From f2bbfde48d5d5f36a1e44ce5f494cb58c968e413 Mon Sep 17 00:00:00 2001
From: jmorascalyr <42879226+jmorascalyr@users.noreply.github.com>
Date: Thu, 19 Sep 2024 18:21:36 -0600
Subject: [PATCH] Create s3-access-ocsf.conf

---
 parsers/ocsf/s3-access-ocsf.conf | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 parsers/ocsf/s3-access-ocsf.conf

diff --git a/parsers/ocsf/s3-access-ocsf.conf b/parsers/ocsf/s3-access-ocsf.conf
new file mode 100644
index 0000000..7cac79e
--- /dev/null
+++ b/parsers/ocsf/s3-access-ocsf.conf
@@ -0,0 +1,26 @@
+// Parser for AWS S3 bucket access log files.
+//
+// See http://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html.
+
+{
+ attributes: {
+ "dataSource.category": "security",
+ "dataSource.name": "AWS Bucket Access",
+ "dataSource.vendor": "AWS",
+ "metadata.version": "1.0.0-rc.3",
+ "class_uid": "4001",
+ "category_uid": "4",
+ "class_name": "Web Resources Activity",
+ "category_name": "Web Resources Activity"
+ },
+ formats: [
+ {
+ format: "$unmapped.bucketOwner$ $unmapped.bucket$ \\[$timestamp$\\] $src_endpoint.ip$ $actor.user.name$ " +
+ "$unmapped.requestId$ $unmapped.operation$ $unmapped.key$ \"$unmapped.method$ $unmapped.uri$ $unmapped.application_protocol
+
+$\" " +
+ "$status$ $unmapped.errorCode$ $unmapped.bytesSent$ $unmapped.objectSize$ $unmapped.totalTimeMs$ " +
+ "$unmapped.turnaroundTimeMs$ \"$unmapped.referrer$\" \"$unmapped.agent$\" $unmapped.versionId$"
+ }
+ ]
+}
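Review bot: The `format` string is broken by a line break inside a quoted literal: the second concatenated piece ends at `$unmapped.application_protocol` with no closing `$` or quote, then comes a blank added line, then `$\" " +` on a line of its own (the 26-line diffstat only adds up with those two extra lines), so the file as committed most likely fails to load, and even a lenient loader would produce a field name that never matches the quoted `"METHOD URI PROTOCOL"` section of an S3 access log record. Those three physical lines should be the single line `"$unmapped.requestId$ $unmapped.operation$ $unmapped.key$ \"$unmapped.method$ $unmapped.uri$ $unmapped.application_protocol$\" " +`. Separately, the OCSF attributes look internally inconsistent: `category_name` repeats the class name "Web Resources Activity", and in the OCSF schema as I recall it class_uid 4001 is Network Activity (category 4) while Web Resources Activity is class 6001 under category 6 "Application Activity" — please check against the 1.0.0-rc.3 schema that `metadata.version` pins and correct either the uids or the names so downstream OCSF consumers do not misclassify these events. The documentation link is also plain `http://` and appears to be the legacy docs path; `https://docs.aws.amazon.com/AmazonS3/latest/userguide/LogFormat.html` is where the log format is documented today.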