read'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Read",
+ "field": "type_name",
+ "predicate": "unmapped.type contains 'read'"
+ }
+ },
+ {
+ "constant": {
+ "value": 3,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains ('updated','changed')"
+ }
+ },
+ {
+ "constant": {
+ "value": "Update",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains ('updated','changed')"
+ }
+ },
+ {
+ "constant": {
+ "value": 300403,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains ('updated','changed')"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Update",
+ "field": "type_name",
+ "predicate": "unmapped.type contains ('updated','changed')"
+ }
+ },
+ {
+ "constant": {
+ "value": 4,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
+ }
+ },
+ {
+ "constant": {
+ "value": "Delete",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
+ }
+ },
+ {
+ "constant": {
+ "value": 300404,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Delete",
+ "field": "type_name",
+ "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
+ }
+ },
+ {
+ "constant": {
+ "value": 8,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains 'enabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Enable",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains 'enabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": 300408,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains 'enabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Enable",
+ "field": "type_name",
+ "predicate": "unmapped.type contains 'enabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": 9,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains 'disabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Disable",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains 'disabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": 300409,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains 'disabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Disable",
+ "field": "type_name",
+ "predicate": "unmapped.type contains 'disabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": 10,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains 'activated'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Activate",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains 'activated'"
+ }
+ },
+ {
+ "constant": {
+ "value": 300410,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains 'activated'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Activate",
+ "field": "type_name",
+ "predicate": "unmapped.type contains 'activated'"
+ }
+ },
+ {
+ "constant": {
+ "value": 12,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains 'revoked'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Suspend",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains 'revoked'"
+ }
+ },
+ {
+ "constant": {
+ "value": 300412,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains 'revoked'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Suspend",
+ "field": "type_name",
+ "predicate": "unmapped.type contains 'revoked'"
+ }
+ },
+ {
+ "constant": {
+ "value": 99,
+ "field": "activity_id",
+ "predicate": "not (activity_id = *)"
+ }
+ },
+ {
+ "constant": {
+ "value": "Other",
+ "field": "activity_name",
+ "predicate": "not (activity_name = *)"
+ }
+ },
+ {
+ "constant": {
+ "value": 300499,
+ "field": "type_uid",
+ "predicate": "not (type_uid = *)"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Other",
+ "field": "type_name",
+ "predicate": "not (type_name = *)"
+ }
+ },
+ {
+ "constant": {
+ "value": 99,
+ "field": "severity_id"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.actor.node.email",
+ "to": "actor.user.email_addr"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.actor.name",
+ "to": "actor.user.full_name"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.actor.uuid",
+ "to": "actor.user.uid"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.actor.type",
+ "to": "actor.user.type"
+ }
+ },
+ {
+ "copy": {
+ "from": "actor.user.email_addr",
+ "to": "actor.user.name"
+ }
+ },
+ {
+ "replace": {
+ "field": "actor.user.name",
+ "regexp": "(.*?)@(.*)",
+ "replacement": "$1"
+ }
+ },
+ {
+ "copy": {
+ "from": "actor.user.email_addr",
+ "to": "actor.user.domain"
+ }
+ },
+ {
+ "replace": {
+ "field": "actor.user.domain",
+ "regexp": "(.*?)@(.*)",
+ "replacement": "$2"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.context.requestIpAddress",
+ "to": "src_endpoint.ip"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.context.requestIpAddress",
+ "to": "src_endpoint.ip"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.occurredAt",
+ "to": "time"
+ }
+ },
+ {
+ "cast": {
+ "field": "time",
+ "type": "iso8601TimestampToEpochSec"
+ }
+ }
+ ]
+ }
+ ]
+ }
 } \ No newline at end of file
diff --git a/Backend/parsers/community_new/cloudflare_general_logs-latest/cloudflare.conf b/Backend/parsers/community_new/cloudflare_general_logs-latest/cloudflare.conf
index 4c77d33..ed16cab 100644
--- a/Backend/parsers/community_new/cloudflare_general_logs-latest/cloudflare.conf
+++ b/Backend/parsers/community_new/cloudflare_general_logs-latest/cloudflare.conf
@@ -1,1284 +1,1284 @@
-{
- "attributes": {
- "dataSource.vendor": "Cloudflare",
- "dataSource.category": "security",
- "metadata.product.vendor_name": "Cloudflare",
- "metadata.version": "1.5.0"
- },
- "formats": [
- {
- "format": "$unmapped.{parse=gron}$",
- "rewrites": [
- {
- "input": "unmapped.CreatedAt",
- "output": "timestamp",
- "match": ".*",
- "replace": "$0"
- },
- {
- "input": "unmapped.Datetime",
- "output": "timestamp",
- "match": ".*",
- "replace": "$0"
- },
- {
- "input": "unmapped.Timestamp",
- "output": "timestamp",
- "match": ".*",
- "replace": "$0"
- },
- {
- "input": "unmapped.When",
- "output": "timestamp",
- "match": ".*",
- "replace": "$0"
- }
- ]
- }
- ],
- "mappings": {
- "version": 1,
- "mappings": [
- {
- "predicate": "aws contains 'access-requests'",
- "transformations": [
- {
- "constant": {
- "value": "Access Requests",
- "field": "dataSource.name"
- }
- },
- {
- "constant": {
- "value": "Access Requests",
- "field": "metadata.product.name"
- }
- },
- {
- "constant": {
- "value": 3004,
- "field": "class_uid",
- "predicate": "unmapped.Action = 'warpEnrollment'"
- }
- },
- {
- "constant": {
- "value": 3,
- "field": "category_uid",
- "predicate": "unmapped.Action = 'warpEnrollment'"
- }
- },
- {
- "constant": {
- "value": "Entity Management",
- "field": "class_name",
- "predicate": "unmapped.Action = 'warpEnrollment'"
- }
- },
- {
- "constant": {
- "value": "Identity & Access Management",
- "field": "category_name",
- "predicate": "unmapped.Action = 'warpEnrollment'"
- }
- },
- {
- "constant": {
- "value": 6,
- "field": "activity_id",
- "predicate": "unmapped.Action = 'warpEnrollment'"
- }
- },
- {
- "constant": {
- "value": "Enroll",
- "field": "activity_name",
- "predicate": "unmapped.Action = 'warpEnrollment'"
- }
- },
- {
- "constant": {
- "value": 300406,
- "field": "type_uid",
- "predicate": "unmapped.Action = 'warpEnrollment'"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Enroll",
- "field": "type_name",
- "predicate": "unmapped.Action = 'warpEnrollment'"
- }
- },
- {
- "constant": {
- "value": 3002,
- "field": "class_uid"
- }
- },
- {
- "constant": {
- "value": 3,
- "field": "category_uid"
- }
- },
- {
- "constant": {
- "value": "Authentication",
- "field": "class_name"
- }
- },
- {
- "constant": {
- "value": "Identity & Access Management",
- "field": "category_name"
- }
- },
- {
- "constant": {
- "value": 1,
- "field": "activity_id",
- "predicate": "unmapped.Action = 'login'"
- }
- },
- {
- "constant": {
- "value": 2,
- "field": "activity_id",
- "predicate": "unmapped.Action = 'logout'"
- }
- },
- {
- "constant": {
- "value": 99,
- "field": "activity_id",
- "predicate": "unmapped.Action = 'sso'"
- }
- },
- {
- "constant": {
- "value": "Logon",
- "field": "activity_name",
- "predicate": "unmapped.Action = 'login'"
- }
- },
- {
- "constant": {
- "value": "Logoff",
- "field": "activity_name",
- "predicate": "unmapped.Action = 'logout'"
- }
- },
- {
- "copy": {
- "from": "unmapped.Action",
- "to": "activity_name",
- "predicate": "unmapped.Action = 'sso'"
- }
- },
- {
- "constant": {
- "value": 300201,
- "field": "type_uid",
- "predicate": "unmapped.Action = 'login'"
- }
- },
- {
- "constant": {
- "value": 300202,
- "field": "type_uid",
- "predicate": "unmapped.Action = 'logout'"
- }
- },
- {
- "constant": {
- "value": 300299,
- "field": "type_uid",
- "predicate": "unmapped.Action = 'sso'"
- }
- },
- {
- "constant": {
- "value": "Authentication: Logon",
- "field": "type_name",
- "predicate": "unmapped.Action = 'login'"
- }
- },
- {
- "constant": {
- "value": "Authentication: Logoff",
- "field": "type_name",
- "predicate": "unmapped.Action = 'logout'"
- }
- },
- {
- "constant": {
- "value": "Authentication: Other",
- "field": "type_name",
- "predicate": "unmapped.Action = 'sso'"
- }
- },
- {
- "constant": {
- "value": 1,
- "field": "status_id",
- "predicate": "unmapped.Allowed = true"
- }
- },
- {
- "constant": {
- "value": 2,
- "field": "status_id",
- "predicate": "unmapped.Allowed = false"
- }
- },
- {
- "constant": {
- "value": 99,
- "field": "severity_id"
- }
- },
- {
- "rename": {
- "from": "unmapped.AppUUID",
- "to": "actor.app_uid"
- }
- },
- {
- "copy": {
- "from": "unmapped.AppDomain",
- "to": "actor.app_name"
- }
- },
- {
- "rename": {
- "from": "unmapped.Email",
- "to": "actor.user.email_addr"
- }
- },
- {
- "rename": {
- "from": "unmapped.UserUID",
- "to": "actor.user.uid"
- }
- },
- {
- "rename": {
- "from": "unmapped.IPAddress",
- "to": "src_endpoint.ip"
- }
- },
- {
- "rename": {
- "from": "unmapped.CreatedAt",
- "to": "time"
- }
- },
- {
- "cast": {
- "field": "time",
- "type": "iso8601TimestampToEpochSec"
- }
- }
- ]
- },
- {
- "predicate": "aws contains 'gateway-http'",
- "transformations": [
- {
- "constant": {
- "value": "Gateway HTTP",
- "field": "dataSource.name"
- }
- },
- {
- "constant": {
- "value": "Gateway HTTP",
- "field": "metadata.product.name"
- }
- },
- {
- "constant": {
- "value": 4002,
- "field": "class_uid"
- }
- },
- {
- "constant": {
- "value": 4,
- "field": "category_uid"
- }
- },
- {
- "constant": {
- "value": "HTTP Activity",
- "field": "class_name"
- }
- },
- {
- "constant": {
- "value": "Network Activity",
- "field": "category_name"
- }
- },
- {
- "constant": {
- "value": 99,
- "field": "activity_id"
- }
- },
- {
- "copy": {
- "from": "unmapped.Action",
- "to": "activity_name"
- }
- },
- {
- "constant": {
- "value": 400299,
- "field": "type_uid"
- }
- },
- {
- "constant": {
- "value": 99,
- "field": "severity_id"
- }
- },
- {
- "rename": {
- "from": "unmapped.HTTPHost",
- "to": "http_request.url.hostname"
- }
- },
- {
- "rename": {
- "from": "unmapped.URL",
- "to": "http_request.url.url_string"
- }
- },
- {
- "rename": {
- "from": "unmapped.HTTPMethod",
- "to": "http_request.http_method"
- }
- },
- {
- "rename": {
- "from": "unmapped.HTTPVersion",
- "to": "http_request.version"
- }
- },
- {
- "rename": {
- "from": "unmapped.HTTPStatusCode",
- "to": "http_response.code"
- }
- },
- {
- "rename": {
- "from": "unmapped.SourceIP",
- "to": "src_endpoint.ip"
- }
- },
- {
- "rename": {
- "from": "unmapped.SourcePort",
- "to": "src_endpoint.port"
- }
- },
- {
- "rename": {
- "from": "unmapped.DeviceID",
- "to": "src_endpoint.uid"
- }
- },
- {
- "rename": {
- "from": "unmapped.DeviceName",
- "to": "src_endpoint.name"
- }
- },
- {
- "rename": {
- "from": "unmapped.DestinationIP",
- "to": "dst_endpoint.ip"
- }
- },
- {
- "rename": {
- "from": "unmapped.DestinationPort",
- "to": "dst_endpoint.port"
- }
- },
- {
- "rename": {
- "from": "unmapped.Datetime",
- "to": "time"
- }
- },
- {
- "cast": {
- "field": "time",
- "type": "iso8601TimestampToEpochSec"
- }
- },
- {
- "constant": {
- "value": "Host",
- "field": "metadata.profiles[0]"
- }
- },
- {
- "rename": {
- "from": "unmapped.Email",
- "to": "actor.user.email_addr"
- }
- },
- {
- "copy": {
- "from": "actor.user.email_addr",
- "to": "actor.user.name"
- }
- },
- {
- "replace": {
- "field": "actor.user.name",
- "regexp": "(.*?)@(.*)",
- "replacement": "$1"
- }
- },
- {
- "copy": {
- "from": "actor.user.email_addr",
- "to": "actor.user.domain"
- }
- },
- {
- "replace": {
- "field": "actor.user.domain",
- "regexp": "(.*?)@(.*)",
- "replacement": "$2"
- }
- },
- {
- "rename": {
- "from": "unmapped.UserID",
- "to": "actor.user.uid"
- }
- }
- ]
- },
- {
- "predicate": "aws contains 'gateway-network'",
- "transformations": [
- {
- "constant": {
- "value": "Gateway Network",
- "field": "dataSource.name"
- }
- },
- {
- "constant": {
- "value": "Gateway Network",
- "field": "metadata.product.name"
- }
- },
- {
- "constant": {
- "value": 4001,
- "field": "class_uid"
- }
- },
- {
- "constant": {
- "value": 4,
- "field": "category_uid"
- }
- },
- {
- "constant": {
- "value": "Network Activity",
- "field": "class_name"
- }
- },
- {
- "constant": {
- "value": "Network Activity",
- "field": "category_name"
- }
- },
- {
- "constant": {
- "value": 99,
- "field": "activity_id"
- }
- },
- {
- "copy": {
- "from": "unmapped.Action",
- "to": "activity_name"
- }
- },
- {
- "constant": {
- "value": 400199,
- "field": "type_uid"
- }
- },
- {
- "constant": {
- "value": 99,
- "field": "severity_id"
- }
- },
- {
- "rename": {
- "from": "unmapped.SourceIP",
- "to": "src_endpoint.ip"
- }
- },
- {
- "rename": {
- "from": "unmapped.SourcePort",
- "to": "src_endpoint.port"
- }
- },
- {
- "rename": {
- "from": "unmapped.DeviceID",
- "to": "src_endpoint.uid"
- }
- },
- {
- "rename": {
- "from": "unmapped.DeviceName",
- "to": "src_endpoint.name"
- }
- },
- {
- "rename": {
- "from": "unmapped.DestinationIP",
- "to": "dst_endpoint.ip"
- }
- },
- {
- "rename": {
- "from": "unmapped.DestinationPort",
- "to": "dst_endpoint.port"
- }
- },
- {
- "rename": {
- "from": "unmapped.Datetime",
- "to": "time"
- }
- },
- {
- "cast": {
- "field": "time",
- "type": "iso8601TimestampToEpochSec"
- }
- },
- {
- "constant": {
- "value": "Host",
- "field": "metadata.profiles[0]"
- }
- },
- {
- "rename": {
- "from": "unmapped.Email",
- "to": "actor.user.email_addr"
- }
- },
- {
- "copy": {
- "from": "actor.user.email_addr",
- "to": "actor.user.name"
- }
- },
- {
- "replace": {
- "field": "actor.user.name",
- "regexp": "(.*?)@(.*)",
- "replacement": "$1"
- }
- },
- {
- "copy": {
- "from": "actor.user.email_addr",
- "to": "actor.user.domain"
- }
- },
- {
- "replace": {
- "field": "actor.user.domain",
- "regexp": "(.*?)@(.*)",
- "replacement": "$2"
- }
- },
- {
- "rename": {
- "from": "unmapped.UserID",
- "to": "actor.user.uid"
- }
- }
- ]
- },
- {
- "predicate": "aws contains 'device-posture'",
- "transformations": [
- {
- "constant": {
- "value": "Device Posture",
- "field": "dataSource.name"
- }
- },
- {
- "constant": {
- "value": "Device Posture",
- "field": "metadata.product.name"
- }
- },
- {
- "constant": {
- "value": 5001,
- "field": "class_uid"
- }
- },
- {
- "constant": {
- "value": 5,
- "field": "category_uid"
- }
- },
- {
- "constant": {
- "value": "Device Inventory Info",
- "field": "class_name"
- }
- },
- {
- "constant": {
- "value": "Discovery",
- "field": "category_name"
- }
- },
- {
- "constant": {
- "value": 2,
- "field": "activity_id"
- }
- },
- {
- "constant": {
- "value": "Collect",
- "field": "activity_name"
- }
- },
- {
- "constant": {
- "value": 500102,
- "field": "type_uid"
- }
- },
- {
- "constant": {
- "value": "Device Inventory Info: Collect",
- "field": "type_name"
- }
- },
- {
- "constant": {
- "value": 99,
- "field": "severity_id"
- }
- },
- {
- "rename": {
- "from": "unmapped.Timestamp",
- "to": "time"
- }
- },
- {
- "cast": {
- "field": "time",
- "type": "iso8601TimestampToEpochSec"
- }
- },
- {
- "rename": {
- "from": "unmapped.DeviceID",
- "to": "device.uid"
- }
- },
- {
- "rename": {
- "from": "unmapped.DeviceName",
- "to": "device.name"
- }
- },
- {
- "rename": {
- "from": "unmapped.DeviceManufacturer",
- "to": "device.manufacturer"
- }
- },
- {
- "rename": {
- "from": "unmapped.DeviceModel",
- "to": "device.model"
- }
- },
- {
- "rename": {
- "from": "unmapped.DeviceSerialNumber",
- "to": "device.hw_info.serial_number"
- }
- },
- {
- "rename": {
- "from": "unmapped.DeviceType",
- "to": "device.os.type"
- }
- },
- {
- "rename": {
- "from": "unmapped.OSVersion",
- "to": "device.os.version"
- }
- },
- {
- "rename": {
- "from": "unmapped.Email",
- "to": "device.owner.email_addr"
- }
- },
- {
- "copy": {
- "from": "device.owner.email_addr",
- "to": "device.owner.name"
- }
- },
- {
- "replace": {
- "field": "device.owner.name",
- "regexp": "(.*?)@(.*)",
- "replacement": "$1"
- }
- },
- {
- "copy": {
- "from": "device.owner.email_addr",
- "to": "device.owner.domain"
- }
- },
- {
- "replace": {
- "field": "device.owner.domain",
- "regexp": "(.*?)@(.*)",
- "replacement": "$2"
- }
- },
- {
- "replace": {
- "field": "device.owner.name",
- "regexp": "(.*?)@.*",
- "replacement": "$1"
- }
- },
- {
- "constant": {
- "value": 100,
- "field": "device.os.type_id",
- "predicate": "device.os.type = 'windows'"
- }
- },
- {
- "constant": {
- "value": 300,
- "field": "device.os.type_id",
- "predicate": "device.os.type = 'mac'"
- }
- },
- {
- "constant": {
- "value": 301,
- "field": "device.os.type_id",
- "predicate": "device.os.type = 'ios'"
- }
- }
- ]
- },
- {
- "predicate": "aws contains 'gateway-dns'",
- "transformations": [
- {
- "constant": {
- "value": "Gateway DNS",
- "field": "dataSource.name"
- }
- },
- {
- "constant": {
- "value": "Gateway DNS",
- "field": "metadata.product.name"
- }
- },
- {
- "constant": {
- "value": 4003,
- "field": "class_uid"
- }
- },
- {
- "constant": {
- "value": 4,
- "field": "category_uid"
- }
- },
- {
- "constant": {
- "value": "DNS Activity",
- "field": "class_name"
- }
- },
- {
- "constant": {
- "value": "Network Activity",
- "field": "category_name"
- }
- },
- {
- "constant": {
- "value": 1,
- "field": "activity_id"
- }
- },
- {
- "constant": {
- "value": "Query",
- "field": "activity_name"
- }
- },
- {
- "constant": {
- "value": 400301,
- "field": "type_uid"
- }
- },
- {
- "constant": {
- "value": 99,
- "field": "severity_id"
- }
- },
- {
- "rename": {
- "from": "unmapped.SrcIP",
- "to": "src_endpoint.ip"
- }
- },
- {
- "rename": {
- "from": "unmapped.SrcPort",
- "to": "src_endpoint.port"
- }
- },
- {
- "rename": {
- "from": "unmapped.DeviceID",
- "to": "src_endpoint.uid"
- }
- },
- {
- "rename": {
- "from": "unmapped.DeviceName",
- "to": "src_endpoint.name"
- }
- },
- {
- "rename": {
- "from": "unmapped.DstIP",
- "to": "dst_endpoint.ip"
- }
- },
- {
- "rename": {
- "from": "unmapped.DstPort",
- "to": "dst_endpoint.port"
- }
- },
- {
- "rename": {
- "from": "unmapped.Datetime",
- "to": "time"
- }
- },
- {
- "cast": {
- "field": "time",
- "type": "iso8601TimestampToEpochSec"
- }
- },
- {
- "rename": {
- "from": "unmapped.RCode",
- "to": "rcode_id"
- }
- },
- {
- "rename": {
- "from": "unmapped.QueryName",
- "to": "query.hostname"
- }
- },
- {
- "rename": {
- "from": "unmapped.QueryTypeName",
- "to": "query.type"
- }
- },
- {
- "rename_tree": {
- "from": "unmapped.RData",
- "to":
"answers" - } - }, - { - "rename": { - "from": "answers[*].data", - "to": "answers[*].rdata" - } - }, - { - "constant": { - "value": "Host", - "field": "metadata.profiles[0]" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserID", - "to": "actor.user.uid" - } - } - ] - }, - { - "predicate": "aws contains 'audit-logs'", - "transformations": [ - { - "constant": { - "value": "Audit Logs", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Audit Logs", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 3004, - "field": "class_uid" - } - }, - { - "constant": { - "value": 3, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Entity Management", - "field": "class_name" - } - }, - { - "constant": { - "value": "Identity & Access Management", - "field": "category_name" - } - }, - { - "constant": { - "value": 3, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": "Update", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": 300403, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": "Entity Management: Update", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": 1, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": 
"Create", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": 300401, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": "Entity Management: Create", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": 4, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": "Delete", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": 300404, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": "Entity Management: Delete", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": 12, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": "Suspend", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": 300412, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": "Entity Management: Suspend", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id", - "predicate": "not (activity_id = *)" - } - }, - { - "copy": { - "from": "unmapped.ActionType", - "to": "activity_name", - "predicate": "not (activity_name = *)" - } - }, - { - "constant": { - "value": 300499, - "field": "type_uid", - "predicate": "not (type_uid = *)" - } - }, - { - "constant": { - "value": "Entity Management: Other", - "field": "type_name", - "predicate": "not (type_name = *)" - } - }, - { - "constant": { - "value": 1, - "field": "status_id", - "predicate": 
"unmapped.Allowed = true" - } - }, - { - "constant": { - "value": 2, - "field": "status_id", - "predicate": "unmapped.Allowed = false" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserUID", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.IPAddress", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.When", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.ActorEmail", - "to": "actor.user.email_addr" - } - }, - { - "rename": { - "from": "unmapped.ActorID", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.ActorType", - "to": "actor.user.type" - } - }, - { - "rename": { - "from": "unmapped.ActorIP", - "to": "src_endpoint.ip" - } - } - ] - } - ] - } +{ + "attributes": { + "dataSource.vendor": "Cloudflare", + "dataSource.category": "security", + "metadata.product.vendor_name": "Cloudflare", + "metadata.version": "1.5.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.CreatedAt", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.Datetime", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.Timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.When", + "output": "timestamp", + "match": ".*", + 
"replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "aws contains 'access-requests'", + "transformations": [ + { + "constant": { + "value": "Access Requests", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Access Requests", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 3004, + "field": "class_uid", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Entity Management", + "field": "class_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 6, + "field": "activity_id", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Enroll", + "field": "activity_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 300406, + "field": "type_uid", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Entity Management: Enroll", + "field": "type_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 3002, + "field": "class_uid" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Authentication", + "field": "class_name" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + 
"predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": "Logon", + "field": "activity_name", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": "Logoff", + "field": "activity_name", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "copy": { + "from": "unmapped.Action", + "to": "activity_name", + "predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": 300201, + "field": "type_uid", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": 300202, + "field": "type_uid", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "constant": { + "value": 300299, + "field": "type_uid", + "predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": "Authentication: Logon", + "field": "type_name", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": "Authentication: Logoff", + "field": "type_name", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "constant": { + "value": "Authentication: Other", + "field": "type_name", + "predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.Allowed = true" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.Allowed = false" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.AppUUID", + "to": "actor.app_uid" + } + }, + { + "copy": { + "from": "unmapped.AppDomain", + "to": "actor.app_name" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.UserUID", + "to": "actor.user.uid" + } + }, + { + "rename": { + "from": "unmapped.IPAddress", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.CreatedAt", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + 
} + } + ] + }, + { + "predicate": "aws contains 'gateway-http'", + "transformations": [ + { + "constant": { + "value": "Gateway HTTP", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Gateway HTTP", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 4002, + "field": "class_uid" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "HTTP Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id" + } + }, + { + "copy": { + "from": "unmapped.Action", + "to": "activity_name" + } + }, + { + "constant": { + "value": 400299, + "field": "type_uid" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.HTTPHost", + "to": "http_request.url.hostname" + } + }, + { + "rename": { + "from": "unmapped.URL", + "to": "http_request.url.url_string" + } + }, + { + "rename": { + "from": "unmapped.HTTPMethod", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.HTTPVersion", + "to": "http_request.version" + } + }, + { + "rename": { + "from": "unmapped.HTTPStatusCode", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.SourceIP", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.SourcePort", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": "src_endpoint.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.DestinationIP", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.DestinationPort", + "to": "dst_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.Datetime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } 
+ }, + { + "constant": { + "value": "Host", + "field": "metadata.profiles[0]" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "rename": { + "from": "unmapped.UserID", + "to": "actor.user.uid" + } + } + ] + }, + { + "predicate": "aws contains 'gateway-network'", + "transformations": [ + { + "constant": { + "value": "Gateway Network", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Gateway Network", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 4001, + "field": "class_uid" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id" + } + }, + { + "copy": { + "from": "unmapped.Action", + "to": "activity_name" + } + }, + { + "constant": { + "value": 400199, + "field": "type_uid" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.SourceIP", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.SourcePort", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": "src_endpoint.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.DestinationIP", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.DestinationPort", + 
"to": "dst_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.Datetime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "constant": { + "value": "Host", + "field": "metadata.profiles[0]" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "rename": { + "from": "unmapped.UserID", + "to": "actor.user.uid" + } + } + ] + }, + { + "predicate": "aws contains 'device-posture'", + "transformations": [ + { + "constant": { + "value": "Device Posture", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Device Posture", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 5001, + "field": "class_uid" + } + }, + { + "constant": { + "value": 5, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Device Inventory Info", + "field": "class_name" + } + }, + { + "constant": { + "value": "Discovery", + "field": "category_name" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Collect", + "field": "activity_name" + } + }, + { + "constant": { + "value": 500102, + "field": "type_uid" + } + }, + { + "constant": { + "value": "Device Inventory Info: Collect", + "field": "type_name" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.Timestamp", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": 
"device.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "device.name" + } + }, + { + "rename": { + "from": "unmapped.DeviceManufacturer", + "to": "device.manufacturer" + } + }, + { + "rename": { + "from": "unmapped.DeviceModel", + "to": "device.model" + } + }, + { + "rename": { + "from": "unmapped.DeviceSerialNumber", + "to": "device.hw_info.serial_number" + } + }, + { + "rename": { + "from": "unmapped.DeviceType", + "to": "device.os.type" + } + }, + { + "rename": { + "from": "unmapped.OSVersion", + "to": "device.os.version" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "device.owner.email_addr" + } + }, + { + "copy": { + "from": "device.owner.email_addr", + "to": "device.owner.name" + } + }, + { + "replace": { + "field": "device.owner.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "device.owner.email_addr", + "to": "device.owner.domain" + } + }, + { + "replace": { + "field": "device.owner.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "replace": { + "field": "device.owner.name", + "regexp": "(.*?)@.*", + "replacement": "$1" + } + }, + { + "constant": { + "value": 100, + "field": "device.os.type_id", + "predicate": "device.os.type = 'windows'" + } + }, + { + "constant": { + "value": 300, + "field": "device.os.type_id", + "predicate": "device.os.type = 'mac'" + } + }, + { + "constant": { + "value": 301, + "field": "device.os.type_id", + "predicate": "device.os.type = 'ios'" + } + } + ] + }, + { + "predicate": "aws contains 'gateway-dns'", + "transformations": [ + { + "constant": { + "value": "Gateway DNS", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Gateway DNS", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 4003, + "field": "class_uid" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "DNS Activity", + "field": "class_name" + } + }, + { + 
"constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Query", + "field": "activity_name" + } + }, + { + "constant": { + "value": 400301, + "field": "type_uid" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.SrcIP", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.SrcPort", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": "src_endpoint.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.DstIP", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.DstPort", + "to": "dst_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.Datetime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.RCode", + "to": "rcode_id" + } + }, + { + "rename": { + "from": "unmapped.QueryName", + "to": "query.hostname" + } + }, + { + "rename": { + "from": "unmapped.QueryTypeName", + "to": "query.type" + } + }, + { + "rename_tree": { + "from": "unmapped.RData", + "to": "answers" + } + }, + { + "rename": { + "from": "answers[*].data", + "to": "answers[*].rdata" + } + }, + { + "constant": { + "value": "Host", + "field": "metadata.profiles[0]" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + 
"rename": { + "from": "unmapped.UserID", + "to": "actor.user.uid" + } + } + ] + }, + { + "predicate": "aws contains 'audit-logs'", + "transformations": [ + { + "constant": { + "value": "Audit Logs", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Audit Logs", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 3004, + "field": "class_uid" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Entity Management", + "field": "class_name" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 3, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": "Update", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": 300403, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": "Entity Management: Update", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": "Create", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": 300401, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": "Entity Management: Create", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": 4, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": "Delete", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": 
300404, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": "Entity Management: Delete", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": 12, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": "Suspend", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": 300412, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": "Entity Management: Suspend", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + "predicate": "not (activity_id = *)" + } + }, + { + "copy": { + "from": "unmapped.ActionType", + "to": "activity_name", + "predicate": "not (activity_name = *)" + } + }, + { + "constant": { + "value": 300499, + "field": "type_uid", + "predicate": "not (type_uid = *)" + } + }, + { + "constant": { + "value": "Entity Management: Other", + "field": "type_name", + "predicate": "not (type_name = *)" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.Allowed = true" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.Allowed = false" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + 
} + }, + { + "rename": { + "from": "unmapped.UserUID", + "to": "actor.user.uid" + } + }, + { + "rename": { + "from": "unmapped.IPAddress", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.When", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.ActorEmail", + "to": "actor.user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.ActorID", + "to": "actor.user.uid" + } + }, + { + "rename": { + "from": "unmapped.ActorType", + "to": "actor.user.type" + } + }, + { + "rename": { + "from": "unmapped.ActorIP", + "to": "src_endpoint.ip" + } + } + ] + } + ] + } } \ No newline at end of file diff --git a/Backend/utilities/parsers/community_new/ai-siem-main/dashboards/community/PurpleAI-monitor-latest/PurpleAI-monitor.conf b/Backend/utilities/parsers/community_new/ai-siem-main/dashboards/community/PurpleAI-monitor-latest/PurpleAI-monitor.conf index 242108c..2c4de28 100644 --- a/Backend/utilities/parsers/community_new/ai-siem-main/dashboards/community/PurpleAI-monitor-latest/PurpleAI-monitor.conf +++ b/Backend/utilities/parsers/community_new/ai-siem-main/dashboards/community/PurpleAI-monitor-latest/PurpleAI-monitor.conf 
@@ -1,53 +1,53 @@ -{ - graphs: [ - { - graphStyle: "", - query: "action = 'addPurpleInputOutputMessage'| group count = count() by analyst=inputContent.userDetails.emailAddress\n| sort -count", - teamEmails: [ - "123456@s1.oem" -], - title: "Questions asked by user", - layout: { - h: 14, - i: "0", - minH: 3, - minW: 6, - w: 15, - x: 45, - y: 0 -}, - plots: [], - showBarsColumn: "false" - }, - { - query: "source = \"scalyr\" action = 'addPurpleInputOutputMessage'| let output = (!isempty(outputContent.message) ? outputContent.message : outputContent.powerQuery.query)\n| columns timestamp, analyst=inputContent.userDetails.emailAddress, inputContent.userInput, output \n| sort +timestamp", - teamEmails: [ - "123456@s1.oem" -], - title: "All questions and answers by user", - layout: { - h: 17, - w: 60, - x: 0, - y: 14 -} - }, - { - graphStyle: "line", - lineSmoothing: "straightLines", - query: "source = \"scalyr\" action = 'addPurpleInputOutputMessage'| group count = count() by timestamp = timebucket(\"1 hour\"), status\n| transpose status on timestamp", - teamEmails: [ - "123456@s1.oem" -], - title: "Query timeline by status", - yScale: "linear", - layout: { - h: 14, - w: 45, - x: 0, - y: 0 -} - } - ], - options: {layout: {locked: 1}} -} +{ + graphs: [ + { + graphStyle: "", + query: "action = 'addPurpleInputOutputMessage'| group count = count() by analyst=inputContent.userDetails.emailAddress\n| sort -count", + teamEmails: [ + "123456@s1.oem" +], + title: "Questions asked by user", + layout: { + h: 14, + i: "0", + minH: 3, + minW: 6, + w: 15, + x: 45, + y: 0 +}, + plots: [], + showBarsColumn: "false" + }, + { + query: "source = \"scalyr\" action = 'addPurpleInputOutputMessage'| let output = (!isempty(outputContent.message) ? 
outputContent.message : outputContent.powerQuery.query)\n| columns timestamp, analyst=inputContent.userDetails.emailAddress, inputContent.userInput, output \n| sort +timestamp", + teamEmails: [ + "123456@s1.oem" +], + title: "All questions and answers by user", + layout: { + h: 17, + w: 60, + x: 0, + y: 14 +} + }, + { + graphStyle: "line", + lineSmoothing: "straightLines", + query: "source = \"scalyr\" action = 'addPurpleInputOutputMessage'| group count = count() by timestamp = timebucket(\"1 hour\"), status\n| transpose status on timestamp", + teamEmails: [ + "123456@s1.oem" +], + title: "Query timeline by status", + yScale: "linear", + layout: { + h: 14, + w: 45, + x: 0, + y: 0 +} + } + ], + options: {layout: {locked: 1}} +} diff --git a/Backend/utilities/parsers/community_new/ai-siem-main/dashboards/community/Threat-Investigation-latest/Threat-Investigation.conf b/Backend/utilities/parsers/community_new/ai-siem-main/dashboards/community/Threat-Investigation-latest/Threat-Investigation.conf index d8d9c66..5f2089c 100644 --- a/Backend/utilities/parsers/community_new/ai-siem-main/dashboards/community/Threat-Investigation-latest/Threat-Investigation.conf +++ b/Backend/utilities/parsers/community_new/ai-siem-main/dashboards/community/Threat-Investigation-latest/Threat-Investigation.conf 
@@ -1,533 +1,533 @@ -{ - tabs: [{"tabName":"Overview","graphs":[ - { - graphStyle: "stacked_bar", - query: "event.category contains \"\" dataSource.category = 'security'\n| group count = count() by event.category\n| sort -count", - - title: "Count by event category", - xAxis: "grouped_data", - yScale: "linear", - layout: { - h: 13, - w: 20, - x: 0, - y: 0 -} - }, - { - graphStyle: "stacked_bar", - query: "event.category = \"indicators\"\n| group count = count() by indicator.category \n| sort -count", - - title: "Indicators by category", - xAxis: "grouped_data", - yScale: "linear", - layout: { - h: 13, - w: 13, - x: 47, - y: 0 -} - , - }, - { - graphStyle: "line", - layout: { - h: 13, - w: 27, - x: 20, - y: 0 -}, - lineSmoothing: "straightLines", - query: "event.category = 'file' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.type\n| transpose event.type on timestamp", - - title: "File timeline", - yScale: "linear" - }, - { - query: "event.category = \"process\" dataSource.category = 'security'\n| group distinct_spawned_processes=estimate_distinct(tgt.process.user) by src.process.user \n| sort -distinct_spawned_processes", - - title: "Spawned processes by user", - graphStyle: "", - showBarsColumn: "true", - layout: { - h: 14, - w: 15, - x: 30, - y: 13 -} - , - }, - { - query: "event.category = \"ip\" event.network.direction = \"OUTGOING\" dataSource.category = 'security'\n| group count = count() by dst.ip.address, src.process.name\n| sort -count\n| columns src.process.name, dst.ip.address, count", - - title: "TOP outgoing IP connections by process", - graphStyle: "", - showBarsColumn: "true", - layout: { - h: 14, - w: 14, - x: 0, - y: 13 -} - }, - { - query: "event.category = \"dns\" dataSource.category = 'security'\n| group count = count() by src.process.name, event.dns.request\n| sort -count", - - title: "TOP DNS petitions by process", - layout: { - h: 14, - i: "6", - minH: 3, - minW: 6, - w: 16, - x: 14, - 
y: 13 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - graphStyle: "", - layout: { - h: 14, - i: "4", - minH: 3, - minW: 6, - w: 15, - x: 45, - y: 13 - }, - query: "event.category = 'indicators' indicator.name contains (\"appLockerBypass\",\n\"authenticationPackageImp\",\n\"blockedMimikatz\",\n\"bloodHound\",\n\"getAtomApcAddress\",\n\"injectionToSentinelProcess\",\n\"koadicWmicStager\",\n\"maliciousEmpirePowershellScript\",\n\"maliciousNativeApiPowershellScript\",\n\"maliciousPowershellScript\",\n\"MetasploitNamedPipeImpersonation\",\n\"metasploitShellTCP\",\n\"pentestingFramework\",\n\"pentestingFrameworkHash\",\n\"pictrap\",\n\"ranForbiddenLogonScreen\",\n\"ransomware\",\n\"samSave\",\n\"SPNRequestFromPowershell\",\n\"terminateProtectedProcessAttempt\",\n\"syskeyQuery\",\n\"localMachineHiveSave\",\n\"brute\") dataSource.category = 'security'\n| group count=count() by indicator.category, indicator.name\n| sort -count", - showBarsColumn: "false", - - title: "HIFI Indicators" - } - ], - filters: [ - { - facet: "endpoint.name", - name: "Endpoint name", - }, - { - facet: "src.process.storyline.id", - name: "Src storyline ID" - } - ], - options: {layout: {locked: 1}}, - options: {}, - options: {layout: {locked: 1}} -}, -{"tabName":"Process","graphs":[ - { - graphStyle: "", - query: "event.category = \"process\" dataSource.category = 'security'\n| group count=count() by src.process.name\n| sort -count", - - title: "TOP process spawners", - layout: { - h: 14, - w: 15, - x: 30, - y: 0 -}, - showBarsColumn: "true" - }, - { - graphStyle: "", - query: "event.category = \"process\" dataSource.category = 'security'\n| group count=count() by tgt.process.name\n| sort -count", - - title: "TOP spawned processes", - layout: { - h: 14, - w: 15, - x: 45, - y: 0 -}, - showBarsColumn: "true" - }, - { - query: "event.category = \"process\" dataSource.category = 'security' dataSource.category = 'security'\n| let tgt_details = format(\"(%s) %s (%s) -----> %s\", 
src.process.user, src.process.name, src.process.storyline.id, tgt.process.cmdline)\n| group count = count() by tgt_details\n| columns count, tgt_details\n| sort -count", - - title: "Processes grouped by target cmdlines", - layout: { - h: 29, - w: 60, - x: 0, - y: 14 -} - }, - { - graphStyle: "line", - lineSmoothing: "straightLines", - query: "event.category = \"process\" dataSource.category = 'security' dataSource.category = 'security'\n| group count=count() by src.process.user, timestamp = timebucket(\"1 minute\")\n\n| transpose src.process.user on timestamp", - - title: "Process timeline by user", - yScale: "linear", - layout: { - h: 14, - w: 30, - x: 0, - y: 0 -} - } -], -options: {layout: {locked: 1}}, -options: {}, -options: {layout: {locked: 1}}, -filters: [ - { - facet: "endpoint.name", - name: "Endpoint name" - }, - { - facet: "src.process.storyline.id", - name: "Src storyline ID" - } -], -options: {}, -options: {layout: {locked: 1}} -}, -{"tabName":"File", -filters : [ - { - facet: "endpoint.name", - name: "Endpoint name" - }, - { - facet: "src.process.storyline.id", - name: "Src storyline ID" - } - ], -graphs : [ - { - query: "event.category = \"file\"\n| let windows_path_array = array_split(tgt.file.path, \"\\\\\\\\\")\n| let windows_directory_path_array = array_slice(windows_path_array, 0, len(windows_path_array)-1)\n| let windows_directory_path_string = array_to_string(windows_directory_path_array, \"\\\\\")\n\n| let unix_path_array = array_split(tgt.file.path, \"/\")\n| let unix_directory_path_array = array_slice(unix_path_array, 0, len(unix_path_array)-1)\n| let unix_directory_path_string = array_to_string(unix_directory_path_array, \"/\")\n\n| let directory_path_string = (endpoint.os = \"windows\") ? 
windows_directory_path_string : unix_directory_path_string\n\n| group distinct_sha1_count = estimate_distinct(tgt.file.sha1), distinct_name_count = estimate_distinct(tgt.file.path), distinct_path_count = estimate_distinct(directory_path_string) by endpoint.name, src.process.name, src.process.image.sha1, event.type, tgt.file.extension\n| sort -distinct_name_count, distinct_path_count, distinct_sha1_count\n| columns event.type, tgt.file.extension, distinct_sha1_count, distinct_name_count, distinct_path_count, src.process.name, src.process.image.sha1\n| limit 20", - - title: "Distinct file interactions by process", - graphStyle: "", - showBarsColumn: "false", - layout: { - h: 14, - w: 38, - x: 0, - y: 12 -} - , - }, - { - query: "event.category = \"file\" dataSource.category = 'security' \n| let windows_path_array = array_split(tgt.file.path, \"\\\\\\\\\")\n| let windows_directory_path_array = array_slice(windows_path_array, 0, len(windows_path_array)-1)\n| let windows_directory_path_string = array_to_string(windows_directory_path_array, \"\\\\\")\n| let windows_filename_string = windows_path_array.get(len(windows_path_array)-1)\n\n| let unix_path_array = array_split(tgt.file.path, \"/\")\n| let unix_directory_path_array = array_slice(unix_path_array, 0, len(unix_path_array)-1)\n| let unix_directory_path_string = array_to_string(unix_directory_path_array, \"/\")\n| let unix_filename_string = unix_path_array.get(len(unix_path_array)-1)\n\n| let directory_path_string = (endpoint.os = \"windows\") ? windows_directory_path_string : unix_directory_path_string\n| let filename_string = (endpoint.os = \"windows\") ? 
windows_filename_string : unix_filename_string\n\n| group distinct_path_count = estimate_distinct(directory_path_string) by endpoint.name, src.process.name, src.process.image.sha1, event.type, tgt.file.extension, filename_string\n| sort -distinct_path_count\n| columns src.process.name, event.type, distinct_path_count, filename_string\n| limit 10", - - title: "Possible ransom notes", - graphStyle: "", - showBarsColumn: "false", - layout: { - h: 12, - w: 22, - x: 38, - y: 0 -} - }, - { - query: "event.category = \"file\"\n| let windows_path_array = array_split(tgt.file.path, \"\\\\\\\\\")\n| let windows_directory_path_array = array_slice(windows_path_array, 0, len(windows_path_array)-1)\n| let windows_directory_path_string = array_to_string(windows_directory_path_array, \"\\\\\")\n\n| let unix_path_array = array_split(tgt.file.path, \"/\")\n| let unix_directory_path_array = array_slice(unix_path_array, 0, len(unix_path_array)-1)\n| let unix_directory_path_string = array_to_string(unix_directory_path_array, \"/\")\n\n| let directory_path_string = (endpoint.os = \"windows\") ? 
windows_directory_path_string : unix_directory_path_string\n\n| group count = count() by event.type, src.process.name, tgt.file.extension, directory_path_string\n| sort -count\n| columns count, event.type, src.process.name, tgt.file.extension, directory_path_string", - - title: "Top file event count by src process (use with panel filter)", - layout: { - h: 14, - i: "2", - minH: 3, - minW: 6, - w: 22, - x: 38, - y: 12 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - graphStyle: "line", - layout: { - h: 12, - i: "0", - minH: 3, - minW: 6, - w: 38, - x: 0, - y: 0 - }, - lineSmoothing: "straightLines", - query: "event.category = 'file' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.type\n| transpose event.type on timestamp", - - title: "File timeline", - yScale: "linear" - } - ], -options: {layout: {locked: 1}}, -options: {} -}, -{"tabName":"Network","graphs":[ - { - graphStyle: "line", - lineSmoothing: "straightLines", - query: "event.category = 'ip' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.network.direction\n| transpose event.network.direction on timestamp", - - title: "IP connection timeline by direction", - yScale: "linear", - layout: { - h: 14, - w: 22, - x: 0, - y: 0 -} - }, - { - graphStyle: "line", - lineSmoothing: "straightLines", - query: "event.category = 'ip' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.network.connectionStatus\n| transpose event.network.connectionStatus on timestamp", - - title: "IP connection timeline by status", - yScale: "linear", - layout: { - h: 14, - w: 21, - x: 22, - y: 0 -} - }, - { - query: "event.category = \"ip\" and event.network.direction = \"OUTGOING\" dataSource.category = 'security'\n| group distinct_dstip=estimate_distinct(dst.ip.address) by endpoint.name, src.ip.address, src.process.name, src.process.storyline.id\n| sort 
-distinct_dstip\n| columns endpoint.name, src.process.storyline.id, src.process.name, src.ip.address, distinct_dstip\n| limit 10", - - title: "Possible outbound network scan", - layout: { - h: 12, - w: 50, - x: 10, - y: 28 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - query: "event.category = \"ip\" and event.network.direction = \"OUTGOING\" dataSource.category = 'security'\n| group distinct_dstport=estimate_distinct(dst.port.number)by dst.ip.address, endpoint.name, src.ip.address, src.process.name, src.process.storyline.id\n| sort -distinct_dstport\n| columns endpoint.name, src.process.storyline.id, src.process.name, src.ip.address, dst.ip.address, distinct_dstport\n| limit 10", - - title: "Possible outbound port scan", - layout: { - h: 12, - w: 50, - x: 10, - y: 40 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - query: "event.category = \"ip\" and event.network.direction = \"INCOMING\" dataSource.category = 'security'\n| group distinct_dstip=estimate_distinct(dst.ip.address) by src.ip.address\n| sort -distinct_dstip\n| columns src.ip.address, distinct_dstip \n| limit 10", - - title: "Possible inbound net scan", - layout: { - h: 12, - w: 10, - x: 0, - y: 28 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - query: "event.category = \"ip\" and event.network.direction = \"INCOMING\" dataSource.category = 'security'\n| group distinct_dstport=estimate_distinct(dst.port.number) by src.ip.address\n| sort -distinct_dstport\n| columns src.ip.address, distinct_dstport", - - title: "Possible inbound port scan", - layout: { - h: 12, - w: 10, - x: 0, - y: 40 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - graphStyle: "", - query: "event.category = 'ip' !isempty(dst.ip.address) dataSource.category = 'security'\n| group count = count() by dst.ip.address\n| sort -count", - - title: "Top destinations", - showBarsColumn: "true", - layout: { - h: 14, - w: 9, - x: 43, - y: 0 -} - }, - { - graphStyle: "", - query: "event.category = 'ip' 
!isempty(src.ip.address) dataSource.category = 'security'\n| group count = count() by src.ip.address\n| sort -count", - - title: "Top sources", - layout: { - h: 14, - w: 8, - x: 52, - y: 0 -}, - showBarsColumn: "true" - }, - { - query: "event.category = \"url\" and dataSource.category = 'security' dataSource.category = 'security' \n| group count = count() by url.address, src.process.name\n| sort -count\n| columns count, src.process.name, url.address", - - title: "URL count by process name", - layout: { - h: 14, - w: 40, - x: 20, - y: 14 -} - }, - { - query: "event.category = \"dns\" dataSource.category = 'security'\n| group count = count() by event.dns.request, src.process.name, src.process.storyline.id\n| sort -count\n| columns count, src.process.name, event.dns.request", - - title: "DNS count by process name", - layout: { - h: 14, - w: 20, - x: 0, - y: 14 -} - } -], -options: {layout: {locked: 1}}, -filters: [ - { - facet: "endpoint.name", - name: "Endpoint name" - }, - { - facet: "src.process.storyline.id", - name: "Src storyline ID" - } -], -options: {}, -options: {layout: {locked: 1}}, -options: {}, -options: {layout: {locked: 1}} -}, -{"tabName":"Indicators","graphs":[ - { - graphStyle: "stacked_bar", - query: "event.category = 'indicators' dataSource.category = 'security'\n| group count=count() by indicator.category\n| sort -count", - - title: "Indicator count by category", - xAxis: "grouped_data", - yScale: "linear", - layout: { - h: 14, - w: 15, - x: 0, - y: 0 -} - }, - { - query: "event.category = 'indicators' dataSource.category = 'security'\n| group count=count() by src.process.name, indicator.category, indicator.name, indicator.metadata\n| sort src.process.name, indicator.category, indicator.name, indicator.metadata\n| columns src.process.name, indicator.category, indicator.name, indicator.metadata", - - title: "Indicators with metadata", - layout: { - h: 28, - w: 60, - x: 0, - y: 14 -} - }, - { - query: "event.category = 'indicators' 
dataSource.category = 'security'\n| group count=count() by src.process.name, indicator.category, indicator.name\n| sort src.process.name, indicator.category, indicator.name\n| columns src.process.name, indicator.category, indicator.name", - - title: "Full indicator list", - layout: { - h: 14, - w: 30, - x: 30, - y: 0 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - graphStyle: "", - layout: { - h: 14, - w: 15, - x: 15, - y: 0 -}, - query: "event.category = 'indicators' indicator.name contains (\"appLockerBypass\",\n\"authenticationPackageImp\",\n\"blockedMimikatz\",\n\"bloodHound\",\n\"getAtomApcAddress\",\n\"injectionToSentinelProcess\",\n\"koadicWmicStager\",\n\"maliciousEmpirePowershellScript\",\n\"maliciousNativeApiPowershellScript\",\n\"maliciousPowershellScript\",\n\"MetasploitNamedPipeImpersonation\",\n\"metasploitShellTCP\",\n\"pentestingFramework\",\n\"pentestingFrameworkHash\",\n\"pictrap\",\n\"ranForbiddenLogonScreen\",\n\"ransomware\",\n\"samSave\",\n\"SPNRequestFromPowershell\",\n\"terminateProtectedProcessAttempt\",\n\"syskeyQuery\",\n\"localMachineHiveSave\",\n\"brute\") dataSource.category = 'security'\n| group count=count() by indicator.category, indicator.name\n| sort -count", - showBarsColumn: "false", - - title: "HIFI Indicators" - } -], -filters: [ - { - facet: "endpoint.name", - name: "Endpoint name", - }, - { - facet: "src.process.storyline.id", - name: "Src storyline ID" - } -], -options: {layout: {locked: 1}}, -options: {}, -options: {layout: {locked: 1}} -}, -{"tabName":"Lateral movement origin","graphs":[ - { - query: "event.category = \"ip\" dataSource.category = 'security'\n| let unknown_ip = src.ip.address\n| let potential_hostname = endpoint.name\n| group count = count() by potential_hostname, unknown_ip\n| columns unknown_ip, potential_hostname", - - title: "Retrieve endpoint name from IP events", - layout: { - h: 14, - i: "0", - minH: 3, - minW: 6, - w: 30, - x: 0, - y: 0 -}, - graphStyle: "", - showBarsColumn: "false" - 
}, - { - query: "event.category = \"dns\" dataSource.category = 'security'\n| let unknown_ip = event.dns.response\n| let potential_hostname = event.dns.request\n| group count = count() by unknown_ip, potential_hostname\n| columns unknown_ip, potential_hostname", - - title: "Retrieve endpoint name from DNS petitions", - graphStyle: "", - showBarsColumn: "false", - layout: { - h: 14, - i: "1", - minH: 3, - minW: 6, - w: 60, - x: 0, - y: 14 -} - }, - { - query: "event.category = \"logins\" event.login.userName contains \"$\" dataSource.category = 'security'\n| let unknown_ip = src.endpoint.ip.address\n| let potential_hostname = event.login.userName\n| group count = count() by potential_hostname, unknown_ip\n| columns unknown_ip, potential_hostname", - - title: "Retrieve endpoint name from login events", - graphStyle: "", - showBarsColumn: "false", - layout: { - h: 14, - i: "2", - minH: 3, - minW: 6, - w: 30, - x: 30, - y: 0 -} - } -], -filters: [ -], -options: {layout: {locked: 1}} -}], - configType: "TABBED" - } +{ + tabs: [{"tabName":"Overview","graphs":[ + { + graphStyle: "stacked_bar", + query: "event.category contains \"\" dataSource.category = 'security'\n| group count = count() by event.category\n| sort -count", + + title: "Count by event category", + xAxis: "grouped_data", + yScale: "linear", + layout: { + h: 13, + w: 20, + x: 0, + y: 0 +} + }, + { + graphStyle: "stacked_bar", + query: "event.category = \"indicators\"\n| group count = count() by indicator.category \n| sort -count", + + title: "Indicators by category", + xAxis: "grouped_data", + yScale: "linear", + layout: { + h: 13, + w: 13, + x: 47, + y: 0 +} + , + }, + { + graphStyle: "line", + layout: { + h: 13, + w: 27, + x: 20, + y: 0 +}, + lineSmoothing: "straightLines", + query: "event.category = 'file' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.type\n| transpose event.type on timestamp", + + title: "File timeline", + yScale: "linear" + }, + 
{ + query: "event.category = \"process\" dataSource.category = 'security'\n| group distinct_spawned_processes=estimate_distinct(tgt.process.user) by src.process.user \n| sort -distinct_spawned_processes", + + title: "Spawned processes by user", + graphStyle: "", + showBarsColumn: "true", + layout: { + h: 14, + w: 15, + x: 30, + y: 13 +} + , + }, + { + query: "event.category = \"ip\" event.network.direction = \"OUTGOING\" dataSource.category = 'security'\n| group count = count() by dst.ip.address, src.process.name\n| sort -count\n| columns src.process.name, dst.ip.address, count", + + title: "TOP outgoing IP connections by process", + graphStyle: "", + showBarsColumn: "true", + layout: { + h: 14, + w: 14, + x: 0, + y: 13 +} + }, + { + query: "event.category = \"dns\" dataSource.category = 'security'\n| group count = count() by src.process.name, event.dns.request\n| sort -count", + + title: "TOP DNS petitions by process", + layout: { + h: 14, + i: "6", + minH: 3, + minW: 6, + w: 16, + x: 14, + y: 13 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + graphStyle: "", + layout: { + h: 14, + i: "4", + minH: 3, + minW: 6, + w: 15, + x: 45, + y: 13 + }, + query: "event.category = 'indicators' indicator.name contains (\"appLockerBypass\",\n\"authenticationPackageImp\",\n\"blockedMimikatz\",\n\"bloodHound\",\n\"getAtomApcAddress\",\n\"injectionToSentinelProcess\",\n\"koadicWmicStager\",\n\"maliciousEmpirePowershellScript\",\n\"maliciousNativeApiPowershellScript\",\n\"maliciousPowershellScript\",\n\"MetasploitNamedPipeImpersonation\",\n\"metasploitShellTCP\",\n\"pentestingFramework\",\n\"pentestingFrameworkHash\",\n\"pictrap\",\n\"ranForbiddenLogonScreen\",\n\"ransomware\",\n\"samSave\",\n\"SPNRequestFromPowershell\",\n\"terminateProtectedProcessAttempt\",\n\"syskeyQuery\",\n\"localMachineHiveSave\",\n\"brute\") dataSource.category = 'security'\n| group count=count() by indicator.category, indicator.name\n| sort -count", + showBarsColumn: "false", + + title: "HIFI 
Indicators" + } + ], + filters: [ + { + facet: "endpoint.name", + name: "Endpoint name", + }, + { + facet: "src.process.storyline.id", + name: "Src storyline ID" + } + ], + options: {layout: {locked: 1}}, + options: {}, + options: {layout: {locked: 1}} +}, +{"tabName":"Process","graphs":[ + { + graphStyle: "", + query: "event.category = \"process\" dataSource.category = 'security'\n| group count=count() by src.process.name\n| sort -count", + + title: "TOP process spawners", + layout: { + h: 14, + w: 15, + x: 30, + y: 0 +}, + showBarsColumn: "true" + }, + { + graphStyle: "", + query: "event.category = \"process\" dataSource.category = 'security'\n| group count=count() by tgt.process.name\n| sort -count", + + title: "TOP spawned processes", + layout: { + h: 14, + w: 15, + x: 45, + y: 0 +}, + showBarsColumn: "true" + }, + { + query: "event.category = \"process\" dataSource.category = 'security' dataSource.category = 'security'\n| let tgt_details = format(\"(%s) %s (%s) -----> %s\", src.process.user, src.process.name, src.process.storyline.id, tgt.process.cmdline)\n| group count = count() by tgt_details\n| columns count, tgt_details\n| sort -count", + + title: "Processes grouped by target cmdlines", + layout: { + h: 29, + w: 60, + x: 0, + y: 14 +} + }, + { + graphStyle: "line", + lineSmoothing: "straightLines", + query: "event.category = \"process\" dataSource.category = 'security' dataSource.category = 'security'\n| group count=count() by src.process.user, timestamp = timebucket(\"1 minute\")\n\n| transpose src.process.user on timestamp", + + title: "Process timeline by user", + yScale: "linear", + layout: { + h: 14, + w: 30, + x: 0, + y: 0 +} + } +], +options: {layout: {locked: 1}}, +options: {}, +options: {layout: {locked: 1}}, +filters: [ + { + facet: "endpoint.name", + name: "Endpoint name" + }, + { + facet: "src.process.storyline.id", + name: "Src storyline ID" + } +], +options: {}, +options: {layout: {locked: 1}} +}, +{"tabName":"File", +filters : [ + { + facet: 
"endpoint.name", + name: "Endpoint name" + }, + { + facet: "src.process.storyline.id", + name: "Src storyline ID" + } + ], +graphs : [ + { + query: "event.category = \"file\"\n| let windows_path_array = array_split(tgt.file.path, \"\\\\\\\\\")\n| let windows_directory_path_array = array_slice(windows_path_array, 0, len(windows_path_array)-1)\n| let windows_directory_path_string = array_to_string(windows_directory_path_array, \"\\\\\")\n\n| let unix_path_array = array_split(tgt.file.path, \"/\")\n| let unix_directory_path_array = array_slice(unix_path_array, 0, len(unix_path_array)-1)\n| let unix_directory_path_string = array_to_string(unix_directory_path_array, \"/\")\n\n| let directory_path_string = (endpoint.os = \"windows\") ? windows_directory_path_string : unix_directory_path_string\n\n| group distinct_sha1_count = estimate_distinct(tgt.file.sha1), distinct_name_count = estimate_distinct(tgt.file.path), distinct_path_count = estimate_distinct(directory_path_string) by endpoint.name, src.process.name, src.process.image.sha1, event.type, tgt.file.extension\n| sort -distinct_name_count, distinct_path_count, distinct_sha1_count\n| columns event.type, tgt.file.extension, distinct_sha1_count, distinct_name_count, distinct_path_count, src.process.name, src.process.image.sha1\n| limit 20", + + title: "Distinct file interactions by process", + graphStyle: "", + showBarsColumn: "false", + layout: { + h: 14, + w: 38, + x: 0, + y: 12 +} + , + }, + { + query: "event.category = \"file\" dataSource.category = 'security' \n| let windows_path_array = array_split(tgt.file.path, \"\\\\\\\\\")\n| let windows_directory_path_array = array_slice(windows_path_array, 0, len(windows_path_array)-1)\n| let windows_directory_path_string = array_to_string(windows_directory_path_array, \"\\\\\")\n| let windows_filename_string = windows_path_array.get(len(windows_path_array)-1)\n\n| let unix_path_array = array_split(tgt.file.path, \"/\")\n| let unix_directory_path_array = 
array_slice(unix_path_array, 0, len(unix_path_array)-1)\n| let unix_directory_path_string = array_to_string(unix_directory_path_array, \"/\")\n| let unix_filename_string = unix_path_array.get(len(unix_path_array)-1)\n\n| let directory_path_string = (endpoint.os = \"windows\") ? windows_directory_path_string : unix_directory_path_string\n| let filename_string = (endpoint.os = \"windows\") ? windows_filename_string : unix_filename_string\n\n| group distinct_path_count = estimate_distinct(directory_path_string) by endpoint.name, src.process.name, src.process.image.sha1, event.type, tgt.file.extension, filename_string\n| sort -distinct_path_count\n| columns src.process.name, event.type, distinct_path_count, filename_string\n| limit 10", + + title: "Possible ransom notes", + graphStyle: "", + showBarsColumn: "false", + layout: { + h: 12, + w: 22, + x: 38, + y: 0 +} + }, + { + query: "event.category = \"file\"\n| let windows_path_array = array_split(tgt.file.path, \"\\\\\\\\\")\n| let windows_directory_path_array = array_slice(windows_path_array, 0, len(windows_path_array)-1)\n| let windows_directory_path_string = array_to_string(windows_directory_path_array, \"\\\\\")\n\n| let unix_path_array = array_split(tgt.file.path, \"/\")\n| let unix_directory_path_array = array_slice(unix_path_array, 0, len(unix_path_array)-1)\n| let unix_directory_path_string = array_to_string(unix_directory_path_array, \"/\")\n\n| let directory_path_string = (endpoint.os = \"windows\") ? 
windows_directory_path_string : unix_directory_path_string\n\n| group count = count() by event.type, src.process.name, tgt.file.extension, directory_path_string\n| sort -count\n| columns count, event.type, src.process.name, tgt.file.extension, directory_path_string", + + title: "Top file event count by src process (use with panel filter)", + layout: { + h: 14, + i: "2", + minH: 3, + minW: 6, + w: 22, + x: 38, + y: 12 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + graphStyle: "line", + layout: { + h: 12, + i: "0", + minH: 3, + minW: 6, + w: 38, + x: 0, + y: 0 + }, + lineSmoothing: "straightLines", + query: "event.category = 'file' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.type\n| transpose event.type on timestamp", + + title: "File timeline", + yScale: "linear" + } + ], +options: {layout: {locked: 1}}, +options: {} +}, +{"tabName":"Network","graphs":[ + { + graphStyle: "line", + lineSmoothing: "straightLines", + query: "event.category = 'ip' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.network.direction\n| transpose event.network.direction on timestamp", + + title: "IP connection timeline by direction", + yScale: "linear", + layout: { + h: 14, + w: 22, + x: 0, + y: 0 +} + }, + { + graphStyle: "line", + lineSmoothing: "straightLines", + query: "event.category = 'ip' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.network.connectionStatus\n| transpose event.network.connectionStatus on timestamp", + + title: "IP connection timeline by status", + yScale: "linear", + layout: { + h: 14, + w: 21, + x: 22, + y: 0 +} + }, + { + query: "event.category = \"ip\" and event.network.direction = \"OUTGOING\" dataSource.category = 'security'\n| group distinct_dstip=estimate_distinct(dst.ip.address) by endpoint.name, src.ip.address, src.process.name, src.process.storyline.id\n| sort 
-distinct_dstip\n| columns endpoint.name, src.process.storyline.id, src.process.name, src.ip.address, distinct_dstip\n| limit 10", + + title: "Possible outbound network scan", + layout: { + h: 12, + w: 50, + x: 10, + y: 28 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + query: "event.category = \"ip\" and event.network.direction = \"OUTGOING\" dataSource.category = 'security'\n| group distinct_dstport=estimate_distinct(dst.port.number)by dst.ip.address, endpoint.name, src.ip.address, src.process.name, src.process.storyline.id\n| sort -distinct_dstport\n| columns endpoint.name, src.process.storyline.id, src.process.name, src.ip.address, dst.ip.address, distinct_dstport\n| limit 10", + + title: "Possible outbound port scan", + layout: { + h: 12, + w: 50, + x: 10, + y: 40 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + query: "event.category = \"ip\" and event.network.direction = \"INCOMING\" dataSource.category = 'security'\n| group distinct_dstip=estimate_distinct(dst.ip.address) by src.ip.address\n| sort -distinct_dstip\n| columns src.ip.address, distinct_dstip \n| limit 10", + + title: "Possible inbound net scan", + layout: { + h: 12, + w: 10, + x: 0, + y: 28 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + query: "event.category = \"ip\" and event.network.direction = \"INCOMING\" dataSource.category = 'security'\n| group distinct_dstport=estimate_distinct(dst.port.number) by src.ip.address\n| sort -distinct_dstport\n| columns src.ip.address, distinct_dstport", + + title: "Possible inbound port scan", + layout: { + h: 12, + w: 10, + x: 0, + y: 40 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + graphStyle: "", + query: "event.category = 'ip' !isempty(dst.ip.address) dataSource.category = 'security'\n| group count = count() by dst.ip.address\n| sort -count", + + title: "Top destinations", + showBarsColumn: "true", + layout: { + h: 14, + w: 9, + x: 43, + y: 0 +} + }, + { + graphStyle: "", + query: "event.category = 'ip' 
!isempty(src.ip.address) dataSource.category = 'security'\n| group count = count() by src.ip.address\n| sort -count", + + title: "Top sources", + layout: { + h: 14, + w: 8, + x: 52, + y: 0 +}, + showBarsColumn: "true" + }, + { + query: "event.category = \"url\" and dataSource.category = 'security' dataSource.category = 'security' \n| group count = count() by url.address, src.process.name\n| sort -count\n| columns count, src.process.name, url.address", + + title: "URL count by process name", + layout: { + h: 14, + w: 40, + x: 20, + y: 14 +} + }, + { + query: "event.category = \"dns\" dataSource.category = 'security'\n| group count = count() by event.dns.request, src.process.name, src.process.storyline.id\n| sort -count\n| columns count, src.process.name, event.dns.request", + + title: "DNS count by process name", + layout: { + h: 14, + w: 20, + x: 0, + y: 14 +} + } +], +options: {layout: {locked: 1}}, +filters: [ + { + facet: "endpoint.name", + name: "Endpoint name" + }, + { + facet: "src.process.storyline.id", + name: "Src storyline ID" + } +], +options: {}, +options: {layout: {locked: 1}}, +options: {}, +options: {layout: {locked: 1}} +}, +{"tabName":"Indicators","graphs":[ + { + graphStyle: "stacked_bar", + query: "event.category = 'indicators' dataSource.category = 'security'\n| group count=count() by indicator.category\n| sort -count", + + title: "Indicator count by category", + xAxis: "grouped_data", + yScale: "linear", + layout: { + h: 14, + w: 15, + x: 0, + y: 0 +} + }, + { + query: "event.category = 'indicators' dataSource.category = 'security'\n| group count=count() by src.process.name, indicator.category, indicator.name, indicator.metadata\n| sort src.process.name, indicator.category, indicator.name, indicator.metadata\n| columns src.process.name, indicator.category, indicator.name, indicator.metadata", + + title: "Indicators with metadata", + layout: { + h: 28, + w: 60, + x: 0, + y: 14 +} + }, + { + query: "event.category = 'indicators' 
dataSource.category = 'security'\n| group count=count() by src.process.name, indicator.category, indicator.name\n| sort src.process.name, indicator.category, indicator.name\n| columns src.process.name, indicator.category, indicator.name", + + title: "Full indicator list", + layout: { + h: 14, + w: 30, + x: 30, + y: 0 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + graphStyle: "", + layout: { + h: 14, + w: 15, + x: 15, + y: 0 +}, + query: "event.category = 'indicators' indicator.name contains (\"appLockerBypass\",\n\"authenticationPackageImp\",\n\"blockedMimikatz\",\n\"bloodHound\",\n\"getAtomApcAddress\",\n\"injectionToSentinelProcess\",\n\"koadicWmicStager\",\n\"maliciousEmpirePowershellScript\",\n\"maliciousNativeApiPowershellScript\",\n\"maliciousPowershellScript\",\n\"MetasploitNamedPipeImpersonation\",\n\"metasploitShellTCP\",\n\"pentestingFramework\",\n\"pentestingFrameworkHash\",\n\"pictrap\",\n\"ranForbiddenLogonScreen\",\n\"ransomware\",\n\"samSave\",\n\"SPNRequestFromPowershell\",\n\"terminateProtectedProcessAttempt\",\n\"syskeyQuery\",\n\"localMachineHiveSave\",\n\"brute\") dataSource.category = 'security'\n| group count=count() by indicator.category, indicator.name\n| sort -count", + showBarsColumn: "false", + + title: "HIFI Indicators" + } +], +filters: [ + { + facet: "endpoint.name", + name: "Endpoint name", + }, + { + facet: "src.process.storyline.id", + name: "Src storyline ID" + } +], +options: {layout: {locked: 1}}, +options: {}, +options: {layout: {locked: 1}} +}, +{"tabName":"Lateral movement origin","graphs":[ + { + query: "event.category = \"ip\" dataSource.category = 'security'\n| let unknown_ip = src.ip.address\n| let potential_hostname = endpoint.name\n| group count = count() by potential_hostname, unknown_ip\n| columns unknown_ip, potential_hostname", + + title: "Retrieve endpoint name from IP events", + layout: { + h: 14, + i: "0", + minH: 3, + minW: 6, + w: 30, + x: 0, + y: 0 +}, + graphStyle: "", + showBarsColumn: "false" + 
}, + { + query: "event.category = \"dns\" dataSource.category = 'security'\n| let unknown_ip = event.dns.response\n| let potential_hostname = event.dns.request\n| group count = count() by unknown_ip, potential_hostname\n| columns unknown_ip, potential_hostname", + + title: "Retrieve endpoint name from DNS petitions", + graphStyle: "", + showBarsColumn: "false", + layout: { + h: 14, + i: "1", + minH: 3, + minW: 6, + w: 60, + x: 0, + y: 14 +} + }, + { + query: "event.category = \"logins\" event.login.userName contains \"$\" dataSource.category = 'security'\n| let unknown_ip = src.endpoint.ip.address\n| let potential_hostname = event.login.userName\n| group count = count() by potential_hostname, unknown_ip\n| columns unknown_ip, potential_hostname", + + title: "Retrieve endpoint name from login events", + graphStyle: "", + showBarsColumn: "false", + layout: { + h: 14, + i: "2", + minH: 3, + minW: 6, + w: 30, + x: 30, + y: 0 +} + } +], +filters: [ +], +options: {layout: {locked: 1}} +}], + configType: "TABBED" + } diff --git a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/aws_vpc_dns_logs-latest/aws_vpc_dns.conf b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/aws_vpc_dns_logs-latest/aws_vpc_dns.conf index 9dc1384..f25eb2a 100644 --- a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/aws_vpc_dns_logs-latest/aws_vpc_dns.conf +++ b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/aws_vpc_dns_logs-latest/aws_vpc_dns.conf 
@@ -1,207 +1,207 @@ -{ - "attributes": { - "dataSource.name": "AWS VPC DNS", - "dataSource.vendor": "AWS", - "dataSource.category": "security", - "metadata.product.name": "VPC DNS", - "metadata.product.vendor_name": "AWS", - "metadata.version": "1.5.0" - }, - "formats": [ - { - "format": "$unmapped.{parse=gron}$", - "rewrites": [ - { - "input": "unmapped.query_timestamp", - "output": "timestamp", - "match": ".*", - "replace": "$0" - } - ] - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "true", - "transformations": [ - { - "constant": { - "value": 6, - "field": "activity_id" - } - }, - { - "constant": { - "value": "Traffic", - "field": "activity_name" - } - }, - { - "constant": { - "value": 4, - "field": "category_uid" - } - }, - { - "constant": { - "value": 4003, - "field": "class_uid" - } - }, - { - "constant": { - "value": "DNS Activity", - "field": "class_name" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "category_name" - } - }, - { - "constant": { - "value": 400306, - "field": "type_uid" - } - }, - { - "constant": { - "value": "DNS Activity: Traffic", - "field": "type_name" - } - }, - { - "copy": { - "from": "unmapped.query_timestamp", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.query_timestamp", - "to": "query_time" - } - }, - { - "rename": { - "from": "unmapped.query_class", - "to": "query.class" - } - }, - { - "rename": { - "from": "unmapped.query_name", - "to": "query.hostname" - } - }, - { - "rename": { - "from": "unmapped.query_type", - "to": "query.type" - } - }, - { - "rename": { - "from": "unmapped.rcode", - "to": "rcode" - } - }, - { - "rename": { - "from": "unmapped.answers.Rdata", - "to": "answers.rdata" - } - }, - { - "rename": { - "from": "unmapped.answers.Class", - "to": "answers.class" - } - }, - { - "rename": { - "from": "unmapped.answers.Type", - "to": "answers.type" - } - }, - { - 
"rename": { - "from": "unmapped.srcaddr", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.srcport", - "to": "src_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.vpc_id", - "to": "src_endpoint.vpc_uid" - } - }, - { - "rename": { - "from": "unmapped.srcids.instance", - "to": "src_endpoint.instance_uid" - } - }, - { - "rename": { - "from": "unmapped.region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.transport", - "to": "connection_info.protocol_name" - } - }, - { - "rename": { - "from": "unmapped.account_id", - "to": "cloud.account.uid" - } - }, - { - "rename": { - "from": "unmapped.version", - "to": "metadata.product.version" - } - }, - { - "rename": { - "from": "unmapped.answers[*].Rdata", - "to": "answers[*].rdata" - } - }, - { - "rename": { - "from": "unmapped.answers[*].Class", - "to": "answers[*].class" - } - }, - { - "rename": { - "from": "unmapped.answers[*].Type", - "to": "answers[*].type" - } - } - ] - } - ] - } +{ + "attributes": { + "dataSource.name": "AWS VPC DNS", + "dataSource.vendor": "AWS", + "dataSource.category": "security", + "metadata.product.name": "VPC DNS", + "metadata.product.vendor_name": "AWS", + "metadata.version": "1.5.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.query_timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "constant": { + "value": 6, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Traffic", + "field": "activity_name" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": 4003, + "field": "class_uid" + } + }, + { + "constant": { + "value": "DNS Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": 
{ + "value": 400306, + "field": "type_uid" + } + }, + { + "constant": { + "value": "DNS Activity: Traffic", + "field": "type_name" + } + }, + { + "copy": { + "from": "unmapped.query_timestamp", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.query_timestamp", + "to": "query_time" + } + }, + { + "rename": { + "from": "unmapped.query_class", + "to": "query.class" + } + }, + { + "rename": { + "from": "unmapped.query_name", + "to": "query.hostname" + } + }, + { + "rename": { + "from": "unmapped.query_type", + "to": "query.type" + } + }, + { + "rename": { + "from": "unmapped.rcode", + "to": "rcode" + } + }, + { + "rename": { + "from": "unmapped.answers.Rdata", + "to": "answers.rdata" + } + }, + { + "rename": { + "from": "unmapped.answers.Class", + "to": "answers.class" + } + }, + { + "rename": { + "from": "unmapped.answers.Type", + "to": "answers.type" + } + }, + { + "rename": { + "from": "unmapped.srcaddr", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.srcport", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.vpc_id", + "to": "src_endpoint.vpc_uid" + } + }, + { + "rename": { + "from": "unmapped.srcids.instance", + "to": "src_endpoint.instance_uid" + } + }, + { + "rename": { + "from": "unmapped.region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.transport", + "to": "connection_info.protocol_name" + } + }, + { + "rename": { + "from": "unmapped.account_id", + "to": "cloud.account.uid" + } + }, + { + "rename": { + "from": "unmapped.version", + "to": "metadata.product.version" + } + }, + { + "rename": { + "from": "unmapped.answers[*].Rdata", + "to": "answers[*].rdata" + } + }, + { + "rename": { + "from": "unmapped.answers[*].Class", + "to": "answers[*].class" + } + }, + { + "rename": { + "from": "unmapped.answers[*].Type", + "to": "answers[*].type" + } + } + ] + } + ] + } } \ No newline at end of 
file diff --git a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/buildkite_ci_logs-latest/buildkite.conf b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/buildkite_ci_logs-latest/buildkite.conf index 282c48b..76b6292 100644 --- a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/buildkite_ci_logs-latest/buildkite.conf +++ b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/buildkite_ci_logs-latest/buildkite.conf 
@@ -1,395 +1,395 @@ -{ - "attributes": { - "dataSource.name": "Buildkite Audit", - "dataSource.vendor": "Buildkite", - "dataSource.category": "security", - "metadata.product.name": "Buildkite Audit", - "metadata.product.vendor_name": "Buildkite", - "metadata.version": "1.5.0" - }, - "formats": [ - { - "format": "$unmapped.{parse=gron}$", - "rewrites": [ - { - "input": "unmapped.occurredAt", - "output": "timestamp", - "match": ".*", - "replace": "$0" - } - ] - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "true", - "transformations": [ - { - "copy": { - "from": "unmapped.type", - "to": "event.action" - } - }, - { - "constant": { - "value": 3004, - "field": "class_uid" - } - }, - { - "constant": { - "value": 3, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Entity Management", - "field": "class_name" - } - }, - { - "constant": { - "value": "Identity & Access Management", - "field": "category_name" - } - }, - { - "constant": { - "value": 1, - "field": "activity_id", - "predicate": "unmapped.type contains ('created','added')" - } - }, - { - "constant": { - "value": "Create", - "field": "activity_name", - "predicate": "unmapped.type contains ('created','added')" - } - }, - { - "constant": { - "value": 300401, - "field": "type_uid", - "predicate": "unmapped.type contains ('created','added')" - } - }, - { - "constant": { - "value": "Entity Management: Create", - "field": "type_name", - "predicate": "unmapped.type contains ('created','added')" - } - }, - { - "constant": { - "value": 2, - "field": "activity_id", - "predicate": "unmapped.type contains 'read'" - } - }, - { - "constant": { - "value": "Read", - "field": "activity_name", - "predicate": "unmapped.type contains 'read'" - } - }, - { - "constant": { - "value": 300402, - "field": "type_uid", - "predicate": "unmapped.type contains 'read'" - } - }, - { - "constant": { - "value": "Entity Management: Read", - "field": "type_name", - "predicate": "unmapped.type contains 
'read'" - } - }, - { - "constant": { - "value": 3, - "field": "activity_id", - "predicate": "unmapped.type contains ('updated','changed')" - } - }, - { - "constant": { - "value": "Update", - "field": "activity_name", - "predicate": "unmapped.type contains ('updated','changed')" - } - }, - { - "constant": { - "value": 300403, - "field": "type_uid", - "predicate": "unmapped.type contains ('updated','changed')" - } - }, - { - "constant": { - "value": "Entity Management: Update", - "field": "type_name", - "predicate": "unmapped.type contains ('updated','changed')" - } - }, - { - "constant": { - "value": 4, - "field": "activity_id", - "predicate": "unmapped.type contains ('deleted','destroyed','removed')" - } - }, - { - "constant": { - "value": "Delete", - "field": "activity_name", - "predicate": "unmapped.type contains ('deleted','destroyed','removed')" - } - }, - { - "constant": { - "value": 300404, - "field": "type_uid", - "predicate": "unmapped.type contains ('deleted','destroyed','removed')" - } - }, - { - "constant": { - "value": "Entity Management: Delete", - "field": "type_name", - "predicate": "unmapped.type contains ('deleted','destroyed','removed')" - } - }, - { - "constant": { - "value": 8, - "field": "activity_id", - "predicate": "unmapped.type contains 'enabled'" - } - }, - { - "constant": { - "value": "Enable", - "field": "activity_name", - "predicate": "unmapped.type contains 'enabled'" - } - }, - { - "constant": { - "value": 300408, - "field": "type_uid", - "predicate": "unmapped.type contains 'enabled'" - } - }, - { - "constant": { - "value": "Entity Management: Enable", - "field": "type_name", - "predicate": "unmapped.type contains 'enabled'" - } - }, - { - "constant": { - "value": 9, - "field": "activity_id", - "predicate": "unmapped.type contains 'disabled'" - } - }, - { - "constant": { - "value": "Disable", - "field": "activity_name", - "predicate": "unmapped.type contains 'disabled'" - } - }, - { - "constant": { - "value": 300409, - "field": 
"type_uid", - "predicate": "unmapped.type contains 'disabled'" - } - }, - { - "constant": { - "value": "Entity Management: Disable", - "field": "type_name", - "predicate": "unmapped.type contains 'disabled'" - } - }, - { - "constant": { - "value": 10, - "field": "activity_id", - "predicate": "unmapped.type contains 'activated'" - } - }, - { - "constant": { - "value": "Activate", - "field": "activity_name", - "predicate": "unmapped.type contains 'activated'" - } - }, - { - "constant": { - "value": 300410, - "field": "type_uid", - "predicate": "unmapped.type contains 'activated'" - } - }, - { - "constant": { - "value": "Entity Management: Activate", - "field": "type_name", - "predicate": "unmapped.type contains 'activated'" - } - }, - { - "constant": { - "value": 12, - "field": "activity_id", - "predicate": "unmapped.type contains 'revoked'" - } - }, - { - "constant": { - "value": "Suspend", - "field": "activity_name", - "predicate": "unmapped.type contains 'revoked'" - } - }, - { - "constant": { - "value": 300412, - "field": "type_uid", - "predicate": "unmapped.type contains 'revoked'" - } - }, - { - "constant": { - "value": "Entity Management: Suspend", - "field": "type_name", - "predicate": "unmapped.type contains 'revoked'" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id", - "predicate": "not (activity_id = *)" - } - }, - { - "constant": { - "value": "Other", - "field": "activity_name", - "predicate": "not (activity_name = *)" - } - }, - { - "constant": { - "value": 300499, - "field": "type_uid", - "predicate": "not (type_uid = *)" - } - }, - { - "constant": { - "value": "Entity Management: Other", - "field": "type_name", - "predicate": "not (type_name = *)" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.actor.node.email", - "to": "actor.user.email_addr" - } - }, - { - "rename": { - "from": "unmapped.actor.name", - "to": "actor.user.full_name" - } - }, - { - "rename": { - 
"from": "unmapped.actor.uuid", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.actor.type", - "to": "actor.user.type" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.context.requestIpAddress", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.context.requestIpAddress", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.occurredAt", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - } - ] - } - ] - } +{ + "attributes": { + "dataSource.name": "Buildkite Audit", + "dataSource.vendor": "Buildkite", + "dataSource.category": "security", + "metadata.product.name": "Buildkite Audit", + "metadata.product.vendor_name": "Buildkite", + "metadata.version": "1.5.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.occurredAt", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + { + "copy": { + "from": "unmapped.type", + "to": "event.action" + } + }, + { + "constant": { + "value": 3004, + "field": "class_uid" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Entity Management", + "field": "class_name" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.type contains ('created','added')" + } + }, + { + 
"constant": { + "value": "Create", + "field": "activity_name", + "predicate": "unmapped.type contains ('created','added')" + } + }, + { + "constant": { + "value": 300401, + "field": "type_uid", + "predicate": "unmapped.type contains ('created','added')" + } + }, + { + "constant": { + "value": "Entity Management: Create", + "field": "type_name", + "predicate": "unmapped.type contains ('created','added')" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "unmapped.type contains 'read'" + } + }, + { + "constant": { + "value": "Read", + "field": "activity_name", + "predicate": "unmapped.type contains 'read'" + } + }, + { + "constant": { + "value": 300402, + "field": "type_uid", + "predicate": "unmapped.type contains 'read'" + } + }, + { + "constant": { + "value": "Entity Management: Read", + "field": "type_name", + "predicate": "unmapped.type contains 'read'" + } + }, + { + "constant": { + "value": 3, + "field": "activity_id", + "predicate": "unmapped.type contains ('updated','changed')" + } + }, + { + "constant": { + "value": "Update", + "field": "activity_name", + "predicate": "unmapped.type contains ('updated','changed')" + } + }, + { + "constant": { + "value": 300403, + "field": "type_uid", + "predicate": "unmapped.type contains ('updated','changed')" + } + }, + { + "constant": { + "value": "Entity Management: Update", + "field": "type_name", + "predicate": "unmapped.type contains ('updated','changed')" + } + }, + { + "constant": { + "value": 4, + "field": "activity_id", + "predicate": "unmapped.type contains ('deleted','destroyed','removed')" + } + }, + { + "constant": { + "value": "Delete", + "field": "activity_name", + "predicate": "unmapped.type contains ('deleted','destroyed','removed')" + } + }, + { + "constant": { + "value": 300404, + "field": "type_uid", + "predicate": "unmapped.type contains ('deleted','destroyed','removed')" + } + }, + { + "constant": { + "value": "Entity Management: Delete", + "field": "type_name", + 
"predicate": "unmapped.type contains ('deleted','destroyed','removed')" + } + }, + { + "constant": { + "value": 8, + "field": "activity_id", + "predicate": "unmapped.type contains 'enabled'" + } + }, + { + "constant": { + "value": "Enable", + "field": "activity_name", + "predicate": "unmapped.type contains 'enabled'" + } + }, + { + "constant": { + "value": 300408, + "field": "type_uid", + "predicate": "unmapped.type contains 'enabled'" + } + }, + { + "constant": { + "value": "Entity Management: Enable", + "field": "type_name", + "predicate": "unmapped.type contains 'enabled'" + } + }, + { + "constant": { + "value": 9, + "field": "activity_id", + "predicate": "unmapped.type contains 'disabled'" + } + }, + { + "constant": { + "value": "Disable", + "field": "activity_name", + "predicate": "unmapped.type contains 'disabled'" + } + }, + { + "constant": { + "value": 300409, + "field": "type_uid", + "predicate": "unmapped.type contains 'disabled'" + } + }, + { + "constant": { + "value": "Entity Management: Disable", + "field": "type_name", + "predicate": "unmapped.type contains 'disabled'" + } + }, + { + "constant": { + "value": 10, + "field": "activity_id", + "predicate": "unmapped.type contains 'activated'" + } + }, + { + "constant": { + "value": "Activate", + "field": "activity_name", + "predicate": "unmapped.type contains 'activated'" + } + }, + { + "constant": { + "value": 300410, + "field": "type_uid", + "predicate": "unmapped.type contains 'activated'" + } + }, + { + "constant": { + "value": "Entity Management: Activate", + "field": "type_name", + "predicate": "unmapped.type contains 'activated'" + } + }, + { + "constant": { + "value": 12, + "field": "activity_id", + "predicate": "unmapped.type contains 'revoked'" + } + }, + { + "constant": { + "value": "Suspend", + "field": "activity_name", + "predicate": "unmapped.type contains 'revoked'" + } + }, + { + "constant": { + "value": 300412, + "field": "type_uid", + "predicate": "unmapped.type contains 'revoked'" + } + 
}, + { + "constant": { + "value": "Entity Management: Suspend", + "field": "type_name", + "predicate": "unmapped.type contains 'revoked'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + "predicate": "not (activity_id = *)" + } + }, + { + "constant": { + "value": "Other", + "field": "activity_name", + "predicate": "not (activity_name = *)" + } + }, + { + "constant": { + "value": 300499, + "field": "type_uid", + "predicate": "not (type_uid = *)" + } + }, + { + "constant": { + "value": "Entity Management: Other", + "field": "type_name", + "predicate": "not (type_name = *)" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.actor.node.email", + "to": "actor.user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.actor.name", + "to": "actor.user.full_name" + } + }, + { + "rename": { + "from": "unmapped.actor.uuid", + "to": "actor.user.uid" + } + }, + { + "rename": { + "from": "unmapped.actor.type", + "to": "actor.user.type" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "rename": { + "from": "unmapped.context.requestIpAddress", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.context.requestIpAddress", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.occurredAt", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + } + ] + } + ] + } } \ No newline at end of file 
diff --git a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/cloudflare_general_logs-latest/cloudflare.conf b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/cloudflare_general_logs-latest/cloudflare.conf index 4c77d33..ed16cab 100644 --- a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/cloudflare_general_logs-latest/cloudflare.conf +++ b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/cloudflare_general_logs-latest/cloudflare.conf 
@@ -1,1284 +1,1284 @@ -{ - "attributes": { - "dataSource.vendor": "Cloudflare", - "dataSource.category": "security", - "metadata.product.vendor_name": "Cloudflare", - "metadata.version": "1.5.0" - }, - "formats": [ - { - "format": "$unmapped.{parse=gron}$", - "rewrites": [ - { - "input": "unmapped.CreatedAt", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.Datetime", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.Timestamp", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.When", - "output": "timestamp", - "match": ".*", - "replace": "$0" - } - ] - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "aws contains 'access-requests'", - "transformations": [ - { - "constant": { - "value": "Access Requests", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Access Requests", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 3004, - "field": "class_uid", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": 3, - "field": "category_uid", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": "Entity Management", - "field": "class_name", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": "Identity & Access Management", - "field": "category_name", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": 6, - "field": "activity_id", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": "Enroll", - "field": "activity_name", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": 300406, - "field": "type_uid", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": "Entity Management: Enroll", - "field": "type_name", - 
"predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": 3002, - "field": "class_uid" - } - }, - { - "constant": { - "value": 3, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Authentication", - "field": "class_name" - } - }, - { - "constant": { - "value": "Identity & Access Management", - "field": "category_name" - } - }, - { - "constant": { - "value": 1, - "field": "activity_id", - "predicate": "unmapped.Action = 'login'" - } - }, - { - "constant": { - "value": 2, - "field": "activity_id", - "predicate": "unmapped.Action = 'logout'" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id", - "predicate": "unmapped.Action = 'sso'" - } - }, - { - "constant": { - "value": "Logon", - "field": "activity_name", - "predicate": "unmapped.Action = 'login'" - } - }, - { - "constant": { - "value": "Logoff", - "field": "activity_name", - "predicate": "unmapped.Action = 'logout'" - } - }, - { - "copy": { - "from": "unmapped.Action", - "to": "activity_name", - "predicate": "unmapped.Action = 'sso'" - } - }, - { - "constant": { - "value": 300201, - "field": "type_uid", - "predicate": "unmapped.Action = 'login'" - } - }, - { - "constant": { - "value": 300202, - "field": "type_uid", - "predicate": "unmapped.Action = 'logout'" - } - }, - { - "constant": { - "value": 300299, - "field": "type_uid", - "predicate": "unmapped.Action = 'sso'" - } - }, - { - "constant": { - "value": "Authentication: Logon", - "field": "type_name", - "predicate": "unmapped.Action = 'login'" - } - }, - { - "constant": { - "value": "Authentication: Logoff", - "field": "type_name", - "predicate": "unmapped.Action = 'logout'" - } - }, - { - "constant": { - "value": "Authentication: Other", - "field": "type_name", - "predicate": "unmapped.Action = 'sso'" - } - }, - { - "constant": { - "value": 1, - "field": "status_id", - "predicate": "unmapped.Allowed = true" - } - }, - { - "constant": { - "value": 2, - "field": "status_id", - "predicate": 
"unmapped.Allowed = false" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.AppUUID", - "to": "actor.app_uid" - } - }, - { - "copy": { - "from": "unmapped.AppDomain", - "to": "actor.app_name" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "rename": { - "from": "unmapped.UserUID", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.IPAddress", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.CreatedAt", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - } - ] - }, - { - "predicate": "aws contains 'gateway-http'", - "transformations": [ - { - "constant": { - "value": "Gateway HTTP", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Gateway HTTP", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 4002, - "field": "class_uid" - } - }, - { - "constant": { - "value": 4, - "field": "category_uid" - } - }, - { - "constant": { - "value": "HTTP Activity", - "field": "class_name" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "category_name" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id" - } - }, - { - "copy": { - "from": "unmapped.Action", - "to": "activity_name" - } - }, - { - "constant": { - "value": 400299, - "field": "type_uid" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.HTTPHost", - "to": "http_request.url.hostname" - } - }, - { - "rename": { - "from": "unmapped.URL", - "to": "http_request.url.url_string" - } - }, - { - "rename": { - "from": "unmapped.HTTPMethod", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.HTTPVersion", - "to": "http_request.version" - } - }, - { - "rename": { - "from": "unmapped.HTTPStatusCode", - "to": "http_response.code" - } - }, - { - 
"rename": { - "from": "unmapped.SourceIP", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.SourcePort", - "to": "src_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.DeviceID", - "to": "src_endpoint.uid" - } - }, - { - "rename": { - "from": "unmapped.DeviceName", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.DestinationIP", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.DestinationPort", - "to": "dst_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.Datetime", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "constant": { - "value": "Host", - "field": "metadata.profiles[0]" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserID", - "to": "actor.user.uid" - } - } - ] - }, - { - "predicate": "aws contains 'gateway-network'", - "transformations": [ - { - "constant": { - "value": "Gateway Network", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Gateway Network", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 4001, - "field": "class_uid" - } - }, - { - "constant": { - "value": 4, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "class_name" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "category_name" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id" - } - }, - { - "copy": { - "from": 
"unmapped.Action", - "to": "activity_name" - } - }, - { - "constant": { - "value": 400199, - "field": "type_uid" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.SourceIP", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.SourcePort", - "to": "src_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.DeviceID", - "to": "src_endpoint.uid" - } - }, - { - "rename": { - "from": "unmapped.DeviceName", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.DestinationIP", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.DestinationPort", - "to": "dst_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.Datetime", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "constant": { - "value": "Host", - "field": "metadata.profiles[0]" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserID", - "to": "actor.user.uid" - } - } - ] - }, - { - "predicate": "aws contains 'device-posture'", - "transformations": [ - { - "constant": { - "value": "Device Posture", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Device Posture", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 5001, - "field": "class_uid" - } - }, - { - "constant": { - "value": 5, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Device Inventory Info", - "field": "class_name" - } - 
}, - { - "constant": { - "value": "Discovery", - "field": "category_name" - } - }, - { - "constant": { - "value": 2, - "field": "activity_id" - } - }, - { - "constant": { - "value": "Collect", - "field": "activity_name" - } - }, - { - "constant": { - "value": 500102, - "field": "type_uid" - } - }, - { - "constant": { - "value": "Device Inventory Info: Collect", - "field": "type_name" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.Timestamp", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.DeviceID", - "to": "device.uid" - } - }, - { - "rename": { - "from": "unmapped.DeviceName", - "to": "device.name" - } - }, - { - "rename": { - "from": "unmapped.DeviceManufacturer", - "to": "device.manufacturer" - } - }, - { - "rename": { - "from": "unmapped.DeviceModel", - "to": "device.model" - } - }, - { - "rename": { - "from": "unmapped.DeviceSerialNumber", - "to": "device.hw_info.serial_number" - } - }, - { - "rename": { - "from": "unmapped.DeviceType", - "to": "device.os.type" - } - }, - { - "rename": { - "from": "unmapped.OSVersion", - "to": "device.os.version" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "device.owner.email_addr" - } - }, - { - "copy": { - "from": "device.owner.email_addr", - "to": "device.owner.name" - } - }, - { - "replace": { - "field": "device.owner.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "device.owner.email_addr", - "to": "device.owner.domain" - } - }, - { - "replace": { - "field": "device.owner.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "replace": { - "field": "device.owner.name", - "regexp": "(.*?)@.*", - "replacement": "$1" - } - }, - { - "constant": { - "value": 100, - "field": "device.os.type_id", - "predicate": "device.os.type = 'windows'" - } - }, - { - "constant": { - "value": 300, - 
"field": "device.os.type_id", - "predicate": "device.os.type = 'mac'" - } - }, - { - "constant": { - "value": 301, - "field": "device.os.type_id", - "predicate": "device.os.type = 'ios'" - } - } - ] - }, - { - "predicate": "aws contains 'gateway-dns'", - "transformations": [ - { - "constant": { - "value": "Gateway DNS", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Gateway DNS", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 4003, - "field": "class_uid" - } - }, - { - "constant": { - "value": 4, - "field": "category_uid" - } - }, - { - "constant": { - "value": "DNS Activity", - "field": "class_name" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "category_name" - } - }, - { - "constant": { - "value": 1, - "field": "activity_id" - } - }, - { - "constant": { - "value": "Query", - "field": "activity_name" - } - }, - { - "constant": { - "value": 400301, - "field": "type_uid" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.SrcIP", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.SrcPort", - "to": "src_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.DeviceID", - "to": "src_endpoint.uid" - } - }, - { - "rename": { - "from": "unmapped.DeviceName", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.DstIP", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.DstPort", - "to": "dst_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.Datetime", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.RCode", - "to": "rcode_id" - } - }, - { - "rename": { - "from": "unmapped.QueryName", - "to": "query.hostname" - } - }, - { - "rename": { - "from": "unmapped.QueryTypeName", - "to": "query.type" - } - }, - { - "rename_tree": { - "from": "unmapped.RData", - "to": 
"answers" - } - }, - { - "rename": { - "from": "answers[*].data", - "to": "answers[*].rdata" - } - }, - { - "constant": { - "value": "Host", - "field": "metadata.profiles[0]" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserID", - "to": "actor.user.uid" - } - } - ] - }, - { - "predicate": "aws contains 'audit-logs'", - "transformations": [ - { - "constant": { - "value": "Audit Logs", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Audit Logs", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 3004, - "field": "class_uid" - } - }, - { - "constant": { - "value": 3, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Entity Management", - "field": "class_name" - } - }, - { - "constant": { - "value": "Identity & Access Management", - "field": "category_name" - } - }, - { - "constant": { - "value": 3, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": "Update", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": 300403, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": "Entity Management: Update", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": 1, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": 
"Create", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": 300401, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": "Entity Management: Create", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": 4, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": "Delete", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": 300404, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": "Entity Management: Delete", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": 12, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": "Suspend", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": 300412, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": "Entity Management: Suspend", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id", - "predicate": "not (activity_id = *)" - } - }, - { - "copy": { - "from": "unmapped.ActionType", - "to": "activity_name", - "predicate": "not (activity_name = *)" - } - }, - { - "constant": { - "value": 300499, - "field": "type_uid", - "predicate": "not (type_uid = *)" - } - }, - { - "constant": { - "value": "Entity Management: Other", - "field": "type_name", - "predicate": "not (type_name = *)" - } - }, - { - "constant": { - "value": 1, - "field": "status_id", - "predicate": 
"unmapped.Allowed = true" - } - }, - { - "constant": { - "value": 2, - "field": "status_id", - "predicate": "unmapped.Allowed = false" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserUID", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.IPAddress", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.When", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.ActorEmail", - "to": "actor.user.email_addr" - } - }, - { - "rename": { - "from": "unmapped.ActorID", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.ActorType", - "to": "actor.user.type" - } - }, - { - "rename": { - "from": "unmapped.ActorIP", - "to": "src_endpoint.ip" - } - } - ] - } - ] - } +{ + "attributes": { + "dataSource.vendor": "Cloudflare", + "dataSource.category": "security", + "metadata.product.vendor_name": "Cloudflare", + "metadata.version": "1.5.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.CreatedAt", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.Datetime", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.Timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.When", + "output": "timestamp", + "match": ".*", + 
"replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "aws contains 'access-requests'", + "transformations": [ + { + "constant": { + "value": "Access Requests", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Access Requests", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 3004, + "field": "class_uid", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Entity Management", + "field": "class_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 6, + "field": "activity_id", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Enroll", + "field": "activity_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 300406, + "field": "type_uid", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Entity Management: Enroll", + "field": "type_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 3002, + "field": "class_uid" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Authentication", + "field": "class_name" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + 
"predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": "Logon", + "field": "activity_name", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": "Logoff", + "field": "activity_name", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "copy": { + "from": "unmapped.Action", + "to": "activity_name", + "predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": 300201, + "field": "type_uid", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": 300202, + "field": "type_uid", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "constant": { + "value": 300299, + "field": "type_uid", + "predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": "Authentication: Logon", + "field": "type_name", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": "Authentication: Logoff", + "field": "type_name", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "constant": { + "value": "Authentication: Other", + "field": "type_name", + "predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.Allowed = true" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.Allowed = false" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.AppUUID", + "to": "actor.app_uid" + } + }, + { + "copy": { + "from": "unmapped.AppDomain", + "to": "actor.app_name" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.UserUID", + "to": "actor.user.uid" + } + }, + { + "rename": { + "from": "unmapped.IPAddress", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.CreatedAt", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + 
} + } + ] + }, + { + "predicate": "aws contains 'gateway-http'", + "transformations": [ + { + "constant": { + "value": "Gateway HTTP", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Gateway HTTP", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 4002, + "field": "class_uid" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "HTTP Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id" + } + }, + { + "copy": { + "from": "unmapped.Action", + "to": "activity_name" + } + }, + { + "constant": { + "value": 400299, + "field": "type_uid" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.HTTPHost", + "to": "http_request.url.hostname" + } + }, + { + "rename": { + "from": "unmapped.URL", + "to": "http_request.url.url_string" + } + }, + { + "rename": { + "from": "unmapped.HTTPMethod", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.HTTPVersion", + "to": "http_request.version" + } + }, + { + "rename": { + "from": "unmapped.HTTPStatusCode", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.SourceIP", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.SourcePort", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": "src_endpoint.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.DestinationIP", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.DestinationPort", + "to": "dst_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.Datetime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } 
+ }, + { + "constant": { + "value": "Host", + "field": "metadata.profiles[0]" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "rename": { + "from": "unmapped.UserID", + "to": "actor.user.uid" + } + } + ] + }, + { + "predicate": "aws contains 'gateway-network'", + "transformations": [ + { + "constant": { + "value": "Gateway Network", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Gateway Network", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 4001, + "field": "class_uid" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id" + } + }, + { + "copy": { + "from": "unmapped.Action", + "to": "activity_name" + } + }, + { + "constant": { + "value": 400199, + "field": "type_uid" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.SourceIP", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.SourcePort", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": "src_endpoint.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.DestinationIP", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.DestinationPort", + 
"to": "dst_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.Datetime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "constant": { + "value": "Host", + "field": "metadata.profiles[0]" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "rename": { + "from": "unmapped.UserID", + "to": "actor.user.uid" + } + } + ] + }, + { + "predicate": "aws contains 'device-posture'", + "transformations": [ + { + "constant": { + "value": "Device Posture", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Device Posture", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 5001, + "field": "class_uid" + } + }, + { + "constant": { + "value": 5, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Device Inventory Info", + "field": "class_name" + } + }, + { + "constant": { + "value": "Discovery", + "field": "category_name" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Collect", + "field": "activity_name" + } + }, + { + "constant": { + "value": 500102, + "field": "type_uid" + } + }, + { + "constant": { + "value": "Device Inventory Info: Collect", + "field": "type_name" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.Timestamp", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": 
"device.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "device.name" + } + }, + { + "rename": { + "from": "unmapped.DeviceManufacturer", + "to": "device.manufacturer" + } + }, + { + "rename": { + "from": "unmapped.DeviceModel", + "to": "device.model" + } + }, + { + "rename": { + "from": "unmapped.DeviceSerialNumber", + "to": "device.hw_info.serial_number" + } + }, + { + "rename": { + "from": "unmapped.DeviceType", + "to": "device.os.type" + } + }, + { + "rename": { + "from": "unmapped.OSVersion", + "to": "device.os.version" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "device.owner.email_addr" + } + }, + { + "copy": { + "from": "device.owner.email_addr", + "to": "device.owner.name" + } + }, + { + "replace": { + "field": "device.owner.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "device.owner.email_addr", + "to": "device.owner.domain" + } + }, + { + "replace": { + "field": "device.owner.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "replace": { + "field": "device.owner.name", + "regexp": "(.*?)@.*", + "replacement": "$1" + } + }, + { + "constant": { + "value": 100, + "field": "device.os.type_id", + "predicate": "device.os.type = 'windows'" + } + }, + { + "constant": { + "value": 300, + "field": "device.os.type_id", + "predicate": "device.os.type = 'mac'" + } + }, + { + "constant": { + "value": 301, + "field": "device.os.type_id", + "predicate": "device.os.type = 'ios'" + } + } + ] + }, + { + "predicate": "aws contains 'gateway-dns'", + "transformations": [ + { + "constant": { + "value": "Gateway DNS", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Gateway DNS", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 4003, + "field": "class_uid" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "DNS Activity", + "field": "class_name" + } + }, + { + 
"constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Query", + "field": "activity_name" + } + }, + { + "constant": { + "value": 400301, + "field": "type_uid" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.SrcIP", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.SrcPort", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": "src_endpoint.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.DstIP", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.DstPort", + "to": "dst_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.Datetime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.RCode", + "to": "rcode_id" + } + }, + { + "rename": { + "from": "unmapped.QueryName", + "to": "query.hostname" + } + }, + { + "rename": { + "from": "unmapped.QueryTypeName", + "to": "query.type" + } + }, + { + "rename_tree": { + "from": "unmapped.RData", + "to": "answers" + } + }, + { + "rename": { + "from": "answers[*].data", + "to": "answers[*].rdata" + } + }, + { + "constant": { + "value": "Host", + "field": "metadata.profiles[0]" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + 
"rename": { + "from": "unmapped.UserID", + "to": "actor.user.uid" + } + } + ] + }, + { + "predicate": "aws contains 'audit-logs'", + "transformations": [ + { + "constant": { + "value": "Audit Logs", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Audit Logs", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 3004, + "field": "class_uid" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Entity Management", + "field": "class_name" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 3, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": "Update", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": 300403, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": "Entity Management: Update", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": "Create", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": 300401, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": "Entity Management: Create", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": 4, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": "Delete", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": 
300404, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": "Entity Management: Delete", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": 12, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": "Suspend", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": 300412, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": "Entity Management: Suspend", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + "predicate": "not (activity_id = *)" + } + }, + { + "copy": { + "from": "unmapped.ActionType", + "to": "activity_name", + "predicate": "not (activity_name = *)" + } + }, + { + "constant": { + "value": 300499, + "field": "type_uid", + "predicate": "not (type_uid = *)" + } + }, + { + "constant": { + "value": "Entity Management: Other", + "field": "type_name", + "predicate": "not (type_name = *)" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.Allowed = true" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.Allowed = false" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + 
}
+ },
+ {
+ "rename": {
+ "from": "unmapped.UserUID",
+ "to": "actor.user.uid"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.IPAddress",
+ "to": "src_endpoint.ip"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.When",
+ "to": "time"
+ }
+ },
+ {
+ "cast": {
+ "field": "time",
+ "type": "iso8601TimestampToEpochSec"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.ActorEmail",
+ "to": "actor.user.email_addr"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.ActorID",
+ "to": "actor.user.uid"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.ActorType",
+ "to": "actor.user.type"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.ActorIP",
+ "to": "src_endpoint.ip"
+ }
+ }
+ ]
+ }
+ ]
+ }
 }
\ No newline at end of file
diff --git a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/google_cloud_dns_logs-latest/gcp_dns.conf b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/google_cloud_dns_logs-latest/gcp_dns.conf
index 0306ff4..4bf4705 100644
--- a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/google_cloud_dns_logs-latest/gcp_dns.conf
+++ b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/google_cloud_dns_logs-latest/gcp_dns.conf
@@ -1,55 +1,55 @@
-{
- "attributes": {
- "dataSource.name": "GCP DNS",
- "dataSource.vendor": "GCP",
- "dataSource.category": "security",
- "metadata.product.name": "GCP DNS",
- "metadata.product.vendor_name": "GCP",
- "metadata.version": "1.5.0"
- },
- "formats": [
- {
- "format": "$unmapped.{parse=gron}$",
- "rewrites": [
- {
- "input": "unmapped.timestamp",
- "output": "timestamp",
- "match": ".*",
- "replace": "$0"
- }
- ]
- }
- ],
- "mappings": {
- "version": 1,
- "mappings": [
- {
- "predicate": "true",
- "transformations": [
- { "constant": { "value": 4, "field": "category_uid" }},
- { "constant": { "value": "Network Activity", "field": "category_name" }},
- { "constant": { "value": 4003, "field": "class_uid" }},
- { "constant": { "value": "DNS Activity", "field": "class_name" }},
- { "constant": { "value": 1, "field": "activity_id" }},
- { "constant": { "value": "Query", "field": "activity_name" }},
- { "constant": { "value": 400301, "field": "type_uid" }},
- { "constant": { "value": "DNS Activity: Query", "field": "type_name" }},
-
- { "rename": { "from": "unmapped.jsonPayload.queryName", "to": "query.hostname" }},
- { "rename": { "from": "unmapped.jsonPayload.queryType", "to": "query.type" }},
- { "rename": { "from": "unmapped.jsonPayload.rdata", "to": "answers.rdata" }},
- { "rename": { "from": "unmapped.type", "to": "answers.rdata" }},
-
- { "rename": { "from": "unmapped.severity", "to": "severity_id" }},
- //mappings may be adjusted
- { "cast": { "type": "enum", "field": "severity_id", "enum": {"DEFAULT":0,"DEBUG":99,"INFO":1,"NOTICE":2,"WARNING":3,"ERROR":4,"CRITICAL":5,"ALERT":5,"EMERGENCY":6}}}
-
- { "rename": { "from": "unmapped.receiveTimestamp", "to": "query_time" }},
- { "cast": { "field": "query_time", "type": "iso8601TimestampToEpochSec" }}
- { "rename": { "from": "unmapped.timestamp", "to": "time" }},
- { "cast": { "field": "time", "type": "iso8601TimestampToEpochSec" }}
- ]
- }
- ]
- }
-}
+{
+ "attributes": {
+ "dataSource.name": "GCP DNS",
+ "dataSource.vendor": "GCP",
+ "dataSource.category": "security",
+ "metadata.product.name": "GCP DNS",
+ "metadata.product.vendor_name": "GCP",
+ "metadata.version": "1.5.0"
+ },
+ "formats": [
+ {
+ "format": "$unmapped.{parse=gron}$",
+ "rewrites": [
+ {
+ "input": "unmapped.timestamp",
+ "output": "timestamp",
+ "match": ".*",
+ "replace": "$0"
+ }
+ ]
+ }
+ ],
+ "mappings": {
+ "version": 1,
+ "mappings": [
+ {
+ "predicate": "true",
+ "transformations": [
+ { "constant": { "value": 4, "field": "category_uid" }},
+ { "constant": { "value": "Network Activity", "field": "category_name" }},
+ { "constant": { "value": 4003, "field": "class_uid" }},
+ { "constant": { "value": "DNS Activity", "field": "class_name" }},
+ { "constant": { "value": 1, "field": "activity_id" }},
+ { "constant": { "value": "Query", "field": "activity_name" }},
+ { "constant": { "value": 400301, "field": "type_uid" }},
+ { "constant": { "value": "DNS Activity: Query", "field": "type_name" }},
+
+ { "rename": { "from": "unmapped.jsonPayload.queryName", "to": "query.hostname" }},
+ { "rename": { "from": "unmapped.jsonPayload.queryType", "to": "query.type" }},
+ { "rename": { "from": "unmapped.jsonPayload.rdata", "to": "answers.rdata" }},
+ { "rename": { "from": "unmapped.type", "to": "answers.rdata" }},
+
+ { "rename": { "from": "unmapped.severity", "to": "severity_id" }},
+ //mappings may be adjusted
+ { "cast": { "type": "enum", "field": "severity_id", "enum": {"DEFAULT":0,"DEBUG":99,"INFO":1,"NOTICE":2,"WARNING":3,"ERROR":4,"CRITICAL":5,"ALERT":5,"EMERGENCY":6}}}
+
+ { "rename": { "from": "unmapped.receiveTimestamp", "to": "query_time" }},
+ { "cast": { "field": "query_time", "type": "iso8601TimestampToEpochSec" }}
+ { "rename": { "from": "unmapped.timestamp", "to": "time" }},
+ { "cast": { "field": "time", "type": "iso8601TimestampToEpochSec" }}
+ ]
+ }
+ ]
+ }
+}
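Review bot: Two `rename` entries on the new side both write `answers.rdata` — first from `unmapped.jsonPayload.rdata`, then from `unmapped.type` — so on any event that carries both fields the second rename overwrites the actual DNS answer data with the log entry's `type` value, and `answers` in the DNS Activity class is an array, which the Cloudflare parser in this same commit addresses as `answers[*].rdata`. I would drop the `unmapped.type` line (or point it at a field that describes the log record) and write the answer to an indexed path, e.g. `{ "rename": { "from": "unmapped.jsonPayload.rdata", "to": "answers[0].rdata" }},` — confirm the indexed syntax against the parser's `metadata.profiles[0]` usage. The mapping also sets neither `src_endpoint.ip` nor `rcode_id`; if the GCP payload carries the client address and response code (presumably `jsonPayload.sourceIP` and `jsonPayload.responseCode` — verify), leaving them unmapped means resolver-client attribution and NXDOMAIN-rate detections get nothing from this source. Separately, the elements after the `severity_id` enum cast and after the `query_time` cast have no trailing comma; if the loader is strict JSON rather than the HOCON-style syntax the Imperva parser below uses, the file will not parse. Both sides of this hunk read identically, so the change is presumably whitespace or line endings, but the re-added text is what ships.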
diff --git a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/imperva_waf_logs-latest/Imperva_waf.conf b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/imperva_waf_logs-latest/Imperva_waf.conf
index a9a0e48..e598b35 100644
--- a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/imperva_waf_logs-latest/Imperva_waf.conf
+++ b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/imperva_waf_logs-latest/Imperva_waf.conf
@@ -1,84 +1,84 @@
-{
- // specify a time zone if the timestamps in your log are not in GMT
- // timezone: "GMT-0800"
- attributes: {
- "dataSource.name": "Imperva WAF",
- "dataSource.vendor": "Imperva",
- "dataSource.category": "security"
- "metadata.product.name": "Imperva WAF",
- "metadata.product.vendor_name": "Imperva"
- },
-
- patterns: {
- tsPattern: "\\d+",
- value: "[^\\s]+",
- toDrop: "^(?!CEF).*$"
- },
-
- formats: [
- //drop logs
- {
- id: "drop",
- format: "$unwanted=toDrop$",
- discard: true
- },
-
- {
- format: "$unmapped.cef.version$\\|$metadata.vendor_name$\\|$metadata.product$\\|$metadata.product.version$\\|$unmapped.signature$\\|$event.type$\\|$severity$\\|",
- },
- {
- format: ".*\\sstart=$timestamp=tsPattern$",
- },
- {
- format: ".*requestClientApplication=$unmapped.requestClientApplication$\\sdeviceFacility",
- },
- {
- format: ".*\\scs2=$unmapped.cs2$\\scs2Label=$unmapped.cs2Label$\\scs3=$unmapped.cs3$\\scs3Label=$unmapped.cs3Label$\\scs1=$unmapped.cs1$\\scs1Label=$unmapped.cs1Label$\\scs4=$unmapped.cs4$\\scs4Label=$unmapped.cs4Label$\\scs5=$unmapped.cs5$\\scs5Label=$unmapped.cs5Label$\\scs6=$unmapped.cs6$\\scs6Label=$unmapped.cs6Label$\\scs7=$unmapped.cs7$\\scs7Label=$unmapped.cs7Label$\\scs8=$unmapped.cs8$\\scs8Label=$unmapped.cs8Label$\\sCustomer",
- },
- {
- format: ".*\\scs10=$unmapped.cs10$\\scs10Label=$unmapped.cs10Label$\\scpt",
- },
- {
- format: ".*\\sver=$unmapped.ver$\\s$unmapped.cipher$\\s",
- },
- {
- format: ".*$_=identifier$=$unmapped._=value$",
- repeat: true
- }
- ],
- mappings: {
- version: 0,
- mappings: [
- {
- predicate: "",
- renames: [
- {
- inputs : ["unmapped.dst"],
- output : "dst_endpoint.ip",
- type: "string"
- },
- {
- inputs: ["unmapped.dpt"],
- output: "dst_endpoint.port",
- type: "string"
- },
- {
- inputs: ["unmapped.src"],
- output: "src_endpoint.ip",
- type: "string"
- },
- {
- inputs: ["unmapped.spt"],
- output: "src_endpoint.port",
- type: "string"
- },
- {
- inputs: ["unmapped.Customer"],
- output: "Account Name",
- type: "string"
- }
- ]
- }
- ]
- }
+{
+ // specify a time zone if the timestamps in your log are not in GMT
+ // timezone: "GMT-0800"
+ attributes: {
+ "dataSource.name": "Imperva WAF",
+ "dataSource.vendor": "Imperva",
+ "dataSource.category": "security"
+ "metadata.product.name": "Imperva WAF",
+ "metadata.product.vendor_name": "Imperva"
+ },
+
+ patterns: {
+ tsPattern: "\\d+",
+ value: "[^\\s]+",
+ toDrop: "^(?!CEF).*$"
+ },
+
+ formats: [
+ //drop logs
+ {
+ id: "drop",
+ format: "$unwanted=toDrop$",
+ discard: true
+ },
+
+ {
+ format: "$unmapped.cef.version$\\|$metadata.vendor_name$\\|$metadata.product$\\|$metadata.product.version$\\|$unmapped.signature$\\|$event.type$\\|$severity$\\|",
+ },
+ {
+ format: ".*\\sstart=$timestamp=tsPattern$",
+ },
+ {
+ format: ".*requestClientApplication=$unmapped.requestClientApplication$\\sdeviceFacility",
+ },
+ {
+ format: ".*\\scs2=$unmapped.cs2$\\scs2Label=$unmapped.cs2Label$\\scs3=$unmapped.cs3$\\scs3Label=$unmapped.cs3Label$\\scs1=$unmapped.cs1$\\scs1Label=$unmapped.cs1Label$\\scs4=$unmapped.cs4$\\scs4Label=$unmapped.cs4Label$\\scs5=$unmapped.cs5$\\scs5Label=$unmapped.cs5Label$\\scs6=$unmapped.cs6$\\scs6Label=$unmapped.cs6Label$\\scs7=$unmapped.cs7$\\scs7Label=$unmapped.cs7Label$\\scs8=$unmapped.cs8$\\scs8Label=$unmapped.cs8Label$\\sCustomer",
+ },
+ {
+ format: ".*\\scs10=$unmapped.cs10$\\scs10Label=$unmapped.cs10Label$\\scpt",
+ },
+ {
+ format: ".*\\sver=$unmapped.ver$\\s$unmapped.cipher$\\s",
+ },
+ {
+ format: ".*$_=identifier$=$unmapped._=value$",
+ repeat: true
+ }
+ ],
+ mappings: {
+ version: 0,
+ mappings: [
+ {
+ predicate: "",
+ renames: [
+ {
+ inputs : ["unmapped.dst"],
+ output : "dst_endpoint.ip",
+ type: "string"
+ },
+ {
+ inputs: ["unmapped.dpt"],
+ output: "dst_endpoint.port",
+ type: "string"
+ },
+ {
+ inputs: ["unmapped.src"],
+ output: "src_endpoint.ip",
+ type: "string"
+ },
+ {
+ inputs: ["unmapped.spt"],
+ output: "src_endpoint.port",
+ type: "string"
+ },
+ {
+ inputs: ["unmapped.Customer"],
+ output: "Account Name",
+ type: "string"
+ }
+ ]
+ }
+ ]
+ }
 }
\ No newline at end of file
diff --git a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/teleport_logs-latest/teleport.conf b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/teleport_logs-latest/teleport.conf
index 4b28d9c..bbc42a4 100644
--- a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/teleport_logs-latest/teleport.conf
+++ b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/teleport_logs-latest/teleport.conf
@@ -1,4175 +1,4175 @@ -{ - "attributes": { - "dataSource.name": "Teleport Audit", - "dataSource.vendor": "Teleport", - "dataSource.category": "security", - "metadata.product.name": "Teleport Audit", - "metadata.product.vendor_name": "Teleport", - "metadata.version": "1.5.0", - "cloud.provider": "AWS" - }, - "formats": [ - { - "format": "$unmapped.{parse=gron}$", - "rewrites": [ - { - "input": "unmapped.time", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.ts", - "output": "timestamp", - "match": ".*", - "replace": "$0" - } - ] - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "unmapped.event in ('user.update','billing.plan.update')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 99 - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Account Change" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300199 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3001 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } 
- }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('user.create','saml.created')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - 
"constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Account Change" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300101 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3001 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - 
}, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'user.delete'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 6 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Delete" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Account Change" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300106 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3001 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - 
{ - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - 
"from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'db.update'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 2 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Update" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600502 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": 
"http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'db.create'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 6 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Create" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 
600506 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": 
"unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'db.delete'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 7 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Delete" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600507 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": 
"unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 
'db.session.query'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 4 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Query" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600504 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": 
"auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('db.session.postgres.statements.execute','db.session.postgres.statements.parse','db.session.postgres.statements.bind')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 99 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Other" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600599 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - 
"rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": 
"unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('cert.create','join_token.create','role.created','lock.created')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Create" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Entity Management" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300401 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3004 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", 
- "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('role.delete','lock.delete')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": 
"event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 4 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Delete" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Entity Management" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300404 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3004 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": 
"src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'role.update'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 3 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Delete" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Entity Management" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300403 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3004 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - 
"from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - 
"to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('app.session.end','db.session.end','session.end','session.leave','desktop.session.end','mfa.auth.success')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 2 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Logoff" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Authentication" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300202 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3002 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - 
"from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('instance.join','session.start','session.join','user.login','bot.join','db.session.start','desktop.session.start','mfa.auth.success','port','db.session.mysql.init_db')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } 
- }, - { - "constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Logon" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Authentication" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300201 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3002 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - 
"rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('kube.request','app.session.chunk','exec','scp','sftp','app.session.start','session.upload','session.data')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 99 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Other" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "API Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600399 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6003 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": 
"dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - 
"rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'config.changed'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 99 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Other" - } - }, - { - "constant": { - "field": "category_name", - "value": "Discovery" - } - }, - { - "constant": { - "field": "class_name", - "value": "Device Config State Change" - } - }, - { - "constant": { - "field": "type_uid", - "value": 501999 - } - }, - { - "constant": { - "field": "category_uid", - "value": 5 - } - }, - { - "constant": { - "field": "class_uid", - "value": 5019 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": 
"src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'dns.query'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Query" - } - }, - { - "constant": { - "field": "category_name", - 
"value": "Network Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "DNS Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 400301 - } - }, - { - "constant": { - "field": "category_uid", - "value": 4 - } - }, - { - "constant": { - "field": "class_uid", - "value": 4003 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": 
"iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'net.connection'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Open" - } - }, - { - "constant": { - "field": "category_name", - "value": "Network Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Network Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 400101 - } - }, - { - "constant": { - "field": "category_uid", - "value": 4 - } - }, - { - "constant": { - "field": "class_uid", - "value": 4001 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", 
- "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": 
"query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "true", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - 
"to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - } - ] - } +{ + "attributes": { + "dataSource.name": "Teleport Audit", + "dataSource.vendor": "Teleport", + "dataSource.category": "security", + "metadata.product.name": "Teleport Audit", + "metadata.product.vendor_name": "Teleport", + "metadata.version": "1.5.0", + "cloud.provider": "AWS" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.time", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.ts", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "unmapped.event in ('user.update','billing.plan.update')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 99 + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Account Change" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300199 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + 
"field": "class_uid", + "value": 3001 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": 
"actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('user.create','saml.created')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Account Change" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300101 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3001 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + 
"from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'user.delete'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 
6 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Delete" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Account Change" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300106 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3001 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": 
"actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'db.update'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 2 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Update" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600502 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": 
"iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": 
"database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'db.create'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 6 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Create" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600506 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + 
"rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'db.delete'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 7 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Delete" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + 
"constant": { + "field": "type_uid", + "value": 600507 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + 
"rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'db.session.query'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 4 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Query" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600504 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { 
+ "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + 
"predicate": "unmapped.event in ('db.session.postgres.statements.execute','db.session.postgres.statements.parse','db.session.postgres.statements.bind')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 99 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Other" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600599 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + 
"rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('cert.create','join_token.create','role.created','lock.created')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Create" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Entity Management" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300401 + } + }, + { + "constant": { + "field": "category_uid", + "value": 
3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3004 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": 
"unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('role.delete','lock.delete')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 4 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Delete" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Entity Management" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300404 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3004 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + 
"rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'role.update'", + "transformations": [ + { + "copy": { + "from": 
"unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 3 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Delete" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Entity Management" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300403 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3004 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": 
"unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('app.session.end','db.session.end','session.end','session.leave','desktop.session.end','mfa.auth.success')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 2 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Logoff" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Authentication" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300202 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3002 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": 
"severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { 
+ "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('instance.join','session.start','session.join','user.login','bot.join','db.session.start','desktop.session.start','mfa.auth.success','port','db.session.mysql.init_db')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Logon" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Authentication" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300201 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3002 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + 
"from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in 
('kube.request','app.session.chunk','exec','scp','sftp','app.session.start','session.upload','session.data')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 99 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Other" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "API Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600399 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6003 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": 
"cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'config.changed'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 99 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Other" + } + }, + { + "constant": { + "field": "category_name", + "value": "Discovery" + } + }, + { + "constant": { + "field": "class_name", + "value": "Device Config State Change" + } + }, + { + "constant": { + "field": "type_uid", + "value": 501999 + } + }, + { + "constant": { + "field": "category_uid", + "value": 5 + } + }, + { + "constant": { + "field": "class_uid", + "value": 5019 + } + }, + { + "rename": { + "from": 
"unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": 
"actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'dns.query'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Query" + } + }, + { + "constant": { + "field": "category_name", + "value": "Network Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "DNS Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 400301 + } + }, + { + "constant": { + "field": "category_uid", + "value": 4 + } + }, + { + "constant": { + "field": "class_uid", + "value": 4003 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": 
"http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'net.connection'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + 
"field": "activity_name", + "value": "Open" + } + }, + { + "constant": { + "field": "category_name", + "value": "Network Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Network Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 400101 + } + }, + { + "constant": { + "field": "category_uid", + "value": 4 + } + }, + { + "constant": { + "field": "class_uid", + "value": 4001 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { 
+ "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "true", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + 
"to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + } + ] + } } \ No newline at end of file diff --git a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/README.txt b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/README.txt index e0cd0ae..a3dfcc9 100644 
--- a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/README.txt
+++ b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/README.txt
@@ -1,2 +1,2 @@
-This parser was created for customer Coats.
+This parser was created for customer Coats. Log Ingested via HEC and structured /event endpoint
\ No newline at end of file
diff --git a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/zscaler_firewall.conf b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/zscaler_firewall.conf
index 523ad07..b80f819 100644
--- a/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/zscaler_firewall.conf
+++ b/Backend/utilities/parsers/community_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/zscaler_firewall.conf
@@ -1,61 +1,61 @@ -{ - - "attributes": { - "category_uid": "4", - "category_name": "Network Activity" - "metadata.product.name": "ZScaler Firewall", - "metadata.product.vendor_name": "ZScaler", - "metadata.version": "1.5.0", - "dataSource.category": "security", - "dataSource.name": "Zscaler Firewall", - "dataSource.vendor": "ZScaler" - }, - "formats": [ - { - "format": "$unmapped.{parse=json}$", - "rewrites": [ - { - "input": "unmapped.datetime", - "output": "timestamp", - "match": ".*", - "replace": "$0" - } - ] - - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "true", - "transformations": [ - {"constant": { "value": 4, "field": "category_uid"}} - {"constant": { "value": "Network Activity", "field": "category_name"}} - {"constant": { "value": 4001, "field": "class_uid"}} - {"constant": { "value": "Network Activity", "field": "class_name"}} - {"constant": { "value": 6, "field": "activity_id"}} - {"constant": { "value": "Traffic", "field": "activity_name"}} - - {"constant": { "value": 0, "field": "severity_id"}} - {"constant": { "value": 400106, "field": "type_uid"}} - {"constant": { "value": "Network Activity: Traffic", "field": "type_name"}} - - {"rename": {"from": "unmapped.csip","to": "src_endpoint.ip"}}, - {"rename": {"from": "unmapped.csport","to": "src_endpoint.port"}}, - {"rename": {"from": "unmapped.cdip","to": "dst_endpoint.ip"}}, - {"rename": {"from": "unmapped.cdport","to": "dst_endpoint.port"}}, - - {"rename": {"from": "unmapped.user","to": "actor.user.email_addr"}}, - {"rename": {"from": "unmapped.devicehostname","to": "device.hostname"}}, - {"rename": {"from": "unmapped.deviceowner","to": "device.owner.name"}}, - - {"rename": {"from": "unmapped.datetime","to": "time"}}, - {"replace": {"field": "time", "regexp": "^[A-Za-z]{3}\\s(.*)", "replacement": "$1"}} - {"cast": {"type": "datetime", "field": "time", "format": "MMM dd HH:mm:ss yyyy"}} - - ] - } - ] - } +{ + + "attributes": { + "category_uid": "4", + "category_name": 
"Network Activity" + "metadata.product.name": "ZScaler Firewall", + "metadata.product.vendor_name": "ZScaler", + "metadata.version": "1.5.0", + "dataSource.category": "security", + "dataSource.name": "Zscaler Firewall", + "dataSource.vendor": "ZScaler" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.datetime", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + {"constant": { "value": 4, "field": "category_uid"}} + {"constant": { "value": "Network Activity", "field": "category_name"}} + {"constant": { "value": 4001, "field": "class_uid"}} + {"constant": { "value": "Network Activity", "field": "class_name"}} + {"constant": { "value": 6, "field": "activity_id"}} + {"constant": { "value": "Traffic", "field": "activity_name"}} + + {"constant": { "value": 0, "field": "severity_id"}} + {"constant": { "value": 400106, "field": "type_uid"}} + {"constant": { "value": "Network Activity: Traffic", "field": "type_name"}} + + {"rename": {"from": "unmapped.csip","to": "src_endpoint.ip"}}, + {"rename": {"from": "unmapped.csport","to": "src_endpoint.port"}}, + {"rename": {"from": "unmapped.cdip","to": "dst_endpoint.ip"}}, + {"rename": {"from": "unmapped.cdport","to": "dst_endpoint.port"}}, + + {"rename": {"from": "unmapped.user","to": "actor.user.email_addr"}}, + {"rename": {"from": "unmapped.devicehostname","to": "device.hostname"}}, + {"rename": {"from": "unmapped.deviceowner","to": "device.owner.name"}}, + + {"rename": {"from": "unmapped.datetime","to": "time"}}, + {"replace": {"field": "time", "regexp": "^[A-Za-z]{3}\\s(.*)", "replacement": "$1"}} + {"cast": {"type": "datetime", "field": "time", "format": "MMM dd HH:mm:ss yyyy"}} + + ] + } + ] + } } \ No newline at end of file 
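Review bot: The new side of zscaler_firewall.conf is not valid JSON: `"category_name": "Network Activity"` under `attributes` has no trailing comma before `"metadata.product.name"`, and in `transformations` the nine leading `{"constant": …}}` entries as well as the `{"replace": …}}` and `{"cast": …}}` lines are not comma-separated. The hunk appears to rewrite every line with identical text (probably a line-ending change), so the defect predates it, but this is the content now under review and a strict JSON loader will reject the file, leaving Zscaler firewall events un-normalized and invisible to any detection keyed on the OCSF fields it is meant to populate. Add the missing separators, e.g. `{"constant": { "value": 4, "field": "category_uid"}},` for each of those entries and after the `"category_name"` attribute line. Separately, `attributes` declares `"category_uid": "4"` as a string while the mapping constant emits the integer `4`; if the attribute schema accepts integers, aligning the two avoids type drift in downstream queries.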
diff --git a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/dashboards/community/PurpleAI-monitor-latest/PurpleAI-monitor.conf b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/dashboards/community/PurpleAI-monitor-latest/PurpleAI-monitor.conf
index 242108c..2c4de28 100644
--- a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/dashboards/community/PurpleAI-monitor-latest/PurpleAI-monitor.conf
+++ b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/dashboards/community/PurpleAI-monitor-latest/PurpleAI-monitor.conf
@@ -1,53 +1,53 @@ -{ - graphs: [ - { - graphStyle: "", - query: "action = 'addPurpleInputOutputMessage'| group count = count() by analyst=inputContent.userDetails.emailAddress\n| sort -count", - teamEmails: [ - "123456@s1.oem" -], - title: "Questions asked by user", - layout: { - h: 14, - i: "0", - minH: 3, - minW: 6, - w: 15, - x: 45, - y: 0 -}, - plots: [], - showBarsColumn: "false" - }, - { - query: "source = \"scalyr\" action = 'addPurpleInputOutputMessage'| let output = (!isempty(outputContent.message) ? outputContent.message : outputContent.powerQuery.query)\n| columns timestamp, analyst=inputContent.userDetails.emailAddress, inputContent.userInput, output \n| sort +timestamp", - teamEmails: [ - "123456@s1.oem" -], - title: "All questions and answers by user", - layout: { - h: 17, - w: 60, - x: 0, - y: 14 -} - }, - { - graphStyle: "line", - lineSmoothing: "straightLines", - query: "source = \"scalyr\" action = 'addPurpleInputOutputMessage'| group count = count() by timestamp = timebucket(\"1 hour\"), status\n| transpose status on timestamp", - teamEmails: [ - "123456@s1.oem" -], - title: "Query timeline by status", - yScale: "linear", - layout: { - h: 14, - w: 45, - x: 0, - y: 0 -} - } - ], - options: {layout: {locked: 1}} -} +{ + graphs: [ + { + graphStyle: "", + query: "action = 'addPurpleInputOutputMessage'| group count = count() by analyst=inputContent.userDetails.emailAddress\n| sort -count", + teamEmails: [ + "123456@s1.oem" +], + title: "Questions asked by user", + layout: { + h: 14, + i: "0", + minH: 3, + minW: 6, + w: 15, + x: 45, + y: 0 +}, + plots: [], + showBarsColumn: "false" + }, + { + query: "source = \"scalyr\" action = 'addPurpleInputOutputMessage'| let output = (!isempty(outputContent.message) ? 
outputContent.message : outputContent.powerQuery.query)\n| columns timestamp, analyst=inputContent.userDetails.emailAddress, inputContent.userInput, output \n| sort +timestamp", + teamEmails: [ + "123456@s1.oem" +], + title: "All questions and answers by user", + layout: { + h: 17, + w: 60, + x: 0, + y: 14 +} + }, + { + graphStyle: "line", + lineSmoothing: "straightLines", + query: "source = \"scalyr\" action = 'addPurpleInputOutputMessage'| group count = count() by timestamp = timebucket(\"1 hour\"), status\n| transpose status on timestamp", + teamEmails: [ + "123456@s1.oem" +], + title: "Query timeline by status", + yScale: "linear", + layout: { + h: 14, + w: 45, + x: 0, + y: 0 +} + } + ], + options: {layout: {locked: 1}} +} diff --git a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/dashboards/community/Threat-Investigation-latest/Threat-Investigation.conf b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/dashboards/community/Threat-Investigation-latest/Threat-Investigation.conf index d8d9c66..5f2089c 100644 --- a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/dashboards/community/Threat-Investigation-latest/Threat-Investigation.conf +++ b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/dashboards/community/Threat-Investigation-latest/Threat-Investigation.conf 
@@ -1,533 +1,533 @@ -{ - tabs: [{"tabName":"Overview","graphs":[ - { - graphStyle: "stacked_bar", - query: "event.category contains \"\" dataSource.category = 'security'\n| group count = count() by event.category\n| sort -count", - - title: "Count by event category", - xAxis: "grouped_data", - yScale: "linear", - layout: { - h: 13, - w: 20, - x: 0, - y: 0 -} - }, - { - graphStyle: "stacked_bar", - query: "event.category = \"indicators\"\n| group count = count() by indicator.category \n| sort -count", - - title: "Indicators by category", - xAxis: "grouped_data", - yScale: "linear", - layout: { - h: 13, - w: 13, - x: 47, - y: 0 -} - , - }, - { - graphStyle: "line", - layout: { - h: 13, - w: 27, - x: 20, - y: 0 -}, - lineSmoothing: "straightLines", - query: "event.category = 'file' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.type\n| transpose event.type on timestamp", - - title: "File timeline", - yScale: "linear" - }, - { - query: "event.category = \"process\" dataSource.category = 'security'\n| group distinct_spawned_processes=estimate_distinct(tgt.process.user) by src.process.user \n| sort -distinct_spawned_processes", - - title: "Spawned processes by user", - graphStyle: "", - showBarsColumn: "true", - layout: { - h: 14, - w: 15, - x: 30, - y: 13 -} - , - }, - { - query: "event.category = \"ip\" event.network.direction = \"OUTGOING\" dataSource.category = 'security'\n| group count = count() by dst.ip.address, src.process.name\n| sort -count\n| columns src.process.name, dst.ip.address, count", - - title: "TOP outgoing IP connections by process", - graphStyle: "", - showBarsColumn: "true", - layout: { - h: 14, - w: 14, - x: 0, - y: 13 -} - }, - { - query: "event.category = \"dns\" dataSource.category = 'security'\n| group count = count() by src.process.name, event.dns.request\n| sort -count", - - title: "TOP DNS petitions by process", - layout: { - h: 14, - i: "6", - minH: 3, - minW: 6, - w: 16, - x: 14, - 
y: 13 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - graphStyle: "", - layout: { - h: 14, - i: "4", - minH: 3, - minW: 6, - w: 15, - x: 45, - y: 13 - }, - query: "event.category = 'indicators' indicator.name contains (\"appLockerBypass\",\n\"authenticationPackageImp\",\n\"blockedMimikatz\",\n\"bloodHound\",\n\"getAtomApcAddress\",\n\"injectionToSentinelProcess\",\n\"koadicWmicStager\",\n\"maliciousEmpirePowershellScript\",\n\"maliciousNativeApiPowershellScript\",\n\"maliciousPowershellScript\",\n\"MetasploitNamedPipeImpersonation\",\n\"metasploitShellTCP\",\n\"pentestingFramework\",\n\"pentestingFrameworkHash\",\n\"pictrap\",\n\"ranForbiddenLogonScreen\",\n\"ransomware\",\n\"samSave\",\n\"SPNRequestFromPowershell\",\n\"terminateProtectedProcessAttempt\",\n\"syskeyQuery\",\n\"localMachineHiveSave\",\n\"brute\") dataSource.category = 'security'\n| group count=count() by indicator.category, indicator.name\n| sort -count", - showBarsColumn: "false", - - title: "HIFI Indicators" - } - ], - filters: [ - { - facet: "endpoint.name", - name: "Endpoint name", - }, - { - facet: "src.process.storyline.id", - name: "Src storyline ID" - } - ], - options: {layout: {locked: 1}}, - options: {}, - options: {layout: {locked: 1}} -}, -{"tabName":"Process","graphs":[ - { - graphStyle: "", - query: "event.category = \"process\" dataSource.category = 'security'\n| group count=count() by src.process.name\n| sort -count", - - title: "TOP process spawners", - layout: { - h: 14, - w: 15, - x: 30, - y: 0 -}, - showBarsColumn: "true" - }, - { - graphStyle: "", - query: "event.category = \"process\" dataSource.category = 'security'\n| group count=count() by tgt.process.name\n| sort -count", - - title: "TOP spawned processes", - layout: { - h: 14, - w: 15, - x: 45, - y: 0 -}, - showBarsColumn: "true" - }, - { - query: "event.category = \"process\" dataSource.category = 'security' dataSource.category = 'security'\n| let tgt_details = format(\"(%s) %s (%s) -----> %s\", 
src.process.user, src.process.name, src.process.storyline.id, tgt.process.cmdline)\n| group count = count() by tgt_details\n| columns count, tgt_details\n| sort -count", - - title: "Processes grouped by target cmdlines", - layout: { - h: 29, - w: 60, - x: 0, - y: 14 -} - }, - { - graphStyle: "line", - lineSmoothing: "straightLines", - query: "event.category = \"process\" dataSource.category = 'security' dataSource.category = 'security'\n| group count=count() by src.process.user, timestamp = timebucket(\"1 minute\")\n\n| transpose src.process.user on timestamp", - - title: "Process timeline by user", - yScale: "linear", - layout: { - h: 14, - w: 30, - x: 0, - y: 0 -} - } -], -options: {layout: {locked: 1}}, -options: {}, -options: {layout: {locked: 1}}, -filters: [ - { - facet: "endpoint.name", - name: "Endpoint name" - }, - { - facet: "src.process.storyline.id", - name: "Src storyline ID" - } -], -options: {}, -options: {layout: {locked: 1}} -}, -{"tabName":"File", -filters : [ - { - facet: "endpoint.name", - name: "Endpoint name" - }, - { - facet: "src.process.storyline.id", - name: "Src storyline ID" - } - ], -graphs : [ - { - query: "event.category = \"file\"\n| let windows_path_array = array_split(tgt.file.path, \"\\\\\\\\\")\n| let windows_directory_path_array = array_slice(windows_path_array, 0, len(windows_path_array)-1)\n| let windows_directory_path_string = array_to_string(windows_directory_path_array, \"\\\\\")\n\n| let unix_path_array = array_split(tgt.file.path, \"/\")\n| let unix_directory_path_array = array_slice(unix_path_array, 0, len(unix_path_array)-1)\n| let unix_directory_path_string = array_to_string(unix_directory_path_array, \"/\")\n\n| let directory_path_string = (endpoint.os = \"windows\") ? 
windows_directory_path_string : unix_directory_path_string\n\n| group distinct_sha1_count = estimate_distinct(tgt.file.sha1), distinct_name_count = estimate_distinct(tgt.file.path), distinct_path_count = estimate_distinct(directory_path_string) by endpoint.name, src.process.name, src.process.image.sha1, event.type, tgt.file.extension\n| sort -distinct_name_count, distinct_path_count, distinct_sha1_count\n| columns event.type, tgt.file.extension, distinct_sha1_count, distinct_name_count, distinct_path_count, src.process.name, src.process.image.sha1\n| limit 20", - - title: "Distinct file interactions by process", - graphStyle: "", - showBarsColumn: "false", - layout: { - h: 14, - w: 38, - x: 0, - y: 12 -} - , - }, - { - query: "event.category = \"file\" dataSource.category = 'security' \n| let windows_path_array = array_split(tgt.file.path, \"\\\\\\\\\")\n| let windows_directory_path_array = array_slice(windows_path_array, 0, len(windows_path_array)-1)\n| let windows_directory_path_string = array_to_string(windows_directory_path_array, \"\\\\\")\n| let windows_filename_string = windows_path_array.get(len(windows_path_array)-1)\n\n| let unix_path_array = array_split(tgt.file.path, \"/\")\n| let unix_directory_path_array = array_slice(unix_path_array, 0, len(unix_path_array)-1)\n| let unix_directory_path_string = array_to_string(unix_directory_path_array, \"/\")\n| let unix_filename_string = unix_path_array.get(len(unix_path_array)-1)\n\n| let directory_path_string = (endpoint.os = \"windows\") ? windows_directory_path_string : unix_directory_path_string\n| let filename_string = (endpoint.os = \"windows\") ? 
windows_filename_string : unix_filename_string\n\n| group distinct_path_count = estimate_distinct(directory_path_string) by endpoint.name, src.process.name, src.process.image.sha1, event.type, tgt.file.extension, filename_string\n| sort -distinct_path_count\n| columns src.process.name, event.type, distinct_path_count, filename_string\n| limit 10", - - title: "Possible ransom notes", - graphStyle: "", - showBarsColumn: "false", - layout: { - h: 12, - w: 22, - x: 38, - y: 0 -} - }, - { - query: "event.category = \"file\"\n| let windows_path_array = array_split(tgt.file.path, \"\\\\\\\\\")\n| let windows_directory_path_array = array_slice(windows_path_array, 0, len(windows_path_array)-1)\n| let windows_directory_path_string = array_to_string(windows_directory_path_array, \"\\\\\")\n\n| let unix_path_array = array_split(tgt.file.path, \"/\")\n| let unix_directory_path_array = array_slice(unix_path_array, 0, len(unix_path_array)-1)\n| let unix_directory_path_string = array_to_string(unix_directory_path_array, \"/\")\n\n| let directory_path_string = (endpoint.os = \"windows\") ? 
windows_directory_path_string : unix_directory_path_string\n\n| group count = count() by event.type, src.process.name, tgt.file.extension, directory_path_string\n| sort -count\n| columns count, event.type, src.process.name, tgt.file.extension, directory_path_string", - - title: "Top file event count by src process (use with panel filter)", - layout: { - h: 14, - i: "2", - minH: 3, - minW: 6, - w: 22, - x: 38, - y: 12 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - graphStyle: "line", - layout: { - h: 12, - i: "0", - minH: 3, - minW: 6, - w: 38, - x: 0, - y: 0 - }, - lineSmoothing: "straightLines", - query: "event.category = 'file' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.type\n| transpose event.type on timestamp", - - title: "File timeline", - yScale: "linear" - } - ], -options: {layout: {locked: 1}}, -options: {} -}, -{"tabName":"Network","graphs":[ - { - graphStyle: "line", - lineSmoothing: "straightLines", - query: "event.category = 'ip' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.network.direction\n| transpose event.network.direction on timestamp", - - title: "IP connection timeline by direction", - yScale: "linear", - layout: { - h: 14, - w: 22, - x: 0, - y: 0 -} - }, - { - graphStyle: "line", - lineSmoothing: "straightLines", - query: "event.category = 'ip' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.network.connectionStatus\n| transpose event.network.connectionStatus on timestamp", - - title: "IP connection timeline by status", - yScale: "linear", - layout: { - h: 14, - w: 21, - x: 22, - y: 0 -} - }, - { - query: "event.category = \"ip\" and event.network.direction = \"OUTGOING\" dataSource.category = 'security'\n| group distinct_dstip=estimate_distinct(dst.ip.address) by endpoint.name, src.ip.address, src.process.name, src.process.storyline.id\n| sort 
-distinct_dstip\n| columns endpoint.name, src.process.storyline.id, src.process.name, src.ip.address, distinct_dstip\n| limit 10", - - title: "Possible outbound network scan", - layout: { - h: 12, - w: 50, - x: 10, - y: 28 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - query: "event.category = \"ip\" and event.network.direction = \"OUTGOING\" dataSource.category = 'security'\n| group distinct_dstport=estimate_distinct(dst.port.number)by dst.ip.address, endpoint.name, src.ip.address, src.process.name, src.process.storyline.id\n| sort -distinct_dstport\n| columns endpoint.name, src.process.storyline.id, src.process.name, src.ip.address, dst.ip.address, distinct_dstport\n| limit 10", - - title: "Possible outbound port scan", - layout: { - h: 12, - w: 50, - x: 10, - y: 40 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - query: "event.category = \"ip\" and event.network.direction = \"INCOMING\" dataSource.category = 'security'\n| group distinct_dstip=estimate_distinct(dst.ip.address) by src.ip.address\n| sort -distinct_dstip\n| columns src.ip.address, distinct_dstip \n| limit 10", - - title: "Possible inbound net scan", - layout: { - h: 12, - w: 10, - x: 0, - y: 28 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - query: "event.category = \"ip\" and event.network.direction = \"INCOMING\" dataSource.category = 'security'\n| group distinct_dstport=estimate_distinct(dst.port.number) by src.ip.address\n| sort -distinct_dstport\n| columns src.ip.address, distinct_dstport", - - title: "Possible inbound port scan", - layout: { - h: 12, - w: 10, - x: 0, - y: 40 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - graphStyle: "", - query: "event.category = 'ip' !isempty(dst.ip.address) dataSource.category = 'security'\n| group count = count() by dst.ip.address\n| sort -count", - - title: "Top destinations", - showBarsColumn: "true", - layout: { - h: 14, - w: 9, - x: 43, - y: 0 -} - }, - { - graphStyle: "", - query: "event.category = 'ip' 
!isempty(src.ip.address) dataSource.category = 'security'\n| group count = count() by src.ip.address\n| sort -count", - - title: "Top sources", - layout: { - h: 14, - w: 8, - x: 52, - y: 0 -}, - showBarsColumn: "true" - }, - { - query: "event.category = \"url\" and dataSource.category = 'security' dataSource.category = 'security' \n| group count = count() by url.address, src.process.name\n| sort -count\n| columns count, src.process.name, url.address", - - title: "URL count by process name", - layout: { - h: 14, - w: 40, - x: 20, - y: 14 -} - }, - { - query: "event.category = \"dns\" dataSource.category = 'security'\n| group count = count() by event.dns.request, src.process.name, src.process.storyline.id\n| sort -count\n| columns count, src.process.name, event.dns.request", - - title: "DNS count by process name", - layout: { - h: 14, - w: 20, - x: 0, - y: 14 -} - } -], -options: {layout: {locked: 1}}, -filters: [ - { - facet: "endpoint.name", - name: "Endpoint name" - }, - { - facet: "src.process.storyline.id", - name: "Src storyline ID" - } -], -options: {}, -options: {layout: {locked: 1}}, -options: {}, -options: {layout: {locked: 1}} -}, -{"tabName":"Indicators","graphs":[ - { - graphStyle: "stacked_bar", - query: "event.category = 'indicators' dataSource.category = 'security'\n| group count=count() by indicator.category\n| sort -count", - - title: "Indicator count by category", - xAxis: "grouped_data", - yScale: "linear", - layout: { - h: 14, - w: 15, - x: 0, - y: 0 -} - }, - { - query: "event.category = 'indicators' dataSource.category = 'security'\n| group count=count() by src.process.name, indicator.category, indicator.name, indicator.metadata\n| sort src.process.name, indicator.category, indicator.name, indicator.metadata\n| columns src.process.name, indicator.category, indicator.name, indicator.metadata", - - title: "Indicators with metadata", - layout: { - h: 28, - w: 60, - x: 0, - y: 14 -} - }, - { - query: "event.category = 'indicators' 
dataSource.category = 'security'\n| group count=count() by src.process.name, indicator.category, indicator.name\n| sort src.process.name, indicator.category, indicator.name\n| columns src.process.name, indicator.category, indicator.name", - - title: "Full indicator list", - layout: { - h: 14, - w: 30, - x: 30, - y: 0 -}, - graphStyle: "", - showBarsColumn: "false" - }, - { - graphStyle: "", - layout: { - h: 14, - w: 15, - x: 15, - y: 0 -}, - query: "event.category = 'indicators' indicator.name contains (\"appLockerBypass\",\n\"authenticationPackageImp\",\n\"blockedMimikatz\",\n\"bloodHound\",\n\"getAtomApcAddress\",\n\"injectionToSentinelProcess\",\n\"koadicWmicStager\",\n\"maliciousEmpirePowershellScript\",\n\"maliciousNativeApiPowershellScript\",\n\"maliciousPowershellScript\",\n\"MetasploitNamedPipeImpersonation\",\n\"metasploitShellTCP\",\n\"pentestingFramework\",\n\"pentestingFrameworkHash\",\n\"pictrap\",\n\"ranForbiddenLogonScreen\",\n\"ransomware\",\n\"samSave\",\n\"SPNRequestFromPowershell\",\n\"terminateProtectedProcessAttempt\",\n\"syskeyQuery\",\n\"localMachineHiveSave\",\n\"brute\") dataSource.category = 'security'\n| group count=count() by indicator.category, indicator.name\n| sort -count", - showBarsColumn: "false", - - title: "HIFI Indicators" - } -], -filters: [ - { - facet: "endpoint.name", - name: "Endpoint name", - }, - { - facet: "src.process.storyline.id", - name: "Src storyline ID" - } -], -options: {layout: {locked: 1}}, -options: {}, -options: {layout: {locked: 1}} -}, -{"tabName":"Lateral movement origin","graphs":[ - { - query: "event.category = \"ip\" dataSource.category = 'security'\n| let unknown_ip = src.ip.address\n| let potential_hostname = endpoint.name\n| group count = count() by potential_hostname, unknown_ip\n| columns unknown_ip, potential_hostname", - - title: "Retrieve endpoint name from IP events", - layout: { - h: 14, - i: "0", - minH: 3, - minW: 6, - w: 30, - x: 0, - y: 0 -}, - graphStyle: "", - showBarsColumn: "false" - 
}, - { - query: "event.category = \"dns\" dataSource.category = 'security'\n| let unknown_ip = event.dns.response\n| let potential_hostname = event.dns.request\n| group count = count() by unknown_ip, potential_hostname\n| columns unknown_ip, potential_hostname", - - title: "Retrieve endpoint name from DNS petitions", - graphStyle: "", - showBarsColumn: "false", - layout: { - h: 14, - i: "1", - minH: 3, - minW: 6, - w: 60, - x: 0, - y: 14 -} - }, - { - query: "event.category = \"logins\" event.login.userName contains \"$\" dataSource.category = 'security'\n| let unknown_ip = src.endpoint.ip.address\n| let potential_hostname = event.login.userName\n| group count = count() by potential_hostname, unknown_ip\n| columns unknown_ip, potential_hostname", - - title: "Retrieve endpoint name from login events", - graphStyle: "", - showBarsColumn: "false", - layout: { - h: 14, - i: "2", - minH: 3, - minW: 6, - w: 30, - x: 30, - y: 0 -} - } -], -filters: [ -], -options: {layout: {locked: 1}} -}], - configType: "TABBED" - } +{ + tabs: [{"tabName":"Overview","graphs":[ + { + graphStyle: "stacked_bar", + query: "event.category contains \"\" dataSource.category = 'security'\n| group count = count() by event.category\n| sort -count", + + title: "Count by event category", + xAxis: "grouped_data", + yScale: "linear", + layout: { + h: 13, + w: 20, + x: 0, + y: 0 +} + }, + { + graphStyle: "stacked_bar", + query: "event.category = \"indicators\"\n| group count = count() by indicator.category \n| sort -count", + + title: "Indicators by category", + xAxis: "grouped_data", + yScale: "linear", + layout: { + h: 13, + w: 13, + x: 47, + y: 0 +} + , + }, + { + graphStyle: "line", + layout: { + h: 13, + w: 27, + x: 20, + y: 0 +}, + lineSmoothing: "straightLines", + query: "event.category = 'file' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.type\n| transpose event.type on timestamp", + + title: "File timeline", + yScale: "linear" + }, + 
{ + query: "event.category = \"process\" dataSource.category = 'security'\n| group distinct_spawned_processes=estimate_distinct(tgt.process.user) by src.process.user \n| sort -distinct_spawned_processes", + + title: "Spawned processes by user", + graphStyle: "", + showBarsColumn: "true", + layout: { + h: 14, + w: 15, + x: 30, + y: 13 +} + , + }, + { + query: "event.category = \"ip\" event.network.direction = \"OUTGOING\" dataSource.category = 'security'\n| group count = count() by dst.ip.address, src.process.name\n| sort -count\n| columns src.process.name, dst.ip.address, count", + + title: "TOP outgoing IP connections by process", + graphStyle: "", + showBarsColumn: "true", + layout: { + h: 14, + w: 14, + x: 0, + y: 13 +} + }, + { + query: "event.category = \"dns\" dataSource.category = 'security'\n| group count = count() by src.process.name, event.dns.request\n| sort -count", + + title: "TOP DNS petitions by process", + layout: { + h: 14, + i: "6", + minH: 3, + minW: 6, + w: 16, + x: 14, + y: 13 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + graphStyle: "", + layout: { + h: 14, + i: "4", + minH: 3, + minW: 6, + w: 15, + x: 45, + y: 13 + }, + query: "event.category = 'indicators' indicator.name contains (\"appLockerBypass\",\n\"authenticationPackageImp\",\n\"blockedMimikatz\",\n\"bloodHound\",\n\"getAtomApcAddress\",\n\"injectionToSentinelProcess\",\n\"koadicWmicStager\",\n\"maliciousEmpirePowershellScript\",\n\"maliciousNativeApiPowershellScript\",\n\"maliciousPowershellScript\",\n\"MetasploitNamedPipeImpersonation\",\n\"metasploitShellTCP\",\n\"pentestingFramework\",\n\"pentestingFrameworkHash\",\n\"pictrap\",\n\"ranForbiddenLogonScreen\",\n\"ransomware\",\n\"samSave\",\n\"SPNRequestFromPowershell\",\n\"terminateProtectedProcessAttempt\",\n\"syskeyQuery\",\n\"localMachineHiveSave\",\n\"brute\") dataSource.category = 'security'\n| group count=count() by indicator.category, indicator.name\n| sort -count", + showBarsColumn: "false", + + title: "HIFI 
Indicators" + } + ], + filters: [ + { + facet: "endpoint.name", + name: "Endpoint name", + }, + { + facet: "src.process.storyline.id", + name: "Src storyline ID" + } + ], + options: {layout: {locked: 1}}, + options: {}, + options: {layout: {locked: 1}} +}, +{"tabName":"Process","graphs":[ + { + graphStyle: "", + query: "event.category = \"process\" dataSource.category = 'security'\n| group count=count() by src.process.name\n| sort -count", + + title: "TOP process spawners", + layout: { + h: 14, + w: 15, + x: 30, + y: 0 +}, + showBarsColumn: "true" + }, + { + graphStyle: "", + query: "event.category = \"process\" dataSource.category = 'security'\n| group count=count() by tgt.process.name\n| sort -count", + + title: "TOP spawned processes", + layout: { + h: 14, + w: 15, + x: 45, + y: 0 +}, + showBarsColumn: "true" + }, + { + query: "event.category = \"process\" dataSource.category = 'security' dataSource.category = 'security'\n| let tgt_details = format(\"(%s) %s (%s) -----> %s\", src.process.user, src.process.name, src.process.storyline.id, tgt.process.cmdline)\n| group count = count() by tgt_details\n| columns count, tgt_details\n| sort -count", + + title: "Processes grouped by target cmdlines", + layout: { + h: 29, + w: 60, + x: 0, + y: 14 +} + }, + { + graphStyle: "line", + lineSmoothing: "straightLines", + query: "event.category = \"process\" dataSource.category = 'security' dataSource.category = 'security'\n| group count=count() by src.process.user, timestamp = timebucket(\"1 minute\")\n\n| transpose src.process.user on timestamp", + + title: "Process timeline by user", + yScale: "linear", + layout: { + h: 14, + w: 30, + x: 0, + y: 0 +} + } +], +options: {layout: {locked: 1}}, +options: {}, +options: {layout: {locked: 1}}, +filters: [ + { + facet: "endpoint.name", + name: "Endpoint name" + }, + { + facet: "src.process.storyline.id", + name: "Src storyline ID" + } +], +options: {}, +options: {layout: {locked: 1}} +}, +{"tabName":"File", +filters : [ + { + facet: 
"endpoint.name", + name: "Endpoint name" + }, + { + facet: "src.process.storyline.id", + name: "Src storyline ID" + } + ], +graphs : [ + { + query: "event.category = \"file\"\n| let windows_path_array = array_split(tgt.file.path, \"\\\\\\\\\")\n| let windows_directory_path_array = array_slice(windows_path_array, 0, len(windows_path_array)-1)\n| let windows_directory_path_string = array_to_string(windows_directory_path_array, \"\\\\\")\n\n| let unix_path_array = array_split(tgt.file.path, \"/\")\n| let unix_directory_path_array = array_slice(unix_path_array, 0, len(unix_path_array)-1)\n| let unix_directory_path_string = array_to_string(unix_directory_path_array, \"/\")\n\n| let directory_path_string = (endpoint.os = \"windows\") ? windows_directory_path_string : unix_directory_path_string\n\n| group distinct_sha1_count = estimate_distinct(tgt.file.sha1), distinct_name_count = estimate_distinct(tgt.file.path), distinct_path_count = estimate_distinct(directory_path_string) by endpoint.name, src.process.name, src.process.image.sha1, event.type, tgt.file.extension\n| sort -distinct_name_count, distinct_path_count, distinct_sha1_count\n| columns event.type, tgt.file.extension, distinct_sha1_count, distinct_name_count, distinct_path_count, src.process.name, src.process.image.sha1\n| limit 20", + + title: "Distinct file interactions by process", + graphStyle: "", + showBarsColumn: "false", + layout: { + h: 14, + w: 38, + x: 0, + y: 12 +} + , + }, + { + query: "event.category = \"file\" dataSource.category = 'security' \n| let windows_path_array = array_split(tgt.file.path, \"\\\\\\\\\")\n| let windows_directory_path_array = array_slice(windows_path_array, 0, len(windows_path_array)-1)\n| let windows_directory_path_string = array_to_string(windows_directory_path_array, \"\\\\\")\n| let windows_filename_string = windows_path_array.get(len(windows_path_array)-1)\n\n| let unix_path_array = array_split(tgt.file.path, \"/\")\n| let unix_directory_path_array = 
array_slice(unix_path_array, 0, len(unix_path_array)-1)\n| let unix_directory_path_string = array_to_string(unix_directory_path_array, \"/\")\n| let unix_filename_string = unix_path_array.get(len(unix_path_array)-1)\n\n| let directory_path_string = (endpoint.os = \"windows\") ? windows_directory_path_string : unix_directory_path_string\n| let filename_string = (endpoint.os = \"windows\") ? windows_filename_string : unix_filename_string\n\n| group distinct_path_count = estimate_distinct(directory_path_string) by endpoint.name, src.process.name, src.process.image.sha1, event.type, tgt.file.extension, filename_string\n| sort -distinct_path_count\n| columns src.process.name, event.type, distinct_path_count, filename_string\n| limit 10", + + title: "Possible ransom notes", + graphStyle: "", + showBarsColumn: "false", + layout: { + h: 12, + w: 22, + x: 38, + y: 0 +} + }, + { + query: "event.category = \"file\"\n| let windows_path_array = array_split(tgt.file.path, \"\\\\\\\\\")\n| let windows_directory_path_array = array_slice(windows_path_array, 0, len(windows_path_array)-1)\n| let windows_directory_path_string = array_to_string(windows_directory_path_array, \"\\\\\")\n\n| let unix_path_array = array_split(tgt.file.path, \"/\")\n| let unix_directory_path_array = array_slice(unix_path_array, 0, len(unix_path_array)-1)\n| let unix_directory_path_string = array_to_string(unix_directory_path_array, \"/\")\n\n| let directory_path_string = (endpoint.os = \"windows\") ? 
windows_directory_path_string : unix_directory_path_string\n\n| group count = count() by event.type, src.process.name, tgt.file.extension, directory_path_string\n| sort -count\n| columns count, event.type, src.process.name, tgt.file.extension, directory_path_string", + + title: "Top file event count by src process (use with panel filter)", + layout: { + h: 14, + i: "2", + minH: 3, + minW: 6, + w: 22, + x: 38, + y: 12 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + graphStyle: "line", + layout: { + h: 12, + i: "0", + minH: 3, + minW: 6, + w: 38, + x: 0, + y: 0 + }, + lineSmoothing: "straightLines", + query: "event.category = 'file' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.type\n| transpose event.type on timestamp", + + title: "File timeline", + yScale: "linear" + } + ], +options: {layout: {locked: 1}}, +options: {} +}, +{"tabName":"Network","graphs":[ + { + graphStyle: "line", + lineSmoothing: "straightLines", + query: "event.category = 'ip' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.network.direction\n| transpose event.network.direction on timestamp", + + title: "IP connection timeline by direction", + yScale: "linear", + layout: { + h: 14, + w: 22, + x: 0, + y: 0 +} + }, + { + graphStyle: "line", + lineSmoothing: "straightLines", + query: "event.category = 'ip' dataSource.category = 'security'\n| group count = count() by timestamp = timebucket(\"1 minute\"), event.network.connectionStatus\n| transpose event.network.connectionStatus on timestamp", + + title: "IP connection timeline by status", + yScale: "linear", + layout: { + h: 14, + w: 21, + x: 22, + y: 0 +} + }, + { + query: "event.category = \"ip\" and event.network.direction = \"OUTGOING\" dataSource.category = 'security'\n| group distinct_dstip=estimate_distinct(dst.ip.address) by endpoint.name, src.ip.address, src.process.name, src.process.storyline.id\n| sort 
-distinct_dstip\n| columns endpoint.name, src.process.storyline.id, src.process.name, src.ip.address, distinct_dstip\n| limit 10", + + title: "Possible outbound network scan", + layout: { + h: 12, + w: 50, + x: 10, + y: 28 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + query: "event.category = \"ip\" and event.network.direction = \"OUTGOING\" dataSource.category = 'security'\n| group distinct_dstport=estimate_distinct(dst.port.number)by dst.ip.address, endpoint.name, src.ip.address, src.process.name, src.process.storyline.id\n| sort -distinct_dstport\n| columns endpoint.name, src.process.storyline.id, src.process.name, src.ip.address, dst.ip.address, distinct_dstport\n| limit 10", + + title: "Possible outbound port scan", + layout: { + h: 12, + w: 50, + x: 10, + y: 40 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + query: "event.category = \"ip\" and event.network.direction = \"INCOMING\" dataSource.category = 'security'\n| group distinct_dstip=estimate_distinct(dst.ip.address) by src.ip.address\n| sort -distinct_dstip\n| columns src.ip.address, distinct_dstip \n| limit 10", + + title: "Possible inbound net scan", + layout: { + h: 12, + w: 10, + x: 0, + y: 28 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + query: "event.category = \"ip\" and event.network.direction = \"INCOMING\" dataSource.category = 'security'\n| group distinct_dstport=estimate_distinct(dst.port.number) by src.ip.address\n| sort -distinct_dstport\n| columns src.ip.address, distinct_dstport", + + title: "Possible inbound port scan", + layout: { + h: 12, + w: 10, + x: 0, + y: 40 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + graphStyle: "", + query: "event.category = 'ip' !isempty(dst.ip.address) dataSource.category = 'security'\n| group count = count() by dst.ip.address\n| sort -count", + + title: "Top destinations", + showBarsColumn: "true", + layout: { + h: 14, + w: 9, + x: 43, + y: 0 +} + }, + { + graphStyle: "", + query: "event.category = 'ip' 
!isempty(src.ip.address) dataSource.category = 'security'\n| group count = count() by src.ip.address\n| sort -count", + + title: "Top sources", + layout: { + h: 14, + w: 8, + x: 52, + y: 0 +}, + showBarsColumn: "true" + }, + { + query: "event.category = \"url\" and dataSource.category = 'security' dataSource.category = 'security' \n| group count = count() by url.address, src.process.name\n| sort -count\n| columns count, src.process.name, url.address", + + title: "URL count by process name", + layout: { + h: 14, + w: 40, + x: 20, + y: 14 +} + }, + { + query: "event.category = \"dns\" dataSource.category = 'security'\n| group count = count() by event.dns.request, src.process.name, src.process.storyline.id\n| sort -count\n| columns count, src.process.name, event.dns.request", + + title: "DNS count by process name", + layout: { + h: 14, + w: 20, + x: 0, + y: 14 +} + } +], +options: {layout: {locked: 1}}, +filters: [ + { + facet: "endpoint.name", + name: "Endpoint name" + }, + { + facet: "src.process.storyline.id", + name: "Src storyline ID" + } +], +options: {}, +options: {layout: {locked: 1}}, +options: {}, +options: {layout: {locked: 1}} +}, +{"tabName":"Indicators","graphs":[ + { + graphStyle: "stacked_bar", + query: "event.category = 'indicators' dataSource.category = 'security'\n| group count=count() by indicator.category\n| sort -count", + + title: "Indicator count by category", + xAxis: "grouped_data", + yScale: "linear", + layout: { + h: 14, + w: 15, + x: 0, + y: 0 +} + }, + { + query: "event.category = 'indicators' dataSource.category = 'security'\n| group count=count() by src.process.name, indicator.category, indicator.name, indicator.metadata\n| sort src.process.name, indicator.category, indicator.name, indicator.metadata\n| columns src.process.name, indicator.category, indicator.name, indicator.metadata", + + title: "Indicators with metadata", + layout: { + h: 28, + w: 60, + x: 0, + y: 14 +} + }, + { + query: "event.category = 'indicators' 
dataSource.category = 'security'\n| group count=count() by src.process.name, indicator.category, indicator.name\n| sort src.process.name, indicator.category, indicator.name\n| columns src.process.name, indicator.category, indicator.name", + + title: "Full indicator list", + layout: { + h: 14, + w: 30, + x: 30, + y: 0 +}, + graphStyle: "", + showBarsColumn: "false" + }, + { + graphStyle: "", + layout: { + h: 14, + w: 15, + x: 15, + y: 0 +}, + query: "event.category = 'indicators' indicator.name contains (\"appLockerBypass\",\n\"authenticationPackageImp\",\n\"blockedMimikatz\",\n\"bloodHound\",\n\"getAtomApcAddress\",\n\"injectionToSentinelProcess\",\n\"koadicWmicStager\",\n\"maliciousEmpirePowershellScript\",\n\"maliciousNativeApiPowershellScript\",\n\"maliciousPowershellScript\",\n\"MetasploitNamedPipeImpersonation\",\n\"metasploitShellTCP\",\n\"pentestingFramework\",\n\"pentestingFrameworkHash\",\n\"pictrap\",\n\"ranForbiddenLogonScreen\",\n\"ransomware\",\n\"samSave\",\n\"SPNRequestFromPowershell\",\n\"terminateProtectedProcessAttempt\",\n\"syskeyQuery\",\n\"localMachineHiveSave\",\n\"brute\") dataSource.category = 'security'\n| group count=count() by indicator.category, indicator.name\n| sort -count", + showBarsColumn: "false", + + title: "HIFI Indicators" + } +], +filters: [ + { + facet: "endpoint.name", + name: "Endpoint name", + }, + { + facet: "src.process.storyline.id", + name: "Src storyline ID" + } +], +options: {layout: {locked: 1}}, +options: {}, +options: {layout: {locked: 1}} +}, +{"tabName":"Lateral movement origin","graphs":[ + { + query: "event.category = \"ip\" dataSource.category = 'security'\n| let unknown_ip = src.ip.address\n| let potential_hostname = endpoint.name\n| group count = count() by potential_hostname, unknown_ip\n| columns unknown_ip, potential_hostname", + + title: "Retrieve endpoint name from IP events", + layout: { + h: 14, + i: "0", + minH: 3, + minW: 6, + w: 30, + x: 0, + y: 0 +}, + graphStyle: "", + showBarsColumn: "false" + 
}, + { + query: "event.category = \"dns\" dataSource.category = 'security'\n| let unknown_ip = event.dns.response\n| let potential_hostname = event.dns.request\n| group count = count() by unknown_ip, potential_hostname\n| columns unknown_ip, potential_hostname", + + title: "Retrieve endpoint name from DNS petitions", + graphStyle: "", + showBarsColumn: "false", + layout: { + h: 14, + i: "1", + minH: 3, + minW: 6, + w: 60, + x: 0, + y: 14 +} + }, + { + query: "event.category = \"logins\" event.login.userName contains \"$\" dataSource.category = 'security'\n| let unknown_ip = src.endpoint.ip.address\n| let potential_hostname = event.login.userName\n| group count = count() by potential_hostname, unknown_ip\n| columns unknown_ip, potential_hostname", + + title: "Retrieve endpoint name from login events", + graphStyle: "", + showBarsColumn: "false", + layout: { + h: 14, + i: "2", + minH: 3, + minW: 6, + w: 30, + x: 30, + y: 0 +} + } +], +filters: [ +], +options: {layout: {locked: 1}} +}], + configType: "TABBED" + } diff --git a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/aws_vpc_dns_logs-latest/aws_vpc_dns.conf b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/aws_vpc_dns_logs-latest/aws_vpc_dns.conf index 9dc1384..f25eb2a 100644 --- a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/aws_vpc_dns_logs-latest/aws_vpc_dns.conf +++ b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/aws_vpc_dns_logs-latest/aws_vpc_dns.conf 
@@ -1,207 +1,207 @@
-{
- "attributes": {
- "dataSource.name": "AWS VPC DNS",
- "dataSource.vendor": "AWS",
- "dataSource.category": "security",
- "metadata.product.name": "VPC DNS",
- "metadata.product.vendor_name": "AWS",
- "metadata.version": "1.5.0"
- },
- "formats": [
- {
- "format": "$unmapped.{parse=gron}$",
- "rewrites": [
- {
- "input": "unmapped.query_timestamp",
- "output": "timestamp",
- "match": ".*",
- "replace": "$0"
- }
- ]
- }
- ],
- "mappings": {
- "version": 1,
- "mappings": [
- {
- "predicate": "true",
- "transformations": [
- {
- "constant": {
- "value": 6,
- "field": "activity_id"
- }
- },
- {
- "constant": {
- "value": "Traffic",
- "field": "activity_name"
- }
- },
- {
- "constant": {
- "value": 4,
- "field": "category_uid"
- }
- },
- {
- "constant": {
- "value": 4003,
- "field": "class_uid"
- }
- },
- {
- "constant": {
- "value": "DNS Activity",
- "field": "class_name"
- }
- },
- {
- "constant": {
- "value": "Network Activity",
- "field": "category_name"
- }
- },
- {
- "constant": {
- "value": 400306,
- "field": "type_uid"
- }
- },
- {
- "constant": {
- "value": "DNS Activity: Traffic",
- "field": "type_name"
- }
- },
- {
- "copy": {
- "from": "unmapped.query_timestamp",
- "to": "time"
- }
- },
- {
- "cast": {
- "field": "time",
- "type": "iso8601TimestampToEpochSec"
- }
- },
- {
- "rename": {
- "from": "unmapped.query_timestamp",
- "to": "query_time"
- }
- },
- {
- "rename": {
- "from": "unmapped.query_class",
- "to": "query.class"
- }
- },
- {
- "rename": {
- "from": "unmapped.query_name",
- "to": "query.hostname"
- }
- },
- {
- "rename": {
- "from": "unmapped.query_type",
- "to": "query.type"
- }
- },
- {
- "rename": {
- "from": "unmapped.rcode",
- "to": "rcode"
- }
- },
- {
- "rename": {
- "from": "unmapped.answers.Rdata",
- "to": "answers.rdata"
- }
- },
- {
- "rename": {
- "from": "unmapped.answers.Class",
- "to": "answers.class"
- }
- },
- {
- "rename": {
- "from": "unmapped.answers.Type",
- "to": "answers.type"
- }
- },
- {
- "rename": {
- "from": "unmapped.srcaddr",
- "to": "src_endpoint.ip"
- }
- },
- {
- "rename": {
- "from": "unmapped.srcport",
- "to": "src_endpoint.port"
- }
- },
- {
- "rename": {
- "from": "unmapped.vpc_id",
- "to": "src_endpoint.vpc_uid"
- }
- },
- {
- "rename": {
- "from": "unmapped.srcids.instance",
- "to": "src_endpoint.instance_uid"
- }
- },
- {
- "rename": {
- "from": "unmapped.region",
- "to": "cloud.region"
- }
- },
- {
- "rename": {
- "from": "unmapped.transport",
- "to": "connection_info.protocol_name"
- }
- },
- {
- "rename": {
- "from": "unmapped.account_id",
- "to": "cloud.account.uid"
- }
- },
- {
- "rename": {
- "from": "unmapped.version",
- "to": "metadata.product.version"
- }
- },
- {
- "rename": {
- "from": "unmapped.answers[*].Rdata",
- "to": "answers[*].rdata"
- }
- },
- {
- "rename": {
- "from": "unmapped.answers[*].Class",
- "to": "answers[*].class"
- }
- },
- {
- "rename": {
- "from": "unmapped.answers[*].Type",
- "to": "answers[*].type"
- }
- }
- ]
- }
- ]
- }
+{
+ "attributes": {
+ "dataSource.name": "AWS VPC DNS",
+ "dataSource.vendor": "AWS",
+ "dataSource.category": "security",
+ "metadata.product.name": "VPC DNS",
+ "metadata.product.vendor_name": "AWS",
+ "metadata.version": "1.5.0"
+ },
+ "formats": [
+ {
+ "format": "$unmapped.{parse=gron}$",
+ "rewrites": [
+ {
+ "input": "unmapped.query_timestamp",
+ "output": "timestamp",
+ "match": ".*",
+ "replace": "$0"
+ }
+ ]
+ }
+ ],
+ "mappings": {
+ "version": 1,
+ "mappings": [
+ {
+ "predicate": "true",
+ "transformations": [
+ {
+ "constant": {
+ "value": 6,
+ "field": "activity_id"
+ }
+ },
+ {
+ "constant": {
+ "value": "Traffic",
+ "field": "activity_name"
+ }
+ },
+ {
+ "constant": {
+ "value": 4,
+ "field": "category_uid"
+ }
+ },
+ {
+ "constant": {
+ "value": 4003,
+ "field": "class_uid"
+ }
+ },
+ {
+ "constant": {
+ "value": "DNS Activity",
+ "field": "class_name"
+ }
+ },
+ {
+ "constant": {
+ "value": "Network Activity",
+ "field": "category_name"
+ }
+ },
+ {
+ "constant": {
+ "value": 400306,
+ "field": "type_uid"
+ }
+ },
+ {
+ "constant": {
+ "value": "DNS Activity: Traffic",
+ "field": "type_name"
+ }
+ },
+ {
+ "copy": {
+ "from": "unmapped.query_timestamp",
+ "to": "time"
+ }
+ },
+ {
+ "cast": {
+ "field": "time",
+ "type": "iso8601TimestampToEpochSec"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.query_timestamp",
+ "to": "query_time"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.query_class",
+ "to": "query.class"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.query_name",
+ "to": "query.hostname"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.query_type",
+ "to": "query.type"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.rcode",
+ "to": "rcode"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.answers.Rdata",
+ "to": "answers.rdata"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.answers.Class",
+ "to": "answers.class"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.answers.Type",
+ "to": "answers.type"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.srcaddr",
+ "to": "src_endpoint.ip"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.srcport",
+ "to": "src_endpoint.port"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.vpc_id",
+ "to": "src_endpoint.vpc_uid"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.srcids.instance",
+ "to": "src_endpoint.instance_uid"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.region",
+ "to": "cloud.region"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.transport",
+ "to": "connection_info.protocol_name"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.account_id",
+ "to": "cloud.account.uid"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.version",
+ "to": "metadata.product.version"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.answers[*].Rdata",
+ "to": "answers[*].rdata"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.answers[*].Class",
+ "to": "answers[*].class"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.answers[*].Type",
+ "to": "answers[*].type"
+ }
+ }
+ ]
+ }
+ ]
+ }
 }
\ No newline at end of file
diff --git a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/buildkite_ci_logs-latest/buildkite.conf b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/buildkite_ci_logs-latest/buildkite.conf
index 282c48b..76b6292 100644
--- a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/buildkite_ci_logs-latest/buildkite.conf
+++ b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/buildkite_ci_logs-latest/buildkite.conf
@@ -1,395 +1,395 @@
-{
- "attributes": {
- "dataSource.name": "Buildkite Audit",
- "dataSource.vendor": "Buildkite",
- "dataSource.category": "security",
- "metadata.product.name": "Buildkite Audit",
- "metadata.product.vendor_name": "Buildkite",
- "metadata.version": "1.5.0"
- },
- "formats": [
- {
- "format": "$unmapped.{parse=gron}$",
- "rewrites": [
- {
- "input": "unmapped.occurredAt",
- "output": "timestamp",
- "match": ".*",
- "replace": "$0"
- }
- ]
- }
- ],
- "mappings": {
- "version": 1,
- "mappings": [
- {
- "predicate": "true",
- "transformations": [
- {
- "copy": {
- "from": "unmapped.type",
- "to": "event.action"
- }
- },
- {
- "constant": {
- "value": 3004,
- "field": "class_uid"
- }
- },
- {
- "constant": {
- "value": 3,
- "field": "category_uid"
- }
- },
- {
- "constant": {
- "value": "Entity Management",
- "field": "class_name"
- }
- },
- {
- "constant": {
- "value": "Identity & Access Management",
- "field": "category_name"
- }
- },
- {
- "constant": {
- "value": 1,
- "field": "activity_id",
- "predicate": "unmapped.type contains ('created','added')"
- }
- },
- {
- "constant": {
- "value": "Create",
- "field": "activity_name",
- "predicate": "unmapped.type contains ('created','added')"
- }
- },
- {
- "constant": {
- "value": 300401,
- "field": "type_uid",
- "predicate": "unmapped.type contains ('created','added')"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Create",
- "field": "type_name",
- "predicate": "unmapped.type contains ('created','added')"
- }
- },
- {
- "constant": {
- "value": 2,
- "field": "activity_id",
- "predicate": "unmapped.type contains 'read'"
- }
- },
- {
- "constant": {
- "value": "Read",
- "field": "activity_name",
- "predicate": "unmapped.type contains 'read'"
- }
- },
- {
- "constant": {
- "value": 300402,
- "field": "type_uid",
- "predicate": "unmapped.type contains 'read'"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Read",
- "field": "type_name",
- "predicate": "unmapped.type contains 'read'"
- }
- },
- {
- "constant": {
- "value": 3,
- "field": "activity_id",
- "predicate": "unmapped.type contains ('updated','changed')"
- }
- },
- {
- "constant": {
- "value": "Update",
- "field": "activity_name",
- "predicate": "unmapped.type contains ('updated','changed')"
- }
- },
- {
- "constant": {
- "value": 300403,
- "field": "type_uid",
- "predicate": "unmapped.type contains ('updated','changed')"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Update",
- "field": "type_name",
- "predicate": "unmapped.type contains ('updated','changed')"
- }
- },
- {
- "constant": {
- "value": 4,
- "field": "activity_id",
- "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
- }
- },
- {
- "constant": {
- "value": "Delete",
- "field": "activity_name",
- "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
- }
- },
- {
- "constant": {
- "value": 300404,
- "field": "type_uid",
- "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Delete",
- "field": "type_name",
- "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
- }
- },
- {
- "constant": {
- "value": 8,
- "field": "activity_id",
- "predicate": "unmapped.type contains 'enabled'"
- }
- },
- {
- "constant": {
- "value": "Enable",
- "field": "activity_name",
- "predicate": "unmapped.type contains 'enabled'"
- }
- },
- {
- "constant": {
- "value": 300408,
- "field": "type_uid",
- "predicate": "unmapped.type contains 'enabled'"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Enable",
- "field": "type_name",
- "predicate": "unmapped.type contains 'enabled'"
- }
- },
- {
- "constant": {
- "value": 9,
- "field": "activity_id",
- "predicate": "unmapped.type contains 'disabled'"
- }
- },
- {
- "constant": {
- "value": "Disable",
- "field": "activity_name",
- "predicate": "unmapped.type contains 'disabled'"
- }
- },
- {
- "constant": {
- "value": 300409,
- "field": "type_uid",
- "predicate": "unmapped.type contains 'disabled'"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Disable",
- "field": "type_name",
- "predicate": "unmapped.type contains 'disabled'"
- }
- },
- {
- "constant": {
- "value": 10,
- "field": "activity_id",
- "predicate": "unmapped.type contains 'activated'"
- }
- },
- {
- "constant": {
- "value": "Activate",
- "field": "activity_name",
- "predicate": "unmapped.type contains 'activated'"
- }
- },
- {
- "constant": {
- "value": 300410,
- "field": "type_uid",
- "predicate": "unmapped.type contains 'activated'"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Activate",
- "field": "type_name",
- "predicate": "unmapped.type contains 'activated'"
- }
- },
- {
- "constant": {
- "value": 12,
- "field": "activity_id",
- "predicate": "unmapped.type contains 'revoked'"
- }
- },
- {
- "constant": {
- "value": "Suspend",
- "field": "activity_name",
- "predicate": "unmapped.type contains 'revoked'"
- }
- },
- {
- "constant": {
- "value": 300412,
- "field": "type_uid",
- "predicate": "unmapped.type contains 'revoked'"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Suspend",
- "field": "type_name",
- "predicate": "unmapped.type contains 'revoked'"
- }
- },
- {
- "constant": {
- "value": 99,
- "field": "activity_id",
- "predicate": "not (activity_id = *)"
- }
- },
- {
- "constant": {
- "value": "Other",
- "field": "activity_name",
- "predicate": "not (activity_name = *)"
- }
- },
- {
- "constant": {
- "value": 300499,
- "field": "type_uid",
- "predicate": "not (type_uid = *)"
- }
- },
- {
- "constant": {
- "value": "Entity Management: Other",
- "field": "type_name",
- "predicate": "not (type_name = *)"
- }
- },
- {
- "constant": {
- "value": 99,
- "field": "severity_id"
- }
- },
- {
- "rename": {
- "from": "unmapped.actor.node.email",
- "to": "actor.user.email_addr"
- }
- },
- {
- "rename": {
- "from": "unmapped.actor.name",
- "to": "actor.user.full_name"
- }
- },
- {
- "rename": {
- "from": "unmapped.actor.uuid",
- "to": "actor.user.uid"
- }
- },
- {
- "rename": {
- "from": "unmapped.actor.type",
- "to": "actor.user.type"
- }
- },
- {
- "copy": {
- "from": "actor.user.email_addr",
- "to": "actor.user.name"
- }
- },
- {
- "replace": {
- "field": "actor.user.name",
- "regexp": "(.*?)@(.*)",
- "replacement": "$1"
- }
- },
- {
- "copy": {
- "from": "actor.user.email_addr",
- "to": "actor.user.domain"
- }
- },
- {
- "replace": {
- "field": "actor.user.domain",
- "regexp": "(.*?)@(.*)",
- "replacement": "$2"
- }
- },
- {
- "rename": {
- "from": "unmapped.context.requestIpAddress",
- "to": "src_endpoint.ip"
- }
- },
- {
- "rename": {
- "from": "unmapped.context.requestIpAddress",
- "to": "src_endpoint.ip"
- }
- },
- {
- "rename": {
- "from": "unmapped.occurredAt",
- "to": "time"
- }
- },
- {
- "cast": {
- "field": "time",
- "type": "iso8601TimestampToEpochSec"
- }
- }
- ]
- }
- ]
- }
+{
+ "attributes": {
+ "dataSource.name": "Buildkite Audit",
+ "dataSource.vendor": "Buildkite",
+ "dataSource.category": "security",
+ "metadata.product.name": "Buildkite Audit",
+ "metadata.product.vendor_name": "Buildkite",
+ "metadata.version": "1.5.0"
+ },
+ "formats": [
+ {
+ "format": "$unmapped.{parse=gron}$",
+ "rewrites": [
+ {
+ "input": "unmapped.occurredAt",
+ "output": "timestamp",
+ "match": ".*",
+ "replace": "$0"
+ }
+ ]
+ }
+ ],
+ "mappings": {
+ "version": 1,
+ "mappings": [
+ {
+ "predicate": "true",
+ "transformations": [
+ {
+ "copy": {
+ "from": "unmapped.type",
+ "to": "event.action"
+ }
+ },
+ {
+ "constant": {
+ "value": 3004,
+ "field": "class_uid"
+ }
+ },
+ {
+ "constant": {
+ "value": 3,
+ "field": "category_uid"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management",
+ "field": "class_name"
+ }
+ },
+ {
+ "constant": {
+ "value": "Identity & Access Management",
+ "field": "category_name"
+ }
+ },
+ {
+ "constant": {
+ "value": 1,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains ('created','added')"
+ }
+ },
+ {
+ "constant": {
+ "value": "Create",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains ('created','added')"
+ }
+ },
+ {
+ "constant": {
+ "value": 300401,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains ('created','added')"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Create",
+ "field": "type_name",
+ "predicate": "unmapped.type contains ('created','added')"
+ }
+ },
+ {
+ "constant": {
+ "value": 2,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains 'read'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Read",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains 'read'"
+ }
+ },
+ {
+ "constant": {
+ "value": 300402,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains 'read'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Read",
+ "field": "type_name",
+ "predicate": "unmapped.type contains 'read'"
+ }
+ },
+ {
+ "constant": {
+ "value": 3,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains ('updated','changed')"
+ }
+ },
+ {
+ "constant": {
+ "value": "Update",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains ('updated','changed')"
+ }
+ },
+ {
+ "constant": {
+ "value": 300403,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains ('updated','changed')"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Update",
+ "field": "type_name",
+ "predicate": "unmapped.type contains ('updated','changed')"
+ }
+ },
+ {
+ "constant": {
+ "value": 4,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
+ }
+ },
+ {
+ "constant": {
+ "value": "Delete",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
+ }
+ },
+ {
+ "constant": {
+ "value": 300404,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Delete",
+ "field": "type_name",
+ "predicate": "unmapped.type contains ('deleted','destroyed','removed')"
+ }
+ },
+ {
+ "constant": {
+ "value": 8,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains 'enabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Enable",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains 'enabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": 300408,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains 'enabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Enable",
+ "field": "type_name",
+ "predicate": "unmapped.type contains 'enabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": 9,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains 'disabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Disable",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains 'disabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": 300409,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains 'disabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Disable",
+ "field": "type_name",
+ "predicate": "unmapped.type contains 'disabled'"
+ }
+ },
+ {
+ "constant": {
+ "value": 10,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains 'activated'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Activate",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains 'activated'"
+ }
+ },
+ {
+ "constant": {
+ "value": 300410,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains 'activated'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Activate",
+ "field": "type_name",
+ "predicate": "unmapped.type contains 'activated'"
+ }
+ },
+ {
+ "constant": {
+ "value": 12,
+ "field": "activity_id",
+ "predicate": "unmapped.type contains 'revoked'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Suspend",
+ "field": "activity_name",
+ "predicate": "unmapped.type contains 'revoked'"
+ }
+ },
+ {
+ "constant": {
+ "value": 300412,
+ "field": "type_uid",
+ "predicate": "unmapped.type contains 'revoked'"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Suspend",
+ "field": "type_name",
+ "predicate": "unmapped.type contains 'revoked'"
+ }
+ },
+ {
+ "constant": {
+ "value": 99,
+ "field": "activity_id",
+ "predicate": "not (activity_id = *)"
+ }
+ },
+ {
+ "constant": {
+ "value": "Other",
+ "field": "activity_name",
+ "predicate": "not (activity_name = *)"
+ }
+ },
+ {
+ "constant": {
+ "value": 300499,
+ "field": "type_uid",
+ "predicate": "not (type_uid = *)"
+ }
+ },
+ {
+ "constant": {
+ "value": "Entity Management: Other",
+ "field": "type_name",
+ "predicate": "not (type_name = *)"
+ }
+ },
+ {
+ "constant": {
+ "value": 99,
+ "field": "severity_id"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.actor.node.email",
+ "to": "actor.user.email_addr"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.actor.name",
+ "to": "actor.user.full_name"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.actor.uuid",
+ "to": "actor.user.uid"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.actor.type",
+ "to": "actor.user.type"
+ }
+ },
+ {
+ "copy": {
+ "from": "actor.user.email_addr",
+ "to": "actor.user.name"
+ }
+ },
+ {
+ "replace": {
+ "field": "actor.user.name",
+ "regexp": "(.*?)@(.*)",
+ "replacement": "$1"
+ }
+ },
+ {
+ "copy": {
+ "from": "actor.user.email_addr",
+ "to": "actor.user.domain"
+ }
+ },
+ {
+ "replace": {
+ "field": "actor.user.domain",
+ "regexp": "(.*?)@(.*)",
+ "replacement": "$2"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.context.requestIpAddress",
+ "to": "src_endpoint.ip"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.context.requestIpAddress",
+ "to": "src_endpoint.ip"
+ }
+ },
+ {
+ "rename": {
+ "from": "unmapped.occurredAt",
+ "to": "time"
+ }
+ },
+ {
+ "cast": {
+ "field": "time",
+ "type": "iso8601TimestampToEpochSec"
+ }
+ }
+ ]
+ }
+ ]
+ }
 }
\ No newline at end of file
diff --git a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/cloudflare_general_logs-latest/cloudflare.conf b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/cloudflare_general_logs-latest/cloudflare.conf
index 4c77d33..ed16cab 100644
--- a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/cloudflare_general_logs-latest/cloudflare.conf
+++ b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/cloudflare_general_logs-latest/cloudflare.conf
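Review bot: The `rename` of `unmapped.context.requestIpAddress` to `src_endpoint.ip` appears twice in a row near the end of the transformations list on the new side; the second entry is dead configuration, since the first rename has already moved the source field, and it should be dropped. The old and new sides of this hunk read identically, so this looks like a whitespace or line-ending rewrite rather than a content change, and the duplicate predates it. The actor mapping also reads the email from `unmapped.actor.node.email` while `unmapped.actor.name`, `unmapped.actor.uuid` and `unmapped.actor.type` are read without the `node` segment; that asymmetry is worth confirming against a sample Buildkite audit event, because a wrong path leaves `actor.user.email_addr` empty and with it the derived `actor.user.name` and `actor.user.domain`.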
@@ -1,1284 +1,1284 @@ -{ - "attributes": { - "dataSource.vendor": "Cloudflare", - "dataSource.category": "security", - "metadata.product.vendor_name": "Cloudflare", - "metadata.version": "1.5.0" - }, - "formats": [ - { - "format": "$unmapped.{parse=gron}$", - "rewrites": [ - { - "input": "unmapped.CreatedAt", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.Datetime", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.Timestamp", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.When", - "output": "timestamp", - "match": ".*", - "replace": "$0" - } - ] - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "aws contains 'access-requests'", - "transformations": [ - { - "constant": { - "value": "Access Requests", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Access Requests", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 3004, - "field": "class_uid", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": 3, - "field": "category_uid", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": "Entity Management", - "field": "class_name", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": "Identity & Access Management", - "field": "category_name", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": 6, - "field": "activity_id", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": "Enroll", - "field": "activity_name", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": 300406, - "field": "type_uid", - "predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": "Entity Management: Enroll", - "field": "type_name", - 
"predicate": "unmapped.Action = 'warpEnrollment'" - } - }, - { - "constant": { - "value": 3002, - "field": "class_uid" - } - }, - { - "constant": { - "value": 3, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Authentication", - "field": "class_name" - } - }, - { - "constant": { - "value": "Identity & Access Management", - "field": "category_name" - } - }, - { - "constant": { - "value": 1, - "field": "activity_id", - "predicate": "unmapped.Action = 'login'" - } - }, - { - "constant": { - "value": 2, - "field": "activity_id", - "predicate": "unmapped.Action = 'logout'" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id", - "predicate": "unmapped.Action = 'sso'" - } - }, - { - "constant": { - "value": "Logon", - "field": "activity_name", - "predicate": "unmapped.Action = 'login'" - } - }, - { - "constant": { - "value": "Logoff", - "field": "activity_name", - "predicate": "unmapped.Action = 'logout'" - } - }, - { - "copy": { - "from": "unmapped.Action", - "to": "activity_name", - "predicate": "unmapped.Action = 'sso'" - } - }, - { - "constant": { - "value": 300201, - "field": "type_uid", - "predicate": "unmapped.Action = 'login'" - } - }, - { - "constant": { - "value": 300202, - "field": "type_uid", - "predicate": "unmapped.Action = 'logout'" - } - }, - { - "constant": { - "value": 300299, - "field": "type_uid", - "predicate": "unmapped.Action = 'sso'" - } - }, - { - "constant": { - "value": "Authentication: Logon", - "field": "type_name", - "predicate": "unmapped.Action = 'login'" - } - }, - { - "constant": { - "value": "Authentication: Logoff", - "field": "type_name", - "predicate": "unmapped.Action = 'logout'" - } - }, - { - "constant": { - "value": "Authentication: Other", - "field": "type_name", - "predicate": "unmapped.Action = 'sso'" - } - }, - { - "constant": { - "value": 1, - "field": "status_id", - "predicate": "unmapped.Allowed = true" - } - }, - { - "constant": { - "value": 2, - "field": "status_id", - "predicate": 
"unmapped.Allowed = false" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.AppUUID", - "to": "actor.app_uid" - } - }, - { - "copy": { - "from": "unmapped.AppDomain", - "to": "actor.app_name" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "rename": { - "from": "unmapped.UserUID", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.IPAddress", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.CreatedAt", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - } - ] - }, - { - "predicate": "aws contains 'gateway-http'", - "transformations": [ - { - "constant": { - "value": "Gateway HTTP", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Gateway HTTP", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 4002, - "field": "class_uid" - } - }, - { - "constant": { - "value": 4, - "field": "category_uid" - } - }, - { - "constant": { - "value": "HTTP Activity", - "field": "class_name" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "category_name" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id" - } - }, - { - "copy": { - "from": "unmapped.Action", - "to": "activity_name" - } - }, - { - "constant": { - "value": 400299, - "field": "type_uid" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.HTTPHost", - "to": "http_request.url.hostname" - } - }, - { - "rename": { - "from": "unmapped.URL", - "to": "http_request.url.url_string" - } - }, - { - "rename": { - "from": "unmapped.HTTPMethod", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.HTTPVersion", - "to": "http_request.version" - } - }, - { - "rename": { - "from": "unmapped.HTTPStatusCode", - "to": "http_response.code" - } - }, - { - 
"rename": { - "from": "unmapped.SourceIP", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.SourcePort", - "to": "src_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.DeviceID", - "to": "src_endpoint.uid" - } - }, - { - "rename": { - "from": "unmapped.DeviceName", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.DestinationIP", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.DestinationPort", - "to": "dst_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.Datetime", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "constant": { - "value": "Host", - "field": "metadata.profiles[0]" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserID", - "to": "actor.user.uid" - } - } - ] - }, - { - "predicate": "aws contains 'gateway-network'", - "transformations": [ - { - "constant": { - "value": "Gateway Network", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Gateway Network", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 4001, - "field": "class_uid" - } - }, - { - "constant": { - "value": 4, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "class_name" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "category_name" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id" - } - }, - { - "copy": { - "from": 
"unmapped.Action", - "to": "activity_name" - } - }, - { - "constant": { - "value": 400199, - "field": "type_uid" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.SourceIP", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.SourcePort", - "to": "src_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.DeviceID", - "to": "src_endpoint.uid" - } - }, - { - "rename": { - "from": "unmapped.DeviceName", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.DestinationIP", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.DestinationPort", - "to": "dst_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.Datetime", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "constant": { - "value": "Host", - "field": "metadata.profiles[0]" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserID", - "to": "actor.user.uid" - } - } - ] - }, - { - "predicate": "aws contains 'device-posture'", - "transformations": [ - { - "constant": { - "value": "Device Posture", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Device Posture", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 5001, - "field": "class_uid" - } - }, - { - "constant": { - "value": 5, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Device Inventory Info", - "field": "class_name" - } - 
}, - { - "constant": { - "value": "Discovery", - "field": "category_name" - } - }, - { - "constant": { - "value": 2, - "field": "activity_id" - } - }, - { - "constant": { - "value": "Collect", - "field": "activity_name" - } - }, - { - "constant": { - "value": 500102, - "field": "type_uid" - } - }, - { - "constant": { - "value": "Device Inventory Info: Collect", - "field": "type_name" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.Timestamp", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.DeviceID", - "to": "device.uid" - } - }, - { - "rename": { - "from": "unmapped.DeviceName", - "to": "device.name" - } - }, - { - "rename": { - "from": "unmapped.DeviceManufacturer", - "to": "device.manufacturer" - } - }, - { - "rename": { - "from": "unmapped.DeviceModel", - "to": "device.model" - } - }, - { - "rename": { - "from": "unmapped.DeviceSerialNumber", - "to": "device.hw_info.serial_number" - } - }, - { - "rename": { - "from": "unmapped.DeviceType", - "to": "device.os.type" - } - }, - { - "rename": { - "from": "unmapped.OSVersion", - "to": "device.os.version" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "device.owner.email_addr" - } - }, - { - "copy": { - "from": "device.owner.email_addr", - "to": "device.owner.name" - } - }, - { - "replace": { - "field": "device.owner.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "device.owner.email_addr", - "to": "device.owner.domain" - } - }, - { - "replace": { - "field": "device.owner.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "replace": { - "field": "device.owner.name", - "regexp": "(.*?)@.*", - "replacement": "$1" - } - }, - { - "constant": { - "value": 100, - "field": "device.os.type_id", - "predicate": "device.os.type = 'windows'" - } - }, - { - "constant": { - "value": 300, - 
"field": "device.os.type_id", - "predicate": "device.os.type = 'mac'" - } - }, - { - "constant": { - "value": 301, - "field": "device.os.type_id", - "predicate": "device.os.type = 'ios'" - } - } - ] - }, - { - "predicate": "aws contains 'gateway-dns'", - "transformations": [ - { - "constant": { - "value": "Gateway DNS", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Gateway DNS", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 4003, - "field": "class_uid" - } - }, - { - "constant": { - "value": 4, - "field": "category_uid" - } - }, - { - "constant": { - "value": "DNS Activity", - "field": "class_name" - } - }, - { - "constant": { - "value": "Network Activity", - "field": "category_name" - } - }, - { - "constant": { - "value": 1, - "field": "activity_id" - } - }, - { - "constant": { - "value": "Query", - "field": "activity_name" - } - }, - { - "constant": { - "value": 400301, - "field": "type_uid" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.SrcIP", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.SrcPort", - "to": "src_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.DeviceID", - "to": "src_endpoint.uid" - } - }, - { - "rename": { - "from": "unmapped.DeviceName", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.DstIP", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.DstPort", - "to": "dst_endpoint.port" - } - }, - { - "rename": { - "from": "unmapped.Datetime", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.RCode", - "to": "rcode_id" - } - }, - { - "rename": { - "from": "unmapped.QueryName", - "to": "query.hostname" - } - }, - { - "rename": { - "from": "unmapped.QueryTypeName", - "to": "query.type" - } - }, - { - "rename_tree": { - "from": "unmapped.RData", - "to": 
"answers" - } - }, - { - "rename": { - "from": "answers[*].data", - "to": "answers[*].rdata" - } - }, - { - "constant": { - "value": "Host", - "field": "metadata.profiles[0]" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserID", - "to": "actor.user.uid" - } - } - ] - }, - { - "predicate": "aws contains 'audit-logs'", - "transformations": [ - { - "constant": { - "value": "Audit Logs", - "field": "dataSource.name" - } - }, - { - "constant": { - "value": "Audit Logs", - "field": "metadata.product.name" - } - }, - { - "constant": { - "value": 3004, - "field": "class_uid" - } - }, - { - "constant": { - "value": 3, - "field": "category_uid" - } - }, - { - "constant": { - "value": "Entity Management", - "field": "class_name" - } - }, - { - "constant": { - "value": "Identity & Access Management", - "field": "category_name" - } - }, - { - "constant": { - "value": 3, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": "Update", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": 300403, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": "Entity Management: Update", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'update'" - } - }, - { - "constant": { - "value": 1, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": 
"Create", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": 300401, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": "Entity Management: Create", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'create'" - } - }, - { - "constant": { - "value": 4, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": "Delete", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": 300404, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": "Entity Management: Delete", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'delete'" - } - }, - { - "constant": { - "value": 12, - "field": "activity_id", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": "Suspend", - "field": "activity_name", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": 300412, - "field": "type_uid", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": "Entity Management: Suspend", - "field": "type_name", - "predicate": "unmapped.ActionType contains 'revoke'" - } - }, - { - "constant": { - "value": 99, - "field": "activity_id", - "predicate": "not (activity_id = *)" - } - }, - { - "copy": { - "from": "unmapped.ActionType", - "to": "activity_name", - "predicate": "not (activity_name = *)" - } - }, - { - "constant": { - "value": 300499, - "field": "type_uid", - "predicate": "not (type_uid = *)" - } - }, - { - "constant": { - "value": "Entity Management: Other", - "field": "type_name", - "predicate": "not (type_name = *)" - } - }, - { - "constant": { - "value": 1, - "field": "status_id", - "predicate": 
"unmapped.Allowed = true" - } - }, - { - "constant": { - "value": 2, - "field": "status_id", - "predicate": "unmapped.Allowed = false" - } - }, - { - "constant": { - "value": 99, - "field": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.Email", - "to": "actor.user.email_addr" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.name" - } - }, - { - "replace": { - "field": "actor.user.name", - "regexp": "(.*?)@(.*)", - "replacement": "$1" - } - }, - { - "copy": { - "from": "actor.user.email_addr", - "to": "actor.user.domain" - } - }, - { - "replace": { - "field": "actor.user.domain", - "regexp": "(.*?)@(.*)", - "replacement": "$2" - } - }, - { - "rename": { - "from": "unmapped.UserUID", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.IPAddress", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.When", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.ActorEmail", - "to": "actor.user.email_addr" - } - }, - { - "rename": { - "from": "unmapped.ActorID", - "to": "actor.user.uid" - } - }, - { - "rename": { - "from": "unmapped.ActorType", - "to": "actor.user.type" - } - }, - { - "rename": { - "from": "unmapped.ActorIP", - "to": "src_endpoint.ip" - } - } - ] - } - ] - } +{ + "attributes": { + "dataSource.vendor": "Cloudflare", + "dataSource.category": "security", + "metadata.product.vendor_name": "Cloudflare", + "metadata.version": "1.5.0" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.CreatedAt", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.Datetime", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.Timestamp", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.When", + "output": "timestamp", + "match": ".*", + 
"replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "aws contains 'access-requests'", + "transformations": [ + { + "constant": { + "value": "Access Requests", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Access Requests", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 3004, + "field": "class_uid", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Entity Management", + "field": "class_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 6, + "field": "activity_id", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Enroll", + "field": "activity_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 300406, + "field": "type_uid", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": "Entity Management: Enroll", + "field": "type_name", + "predicate": "unmapped.Action = 'warpEnrollment'" + } + }, + { + "constant": { + "value": 3002, + "field": "class_uid" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Authentication", + "field": "class_name" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + 
"predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": "Logon", + "field": "activity_name", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": "Logoff", + "field": "activity_name", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "copy": { + "from": "unmapped.Action", + "to": "activity_name", + "predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": 300201, + "field": "type_uid", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": 300202, + "field": "type_uid", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "constant": { + "value": 300299, + "field": "type_uid", + "predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": "Authentication: Logon", + "field": "type_name", + "predicate": "unmapped.Action = 'login'" + } + }, + { + "constant": { + "value": "Authentication: Logoff", + "field": "type_name", + "predicate": "unmapped.Action = 'logout'" + } + }, + { + "constant": { + "value": "Authentication: Other", + "field": "type_name", + "predicate": "unmapped.Action = 'sso'" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.Allowed = true" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.Allowed = false" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.AppUUID", + "to": "actor.app_uid" + } + }, + { + "copy": { + "from": "unmapped.AppDomain", + "to": "actor.app_name" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.UserUID", + "to": "actor.user.uid" + } + }, + { + "rename": { + "from": "unmapped.IPAddress", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.CreatedAt", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + 
} + } + ] + }, + { + "predicate": "aws contains 'gateway-http'", + "transformations": [ + { + "constant": { + "value": "Gateway HTTP", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Gateway HTTP", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 4002, + "field": "class_uid" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "HTTP Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id" + } + }, + { + "copy": { + "from": "unmapped.Action", + "to": "activity_name" + } + }, + { + "constant": { + "value": 400299, + "field": "type_uid" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.HTTPHost", + "to": "http_request.url.hostname" + } + }, + { + "rename": { + "from": "unmapped.URL", + "to": "http_request.url.url_string" + } + }, + { + "rename": { + "from": "unmapped.HTTPMethod", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.HTTPVersion", + "to": "http_request.version" + } + }, + { + "rename": { + "from": "unmapped.HTTPStatusCode", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.SourceIP", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.SourcePort", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": "src_endpoint.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.DestinationIP", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.DestinationPort", + "to": "dst_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.Datetime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } 
+ }, + { + "constant": { + "value": "Host", + "field": "metadata.profiles[0]" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "rename": { + "from": "unmapped.UserID", + "to": "actor.user.uid" + } + } + ] + }, + { + "predicate": "aws contains 'gateway-network'", + "transformations": [ + { + "constant": { + "value": "Gateway Network", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Gateway Network", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 4001, + "field": "class_uid" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "class_name" + } + }, + { + "constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id" + } + }, + { + "copy": { + "from": "unmapped.Action", + "to": "activity_name" + } + }, + { + "constant": { + "value": 400199, + "field": "type_uid" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.SourceIP", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.SourcePort", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": "src_endpoint.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.DestinationIP", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.DestinationPort", + 
"to": "dst_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.Datetime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "constant": { + "value": "Host", + "field": "metadata.profiles[0]" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "rename": { + "from": "unmapped.UserID", + "to": "actor.user.uid" + } + } + ] + }, + { + "predicate": "aws contains 'device-posture'", + "transformations": [ + { + "constant": { + "value": "Device Posture", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Device Posture", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 5001, + "field": "class_uid" + } + }, + { + "constant": { + "value": 5, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Device Inventory Info", + "field": "class_name" + } + }, + { + "constant": { + "value": "Discovery", + "field": "category_name" + } + }, + { + "constant": { + "value": 2, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Collect", + "field": "activity_name" + } + }, + { + "constant": { + "value": 500102, + "field": "type_uid" + } + }, + { + "constant": { + "value": "Device Inventory Info: Collect", + "field": "type_name" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.Timestamp", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": 
"device.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "device.name" + } + }, + { + "rename": { + "from": "unmapped.DeviceManufacturer", + "to": "device.manufacturer" + } + }, + { + "rename": { + "from": "unmapped.DeviceModel", + "to": "device.model" + } + }, + { + "rename": { + "from": "unmapped.DeviceSerialNumber", + "to": "device.hw_info.serial_number" + } + }, + { + "rename": { + "from": "unmapped.DeviceType", + "to": "device.os.type" + } + }, + { + "rename": { + "from": "unmapped.OSVersion", + "to": "device.os.version" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "device.owner.email_addr" + } + }, + { + "copy": { + "from": "device.owner.email_addr", + "to": "device.owner.name" + } + }, + { + "replace": { + "field": "device.owner.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "device.owner.email_addr", + "to": "device.owner.domain" + } + }, + { + "replace": { + "field": "device.owner.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + "replace": { + "field": "device.owner.name", + "regexp": "(.*?)@.*", + "replacement": "$1" + } + }, + { + "constant": { + "value": 100, + "field": "device.os.type_id", + "predicate": "device.os.type = 'windows'" + } + }, + { + "constant": { + "value": 300, + "field": "device.os.type_id", + "predicate": "device.os.type = 'mac'" + } + }, + { + "constant": { + "value": 301, + "field": "device.os.type_id", + "predicate": "device.os.type = 'ios'" + } + } + ] + }, + { + "predicate": "aws contains 'gateway-dns'", + "transformations": [ + { + "constant": { + "value": "Gateway DNS", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Gateway DNS", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 4003, + "field": "class_uid" + } + }, + { + "constant": { + "value": 4, + "field": "category_uid" + } + }, + { + "constant": { + "value": "DNS Activity", + "field": "class_name" + } + }, + { + 
"constant": { + "value": "Network Activity", + "field": "category_name" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id" + } + }, + { + "constant": { + "value": "Query", + "field": "activity_name" + } + }, + { + "constant": { + "value": 400301, + "field": "type_uid" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.SrcIP", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.SrcPort", + "to": "src_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.DeviceID", + "to": "src_endpoint.uid" + } + }, + { + "rename": { + "from": "unmapped.DeviceName", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.DstIP", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.DstPort", + "to": "dst_endpoint.port" + } + }, + { + "rename": { + "from": "unmapped.Datetime", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.RCode", + "to": "rcode_id" + } + }, + { + "rename": { + "from": "unmapped.QueryName", + "to": "query.hostname" + } + }, + { + "rename": { + "from": "unmapped.QueryTypeName", + "to": "query.type" + } + }, + { + "rename_tree": { + "from": "unmapped.RData", + "to": "answers" + } + }, + { + "rename": { + "from": "answers[*].data", + "to": "answers[*].rdata" + } + }, + { + "constant": { + "value": "Host", + "field": "metadata.profiles[0]" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + } + }, + { + 
"rename": { + "from": "unmapped.UserID", + "to": "actor.user.uid" + } + } + ] + }, + { + "predicate": "aws contains 'audit-logs'", + "transformations": [ + { + "constant": { + "value": "Audit Logs", + "field": "dataSource.name" + } + }, + { + "constant": { + "value": "Audit Logs", + "field": "metadata.product.name" + } + }, + { + "constant": { + "value": 3004, + "field": "class_uid" + } + }, + { + "constant": { + "value": 3, + "field": "category_uid" + } + }, + { + "constant": { + "value": "Entity Management", + "field": "class_name" + } + }, + { + "constant": { + "value": "Identity & Access Management", + "field": "category_name" + } + }, + { + "constant": { + "value": 3, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": "Update", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": 300403, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": "Entity Management: Update", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'update'" + } + }, + { + "constant": { + "value": 1, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": "Create", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": 300401, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": "Entity Management: Create", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'create'" + } + }, + { + "constant": { + "value": 4, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": "Delete", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": 
300404, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": "Entity Management: Delete", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'delete'" + } + }, + { + "constant": { + "value": 12, + "field": "activity_id", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": "Suspend", + "field": "activity_name", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": 300412, + "field": "type_uid", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": "Entity Management: Suspend", + "field": "type_name", + "predicate": "unmapped.ActionType contains 'revoke'" + } + }, + { + "constant": { + "value": 99, + "field": "activity_id", + "predicate": "not (activity_id = *)" + } + }, + { + "copy": { + "from": "unmapped.ActionType", + "to": "activity_name", + "predicate": "not (activity_name = *)" + } + }, + { + "constant": { + "value": 300499, + "field": "type_uid", + "predicate": "not (type_uid = *)" + } + }, + { + "constant": { + "value": "Entity Management: Other", + "field": "type_name", + "predicate": "not (type_name = *)" + } + }, + { + "constant": { + "value": 1, + "field": "status_id", + "predicate": "unmapped.Allowed = true" + } + }, + { + "constant": { + "value": 2, + "field": "status_id", + "predicate": "unmapped.Allowed = false" + } + }, + { + "constant": { + "value": 99, + "field": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.Email", + "to": "actor.user.email_addr" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.name" + } + }, + { + "replace": { + "field": "actor.user.name", + "regexp": "(.*?)@(.*)", + "replacement": "$1" + } + }, + { + "copy": { + "from": "actor.user.email_addr", + "to": "actor.user.domain" + } + }, + { + "replace": { + "field": "actor.user.domain", + "regexp": "(.*?)@(.*)", + "replacement": "$2" + 
} + }, + { + "rename": { + "from": "unmapped.UserUID", + "to": "actor.user.uid" + } + }, + { + "rename": { + "from": "unmapped.IPAddress", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.When", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.ActorEmail", + "to": "actor.user.email_addr" + } + }, + { + "rename": { + "from": "unmapped.ActorID", + "to": "actor.user.uid" + } + }, + { + "rename": { + "from": "unmapped.ActorType", + "to": "actor.user.type" + } + }, + { + "rename": { + "from": "unmapped.ActorIP", + "to": "src_endpoint.ip" + } + } + ] + } + ] + } } \ No newline at end of file diff --git a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/google_cloud_dns_logs-latest/gcp_dns.conf b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/google_cloud_dns_logs-latest/gcp_dns.conf index 0306ff4..4bf4705 100644 --- a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/google_cloud_dns_logs-latest/gcp_dns.conf +++ b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/google_cloud_dns_logs-latest/gcp_dns.conf 
@@ -1,55 +1,55 @@
-{
- "attributes": {
- "dataSource.name": "GCP DNS",
- "dataSource.vendor": "GCP",
- "dataSource.category": "security",
- "metadata.product.name": "GCP DNS",
- "metadata.product.vendor_name": "GCP",
- "metadata.version": "1.5.0"
- },
- "formats": [
- {
- "format": "$unmapped.{parse=gron}$",
- "rewrites": [
- {
- "input": "unmapped.timestamp",
- "output": "timestamp",
- "match": ".*",
- "replace": "$0"
- }
- ]
- }
- ],
- "mappings": {
- "version": 1,
- "mappings": [
- {
- "predicate": "true",
- "transformations": [
- { "constant": { "value": 4, "field": "category_uid" }},
- { "constant": { "value": "Network Activity", "field": "category_name" }},
- { "constant": { "value": 4003, "field": "class_uid" }},
- { "constant": { "value": "DNS Activity", "field": "class_name" }},
- { "constant": { "value": 1, "field": "activity_id" }},
- { "constant": { "value": "Query", "field": "activity_name" }},
- { "constant": { "value": 400301, "field": "type_uid" }},
- { "constant": { "value": "DNS Activity: Query", "field": "type_name" }},
-
- { "rename": { "from": "unmapped.jsonPayload.queryName", "to": "query.hostname" }},
- { "rename": { "from": "unmapped.jsonPayload.queryType", "to": "query.type" }},
- { "rename": { "from": "unmapped.jsonPayload.rdata", "to": "answers.rdata" }},
- { "rename": { "from": "unmapped.type", "to": "answers.rdata" }},
-
- { "rename": { "from": "unmapped.severity", "to": "severity_id" }},
- //mappings may be adjusted
- { "cast": { "type": "enum", "field": "severity_id", "enum": {"DEFAULT":0,"DEBUG":99,"INFO":1,"NOTICE":2,"WARNING":3,"ERROR":4,"CRITICAL":5,"ALERT":5,"EMERGENCY":6}}}
-
- { "rename": { "from": "unmapped.receiveTimestamp", "to": "query_time" }},
- { "cast": { "field": "query_time", "type": "iso8601TimestampToEpochSec" }}
- { "rename": { "from": "unmapped.timestamp", "to": "time" }},
- { "cast": { "field": "time", "type": "iso8601TimestampToEpochSec" }}
- ]
- }
- ]
- }
-}
+{
+ "attributes": {
+ "dataSource.name": "GCP DNS",
+ "dataSource.vendor": "GCP",
+ "dataSource.category": "security",
+ "metadata.product.name": "GCP DNS",
+ "metadata.product.vendor_name": "GCP",
+ "metadata.version": "1.5.0"
+ },
+ "formats": [
+ {
+ "format": "$unmapped.{parse=gron}$",
+ "rewrites": [
+ {
+ "input": "unmapped.timestamp",
+ "output": "timestamp",
+ "match": ".*",
+ "replace": "$0"
+ }
+ ]
+ }
+ ],
+ "mappings": {
+ "version": 1,
+ "mappings": [
+ {
+ "predicate": "true",
+ "transformations": [
+ { "constant": { "value": 4, "field": "category_uid" }},
+ { "constant": { "value": "Network Activity", "field": "category_name" }},
+ { "constant": { "value": 4003, "field": "class_uid" }},
+ { "constant": { "value": "DNS Activity", "field": "class_name" }},
+ { "constant": { "value": 1, "field": "activity_id" }},
+ { "constant": { "value": "Query", "field": "activity_name" }},
+ { "constant": { "value": 400301, "field": "type_uid" }},
+ { "constant": { "value": "DNS Activity: Query", "field": "type_name" }},
+
+ { "rename": { "from": "unmapped.jsonPayload.queryName", "to": "query.hostname" }},
+ { "rename": { "from": "unmapped.jsonPayload.queryType", "to": "query.type" }},
+ { "rename": { "from": "unmapped.jsonPayload.rdata", "to": "answers.rdata" }},
+ { "rename": { "from": "unmapped.type", "to": "answers.rdata" }},
+
+ { "rename": { "from": "unmapped.severity", "to": "severity_id" }},
+ //mappings may be adjusted
+ { "cast": { "type": "enum", "field": "severity_id", "enum": {"DEFAULT":0,"DEBUG":99,"INFO":1,"NOTICE":2,"WARNING":3,"ERROR":4,"CRITICAL":5,"ALERT":5,"EMERGENCY":6}}}
+
+ { "rename": { "from": "unmapped.receiveTimestamp", "to": "query_time" }},
+ { "cast": { "field": "query_time", "type": "iso8601TimestampToEpochSec" }}
+ { "rename": { "from": "unmapped.timestamp", "to": "time" }},
+ { "cast": { "field": "time", "type": "iso8601TimestampToEpochSec" }}
+ ]
+ }
+ ]
+ }
+}
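Review bot: Two entries in the new `transformations` array are missing their trailing comma — the `severity_id` enum cast (the line ending `}}}`) and the `query_time` cast (`{ "cast": { "field": "query_time", "type": "iso8601TimestampToEpochSec" }}`), each directly followed by another `{ "rename": ... }` — so the file is not valid JSON unless the comment-tolerant reader used here also accepts missing separators; append `,` to both lines. Separately, both `unmapped.jsonPayload.rdata` and `unmapped.type` are renamed to `answers.rdata`, so whichever rename runs second presumably overwrites the first — confirm which source field is intended, and note that the sibling Cloudflare parser in this same commit writes `answers[*].rdata`. The old and new sides of this hunk are textually identical, so this looks like a whitespace or line-ending rewrite that carries the existing defects forward rather than introducing them.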
diff --git a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/imperva_waf_logs-latest/Imperva_waf.conf b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/imperva_waf_logs-latest/Imperva_waf.conf
index a9a0e48..e598b35 100644
--- a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/imperva_waf_logs-latest/Imperva_waf.conf
+++ b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/imperva_waf_logs-latest/Imperva_waf.conf
@@ -1,84 +1,84 @@
-{
- // specify a time zone if the timestamps in your log are not in GMT
- // timezone: "GMT-0800"
- attributes: {
- "dataSource.name": "Imperva WAF",
- "dataSource.vendor": "Imperva",
- "dataSource.category": "security"
- "metadata.product.name": "Imperva WAF",
- "metadata.product.vendor_name": "Imperva"
- },
-
- patterns: {
- tsPattern: "\\d+",
- value: "[^\\s]+",
- toDrop: "^(?!CEF).*$"
- },
-
- formats: [
- //drop logs
- {
- id: "drop",
- format: "$unwanted=toDrop$",
- discard: true
- },
-
- {
- format: "$unmapped.cef.version$\\|$metadata.vendor_name$\\|$metadata.product$\\|$metadata.product.version$\\|$unmapped.signature$\\|$event.type$\\|$severity$\\|",
- },
- {
- format: ".*\\sstart=$timestamp=tsPattern$",
- },
- {
- format: ".*requestClientApplication=$unmapped.requestClientApplication$\\sdeviceFacility",
- },
- {
- format: ".*\\scs2=$unmapped.cs2$\\scs2Label=$unmapped.cs2Label$\\scs3=$unmapped.cs3$\\scs3Label=$unmapped.cs3Label$\\scs1=$unmapped.cs1$\\scs1Label=$unmapped.cs1Label$\\scs4=$unmapped.cs4$\\scs4Label=$unmapped.cs4Label$\\scs5=$unmapped.cs5$\\scs5Label=$unmapped.cs5Label$\\scs6=$unmapped.cs6$\\scs6Label=$unmapped.cs6Label$\\scs7=$unmapped.cs7$\\scs7Label=$unmapped.cs7Label$\\scs8=$unmapped.cs8$\\scs8Label=$unmapped.cs8Label$\\sCustomer",
- },
- {
- format: ".*\\scs10=$unmapped.cs10$\\scs10Label=$unmapped.cs10Label$\\scpt",
- },
- {
- format: ".*\\sver=$unmapped.ver$\\s$unmapped.cipher$\\s",
- },
- {
- format: ".*$_=identifier$=$unmapped._=value$",
- repeat: true
- }
- ],
- mappings: {
- version: 0,
- mappings: [
- {
- predicate: "",
- renames: [
- {
- inputs : ["unmapped.dst"],
- output : "dst_endpoint.ip",
- type: "string"
- },
- {
- inputs: ["unmapped.dpt"],
- output: "dst_endpoint.port",
- type: "string"
- },
- {
- inputs: ["unmapped.src"],
- output: "src_endpoint.ip",
- type: "string"
- },
- {
- inputs: ["unmapped.spt"],
- output: "src_endpoint.port",
- type: "string"
- },
- {
- inputs: ["unmapped.Customer"],
- output: "Account Name",
- type: "string"
- }
- ]
- }
- ]
- }
+{
+ // specify a time zone if the timestamps in your log are not in GMT
+ // timezone: "GMT-0800"
+ attributes: {
+ "dataSource.name": "Imperva WAF",
+ "dataSource.vendor": "Imperva",
+ "dataSource.category": "security"
+ "metadata.product.name": "Imperva WAF",
+ "metadata.product.vendor_name": "Imperva"
+ },
+
+ patterns: {
+ tsPattern: "\\d+",
+ value: "[^\\s]+",
+ toDrop: "^(?!CEF).*$"
+ },
+
+ formats: [
+ //drop logs
+ {
+ id: "drop",
+ format: "$unwanted=toDrop$",
+ discard: true
+ },
+
+ {
+ format: "$unmapped.cef.version$\\|$metadata.vendor_name$\\|$metadata.product$\\|$metadata.product.version$\\|$unmapped.signature$\\|$event.type$\\|$severity$\\|",
+ },
+ {
+ format: ".*\\sstart=$timestamp=tsPattern$",
+ },
+ {
+ format: ".*requestClientApplication=$unmapped.requestClientApplication$\\sdeviceFacility",
+ },
+ {
+ format: ".*\\scs2=$unmapped.cs2$\\scs2Label=$unmapped.cs2Label$\\scs3=$unmapped.cs3$\\scs3Label=$unmapped.cs3Label$\\scs1=$unmapped.cs1$\\scs1Label=$unmapped.cs1Label$\\scs4=$unmapped.cs4$\\scs4Label=$unmapped.cs4Label$\\scs5=$unmapped.cs5$\\scs5Label=$unmapped.cs5Label$\\scs6=$unmapped.cs6$\\scs6Label=$unmapped.cs6Label$\\scs7=$unmapped.cs7$\\scs7Label=$unmapped.cs7Label$\\scs8=$unmapped.cs8$\\scs8Label=$unmapped.cs8Label$\\sCustomer",
+ },
+ {
+ format: ".*\\scs10=$unmapped.cs10$\\scs10Label=$unmapped.cs10Label$\\scpt",
+ },
+ {
+ format: ".*\\sver=$unmapped.ver$\\s$unmapped.cipher$\\s",
+ },
+ {
+ format: ".*$_=identifier$=$unmapped._=value$",
+ repeat: true
+ }
+ ],
+ mappings: {
+ version: 0,
+ mappings: [
+ {
+ predicate: "",
+ renames: [
+ {
+ inputs : ["unmapped.dst"],
+ output : "dst_endpoint.ip",
+ type: "string"
+ },
+ {
+ inputs: ["unmapped.dpt"],
+ output: "dst_endpoint.port",
+ type: "string"
+ },
+ {
+ inputs: ["unmapped.src"],
+ output: "src_endpoint.ip",
+ type: "string"
+ },
+ {
+ inputs: ["unmapped.spt"],
+ output: "src_endpoint.port",
+ type: "string"
+ },
+ {
+ inputs: ["unmapped.Customer"],
+ output: "Account Name",
+ type: "string"
+ }
+ ]
+ }
+ ]
+ }
 }
\ No newline at end of file
diff --git a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/teleport_logs-latest/teleport.conf b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/teleport_logs-latest/teleport.conf
index 4b28d9c..bbc42a4 100644
--- a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/teleport_logs-latest/teleport.conf
+++ b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/teleport_logs-latest/teleport.conf
@@ -1,4175 +1,4175 @@ -{ - "attributes": { - "dataSource.name": "Teleport Audit", - "dataSource.vendor": "Teleport", - "dataSource.category": "security", - "metadata.product.name": "Teleport Audit", - "metadata.product.vendor_name": "Teleport", - "metadata.version": "1.5.0", - "cloud.provider": "AWS" - }, - "formats": [ - { - "format": "$unmapped.{parse=gron}$", - "rewrites": [ - { - "input": "unmapped.time", - "output": "timestamp", - "match": ".*", - "replace": "$0" - }, - { - "input": "unmapped.ts", - "output": "timestamp", - "match": ".*", - "replace": "$0" - } - ] - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "unmapped.event in ('user.update','billing.plan.update')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 99 - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Account Change" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300199 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3001 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } 
- }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('user.create','saml.created')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - 
"constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Account Change" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300101 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3001 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - 
}, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'user.delete'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 6 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Delete" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Account Change" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300106 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3001 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - 
{ - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - 
"from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'db.update'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 2 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Update" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600502 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": 
"http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'db.create'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 6 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Create" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 
600506 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": 
"unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'db.delete'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 7 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Delete" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600507 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": 
"unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 
'db.session.query'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 4 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Query" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600504 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": 
"auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('db.session.postgres.statements.execute','db.session.postgres.statements.parse','db.session.postgres.statements.bind')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 99 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Other" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Datastore Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600599 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6005 - } - }, - { - 
"rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": 
"unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('cert.create','join_token.create','role.created','lock.created')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Create" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Entity Management" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300401 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3004 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", 
- "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('role.delete','lock.delete')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": 
"event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 4 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Delete" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Entity Management" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300404 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3004 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": 
"src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'role.update'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 3 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Delete" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Entity Management" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300403 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3004 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - 
"from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - 
"to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('app.session.end','db.session.end','session.end','session.leave','desktop.session.end','mfa.auth.success')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 2 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Logoff" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Authentication" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300202 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3002 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - 
"from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('instance.join','session.start','session.join','user.login','bot.join','db.session.start','desktop.session.start','mfa.auth.success','port','db.session.mysql.init_db')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } 
- }, - { - "constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Logon" - } - }, - { - "constant": { - "field": "category_name", - "value": "Identity & Access Management" - } - }, - { - "constant": { - "field": "class_name", - "value": "Authentication" - } - }, - { - "constant": { - "field": "type_uid", - "value": 300201 - } - }, - { - "constant": { - "field": "category_uid", - "value": 3 - } - }, - { - "constant": { - "field": "class_uid", - "value": 3002 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - 
"rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event in ('kube.request','app.session.chunk','exec','scp','sftp','app.session.start','session.upload','session.data')", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 99 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Other" - } - }, - { - "constant": { - "field": "category_name", - "value": "Application Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "API Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 600399 - } - }, - { - "constant": { - "field": "category_uid", - "value": 6 - } - }, - { - "constant": { - "field": "class_uid", - "value": 6003 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": 
"dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - 
"rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'config.changed'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 99 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Other" - } - }, - { - "constant": { - "field": "category_name", - "value": "Discovery" - } - }, - { - "constant": { - "field": "class_name", - "value": "Device Config State Change" - } - }, - { - "constant": { - "field": "type_uid", - "value": 501999 - } - }, - { - "constant": { - "field": "category_uid", - "value": 5 - } - }, - { - "constant": { - "field": "class_uid", - "value": 5019 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": 
"src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'dns.query'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Query" - } - }, - { - "constant": { - "field": "category_name", - 
"value": "Network Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "DNS Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 400301 - } - }, - { - "constant": { - "field": "category_uid", - "value": 4 - } - }, - { - "constant": { - "field": "class_uid", - "value": 4003 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": 
"iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "unmapped.event == 'net.connection'", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "constant": { - "field": "activity_id", - "value": 1 - } - }, - { - "constant": { - "field": "activity_name", - "value": "Open" - } - }, - { - "constant": { - "field": "category_name", - "value": "Network Activity" - } - }, - { - "constant": { - "field": "class_name", - "value": "Network Activity" - } - }, - { - "constant": { - "field": "type_uid", - "value": 400101 - } - }, - { - "constant": { - "field": "category_uid", - "value": 4 - } - }, - { - "constant": { - "field": "class_uid", - "value": 4001 - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", 
- "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - "to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": 
"query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - }, - { - "predicate": "true", - "transformations": [ - { - "copy": { - "from": "unmapped.event", - "to": "event.action" - } - }, - { - "rename": { - "from": "unmapped.severity", - "to": "severity_id" - } - }, - { - "rename": { - "from": "unmapped.target", - "to": "dns_query.name" - } - }, - { - "rename": { - "from": "unmapped.ts", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.event", - "to": "event.type" - } - }, - { - "rename": { - "from": "unmapped.addr.remote", - "to": "dst_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.user_name", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.cert_type", - "to": "managed_entity.type" - } - }, - { - "rename": { - "from": "unmapped.identity.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_agent", - "to": "http_request.user_agent" - } - }, - { - "rename": { - "from": "unmapped.identity.client_ip", - "to": "src_endpoint.ip" - } - }, - { - "rename": { - "from": "unmapped.server_hostname", - "to": "dst_endpoint.hostname" - } - }, - { - "rename": { - "from": "unmapped.verb", - "to": "http_request.http_method" - } - }, - { - "rename": { - "from": "unmapped.response_code", - "to": "http_response.code" - } - }, - { - "rename": { - "from": "unmapped.db_aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.method", - "to": "auth_protocol" - } - }, - { - "rename": { - "from": "unmapped.addr", - "to": "src_endpoint.name" - } - }, - { - "rename": { - "from": "unmapped.db_labels.account-id", - "to": "actor.user.account" - } - }, - { - "rename": { - "from": "unmapped.time", - "to": "time" - } - }, - { - "cast": { - "field": "time", - "type": "iso8601TimestampToEpochSec" - } - }, - { - "rename": { - "from": "unmapped.request_path", - 
"to": "http_request.url" - } - }, - { - "rename": { - "from": "unmapped.resource_api_group", - "to": "api.group.name" - } - }, - { - "rename": { - "from": "unmapped.user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.user_kind", - "to": "actor.user.type_id" - } - }, - { - "rename": { - "from": "unmapped.level", - "to": "severity" - } - }, - { - "rename": { - "from": "unmapped.aws_region", - "to": "cloud.region" - } - }, - { - "rename": { - "from": "unmapped.db_name", - "to": "database.name" - } - }, - { - "rename": { - "from": "unmapped.db_user", - "to": "actor.user.name" - } - }, - { - "rename": { - "from": "unmapped.db_query", - "to": "query_info.query_string" - } - }, - { - "rename": { - "from": "unmapped.name", - "to": "user.name" - } - } - ] - } - ] - } +{ + "attributes": { + "dataSource.name": "Teleport Audit", + "dataSource.vendor": "Teleport", + "dataSource.category": "security", + "metadata.product.name": "Teleport Audit", + "metadata.product.vendor_name": "Teleport", + "metadata.version": "1.5.0", + "cloud.provider": "AWS" + }, + "formats": [ + { + "format": "$unmapped.{parse=gron}$", + "rewrites": [ + { + "input": "unmapped.time", + "output": "timestamp", + "match": ".*", + "replace": "$0" + }, + { + "input": "unmapped.ts", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "unmapped.event in ('user.update','billing.plan.update')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 99 + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Account Change" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300199 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + 
"field": "class_uid", + "value": 3001 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": 
"actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('user.create','saml.created')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Account Change" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300101 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3001 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + 
"from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'user.delete'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 
6 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Delete" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Account Change" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300106 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3001 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": 
"actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'db.update'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 2 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Update" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600502 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": 
"iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": 
"database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'db.create'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 6 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Create" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600506 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + 
"rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'db.delete'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 7 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Delete" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + 
"constant": { + "field": "type_uid", + "value": 600507 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + 
"rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'db.session.query'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 4 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Query" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600504 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { 
+ "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + 
"predicate": "unmapped.event in ('db.session.postgres.statements.execute','db.session.postgres.statements.parse','db.session.postgres.statements.bind')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 99 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Other" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Datastore Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600599 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6005 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + 
"rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('cert.create','join_token.create','role.created','lock.created')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Create" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Entity Management" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300401 + } + }, + { + "constant": { + "field": "category_uid", + "value": 
3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3004 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": 
"unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('role.delete','lock.delete')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 4 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Delete" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Entity Management" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300404 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3004 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + 
"rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'role.update'", + "transformations": [ + { + "copy": { + "from": 
"unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 3 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Delete" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Entity Management" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300403 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3004 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": 
"unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('app.session.end','db.session.end','session.end','session.leave','desktop.session.end','mfa.auth.success')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 2 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Logoff" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Authentication" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300202 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3002 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": 
"severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { 
+ "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in ('instance.join','session.start','session.join','user.login','bot.join','db.session.start','desktop.session.start','mfa.auth.success','port','db.session.mysql.init_db')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Logon" + } + }, + { + "constant": { + "field": "category_name", + "value": "Identity & Access Management" + } + }, + { + "constant": { + "field": "class_name", + "value": "Authentication" + } + }, + { + "constant": { + "field": "type_uid", + "value": 300201 + } + }, + { + "constant": { + "field": "category_uid", + "value": 3 + } + }, + { + "constant": { + "field": "class_uid", + "value": 3002 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + 
"from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event in 
('kube.request','app.session.chunk','exec','scp','sftp','app.session.start','session.upload','session.data')", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 99 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Other" + } + }, + { + "constant": { + "field": "category_name", + "value": "Application Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "API Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 600399 + } + }, + { + "constant": { + "field": "category_uid", + "value": 6 + } + }, + { + "constant": { + "field": "class_uid", + "value": 6003 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": 
"cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'config.changed'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 99 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Other" + } + }, + { + "constant": { + "field": "category_name", + "value": "Discovery" + } + }, + { + "constant": { + "field": "class_name", + "value": "Device Config State Change" + } + }, + { + "constant": { + "field": "type_uid", + "value": 501999 + } + }, + { + "constant": { + "field": "category_uid", + "value": 5 + } + }, + { + "constant": { + "field": "class_uid", + "value": 5019 + } + }, + { + "rename": { + "from": 
"unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": 
"actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'dns.query'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + "field": "activity_name", + "value": "Query" + } + }, + { + "constant": { + "field": "category_name", + "value": "Network Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "DNS Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 400301 + } + }, + { + "constant": { + "field": "category_uid", + "value": 4 + } + }, + { + "constant": { + "field": "class_uid", + "value": 4003 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": 
"http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "unmapped.event == 'net.connection'", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "constant": { + "field": "activity_id", + "value": 1 + } + }, + { + "constant": { + 
"field": "activity_name", + "value": "Open" + } + }, + { + "constant": { + "field": "category_name", + "value": "Network Activity" + } + }, + { + "constant": { + "field": "class_name", + "value": "Network Activity" + } + }, + { + "constant": { + "field": "type_uid", + "value": 400101 + } + }, + { + "constant": { + "field": "category_uid", + "value": 4 + } + }, + { + "constant": { + "field": "class_uid", + "value": 4001 + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + "to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { 
+ "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + }, + { + "predicate": "true", + "transformations": [ + { + "copy": { + "from": "unmapped.event", + "to": "event.action" + } + }, + { + "rename": { + "from": "unmapped.severity", + "to": "severity_id" + } + }, + { + "rename": { + "from": "unmapped.target", + "to": "dns_query.name" + } + }, + { + "rename": { + "from": "unmapped.ts", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.event", + "to": "event.type" + } + }, + { + "rename": { + "from": "unmapped.addr.remote", + "to": "dst_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.user_name", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.cert_type", + "to": "managed_entity.type" + } + }, + { + "rename": { + "from": "unmapped.identity.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_agent", + "to": "http_request.user_agent" + } + }, + { + "rename": { + "from": "unmapped.identity.client_ip", + 
"to": "src_endpoint.ip" + } + }, + { + "rename": { + "from": "unmapped.server_hostname", + "to": "dst_endpoint.hostname" + } + }, + { + "rename": { + "from": "unmapped.verb", + "to": "http_request.http_method" + } + }, + { + "rename": { + "from": "unmapped.response_code", + "to": "http_response.code" + } + }, + { + "rename": { + "from": "unmapped.db_aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.method", + "to": "auth_protocol" + } + }, + { + "rename": { + "from": "unmapped.addr", + "to": "src_endpoint.name" + } + }, + { + "rename": { + "from": "unmapped.db_labels.account-id", + "to": "actor.user.account" + } + }, + { + "rename": { + "from": "unmapped.time", + "to": "time" + } + }, + { + "cast": { + "field": "time", + "type": "iso8601TimestampToEpochSec" + } + }, + { + "rename": { + "from": "unmapped.request_path", + "to": "http_request.url" + } + }, + { + "rename": { + "from": "unmapped.resource_api_group", + "to": "api.group.name" + } + }, + { + "rename": { + "from": "unmapped.user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.user_kind", + "to": "actor.user.type_id" + } + }, + { + "rename": { + "from": "unmapped.level", + "to": "severity" + } + }, + { + "rename": { + "from": "unmapped.aws_region", + "to": "cloud.region" + } + }, + { + "rename": { + "from": "unmapped.db_name", + "to": "database.name" + } + }, + { + "rename": { + "from": "unmapped.db_user", + "to": "actor.user.name" + } + }, + { + "rename": { + "from": "unmapped.db_query", + "to": "query_info.query_string" + } + }, + { + "rename": { + "from": "unmapped.name", + "to": "user.name" + } + } + ] + } + ] + } } \ No newline at end of file diff --git a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/README.txt b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/README.txt index e0cd0ae..a3dfcc9 100644 
--- a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/README.txt +++ b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/README.txt @@ -1,2 +1,2 @@ -This parser was created for customer Coats. +This parser was created for customer Coats. Log Ingested via HEC and structured /event endpoint \ No newline at end of file diff --git a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/zscaler_firewall.conf b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/zscaler_firewall.conf index 523ad07..b80f819 100644 --- a/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/zscaler_firewall.conf +++ b/Backend/utilities/parsers/sentinelone_new/ai-siem-main/parsers/community/zscaler_firewall_logs-latest/zscaler_firewall.conf 
@@ -1,61 +1,61 @@ -{ - - "attributes": { - "category_uid": "4", - "category_name": "Network Activity" - "metadata.product.name": "ZScaler Firewall", - "metadata.product.vendor_name": "ZScaler", - "metadata.version": "1.5.0", - "dataSource.category": "security", - "dataSource.name": "Zscaler Firewall", - "dataSource.vendor": "ZScaler" - }, - "formats": [ - { - "format": "$unmapped.{parse=json}$", - "rewrites": [ - { - "input": "unmapped.datetime", - "output": "timestamp", - "match": ".*", - "replace": "$0" - } - ] - - } - ], - "mappings": { - "version": 1, - "mappings": [ - { - "predicate": "true", - "transformations": [ - {"constant": { "value": 4, "field": "category_uid"}} - {"constant": { "value": "Network Activity", "field": "category_name"}} - {"constant": { "value": 4001, "field": "class_uid"}} - {"constant": { "value": "Network Activity", "field": "class_name"}} - {"constant": { "value": 6, "field": "activity_id"}} - {"constant": { "value": "Traffic", "field": "activity_name"}} - - {"constant": { "value": 0, "field": "severity_id"}} - {"constant": { "value": 400106, "field": "type_uid"}} - {"constant": { "value": "Network Activity: Traffic", "field": "type_name"}} - - {"rename": {"from": "unmapped.csip","to": "src_endpoint.ip"}}, - {"rename": {"from": "unmapped.csport","to": "src_endpoint.port"}}, - {"rename": {"from": "unmapped.cdip","to": "dst_endpoint.ip"}}, - {"rename": {"from": "unmapped.cdport","to": "dst_endpoint.port"}}, - - {"rename": {"from": "unmapped.user","to": "actor.user.email_addr"}}, - {"rename": {"from": "unmapped.devicehostname","to": "device.hostname"}}, - {"rename": {"from": "unmapped.deviceowner","to": "device.owner.name"}}, - - {"rename": {"from": "unmapped.datetime","to": "time"}}, - {"replace": {"field": "time", "regexp": "^[A-Za-z]{3}\\s(.*)", "replacement": "$1"}} - {"cast": {"type": "datetime", "field": "time", "format": "MMM dd HH:mm:ss yyyy"}} - - ] - } - ] - } +{ + + "attributes": { + "category_uid": "4", + "category_name": 
"Network Activity" + "metadata.product.name": "ZScaler Firewall", + "metadata.product.vendor_name": "ZScaler", + "metadata.version": "1.5.0", + "dataSource.category": "security", + "dataSource.name": "Zscaler Firewall", + "dataSource.vendor": "ZScaler" + }, + "formats": [ + { + "format": "$unmapped.{parse=json}$", + "rewrites": [ + { + "input": "unmapped.datetime", + "output": "timestamp", + "match": ".*", + "replace": "$0" + } + ] + + } + ], + "mappings": { + "version": 1, + "mappings": [ + { + "predicate": "true", + "transformations": [ + {"constant": { "value": 4, "field": "category_uid"}} + {"constant": { "value": "Network Activity", "field": "category_name"}} + {"constant": { "value": 4001, "field": "class_uid"}} + {"constant": { "value": "Network Activity", "field": "class_name"}} + {"constant": { "value": 6, "field": "activity_id"}} + {"constant": { "value": "Traffic", "field": "activity_name"}} + + {"constant": { "value": 0, "field": "severity_id"}} + {"constant": { "value": 400106, "field": "type_uid"}} + {"constant": { "value": "Network Activity: Traffic", "field": "type_name"}} + + {"rename": {"from": "unmapped.csip","to": "src_endpoint.ip"}}, + {"rename": {"from": "unmapped.csport","to": "src_endpoint.port"}}, + {"rename": {"from": "unmapped.cdip","to": "dst_endpoint.ip"}}, + {"rename": {"from": "unmapped.cdport","to": "dst_endpoint.port"}}, + + {"rename": {"from": "unmapped.user","to": "actor.user.email_addr"}}, + {"rename": {"from": "unmapped.devicehostname","to": "device.hostname"}}, + {"rename": {"from": "unmapped.deviceowner","to": "device.owner.name"}}, + + {"rename": {"from": "unmapped.datetime","to": "time"}}, + {"replace": {"field": "time", "regexp": "^[A-Za-z]{3}\\s(.*)", "replacement": "$1"}} + {"cast": {"type": "datetime", "field": "time", "format": "MMM dd HH:mm:ss yyyy"}} + + ] + } + ] + } } \ No newline at end of file diff --git a/Frontend/templates/log_generator.html b/Frontend/templates/log_generator.html index 5406a31..2d29338 100644 
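Review bot: The re-added file is not valid JSON on the new side: a comma is missing after `"category_name": "Network Activity"` in `attributes`, none of the nine `{"constant": …}` transformation objects are separated by commas, there is no comma between the `type_name` constant and the first `{"rename": …}`, and the `{"replace": …}` object runs straight into `{"cast": …}`. The old side shows the same defects, so this hunk appears to be a line-ending or whitespace rewrite rather than the cause, but since every line of the file is re-added here it is the natural place to add the missing `,` separators; a strict loader would reject the parser outright, leaving these Zscaler firewall events unparsed and therefore invisible to detections. If the SentinelOne parser loader is known to tolerate this, a short note in the adjacent README.txt saying so would save the next reader the same check.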
--- a/Frontend/templates/log_generator.html
+++ b/Frontend/templates/log_generator.html
@@ -861,10 +861,16 @@

Local Token Storage

 if (response.ok) {
 alert('✓ Token stored in database');
 } else {
-throw new Error(`Server returned ${response.status}`);
+let errorMessage = `Server returned ${response.status}`;
+try {
+const errorData = await response.json();
+if (errorData.detail) errorMessage = errorData.detail;
+else if (errorData.error) errorMessage = errorData.error;
+} catch {}
+throw new Error(errorMessage);
 }
 } catch (err) {
-alert('✗ Failed to store token in database. See console.');
+alert(`✗ Failed to store token in database: ${err.message}`);
 console.error(err);
 return;
 }
@@ -881,8 +887,16 @@
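Review bot: The new `if (errorData.detail) errorMessage = errorData.detail;` assumes `detail` is a string, but a JSON error body may carry an object or an array (a validation-error payload typically does), in which case the alert on the next hunk line prints `[object Object]` and the real reason is lost. A two-line guard keeps the message readable: `const detail = errorData.detail || errorData.error;` then `if (detail) errorMessage = typeof detail === 'string' ? detail : JSON.stringify(detail);`. The same extract-`detail`-or-`error` logic is added verbatim in two more hunks of this file, so it is worth lifting into one helper such as `async function readErrorMessage(response, fallback)` rather than repeating it. The enclosing function starts before this hunk.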

Local Token Storage

 try {
 const r = await fetch(`/destinations/${encodeURIComponent(d.id)}`, { method: 'DELETE' });
 if (r.status !== 204) {
-const txt = await r.text();
-throw new Error(`Failed to delete (${r.status}): ${txt}`);
+let errorMessage = `Failed to delete (${r.status})`;
+try {
+const errorData = await r.json();
+if (errorData.detail) errorMessage = errorData.detail;
+else if (errorData.error) errorMessage = errorData.error;
+} catch {
+const txt = await r.text();
+errorMessage += `: ${txt}`;
+}
+throw new Error(errorMessage);
 }
 // Also remove local token if exists
 if (window.tokenVault && window.tokenVault.hasToken(d.id)) {
@@ -890,7 +904,7 @@
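Review bot: The fallback `const txt = await r.text();` inside the `catch` runs after `r.json()` has already consumed the response body, so for any non-JSON error body (an HTML 502 page from a proxy, plain text) it throws a TypeError about the body stream already being read, and that TypeError replaces the message the code meant to surface. Read the body exactly once as text and parse it with `JSON.parse`, falling back to the raw text only when parsing fails. This also avoids appending an empty `: ` suffix when the body is empty. The enclosing click handler starts before this hunk.
```javascript
if (r.status !== 204) {
  // Read the body once: calling r.text() after a failed r.json() throws "body stream already read".
  const txt = await r.text();
  let errorMessage = `Failed to delete (${r.status})`;
  try {
    const errorData = JSON.parse(txt);
    if (errorData.detail) errorMessage = errorData.detail;
    else if (errorData.error) errorMessage = errorData.error;
  } catch {
    if (txt) errorMessage += `: ${txt}`;
  }
  throw new Error(errorMessage);
}
// … unchanged: local token removal …
```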

Local Token Storage

 }
 await refreshDestinations();
 } catch (err) {
-alert('Failed to delete destination. See console.');
+alert(err.message || 'Failed to delete destination. See console.');
 console.error(err);
 }
 });
@@ -971,9 +985,20 @@

Local Token Storage

}); if (!r.ok) { - const errorText = await r.text(); - console.error('Server error:', r.status, errorText); - throw new Error(`Failed to save destination (${r.status}): ${errorText}`); + let errorMessage = `Failed to save destination (${r.status})`; + try { + const errorData = await r.json(); + if (errorData.detail) { + errorMessage = errorData.detail; + } else if (errorData.error) { + errorMessage = errorData.error; + } + } catch { + const errorText = await r.text(); + errorMessage += `: ${errorText}`; + } + console.error('Server error:', r.status, errorMessage); + throw new Error(errorMessage); } const result = await r.json(); @@ -995,7 +1020,7 @@
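Review bot: As in the delete handler, `const errorText = await r.text();` in the `catch` branch executes after `r.json()` has consumed the body, so a non-JSON error response (proxy HTML, plain text) turns into a "body stream already read" TypeError instead of the intended `Failed to save destination (status): body` message. Read the body once with `r.text()`, then `JSON.parse` it, and only fall back to the raw text when parsing fails; coerce a non-string `detail` with `JSON.stringify` so structured validation errors do not render as `[object Object]`. The enclosing submit handler starts before this hunk and continues after it.
```javascript
if (!r.ok) {
  // Read the body once: r.text() after a failed r.json() throws "body stream already read".
  const errorText = await r.text();
  let errorMessage = `Failed to save destination (${r.status})`;
  try {
    const errorData = JSON.parse(errorText);
    const detail = errorData.detail || errorData.error;
    if (detail) errorMessage = typeof detail === 'string' ? detail : JSON.stringify(detail);
  } catch {
    if (errorText) errorMessage += `: ${errorText}`;
  }
  console.error('Server error:', r.status, errorMessage);
  throw new Error(errorMessage);
}
// … unchanged: const result = await r.json(); …
```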

Local Token Storage

const genBtn = document.querySelector('.nav-tab[data-target="generate-section"]'); if (genBtn) genBtn.click(); } catch (err) { - alert('Failed to save destination. See console.'); + alert(err.message || 'Failed to save destination. See console.'); console.error(err); } }); diff --git a/README.md b/README.md index 9ba59b6..8689dc1 100644 --- a/README.md +++ b/README.md @@ -19,16 +19,25 @@ If you're new to Docker, think of images as "apps" you build, and containers as - `docker-compose.yml`: Orchestrates API and UI - `.env`: Environment variables loaded by Compose +--- + ## Quick Start ### 1. Create Environment File -First time setup - copy the template to create your `.env` file: +First time setup - copy the example template to create your `.env` file: +```bash +cp .env.example .env +``` + +Or if you prefer the simplified version: ```bash cp ".env copy" .env ``` The default configuration has authentication disabled for easy local development (`DISABLE_AUTH=true`). This is perfect for getting started! +**Note**: See the [Detailed Configuration](#detailed-configuration) section below for complete environment variable documentation. + ### 2. Start Services Build and start both services: ```bash @@ -43,6 +52,8 @@ docker compose up -d --build docker compose down ``` +--- + ## Step-by-Step (Beginner Friendly) 1. Build images (compiles dependencies and copies code): ```bash 
@@ -72,32 +83,35 @@ curl http://localhost:8000/api/v1/health open http://localhost:9001 ``` +--- + ## Configuration (.env) -The `.env` file controls both services. Copy from `.env copy` if you haven't already: +The `.env` file controls both services. Use the comprehensive `.env.example` template: ```bash -cp ".env copy" .env +cp .env.example .env ``` -### Authentication Settings -By default, authentication is **disabled** for local development: -- `DISABLE_AUTH=true` - No API keys required (recommended for local dev) -- `BACKEND_API_KEY` - Not needed when auth is disabled +### Quick Configuration Overview -For production, enable authentication: +#### Local Development (Default) ```bash -DISABLE_AUTH=false -API_KEYS_ADMIN=your-secure-admin-key -BACKEND_API_KEY=your-secure-admin-key # Frontend uses this to talk to backend +DISABLE_AUTH=true +SECRET_KEY=dev-key +LOG_LEVEL=debug ``` +Perfect for testing and development. No SentinelOne integration required. -### Other Key Variables -- **HEC Batching** (used by UI when sending to HEC): - - `S1_HEC_BATCH=true` - - `S1_HEC_BATCH_MAX_BYTES=1048576` - - `S1_HEC_BATCH_FLUSH_MS=500` - - `S1_HEC_DEBUG=0` -- **Secret Key**: `SECRET_KEY` - Change for production deployments +#### Production with SentinelOne +```bash +DISABLE_AUTH=false +SECRET_KEY= +JARVIS_WRITE_KEYS= +S1_HEC_TOKEN= +S1_HEC_URL=https://ingest.REGION.sentinelone.net/api/v1/cloud_connect/events +S1_HEC_AUTH_SCHEME=Bearer +BACKEND_API_KEY= +``` ### Applying Configuration Changes After editing `.env`, restart containers: 
@@ -105,6 +119,108 @@ After editing `.env`, restart containers: docker compose down && docker compose up -d ``` +--- + +## Detailed Configuration + +For complete documentation of all environment variables, see [.env.example](.env.example). + +### Core Environment Variables + +#### Authentication & Security + +| Variable | Description | Required | Default | +|----------|-------------|----------|---------| +| `DISABLE_AUTH` | Disable authentication for local dev | No | `false` | +| `SECRET_KEY` | Encryption key for JWT/sessions | **Yes** (prod) | `change-me-in-production` | +| `JARVIS_ADMIN_KEYS` | Admin API keys (comma-separated) | No | - | +| `JARVIS_WRITE_KEYS` | Write-access AI SIEM API keys | **Yes** (prod) | - | +| `JARVIS_READ_KEYS` | Read-only AI SIEM API keys | No | - | +| `BACKEND_API_KEY` | Frontend→Backend API key | **Yes** (prod) | - | + +**Generate secure keys**: +```bash +# For SECRET_KEY +python -c "import secrets; print(secrets.token_urlsafe(32))" + +``` + +#### SentinelOne Integration + +##### HEC (HTTP Event Collector) - For Sending Events + +| Variable | Description | Required | Example | +|----------|-------------|----------|---------| +| `S1_HEC_TOKEN` | HEC token for **sending/writing** events to SentinelOne | No | `xxxxxxxx-xxxx-xxxx...` | +| `S1_HEC_URL` | HEC endpoint URL | No | `https://ingest.REGION.sentinelone.net/api/v1/cloud_connect/events` | +| `S1_HEC_AUTH_SCHEME` | Auth scheme: `Splunk` or `Bearer` (use `Bearer` for Cloud Connect) | No | `Bearer` | +| `S1_HEC_BATCH` | Enable batch mode | No | `true` | +| `S1_HEC_BATCH_MAX_BYTES` | Max batch size in bytes | No | `1048576` | +| `S1_HEC_BATCH_FLUSH_MS` | Batch flush interval (ms) | No | `500` | +| `S1_HEC_VERIFY` | Verify SSL certificates | No | `true` | +| `S1_HEC_DEBUG` | Debug level (0-2) | No | `0` | + +**Where to get tokens**: +- **HEC Token**: SentinelOne Console → Policy & Settings → API Keys → Log Access Keys (New Write Key for **sending** events) + + +#### Keyring (Frontend 
Credential Storage) + +| Variable | Description | Default | +|----------|-------------|---------| +| `KEYRING_CRYPTFILE_PASSWORD` | Keyring encryption password | `change-this-strong-password` | +| `KEYRING_CRYPTFILE_PATH` | Keyring file path | `/app/Frontend/.keyring.cfg` | +| `PYTHON_KEYRING_BACKEND` | Keyring backend type | `keyrings.alt.file.EncryptedKeyring` | + +--- + +## Parser Configuration + +### Parser Mappings File + +Parser mappings are configured in `Backend/event_generators/shared/parser_mappings.json`. This file defines two types of mappings: + +**1. `marketplace_to_product`** - Maps SentinelOne marketplace parser names to internal product generators: +```json +{ + "marketplace-awscloudtrail-latest": "aws_cloudtrail", + "marketplace-fortinetfortigate-latest": "fortinet_fortigate" +} +``` + +**2. `product_to_parser`** - Maps internal product names to SentinelOne parser names: +```json +{ + "aws_cloudtrail": "marketplace-awscloudtrail-latest", + "fortinet_fortigate": "fortinet_fortigate_candidate_logs-latest" +} +``` + +### Updating Parser Mappings + +To add or update parser mappings: + +1. Edit `Backend/event_generators/shared/parser_mappings.json` +2. Add your mapping in both sections if needed +3. Restart containers: + ```bash + docker compose restart + ``` + +**Example - Adding a new AWS parser:** +```json +{ + "marketplace_to_product": { + "marketplace-awss3-latest": "aws_s3" + }, + "product_to_parser": { + "aws_s3": "marketplace-awss3-latest" + } +} +``` + +--- + ## Common Commands - Rebuild everything after Dockerfile changes: ```bash 
@@ -124,29 +240,169 @@ docker logs -f jarvis-api ``` ## Troubleshooting + ### "Missing API key" or "API key required" errors **Symptom**: Frontend shows "Failed to save destination" with 403 errors about missing API key. -**Solution**: Create the `.env` file with `DISABLE_AUTH=true`: +**Root Cause**: `.env` file not created or `DISABLE_AUTH` not set to `true`. + +**Solution**: ```bash -cp ".env copy" .env +cp .env.example .env +# Edit .env and set: +# DISABLE_AUTH=true docker compose down && docker compose up -d ``` +### "Failed to send events to SentinelOne" +**Symptom**: Events not appearing in SentinelOne console. + +**Root Causes**: +1. Missing or invalid `S1_HEC_TOKEN` +2. Incorrect `S1_HEC_URL` +3. SSL certificate issues + +**Solutions**: +```bash +# 1. Verify your HEC token in .env +S1_HEC_TOKEN= + +# 2. Verify your instance URL format (no /raw suffix for Cloud Connect) +S1_HEC_URL=https://ingest.REGION.sentinelone.net/api/v1/cloud_connect/events +S1_HEC_AUTH_SCHEME=Bearer + +# 3. If SSL issues, temporarily disable verification (dev only!) +S1_HEC_VERIFY=false + +# 4. Enable debug logging +S1_HEC_DEBUG=2 + +# Restart and check logs +docker compose down && docker compose up -d +docker logs -f jarvis-api +``` + +### "Environment variable not loaded" +**Symptom**: Application doesn't use values from `.env` file or warnings about unset variables. + +**Root Cause**: Docker Compose not reading `.env` file or variables not defined. + +**Solutions**: +```bash +# 1. Ensure .env is in the same directory as docker-compose.yml +ls -la .env + +# 2. Variables can be empty (optional ones have defaults in docker-compose.yml) +# For example, S1_SDL_API_TOKEN can be left empty if not needed +S1_SDL_API_TOKEN= + +# 3. Restart containers (down + up, not just restart) +docker compose down +docker compose up -d + +# 4. Verify environment variables are loaded +docker exec jarvis-api env | grep S1_HEC_TOKEN +``` + ### "port already in use" -Another process is using that port. 
The UI maps `9001:8000`. Either stop the other app or change the left number in `docker-compose.yml`. +**Symptom**: `Error: bind: address already in use`. -### API keeps restarting with missing modules -Rebuild the API image: +**Solution**: +```bash +# Find process using port 8000 +lsof -i :8000 + +# Stop the process or change port in docker-compose.yml +# Change: "8000:8000" to "8080:8000" +``` + +#### API keeps restarting with missing modules +**Symptom**: Container restarts continuously with `ModuleNotFoundError`. + +**Solution**: ```bash docker compose build api --no-cache && docker compose up -d ``` -### API health is failing with missing `/event_generators` or `/parsers` -The image includes symlinks for these paths; ensure you rebuilt after recent changes. +#### API health is failing with missing `/event_generators` or `/parsers` +**Symptom**: Health check fails, missing directories. + +**Solution**: +```bash +# Ensure symlinks exist +ls -la Backend/api/event_generators +ls -la Backend/api/parsers + +# Rebuild with no cache +docker compose build --no-cache +docker compose up -d +``` + +#### Frontend can't reach backend +**Symptom**: Frontend shows "API connection failed". + +**Root Cause**: Incorrect `API_BASE_URL` configuration. + +**Solution**: +```bash +# In .env, set for Docker: +API_BASE_URL=http://api:8000 + +# For local development without Docker: +API_BASE_URL=http://localhost:8000 + +# Restart +docker compose down && docker compose up -d +``` + +#### CORS errors in browser +**Symptom**: Browser console shows CORS policy errors. 
+ +**Solution**: +```bash +# Add your frontend URL to .env +BACKEND_CORS_ORIGINS=http://localhost:3000,https://yourdomain.com + +# Restart +docker compose down && docker compose up -d +``` + +### Debugging Tips + +#### Enable Debug Logging +```bash +# In .env +LOG_LEVEL=debug +S1_HEC_DEBUG=2 + +# Restart and watch logs +docker compose down && docker compose up -d +docker logs -f jarvis-api +``` + +#### Check Environment Variables +```bash +# View all env vars in API container +docker exec jarvis-api env + +# Check specific variable +docker exec jarvis-api env | grep S1_HEC_TOKEN +``` + +#### View Container Logs +```bash +# Real-time logs +docker logs -f jarvis-api +docker logs -f jarvis-frontend + +# Last 100 lines +docker logs --tail 100 jarvis-api + +# Logs since specific time +docker logs --since 10m jarvis-api +``` -### Frontend can’t reach backend -Inside containers, the UI uses `API_BASE_URL=http://api:8000`. From your host, use `http://localhost:8000` for the API and `http://localhost:9001` for the UI. +--- ## Development Tips - Live code mounting is enabled for the UI and backend content in Compose (read-only) to keep container images small and consistent. Rebuild images when you change Dockerfiles or dependencies. diff --git a/docker-compose.yml b/docker-compose.yml index 9a53b53..751bd0b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,5 +1,3 @@ -version: '3.8' - services: api: build: 
@@ -15,12 +13,20 @@ services:
 - SECRET_KEY=${SECRET_KEY:-change-me-in-production}
 # Authentication settings
 - DISABLE_AUTH=${DISABLE_AUTH:-false}
- - API_KEYS_ADMIN=${API_KEYS_ADMIN}
- - API_KEYS_READ_ONLY=${API_KEYS_READ_ONLY}
- - API_KEYS_WRITE=${API_KEYS_WRITE}
+ - JARVIS_ADMIN_KEYS=${JARVIS_ADMIN_KEYS}
+ - JARVIS_WRITE_KEYS=${JARVIS_WRITE_KEYS}
+ - JARVIS_READ_KEYS=${JARVIS_READ_KEYS}
 # SentinelOne integration
- - S1_HEC_TOKEN=${S1_HEC_TOKEN}
- - S1_SDL_API_TOKEN=${S1_SDL_API_TOKEN}
+ - S1_HEC_TOKEN=${S1_HEC_TOKEN:-}
+ - S1_HEC_URL=${S1_HEC_URL:-}
+ - S1_SDL_API_TOKEN=${S1_SDL_API_TOKEN:-}
+ # HEC batching and configuration
+ - S1_HEC_BATCH=${S1_HEC_BATCH:-false}
+ - S1_HEC_BATCH_MAX_BYTES=${S1_HEC_BATCH_MAX_BYTES:-1048576}
+ - S1_HEC_BATCH_FLUSH_MS=${S1_HEC_BATCH_FLUSH_MS:-500}
+ - S1_HEC_DEBUG=${S1_HEC_DEBUG:-0}
+ - S1_HEC_VERIFY=${S1_HEC_VERIFY:-true}
+ - S1_HEC_AUTH_SCHEME=${S1_HEC_AUTH_SCHEME:-Splunk}
 # Database
 - DATABASE_URL=sqlite+aiosqlite:///./data/jarvis_coding.db
 volumes:
@@ -42,10 +48,16 @@ services:
 environment:
 - API_BASE_URL=http://api:8000
 - BACKEND_API_KEY=${BACKEND_API_KEY}
+ # SentinelOne HEC Configuration
+ - S1_HEC_TOKEN=${S1_HEC_TOKEN}
+ - S1_HEC_URL=${S1_HEC_URL}
+ - S1_SDL_API_TOKEN=${S1_SDL_API_TOKEN:-}
 - S1_HEC_BATCH=${S1_HEC_BATCH}
 - S1_HEC_BATCH_MAX_BYTES=${S1_HEC_BATCH_MAX_BYTES}
 - S1_HEC_BATCH_FLUSH_MS=${S1_HEC_BATCH_FLUSH_MS}
 - S1_HEC_DEBUG=${S1_HEC_DEBUG}
+ - S1_HEC_VERIFY=${S1_HEC_VERIFY:-true}
+ - S1_HEC_AUTH_SCHEME=${S1_HEC_AUTH_SCHEME:-Splunk}
 - PYTHON_KEYRING_BACKEND=keyrings.alt.file.EncryptedKeyring
 - KEYRING_CRYPTFILE_PASSWORD=${KEYRING_CRYPTFILE_PASSWORD}
 - KEYRING_CRYPTFILE_PATH=${KEYRING_CRYPTFILE_PATH}
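Review bot: The added `- S1_HEC_VERIFY=${S1_HEC_VERIFY:-true}` in the api service introduces a switch that, when set to `false`, turns off TLS certificate verification on the outbound HEC requests that carry `S1_HEC_TOKEN`, and the README on this same page tells operators to flip it as a troubleshooting step, yet nothing in the compose file marks it as development-only. I would put a comment directly above that line: `# S1_HEC_VERIFY=false disables TLS certificate verification for token-bearing HEC requests - development only, never in production`. Separately, the new default `- S1_HEC_AUTH_SCHEME=${S1_HEC_AUTH_SCHEME:-Splunk}` disagrees with the README table and production example on this page, which say to use `Bearer` with the Cloud Connect endpoint, so an operator who leaves the scheme unset while following the documented URL format will presumably hit authentication failures; either default to `Bearer` or add a comment explaining why `Splunk` is the fallback.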
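Review bot: The new frontend entries `- S1_HEC_TOKEN=${S1_HEC_TOKEN}` and `- S1_HEC_URL=${S1_HEC_URL}` have no `:-` fallback, unlike the same variables added to the api service in the previous hunk as `${S1_HEC_TOKEN:-}` / `${S1_HEC_URL:-}`, so Compose will warn about unset variables on the default `DISABLE_AUTH=true` setup where no token is configured (the README troubleshooting on this page already mentions those warnings). I would change them to `- S1_HEC_TOKEN=${S1_HEC_TOKEN:-}` and `- S1_HEC_URL=${S1_HEC_URL:-}` to match the api service. Note also that this hunk hands the SentinelOne write token to a second container as a plain `environment:` entry, where it is readable via `docker inspect` and `docker exec ... env` (the README's own debugging tip); if the frontend genuinely needs the token rather than proxying through the api, an `env_file:` or Compose `secrets:` entry would presumably keep it out of the container metadata.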