diff --git a/parsers/ocsf/vpc-flow-logs-ocsf.conf b/parsers/ocsf/vpc-flow-logs-ocsf.conf
new file mode 100644
index 0000000..4ab750e
--- /dev/null
+++ b/parsers/ocsf/vpc-flow-logs-ocsf.conf
@@ -0,0 +1,42 @@
+{
+ attributes: {
+ "dataSource.category": "security",
+ "dataSource.name": "AWS VPC Flow",
+ "dataSource.vendor": "AWS",
+ "metadata.version": "1.0.0-rc.3",
+ "class_uid": "4001",
+ "category_uid": "4",
+ "class_name": "Network Activity",
+ "category_name": "Network Activity"
+ },
+ intermittentTimestamps: true,
+ patterns: {
+ vpcId: "vpc-[a-f0-9]{17}|-+",
+ subnetId: "subnet-[a-f0-9]{17}|-+",
+ instanceId: "i-[a-fA-F0-9]{17}|-+",
+ interfaceId: "eni-[a-fA-F0-9]{17}|-+",
+ accountId: "[a-f0-9]{12}|-+",
+ ip: "(?:[0-9]{1,3}.){3}[0-9]{1,3}|-+",
+ ipv6: "(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|-+",
+ port: "[0-9]{1,5}|-+",
+ },
+ formats: [
+ // Format of flow log for version 2 and IPv4 address is allowed
+ "$metadata.product.version$ $cloud.account_uid=accountId$ $dst_endpoint.interface_uid=interfaceId$ $src_endpoint.ip=ip$ $dst_endpoint.ip=ip$ $src_endpoint.port=port$ $dst_endpoint.port=port$ $connection_info.protocol_num=number$ $traffic.packets=number$ $traffic.bytes=number$ $start_time=number$ $end_time=number$ $type_name$ $status_code$",
+
+ // Format of flow log for version 2 and IPv6 address is allowed.
+ "$metadata.product.version$ $cloud.account_uid=accountId$ $dst_endpoint.interface_uid=interfaceId$ $src_endpoint.ip=ipv6$ $dst_endpoint.ip=ipv6$ $src_endpoint.port=port$ $dst_endpoint.port=port$ $connection_info.protocol_num=number$ $traffic.packets=number$ $traffic.bytes=number$ $start_time=number$ $end_time=number$ $type_name$ $status_code$",
+
+ // Format of flow log for version 3 and tcp-flags field are represented by the second-to-last value in the flow log.
+ "$metadata.product.version$ $dst_endpoint.vpc_uid=vpcId$ $dst_endpoint.subnet_uid=subnetId$ $dst_endpoint.instance_uid=instanceId$ $dst_endpoint.interface_uid=interfaceId$ $cloud.account_uid=accountId$ $connection_info.protocol_ver$ $src_endpoint.intermediate_ips=ip$ $dst_endpoint.intermediate_ips=ip$ $src_endpoint.port=port$ $dst_endpoint.port=port$ $src_endpoint.ip=ip$ $dst_endpoint.ip=ip$ $connection_info.protocol_num=number$ $traffic.bytes=number$ $traffic.packets=number$ $start_time=number$ $end_time=number$ $type_name$ $connection_info.tcp_flags=number$ $status_code$",
+
+ // Format of flow log for version 3 and traffic through a transit gateway.
+ "$metadata.product.version$ $dst_endpoint.interface_uid=interfaceId$ $cloud.account_uid=accountId$ $dst_endpoint.vpc_uid=vpcId$ $dst_endpoint.subnet_uid=subnetId$ $dst_endpoint.instance_uid=instanceId$ $src_endpoint.intermediate_ips=ip$ $dst_endpoint.intermediate_ips=ip$ $src_endpoint.port=port$ $dst_endpoint.port=port$ $connection_info.protocol_num=number$ $connection_info.tcp_flags=number$ $connection_info.protocol_ver$ $src_endpoint.ip=ip$ $dst_endpoint.ip=ip$ $type_name$ $status_code$"
+
+ // Format of flow log for version 5
+ "$metadata.product.version$ $src_endpoint.intermediate_ips=ip$ $dst_endpoint.intermediate_ips=ip$ $src_endpoint.port=port$ $dst_endpoint.port=port$ $connection_info.protocol_num=number$ $start_time=number$ $end_time=number$ $connection_info.protocol_ver$ $traffic.packets=number$ $traffic.bytes=number$ $cloud.account_uid=accountId$ $dst_endpoint.vpc_uid=vpcId$ $dst_endpoint.subnet_uid=subnetId$ $dst_endpoint.instance_uid=instanceId$ $dst_endpoint.interface_uid=interfaceId$ $cloud.region$ $cloud.zone$ $sub_location_type$ $sub_location_id$ $type_name$ $connection_info.tcp_flags=number$ $src_endpoint.ip=ip$ $dst_endpoint.ip=ip$ $src_endpoint.svc_name$ $dst_endpoint.svc_name$ $connection_info.boundary$ $connection_info.direction$ $status_code$",
+
+ // Format of flow log for the NAT gateway
network interface
+ "$dst_endpoint.instance_uid=instanceId$ $dst_endpoint.interface_uid=interfaceId$ $src_endpoint.intermediate_ips=ip$ $dst_endpoint.intermediate_ips=ip$ $src_endpoint.ip=ip$ $dst_endpoint.ip=ip$"
+ ]
+}
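Review bot: The version-3 transit-gateway format string (the entry ending `$type_name$ $status_code$"` just before the `// Format of flow log for version 5` comment) has no trailing comma, so two string literals sit adjacent in the `formats` array; a strict parser rejects the whole file and VPC flow log ingestion stops, while a lenient one may silently merge or drop an entry — add `,` after that closing quote. The `ip` pattern `(?:[0-9]{1,3}.){3}[0-9]{1,3}|-+` leaves the `.` unescaped, so any character is accepted between octets; `(?:[0-9]{1,3}\\.){3}[0-9]{1,3}|-+` (with whatever escape this parser's string syntax expects) keeps mis-tokenised lines from being matched to a format. The resource-id patterns accept only 17-hex-character suffixes (`vpc-[a-f0-9]{17}`, `subnet-[a-f0-9]{17}`, …) and mix `[a-f0-9]` with `[a-fA-F0-9]`; if any account still emits legacy 8-character ids those records will match no format and be lost, so an `{8}|…{17}` alternative with one consistent character class would be safer, and `accountId` can be narrowed to `[0-9]{12}` since account ids are decimal. A comment above each format naming the AWS field order it maps (e.g. `// version 2 default: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`) would let reviewers verify the positional mappings against the documented layouts.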