From af0c0244b11e94d2657633302e5a25402c35b4cd Mon Sep 17 00:00:00 2001 
From: Omer Gull Date: Tue, 7 May 2024 09:35:24 +0300 Subject: [PATCH 1/3] Added new mappings and created some versioned folder for previous existing mappings --- .../aws-cloudtrail/authentication/README.md | 79 ++++++++++++++++ .../network_activity/README.md | 51 +++++++++++ .../AWS/1.1.0/aws-waf/http_activity/README.md | 54 +++++++++++ .../dns_activity/README.md | 47 ++++++++++ .../authentication/README.md | 63 +++++++++++++ .../alibaba-slb-logs/http_activity/README.md | 59 ++++++++++++ .../1.1.0/alibaba-waf/http_activity/README.md | 62 +++++++++++++ .../axis-activity-logs/dns_activity/README.md | 42 +++++++++ .../process_activity/README.md | 90 +++++++++++++++++++ .../authentication/README.md | 48 ++++++++++ .../bind-dns-events/dns_activity/README.md | 38 ++++++++ .../bind-dns-logs/dns_activity/README.md | 46 ++++++++++ .../inventory_info/README.md | 56 ++++++++++++ .../file_activity/README.md | 51 +++++++++++ .../network_activity/README.md | 63 +++++++++++++ .../process_activity/README.md | 54 +++++++++++ .../registry_key_activity/README.md | 57 ++++++++++++ .../registry_value_activity/README.md | 58 ++++++++++++ .../network_activity/README.md | 48 ++++++++++ .../network_activity/README.md | 59 ++++++++++++ .../network_activity/README.md | 41 +++++++++ .../network_activity/README.md | 39 ++++++++ .../dns_activity/README.md | 35 ++++++++ .../cloudflare-dns/dns_activity/README.md | 36 ++++++++ .../cloudflare-http/http_activity/README.md | 57 ++++++++++++ .../inventory_info/README.md | 49 ++++++++++ .../authentication/README.md | 50 +++++++++++ .../network_activity/README.md | 53 +++++++++++ .../1.1.0/gcp-audit/http_activity/README.md | 70 +++++++++++++++ .../http_activity/README.md | 62 +++++++++++++ .../imperva-waf-logs/http_activity/README.md | 62 +++++++++++++ .../dns_activity/README.md | 47 ++++++++++ .../infoblox-nios-dns/dns_activity/README.md | 43 +++++++++ .../inventory_info/README.md | 44 +++++++++ .../jamf-computers/inventory_info/README.md | 58 
++++++++++++ .../inventory_info/README.md | 39 ++++++++ .../azure-signin/authentication/README.md | 61 +++++++++++++ .../file_activity/README.md | 53 +++++++++++ .../inventory_info/README.md | 42 +++++++++ .../authentication/README.md | 56 ++++++++++++ .../network_activity/README.md | 54 +++++++++++ .../process_activity/README.md | 59 ++++++++++++ .../registry_key_activity/README.md | 49 ++++++++++ .../registry_value_activity/README.md | 58 ++++++++++++ .../1.1.0/iis-w3c/http_activity/README.md | 51 +++++++++++ .../o365-audit-logs/authentication/README.md | 49 ++++++++++ .../dns_activity/README.md | 42 +++++++++ .../1.0.0}/4624/4624_0.event | 0 .../1.0.0}/4624/4624_0.json | 0 .../1.0.0}/4624/README.md | 0 .../1.0.0}/4625/4625_0.event | 0 .../1.0.0}/4625/4625_0.json | 0 .../1.0.0}/4625/README.md | 0 .../1.0.0}/4661/4661.event | 0 .../1.0.0}/4661/4661.json | 0 .../1.0.0}/4661/README.md | 0 .../1.0.0}/4663/4663_0.event | 0 .../1.0.0}/4663/4663_0.json | 0 .../1.0.0}/4663/README.md | 0 .../1.0.0}/4673/4673_0.event | 0 .../1.0.0}/4673/4673_0.json | 0 .../1.0.0}/4673/README.md | 0 .../1.0.0}/4688/4688_0.event | 0 .../1.0.0}/4688/4688_0.json | 0 .../1.0.0}/4688/README.md | 0 .../1.0.0}/4689/4689_0.event | 0 .../1.0.0}/4689/4689_0.json | 0 .../1.0.0}/4689/README.md | 0 .../universal-wel/dns_activity/README.md | 55 ++++++++++++ .../registry_key_activity/README.md | 49 ++++++++++ .../registry_value_activity/README.md | 53 +++++++++++ .../authentication/README.md | 43 +++++++++ .../1.1.0/okta-logs/authentication/README.md | 73 +++++++++++++++ .../onelogin-events/authentication/README.md | 39 ++++++++ .../authentication/README.md | 56 ++++++++++++ .../http_activity/README.md | 73 +++++++++++++++ .../network_activity/README.md | 49 ++++++++++ .../inventory_info/README.md | 36 ++++++++ .../pan-edr-raw-logs/file_activity/README.md | 54 +++++++++++ .../network_activity/README.md | 56 ++++++++++++ .../process_activity/README.md | 53 +++++++++++ .../registry_key_activity/README.md | 
49 ++++++++++ .../registry_value_activity/README.md | 52 +++++++++++ .../authentication/README.md | 46 ++++++++++ .../network_activity/README.md | 62 +++++++++++++ .../network_activity/README.md | 41 +++++++++ .../inventory_info/README.md | 52 +++++++++++ .../file_activity/README.md | 53 +++++++++++ .../network_activity/README.md | 60 +++++++++++++ .../process_activity/README.md | 55 ++++++++++++ .../registry_key_activity/README.md | 57 ++++++++++++ .../registry_value_activity/README.md | 64 +++++++++++++ .../http_activity/README.md | 59 ++++++++++++ .../http_activity/README.md | 75 ++++++++++++++++ .../network_activity/README.md | 68 ++++++++++++++ .../http_activity/README.md | 51 +++++++++++ .../slack-audit-logs/authentication/README.md | 51 +++++++++++ .../squid-proxy-logs/http_activity/README.md | 49 ++++++++++ .../http_activity/README.md | 61 +++++++++++++ .../dns_activity/README.md | 62 +++++++++++++ .../http_activity/README.md | 80 +++++++++++++++++ .../network_activity/README.md | 53 +++++++++++ .../Zeek/{ => 1.0.0}/conn_log/README.md | 0 .../conn_log/samples/conn_log.ocsf | 0 .../{ => 1.0.0}/conn_log/samples/conn_log.raw | 0 .../Zeek/{ => 1.0.0}/dns_log/README.md | 0 .../{ => 1.0.0}/dns_log/samples/dns_log.ocsf | 0 .../{ => 1.0.0}/dns_log/samples/dns_log.raw | 0 .../Zeek/{ => 1.0.0}/ssl_log/README.md | 0 .../{ => 1.0.0}/ssl_log/samples/ssl_log.ocsf | 0 .../{ => 1.0.0}/ssl_log/samples/ssl_log.raw | 0 .../zeek-conn-logs/network_activity/README.md | 42 +++++++++ .../zeek-dns-logs/dns_activity/README.md | 42 +++++++++ .../zscaler-zia-dns/dns_activity/README.md | 43 +++++++++ .../1.1.0/zscaler-zia/http_activity/README.md | 62 +++++++++++++ .../http_activity/README.md | 61 +++++++++++++ .../osquery-logs/network_activity/README.md | 47 ++++++++++ .../osquery-logs/process_activity/README.md | 41 +++++++++ 118 files changed, 4711 insertions(+) create mode 100644 mappings/markdown/AWS/1.1.0/aws-cloudtrail/authentication/README.md create mode 100644 
mappings/markdown/AWS/1.1.0/aws-vpc-flow-logs/network_activity/README.md create mode 100644 mappings/markdown/AWS/1.1.0/aws-waf/http_activity/README.md create mode 100644 mappings/markdown/AWS/1.1.0/route53-resolver-query-logs/dns_activity/README.md create mode 100644 mappings/markdown/Alibaba Cloud/1.1.0/alibaba-actiontrail/authentication/README.md create mode 100644 mappings/markdown/Alibaba Cloud/1.1.0/alibaba-slb-logs/http_activity/README.md create mode 100644 mappings/markdown/Alibaba Cloud/1.1.0/alibaba-waf/http_activity/README.md create mode 100644 mappings/markdown/Axis/1.1.0/axis-activity-logs/dns_activity/README.md create mode 100644 mappings/markdown/Beyondtrust/1.1.0/beyondtrust-events/process_activity/README.md create mode 100644 mappings/markdown/Beyondtrust/1.1.0/beyondtrust-passwordsafe/authentication/README.md create mode 100644 mappings/markdown/Bind/1.1.0/bind-dns-events/dns_activity/README.md create mode 100644 mappings/markdown/Bind/1.1.0/bind-dns-logs/dns_activity/README.md create mode 100644 mappings/markdown/Carbon Black/1.1.0/cb-platform-devices/inventory_info/README.md create mode 100644 mappings/markdown/Carbon Black/1.1.0/cb-platform-events/file_activity/README.md create mode 100644 mappings/markdown/Carbon Black/1.1.0/cb-platform-events/network_activity/README.md create mode 100644 mappings/markdown/Carbon Black/1.1.0/cb-platform-events/process_activity/README.md create mode 100644 mappings/markdown/Carbon Black/1.1.0/cb-platform-events/registry_key_activity/README.md create mode 100644 mappings/markdown/Carbon Black/1.1.0/cb-platform-events/registry_value_activity/README.md create mode 100644 mappings/markdown/CatoNetworks/1.1.0/cato-networks-security-events/network_activity/README.md create mode 100644 mappings/markdown/Checkpoint/1.1.0/checkpoint-traffic/network_activity/README.md create mode 100644 mappings/markdown/Cisco/cisco-firewall/1.1.0/cisco-asa-firewall/network_activity/README.md create mode 100644 
mappings/markdown/Cisco/cisco-firewall/1.1.0/cisco-ftd-firewall/network_activity/README.md create mode 100644 mappings/markdown/Cisco/cisco-umbrella/1.1.0/cisco-umbrella-dns-logs/dns_activity/README.md create mode 100644 mappings/markdown/Cloudflare/1.1.0/cloudflare-dns/dns_activity/README.md create mode 100644 mappings/markdown/Cloudflare/1.1.0/cloudflare-http/http_activity/README.md create mode 100644 mappings/markdown/Cybereason/1.1.0/cybereason-sensors/inventory_info/README.md create mode 100644 mappings/markdown/Duo/1.1.0/duo-authentication-logs/authentication/README.md create mode 100644 mappings/markdown/Fortinet/1.1.0/fortinet-firewall/network_activity/README.md create mode 100644 mappings/markdown/GCP/1.1.0/gcp-audit/http_activity/README.md create mode 100644 mappings/markdown/Github/1.1.0/github-server-logs/http_activity/README.md create mode 100644 mappings/markdown/Imperva/1.1.0/imperva-waf-logs/http_activity/README.md create mode 100644 mappings/markdown/Infoblox/1.1.0/infoblox-bloxone-dns/dns_activity/README.md create mode 100644 mappings/markdown/Infoblox/1.1.0/infoblox-nios-dns/dns_activity/README.md create mode 100644 mappings/markdown/Island/1.1.0/island-browser-devices/inventory_info/README.md create mode 100644 mappings/markdown/JAMF/1.1.0/jamf-computers/inventory_info/README.md create mode 100644 mappings/markdown/Lansweeper/1.1.0/lansweeper-assets/inventory_info/README.md create mode 100644 mappings/markdown/Microsoft/Azure/1.1.0/azure-signin/authentication/README.md create mode 100644 mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-file-events/file_activity/README.md create mode 100644 mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-info/inventory_info/README.md create mode 100644 mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-logon-events/authentication/README.md create mode 100644 mappings/markdown/Microsoft/Defender for 
endpoint/1.1.0/mdatp-device-network-events/network_activity/README.md create mode 100644 mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-process-events/process_activity/README.md create mode 100644 mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-registry-events/registry_key_activity/README.md create mode 100644 mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-registry-events/registry_value_activity/README.md create mode 100644 mappings/markdown/Microsoft/Microsoft IIS/1.1.0/iis-w3c/http_activity/README.md create mode 100644 mappings/markdown/Microsoft/office365/1.1.0/o365-audit-logs/authentication/README.md create mode 100644 mappings/markdown/Microsoft/windows-dns/1.1.0/windows-dns-debug-logs/dns_activity/README.md rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4624/4624_0.event (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4624/4624_0.json (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4624/README.md (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4625/4625_0.event (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4625/4625_0.json (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4625/README.md (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4661/4661.event (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4661/4661.json (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4661/README.md (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4663/4663_0.event (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4663/4663_0.json (100%) rename mappings/markdown/Microsoft/{Windows Events => 
windows-event-log/1.0.0}/4663/README.md (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4673/4673_0.event (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4673/4673_0.json (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4673/README.md (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4688/4688_0.event (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4688/4688_0.json (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4688/README.md (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4689/4689_0.event (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4689/4689_0.json (100%) rename mappings/markdown/Microsoft/{Windows Events => windows-event-log/1.0.0}/4689/README.md (100%) create mode 100644 mappings/markdown/Microsoft/windows-event-log/1.1.0/universal-wel/dns_activity/README.md create mode 100644 mappings/markdown/Microsoft/windows-event-log/1.1.0/universal-wel/registry_key_activity/README.md create mode 100644 mappings/markdown/Microsoft/windows-event-log/1.1.0/universal-wel/registry_value_activity/README.md create mode 100644 mappings/markdown/Netiq/1.1.0/netiq-edirectory-audit/authentication/README.md create mode 100644 mappings/markdown/Okta/1.1.0/okta-logs/authentication/README.md create mode 100644 mappings/markdown/OneLogin/1.1.0/onelogin-events/authentication/README.md create mode 100644 mappings/markdown/Oracle/1.1.0/oracle-audit-logs/authentication/README.md create mode 100644 mappings/markdown/Oracle/1.1.0/oracle-service-logs/http_activity/README.md create mode 100644 mappings/markdown/Oracle/1.1.0/oracle-service-logs/network_activity/README.md create mode 100644 mappings/markdown/Palo Alto/1.1.0/pan-cortex-xdr-endpoints/inventory_info/README.md create mode 100644 
mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/file_activity/README.md create mode 100644 mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/network_activity/README.md create mode 100644 mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/process_activity/README.md create mode 100644 mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/registry_key_activity/README.md create mode 100644 mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/registry_value_activity/README.md create mode 100644 mappings/markdown/Palo Alto/1.1.0/pan-firewall-globalprotect/authentication/README.md create mode 100644 mappings/markdown/Palo Alto/1.1.0/pan-firewall-traffic/network_activity/README.md create mode 100644 mappings/markdown/Pfsense/1.1.0/pfsense-filter-logs/network_activity/README.md create mode 100644 mappings/markdown/Sentinel One/1.1.0/sentinelone-agents/inventory_info/README.md create mode 100644 mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/file_activity/README.md create mode 100644 mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/network_activity/README.md create mode 100644 mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/process_activity/README.md create mode 100644 mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/registry_key_activity/README.md create mode 100644 mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/registry_value_activity/README.md create mode 100644 mappings/markdown/Signal Sciences/1.1.0/signal-sciences-events/http_activity/README.md create mode 100644 mappings/markdown/Signal Sciences/1.1.0/signal-sciences-requests/http_activity/README.md create mode 100644 mappings/markdown/Silverpeak/1.1.0/silverpeak-firewall-logs/network_activity/README.md create mode 100644 mappings/markdown/Skyhigh/1.1.0/skyhigh-webgateway-alerts/http_activity/README.md create mode 100644 mappings/markdown/Slack/1.1.0/slack-audit-logs/authentication/README.md create mode 100644 
mappings/markdown/Squid/1.1.0/squid-proxy-logs/http_activity/README.md create mode 100644 mappings/markdown/Symantec/1.1.0/symantec-cloud-secure-web-gateway-logs/http_activity/README.md create mode 100644 mappings/markdown/Vectra/1.1.0/vectra-metadata-logs/dns_activity/README.md create mode 100644 mappings/markdown/Vectra/1.1.0/vectra-metadata-logs/http_activity/README.md create mode 100644 mappings/markdown/Vectra/1.1.0/vectra-metadata-logs/network_activity/README.md rename mappings/markdown/Zeek/{ => 1.0.0}/conn_log/README.md (100%) rename mappings/markdown/Zeek/{ => 1.0.0}/conn_log/samples/conn_log.ocsf (100%) rename mappings/markdown/Zeek/{ => 1.0.0}/conn_log/samples/conn_log.raw (100%) rename mappings/markdown/Zeek/{ => 1.0.0}/dns_log/README.md (100%) rename mappings/markdown/Zeek/{ => 1.0.0}/dns_log/samples/dns_log.ocsf (100%) rename mappings/markdown/Zeek/{ => 1.0.0}/dns_log/samples/dns_log.raw (100%) rename mappings/markdown/Zeek/{ => 1.0.0}/ssl_log/README.md (100%) rename mappings/markdown/Zeek/{ => 1.0.0}/ssl_log/samples/ssl_log.ocsf (100%) rename mappings/markdown/Zeek/{ => 1.0.0}/ssl_log/samples/ssl_log.raw (100%) create mode 100644 mappings/markdown/Zeek/1.1.0/zeek-conn-logs/network_activity/README.md create mode 100644 mappings/markdown/Zeek/1.1.0/zeek-dns-logs/dns_activity/README.md create mode 100644 mappings/markdown/Zscaler/1.1.0/zscaler-zia-dns/dns_activity/README.md create mode 100644 mappings/markdown/Zscaler/1.1.0/zscaler-zia/http_activity/README.md create mode 100644 mappings/markdown/iboss/1.1.0/iboss-web-activity/http_activity/README.md create mode 100644 mappings/markdown/osquery/1.1.0/osquery-logs/network_activity/README.md create mode 100644 mappings/markdown/osquery/1.1.0/osquery-logs/process_activity/README.md diff --git a/mappings/markdown/AWS/1.1.0/aws-cloudtrail/authentication/README.md b/mappings/markdown/AWS/1.1.0/aws-cloudtrail/authentication/README.md new file mode 100644 index 00000000..d358b99b --- /dev/null 
+++ b/mappings/markdown/AWS/1.1.0/aws-cloudtrail/authentication/README.md 
@@ -0,0 +1,79 @@ +# Event Dossier: Aws Cloudtrail to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `aws` +* Product name: `aws-cloudtrail` +* Event codes: `EVENT_NAME in ('ConsoleLogin', 'AssumeRoleWithSAML')` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| actor.authorizations | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('decision', CASE WHEN EVENT_NAME = 'ConsoleLogin' THEN CASE WHEN RESPONSE_ELEMENTS:ConsoleLogin = 'Success' THEN 'allowed' ELSE 'denied' END WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN CASE WHEN RESPONSE_ELEMENTS:credentials:accessKeyId IS NOT NULL THEN 'allowed' ELSE 'denied' END END))``` | +| actor.session.credential_uid | ```USER_IDENTITY_ACCESS_KEY_ID::VARCHAR``` | +| actor.session.is_mfa | ```CASE WHEN ADDITIONAL_EVENT_DATA:MFAUsed = 'No' THEN FALSE WHEN ADDITIONAL_EVENT_DATA:MFAUsed = 'Yes' THEN TRUE ELSE NULL::BOOLEAN END``` | +| actor.user.account.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | +| actor.user.credential_uid | ```USER_IDENTITY_ACCESS_KEY_ID::VARCHAR``` | +| actor.user.email_addr | ```CASE WHEN EVENT_NAME = 'ConsoleLogin' and CONTAINS(USER_IDENTITY:arn, '/') THEN SPLIT_PART(USER_IDENTITY:arn, '/', -1) WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN REQUEST_PARAMETERS:roleSessionName::VARCHAR END``` | +| actor.user.name | ```CASE EVENT_NAME WHEN 'ConsoleLogin' THEN USER_IDENTITY_SESSION_CONTEXT_SESSION_ISSUER_USER_NAME::VARCHAR ELSE USER_IDENTITY_USER_NAME::VARCHAR END``` | +| actor.user.org.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | +| actor.user.uid | ```CASE EVENT_NAME WHEN 'ConsoleLogin' THEN USER_IDENTITY_ARN::VARCHAR 
ELSE RESOURCES[0]:ARN::VARCHAR END``` | +| api.response.code | ```ERROR_CODE::NUMBER``` | +| api.response.error | ```ERROR_CODE::VARCHAR``` | +| api.response.error_message | ```ERROR_MESSAGE::VARCHAR``` | +| api.service.name | ```EVENT_SOURCE::VARCHAR``` | +| api.service.uid | ```EVENT_SOURCE::VARCHAR``` | +| api.service.version | ```EVENT_VERSION::VARCHAR``` | +| api.version | ```EVENT_VERSION::VARCHAR``` | +| auth_protocol | ```CASE (CASE WHEN EVENT_NAME = 'ConsoleLogin' THEN '99'::NUMBER WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN '5'::NUMBER END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'NTLM' WHEN 10 THEN 'RADIUS' WHEN 2 THEN 'Kerberos' WHEN 3 THEN 'Digest' WHEN 4 THEN 'OpenID' WHEN 5 THEN 'SAML' WHEN 6 THEN 'OAUTH 2.0' WHEN 7 THEN 'PAP' WHEN 8 THEN 'CHAP' WHEN 9 THEN 'EAP' WHEN 99 THEN 'Other' END``` | +| auth_protocol_id | ```CASE WHEN EVENT_NAME = 'ConsoleLogin' THEN '99'::NUMBER WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN '5'::NUMBER END``` | +| category_name | ```CASE ('3'::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```'3'::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| cloud.account.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | +| cloud.org.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | +| cloud.provider | ```'AWS'::VARCHAR``` | +| cloud.region | ```AWS_REGION::VARCHAR``` | +| dst_endpoint.domain | ```'amazonaws.com'::VARCHAR``` | +| dst_endpoint.hostname | ```EVENT_SOURCE::VARCHAR``` | +| dst_endpoint.name | ```EVENT_SOURCE::VARCHAR``` | +| dst_endpoint.type | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| dst_endpoint.type_id | ```1::NUMBER``` | +| http_request.user_agent | ```USER_AGENT::VARCHAR``` | +| is_mfa | ```CASE WHEN 
ADDITIONAL_EVENT_DATA:MFAUsed = 'No' THEN FALSE WHEN ADDITIONAL_EVENT_DATA:MFAUsed = 'Yes' THEN TRUE ELSE NULL::BOOLEAN END``` | +| is_remote | ```TRUE::BOOLEAN``` | +| metadata.event_code | ```event_name``` | +| metadata.product.name | ```'aws-cloudtrail'``` | +| metadata.product.vendor_name | ```'aws'``` | +| metadata.version | ```'1.1.0'``` | +| service.name | ```EVENT_SOURCE::VARCHAR``` | +| service.uid | ```EVENT_SOURCE::VARCHAR``` | +| service.version | ```EVENT_VERSION::VARCHAR``` | +| session.created_time | ```date_part('epoch_milliseconds', USER_IDENTITY_SESSION_CONTEXT_ATTRIBUTES_CREATION_DATE::TIMESTAMP_LTZ)``` | +| session.created_time_dt | ```USER_IDENTITY_SESSION_CONTEXT_ATTRIBUTES_CREATION_DATE::TIMESTAMP_LTZ``` | +| session.credential_uid | ```USER_IDENTITY_ACCESS_KEY_ID::VARCHAR``` | +| session.is_mfa | ```CASE WHEN ADDITIONAL_EVENT_DATA:MFAUsed = 'No' THEN FALSE WHEN ADDITIONAL_EVENT_DATA:MFAUsed = 'Yes' THEN TRUE ELSE NULL::BOOLEAN END``` | +| session.issuer | ```USER_IDENTITY_SESSION_CONTEXT_SESSION_ISSUER_ARN::VARCHAR``` | +| src_endpoint.ip | ```SOURCE_IP_ADDRESS::VARCHAR``` | +| status | ```CASE (CASE WHEN EVENT_NAME = 'ConsoleLogin' THEN CASE WHEN RESPONSE_ELEMENTS:ConsoleLogin = '1'::NUMBER THEN '1'::number ELSE '2'::number END WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN CASE WHEN RESPONSE_ELEMENTS:credentials:accessKeyId IS NOT NULL THEN '1'::number ELSE '2'::number END END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_code | ```ERROR_CODE::VARCHAR``` | +| status_detail | ```ERROR_MESSAGE::VARCHAR``` | +| status_id | ```CASE WHEN EVENT_NAME = 'ConsoleLogin' THEN CASE WHEN RESPONSE_ELEMENTS:ConsoleLogin = '1'::NUMBER THEN '1'::number ELSE '2'::number END WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN CASE WHEN RESPONSE_ELEMENTS:credentials:accessKeyId IS NOT NULL THEN '1'::number ELSE '2'::number END END``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` 
| +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (300201::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```300201::NUMBER``` | +| user.account.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | +| user.credential_uid | ```USER_IDENTITY_ACCESS_KEY_ID::VARCHAR``` | +| user.email_addr | ```CASE WHEN EVENT_NAME = 'ConsoleLogin' and CONTAINS(USER_IDENTITY:arn, '/') THEN SPLIT_PART(USER_IDENTITY:arn, '/', -1) WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN REQUEST_PARAMETERS:roleSessionName::VARCHAR END``` | +| user.name | ```CASE EVENT_NAME WHEN 'ConsoleLogin' THEN USER_IDENTITY_SESSION_CONTEXT_SESSION_ISSUER_USER_NAME::VARCHAR ELSE USER_IDENTITY_USER_NAME::VARCHAR END``` | +| user.org.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | +| user.type | ```CASE (case when USER_IDENTITY_TYPE = 'Unknown' then 0 when USER_IDENTITY_TYPE in ('IAMUser', 'SAMLUser', 'WebIdentityUser') then 1 when USER_IDENTITY_TYPE = 'Root' then 2 else 99 end) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'User' WHEN 2 THEN 'Admin' WHEN 3 THEN 'System' WHEN 99 THEN 'Other' END``` | +| user.type_id | ```case when USER_IDENTITY_TYPE = 'Unknown' then 0 when USER_IDENTITY_TYPE in ('IAMUser', 'SAMLUser', 'WebIdentityUser') then 1 when USER_IDENTITY_TYPE = 'Root' then 2 else 99 end``` | +| user.uid | ```CASE EVENT_NAME WHEN 'ConsoleLogin' THEN USER_IDENTITY_ARN::VARCHAR ELSE RESOURCES[0]:ARN::VARCHAR END``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ 
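Review bot: the `status` and `status_id` expressions in this hunk test `RESPONSE_ELEMENTS:ConsoleLogin = '1'::NUMBER`, while `actor.authorizations` a few rows above tests the same field against `'Success'`; with the numeric comparison every ConsoleLogin event falls through to `'2'` (Failure), so the mapping disagrees with itself and successful console logons are recorded as failures. Suggest `CASE WHEN RESPONSE_ELEMENTS:ConsoleLogin = 'Success' THEN 1 ELSE 2 END` in both places so that `status` and the `decision` in `actor.authorizations` agree. Also, `api.response.code` casts `ERROR_CODE::NUMBER` although `status_code` and `api.response.error` treat the same column as `VARCHAR`; CloudTrail error codes are strings, so the numeric cast fails (or needs `TRY_CAST`, which would return NULL) on every row that carries an error code.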
diff --git a/mappings/markdown/AWS/1.1.0/aws-vpc-flow-logs/network_activity/README.md b/mappings/markdown/AWS/1.1.0/aws-vpc-flow-logs/network_activity/README.md new file mode 100644 index 00000000..33aaf51a --- /dev/null +++ b/mappings/markdown/AWS/1.1.0/aws-vpc-flow-logs/network_activity/README.md 
@@ -0,0 +1,51 @@ +# Event Dossier: Aws Vpc Flow Logs to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `aws` +* Product name: `aws-vpc-flow-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION = 'Block' then 2 WHEN ACTION = 'ACCEPT' then 1 WHEN ACTION is null then 0 ELSE 99 END::int::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION = 'Block' then 2 WHEN ACTION = 'ACCEPT' then 1 WHEN ACTION is null then 0 ELSE 99 END::int::NUMBER``` | +| activity_id | ```0::NUMBER``` | +| activity_name | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.user.account.uid | ```ACCOUNT_ID::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| cloud.region | ```REGION::VARCHAR``` | +| connection_info.direction | ```CASE (CASE FLOW_DIRECTION WHEN 'ingress' THEN 1::NUMBER WHEN 'egress' THEN 2::NUMBER ELSE 0::NUMBER END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```CASE FLOW_DIRECTION WHEN 'ingress' THEN 1::NUMBER WHEN 'egress' THEN 2::NUMBER ELSE 0::NUMBER END``` | +| connection_info.protocol_num | ```IANA_PROTOCOL_NUMBER::NUMBER``` | +| connection_info.protocol_ver | ```CASE (CASE TRAFFIC_TYPE WHEN 'IPv4' THEN 4::NUMBER WHEN 'IPv6' THEN 6 ELSE 0 END) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| 
connection_info.protocol_ver_id | ```CASE TRAFFIC_TYPE WHEN 'IPv4' THEN 4::NUMBER WHEN 'IPv6' THEN 6 ELSE 0 END``` | +| connection_info.tcp_flags | ```TCP_FLAGS::NUMBER``` | +| device.instance_uid | ```INSTANCE_ID::VARCHAR``` | +| device.interface_uid | ```INTERFACE_ID::VARCHAR``` | +| device.subnet_uid | ```SUBNET_ID::VARCHAR``` | +| device.vpc_uid | ```VPC_ID::VARCHAR``` | +| dst_endpoint.ip | ```DESTINATION_ADDRESS::VARCHAR``` | +| dst_endpoint.port | ```DESTINATION_PORT::VARCHAR``` | +| end_time | ```date_part('epoch_milliseconds', END_TIME::TIMESTAMP_LTZ)``` | +| end_time_dt | ```END_TIME::TIMESTAMP_LTZ``` | +| metadata.product.name | ```'aws-vpc-flow-logs'``` | +| metadata.product.vendor_name | ```'aws'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```1::NUMBER``` | +| src_endpoint.ip | ```SOURCE_ADDRESS::VARCHAR``` | +| src_endpoint.port | ```SOURCE_PORT::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', start_time::TIMESTAMP_LTZ)``` | +| time_dt | ```start_time::TIMESTAMP_LTZ``` | +| traffic.bytes_out | ```TOTAL_BYTES_TRANSFERRED::NUMBER``` | +| traffic.packets_out | ```TOTAL_PACKETS_TRANSFERRED::NUMBER``` | +| type_name | ```CASE (400100::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```400100::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ 
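Review bot: `action_id` in this hunk matches `ACTION = 'Block'` for the Denied (2) value but `'ACCEPT'` for Allowed (1); the two literals differ in casing and the comparison is case-sensitive, so a rejected flow lands in the `ELSE 99` (Other) branch rather than Denied. VPC flow logs emit `ACCEPT` and `REJECT`, so the Denied branch should read `WHEN ACTION = 'REJECT' then 2`, and `action` must be updated to match since it repeats the same inner CASE. Two smaller points: `src_endpoint.port` and `dst_endpoint.port` are cast `::VARCHAR` although every other numeric field in the table (`TCP_FLAGS`, `IANA_PROTOCOL_NUMBER`) is `::NUMBER` and OCSF ports are integers; and `activity_id` is hard-coded to `0` (Unknown) even though the `activity_name` lookup on the next row lists `6` as `'Traffic'`, which is what a flow record is.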
diff --git a/mappings/markdown/AWS/1.1.0/aws-waf/http_activity/README.md b/mappings/markdown/AWS/1.1.0/aws-waf/http_activity/README.md new file mode 100644 index 00000000..b0a23185 --- /dev/null +++ b/mappings/markdown/AWS/1.1.0/aws-waf/http_activity/README.md 
@@ -0,0 +1,54 @@ +# Event Dossier: Aws Waf to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `aws` +* Product name: `aws-waf` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION = 'ALLOW' THEN 1 WHEN ACTION = 'BLOCK' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION = 'ALLOW' THEN 1 WHEN ACTION = 'BLOCK' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN HTTP_REQUEST_HTTP_METHOD = 'CONNECT' THEN 1 WHEN HTTP_REQUEST_HTTP_METHOD = 'DELETE' THEN 2 WHEN HTTP_REQUEST_HTTP_METHOD = 'GET' THEN 3 WHEN HTTP_REQUEST_HTTP_METHOD = 'HEAD' THEN 4 WHEN HTTP_REQUEST_HTTP_METHOD = 'OPTIONS' THEN 5 WHEN HTTP_REQUEST_HTTP_METHOD = 'POST' THEN 6 WHEN HTTP_REQUEST_HTTP_METHOD = 'PUT' THEN 7 WHEN HTTP_REQUEST_HTTP_METHOD = 'TRACE' THEN 8 WHEN HTTP_REQUEST_HTTP_METHOD = NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN HTTP_REQUEST_HTTP_METHOD = 'CONNECT' THEN 1 WHEN HTTP_REQUEST_HTTP_METHOD = 'DELETE' THEN 2 WHEN HTTP_REQUEST_HTTP_METHOD = 'GET' THEN 3 WHEN HTTP_REQUEST_HTTP_METHOD = 'HEAD' THEN 4 WHEN HTTP_REQUEST_HTTP_METHOD = 'OPTIONS' THEN 5 WHEN HTTP_REQUEST_HTTP_METHOD = 'POST' THEN 6 WHEN HTTP_REQUEST_HTTP_METHOD = 'PUT' THEN 7 WHEN HTTP_REQUEST_HTTP_METHOD = 'TRACE' THEN 8 WHEN HTTP_REQUEST_HTTP_METHOD = NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| cloud.provider | ```'AWS'::VARCHAR``` | +| connection_info.boundary | ```CASE 
(5::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Localhost' WHEN 10 THEN 'Gateway VPC' WHEN 11 THEN 'Internet Gateway' WHEN 2 THEN 'Internal' WHEN 3 THEN 'External' WHEN 4 THEN 'Same VPC' WHEN 5 THEN 'Internet/VPC Gateway' WHEN 6 THEN 'Virtual Private Gateway' WHEN 7 THEN 'Intra-region VPC' WHEN 8 THEN 'Inter-region VPC' WHEN 9 THEN 'Local Gateway' WHEN 99 THEN 'Other' END``` | +| connection_info.boundary_id | ```5::NUMBER``` | +| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```1::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(HTTP_REQUEST_CLIENT_IP, 'INET'):family::NUMBER::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(HTTP_REQUEST_CLIENT_IP, 'INET'):family::NUMBER::NUMBER``` | +| connection_info.uid | ```HTTP_REQUEST_REQUEST_ID::VARCHAR``` | +| dst_endpoint.hostname | ```HTTP_REQUEST_HEADERS:host::VARCHAR``` | +| firewall_rule.match_details | ```TERMINATING_RULE_MATCH_DETAILS::VARCHAR``` | +| firewall_rule.rate_limit | ```RATE_BASED_RULE_LIST[0]:maxRateAllowed::NUMBER``` | +| firewall_rule.type | ```TERMINATING_RULE_TYPE::VARCHAR``` | +| firewall_rule.uid | ```TERMINATING_RULE_ID::VARCHAR``` | +| http_cookies.value | ```HTTP_REQUEST_HEADERS:cookie::VARCHAR``` | +| http_request.args | ```HTTP_REQUEST_ARGS::VARCHAR``` | +| http_request.http_method | ```CASE WHEN HTTP_REQUEST_HTTP_METHOD = 'CONNECT' THEN 'CONNECT' WHEN HTTP_REQUEST_HTTP_METHOD = 'DELETE' THEN 'DELETE' WHEN HTTP_REQUEST_HTTP_METHOD = 'GET' THEN 'GET' WHEN HTTP_REQUEST_HTTP_METHOD = 'HEAD' THEN 'HEAD' WHEN HTTP_REQUEST_HTTP_METHOD = 'OPTIONS' THEN 'OPTIONS' WHEN HTTP_REQUEST_HTTP_METHOD = 'POST' THEN 'POST' WHEN HTTP_REQUEST_HTTP_METHOD = 'PUT' THEN 'PUT' WHEN 
HTTP_REQUEST_HTTP_METHOD = 'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` | +| http_request.referrer | ```HTTP_REQUEST_HEADERS:referer::VARCHAR``` | +| http_request.uid | ```HTTP_REQUEST_REQUEST_ID::VARCHAR``` | +| http_request.url.hostname | ```HTTP_REQUEST_HEADERS:host::VARCHAR``` | +| http_request.url.path | ```HTTP_REQUEST_URI::VARCHAR``` | +| http_request.url.query_string | ```HTTP_REQUEST_ARGS::VARCHAR``` | +| http_request.user_agent | ```HTTP_REQUEST_HEADERS:"user-agent"::VARCHAR``` | +| http_request.version | ```HTTP_REQUEST_HTTP_VERSION::VARCHAR``` | +| metadata.product.name | ```'aws-waf'``` | +| metadata.product.vendor_name | ```'aws'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```HTTP_REQUEST_CLIENT_IP::VARCHAR``` | +| src_endpoint.location.country | ```HTTP_REQUEST_COUNTRY::VARCHAR``` | +| src_endpoint.name | ```HTTP_SOURCE_NAME::VARCHAR``` | +| src_endpoint.uid | ```HTTP_SOURCE_ID::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/AWS/1.1.0/route53-resolver-query-logs/dns_activity/README.md b/mappings/markdown/AWS/1.1.0/route53-resolver-query-logs/dns_activity/README.md new file mode 100644 index 00000000..4295c1f2 --- /dev/null +++ b/mappings/markdown/AWS/1.1.0/route53-resolver-query-logs/dns_activity/README.md 
@@ -0,0 +1,47 @@ +# Event Dossier: Route53 Resolver Query Logs to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `aws` +* Product name: `route53-resolver-query-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| answers | ```RAW:answers::ARRAY``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| cloud.account.uid | ```ACCOUNT_ID::VARCHAR``` | +| cloud.region | ```REGION::VARCHAR``` | +| connection_info.protocol_name | ```LOWER(TRANSPORT)::VARCHAR``` | +| connection_info.protocol_num | ```CASE WHEN TRANSPORT = 'TCP' THEN 6 WHEN TRANSPORT = 'UDP' THEN 17 ELSE -1 END::NUMBER``` | +| disposition | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | 
```99::NUMBER``` | +| firewall_rule.name | ```FIREWALL_RULE_ACTION::VARCHAR``` | +| metadata.product.name | ```'route53-resolver-query-logs'``` | +| metadata.product.vendor_name | ```'aws'``` | +| metadata.version | ```'1.1.0'``` | +| query.class | ```QUERY_CLASS::VARCHAR``` | +| query.hostname | ```QUERY_NAME::VARCHAR``` | +| query.type | ```QUERY_TYPE::VARCHAR``` | +| rcode | ```CASE (CASE WHEN RETURN_CODE = 'NOERROR' THEN 0 WHEN RETURN_CODE = 'SERVFAIL' THEN 2 WHEN RETURN_CODE = 'NXDOMAIN' THEN 3 ELSE 99 END::NUMBER) WHEN 0 THEN 'NoError' WHEN 1 THEN 'FormError' WHEN 10 THEN 'NotZone' WHEN 11 THEN 'DSOTYPENI' WHEN 16 THEN 'BADSIG_VERS' WHEN 17 THEN 'BADKEY' WHEN 18 THEN 'BADTIME' WHEN 19 THEN 'BADMODE' WHEN 2 THEN 'ServError' WHEN 20 THEN 'BADNAME' WHEN 21 THEN 'BADALG' WHEN 22 THEN 'BADTRUNC' WHEN 23 THEN 'BADCOOKIE' WHEN 24 THEN 'Unassigned' WHEN 25 THEN 'Reserved' WHEN 3 THEN 'NXDomain' WHEN 4 THEN 'NotImp' WHEN 5 THEN 'Refused' WHEN 6 THEN 'YXDomain' WHEN 7 THEN 'YXRRSet' WHEN 8 THEN 'NXRRSet' WHEN 9 THEN 'NotAuth' WHEN 99 THEN 'Other' END``` | +| rcode_id | ```CASE WHEN RETURN_CODE = 'NOERROR' THEN 0 WHEN RETURN_CODE = 'SERVFAIL' THEN 2 WHEN RETURN_CODE = 'NXDOMAIN' THEN 3 ELSE 99 END::NUMBER``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.instance_uid | ```SOURCE_IDS_INSTANCE_ID::VARCHAR``` | +| src_endpoint.ip | ```SOURCE_ADDRESS::VARCHAR``` | +| src_endpoint.port | ```SOURCE_PORT::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', query_timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```query_timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (400301::NUMBER) WHEN 400300 THEN 'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 THEN 'DNS Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' WHEN 400399 
THEN 'DNS Activity: Other' END``` | +| type_uid | ```400301::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Alibaba Cloud/1.1.0/alibaba-actiontrail/authentication/README.md b/mappings/markdown/Alibaba Cloud/1.1.0/alibaba-actiontrail/authentication/README.md new file mode 100644 index 00000000..f01e6465 --- /dev/null +++ b/mappings/markdown/Alibaba Cloud/1.1.0/alibaba-actiontrail/authentication/README.md 
@@ -0,0 +1,63 @@ +# Event Dossier: Alibaba Actiontrail to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `alibaba` +* Product name: `alibaba-actiontrail` +* Event codes: `EVENT_NAME = 'ConsoleSignin'` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| actor.user.account.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | +| api.response.error | ```ERROR_CODE::VARCHAR``` | +| api.response.error_message | ```ERROR_MESSAGE::VARCHAR``` | +| auth_protocol | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'NTLM' WHEN 10 THEN 'RADIUS' WHEN 2 THEN 'Kerberos' WHEN 3 THEN 'Digest' WHEN 4 THEN 'OpenID' WHEN 5 THEN 'SAML' WHEN 6 THEN 'OAUTH 2.0' WHEN 7 THEN 'PAP' WHEN 8 THEN 'CHAP' WHEN 9 THEN 'EAP' WHEN 99 THEN 'Other' END``` | +| auth_protocol_id | ```0::NUMBER``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| cloud.provider | ```'Alibaba'::VARCHAR``` | +| cloud.region | ```ACS_REGION::VARCHAR``` | +| dst_endpoint.hostname | ```EVENT_SOURCE::VARCHAR``` | +| enrichments.name | ```EVENT_NAME::VARCHAR``` | +| http_request.length | ```REQUEST_PARAMETERS_LENGTH::NUMBER``` | +| http_request.uid | ```REQUEST_ID::VARCHAR``` | +| http_request.url.query_string | ```SPLIT_PART(ADDITIONAL_EVENT_DATA:callbackUrl, '?', 2)::VARCHAR``` | +| http_request.url.scheme | ```REGEXP_SUBSTR(ADDITIONAL_EVENT_DATA:callbackUrl, '^([a-zA-Z]+)')::VARCHAR``` | +| http_request.url.url_string | ```ADDITIONAL_EVENT_DATA:callbackUrl::VARCHAR``` | +| 
http_request.user_agent | ```USER_AGENT::VARCHAR``` | +| is_cleartext | ```IFF(REGEXP_SUBSTR(ADDITIONAL_EVENT_DATA:callbackUrl, '^([a-zA-Z]+)') != 'https', 'true', 'false')::BOOLEAN``` | +| is_mfa | ```USER_IDENTITY_SESSION_CONTEXT_ATTRIBUTES:mfaAuthenticated::BOOLEAN``` | +| logon_type | ```CASE (3::NUMBER) WHEN 0 THEN 'System' WHEN 10 THEN 'Remote Interactive' WHEN 11 THEN 'Cached Interactive' WHEN 12 THEN 'Cached Remote Interactive' WHEN 13 THEN 'Cached Unlock' WHEN 2 THEN 'Interactive' WHEN 3 THEN 'Network' WHEN 4 THEN 'Batch' WHEN 5 THEN 'OS Service' WHEN 7 THEN 'Unlock' WHEN 8 THEN 'Network Cleartext' WHEN 9 THEN 'New Credentials' WHEN 99 THEN 'Other' END``` | +| logon_type_id | ```3::NUMBER``` | +| metadata.event_code | ```event_type``` | +| metadata.product.name | ```'alibaba-actiontrail'``` | +| metadata.product.vendor_name | ```'alibaba'``` | +| metadata.version | ```'1.1.0'``` | +| service.name | ```SERVICE_NAME::VARCHAR``` | +| service.version | ```EVENT_VERSION::VARCHAR``` | +| session.is_mfa | ```ADDITIONAL_EVENT_DATA:mfaChecked::BOOLEAN``` | +| session.uid | ```EVENT_ID::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```SOURCE_IP_ADDRESS::VARCHAR``` | +| src_endpoint.vpc_uid | ```REQUEST_PARAMETERS_CLIENT_VPC_ID::VARCHAR``` | +| status | ```CASE (CASE WHEN COALESCE(ERROR_CODE, ERROR_MESSAGE) IS NULL THEN 1 WHEN COALESCE(ERROR_CODE, ERROR_MESSAGE) IS NOT NULL THEN 2 WHEN ERROR_CODE IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN COALESCE(ERROR_CODE, ERROR_MESSAGE) IS NULL THEN 1 WHEN COALESCE(ERROR_CODE, ERROR_MESSAGE) IS NOT NULL THEN 2 WHEN ERROR_CODE IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | 
```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (300201::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```300201::NUMBER``` | +| user.account.uid | ```USER_IDENTITY_ACCOUNT_ID::VARCHAR``` | +| user.credential_uid | ```USER_IDENTITY_ACCESS_KEY_ID::VARCHAR``` | +| user.name | ```USER_IDENTITY_USER_NAME::VARCHAR``` | +| user.type | ```CASE (CASE WHEN USER_IDENTITY_TYPE = 'ram-user' THEN 1 WHEN USER_IDENTITY_TYPE = 'root-account' THEN 2 WHEN USER_IDENTITY_TYPE = 'system' THEN 3 WHEN USER_IDENTITY_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'User' WHEN 2 THEN 'Admin' WHEN 3 THEN 'System' WHEN 99 THEN 'Other' END``` | +| user.type_id | ```CASE WHEN USER_IDENTITY_TYPE = 'ram-user' THEN 1 WHEN USER_IDENTITY_TYPE = 'root-account' THEN 2 WHEN USER_IDENTITY_TYPE = 'system' THEN 3 WHEN USER_IDENTITY_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| user.uid_alt | ```USER_IDENTITY_PRINCIPAL_ID::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Alibaba Cloud/1.1.0/alibaba-slb-logs/http_activity/README.md b/mappings/markdown/Alibaba Cloud/1.1.0/alibaba-slb-logs/http_activity/README.md new file mode 100644 index 00000000..4ebd9e3a --- /dev/null +++ b/mappings/markdown/Alibaba Cloud/1.1.0/alibaba-slb-logs/http_activity/README.md 
@@ -0,0 +1,59 @@ +# Event Dossier: Alibaba Slb Logs to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `alibaba` +* Product name: `alibaba-slb-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```0::NUMBER``` | +| activity_id | ```CASE WHEN REQUEST_METHOD = 'UNKNOWN' THEN 0 WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN REQUEST_METHOD = 'UNKNOWN' THEN 0 WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```1::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(CLIENT_IP, 'INET'):family::NUMBER) WHEN 0 THEN 
'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(CLIENT_IP, 'INET'):family::NUMBER``` | +| dst_endpoint.ip | ```VIP_ADDR::VARCHAR``` | +| dst_endpoint.port | ```SLB_VPORT::VARCHAR``` | +| duration | ```TCPINFO_RTT::NUMBER``` | +| http_request.http_method | ```CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 'CONNECT' WHEN REQUEST_METHOD = 'DELETE' THEN 'DELETE' WHEN REQUEST_METHOD = 'GET' THEN 'GET' WHEN REQUEST_METHOD = 'HEAD' THEN 'HEAD' WHEN REQUEST_METHOD = 'OPTIONS' THEN 'OPTIONS' WHEN REQUEST_METHOD = 'POST' THEN 'POST' WHEN REQUEST_METHOD = 'PUT' THEN 'PUT' WHEN REQUEST_METHOD = 'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` | +| http_request.length | ```REQUEST_LENGTH::NUMBER``` | +| http_request.referrer | ```HTTP_REFERER::VARCHAR``` | +| http_request.url.hostname | ```HTTP_HOST::VARCHAR``` | +| http_request.url.path | ```REQUEST_URI::VARCHAR``` | +| http_request.url.scheme | ```SCHEME::VARCHAR``` | +| http_request.user_agent | ```HTTP_USER_AGENT::VARCHAR``` | +| http_request.version | ```SERVER_PROTOCOL::VARCHAR``` | +| http_request.x_forwarded_for | ```HTTP_X_FORWARDED_FOR::VARCHAR``` | +| http_response.code | ```STATUS::NUMBER``` | +| load_balancer.code | ```UPSTREAM_STATUS::NUMBER``` | +| load_balancer.uid | ```SLBID::VARCHAR``` | +| metadata.product.name | ```'alibaba-slb-logs'``` | +| metadata.product.vendor_name | ```'alibaba'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```CLIENT_IP::VARCHAR``` | +| src_endpoint.port | ```CLIENT_PORT::VARCHAR``` | +| status | ```CASE (CASE WHEN STATUS ILIKE '2%%' THEN 1 WHEN STATUS ILIKE '3%%' THEN 2 WHEN STATUS ILIKE 
'4%%' THEN 2 WHEN STATUS ILIKE '5%%' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN STATUS ILIKE '2%%' THEN 1 WHEN STATUS ILIKE '3%%' THEN 2 WHEN STATUS ILIKE '4%%' THEN 2 WHEN STATUS ILIKE '5%%' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', time::TIMESTAMP_LTZ)``` | +| time_dt | ```time::TIMESTAMP_LTZ``` | +| tls.cipher | ```SSL_CIPHER::VARCHAR``` | +| tls.version | ```SSL_PROTOCOL::VARCHAR``` | +| traffic.bytes | ```(COALESCE(REQUEST_LENGTH, 0) + COALESCE(BODY_BYTES_SENT, 0))::NUMBER``` | +| traffic.bytes_in | ```REQUEST_LENGTH::NUMBER``` | +| traffic.bytes_out | ```BODY_BYTES_SENT::NUMBER``` | +| type_name | ```CASE (CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 400201 WHEN REQUEST_METHOD = 'DELETE' THEN 400202 WHEN REQUEST_METHOD = 'GET' THEN 400203 WHEN REQUEST_METHOD = 'HEAD' THEN 400204 WHEN REQUEST_METHOD = 'OPTIONS' THEN 400205 WHEN REQUEST_METHOD = 'POST' THEN 400206 WHEN REQUEST_METHOD = 'PUT' THEN 400207 WHEN REQUEST_METHOD = 'TRACE' THEN 400208 WHEN REQUEST_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 400201 WHEN REQUEST_METHOD = 'DELETE' THEN 400202 WHEN REQUEST_METHOD = 'GET' THEN 400203 WHEN REQUEST_METHOD = 'HEAD' THEN 400204 WHEN REQUEST_METHOD = 'OPTIONS' THEN 400205 WHEN REQUEST_METHOD = 'POST' THEN 400206 WHEN REQUEST_METHOD = 'PUT' THEN 400207 WHEN REQUEST_METHOD = 'TRACE' THEN 400208 WHEN REQUEST_METHOD IS NULL THEN 400200 ELSE 400299 
END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Alibaba Cloud/1.1.0/alibaba-waf/http_activity/README.md b/mappings/markdown/Alibaba Cloud/1.1.0/alibaba-waf/http_activity/README.md new file mode 100644 index 00000000..17de0020 --- /dev/null +++ b/mappings/markdown/Alibaba Cloud/1.1.0/alibaba-waf/http_activity/README.md 
@@ -0,0 +1,62 @@ +# Event Dossier: Alibaba Waf to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `alibaba` +* Product name: `alibaba-waf` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN RAW:final_action::VARCHAR IS NULL THEN 1 WHEN RAW:final_action::VARCHAR = 'Block' THEN 2 ELSE 99 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN RAW:final_action::VARCHAR IS NULL THEN 1 WHEN RAW:final_action::VARCHAR = 'Block' THEN 2 ELSE 99 END``` | +| activity_id | ```CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 WHEN REQUEST_METHOD IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 WHEN REQUEST_METHOD IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| actor.user.uid | ```USER_ID::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| cloud.provider | ```'Alibaba'::VARCHAR``` | +| cloud.region | ```REGION::VARCHAR``` | +| 
connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```1::NUMBER``` | +| disposition | ```CASE (CASE WHEN RAW:final_action IS NULL THEN 1 WHEN RAW:final_action = 'Block' THEN 2 ELSE 99 END :: NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```CASE WHEN RAW:final_action IS NULL THEN 1 WHEN RAW:final_action = 'Block' THEN 2 ELSE 99 END :: NUMBER``` | +| dst_endpoint.hostname | ```HOST::VARCHAR``` | +| dst_endpoint.ip | ```REMOTE_ADDR::VARCHAR``` | +| dst_endpoint.port | ```REMOTE_PORT::VARCHAR``` | +| duration | ```REQUEST_TIME_MSEC::NUMBER``` | +| http_cookies.value | ```HTTP_COOKIE::VARCHAR``` | +| http_request.http_method | ```REQUEST_METHOD::VARCHAR``` | +| http_request.length | ```REQUEST_LENGTH::NUMBER``` | +| http_request.referrer | ```HTTP_REFERER::VARCHAR``` | +| http_request.url.hostname | ```HOST::VARCHAR``` | +| http_request.url.path | ```REQUEST_PATH::VARCHAR``` | +| http_request.url.query_string | ```QUERYSTRING::VARCHAR``` | +| http_request.url.scheme | ```SERVER_PROTOCOL::VARCHAR``` | +| http_request.user_agent | ```HTTP_USER_AGENT::VARCHAR``` | +| http_request.version | ```SERVER_PROTOCOL::VARCHAR``` | +| 
http_request.x_forwarded_for | ```HTTP_X_FORWARDED_FOR::VARCHAR``` | +| http_response.status | ```STATUS::VARCHAR``` | +| metadata.product.name | ```'alibaba-waf'``` | +| metadata.product.vendor_name | ```'alibaba'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```REAL_CLIENT_IP::VARCHAR``` | +| start_time | ```date_part('epoch_milliseconds', TIME::TIMESTAMP_LTZ)``` | +| start_time_dt | ```TIME::TIMESTAMP_LTZ``` | +| status | ```CASE (CASE WHEN STATUS ILIKE '2%%' THEN 1 WHEN STATUS ILIKE '4%%' THEN 2 WHEN STATUS ILIKE '5%%' THEN 2 ELSE 99 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN STATUS ILIKE '2%%' THEN 1 WHEN STATUS ILIKE '4%%' THEN 2 WHEN STATUS ILIKE '5%%' THEN 2 ELSE 99 END``` | +| time | ```date_part('epoch_milliseconds', time::TIMESTAMP_LTZ)``` | +| time_dt | ```time::TIMESTAMP_LTZ``` | +| tls.cipher | ```SSL_CIPHER::VARCHAR``` | +| tls.version | ```SSL_PROTOCOL::VARCHAR``` | +| traffic.bytes_out | ```BODY_BYTES_SENT::NUMBER``` | +| type_name | ```CASE (CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 400201 WHEN REQUEST_METHOD = 'DELETE' THEN 400202 WHEN REQUEST_METHOD = 'GET' THEN 400203 WHEN REQUEST_METHOD = 'HEAD' THEN 400204 WHEN REQUEST_METHOD = 'OPTIONS' THEN 400205 WHEN REQUEST_METHOD = 'POST' THEN 400206 WHEN REQUEST_METHOD = 'PUT' THEN 400207 WHEN REQUEST_METHOD = 'TRACE' THEN 400208 WHEN REQUEST_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP 
Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 400201 WHEN REQUEST_METHOD = 'DELETE' THEN 400202 WHEN REQUEST_METHOD = 'GET' THEN 400203 WHEN REQUEST_METHOD = 'HEAD' THEN 400204 WHEN REQUEST_METHOD = 'OPTIONS' THEN 400205 WHEN REQUEST_METHOD = 'POST' THEN 400206 WHEN REQUEST_METHOD = 'PUT' THEN 400207 WHEN REQUEST_METHOD = 'TRACE' THEN 400208 WHEN REQUEST_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Axis/1.1.0/axis-activity-logs/dns_activity/README.md b/mappings/markdown/Axis/1.1.0/axis-activity-logs/dns_activity/README.md new file mode 100644 index 00000000..ad856dfc --- /dev/null +++ b/mappings/markdown/Axis/1.1.0/axis-activity-logs/dns_activity/README.md 
@@ -0,0 +1,42 @@ +# Event Dossier: Axis Activity Logs to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `axis` +* Product name: `axis-activity-logs` +* Event codes: `EVENT_TYPE = 'DnsRequest'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN IS_BLOCKED='FALSE' THEN 1 WHEN IS_BLOCKED='TRUE' THEN 2 WHEN IS_BLOCKED IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN IS_BLOCKED='FALSE' THEN 1 WHEN IS_BLOCKED='TRUE' THEN 2 WHEN IS_BLOCKED IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```2::NUMBER``` | +| activity_name | ```CASE (2::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.user.email_addr | ```USER_EMAIL::VARCHAR``` | +| actor.user.name | ```USERNAME::VARCHAR``` | +| actor.user.org.name | ```ORGANIZATION_NAME::VARCHAR``` | +| actor.user.org.uid | ```ORGANIZATION_ID::VARCHAR``` | +| actor.user.uid | ```USER_ID::VARCHAR``` | +| app_name | ```APP_NAME::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| cloud.provider | ```IDENTITY_PROVIDER_NAME::VARCHAR``` | +| device.os.name | ```OPERATING_SYSTEM::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN OPERATING_SYSTEM='Windows' THEN 100 WHEN OPERATING_SYSTEM='Windows Mobile' THEN 101 WHEN OPERATING_SYSTEM='Linux' THEN 200 WHEN OPERATING_SYSTEM='Android' THEN 201 WHEN OPERATING_SYSTEM='Mac OS X' THEN 300 WHEN OPERATING_SYSTEM='iOS' THEN 301 WHEN OPERATING_SYSTEM='iPadOS' THEN 302 WHEN OPERATING_SYSTEM='Solaris' THEN 400 WHEN OPERATING_SYSTEM='AIX' THEN 401 WHEN OPERATING_SYSTEM='HP-UX' THEN 402 WHEN OPERATING_SYSTEM 
IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN OPERATING_SYSTEM='Windows' THEN 100 WHEN OPERATING_SYSTEM='Windows Mobile' THEN 101 WHEN OPERATING_SYSTEM='Linux' THEN 200 WHEN OPERATING_SYSTEM='Android' THEN 201 WHEN OPERATING_SYSTEM='Mac OS X' THEN 300 WHEN OPERATING_SYSTEM='iOS' THEN 301 WHEN OPERATING_SYSTEM='iPadOS' THEN 302 WHEN OPERATING_SYSTEM='Solaris' THEN 400 WHEN OPERATING_SYSTEM='AIX' THEN 401 WHEN OPERATING_SYSTEM='HP-UX' THEN 402 WHEN OPERATING_SYSTEM IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| firewall_rule.name | ```RULE_NAME::VARCHAR``` | +| firewall_rule.uid | ```RULE_ID::VARCHAR``` | +| metadata.product.name | ```'axis-activity-logs'``` | +| metadata.product.vendor_name | ```'axis'``` | +| metadata.version | ```'1.1.0'``` | +| query.hostname | ```HOST_NAME::VARCHAR``` | +| src_endpoint.ip | ```SOURCE_IP::VARCHAR``` | +| src_endpoint.location.country | ```GEOLOCATION::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Beyondtrust/1.1.0/beyondtrust-events/process_activity/README.md b/mappings/markdown/Beyondtrust/1.1.0/beyondtrust-events/process_activity/README.md new file mode 100644 index 00000000..ef47e090 --- /dev/null +++ b/mappings/markdown/Beyondtrust/1.1.0/beyondtrust-events/process_activity/README.md 
@@ -0,0 +1,90 @@ +# Event Dossier: Beyondtrust Events to OCSF class Process Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `process_activity` +* Vendor name: `beyondtrust` +* Product name: `beyondtrust-events` +* Event codes: `EVENT_ACTION IN ('process-start-no-change', 'process-start-add-admin', 'process-start-cancelled-by-user', 'process-start-add-admin-on-demand', 'process-start-blocked', 'process-start-allowed')` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN EVENT_ACTION is NULL AND EVENT_TYPE is NULL THEN 0 WHEN EVENT_ACTION = 'process-start-allowed' OR EVENT_TYPE[0] = 'allowed' THEN 1 WHEN EVENT_ACTION = 'process-start-blocked' OR EVENT_TYPE[0] = 'denied' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN EVENT_ACTION is NULL AND EVENT_TYPE is NULL THEN 0 WHEN EVENT_ACTION = 'process-start-allowed' OR EVENT_TYPE[0] = 'allowed' THEN 1 WHEN EVENT_ACTION = 'process-start-blocked' OR EVENT_TYPE[0] = 'denied' THEN 2 ELSE 99 END::NUMBER``` | +| activity_id | ```99::NUMBER``` | +| activity_name | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Launch' WHEN 2 THEN 'Terminate' WHEN 3 THEN 'Open' WHEN 4 THEN 'Inject' WHEN 5 THEN 'Set User ID' WHEN 99 THEN 'Other' END``` | +| actor.process.file.created_time | ```date_part('epoch_milliseconds', FILE:created::TIMESTAMP_LTZ)``` | +| actor.process.file.created_time_dt | ```FILE:created::TIMESTAMP_LTZ``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (IFF(FILE:hash:sha256 is NULL, IFF(FILE:hash:md5 is NULL, IFF(FILE:hash:sha1 is NULL, 0, 2), 1) , 3)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 
'algorithm_id', IFF(FILE:hash:sha256 is NULL, IFF(FILE:hash:md5 is NULL, IFF(FILE:hash:sha1 is NULL, 0, 2), 1) , 3)::NUMBER, 'value', COALESCE(FILE:hash:sha256, COALESCE(FILE:hash:md5, COALESCE(FILE:hash:sha1, NULL)))::VARCHAR))``` | +| actor.process.file.name | ```FILE:name::VARCHAR``` | +| actor.process.file.owner.domain | ```FILE:Owner:DomainName::VARCHAR``` | +| actor.process.file.owner.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('name', FILE:group::VARCHAR, 'uid', FILE:gid::VARCHAR))``` | +| actor.process.file.owner.name | ```FILE:Owner:Name::VARCHAR``` | +| actor.process.file.parent_folder | ```FILE:directory::VARCHAR``` | +| actor.process.file.path | ```FILE:path::VARCHAR``` | +| actor.process.file.product.name | ```FILE:pe:product::VARCHAR``` | +| actor.process.file.product.version | ```FILE:pe:file_version::VARCHAR``` | +| actor.process.file.signature.certificate.subject | ```FILE:code_signature:subject_name::VARCHAR``` | +| actor.process.file.uid | ```FILE:uid::VARCHAR``` | +| actor.user.domain | ```USER:domain::VARCHAR``` | +| actor.user.name | ```USER:name::VARCHAR``` | +| actor.user.uid | ```USER:id::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'process_activity'``` | +| class_uid | ```1007``` | +| device.domain | ```HOST:domain::VARCHAR``` | +| device.hostname | ```HOST:hostname::VARCHAR``` | +| device.ip | ```HOST:ip[0]::VARCHAR``` | +| device.mac | ```HOST:mac[0]::VARCHAR``` | +| device.name | ```AGENT_NAME::VARCHAR``` | +| device.os.cpu_bits | ```CASE WHEN HOST:architecture = 'x64' THEN 64 WHEN HOST:architecture = 'x32' THEN 32 ELSE NULL END::NUMBER``` | +| device.os.name | ```HOST:os:name::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN HOST:os:type = 'windows' THEN 100 WHEN HOST:os:type = 'macos' THEN 300 WHEN HOST:os:type is NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows 
Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN HOST:os:type = 'windows' THEN 100 WHEN HOST:os:type = 'macos' THEN 300 WHEN HOST:os:type is NULL THEN 0 ELSE 99 END::NUMBER``` | +| device.os.version | ```HOST:os:version::VARCHAR``` | +| device.type | ```CASE (CASE WHEN HOST:ChassisType = 'Laptop' THEN 3 WHEN HOST:ChassisType = 'Desktop' THEN 2 WHEN HOST:ChassisType is NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| device.type_id | ```CASE WHEN HOST:ChassisType = 'Laptop' THEN 3 WHEN HOST:ChassisType = 'Desktop' THEN 2 WHEN HOST:ChassisType is NULL THEN 0 ELSE 99 END::NUMBER``` | +| device.uid | ```AGENT_ID::VARCHAR``` | +| end_time | ```date_part('epoch_milliseconds', EVENT_END::TIMESTAMP_LTZ)``` | +| end_time_dt | ```EVENT_END::TIMESTAMP_LTZ``` | +| message | ```EVENT_REASON::VARCHAR``` | +| metadata.product.name | ```'beyondtrust-events'``` | +| metadata.product.vendor_name | ```'beyondtrust'``` | +| metadata.version | ```'1.1.0'``` | +| process.cmd_line | ```PROCESS:command_line::VARCHAR``` | +| process.created_time | ```date_part('epoch_milliseconds', PROCESS:start::TIMESTAMP_LTZ)``` | +| process.created_time_dt | ```PROCESS:start::TIMESTAMP_LTZ``` | +| process.file.created_time | ```date_part('epoch_milliseconds', PROCESS:HostedFile:created::TIMESTAMP_LTZ)``` | +| process.file.created_time_dt | ```PROCESS:HostedFile:created::TIMESTAMP_LTZ``` | +| process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (IFF(PROCESS:HostedFile:hash IS NOT NULL, 
IFF(PROCESS:HostedFile:hash:sha256 is NULL, IFF(PROCESS:HostedFile:hash:md5 is NULL, IFF(PROCESS:HostedFile:hash:sha1 is NULL, 0, 2), 1) , 3), IFF(FILE:hash:sha256 is NULL, IFF(FILE:hash:md5 is NULL, IFF(FILE:hash:sha1 is NULL, 0, 2), 1) , 3))::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', IFF(PROCESS:HostedFile:hash IS NOT NULL, IFF(PROCESS:HostedFile:hash:sha256 is NULL, IFF(PROCESS:HostedFile:hash:md5 is NULL, IFF(PROCESS:HostedFile:hash:sha1 is NULL, 0, 2), 1) , 3), IFF(FILE:hash:sha256 is NULL, IFF(FILE:hash:md5 is NULL, IFF(FILE:hash:sha1 is NULL, 0, 2), 1) , 3))::NUMBER, 'value', IFF(PROCESS:HostedFile:hash IS NOT NULL, COALESCE(PROCESS:HostedFile:hash:sha256, COALESCE(PROCESS:HostedFile:hash:md5, COALESCE(PROCESS:HostedFile:hash:sha1, NULL))), COALESCE(FILE:hash:sha256, COALESCE(FILE:hash:md5, COALESCE(FILE:hash:sha1, NULL))))::VARCHAR))``` | +| process.file.name | ```COALESCE(PROCESS:HostedFile:name, FILE:name)::VARCHAR``` | +| process.file.owner.name | ```COALESCE(PROCESS:HostedFile:owner, FILE:Owner.Name)::VARCHAR``` | +| process.file.parent_folder | ```COALESCE(PROCESS:HostedFile:directory, FILE:directory)::VARCHAR``` | +| process.file.path | ```COALESCE(PROCESS:HostedFile:path, FILE:path)::VARCHAR``` | +| process.file.product.name | ```PROCESS:HostedFile:pe:product::VARCHAR``` | +| process.file.product.version | ```PROCESS:HostedFile:pe:file_version::VARCHAR``` | +| process.file.signature.certificate.subject | ```COALESCE(PROCESS:HostedFile:code_signature:subject_name, FILE:code_signature:subject_name)::VARCHAR``` | +| process.file.uid | ```COALESCE(PROCESS:HostedFile:uid, FILE:uid)::VARCHAR``` | +| process.file.version | ```COALESCE(PROCESS:HostedFile:ProductVersion, FILE:ProductVersion)::VARCHAR``` | +| process.name | ```PROCESS:name::VARCHAR``` | +| 
process.parent_process.cmd_line | ```PROCESS:parent:command_line::VARCHAR``` | +| process.parent_process.name | ```PROCESS:parent:name::VARCHAR``` | +| process.parent_process.pid | ```PROCESS:parent:pid::NUMBER``` | +| process.parent_process.uid | ```PROCESS:parent:entity_id::VARCHAR``` | +| process.pid | ```PROCESS:pid::NUMBER``` | +| process.uid | ```PROCESS:entity_id::VARCHAR``` | +| process.user.domain | ```PROCESS:user:domain::VARCHAR``` | +| process.user.name | ```PROCESS:user:name::VARCHAR``` | +| process.user.uid | ```PROCESS:user:id::VARCHAR``` | +| severity | ```CASE (IFF(EVENT_SEVERITY is NULL, 0, 99)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```IFF(EVENT_SEVERITY is NULL, 0, 99)::NUMBER``` | +| start_time | ```date_part('epoch_milliseconds', EVENT_START::TIMESTAMP_LTZ)``` | +| start_time_dt | ```EVENT_START::TIMESTAMP_LTZ``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (100799::NUMBER) WHEN 100700 THEN 'Process Activity: Unknown' WHEN 100701 THEN 'Process Activity: Launch' WHEN 100702 THEN 'Process Activity: Terminate' WHEN 100703 THEN 'Process Activity: Open' WHEN 100704 THEN 'Process Activity: Inject' WHEN 100705 THEN 'Process Activity: Set User ID' WHEN 100799 THEN 'Process Activity: Other' END``` | +| type_uid | ```100799::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Beyondtrust/1.1.0/beyondtrust-passwordsafe/authentication/README.md b/mappings/markdown/Beyondtrust/1.1.0/beyondtrust-passwordsafe/authentication/README.md new file mode 100644 index 00000000..2288a2ef --- /dev/null +++ b/mappings/markdown/Beyondtrust/1.1.0/beyondtrust-passwordsafe/authentication/README.md 
@@ -0,0 +1,48 @@ +# Event Dossier: Beyondtrust Passwordsafe to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `beyondtrust` +* Product name: `beyondtrust-passwordsafe` +* Event codes: `EVENT_NAME = 'Login'` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```CASE WHEN ACTION_TYPE = 'Login' THEN 1 WHEN ACTION_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN ACTION_TYPE = 'Login' THEN 1 WHEN ACTION_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| auth_protocol | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'NTLM' WHEN 10 THEN 'RADIUS' WHEN 2 THEN 'Kerberos' WHEN 3 THEN 'Digest' WHEN 4 THEN 'OpenID' WHEN 5 THEN 'SAML' WHEN 6 THEN 'OAUTH 2.0' WHEN 7 THEN 'PAP' WHEN 8 THEN 'CHAP' WHEN 9 THEN 'EAP' WHEN 99 THEN 'Other' END``` | +| auth_protocol_id | ```0::NUMBER``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| device.uid | ```AGENT_ID::VARCHAR``` | +| dst_endpoint.hostname | ```HOST_NAME::VARCHAR``` | +| dst_endpoint.ip | ```IP_ADDRESS::VARCHAR``` | +| logon_type | ```CASE (3::NUMBER) WHEN 0 THEN 'System' WHEN 10 THEN 'Remote Interactive' WHEN 11 THEN 'Cached Interactive' WHEN 12 THEN 'Cached Remote Interactive' WHEN 13 THEN 'Cached Unlock' WHEN 2 THEN 'Interactive' WHEN 3 THEN 'Network' WHEN 4 THEN 'Batch' WHEN 5 THEN 'OS Service' WHEN 7 THEN 'Unlock' WHEN 8 THEN 'Network Cleartext' WHEN 9 THEN 'New Credentials' WHEN 99 THEN 'Other' END``` | +| logon_type_id | ```3::NUMBER``` | +| message | ```MESSAGE::VARCHAR``` | +| 
metadata.event_code | ```EVENT_NAME``` | +| metadata.product.name | ```'beyondtrust-passwordsafe'``` | +| metadata.product.vendor_name | ```'beyondtrust'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.hostname | ```SOURCE_HOST::VARCHAR``` | +| src_endpoint.ip | ```SOURCE_IP::VARCHAR``` | +| status | ```CASE (CASE WHEN MESSAGE IS NULL THEN 1 WHEN MESSAGE IS NOT NULL THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_detail | ```COALESCE(CATEGORY, SYSTEM_NAME)::VARCHAR``` | +| status_id | ```CASE WHEN MESSAGE IS NULL THEN 1 WHEN MESSAGE IS NOT NULL THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', time::TIMESTAMP_LTZ)``` | +| time_dt | ```time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE WHEN ACTION_TYPE = 'Login' THEN 300201 WHEN ACTION_TYPE IS NULL THEN 300200 ELSE 300299 END::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```CASE WHEN ACTION_TYPE = 'Login' THEN 300201 WHEN ACTION_TYPE IS NULL THEN 300200 ELSE 300299 END::NUMBER``` | +| user.account.name | ```ACCOUNT_NAME::VARCHAR``` | +| user.account.uid | ```APP_USER_ID::VARCHAR``` | +| user.credential_uid | ```API_KEY::VARCHAR``` | +| user.name | ```USER_NAME::VARCHAR``` | +| user.uid | ```USER_ID::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ 
diff --git a/mappings/markdown/Bind/1.1.0/bind-dns-events/dns_activity/README.md b/mappings/markdown/Bind/1.1.0/bind-dns-events/dns_activity/README.md new file mode 100644 index 00000000..f530710e --- /dev/null +++ b/mappings/markdown/Bind/1.1.0/bind-dns-events/dns_activity/README.md 
@@ -0,0 +1,38 @@ +# Event Dossier: Bind Dns Events to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `bind` +* Product name: `bind-dns-events` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| dst_endpoint.ip | ```DESTINATION_IP::VARCHAR``` | +| metadata.product.name | ```'bind-dns-events'``` | +| metadata.product.vendor_name | ```'bind'``` | +| metadata.version | ```'1.1.0'``` | +| query.class | ```QUERY_CLASS::VARCHAR``` | +| query.hostname | ```QUERY_NAME::VARCHAR``` | +| query.type | ```QUERY_TYPE::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```CLIENT_IP::VARCHAR``` | +| src_endpoint.port | ```CLIENT_PORT::VARCHAR``` | +| src_endpoint.uid | ```CLIENT_OBJECT_IDENTIFIER::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```to_varchar(event_time::TIMESTAMP_LTZ, 'YYYY-MM-DD"T"HH24:MI:SS.FF3"Z"')``` | +| type_name | ```CASE (400301::NUMBER) WHEN 400300 THEN 'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 THEN 'DNS Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' 
WHEN 400399 THEN 'DNS Activity: Other' END``` | +| type_uid | ```400301::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Bind/1.1.0/bind-dns-logs/dns_activity/README.md b/mappings/markdown/Bind/1.1.0/bind-dns-logs/dns_activity/README.md new file mode 100644 index 00000000..7b03f17b --- /dev/null +++ b/mappings/markdown/Bind/1.1.0/bind-dns-logs/dns_activity/README.md 
@@ -0,0 +1,46 @@ +# Event Dossier: Bind Dns Logs to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `bind` +* Product name: `bind-dns-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN RAW:block IS NULL THEN 0 WHEN RAW:block = false THEN 1 WHEN RAW:block = true THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN RAW:block IS NULL THEN 0 WHEN RAW:block = false THEN 1 WHEN RAW:block = true THEN 2 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN RAW:event:action IS NULL THEN 0 WHEN RAW:event:action = 'dns_query' THEN 1 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN RAW:event:action IS NULL THEN 0 WHEN RAW:event:action = 'dns_query' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.process.pid | ```RAW:pid::NUMBER``` | +| answers | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT( 'flag_ids', ARRAY_CONSTRUCT(CASE WHEN HEADER_FLAGS[0] IS NULL THEN 0 WHEN HEADER_FLAGS[0] = 'AA' THEN 1 WHEN HEADER_FLAGS[0] = 'TC' THEN 2 WHEN HEADER_FLAGS[0] = 'RD' THEN 3 WHEN HEADER_FLAGS[0] = 'RA' THEN 4 WHEN HEADER_FLAGS[0] = 'AD' THEN 5 WHEN HEADER_FLAGS[0] = 'CD' THEN 6 ELSE 99 END), 'flags', ARRAY_CONSTRUCT(CASE (CASE WHEN HEADER_FLAGS[0] IS NULL THEN 0 WHEN HEADER_FLAGS[0] = 'AA' THEN 1 WHEN HEADER_FLAGS[0] = 'TC' THEN 2 WHEN HEADER_FLAGS[0] = 'RD' THEN 3 WHEN HEADER_FLAGS[0] = 'RA' THEN 4 WHEN HEADER_FLAGS[0] = 'AD' THEN 5 WHEN HEADER_FLAGS[0] = 'CD' THEN 6 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Authoritative Answer' WHEN 2 THEN 'Truncated Response' WHEN 3 THEN 'Recursion Desired' WHEN 4 THEN 'Recursion Available' WHEN 5 THEN 'Authentic Data' WHEN 6 THEN 'Checking Disabled' 
WHEN 99 THEN 'Other' END), 'ttl', RAW:answers[0]:ttl ))::ARRAY``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| connection_info.protocol_name | ```LOWER(NETWORK_PROTOCOL)::VARCHAR``` | +| connection_info.protocol_num | ```CASE WHEN NETWORK_PROTOCOL = 'TCP' THEN 6 WHEN NETWORK_PROTOCOL = 'UDP' THEN 17 ELSE -1 END::NUMBER``` | +| dst_endpoint.domain | ```RAW:dns:tld:domain::VARCHAR``` | +| dst_endpoint.hostname | ```RAW:host::VARCHAR``` | +| dst_endpoint.ip | ```DESTINATION_IP::VARCHAR``` | +| dst_endpoint.name | ```RAW:data_proc_endpoint::VARCHAR``` | +| dst_endpoint.port | ```DESTINATION_PORT::VARCHAR``` | +| dst_endpoint.uid | ```RAW:h_id::VARCHAR``` | +| metadata.product.name | ```'bind-dns-logs'``` | +| metadata.product.vendor_name | ```'bind'``` | +| metadata.version | ```'1.1.0'``` | +| query.hostname | ```QUERIED_ADDRESS::VARCHAR``` | +| query.type | ```RECORD_TYPE::VARCHAR``` | +| severity | ```CASE (CASE WHEN RAW:severityName IS NULL THEN 0 WHEN RAW:severityName = 'info' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN RAW:severityName IS NULL THEN 0 WHEN RAW:severityName = 'info' THEN 1 ELSE 99 END::NUMBER``` | +| src_endpoint.ip | ```SOURCE_IP::VARCHAR``` | +| src_endpoint.name | ```RAW:logsource::VARCHAR``` | +| src_endpoint.port | ```RAW:source:port::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((400300 + (CASE WHEN RAW:event:action IS NULL THEN 0 WHEN RAW:event:action = 'dns_query' THEN 1 ELSE 99 END))::NUMBER) WHEN 400300 THEN 'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 THEN 'DNS 
Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' WHEN 400399 THEN 'DNS Activity: Other' END``` | +| type_uid | ```(400300 + (CASE WHEN RAW:event:action IS NULL THEN 0 WHEN RAW:event:action = 'dns_query' THEN 1 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Carbon Black/1.1.0/cb-platform-devices/inventory_info/README.md b/mappings/markdown/Carbon Black/1.1.0/cb-platform-devices/inventory_info/README.md new file mode 100644 index 00000000..440ed35b --- /dev/null +++ b/mappings/markdown/Carbon Black/1.1.0/cb-platform-devices/inventory_info/README.md 
@@ -0,0 +1,56 @@ +# Event Dossier: Cb Platform Devices to OCSF class Inventory Info + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `inventory_info` +* Vendor name: `cb-defense` +* Product name: `cb-platform-devices` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```2::NUMBER``` | +| activity_name | ```CASE (2::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Log' WHEN 2 THEN 'Collect' WHEN 99 THEN 'Other' END``` | +| actor.user.email_addr | ```EMAIL::VARCHAR``` | +| actor.user.name | ```LOGIN_USER_NAME::VARCHAR``` | +| category_name | ```CASE (5::NUMBER) WHEN 5 THEN 'Discovery' END``` | +| category_uid | ```5::NUMBER``` | +| class_name | ```'inventory_info'``` | +| class_uid | ```5001``` | +| device.created_time | ```date_part('epoch_milliseconds', REGISTERED_TIME::TIMESTAMP_LTZ)``` | +| device.created_time_dt | ```REGISTERED_TIME::TIMESTAMP_LTZ``` | +| device.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('uid', AD_GROUP_ID::VARCHAR))``` | +| device.hostname | ```NAME::VARCHAR``` | +| device.hypervisor | ```VIRTUALIZATION_PROVIDER::VARCHAR``` | +| device.instance_uid | ```VM_UUID::VARCHAR``` | +| device.ip | ```LAST_EXTERNAL_IP_ADDRESS::VARCHAR``` | +| device.last_seen_time | ```date_part('epoch_milliseconds', LAST_CONTACT_TIME::TIMESTAMP_LTZ)``` | +| device.last_seen_time_dt | ```LAST_CONTACT_TIME::TIMESTAMP_LTZ``` | +| device.location.region | ```LAST_LOCATION::VARCHAR``` | +| device.mac | ```MAC_ADDRESS::VARCHAR``` | +| device.modified_time | ```date_part('epoch_milliseconds', COALESCE(LAST_DEVICE_POLICY_CHANGE_TIME, LAST_POLICY_UPDATED_TIME)::TIMESTAMP_LTZ)``` | +| device.modified_time_dt | ```COALESCE(LAST_DEVICE_POLICY_CHANGE_TIME, LAST_POLICY_UPDATED_TIME)::TIMESTAMP_LTZ``` | +| device.org.name | ```ORGANIZATION_NAME::VARCHAR``` | +| device.org.uid | ```ORGANIZATION_ID::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN OS IS NULL THEN 0 
WHEN OS = 'WINDOWS' THEN 100 WHEN OS = 'LINUX' THEN 200 WHEN OS = 'MAC' THEN 300 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN OS IS NULL THEN 0 WHEN OS = 'WINDOWS' THEN 100 WHEN OS = 'LINUX' THEN 200 WHEN OS = 'MAC' THEN 300 ELSE 99 END::NUMBER``` | +| device.os.version | ```OS_VERSION::VARCHAR``` | +| device.uid | ```ID::VARCHAR``` | +| end_time | ```date_part('epoch_milliseconds', SCAN_LAST_COMPLETE_TIME::TIMESTAMP_LTZ)``` | +| end_time_dt | ```SCAN_LAST_COMPLETE_TIME::TIMESTAMP_LTZ``` | +| metadata.product.name | ```'cb-platform-devices'``` | +| metadata.product.vendor_name | ```'cb-defense'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (CASE WHEN VULNERABILITY_SEVERITY IS NULL THEN 0 WHEN VULNERABILITY_SEVERITY = 'LOW' THEN 2 WHEN VULNERABILITY_SEVERITY = 'MODERATE' THEN 3 WHEN VULNERABILITY_SEVERITY = 'IMPORTANT' THEN 4 WHEN VULNERABILITY_SEVERITY = 'CRITICAL' THEN 5 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN VULNERABILITY_SEVERITY IS NULL THEN 0 WHEN VULNERABILITY_SEVERITY = 'LOW' THEN 2 WHEN VULNERABILITY_SEVERITY = 'MODERATE' THEN 3 WHEN VULNERABILITY_SEVERITY = 'IMPORTANT' THEN 4 WHEN VULNERABILITY_SEVERITY = 'CRITICAL' THEN 5 ELSE 99 END::NUMBER``` | +| start_time | ```date_part('epoch_milliseconds', SCAN_LAST_ACTION_TIME::TIMESTAMP_LTZ)``` | +| start_time_dt | ```SCAN_LAST_ACTION_TIME::TIMESTAMP_LTZ``` | +| status | ```CASE (CASE WHEN STATUS IS NULL THEN 0 WHEN STATUS IN ('REGISTERED', 'DEREGISTERED', 'BYPASS') THEN 1 WHEN STATUS IN ('PENDING') THEN 2 ELSE 99 
END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN STATUS IS NULL THEN 0 WHEN STATUS IN ('REGISTERED', 'DEREGISTERED', 'BYPASS') THEN 1 WHEN STATUS IN ('PENDING') THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', last_contact_time::TIMESTAMP_LTZ)``` | +| time_dt | ```last_contact_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (500102::NUMBER) WHEN 500100 THEN 'Device Inventory Info: Unknown' WHEN 500101 THEN 'Device Inventory Info: Log' WHEN 500102 THEN 'Device Inventory Info: Collect' WHEN 500199 THEN 'Device Inventory Info: Other' END``` | +| type_uid | ```500102::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/file_activity/README.md b/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/file_activity/README.md new file mode 100644 index 00000000..716f6948 --- /dev/null +++ b/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/file_activity/README.md 
@@ -0,0 +1,51 @@ +# Event Dossier: Cb Platform Events to OCSF class File Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `file_activity` +* Vendor name: `cb-defense` +* Product name: `cb-platform-events` +* Event codes: `TYPE LIKE '%file%'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```99::NUMBER``` | +| activity_name | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Create' WHEN 10 THEN 'Encrypt' WHEN 11 THEN 'Decrypt' WHEN 12 THEN 'Mount' WHEN 13 THEN 'Unmount' WHEN 14 THEN 'Open' WHEN 2 THEN 'Read' WHEN 3 THEN 'Update' WHEN 4 THEN 'Delete' WHEN 5 THEN 'Rename' WHEN 6 THEN 'Set Attributes' WHEN 7 THEN 'Set Security' WHEN 8 THEN 'Get Attributes' WHEN 9 THEN 'Get Security' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```PROCESS_CMDLINE::VARCHAR``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (3::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', 3::NUMBER, 'value', PROCESS_HASH_SHA256::VARCHAR))``` | +| actor.process.file.owner.org.uid | ```ORG_KEY::VARCHAR``` | +| actor.process.file.path | ```PROCESS_PATH::VARCHAR``` | +| actor.process.parent_process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (3::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', 3::NUMBER, 'value', PARENT_HASH_SHA256::VARCHAR))``` | +| actor.process.parent_process.file.path | 
```PARENT_PATH::VARCHAR``` | +| actor.process.parent_process.pid | ```PARENT_PID::NUMBER``` | +| actor.process.parent_process.uid | ```PARENT_GUID::VARCHAR``` | +| actor.process.pid | ```PROCESS_PID::NUMBER``` | +| actor.process.uid | ```PROCESS_GUID::VARCHAR``` | +| actor.user.name | ```PROCESS_USERNAME::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'file_activity'``` | +| class_uid | ```1001``` | +| device.created_time | ```date_part('epoch_milliseconds', DEVICE_TIMESTAMP::TIMESTAMP_LTZ)``` | +| device.created_time_dt | ```DEVICE_TIMESTAMP::TIMESTAMP_LTZ``` | +| device.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('name', DEVICE_GROUP::VARCHAR))``` | +| device.ip | ```DEVICE_EXTERNAL_IP::VARCHAR``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| device.os.name | ```DEVICE_OS::VARCHAR``` | +| device.uid | ```DEVICE_ID::VARCHAR``` | +| file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (3::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', 3::NUMBER, 'value', FILEMOD_HASH_SHA256::VARCHAR))``` | +| file.modifier.name | ```FILEMOD_NAME::VARCHAR``` | +| message | ```EVENT_DESCRIPTION::VARCHAR``` | +| metadata.event_code | ```type``` | +| metadata.product.name | ```'cb-platform-events'``` | +| metadata.product.vendor_name | ```'cb-defense'``` | +| metadata.version | ```'1.1.0'``` | +| time | ```date_part('epoch_milliseconds', backend_timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```backend_timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (100199::NUMBER) WHEN 100100 THEN 'File System Activity: Unknown' WHEN 100101 THEN 'File System Activity: Create' WHEN 100102 THEN 'File System Activity: Read' WHEN 100103 THEN 'File System Activity: Update' WHEN 100104 THEN 'File 
System Activity: Delete' WHEN 100105 THEN 'File System Activity: Rename' WHEN 100106 THEN 'File System Activity: Set Attributes' WHEN 100107 THEN 'File System Activity: Set Security' WHEN 100108 THEN 'File System Activity: Get Attributes' WHEN 100109 THEN 'File System Activity: Get Security' WHEN 100110 THEN 'File System Activity: Encrypt' WHEN 100111 THEN 'File System Activity: Decrypt' WHEN 100112 THEN 'File System Activity: Mount' WHEN 100113 THEN 'File System Activity: Unmount' WHEN 100114 THEN 'File System Activity: Open' WHEN 100199 THEN 'File System Activity: Other' END``` | +| type_uid | ```100199::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/network_activity/README.md b/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/network_activity/README.md new file mode 100644 index 00000000..1979b9bb --- /dev/null +++ b/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/network_activity/README.md 
@@ -0,0 +1,63 @@ +# Event Dossier: Cb Platform Events to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `cb-defense` +* Product name: `cb-platform-events` +* Event codes: `TYPE IN ('endpoint.event.netconn', 'endpoint.event.netconn_proxy')` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN SENSOR_ACTION = 'ACTION_ALLOW' THEN 1 WHEN SENSOR_ACTION = 'ACTION_BLOCK' THEN 2 WHEN SENSOR_ACTION is NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN SENSOR_ACTION = 'ACTION_ALLOW' THEN 1 WHEN SENSOR_ACTION = 'ACTION_BLOCK' THEN 2 WHEN SENSOR_ACTION is NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```PROCESS_CMDLINE::VARCHAR``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN PROCESS_HASH_SHA256 IS NULL AND PROCESS_HASH_MD5 IS NULL THEN 0 WHEN PROCESS_HASH_SHA256 IS NOT NULL THEN 3 WHEN PROCESS_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN PROCESS_HASH_SHA256 IS NULL AND PROCESS_HASH_MD5 IS NULL THEN 0 WHEN PROCESS_HASH_SHA256 IS NOT NULL THEN 3 WHEN PROCESS_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER::NUMBER, 'value', COALESCE(PROCESS_HASH_SHA256, PROCESS_HASH_MD5)::VARCHAR))``` | +| actor.process.file.path | ```PROCESS_PATH::VARCHAR``` | +| 
actor.process.parent_process.cmd_line | ```PARENT_CMDLINE::VARCHAR``` | +| actor.process.parent_process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN PARENT_HASH_SHA256 IS NULL AND PARENT_HASH_MD5 IS NULL THEN 0 WHEN PARENT_HASH_SHA256 IS NOT NULL THEN 3 WHEN PARENT_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN PARENT_HASH_SHA256 IS NULL AND PARENT_HASH_MD5 IS NULL THEN 0 WHEN PARENT_HASH_SHA256 IS NOT NULL THEN 3 WHEN PARENT_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER, 'value', COALESCE(PARENT_HASH_SHA256, PARENT_HASH_MD5)::VARCHAR))``` | +| actor.process.parent_process.file.path | ```PARENT_PATH::VARCHAR``` | +| actor.process.parent_process.pid | ```PARENT_PID::NUMBER``` | +| actor.process.parent_process.uid | ```PARENT_GUID::VARCHAR``` | +| actor.process.pid | ```PROCESS_PID::NUMBER``` | +| actor.process.uid | ```PROCESS_GUID::VARCHAR``` | +| actor.process.user.name | ```PROCESS_USERNAME::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.direction | ```CASE (IFF(NETCONN_INBOUND = 'True', 1 , 0)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```IFF(NETCONN_INBOUND = 'True', 1 , 0)::NUMBER``` | +| connection_info.protocol_name | ```CASE WHEN NETCONN_PROTOCOL = 'PROTO_ICMP' THEN 'icmp' WHEN NETCONN_PROTOCOL = 'PROTO_TCP' THEN 'tcp' WHEN NETCONN_PROTOCOL = 'PROTO_UDP' THEN 'udp' ELSE NULL END::VARCHAR``` | +| connection_info.protocol_num | ```CASE WHEN NETCONN_PROTOCOL = 'PROTO_ICMP' THEN 1 WHEN NETCONN_PROTOCOL = 'PROTO_TCP' THEN 6 WHEN 
NETCONN_PROTOCOL = 'PROTO_UDP' THEN 17 ELSE NULL END::NUMBER``` | +| device.first_seen_time | ```date_part('epoch_milliseconds', DEVICE_TIMESTAMP::TIMESTAMP_LTZ)``` | +| device.first_seen_time_dt | ```DEVICE_TIMESTAMP::TIMESTAMP_LTZ``` | +| device.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('name', DEVICE_GROUP::VARCHAR))``` | +| device.ip | ```DEVICE_EXTERNAL_IP::VARCHAR``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| device.org.uid | ```ORG_KEY::VARCHAR``` | +| device.os.name | ```DEVICE_OS::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN DEVICE_OS ='WINDOWS' THEN 100 WHEN DEVICE_OS = 'LINUX' THEN 200 WHEN DEVICE_OS = 'MAC' THEN 300 WHEN DEVICE_OS is NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN DEVICE_OS ='WINDOWS' THEN 100 WHEN DEVICE_OS = 'LINUX' THEN 200 WHEN DEVICE_OS = 'MAC' THEN 300 WHEN DEVICE_OS is NULL THEN 0 ELSE 99 END::NUMBER``` | +| device.uid | ```DEVICE_ID::VARCHAR``` | +| dst_endpoint.domain | ```NETCONN_DOMAIN::VARCHAR``` | +| dst_endpoint.ip | ```REMOTE_IP::VARCHAR``` | +| dst_endpoint.port | ```REMOTE_PORT::VARCHAR``` | +| message | ```EVENT_DESCRIPTION::VARCHAR``` | +| metadata.event_code | ```type``` | +| metadata.product.name | ```'cb-platform-events'``` | +| metadata.product.vendor_name | ```'cb-defense'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```LOCAL_IP::VARCHAR``` | +| src_endpoint.port | ```LOCAL_PORT::VARCHAR``` | +| time | 
```date_part('epoch_milliseconds', backend_timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```backend_timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (400101::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```400101::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/process_activity/README.md b/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/process_activity/README.md new file mode 100644 index 00000000..0513fe85 --- /dev/null +++ b/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/process_activity/README.md 
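Review bot: In the cb-platform-events network_activity table, `connection_info.direction_id | IFF(NETCONN_INBOUND = 'True', 1 , 0)::NUMBER` sends every outbound connection to 0 (Unknown), so the 2 (Outbound) branch that `connection_info.direction` enumerates is unreachable; a three-way CASE (`'True'` to 1, `'False'` to 2, NULL or anything else to 0) keeps the distinction the sensor actually reports. Two smaller points in the same table: `src_endpoint.port | LOCAL_PORT::VARCHAR` and `dst_endpoint.port | REMOTE_PORT::VARCHAR` cast ports to strings, but OCSF `port_t` is an integer, so these should be `::NUMBER`; and the `file.hashes` builder keeps only `COALESCE(PARENT_HASH_SHA256, PARENT_HASH_MD5)`, which drops the MD5 whenever a SHA-256 is present and emits an `algorithm_id` 0 entry with a NULL value when both are absent. Building one array element per non-null hash (and an empty array otherwise) would avoid both the data loss and the placeholder entry; the same construction is repeated in the process, registry key and registry value tables below.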
@@ -0,0 +1,54 @@ +# Event Dossier: Cb Platform Events to OCSF class Process Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `process_activity` +* Vendor name: `cb-defense` +* Product name: `cb-platform-events` +* Event codes: `TYPE IN ('endpoint.event.procstart', 'endpoint.event.procend')` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN SENSOR_ACTION = 'ACTION_ALLOW' THEN 1 WHEN SENSOR_ACTION = 'ACTION_BLOCK' THEN 2 WHEN SENSOR_ACTION is NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN SENSOR_ACTION = 'ACTION_ALLOW' THEN 1 WHEN SENSOR_ACTION = 'ACTION_BLOCK' THEN 2 WHEN SENSOR_ACTION is NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN ACTION IS NULL OR ACTION = '' THEN 0 WHEN ACTION = 'ACTION_PROCESS_TERMINATE' THEN 2 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN ACTION IS NULL OR ACTION = '' THEN 0 WHEN ACTION = 'ACTION_PROCESS_TERMINATE' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Launch' WHEN 2 THEN 'Terminate' WHEN 3 THEN 'Open' WHEN 4 THEN 'Inject' WHEN 5 THEN 'Set User ID' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'process_activity'``` | +| class_uid | ```1007``` | +| device.first_seen_time | ```date_part('epoch_milliseconds', DEVICE_TIMESTAMP::TIMESTAMP_LTZ)``` | +| device.first_seen_time_dt | ```DEVICE_TIMESTAMP::TIMESTAMP_LTZ``` | +| device.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('name', DEVICE_GROUP::VARCHAR))``` | +| device.ip | ```DEVICE_EXTERNAL_IP::VARCHAR``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| device.org.uid | ```ORG_KEY::VARCHAR``` | +| device.os.name | ```DEVICE_OS::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN DEVICE_OS 
='WINDOWS' THEN 100 WHEN DEVICE_OS = 'LINUX' THEN 200 WHEN DEVICE_OS = 'MAC' THEN 300 WHEN DEVICE_OS is NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN DEVICE_OS ='WINDOWS' THEN 100 WHEN DEVICE_OS = 'LINUX' THEN 200 WHEN DEVICE_OS = 'MAC' THEN 300 WHEN DEVICE_OS is NULL THEN 0 ELSE 99 END::NUMBER``` | +| device.uid | ```DEVICE_ID::VARCHAR``` | +| message | ```EVENT_DESCRIPTION::VARCHAR``` | +| metadata.event_code | ```type``` | +| metadata.product.name | ```'cb-platform-events'``` | +| metadata.product.vendor_name | ```'cb-defense'``` | +| metadata.version | ```'1.1.0'``` | +| process.cmd_line | ```PROCESS_CMDLINE::VARCHAR``` | +| process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN PROCESS_HASH_SHA256 IS NULL AND PROCESS_HASH_MD5 IS NULL THEN 0 WHEN PROCESS_HASH_SHA256 IS NOT NULL THEN 3 WHEN PROCESS_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN PROCESS_HASH_SHA256 IS NULL AND PROCESS_HASH_MD5 IS NULL THEN 0 WHEN PROCESS_HASH_SHA256 IS NOT NULL THEN 3 WHEN PROCESS_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER, 'value', COALESCE(PROCESS_HASH_SHA256, PROCESS_HASH_MD5)::VARCHAR))``` | +| process.file.path | ```PROCESS_PATH::VARCHAR``` | +| process.parent_process.cmd_line | ```PARENT_CMDLINE::VARCHAR``` | +| process.parent_process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN PARENT_HASH_SHA256 IS NULL AND PARENT_HASH_MD5 IS NULL THEN 0 WHEN PARENT_HASH_SHA256 IS NOT NULL THEN 
3 WHEN PARENT_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN PARENT_HASH_SHA256 IS NULL AND PARENT_HASH_MD5 IS NULL THEN 0 WHEN PARENT_HASH_SHA256 IS NOT NULL THEN 3 WHEN PARENT_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER, 'value', COALESCE(PARENT_HASH_SHA256, PARENT_HASH_MD5)::VARCHAR))``` | +| process.parent_process.file.path | ```PARENT_PATH::VARCHAR``` | +| process.parent_process.pid | ```PARENT_PID::NUMBER``` | +| process.parent_process.uid | ```PARENT_GUID::VARCHAR``` | +| process.pid | ```PROCESS_PID::NUMBER``` | +| process.uid | ```PROCESS_GUID::VARCHAR``` | +| process.user.name | ```PROCESS_USERNAME::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| time | ```date_part('epoch_milliseconds', backend_timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```backend_timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE WHEN ACTION IS NULL OR ACTION = '' THEN 100700 WHEN ACTION = 'ACTION_PROCESS_TERMINATE' THEN 100702 ELSE 100799 END::NUMBER) WHEN 100700 THEN 'Process Activity: Unknown' WHEN 100701 THEN 'Process Activity: Launch' WHEN 100702 THEN 'Process Activity: Terminate' WHEN 100703 THEN 'Process Activity: Open' WHEN 100704 THEN 'Process Activity: Inject' WHEN 100705 THEN 'Process Activity: Set User ID' WHEN 100799 THEN 'Process Activity: Other' END``` | +| type_uid | ```CASE WHEN ACTION IS NULL OR ACTION = '' THEN 100700 WHEN ACTION = 'ACTION_PROCESS_TERMINATE' THEN 100702 ELSE 100799 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ 
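Review bot: In the process_activity table the event filter admits `endpoint.event.procstart`, but `activity_id` (`CASE WHEN ACTION IS NULL OR ACTION = '' THEN 0 WHEN ACTION = 'ACTION_PROCESS_TERMINATE' THEN 2 ELSE 99 END`) never yields 1, so every process start is classified as 99 (Other) and the 'Launch' / 'Process Activity: Launch' labels in `activity_name` and `type_name` can never be produced. Branch on `TYPE = 'endpoint.event.procstart'` (or the corresponding ACTION value) to return 1, and update the `type_uid` CASE in step so that it returns 100701 for the same rows; otherwise consumers keying on Launch events will see none of them from this source.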
diff --git a/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/registry_key_activity/README.md b/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/registry_key_activity/README.md new file mode 100644 index 00000000..d0e1592b --- /dev/null +++ b/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/registry_key_activity/README.md 
@@ -0,0 +1,57 @@ +# Event Dossier: Cb Platform Events to OCSF class Win/registry Key Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `registry_key_activity` +* Vendor name: `cb-defense` +* Product name: `cb-platform-events` +* Event codes: `TYPE = 'endpoint.event.regmod' AND ACTION ILIKE '%KEY%'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN SENSOR_ACTION = 'ACTION_ALLOW' THEN 1 WHEN SENSOR_ACTION = 'ACTION_BLOCK' THEN 2 WHEN SENSOR_ACTION is NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN SENSOR_ACTION = 'ACTION_ALLOW' THEN 1 WHEN SENSOR_ACTION = 'ACTION_BLOCK' THEN 2 WHEN SENSOR_ACTION is NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN ACTION IS NULL OR ACTION = '' THEN 0 WHEN ACTION ILIKE '%ACTION_CREATE_KEY%' THEN 1 WHEN ACTION ILIKE '%ACTION_DELETE_KEY%' THEN 4 WHEN ACTION ILIKE '%ACTION_RENAME_KEY%' THEN 5 WHEN ACTION ILIKE '%ACTION_RESTORE_KEY%' THEN 7 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN ACTION IS NULL OR ACTION = '' THEN 0 WHEN ACTION ILIKE '%ACTION_CREATE_KEY%' THEN 1 WHEN ACTION ILIKE '%ACTION_DELETE_KEY%' THEN 4 WHEN ACTION ILIKE '%ACTION_RENAME_KEY%' THEN 5 WHEN ACTION ILIKE '%ACTION_RESTORE_KEY%' THEN 7 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Create' WHEN 2 THEN 'Read' WHEN 3 THEN 'Modify' WHEN 4 THEN 'Delete' WHEN 5 THEN 'Rename' WHEN 6 THEN 'Set Security' WHEN 7 THEN 'Restore' WHEN 8 THEN 'Import' WHEN 9 THEN 'Export' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```PROCESS_CMDLINE::VARCHAR``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN PROCESS_HASH_SHA256 IS NULL AND PROCESS_HASH_MD5 IS NULL THEN 0 WHEN PROCESS_HASH_SHA256 IS NOT NULL THEN 3 WHEN PROCESS_HASH_MD5 IS NOT NULL THEN 1 
END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN PROCESS_HASH_SHA256 IS NULL AND PROCESS_HASH_MD5 IS NULL THEN 0 WHEN PROCESS_HASH_SHA256 IS NOT NULL THEN 3 WHEN PROCESS_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER, 'value', COALESCE(PROCESS_HASH_SHA256, PROCESS_HASH_MD5)::VARCHAR))``` | +| actor.process.file.path | ```PROCESS_PATH::VARCHAR``` | +| actor.process.parent_process.cmd_line | ```PARENT_CMDLINE::VARCHAR``` | +| actor.process.parent_process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN PARENT_HASH_SHA256 IS NULL AND PARENT_HASH_MD5 IS NULL THEN 0 WHEN PARENT_HASH_SHA256 IS NOT NULL THEN 3 WHEN PARENT_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN PARENT_HASH_SHA256 IS NULL AND PARENT_HASH_MD5 IS NULL THEN 0 WHEN PARENT_HASH_SHA256 IS NOT NULL THEN 3 WHEN PARENT_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER, 'value', COALESCE(PARENT_HASH_SHA256, PARENT_HASH_MD5)::VARCHAR))``` | +| actor.process.parent_process.file.path | ```PARENT_PATH::VARCHAR``` | +| actor.process.parent_process.pid | ```PARENT_PID::NUMBER``` | +| actor.process.parent_process.uid | ```PARENT_GUID::VARCHAR``` | +| actor.process.pid | ```PROCESS_PID::NUMBER``` | +| actor.process.uid | ```PROCESS_GUID::VARCHAR``` | +| actor.process.user.name | ```PROCESS_USERNAME::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'win/registry_key_activity'``` | +| class_uid | ```201001``` | +| device.first_seen_time | ```date_part('epoch_milliseconds', DEVICE_TIMESTAMP::TIMESTAMP_LTZ)``` 
| +| device.first_seen_time_dt | ```DEVICE_TIMESTAMP::TIMESTAMP_LTZ``` | +| device.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('name', DEVICE_GROUP::VARCHAR))``` | +| device.ip | ```DEVICE_EXTERNAL_IP::VARCHAR``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| device.org.uid | ```ORG_KEY::VARCHAR``` | +| device.os.name | ```DEVICE_OS::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN DEVICE_OS ='WINDOWS' THEN 100 WHEN DEVICE_OS = 'LINUX' THEN 200 WHEN DEVICE_OS = 'MAC' THEN 300 WHEN DEVICE_OS is NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN DEVICE_OS ='WINDOWS' THEN 100 WHEN DEVICE_OS = 'LINUX' THEN 200 WHEN DEVICE_OS = 'MAC' THEN 300 WHEN DEVICE_OS is NULL THEN 0 ELSE 99 END::NUMBER``` | +| device.uid | ```DEVICE_ID::VARCHAR``` | +| disposition | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```0::NUMBER``` | +| message | ```EVENT_DESCRIPTION::VARCHAR``` | +| metadata.event_code | ```type``` | +| metadata.product.name | ```'cb-platform-events'``` | +| 
metadata.product.vendor_name | ```'cb-defense'``` | +| metadata.version | ```'1.1.0'``` | +| reg_key.path | ```REGMOD_NAME::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| time | ```date_part('epoch_milliseconds', backend_timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```backend_timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE WHEN ACTION IS NULL OR ACTION = '' THEN 20100100 WHEN ACTION ILIKE '%ACTION_CREATE_KEY%' THEN 20100101 WHEN ACTION ILIKE '%ACTION_DELETE_KEY%' THEN 20100104 WHEN ACTION ILIKE '%ACTION_RENAME_KEY%' THEN 20100105 WHEN ACTION ILIKE '%ACTION_RESTORE_KEY%' THEN 20100107 ELSE 20100199 END::NUMBER) WHEN 20100100 THEN 'Registry Key Activity: Unknown' WHEN 20100101 THEN 'Registry Key Activity: Create' WHEN 20100102 THEN 'Registry Key Activity: Read' WHEN 20100103 THEN 'Registry Key Activity: Modify' WHEN 20100104 THEN 'Registry Key Activity: Delete' WHEN 20100105 THEN 'Registry Key Activity: Rename' WHEN 20100106 THEN 'Registry Key Activity: Set Security' WHEN 20100107 THEN 'Registry Key Activity: Restore' WHEN 20100108 THEN 'Registry Key Activity: Import' WHEN 20100109 THEN 'Registry Key Activity: Export' WHEN 20100199 THEN 'Registry Key Activity: Other' END``` | +| type_uid | ```CASE WHEN ACTION IS NULL OR ACTION = '' THEN 20100100 WHEN ACTION ILIKE '%ACTION_CREATE_KEY%' THEN 20100101 WHEN ACTION ILIKE '%ACTION_DELETE_KEY%' THEN 20100104 WHEN ACTION ILIKE '%ACTION_RENAME_KEY%' THEN 20100105 WHEN ACTION ILIKE '%ACTION_RESTORE_KEY%' THEN 20100107 ELSE 20100199 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ 
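Review bot: In the registry_key_activity table `disposition_id` is the constant `0::NUMBER` even though the same table already decodes `SENSOR_ACTION` into allow/block for `action_id`; since `disposition_id` has 1 (Allowed) and 2 (Blocked), reusing that CASE (ACTION_ALLOW to 1, ACTION_BLOCK to 2, NULL to 0, else 99) would stop blocked registry changes from reporting an 'Unknown' disposition. Separately, `device.first_seen_time | date_part('epoch_milliseconds', DEVICE_TIMESTAMP::TIMESTAMP_LTZ)` fills a first-seen attribute with the per-event device clock, so the value changes on every event; if no enrollment or first-contact time is available in the raw data, the attribute is better left unmapped than populated with something that is not a first-seen time.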
diff --git a/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/registry_value_activity/README.md b/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/registry_value_activity/README.md new file mode 100644 index 00000000..a5c8e00e --- /dev/null +++ b/mappings/markdown/Carbon Black/1.1.0/cb-platform-events/registry_value_activity/README.md 
@@ -0,0 +1,58 @@ +# Event Dossier: Cb Platform Events to OCSF class Win/registry Value Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `registry_value_activity` +* Vendor name: `cb-defense` +* Product name: `cb-platform-events` +* Event codes: `TYPE = 'endpoint.event.regmod' AND ACTION ILIKE '%VALUE%'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN SENSOR_ACTION = 'ACTION_ALLOW' THEN 1 WHEN SENSOR_ACTION = 'ACTION_BLOCK' THEN 2 WHEN SENSOR_ACTION is NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN SENSOR_ACTION = 'ACTION_ALLOW' THEN 1 WHEN SENSOR_ACTION = 'ACTION_BLOCK' THEN 2 WHEN SENSOR_ACTION is NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN ACTION IS NULL OR ACTION = '' THEN 0 WHEN ACTION = 'ACTION_WRITE_VALUE' THEN 2 WHEN ACTION = 'ACTION_DELETE_VALUE' THEN 4 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN ACTION IS NULL OR ACTION = '' THEN 0 WHEN ACTION = 'ACTION_WRITE_VALUE' THEN 2 WHEN ACTION = 'ACTION_DELETE_VALUE' THEN 4 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Get' WHEN 2 THEN 'Set' WHEN 3 THEN 'Modify' WHEN 4 THEN 'Delete' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```PROCESS_CMDLINE::VARCHAR``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN PROCESS_HASH_SHA256 IS NULL AND PROCESS_HASH_MD5 IS NULL THEN 0 WHEN PROCESS_HASH_SHA256 IS NOT NULL THEN 3 WHEN PROCESS_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN PROCESS_HASH_SHA256 IS NULL AND PROCESS_HASH_MD5 IS NULL THEN 0 WHEN PROCESS_HASH_SHA256 IS 
NOT NULL THEN 3 WHEN PROCESS_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER, 'value', COALESCE(PROCESS_HASH_SHA256, PROCESS_HASH_MD5)::VARCHAR))``` | +| actor.process.file.path | ```PROCESS_PATH::VARCHAR``` | +| actor.process.parent_process.cmd_line | ```PARENT_CMDLINE::VARCHAR``` | +| actor.process.parent_process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN PARENT_HASH_SHA256 IS NULL AND PARENT_HASH_MD5 IS NULL THEN 0 WHEN PARENT_HASH_SHA256 IS NOT NULL THEN 3 WHEN PARENT_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN PARENT_HASH_SHA256 IS NULL AND PARENT_HASH_MD5 IS NULL THEN 0 WHEN PARENT_HASH_SHA256 IS NOT NULL THEN 3 WHEN PARENT_HASH_MD5 IS NOT NULL THEN 1 END::NUMBER, 'value', COALESCE(PARENT_HASH_SHA256, PARENT_HASH_MD5)::VARCHAR))``` | +| actor.process.parent_process.file.path | ```PARENT_PATH::VARCHAR``` | +| actor.process.parent_process.pid | ```PARENT_PID::NUMBER``` | +| actor.process.parent_process.uid | ```PARENT_GUID::VARCHAR``` | +| actor.process.pid | ```PROCESS_PID::NUMBER``` | +| actor.process.uid | ```PROCESS_GUID::VARCHAR``` | +| actor.process.user.name | ```PROCESS_USERNAME::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'win/registry_value_activity'``` | +| class_uid | ```201002``` | +| device.first_seen_time | ```date_part('epoch_milliseconds', DEVICE_TIMESTAMP::TIMESTAMP_LTZ)``` | +| device.first_seen_time_dt | ```DEVICE_TIMESTAMP::TIMESTAMP_LTZ``` | +| device.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('name', DEVICE_GROUP::VARCHAR))``` | +| device.ip | ```DEVICE_EXTERNAL_IP::VARCHAR``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| device.org.uid | ```ORG_KEY::VARCHAR``` | +| 
device.os.name | ```DEVICE_OS::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN DEVICE_OS ='WINDOWS' THEN 100 WHEN DEVICE_OS = 'LINUX' THEN 200 WHEN DEVICE_OS = 'MAC' THEN 300 WHEN DEVICE_OS is NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN DEVICE_OS ='WINDOWS' THEN 100 WHEN DEVICE_OS = 'LINUX' THEN 200 WHEN DEVICE_OS = 'MAC' THEN 300 WHEN DEVICE_OS is NULL THEN 0 ELSE 99 END::NUMBER``` | +| device.uid | ```DEVICE_ID::VARCHAR``` | +| disposition | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```0::NUMBER``` | +| message | ```EVENT_DESCRIPTION::VARCHAR``` | +| metadata.event_code | ```type``` | +| metadata.product.name | ```'cb-platform-events'``` | +| metadata.product.vendor_name | ```'cb-defense'``` | +| metadata.version | ```'1.1.0'``` | +| reg_value.name | ```''::VARCHAR``` | +| reg_value.path | ```REGMOD_NAME::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 
THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| time | ```date_part('epoch_milliseconds', backend_timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```backend_timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE WHEN ACTION IS NULL OR ACTION = '' THEN 20100200 WHEN ACTION = 'ACTION_WRITE_VALUE' THEN 20100202 WHEN ACTION = 'ACTION_DELETE_VALUE' THEN 20100204 ELSE 20100299 END::NUMBER) WHEN 20100200 THEN 'Registry Value Activity: Unknown' WHEN 20100201 THEN 'Registry Value Activity: Get' WHEN 20100202 THEN 'Registry Value Activity: Set' WHEN 20100203 THEN 'Registry Value Activity: Modify' WHEN 20100204 THEN 'Registry Value Activity: Delete' WHEN 20100299 THEN 'Registry Value Activity: Other' END``` | +| type_uid | ```CASE WHEN ACTION IS NULL OR ACTION = '' THEN 20100200 WHEN ACTION = 'ACTION_WRITE_VALUE' THEN 20100202 WHEN ACTION = 'ACTION_DELETE_VALUE' THEN 20100204 ELSE 20100299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/CatoNetworks/1.1.0/cato-networks-security-events/network_activity/README.md b/mappings/markdown/CatoNetworks/1.1.0/cato-networks-security-events/network_activity/README.md new file mode 100644 index 00000000..6580ecb7 --- /dev/null +++ b/mappings/markdown/CatoNetworks/1.1.0/cato-networks-security-events/network_activity/README.md 
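Review bot: In the registry_value_activity table `reg_value.name | ''::VARCHAR` emits an empty value name on every event while `reg_value.path | REGMOD_NAME::VARCHAR` receives the whole path; anyone filtering or correlating on the value name will match nothing. Either leave `reg_value.name` unmapped when the raw field does not separate it, or derive it from the last path component of `REGMOD_NAME` and put the containing key in `reg_value.path`, which is the split the OCSF object describes. The `disposition_id | 0::NUMBER` constant has the same shortcoming noted for registry_key_activity: `SENSOR_ACTION` is already decoded for `action_id` and can feed disposition as well.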
@@ -0,0 +1,48 @@ +# Event Dossier: Cato Networks Security Events to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `CatoNetworks` +* Product name: `cato-networks-security-events` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION is NULL then 0 WHEN ACTION = 'Allow' then 1 WHEN ACTION = 'Block' then 2 ELSE 99 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION is NULL then 0 WHEN ACTION = 'Allow' then 1 WHEN ACTION = 'Block' then 2 ELSE 99 END``` | +| activity_id | ```0::NUMBER``` | +| activity_name | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| app_name | ```APPLICATION::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.protocol_name | ```LOWER(IP_PROTOCOL)::VARCHAR``` | +| connection_info.protocol_num | ```CASE WHEN LOWER(IP_PROTOCOL) = 'icmp' THEN 1 WHEN LOWER(IP_PROTOCOL) = 'tcp' THEN 6 WHEN LOWER(IP_PROTOCOL) = 'udp' THEN 17 WHEN LOWER(IP_PROTOCOL) = 'rvd' THEN 66 WHEN LOWER(IP_PROTOCOL) = 'sun_nd' THEN 77 WHEN LOWER(IP_PROTOCOL) = 'ipv6' THEN 41 WHEN LOWER(IP_PROTOCOL) = 'mobile' THEN 55 WHEN LOWER(IP_PROTOCOL) = 'fire' THEN 125 END``` | +| count | ```EVENT_COUNT::NUMBER``` | +| device.os.type | ```CASE (CASE WHEN OS_TYPE = 'OS_WINDOWS' THEN 100 WHEN OS_TYPE = 'OS_UNKNOWN' THEN 0 WHEN OS_TYPE = 'OS_MAC' THEN 300 WHEN OS_TYPE = 'OS_LINUX' THEN 200 WHEN OS_TYPE = 'OS_IOS' THEN 301 WHEN OS_TYPE = 'OS_EMBEDDED' THEN 99 WHEN OS_TYPE = 'OS_ANDROID' THEN 201 END) WHEN 0 THEN 
'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN OS_TYPE = 'OS_WINDOWS' THEN 100 WHEN OS_TYPE = 'OS_UNKNOWN' THEN 0 WHEN OS_TYPE = 'OS_MAC' THEN 300 WHEN OS_TYPE = 'OS_LINUX' THEN 200 WHEN OS_TYPE = 'OS_IOS' THEN 301 WHEN OS_TYPE = 'OS_EMBEDDED' THEN 99 WHEN OS_TYPE = 'OS_ANDROID' THEN 201 END``` | +| device.region | ```DEST_SITE::VARCHAR``` | +| dst_endpoint.domain | ```DOMAIN_NAME::VARCHAR``` | +| dst_endpoint.ip | ```DEST_IP::VARCHAR``` | +| dst_endpoint.location.country | ```DEST_COUNTRY::VARCHAR``` | +| dst_endpoint.location.isp | ```ISP_NAME::VARCHAR``` | +| dst_endpoint.location.region | ```DEST_SITE::VARCHAR``` | +| dst_endpoint.port | ```DEST_PORT::VARCHAR``` | +| firewall_rule.desc | ```RULE_NAME::VARCHAR``` | +| firewall_rule.name | ```RULE::VARCHAR``` | +| firewall_rule.uid | ```RULE_ID::VARCHAR``` | +| metadata.event_code | ```event_sub_type``` | +| metadata.product.name | ```'cato-networks-security-events'``` | +| metadata.product.vendor_name | ```'CatoNetworks'``` | +| metadata.version | ```'1.1.0'``` | +| src_endpoint.ip | ```SRC_IP::VARCHAR``` | +| src_endpoint.location.country | ```SRC_COUNTRY::VARCHAR``` | +| src_endpoint.location.region | ```SRC_SITE::VARCHAR``` | +| src_endpoint.port | ```SRC_PORT::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Checkpoint/1.1.0/checkpoint-traffic/network_activity/README.md b/mappings/markdown/Checkpoint/1.1.0/checkpoint-traffic/network_activity/README.md new file mode 100644 index 00000000..f23d8520 --- /dev/null 
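Review bot: The cato-networks-security-events network_activity table has no `type_uid` / `type_name` and no `severity_id` / `severity`, all of which are required base-event attributes that every other dossier in this patch supplies (at minimum as constants such as `severity_id | 0::NUMBER`); with `activity_id` fixed at 0 the matching values would be `type_uid | 400100::NUMBER` and 'Network Activity: Unknown'. Two CASE expressions here also lack an ELSE branch: `device.os.type_id` returns NULL for any `OS_TYPE` outside the seven listed values instead of 99, and `connection_info.protocol_num` returns NULL for protocols not in its list, so the labelled `device.os.type` will be NULL rather than 'Other' for those rows. `action_id` is also missing the `::NUMBER` cast the other mappings apply, and `DEST_SITE` is mapped to both `device.region` and `dst_endpoint.location.region`; only one of those describes what the field holds.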
+++ b/mappings/markdown/Checkpoint/1.1.0/checkpoint-traffic/network_activity/README.md 
@@ -0,0 +1,59 @@ +# Event Dossier: Checkpoint Traffic to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `checkpoint` +* Product name: `checkpoint-traffic` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION='Allow' THEN 1 WHEN ACTION='Accept' THEN 1 WHEN ACTION='Block' THEN 2 WHEN ACTION='Reject' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION='Allow' THEN 1 WHEN ACTION='Accept' THEN 1 WHEN ACTION='Block' THEN 2 WHEN ACTION='Reject' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```2::NUMBER``` | +| activity_name | ```CASE (2::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.process.uid | ```RAW:loguid::VARCHAR``` | +| actor.session.created_time | ```date_part('epoch_milliseconds', BROWSE_TIME::TIMESTAMP_LTZ)``` | +| actor.session.created_time_dt | ```BROWSE_TIME::TIMESTAMP_LTZ``` | +| actor.session.uid | ```RAW:session_uid::VARCHAR``` | +| actor.user.domain | ```RAW:Domain::VARCHAR``` | +| actor.user.name | ```COALESCE(USER, RAW:src_user_name)::VARCHAR``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.direction | ```CASE (CASE WHEN RAW:ifdir='inbound' THEN 1 WHEN RAW:ifdir='outbound' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```CASE WHEN RAW:ifdir='inbound' THEN 1 WHEN RAW:ifdir='outbound' THEN 2 ELSE 99 END::NUMBER``` | +| connection_info.protocol_num | ```PROTO::NUMBER``` | +| 
connection_info.session.expiration_time | ```date_part('epoch_milliseconds', RAW:expire_time::TIMESTAMP_LTZ)``` | +| connection_info.session.expiration_time_dt | ```RAW:expire_time::TIMESTAMP_LTZ``` | +| device.interface_name | ```RAW:ifname::VARCHAR``` | +| device.ip | ```ORIGIN::VARCHAR``` | +| device.name | ```ORIGIN_SIC_NAME::VARCHAR``` | +| dst_endpoint.domain | ```CASE WHEN PARSE_URL(RESOURCE,1):host::VARCHAR REGEXP '^[a-zA-Z0-9-]+(\\\ .[a-zA-Z0-9-]+){1,}$' THEN PARSE_URL(RESOURCE,1):host::VARCHAR ELSE NULL END::VARCHAR``` | +| dst_endpoint.hostname | ```DST_MACHINE_NAME::VARCHAR``` | +| dst_endpoint.ip | ```DST::VARCHAR``` | +| dst_endpoint.port | ```SERVICE::VARCHAR``` | +| dst_endpoint.zone | ```RAW:outzone::VARCHAR``` | +| firewall_rule.category | ```RAW:rule_action::VARCHAR``` | +| firewall_rule.name | ```RULE_NAME::VARCHAR``` | +| firewall_rule.uid | ```RAW:rule_uid::VARCHAR``` | +| message | ```COALESCE(RAW:message_info, RAW:decision)::VARCHAR``` | +| metadata.product.name | ```'checkpoint-traffic'``` | +| metadata.product.vendor_name | ```'checkpoint'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (CASE WHEN SEVERITY = 0 THEN 1 WHEN SEVERITY = 1 THEN 2 WHEN SEVERITY = 2 THEN 3 WHEN SEVERITY = 3 THEN 4 WHEN SEVERITY = 4 THEN 5 WHEN SEVERITY = 'Critical' THEN 5 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN SEVERITY = 0 THEN 1 WHEN SEVERITY = 1 THEN 2 WHEN SEVERITY = 2 THEN 3 WHEN SEVERITY = 3 THEN 4 WHEN SEVERITY = 4 THEN 5 WHEN SEVERITY = 'Critical' THEN 5 ELSE 99 END::NUMBER``` | +| src_endpoint.hostname | ```SRC_MACHINE_NAME::VARCHAR``` | +| src_endpoint.ip | ```SRC::VARCHAR``` | +| src_endpoint.port | ```S_PORT::VARCHAR``` | +| src_endpoint.zone | ```RAW:inzone::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', time::TIMESTAMP_LTZ)``` | +| 
time_dt | ```time::TIMESTAMP_LTZ``` | +| traffic.bytes | ```BYTES::NUMBER``` | +| traffic.packets | ```PACKETS::NUMBER``` | +| type_name | ```CASE (400102::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```400102::NUMBER``` | +| url.path | ```RAW:http::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Cisco/cisco-firewall/1.1.0/cisco-asa-firewall/network_activity/README.md b/mappings/markdown/Cisco/cisco-firewall/1.1.0/cisco-asa-firewall/network_activity/README.md new file mode 100644 index 00000000..097b12a9 --- /dev/null +++ b/mappings/markdown/Cisco/cisco-firewall/1.1.0/cisco-asa-firewall/network_activity/README.md 
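Review bot: in the checkpoint-traffic `severity_id` expression, `SEVERITY` is compared with numeric literals (`SEVERITY = 0` through `SEVERITY = 4`) and with the string `'Critical'` in the same CASE; whichever type the column actually has, one side of those comparisons forces an implicit cast that can fail at query time (a VARCHAR column holding `'Critical'` cannot be cast to a number for `SEVERITY = 0`, and a NUMBER column cannot be compared to `'Critical'`), so the branches should be normalised to one type, e.g. `SEVERITY::VARCHAR = '0'` ... `SEVERITY::VARCHAR = 'Critical'`. Three smaller points in the same hunk: `dst_endpoint.port` (`SERVICE::VARCHAR`) and `src_endpoint.port` (`S_PORT::VARCHAR`) are cast to VARCHAR while the fortinet-firewall hunk in this patch casts ports to NUMBER, and OCSF `port` is an integer; the `dst_endpoint.domain` regex `'^[a-zA-Z0-9-]+(\\\ .[a-zA-Z0-9-]+){1,}$'` has a literal space after the backslash, so as written it never matches a dotted hostname and the field is always NULL (the intended group is presumably `(\\.[a-zA-Z0-9-]+)`); and `activity_id` is hard-coded to `2` ('Close') for every row, whereas the cisco-asa-firewall hunk uses `6` ('Traffic') for the same class, so unless every Checkpoint traffic record is a session-close event, `6` or a derivation from the log's own fields is the safer default.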
@@ -0,0 +1,41 @@ +# Event Dossier: Cisco Asa Firewall to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `cisco-firewall` +* Product name: `cisco-asa-firewall` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```6::NUMBER``` | +| activity_name | ```CASE (6::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.user.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('name', EXTRACTED_FIELDS:group::VARCHAR))``` | +| actor.user.name | ```SOURCE_USERNAME::VARCHAR``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.protocol_name | ```LOWER(EXTRACTED_FIELDS:protocol)::VARCHAR``` | +| device.ip | ```FIREWALL_IP::VARCHAR``` | +| dst_endpoint.ip | ```DESTINATION_IP::VARCHAR``` | +| dst_endpoint.port | ```DESTINATION_PORT::VARCHAR``` | +| firewall_rule.uid | ```FIREWALL_IDENTIFIER::VARCHAR``` | +| message | ```RAW_LOG_MESSAGE::VARCHAR``` | +| metadata.event_code | ```event_type``` | +| metadata.product.name | ```'cisco-asa-firewall'``` | +| metadata.product.vendor_name | ```'cisco-firewall'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (SEVERITY::VARCHAR) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```SEVERITY::VARCHAR``` | +| src_endpoint.hostname | ```COALESCE(EXTRACTED_FIELDS:initiator_hostname,EXTRACTED_FIELDS:original_initiator_hostname)::VARCHAR``` | +| src_endpoint.ip | ```COALESCE(SOURCE_IP, EXTRACTED_FIELDS:original_initiator_ip, EXTRACTED_FIELDS:initiator_ip)::VARCHAR``` | +| src_endpoint.port | ```COALESCE(SOURCE_PORT, 
EXTRACTED_FIELDS:initiator_port)::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| traffic.bytes_in | ```EXTRACTED_FIELDS:responder_bytes::NUMBER``` | +| traffic.bytes_out | ```EXTRACTED_FIELDS:initiator_bytes::NUMBER``` | +| type_name | ```CASE (400106::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```400106::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Cisco/cisco-firewall/1.1.0/cisco-ftd-firewall/network_activity/README.md b/mappings/markdown/Cisco/cisco-firewall/1.1.0/cisco-ftd-firewall/network_activity/README.md new file mode 100644 index 00000000..f71b81bc --- /dev/null +++ b/mappings/markdown/Cisco/cisco-firewall/1.1.0/cisco-ftd-firewall/network_activity/README.md 
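Review bot: the cisco-asa-firewall `severity_id` is `SEVERITY::VARCHAR`, which passes the raw syslog level through as a string, and `severity` then evaluates `CASE (SEVERITY::VARCHAR) WHEN 0 ... WHEN 6`, comparing that string to numeric literals. OCSF `severity_id` is an integer, and the cisco-ftd-firewall hunk in this same patch inverts the scale (`SEVERITY = 1 THEN 6 ... SEVERITY = 6 THEN 1`) because syslog level 1 is the most severe while OCSF 1 is 'Informational'; without the same inversion here an ASA level-1 (alert) message lands as 'Informational' and a level-6 (informational) message as 'Fatal'. Suggest reusing the FTD expression and casting its result to NUMBER. Minor: `metadata.event_code | event_type` lacks the `::VARCHAR` cast every other column carries.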
@@ -0,0 +1,39 @@ +# Event Dossier: Cisco Ftd Firewall to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `cisco-firewall` +* Product name: `cisco-ftd-firewall` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```99::NUMBER``` | +| activity_name | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.user.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('name', EXTRACTED_FIELDS:group::VARCHAR))``` | +| actor.user.name | ```SOURCE_USERNAME::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| dst_endpoint.ip | ```COALESCE(DESTINATION_IP, EXTRACTED_FIELDS:target_ip)::VARCHAR``` | +| dst_endpoint.port | ```DESTINATION_PORT::VARCHAR``` | +| message | ```RAW_LOG_MESSAGE::VARCHAR``` | +| metadata.event_code | ```event_type``` | +| metadata.product.name | ```'cisco-ftd-firewall'``` | +| metadata.product.vendor_name | ```'cisco-firewall'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (CASE WHEN SEVERITY = 1 THEN 6 WHEN SEVERITY = 2 THEN 5 WHEN SEVERITY = 3 THEN 4 WHEN SEVERITY = 4 THEN 3 WHEN SEVERITY = 5 THEN 2 WHEN SEVERITY = 6 THEN 1 ELSE 0 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN SEVERITY = 1 THEN 6 WHEN SEVERITY = 2 THEN 5 WHEN SEVERITY = 3 
THEN 4 WHEN SEVERITY = 4 THEN 3 WHEN SEVERITY = 5 THEN 2 WHEN SEVERITY = 6 THEN 1 ELSE 0 END::NUMBER``` | +| src_endpoint.ip | ```SOURCE_IP::VARCHAR``` | +| src_endpoint.port | ```SOURCE_PORT::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (4001*100+99::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```4001*100+99::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Cisco/cisco-umbrella/1.1.0/cisco-umbrella-dns-logs/dns_activity/README.md b/mappings/markdown/Cisco/cisco-umbrella/1.1.0/cisco-umbrella-dns-logs/dns_activity/README.md new file mode 100644 index 00000000..263f1d19 --- /dev/null +++ b/mappings/markdown/Cisco/cisco-umbrella/1.1.0/cisco-umbrella-dns-logs/dns_activity/README.md 
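Review bot: in the cisco-ftd-firewall severity mapping the `ELSE 0` branch swallows syslog level 0 (emergency) and level 7 (debug) alike, so the most severe FTD messages come out as 'Unknown'; if `SEVERITY` is the 0-7 syslog level, the inversion should add `WHEN SEVERITY = 0 THEN 6` and `WHEN SEVERITY = 7 THEN 1` explicitly and keep `0` for a NULL value. Also, `action_id` and `activity_id` are both hard-coded to `99` ('Other') while the sibling cisco-asa-firewall hunk uses `6` ('Traffic') for `activity_id`; consumers that pivot on `type_uid` will see the two Cisco firewalls as different kinds of event for the same traffic. Style: `4001*100+99::NUMBER` works only because `::` binds before `+`; every other hunk writes the literal (`400199::NUMBER`), which reads more clearly.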
@@ -0,0 +1,35 @@ +# Event Dossier: Cisco Umbrella Dns Logs to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `cisco-umbrella` +* Product name: `cisco-umbrella-dns-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION IS NULL THEN 0 WHEN ACTION = 'Allowed' THEN 1 WHEN ACTION = 'Blocked' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION IS NULL THEN 0 WHEN ACTION = 'Allowed' THEN 1 WHEN ACTION = 'Blocked' THEN 2 ELSE 99 END::NUMBER``` | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| metadata.product.name | ```'cisco-umbrella-dns-logs'``` | +| metadata.product.vendor_name | ```'cisco-umbrella'``` | +| metadata.version | ```'1.1.0'``` | +| query.hostname | ```DOMAIN::VARCHAR``` | +| query.type | ```REGEXP_SUBSTR(QUERY_TYPE, '([A-Za-z]+)')::VARCHAR``` | +| rcode | ```CASE (CASE WHEN RESPONSE_CODE = 'NOERROR' THEN 0 WHEN RESPONSE_CODE = 'SERVFAIL' THEN 2 WHEN RESPONSE_CODE = 'NXDOMAIN' THEN 3 ELSE 99 END::NUMBER) WHEN 0 THEN 'NoError' WHEN 1 THEN 'FormError' WHEN 10 THEN 'NotZone' WHEN 11 THEN 'DSOTYPENI' WHEN 16 THEN 'BADSIG_VERS' WHEN 17 THEN 'BADKEY' WHEN 18 THEN 'BADTIME' WHEN 19 THEN 'BADMODE' WHEN 2 THEN 'ServError' WHEN 20 THEN 'BADNAME' WHEN 21 THEN 'BADALG' WHEN 22 THEN 'BADTRUNC' WHEN 23 THEN 'BADCOOKIE' WHEN 24 THEN 'Unassigned' WHEN 25 THEN 'Reserved' WHEN 3 THEN 'NXDomain' WHEN 4 THEN 'NotImp' WHEN 5 THEN 'Refused' WHEN 6 THEN 'YXDomain' 
WHEN 7 THEN 'YXRRSet' WHEN 8 THEN 'NXRRSet' WHEN 9 THEN 'NotAuth' WHEN 99 THEN 'Other' END``` | +| rcode_id | ```CASE WHEN RESPONSE_CODE = 'NOERROR' THEN 0 WHEN RESPONSE_CODE = 'SERVFAIL' THEN 2 WHEN RESPONSE_CODE = 'NXDOMAIN' THEN 3 ELSE 99 END::NUMBER``` | +| src_endpoint.domain | ```DOMAIN::VARCHAR``` | +| src_endpoint.ip | ```COALESCE(INTERNAL_IP, EXTERNAL_IP)::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (400301::NUMBER) WHEN 400300 THEN 'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 THEN 'DNS Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' WHEN 400399 THEN 'DNS Activity: Other' END``` | +| type_uid | ```400301::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Cloudflare/1.1.0/cloudflare-dns/dns_activity/README.md b/mappings/markdown/Cloudflare/1.1.0/cloudflare-dns/dns_activity/README.md new file mode 100644 index 00000000..7d041b2e --- /dev/null +++ b/mappings/markdown/Cloudflare/1.1.0/cloudflare-dns/dns_activity/README.md 
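Review bot: `src_endpoint.domain | DOMAIN::VARCHAR` in the cisco-umbrella-dns-logs hunk maps the queried name onto the source endpoint; `DOMAIN` is already (correctly) mapped to `query.hostname`, and `src_endpoint.domain` describes the client's own domain, so this line should be dropped rather than duplicating the query name on the client. Secondary: `rcode_id` maps only NOERROR, SERVFAIL and NXDOMAIN and sends everything else to `99`; REFUSED (5), FORMERR (1) and NOTIMP (4) are the common remaining codes, the `rcode` label list already names them, and adding those three branches costs nothing.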
@@ -0,0 +1,36 @@ +# Event Dossier: Cloudflare Dns to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `cloudflare` +* Product name: `cloudflare-dns` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```99::NUMBER``` | +| activity_name | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| metadata.product.name | ```'cloudflare-dns'``` | +| metadata.product.vendor_name | ```'cloudflare'``` | +| metadata.version | ```'1.1.0'``` | +| query.hostname | ```QUERY_NAME::VARCHAR``` | +| query.type | ```QUERY_TYPE::VARCHAR``` | +| rcode | ```CASE (CASE WHEN RESPONSE_CODE BETWEEN 0 AND 11 THEN RESPONSE_CODE WHEN RESPONSE_CODE BETWEEN 16 AND 23 THEN RESPONSE_CODE WHEN RESPONSE_CODE BETWEEN 12 AND 15 THEN 24 WHEN RESPONSE_CODE BETWEEN 24 AND 3840 THEN 24 WHEN RESPONSE_CODE BETWEEN 4096 AND 65534 THEN 24 WHEN RESPONSE_CODE BETWEEN 3841 AND 4095 THEN 25 WHEN RESPONSE_CODE = 65535 THEN 25 ELSE 99 END::NUMBER) WHEN 0 THEN 'NoError' WHEN 1 THEN 'FormError' WHEN 10 THEN 'NotZone' WHEN 11 THEN 'DSOTYPENI' WHEN 16 THEN 'BADSIG_VERS' WHEN 17 THEN 'BADKEY' WHEN 18 THEN 'BADTIME' WHEN 19 THEN 'BADMODE' WHEN 2 THEN 'ServError' WHEN 20 THEN 'BADNAME' WHEN 21 THEN 'BADALG' WHEN 22 THEN 'BADTRUNC' WHEN 23 THEN 'BADCOOKIE' WHEN 24 THEN 'Unassigned' WHEN 25 THEN 'Reserved' WHEN 3 THEN 'NXDomain' WHEN 4 THEN 'NotImp' WHEN 5 THEN 'Refused' WHEN 6 THEN 'YXDomain' WHEN 7 THEN 'YXRRSet' WHEN 8 THEN 'NXRRSet' 
WHEN 9 THEN 'NotAuth' WHEN 99 THEN 'Other' END``` | +| rcode_id | ```CASE WHEN RESPONSE_CODE BETWEEN 0 AND 11 THEN RESPONSE_CODE WHEN RESPONSE_CODE BETWEEN 16 AND 23 THEN RESPONSE_CODE WHEN RESPONSE_CODE BETWEEN 12 AND 15 THEN 24 WHEN RESPONSE_CODE BETWEEN 24 AND 3840 THEN 24 WHEN RESPONSE_CODE BETWEEN 4096 AND 65534 THEN 24 WHEN RESPONSE_CODE BETWEEN 3841 AND 4095 THEN 25 WHEN RESPONSE_CODE = 65535 THEN 25 ELSE 99 END::NUMBER``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```SOURCE_IP::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (400399::NUMBER) WHEN 400300 THEN 'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 THEN 'DNS Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' WHEN 400399 THEN 'DNS Activity: Other' END``` | +| type_uid | ```400399::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Cloudflare/1.1.0/cloudflare-http/http_activity/README.md b/mappings/markdown/Cloudflare/1.1.0/cloudflare-http/http_activity/README.md new file mode 100644 index 00000000..54c0916a --- /dev/null +++ b/mappings/markdown/Cloudflare/1.1.0/cloudflare-http/http_activity/README.md 
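Review bot: cloudflare-dns hard-codes `activity_id` to `99` ('Other') and `type_uid` to `400399`, while the cisco-umbrella-dns-logs hunk in this same patch, for the same class and the same kind of resolver query log, uses `1` ('Query') and `400301`; a detection written against `type_uid = 400301` would miss every Cloudflare DNS event. Unless these rows are known not to be queries, `1` is the consistent choice. The `rcode_id` range table (0-11 and 16-23 passed through, 12-15, 24-3840 and 4096-65534 to 24 'Unassigned', 3841-4095 and 65535 to 25 'Reserved') reads correctly against the IANA RCODE registry.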
@@ -0,0 +1,57 @@ +# Event Dossier: Cloudflare Http to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `cloudflare` +* Product name: `cloudflare-http` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN WAF_ACTION = 'unknown' THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN WAF_ACTION = 'unknown' THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```DECODE(CLIENT_REQUEST_METHOD, 'CONNECT', 1, 'DELETE', 2, 'GET', 3, 'HEAD', 4, 'OPTIONS', 5, 'POST', 6, 'PUT', 7, 'TRACE', 8,0)``` | +| activity_name | ```CASE (DECODE(CLIENT_REQUEST_METHOD, 'CONNECT', 1, 'DELETE', 2, 'GET', 3, 'HEAD', 4, 'OPTIONS', 5, 'POST', 6, 'PUT', 7, 'TRACE', 8,0)) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| connection_info.boundary | ```CASE (5::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Localhost' WHEN 10 THEN 'Gateway VPC' WHEN 11 THEN 'Internet Gateway' WHEN 2 THEN 'Internal' WHEN 3 THEN 'External' WHEN 4 THEN 'Same VPC' WHEN 5 THEN 'Internet/VPC Gateway' WHEN 6 THEN 'Virtual Private Gateway' WHEN 7 THEN 'Intra-region VPC' WHEN 8 THEN 'Inter-region VPC' WHEN 9 THEN 'Local Gateway' WHEN 99 THEN 'Other' END``` | +| connection_info.boundary_id | ```5::NUMBER``` | +| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | 
```1::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(ORIGIN_IP, 'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(ORIGIN_IP, 'INET'):family::NUMBER``` | +| connection_info.uid | ```HASH::VARCHAR``` | +| dst_endpoint.hostname | ```CLIENT_REQUEST_HOST::VARCHAR``` | +| dst_endpoint.ip | ```COALESCE(ORIGIN_IP, EDGE_SERVER_IP)::VARCHAR``` | +| end_time | ```date_part('epoch_milliseconds', EDGE_END_TIMESTAMP::TIMESTAMP_LTZ)``` | +| end_time_dt | ```EDGE_END_TIMESTAMP::TIMESTAMP_LTZ``` | +| firewall_rule.name | ```parse_json(FIREWALL_MATCHES_RULE_I_DS)[0]::VARCHAR``` | +| http_request.http_method | ```CLIENT_REQUEST_METHOD::VARCHAR``` | +| http_request.referrer | ```CLIENT_REQUEST_REFERER::VARCHAR``` | +| http_request.url.hostname | ```CLIENT_REQUEST_HOST::VARCHAR``` | +| http_request.url.path | ```CLIENT_REQUEST_PATH::VARCHAR``` | +| http_request.url.port | ```CLIENT_SRC_PORT::VARCHAR``` | +| http_request.user_agent | ```CLIENT_REQUEST_USER_AGENT::VARCHAR``` | +| http_response.length | ```COALESCE(EDGE_RESPONSE_BYTES, ORIGIN_RESPONSE_BYTES)::NUMBER``` | +| http_response.status | ```COALESCE(EDGE_RESPONSE_STATUS, ORIGIN_RESPONSE_STATUS)::VARCHAR``` | +| metadata.product.name | ```'cloudflare-http'``` | +| metadata.product.vendor_name | ```'cloudflare'``` | +| metadata.version | ```'1.1.0'``` | +| src_endpoint.ip | ```CLIENT_IP::VARCHAR``` | +| src_endpoint.location.country | ```CLIENT_COUNTRY::VARCHAR``` | +| src_endpoint.port | ```CLIENT_SRC_PORT::VARCHAR``` | +| src_endpoint.type | ```CASE (CASE WHEN CLIENT_DEVICE_TYPE = 'desktop' THEN 2 WHEN CLIENT_DEVICE_TYPE = 'mobile' THEN 5 WHEN CLIENT_DEVICE_TYPE = 'tablet' THEN 4 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 
'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| src_endpoint.type_id | ```CASE WHEN CLIENT_DEVICE_TYPE = 'desktop' THEN 2 WHEN CLIENT_DEVICE_TYPE = 'mobile' THEN 5 WHEN CLIENT_DEVICE_TYPE = 'tablet' THEN 4 ELSE 99 END::NUMBER``` | +| start_time | ```date_part('epoch_milliseconds', EDGE_START_TIMESTAMP::TIMESTAMP_LTZ)``` | +| start_time_dt | ```EDGE_START_TIMESTAMP::TIMESTAMP_LTZ``` | +| status_code | ```CACHE_RESPONSE_STATUS::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', edge_start_timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```edge_start_timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (DECODE(CLIENT_REQUEST_METHOD, 'CONNECT', 400201, 'DELETE', 400202, 'GET', 400203, 'HEAD', 400204, 'OPTIONS', 400205, 'POST', 400206, 'PUT', 400207, 'TRACE', 400208,400200)) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```DECODE(CLIENT_REQUEST_METHOD, 'CONNECT', 400201, 'DELETE', 400202, 'GET', 400203, 'HEAD', 400204, 'OPTIONS', 400205, 'POST', 400206, 'PUT', 400207, 'TRACE', 400208,400200)``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Cybereason/1.1.0/cybereason-sensors/inventory_info/README.md b/mappings/markdown/Cybereason/1.1.0/cybereason-sensors/inventory_info/README.md new file mode 100644 index 00000000..5735ffa7 --- /dev/null +++ b/mappings/markdown/Cybereason/1.1.0/cybereason-sensors/inventory_info/README.md 
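Review bot: `http_request.url.port | CLIENT_SRC_PORT::VARCHAR` in the cloudflare-http hunk puts the client's ephemeral source port into the request URL; the URL port is the server-side port the request was sent to, and `CLIENT_SRC_PORT` is already correctly mapped to `src_endpoint.port`, so this line should be removed or pointed at an edge/origin port field. Two related points: `connection_info.protocol_ver_id | PARSE_IP(ORIGIN_IP, 'INET'):family` derives the IP family from `ORIGIN_IP` alone while `dst_endpoint.ip` is `COALESCE(ORIGIN_IP, EDGE_SERVER_IP)`, so rows served without an origin fetch get a NULL family for a non-NULL destination, and a malformed value makes `PARSE_IP` raise unless the permissive flag is passed (`PARSE_IP(..., 'INET', 1)`); feeding it the same COALESCE keeps the two fields consistent. And `action_id` sends every `WAF_ACTION` other than `'unknown'` to `99` ('Other'), so allow versus block, the one thing a WAF log is for, is not distinguishable in `action_id`; mapping the allow and block values to `1` and `2` fixes that.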
@@ -0,0 +1,49 @@ +# Event Dossier: Cybereason Sensors to OCSF class Inventory Info + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `inventory_info` +* Vendor name: `Cybereason` +* Product name: `cybereason-sensors` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```0::NUMBER``` | +| activity_name | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Log' WHEN 2 THEN 'Collect' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (5::NUMBER) WHEN 5 THEN 'Discovery' END``` | +| category_uid | ```5::NUMBER``` | +| class_name | ```'inventory_info'``` | +| class_uid | ```5001``` | +| device.domain | ```FQDN::VARCHAR``` | +| device.first_seen_time | ```date_part('epoch_milliseconds', FIRST_SEEN_TIME::TIMESTAMP_LTZ)``` | +| device.first_seen_time_dt | ```FIRST_SEEN_TIME::TIMESTAMP_LTZ``` | +| device.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('name', GROUP_NAME::VARCHAR, 'uid', GROUP_ID::VARCHAR))``` | +| device.ip | ```EXTERNAL_IP_ADDRESS::VARCHAR``` | +| device.last_seen_time | ```date_part('epoch_milliseconds', DISCONNECTION_TIME::TIMESTAMP_LTZ)``` | +| device.last_seen_time_dt | ```DISCONNECTION_TIME::TIMESTAMP_LTZ``` | +| device.modified_time | ```date_part('epoch_milliseconds', SENSOR_LAST_UPDATE::TIMESTAMP_LTZ)``` | +| device.modified_time_dt | ```SENSOR_LAST_UPDATE::TIMESTAMP_LTZ``` | +| device.name | ```MACHINE_NAME::VARCHAR``` | +| device.org.name | ```ORGANIZATION::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN OS_TYPE='Windows' THEN 100 WHEN OS_TYPE='Windows Mobile' THEN 101 WHEN OS_TYPE='Linux' THEN 200 WHEN OS_TYPE='Android' THEN 201 WHEN OS_TYPE='macOS' THEN 300 WHEN OS_TYPE='iOS' THEN 301 WHEN OS_TYPE='iPadOS' THEN 302 WHEN OS_TYPE='Solaris' THEN 400 WHEN OS_TYPE='AIX' THEN 401 WHEN OS_TYPE='HP-UX' THEN 402 WHEN STATUS IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows 
Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN OS_TYPE='Windows' THEN 100 WHEN OS_TYPE='Windows Mobile' THEN 101 WHEN OS_TYPE='Linux' THEN 200 WHEN OS_TYPE='Android' THEN 201 WHEN OS_TYPE='macOS' THEN 300 WHEN OS_TYPE='iOS' THEN 301 WHEN OS_TYPE='iPadOS' THEN 302 WHEN OS_TYPE='Solaris' THEN 400 WHEN OS_TYPE='AIX' THEN 401 WHEN OS_TYPE='HP-UX' THEN 402 WHEN STATUS IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| device.os.version | ```OS_VERSION_TYPE::VARCHAR``` | +| device.type | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| device.type_id | ```0::NUMBER``` | +| device.uid | ```SENSOR_ID::VARCHAR``` | +| device.uid_alt | ```GUID::VARCHAR``` | +| metadata.product.name | ```'cybereason-sensors'``` | +| metadata.product.vendor_name | ```'Cybereason'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| status | ```CASE (CASE WHEN STATUS='Success' THEN 1 WHEN STATUS='Failure' THEN 2 WHEN STATUS IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN STATUS='Success' THEN 1 WHEN STATUS='Failure' THEN 2 WHEN STATUS IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', LAST_PYLUM_UPDATE_TIMESTAMP_MS::TIMESTAMP_LTZ)``` | +| time_dt | 
```LAST_PYLUM_UPDATE_TIMESTAMP_MS::TIMESTAMP_LTZ``` | +| type_name | ```CASE (500100::NUMBER) WHEN 500100 THEN 'Device Inventory Info: Unknown' WHEN 500101 THEN 'Device Inventory Info: Log' WHEN 500102 THEN 'Device Inventory Info: Collect' WHEN 500199 THEN 'Device Inventory Info: Other' END``` | +| type_uid | ```500100::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Duo/1.1.0/duo-authentication-logs/authentication/README.md b/mappings/markdown/Duo/1.1.0/duo-authentication-logs/authentication/README.md new file mode 100644 index 00000000..ffcbf4c6 --- /dev/null +++ b/mappings/markdown/Duo/1.1.0/duo-authentication-logs/authentication/README.md 
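Review bot: the cybereason-sensors `device.os.type_id` expression ends with `WHEN STATUS IS NULL THEN 0 ELSE 99`, i.e. it tests the wrong column; the NULL check was evidently copied from the `status_id` mapping and should read `WHEN OS_TYPE IS NULL THEN 0`, otherwise a sensor with no OS reported but a non-null STATUS is labelled 'Other' instead of 'Unknown'. The same fix applies to the `device.os.type` label expression, which repeats the inner CASE. Minor: `time | LAST_PYLUM_UPDATE_TIMESTAMP_MS::TIMESTAMP_LTZ` relies on Snowflake inferring the scale of an epoch integer from its magnitude; since the column name says milliseconds, `TO_TIMESTAMP_LTZ(LAST_PYLUM_UPDATE_TIMESTAMP_MS, 3)` states that explicitly.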
@@ -0,0 +1,50 @@ +# Event Dossier: Duo Authentication Logs to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `duo` +* Product name: `duo-authentication-logs` +* Event codes: `EVENT_TYPE = 'authentication'` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| device.hostname | ```ACCESS_DEVICE_HOSTNAME::VARCHAR``` | +| device.ip | ```ACCESS_DEVICE_IP::VARCHAR``` | +| device.location.city | ```AUTH_DEVICE_LOCATION:city::VARCHAR``` | +| device.location.country | ```AUTH_DEVICE_LOCATION:country::VARCHAR``` | +| device.os.name | ```ACCESS_DEVICE_OS::VARCHAR``` | +| device.os.version | ```CONCAT(ACCESS_DEVICE_OS, ' ', RAW:access_device:os_version)::VARCHAR``` | +| device.type | ```CASE (CASE WHEN ACCESS_DEVICE_BROWSER IS NULL THEN 0 ELSE 8 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| device.type_id | ```CASE WHEN ACCESS_DEVICE_BROWSER IS NULL THEN 0 ELSE 8 END::NUMBER``` | +| device.uid | ```ACCESS_DEVICE_EPKEY::VARCHAR``` | 
+| is_mfa | ```IFF(FACTOR IS NULL OR FACTOR = 'not_available', false, true)::BOOLEAN``` | +| metadata.event_code | ```event_type``` | +| metadata.product.name | ```'duo-authentication-logs'``` | +| metadata.product.vendor_name | ```'duo'``` | +| metadata.version | ```'1.1.0'``` | +| service.name | ```APPLICATION_NAME::VARCHAR``` | +| service.uid | ```APPLICATION_KEY::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.hostname | ```HOST::VARCHAR``` | +| status | ```CASE (CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_detail | ```REASON::VARCHAR``` | +| status_id | ```CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((300200 + (CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END))::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```(300200 + (CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END))::NUMBER``` | +| user.email_addr | ```EMAIL::VARCHAR``` | +| user.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT('name', USER_GROUPS[0]))::VARIANT``` | 
+| user.name | ```USER_NAME::VARCHAR``` | +| user.uid | ```USER_KEY::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Fortinet/1.1.0/fortinet-firewall/network_activity/README.md b/mappings/markdown/Fortinet/1.1.0/fortinet-firewall/network_activity/README.md new file mode 100644 index 00000000..64a9410b --- /dev/null +++ b/mappings/markdown/Fortinet/1.1.0/fortinet-firewall/network_activity/README.md 
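Review bot: the duo-authentication-logs `activity_id` maps `RESULT = 'denied'` to `2`, which is the OCSF 'Logoff' activity, so every denied authentication becomes `type_uid` 300202 'Authentication: Logoff' and disappears from a query for failed logons. A denied attempt is still a Logon (`activity_id = 1`) whose outcome belongs in `status_id`, which this hunk already sets to `2` ('Failure') from the same RESULT value. Suggest `CASE WHEN RESULT IS NULL THEN 0 ELSE 1 END` for `activity_id`, with the same inner expression in `activity_name`, `type_name` and `type_uid`. Minor: `user.groups` takes only `USER_GROUPS[0]`, dropping any further groups the user belongs to.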
@@ -0,0 +1,53 @@ +# Event Dossier: Fortinet Firewall to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `fortinet` +* Product name: `fortinet-firewall` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION='start' THEN 1 WHEN ACTION='accept' THEN 1 WHEN ACTION='permit' THEN 1 WHEN ACTION='close' THEN 2 WHEN ACTION='Reject' THEN 2 WHEN ACTION='block' THEN 2 WHEN ACTION='deny' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION='start' THEN 1 WHEN ACTION='accept' THEN 1 WHEN ACTION='permit' THEN 1 WHEN ACTION='close' THEN 2 WHEN ACTION='Reject' THEN 2 WHEN ACTION='block' THEN 2 WHEN ACTION='deny' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN TYPE is null then 0 WHEN TYPE = 'traffic' then 6 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN TYPE is null then 0 WHEN TYPE = 'traffic' then 6 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| authorizations.policy.uid | ```POLICY_ID::VARCHAR``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.protocol_name | ```SERVICE::VARCHAR``` | +| connection_info.protocol_num | ```PROTO::NUMBER``` | +| connection_info.session.count | ```TOTAL_SESSION::NUMBER``` | +| connection_info.session.uid | ```SESSION_ID::VARCHAR``` | +| device.name | ```DEV_NAME::VARCHAR``` | +| device.type | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 
THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| device.type_id | ```0::NUMBER``` | +| device.uid | ```DEV_ID::VARCHAR``` | +| dst_endpoint.interface_name | ```DST_INTF::VARCHAR``` | +| dst_endpoint.ip | ```DST_IP::VARCHAR``` | +| dst_endpoint.location.country | ```DST_COUNTRY::VARCHAR``` | +| dst_endpoint.port | ```DST_PORT::NUMBER``` | +| duration | ```DURATION::NUMBER``` | +| message | ```MSG::VARCHAR``` | +| metadata.event_code | ```type``` | +| metadata.product.name | ```'fortinet-firewall'``` | +| metadata.product.vendor_name | ```'fortinet'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (CASE WHEN LEVEL='information' THEN 1 WHEN LEVEL='info' THEN 1 WHEN LEVEL='notice' THEN 2 WHEN LEVEL='warning' THEN 3 WHEN LEVEL='alert' THEN 4 WHEN LEVEL='critical' THEN 5 WHEN LEVEL='error' THEN 6 WHEN LEVEL IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN LEVEL='information' THEN 1 WHEN LEVEL='info' THEN 1 WHEN LEVEL='notice' THEN 2 WHEN LEVEL='warning' THEN 3 WHEN LEVEL='alert' THEN 4 WHEN LEVEL='critical' THEN 5 WHEN LEVEL='error' THEN 6 WHEN LEVEL IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| src_endpoint.interface_name | ```SRC_INTF::VARCHAR``` | +| src_endpoint.ip | ```SRC_IP::VARCHAR``` | +| src_endpoint.location.country | ```SRC_COUNTRY::VARCHAR``` | +| src_endpoint.port | ```SRC_PORT::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| traffic.bytes_in | ```RCVD_BYTE::NUMBER``` | +| traffic.bytes_out | ```SENT_BYTE::NUMBER``` | +| traffic.packets_in | ```RCVD_PKT::NUMBER``` | +| traffic.packets_out | ```SENT_PKT::NUMBER``` | +| type_name | ```CASE ((400100 + (CASE WHEN TYPE is null then 0 WHEN TYPE = 'traffic' 
then 6 ELSE 99 END))::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```(400100 + (CASE WHEN TYPE is null then 0 WHEN TYPE = 'traffic' then 6 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/GCP/1.1.0/gcp-audit/http_activity/README.md b/mappings/markdown/GCP/1.1.0/gcp-audit/http_activity/README.md new file mode 100644 index 00000000..47ad0747 --- /dev/null +++ b/mappings/markdown/GCP/1.1.0/gcp-audit/http_activity/README.md 
@@ -0,0 +1,70 @@ +# Event Dossier: Gcp Audit to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `gcp` +* Product name: `gcp-audit` +* Event codes: `LOG_TYPE = 'requests'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```0::NUMBER``` | +| activity_id | ```CASE WHEN HTTP_REQUEST:requestMethod = 'CONNECT' THEN 1 WHEN HTTP_REQUEST:requestMethod = 'DELETE' THEN 2 WHEN HTTP_REQUEST:requestMethod = 'GET' THEN 3 WHEN HTTP_REQUEST:requestMethod = 'HEAD' THEN 4 WHEN HTTP_REQUEST:requestMethod = 'OPTIONS' THEN 5 WHEN HTTP_REQUEST:requestMethod = 'POST' THEN 6 WHEN HTTP_REQUEST:requestMethod = 'PUT' THEN 7 WHEN HTTP_REQUEST:requestMethod = 'TRACE' THEN 8 WHEN HTTP_REQUEST:requestMethod IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN HTTP_REQUEST:requestMethod = 'CONNECT' THEN 1 WHEN HTTP_REQUEST:requestMethod = 'DELETE' THEN 2 WHEN HTTP_REQUEST:requestMethod = 'GET' THEN 3 WHEN HTTP_REQUEST:requestMethod = 'HEAD' THEN 4 WHEN HTTP_REQUEST:requestMethod = 'OPTIONS' THEN 5 WHEN HTTP_REQUEST:requestMethod = 'POST' THEN 6 WHEN HTTP_REQUEST:requestMethod = 'PUT' THEN 7 WHEN HTTP_REQUEST:requestMethod = 'TRACE' THEN 8 WHEN HTTP_REQUEST:requestMethod IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| api.operation | ```OPERATION::VARCHAR``` | +| api.response.code | ```HTTP_REQUEST:status::NUMBER``` | +| api.response.error_message | ```CASE WHEN HTTP_REQUEST:status ILIKE '4%%' THEN RAW:textPayload ELSE NULL END::VARCHAR``` | +| api.service.labels | ```RAW:labels::VARCHAR``` | +| 
api.service.name | ```RESOURCE_LABELS:service_name::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| cloud.account.type | ```CASE (5::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'LDAP Account' WHEN 10 THEN 'AWS Account' WHEN 2 THEN 'Windows Account' WHEN 3 THEN 'AWS IAM User' WHEN 4 THEN 'AWS IAM Role' WHEN 5 THEN 'GCP Account' WHEN 6 THEN 'Azure AD Account' WHEN 7 THEN 'Mac OS Account' WHEN 8 THEN 'Apple Account' WHEN 9 THEN 'Linux Account' WHEN 99 THEN 'Other' END``` | +| cloud.account.type_id | ```5::NUMBER``` | +| cloud.account.uid | ```RAW:labels:instanceId::VARCHAR``` | +| cloud.project_uid | ```RESOURCE_LABELS:project_id::VARCHAR``` | +| cloud.provider | ```'GCP'::VARCHAR``` | +| cloud.region | ```RESOURCE_LABELS:location::VARCHAR``` | +| connection_info.boundary | ```CASE (5::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Localhost' WHEN 10 THEN 'Gateway VPC' WHEN 11 THEN 'Internet Gateway' WHEN 2 THEN 'Internal' WHEN 3 THEN 'External' WHEN 4 THEN 'Same VPC' WHEN 5 THEN 'Internet/VPC Gateway' WHEN 6 THEN 'Virtual Private Gateway' WHEN 7 THEN 'Intra-region VPC' WHEN 8 THEN 'Inter-region VPC' WHEN 9 THEN 'Local Gateway' WHEN 99 THEN 'Other' END``` | +| connection_info.boundary_id | ```5::NUMBER``` | +| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```1::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(HTTP_REQUEST:remoteIp::VARCHAR, 'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(HTTP_REQUEST:remoteIp::VARCHAR, 'INET'):family::NUMBER``` | +| dst_endpoint.ip | 
```HTTP_REQUEST:serverIp::VARCHAR``` | +| http_request.http_method | ```CASE WHEN HTTP_REQUEST:requestMethod = 'CONNECT' THEN 'CONNECT' WHEN HTTP_REQUEST:requestMethod = 'DELETE' THEN 'DELETE' WHEN HTTP_REQUEST:requestMethod = 'GET' THEN 'GET' WHEN HTTP_REQUEST:requestMethod = 'HEAD' THEN 'HEAD' WHEN HTTP_REQUEST:requestMethod = 'OPTIONS' THEN 'OPTIONS' WHEN HTTP_REQUEST:requestMethod = 'POST' THEN 'POST' WHEN HTTP_REQUEST:requestMethod = 'PUT' THEN 'PUT' WHEN HTTP_REQUEST:requestMethod = 'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` | +| http_request.length | ```HTTP_REQUEST:requestSize::NUMBER``` | +| http_request.referrer | ```HTTP_REQUEST:referer::VARCHAR``` | +| http_request.url.resource_type | ```RESOURCE_TYPE::VARCHAR``` | +| http_request.url.scheme | ```REGEXP_SUBSTR(HTTP_REQUEST:requestUrl, '^([a-zA-Z]+)')::VARCHAR``` | +| http_request.url.url_string | ```HTTP_REQUEST:requestUrl::VARCHAR``` | +| http_request.user_agent | ```HTTP_REQUEST:userAgent::VARCHAR``` | +| http_request.version | ```REGEXP_SUBSTR(HTTP_REQUEST:protocol, '([0-9\.]+)')::VARCHAR``` | +| http_response.code | ```HTTP_REQUEST:status::NUMBER``` | +| http_response.latency | ```REGEXP_SUBSTR(HTTP_REQUEST:latency, '([0-9\.]+)')::NUMBER``` | +| http_response.length | ```HTTP_REQUEST:responseSize::NUMBER``` | +| http_status | ```HTTP_REQUEST:status::NUMBER``` | +| message | ```RAW:textPayload::VARCHAR``` | +| metadata.labels | ```LOG_LABELS::VARCHAR``` | +| metadata.log_name | ```LOG_NAME::VARCHAR``` | +| metadata.logged_time | ```date_part('epoch_milliseconds', RAW:receiveTimestamp::TIMESTAMP_LTZ)``` | +| metadata.logged_time_dt | ```RAW:receiveTimestamp::TIMESTAMP_LTZ``` | +| metadata.product.name | ```'gcp-audit'``` | +| metadata.product.vendor_name | ```'gcp'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (CASE WHEN SEVERITY='INFO' THEN 1 WHEN SEVERITY='WARNING' THEN 2 WHEN SEVERITY='ERROR' THEN 4 WHEN SEVERITY IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 
1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN SEVERITY='INFO' THEN 1 WHEN SEVERITY='WARNING' THEN 2 WHEN SEVERITY='ERROR' THEN 4 WHEN SEVERITY IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| src_endpoint.ip | ```HTTP_REQUEST:remoteIp::VARCHAR``` | +| status | ```CASE (CASE WHEN HTTP_REQUEST:status ILIKE '2%%' THEN 1 WHEN HTTP_REQUEST:status ILIKE '4%%' THEN 2 WHEN HTTP_REQUEST:status IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_detail | ```RAW:textPayload::VARCHAR``` | +| status_id | ```CASE WHEN HTTP_REQUEST:status ILIKE '2%%' THEN 1 WHEN HTTP_REQUEST:status ILIKE '4%%' THEN 2 WHEN HTTP_REQUEST:status IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE WHEN HTTP_REQUEST:requestMethod = 'CONNECT' THEN 400201 WHEN HTTP_REQUEST:requestMethod = 'DELETE' THEN 400202 WHEN HTTP_REQUEST:requestMethod = 'GET' THEN 400203 WHEN HTTP_REQUEST:requestMethod = 'HEAD' THEN 400204 WHEN HTTP_REQUEST:requestMethod = 'OPTIONS' THEN 400205 WHEN HTTP_REQUEST:requestMethod = 'POST' THEN 400206 WHEN HTTP_REQUEST:requestMethod = 'PUT' THEN 400207 WHEN HTTP_REQUEST:requestMethod = 'TRACE' THEN 400208 WHEN HTTP_REQUEST:requestMethod IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN 
HTTP_REQUEST:requestMethod = 'CONNECT' THEN 400201 WHEN HTTP_REQUEST:requestMethod = 'DELETE' THEN 400202 WHEN HTTP_REQUEST:requestMethod = 'GET' THEN 400203 WHEN HTTP_REQUEST:requestMethod = 'HEAD' THEN 400204 WHEN HTTP_REQUEST:requestMethod = 'OPTIONS' THEN 400205 WHEN HTTP_REQUEST:requestMethod = 'POST' THEN 400206 WHEN HTTP_REQUEST:requestMethod = 'PUT' THEN 400207 WHEN HTTP_REQUEST:requestMethod = 'TRACE' THEN 400208 WHEN HTTP_REQUEST:requestMethod IS NULL THEN 400200 ELSE 400299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Github/1.1.0/github-server-logs/http_activity/README.md b/mappings/markdown/Github/1.1.0/github-server-logs/http_activity/README.md new file mode 100644 index 00000000..ea13e56b --- /dev/null +++ b/mappings/markdown/Github/1.1.0/github-server-logs/http_activity/README.md 
@@ -0,0 +1,62 @@ +# Event Dossier: Github Server Logs to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `github` +* Product name: `github-server-logs` +* Event codes: `PROTOCOL = 'http' OR REQUEST_METHOD IS NOT NULL` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```0::NUMBER``` | +| activity_id | ```CASE WHEN REQUEST_METHOD = 'connect' THEN 1 WHEN REQUEST_METHOD = 'delete' THEN 2 WHEN REQUEST_METHOD = 'get' THEN 3 WHEN REQUEST_METHOD = 'head' THEN 4 WHEN REQUEST_METHOD = 'options' THEN 5 WHEN REQUEST_METHOD = 'post' THEN 6 WHEN REQUEST_METHOD = 'put' THEN 7 WHEN REQUEST_METHOD = 'trace' THEN 8 WHEN REQUEST_METHOD IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN REQUEST_METHOD = 'connect' THEN 1 WHEN REQUEST_METHOD = 'delete' THEN 2 WHEN REQUEST_METHOD = 'get' THEN 3 WHEN REQUEST_METHOD = 'head' THEN 4 WHEN REQUEST_METHOD = 'options' THEN 5 WHEN REQUEST_METHOD = 'post' THEN 6 WHEN REQUEST_METHOD = 'put' THEN 7 WHEN REQUEST_METHOD = 'trace' THEN 8 WHEN REQUEST_METHOD IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| app_name | ```APP::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```1::NUMBER``` | +| 
connection_info.protocol_ver | ```CASE (PARSE_IP(COALESCE(IP, REMOTE_ADDRESS), 'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(COALESCE(IP, REMOTE_ADDRESS), 'INET'):family::NUMBER``` | +| connection_info.session.uid | ```RAW:user_session_id::VARCHAR``` | +| count | ```RAW:worker_request_count::NUMBER``` | +| dst_endpoint.type | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| dst_endpoint.type_id | ```1::NUMBER``` | +| dst_endpoint.uid | ```RAW:server_id::VARCHAR``` | +| http_request.args | ```RAW:query_string::VARCHAR``` | +| http_request.http_method | ```CASE WHEN REQUEST_METHOD = 'connect' THEN 'CONNECT' WHEN REQUEST_METHOD = 'delete' THEN 'DELETE' WHEN REQUEST_METHOD = 'get' THEN 'GET' WHEN REQUEST_METHOD = 'head' THEN 'HEAD' WHEN REQUEST_METHOD = 'options' THEN 'OPTIONS' WHEN REQUEST_METHOD = 'post' THEN 'POST' WHEN REQUEST_METHOD = 'put' THEN 'PUT' WHEN REQUEST_METHOD = 'trace' THEN 'TRACE' ELSE NULL END::VARCHAR``` | +| http_request.length | ```RAW:content_length::NUMBER``` | +| http_request.referrer | ```RAW:referer::VARCHAR``` | +| http_request.uid | ```REQUEST_ID::VARCHAR``` | +| http_request.url.hostname | ```REQUEST_HOST::VARCHAR``` | +| http_request.url.path | ```RAW:path_info::VARCHAR``` | +| http_request.url.query_string | ```RAW:query_string::VARCHAR``` | +| http_request.url.resource_type | ```REPO::VARCHAR``` | +| http_request.url.scheme | ```REGEXP_SUBSTR(URL, '^([a-zA-Z]+)')::VARCHAR``` | +| http_request.url.url_string | ```URL::VARCHAR``` | +| http_request.user_agent | ```USER_AGENT::VARCHAR``` | +| 
http_request.x_forwarded_for | ```RAW:x_forwarded_for::VARCHAR``` | +| http_response.code | ```STATUS::NUMBER``` | +| http_status | ```STATUS::NUMBER``` | +| message | ```MESSAGE::VARCHAR``` | +| metadata.event_code | ```event_type``` | +| metadata.product.name | ```'github-server-logs'``` | +| metadata.product.vendor_name | ```'github'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```COALESCE(IP, REMOTE_ADDRESS)::VARCHAR``` | +| src_endpoint.name | ```RAW:user::VARCHAR``` | +| status | ```CASE (CASE WHEN STATUS ILIKE '2%%' THEN 1 WHEN STATUS ILIKE '4%%' THEN 2 WHEN STATUS IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN STATUS ILIKE '2%%' THEN 1 WHEN STATUS ILIKE '4%%' THEN 2 WHEN STATUS IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE WHEN REQUEST_METHOD = 'connect' THEN 400201 WHEN REQUEST_METHOD = 'delete' THEN 400202 WHEN REQUEST_METHOD = 'get' THEN 400203 WHEN REQUEST_METHOD = 'head' THEN 400204 WHEN REQUEST_METHOD = 'options' THEN 400205 WHEN REQUEST_METHOD = 'post' THEN 400206 WHEN REQUEST_METHOD = 'put' THEN 400207 WHEN REQUEST_METHOD = 'trace' THEN 400208 WHEN REQUEST_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 
400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN REQUEST_METHOD = 'connect' THEN 400201 WHEN REQUEST_METHOD = 'delete' THEN 400202 WHEN REQUEST_METHOD = 'get' THEN 400203 WHEN REQUEST_METHOD = 'head' THEN 400204 WHEN REQUEST_METHOD = 'options' THEN 400205 WHEN REQUEST_METHOD = 'post' THEN 400206 WHEN REQUEST_METHOD = 'put' THEN 400207 WHEN REQUEST_METHOD = 'trace' THEN 400208 WHEN REQUEST_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Imperva/1.1.0/imperva-waf-logs/http_activity/README.md b/mappings/markdown/Imperva/1.1.0/imperva-waf-logs/http_activity/README.md new file mode 100644 index 00000000..ec59cbf3 --- /dev/null +++ b/mappings/markdown/Imperva/1.1.0/imperva-waf-logs/http_activity/README.md 
@@ -0,0 +1,62 @@ +# Event Dossier: Imperva Waf Logs to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `imperva` +* Product name: `imperva-waf-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```0::NUMBER``` | +| activity_id | ```CASE WHEN METHOD is NULL THEN 0 WHEN METHOD = 'Connect' THEN 1 WHEN METHOD = 'Delete' THEN 2 WHEN METHOD = 'Get' THEN 3 WHEN METHOD = 'Head' THEN 4 WHEN METHOD = 'Options' THEN 5 WHEN METHOD = 'Post' THEN 6 WHEN METHOD = 'Put' THEN 7 WHEN METHOD = 'Trace' THEN 8 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN METHOD is NULL THEN 0 WHEN METHOD = 'Connect' THEN 1 WHEN METHOD = 'Delete' THEN 2 WHEN METHOD = 'Get' THEN 3 WHEN METHOD = 'Head' THEN 4 WHEN METHOD = 'Options' THEN 5 WHEN METHOD = 'Post' THEN 6 WHEN METHOD = 'Put' THEN 7 WHEN METHOD = 'Trace' THEN 8 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| app_name | ```CLAPP::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```1::NUMBER``` | +| device.zone | ```POP_NAME::VARCHAR``` | +| dst_endpoint.domain | ```SITE_NAME::VARCHAR``` | +| dst_endpoint.ip | ```SIP::VARCHAR``` | +| dst_endpoint.location.coordinates | ```ARRAY_CONSTRUCT(LONGITUDE, 
LATITUDE)``` | +| dst_endpoint.location.country | ```COUNTRY_CODE::VARCHAR``` | +| dst_endpoint.port | ```SPT::VARCHAR``` | +| dst_endpoint.zone | ```POP_NAME::VARCHAR``` | +| end_time | ```date_part('epoch_milliseconds', RESPONSE_END_TIME::TIMESTAMP_LTZ)``` | +| end_time_dt | ```RESPONSE_END_TIME::TIMESTAMP_LTZ``` | +| http_request.http_method | ```METHOD::VARCHAR``` | +| http_request.length | ```CONTENT_LENGTH::NUMBER``` | +| http_request.referrer | ```REFERRER::VARCHAR``` | +| http_request.uid | ```REQUEST_ID::VARCHAR``` | +| http_request.url.hostname | ```SPLIT_PART(URL, '/', 1)::VARCHAR``` | +| http_request.url.path | ```REGEXP_SUBSTR(URL, '/[^? ]+')::VARCHAR``` | +| http_request.url.url_string | ```URL::VARCHAR``` | +| http_request.user_agent | ```USER_AGENT::VARCHAR``` | +| http_request.x_forwarded_for | ```X_FORWARDED_FOR::VARCHAR``` | +| http_response.code | ```HTTP_STATUS_CODE::NUMBER``` | +| http_response.message | ```REQUEST_RESULT::VARCHAR``` | +| http_status | ```HTTP_STATUS_CODE::NUMBER``` | +| metadata.product.name | ```'imperva-waf-logs'``` | +| metadata.product.vendor_name | ```'imperva'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (CASE WHEN 'SEVERITY' IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN 'SEVERITY' IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| src_endpoint.ip | ```CLIENT_IP::VARCHAR``` | +| src_endpoint.port | ```SOURCE_PORT::VARCHAR``` | +| start_time | ```date_part('epoch_milliseconds', REQUEST_START_TIME::TIMESTAMP_LTZ)``` | +| start_time_dt | ```REQUEST_START_TIME::TIMESTAMP_LTZ``` | +| status | ```CASE (CASE WHEN HTTP_STATUS_CODE ILIKE '2%%' THEN 1 WHEN HTTP_STATUS_CODE ILIKE '4%%' THEN 2 WHEN HTTP_STATUS_CODE ILIKE '5%%' THEN 2 WHEN HTTP_STATUS_CODE IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 
THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN HTTP_STATUS_CODE ILIKE '2%%' THEN 1 WHEN HTTP_STATUS_CODE ILIKE '4%%' THEN 2 WHEN HTTP_STATUS_CODE ILIKE '5%%' THEN 2 WHEN HTTP_STATUS_CODE IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', request_start_time::TIMESTAMP_LTZ)``` | +| time_dt | ```request_start_time::TIMESTAMP_LTZ``` | +| tls.version | ```PROTOCOL_VERSION::VARCHAR``` | +| type_name | ```CASE (CASE WHEN METHOD = 'CONNECT' THEN 400201 WHEN METHOD = 'DELETE' THEN 400202 WHEN METHOD = 'GET' THEN 400203 WHEN METHOD = 'HEAD' THEN 400204 WHEN METHOD = 'OPTIONS' THEN 400205 WHEN METHOD = 'POST' THEN 400206 WHEN METHOD = 'PUT' THEN 400207 WHEN METHOD = 'TRACE' THEN 400208 WHEN METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN METHOD = 'CONNECT' THEN 400201 WHEN METHOD = 'DELETE' THEN 400202 WHEN METHOD = 'GET' THEN 400203 WHEN METHOD = 'HEAD' THEN 400204 WHEN METHOD = 'OPTIONS' THEN 400205 WHEN METHOD = 'POST' THEN 400206 WHEN METHOD = 'PUT' THEN 400207 WHEN METHOD = 'TRACE' THEN 400208 WHEN METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Infoblox/1.1.0/infoblox-bloxone-dns/dns_activity/README.md b/mappings/markdown/Infoblox/1.1.0/infoblox-bloxone-dns/dns_activity/README.md new file mode 100644 index 00000000..3f52dec5 --- /dev/null +++ b/mappings/markdown/Infoblox/1.1.0/infoblox-bloxone-dns/dns_activity/README.md 
@@ -0,0 +1,47 @@ +# Event Dossier: Infoblox Bloxone Dns to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `infoblox` +* Product name: `infoblox-bloxone-dns` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```CASE WHEN OPCODE IS NULL THEN 0 WHEN OPCODE = 'Query' THEN 1 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN OPCODE IS NULL THEN 0 WHEN OPCODE = 'Query' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| answers | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT('flag_ids', ARRAY_CONSTRUCT( CASE WHEN RESPONDER_FLAGS:responder_authoritative_answer::BOOLEAN = TRUE THEN 1 ELSE 99 END, CASE WHEN RESPONDER_FLAGS:responder_truncated::BOOLEAN = TRUE THEN 2 ELSE 99 END, CASE WHEN RESPONDER_FLAGS:responder_recursion_desired::BOOLEAN = TRUE THEN 3 ELSE 99 END, CASE WHEN RESPONDER_FLAGS:responder_recursion_available::BOOLEAN = TRUE THEN 4 ELSE 99 END, CASE WHEN RESPONDER_FLAGS:responder_authentic_data::BOOLEAN = TRUE THEN 5 ELSE 99 END, CASE WHEN RESPONDER_FLAGS:responder_checking_disabled::BOOLEAN = TRUE THEN 6 ELSE 99 END)::ARRAY))::ARRAY``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| cloud.region | ```REGION::VARCHAR``` | +| connection_info.protocol_name | ```CASE WHEN PROTOCOL = 6 THEN 'tcp' WHEN PROTOCOL = 17 THEN 'udp' ELSE NULL END::VARCHAR``` | +| connection_info.protocol_num | ```PROTOCOL::NUMBER``` | +| device.org.uid | ```CLIENT_IDENTIFIER::VARCHAR``` | +| disposition | ```CASE (99::NUMBER) WHEN 0 
THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```99::NUMBER``` | +| dst_endpoint.ip | ```RESPONDER_IP::VARCHAR``` | +| dst_endpoint.port | ```RESPONDER_PORT::VARCHAR``` | +| metadata.product.name | ```'infoblox-bloxone-dns'``` | +| metadata.product.vendor_name | ```'infoblox'``` | +| metadata.version | ```'1.1.0'``` | +| query.class | ```RAW:qclass::VARCHAR``` | +| query.hostname | ```QUERY_NAME::VARCHAR``` | +| query.type | ```RESOURCE_RECORD_TYPE::VARCHAR``` | +| rcode | ```CASE (CASE WHEN RETURN_CODE = 'NoError' THEN 0 WHEN RETURN_CODE = 'FORMERR' THEN 1 WHEN RETURN_CODE = 'ServFail' THEN 2 WHEN RETURN_CODE = 'NXDomain' THEN 3 WHEN RETURN_CODE = 'REFUSED' THEN 5 WHEN RETURN_CODE = 'ServFail' THEN 2 WHEN RETURN_CODE = 'NXDomain' THEN 3 ELSE 99 END::NUMBER) WHEN 0 THEN 'NoError' WHEN 1 THEN 'FormError' WHEN 10 THEN 'NotZone' WHEN 11 THEN 'DSOTYPENI' WHEN 16 THEN 'BADSIG_VERS' WHEN 17 THEN 'BADKEY' WHEN 18 THEN 'BADTIME' WHEN 19 THEN 'BADMODE' WHEN 2 THEN 'ServError' WHEN 20 THEN 'BADNAME' WHEN 21 THEN 'BADALG' WHEN 22 THEN 'BADTRUNC' WHEN 23 THEN 'BADCOOKIE' WHEN 24 THEN 'Unassigned' WHEN 25 THEN 'Reserved' WHEN 3 THEN 'NXDomain' WHEN 4 THEN 'NotImp' WHEN 5 THEN 'Refused' WHEN 6 THEN 'YXDomain' WHEN 7 THEN 'YXRRSet' WHEN 8 THEN 'NXRRSet' WHEN 9 THEN 'NotAuth' WHEN 99 THEN 'Other' END``` | +| rcode_id | 
```CASE WHEN RETURN_CODE = 'NoError' THEN 0 WHEN RETURN_CODE = 'FORMERR' THEN 1 WHEN RETURN_CODE = 'ServFail' THEN 2 WHEN RETURN_CODE = 'NXDomain' THEN 3 WHEN RETURN_CODE = 'REFUSED' THEN 5 WHEN RETURN_CODE = 'ServFail' THEN 2 WHEN RETURN_CODE = 'NXDomain' THEN 3 ELSE 99 END::NUMBER``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```REQUESTER_IP::VARCHAR``` | +| src_endpoint.port | ```REQUESTER_PORT::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((400300 + (CASE WHEN OPCODE IS NULL THEN 0 WHEN OPCODE = 'Query' THEN 1 ELSE 99 END))::NUMBER) WHEN 400300 THEN 'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 THEN 'DNS Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' WHEN 400399 THEN 'DNS Activity: Other' END``` | +| type_uid | ```(400300 + (CASE WHEN OPCODE IS NULL THEN 0 WHEN OPCODE = 'Query' THEN 1 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Infoblox/1.1.0/infoblox-nios-dns/dns_activity/README.md b/mappings/markdown/Infoblox/1.1.0/infoblox-nios-dns/dns_activity/README.md new file mode 100644 index 00000000..d2e61313 --- /dev/null +++ b/mappings/markdown/Infoblox/1.1.0/infoblox-nios-dns/dns_activity/README.md 
@@ -0,0 +1,43 @@ +# Event Dossier: Infoblox Nios Dns to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `infoblox` +* Product name: `infoblox-nios-dns` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```CASE WHEN EVENT_TYPE IS NULL THEN 0 WHEN EVENT_TYPE = 'query' THEN 1 WHEN EVENT_TYPE = 'response' THEN 2 WHEN EVENT_TYPE = 'traffic' THEN 6 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN EVENT_TYPE IS NULL THEN 0 WHEN EVENT_TYPE = 'query' THEN 1 WHEN EVENT_TYPE = 'response' THEN 2 WHEN EVENT_TYPE = 'traffic' THEN 6 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| answers | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT('flag_ids', ARRAY_CONSTRUCT(CASE WHEN FLAGS IS NULL THEN 0 WHEN FLAGS = 'A' THEN 1 WHEN FLAGS = 'T' THEN 2 ELSE 99 END), 'class', RESPONSE_RECORDS[0].class, 'type', RESPONSE_RECORDS[0].type, 'ttl', RESPONSE_RECORDS[0].ttl))::ARRAY``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| connection_info.protocol_name | ```PROTOCOL::VARCHAR``` | +| disposition | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access 
Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```99::NUMBER``` | +| dst_endpoint.ip | ```NAME_SERVER_IP::VARCHAR``` | +| metadata.product.name | ```'infoblox-nios-dns'``` | +| metadata.product.vendor_name | ```'infoblox'``` | +| metadata.version | ```'1.1.0'``` | +| query.class | ```CLASS::VARCHAR``` | +| query.hostname | ```QUERIED_DOMAIN::VARCHAR``` | +| query.type | ```TYPE::VARCHAR``` | +| rcode | ```CASE (CASE WHEN RESPONSE_CODE = 'NOERROR' THEN 0 WHEN RESPONSE_CODE = 'FORMERR' THEN 1 WHEN RESPONSE_CODE = 'SERVFAIL' THEN 2 WHEN RESPONSE_CODE = 'NXDOMAIN' THEN 3 WHEN RESPONSE_CODE = 'REFUSED' THEN 5 WHEN RESPONSE_CODE = 'NOTAUTH' THEN 9 WHEN RESPONSE_CODE = 'BADVERS' THEN 16 ELSE 99 END::NUMBER) WHEN 0 THEN 'NoError' WHEN 1 THEN 'FormError' WHEN 10 THEN 'NotZone' WHEN 11 THEN 'DSOTYPENI' WHEN 16 THEN 'BADSIG_VERS' WHEN 17 THEN 'BADKEY' WHEN 18 THEN 'BADTIME' WHEN 19 THEN 'BADMODE' WHEN 2 THEN 'ServError' WHEN 20 THEN 'BADNAME' WHEN 21 THEN 'BADALG' WHEN 22 THEN 'BADTRUNC' WHEN 23 THEN 'BADCOOKIE' WHEN 24 THEN 'Unassigned' WHEN 25 THEN 'Reserved' WHEN 3 THEN 'NXDomain' WHEN 4 THEN 'NotImp' WHEN 5 THEN 'Refused' WHEN 6 THEN 'YXDomain' WHEN 7 THEN 'YXRRSet' WHEN 8 THEN 'NXRRSet' WHEN 9 THEN 'NotAuth' WHEN 99 THEN 'Other' END``` | +| rcode_id | ```CASE WHEN RESPONSE_CODE = 'NOERROR' THEN 0 WHEN RESPONSE_CODE = 'FORMERR' THEN 1 WHEN RESPONSE_CODE = 'SERVFAIL' THEN 2 WHEN RESPONSE_CODE = 'NXDOMAIN' THEN 3 WHEN RESPONSE_CODE = 'REFUSED' THEN 5 WHEN RESPONSE_CODE = 'NOTAUTH' THEN 9 WHEN RESPONSE_CODE = 'BADVERS' THEN 16 ELSE 99 END::NUMBER``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 
'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```REQUESTER_IP::VARCHAR``` | +| src_endpoint.port | ```REQUESTER_PORT::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((400300 + (CASE WHEN EVENT_TYPE IS NULL THEN 0 WHEN EVENT_TYPE = 'query' THEN 1 WHEN EVENT_TYPE = 'response' THEN 2 WHEN EVENT_TYPE = 'traffic' THEN 6 ELSE 99 END))::NUMBER) WHEN 400300 THEN 'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 THEN 'DNS Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' WHEN 400399 THEN 'DNS Activity: Other' END``` | +| type_uid | ```(400300 + (CASE WHEN EVENT_TYPE IS NULL THEN 0 WHEN EVENT_TYPE = 'query' THEN 1 WHEN EVENT_TYPE = 'response' THEN 2 WHEN EVENT_TYPE = 'traffic' THEN 6 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Island/1.1.0/island-browser-devices/inventory_info/README.md b/mappings/markdown/Island/1.1.0/island-browser-devices/inventory_info/README.md new file mode 100644 index 00000000..b743deb5 --- /dev/null +++ b/mappings/markdown/Island/1.1.0/island-browser-devices/inventory_info/README.md 
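Review bot: `src_endpoint.port` is cast to `::VARCHAR` (`REQUESTER_PORT::VARCHAR`) in the infoblox-nios-dns table, but OCSF ports are integers and every other numeric field in this patch is cast `::NUMBER`; use `REQUESTER_PORT::NUMBER` so the field validates when the schema-server check mentioned in the wip header runs. Two smaller points in the same hunk: `answers` only ever emits `RESPONSE_RECORDS[0]`, so a response with several records loses all but the first, and the constructed object carries `class`/`type`/`ttl` but no record data, so the answer itself is never surfaced; and the `rcode_id` CASE stops at NOERROR/FORMERR/SERVFAIL/NXDOMAIN/REFUSED/NOTAUTH/BADVERS while the `rcode` label lookup already knows 4 NotImp, 6 YXDomain, 7 YXRRSet, 8 NXRRSet and 10 NotZone, so those standard response codes currently fall through to 99 Other for no reason.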
@@ -0,0 +1,44 @@ +# Event Dossier: Island Browser Devices to OCSF class Inventory Info + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `inventory_info` +* Vendor name: `Island` +* Product name: `island-browser-devices` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```2::NUMBER``` | +| activity_name | ```CASE (2::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Log' WHEN 2 THEN 'Collect' WHEN 99 THEN 'Other' END``` | +| actor.user.email_addr | ```EMAIL::VARCHAR``` | +| actor.user.name | ```USER_NAME::VARCHAR``` | +| actor.user.uid | ```USER_ID::VARCHAR``` | +| category_name | ```CASE (5::NUMBER) WHEN 5 THEN 'Discovery' END``` | +| category_uid | ```5::NUMBER``` | +| class_name | ```'inventory_info'``` | +| class_uid | ```5001``` | +| device.hw_info.cpu_type | ```CPU_MODEL::VARCHAR``` | +| device.hw_info.ram_size | ```RAM_SIZE::NUMBER``` | +| device.hw_info.serial_number | ```SERIAL_NUMBER::VARCHAR``` | +| device.ip | ```EXTERNAL_IP_ADDRESS::VARCHAR``` | +| device.last_seen_time | ```date_part('epoch_milliseconds', LAST_SEEN::TIMESTAMP_LTZ)``` | +| device.last_seen_time_dt | ```LAST_SEEN::TIMESTAMP_LTZ``` | +| device.mac | ```MAC_ADDRESS::VARCHAR``` | +| device.name | ```MACHINE_NAME::VARCHAR``` | +| device.os.name | ```OS_PLATFORM::VARCHAR``` | +| device.os.version | ```OS_VERSION::VARCHAR``` | +| device.uid | ```MACHINE_ID::VARCHAR``` | +| metadata.product.name | ```'island-browser-devices'``` | +| metadata.product.vendor_name | ```'Island'``` | +| metadata.tenant_uid | ```TENANT_ID::VARCHAR``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| time | ```date_part('epoch_milliseconds', created_date::TIMESTAMP_LTZ)``` | 
+| time_dt | ```created_date::TIMESTAMP_LTZ``` | +| type_name | ```CASE (500102::NUMBER) WHEN 500100 THEN 'Device Inventory Info: Unknown' WHEN 500101 THEN 'Device Inventory Info: Log' WHEN 500102 THEN 'Device Inventory Info: Collect' WHEN 500199 THEN 'Device Inventory Info: Other' END``` | +| type_uid | ```500102::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/JAMF/1.1.0/jamf-computers/inventory_info/README.md b/mappings/markdown/JAMF/1.1.0/jamf-computers/inventory_info/README.md new file mode 100644 index 00000000..3eb6b384 --- /dev/null +++ b/mappings/markdown/JAMF/1.1.0/jamf-computers/inventory_info/README.md 
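Review bot: the island-browser-devices table never sets `device.type_id`, which is a required attribute of the OCSF device object; the jamf-computers and lansweeper-assets dossiers in this same patch emit at least `0::NUMBER` with the matching `device.type` label, so this one should do the same (or derive it from OS_PLATFORM) rather than rely on the wip caveat. Also worth a comment in the file: `device.ip` is populated from `EXTERNAL_IP_ADDRESS`, i.e. the device's public/NAT address, which will collide across every device behind the same egress and is not what consumers expect under `device.ip`.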
@@ -0,0 +1,58 @@ +# Event Dossier: Jamf Computers to OCSF class Inventory Info + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `inventory_info` +* Vendor name: `jamf` +* Product name: `jamf-computers` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```99::NUMBER``` | +| activity_name | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Log' WHEN 2 THEN 'Collect' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (5::NUMBER) WHEN 5 THEN 'Discovery' END``` | +| category_uid | ```5::NUMBER``` | +| class_name | ```'inventory_info'``` | +| class_uid | ```5001``` | +| device.first_seen_time | ```date_part('epoch_milliseconds', GENERAL_INITIAL_ENTRY_DATE_UTC::TIMESTAMP_LTZ)``` | +| device.first_seen_time_dt | ```GENERAL_INITIAL_ENTRY_DATE_UTC::TIMESTAMP_LTZ``` | +| device.hw_info.bios_manufacturer | ```HARDWARE_MAKE::VARCHAR``` | +| device.hw_info.cpu_cores | ```HARDWARE:number_cores::NUMBER``` | +| device.hw_info.cpu_count | ```HARDWARE:number_processors::NUMBER``` | +| device.hw_info.cpu_speed | ```COALESCE(HARDWARE:processor_speed::NUMBER, HARDWARE:processor_speed_mhz::NUMBER)::NUMBER``` | +| device.hw_info.cpu_type | ```HARDWARE:processor_type::VARCHAR``` | +| device.hw_info.ram_size | ```COALESCE(HARDWARE:total_ram::NUMBER, HARDWARE:total_ram_mb::NUMBER)::NUMBER``` | +| device.hw_info.serial_number | ```GENERAL_SERIAL_NUMBER::VARCHAR``` | +| device.ip | ```COALESCE(GENERAL_IP_ADDRESS::VARCHAR, GENERAL_LAST_REPORTED_IP::VARCHAR)::VARCHAR``` | +| device.is_managed | ```GENERAL_REMOTE_MANAGEMENT:manage::BOOLEAN``` | +| device.last_seen_time | ```date_part('epoch_milliseconds', GENERAL_LAST_ENROLLED_DATE_UTC::TIMESTAMP_LTZ)``` | +| device.last_seen_time_dt | ```GENERAL_LAST_ENROLLED_DATE_UTC::TIMESTAMP_LTZ``` | +| device.location.city | ```LOCATION:building::VARCHAR``` | +| device.location.provider | ```LOCATION:department::VARCHAR``` | +| 
device.mac | ```COALESCE(GENERAL_MAC_ADDRESS::VARCHAR, GENERAL_ALT_MAC_ADDRESS::VARCHAR)::VARCHAR``` | +| device.modified_time | ```date_part('epoch_milliseconds', GENERAL_LAST_CONTACT_TIME_UTC::TIMESTAMP_LTZ)``` | +| device.modified_time_dt | ```GENERAL_LAST_CONTACT_TIME_UTC::TIMESTAMP_LTZ``` | +| device.name | ```GENERAL_NAME::VARCHAR``` | +| device.network_interfaces | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('type', CASE (CASE WHEN GENERAL_NETWORK_ADAPTER_TYPE IS NULL THEN 0 WHEN GENERAL_NETWORK_ADAPTER_TYPE = 'Ethernet' THEN 1 WHEN GENERAL_NETWORK_ADAPTER_TYPE = 'IEEE80211' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Wired' WHEN 2 THEN 'Wireless' WHEN 3 THEN 'Mobile' WHEN 4 THEN 'Tunnel' WHEN 99 THEN 'Other' END, 'type_id', CASE WHEN GENERAL_NETWORK_ADAPTER_TYPE IS NULL THEN 0 WHEN GENERAL_NETWORK_ADAPTER_TYPE = 'Ethernet' THEN 1 WHEN GENERAL_NETWORK_ADAPTER_TYPE = 'IEEE80211' THEN 2 ELSE 99 END::NUMBER))``` | +| device.os.build | ```HARDWARE_OS_BUILD::VARCHAR``` | +| device.os.name | ```GENERAL_PLATFORM::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN HARDWARE_OS_NAME IS NULL THEN 0 WHEN HARDWARE_OS_NAME = 'macOS' THEN 300 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN HARDWARE_OS_NAME IS NULL THEN 0 WHEN HARDWARE_OS_NAME = 'macOS' THEN 300 ELSE 99 END::NUMBER``` | +| device.os.version | ```HARDWARE_OS_VERSION::VARCHAR``` | +| device.region | ```GENERAL_SITE:name::VARCHAR``` | +| device.type | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' 
WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| device.type_id | ```0::NUMBER``` | +| device.uid | ```GENERAL_UDID::VARCHAR``` | +| metadata.product.name | ```'jamf-computers'``` | +| metadata.product.vendor_name | ```'jamf'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| time | ```date_part('epoch_milliseconds', sample_time::TIMESTAMP_LTZ)``` | +| time_dt | ```sample_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (500199::NUMBER) WHEN 500100 THEN 'Device Inventory Info: Unknown' WHEN 500101 THEN 'Device Inventory Info: Log' WHEN 500102 THEN 'Device Inventory Info: Collect' WHEN 500199 THEN 'Device Inventory Info: Other' END``` | +| type_uid | ```500199::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Lansweeper/1.1.0/lansweeper-assets/inventory_info/README.md b/mappings/markdown/Lansweeper/1.1.0/lansweeper-assets/inventory_info/README.md new file mode 100644 index 00000000..e3a53360 --- /dev/null +++ b/mappings/markdown/Lansweeper/1.1.0/lansweeper-assets/inventory_info/README.md 
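Review bot: `device.last_seen_time` / `device.last_seen_time_dt` are mapped from `GENERAL_LAST_ENROLLED_DATE_UTC` while `device.modified_time` takes `GENERAL_LAST_CONTACT_TIME_UTC`; enrolment date is a one-off and does not advance as the machine checks in, so the two source columns look swapped, and last contact is the value an analyst will read as "last seen". The location fields are also semantically off: `device.location.city` is fed from `LOCATION:building` and `device.location.provider` from `LOCATION:department` (OCSF `provider` is the geolocation data source, not an org unit); if there is no city/provider in the Jamf record, leave those attributes out rather than fill them with unrelated values.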
@@ -0,0 +1,39 @@ +# Event Dossier: Lansweeper Assets to OCSF class Inventory Info + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `inventory_info` +* Vendor name: `lansweeper` +* Product name: `lansweeper-assets` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```0::NUMBER``` | +| activity_name | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Log' WHEN 2 THEN 'Collect' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (5::NUMBER) WHEN 5 THEN 'Discovery' END``` | +| category_uid | ```5::NUMBER``` | +| class_name | ```'inventory_info'``` | +| class_uid | ```5001``` | +| device.first_seen_time | ```date_part('epoch_milliseconds', FIRST_SEEN::TIMESTAMP_LTZ)``` | +| device.first_seen_time_dt | ```FIRST_SEEN::TIMESTAMP_LTZ``` | +| device.ip | ```IP_ADDRESS::VARCHAR``` | +| device.last_seen_time | ```date_part('epoch_milliseconds', LAST_SEEN::TIMESTAMP_LTZ)``` | +| device.last_seen_time_dt | ```LAST_SEEN::TIMESTAMP_LTZ``` | +| device.mac | ```MAC::VARCHAR``` | +| device.name | ```NAME::VARCHAR``` | +| device.type | ```CASE (CASE WHEN TYPE = 'Server' THEN 1 WHEN TYPE = 'Desktop' THEN 2 WHEN TYPE = 'Laptop' THEN 3 WHEN TYPE = 'Tablet' THEN 4 WHEN TYPE = 'Mobile' THEN 5 WHEN TYPE = 'Virtual' THEN 6 WHEN TYPE = 'IOT' THEN 7 WHEN TYPE = 'Browser' THEN 8 WHEN TYPE = 'Firewall' THEN 9 WHEN TYPE = 'Switch' THEN 10 WHEN TYPE = 'Hub' THEN 11 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| device.type_id | ```CASE WHEN TYPE = 'Server' THEN 1 WHEN TYPE = 'Desktop' THEN 2 WHEN TYPE = 'Laptop' THEN 3 WHEN TYPE = 'Tablet' THEN 4 WHEN TYPE = 'Mobile' THEN 5 WHEN TYPE = 'Virtual' THEN 6 WHEN TYPE = 'IOT' 
THEN 7 WHEN TYPE = 'Browser' THEN 8 WHEN TYPE = 'Firewall' THEN 9 WHEN TYPE = 'Switch' THEN 10 WHEN TYPE = 'Hub' THEN 11 ELSE 99 END::NUMBER``` | +| device.uid | ```KEY::VARCHAR``` | +| metadata.product.name | ```'lansweeper-assets'``` | +| metadata.product.vendor_name | ```'lansweeper'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| time | ```date_part('epoch_milliseconds', SNAPSHOT_TIME::TIMESTAMP_LTZ)``` | +| time_dt | ```SNAPSHOT_TIME::TIMESTAMP_LTZ``` | +| type_name | ```CASE (500100::NUMBER) WHEN 500100 THEN 'Device Inventory Info: Unknown' WHEN 500101 THEN 'Device Inventory Info: Log' WHEN 500102 THEN 'Device Inventory Info: Collect' WHEN 500199 THEN 'Device Inventory Info: Other' END``` | +| type_uid | ```500100::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Microsoft/Azure/1.1.0/azure-signin/authentication/README.md b/mappings/markdown/Microsoft/Azure/1.1.0/azure-signin/authentication/README.md new file mode 100644 index 00000000..8dc7f1e6 --- /dev/null +++ b/mappings/markdown/Microsoft/Azure/1.1.0/azure-signin/authentication/README.md 
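Review bot: the `device.type_id` CASE in the lansweeper-assets table has no NULL branch, so an asset with no TYPE yields 99 Other (every `TYPE = ...` predicate is NULL and the ELSE fires) even though the `device.type` lookup has a 0 Unknown entry; add `WHEN TYPE IS NULL THEN 0` at the top, as the other dossiers in this patch do for their enum sources. Minor: `activity_id` is hard-coded to `0::NUMBER` (Unknown) although the source is a `SNAPSHOT_TIME`-stamped inventory pull, which is the `2` Collect activity the island and mdatp inventory dossiers use.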
@@ -0,0 +1,61 @@ +# Event Dossier: Azure Signin to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `azure` +* Product name: `azure-signin` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| api.version | ```OPERATION_VERSION::VARCHAR``` | +| auth_protocol | ```CASE (CASE WHEN PROPERTIES:authenticationProtocol='NTLM' THEN 1 WHEN PROPERTIES:authenticationProtocol='Kerberos' THEN 2 WHEN PROPERTIES:authenticationProtocol='Digest' THEN 3 WHEN PROPERTIES:authenticationProtocol='OpenID' THEN 4 WHEN PROPERTIES:authenticationProtocol='SAML' THEN 5 WHEN PROPERTIES:authenticationProtocol='OAUTH 2.0' THEN 6 WHEN PROPERTIES:authenticationProtocol='PAP' THEN 7 WHEN PROPERTIES:authenticationProtocol='CHAP' THEN 8 WHEN PROPERTIES:authenticationProtocol='EAP' THEN 9 WHEN PROPERTIES:authenticationProtocol='RADIUS' THEN 10 WHEN PROPERTIES:authenticationProtocol IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'NTLM' WHEN 10 THEN 'RADIUS' WHEN 2 THEN 'Kerberos' WHEN 3 THEN 'Digest' WHEN 4 THEN 'OpenID' WHEN 5 THEN 'SAML' WHEN 6 THEN 'OAUTH 2.0' WHEN 7 THEN 'PAP' WHEN 8 THEN 'CHAP' WHEN 9 THEN 'EAP' WHEN 99 THEN 'Other' END``` | +| auth_protocol_id | ```CASE WHEN PROPERTIES:authenticationProtocol='NTLM' THEN 1 WHEN PROPERTIES:authenticationProtocol='Kerberos' THEN 2 WHEN PROPERTIES:authenticationProtocol='Digest' THEN 3 WHEN PROPERTIES:authenticationProtocol='OpenID' THEN 4 WHEN PROPERTIES:authenticationProtocol='SAML' THEN 5 WHEN PROPERTIES:authenticationProtocol='OAUTH 2.0' THEN 6 WHEN PROPERTIES:authenticationProtocol='PAP' THEN 7 WHEN 
PROPERTIES:authenticationProtocol='CHAP' THEN 8 WHEN PROPERTIES:authenticationProtocol='EAP' THEN 9 WHEN PROPERTIES:authenticationProtocol='RADIUS' THEN 10 WHEN PROPERTIES:authenticationProtocol IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| cloud.account.name | ```PROPERTIES:homeTenantName::VARCHAR``` | +| cloud.account.type | ```CASE (6::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'LDAP Account' WHEN 10 THEN 'AWS Account' WHEN 2 THEN 'Windows Account' WHEN 3 THEN 'AWS IAM User' WHEN 4 THEN 'AWS IAM Role' WHEN 5 THEN 'GCP Account' WHEN 6 THEN 'Azure AD Account' WHEN 7 THEN 'Mac OS Account' WHEN 8 THEN 'Apple Account' WHEN 9 THEN 'Linux Account' WHEN 99 THEN 'Other' END``` | +| cloud.account.type_id | ```6::NUMBER``` | +| cloud.account.uid | ```TENANT_ID::VARCHAR``` | +| cloud.provider | ```PROPERTIES_TOKEN_ISSUER_TYPE::VARCHAR``` | +| device.is_managed | ```PROPERTIES_DEVICE_DETAIL:isManaged::BOOLEAN``` | +| device.name | ```PROPERTIES_DEVICE_DETAIL:displayName::VARCHAR``` | +| device.os.name | ```PROPERTIES_DEVICE_DETAIL:operatingSystem::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='WindowsPhone' THEN 101 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem ilike '%Windows%' THEN 100 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='Linux' THEN 200 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='Android' THEN 201 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='MacOs' THEN 300 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem ilike 'iOS' THEN 301 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='iPadOS' THEN 302 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='Solaris' THEN 400 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='AIX' THEN 401 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='HP-UX' THEN 402 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem IS 
NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='WindowsPhone' THEN 101 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem ilike '%Windows%' THEN 100 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='Linux' THEN 200 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='Android' THEN 201 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='MacOs' THEN 300 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem ilike 'iOS' THEN 301 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='iPadOS' THEN 302 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='Solaris' THEN 400 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='AIX' THEN 401 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem='HP-UX' THEN 402 WHEN PROPERTIES_DEVICE_DETAIL:operatingSystem IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| device.uid | ```PROPERTIES_DEVICE_DETAIL:deviceId::VARCHAR``` | +| http_request.uid | ```PROPERTIES:originalRequestId::VARCHAR``` | +| http_request.user_agent | ```PROPERTIES:userAgent::VARCHAR``` | +| is_mfa | ```IFF(PROPERTIES:authenticationRequirement='multiFactorAuthentication', true, false)::BOOLEAN``` | +| logon_process.created_time | ```date_part('epoch_milliseconds', PROPERTIES_CREATED_DATE_TIME::TIMESTAMP_LTZ)``` | +| logon_process.created_time_dt | ```PROPERTIES_CREATED_DATE_TIME::TIMESTAMP_LTZ``` | +| metadata.event_code | ```category``` | +| metadata.product.name | ```'azure-signin'``` | +| metadata.product.vendor_name | ```'azure'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (CASE WHEN PROPERTIES_RISK_LEVEL_AGGREGATED='informational' THEN 1 WHEN COALESCE(PROPERTIES_RISK_LEVEL_AGGREGATED, PROPERTIES:riskLevel)='low' THEN 2 WHEN 
COALESCE(PROPERTIES_RISK_LEVEL_AGGREGATED, PROPERTIES:riskLevel)='medium' THEN 3 WHEN COALESCE(PROPERTIES_RISK_LEVEL_AGGREGATED, PROPERTIES:riskLevel)='high' THEN 4 WHEN PROPERTIES_RISK_LEVEL_AGGREGATED='critical' THEN 5 WHEN PROPERTIES_RISK_LEVEL_AGGREGATED='fatal' THEN 6 WHEN PROPERTIES_RISK_LEVEL_AGGREGATED IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN PROPERTIES_RISK_LEVEL_AGGREGATED='informational' THEN 1 WHEN COALESCE(PROPERTIES_RISK_LEVEL_AGGREGATED, PROPERTIES:riskLevel)='low' THEN 2 WHEN COALESCE(PROPERTIES_RISK_LEVEL_AGGREGATED, PROPERTIES:riskLevel)='medium' THEN 3 WHEN COALESCE(PROPERTIES_RISK_LEVEL_AGGREGATED, PROPERTIES:riskLevel)='high' THEN 4 WHEN PROPERTIES_RISK_LEVEL_AGGREGATED='critical' THEN 5 WHEN PROPERTIES_RISK_LEVEL_AGGREGATED='fatal' THEN 6 WHEN PROPERTIES_RISK_LEVEL_AGGREGATED IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| src_endpoint.ip | ```CALLER_IP_ADDRESS::VARCHAR``` | +| src_endpoint.location.city | ```PROPERTIES_LOCATION:city::VARCHAR``` | +| src_endpoint.location.country | ```PROPERTIES_LOCATION:countryOrRegion::VARCHAR``` | +| status | ```CASE (CASE WHEN PROPERTIES:statusCode='OK' THEN 1 WHEN PROPERTIES:statusCode IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_code | ```PROPERTIES_STATUS:errorCode::VARCHAR``` | +| status_detail | ```COALESCE(PROPERTIES_STATUS:failureReason, PROPERTIES_STATUS:additionalDetails)::VARCHAR``` | +| status_id | ```CASE WHEN PROPERTIES:statusCode='OK' THEN 1 WHEN PROPERTIES:statusCode IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (300201::NUMBER) WHEN 300200 THEN 
'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```300201::NUMBER``` | +| user.credential_uid | ```PROPERTIES:servicePrincipalCredentialKeyId::VARCHAR``` | +| user.name | ```COALESCE(PROPERTIES:userDisplayName, PROPERTIES:servicePrincipalName)::VARCHAR``` | +| user.type | ```CASE (CASE WHEN PROPERTIES:userType IN ('Member', 'User') THEN 1 WHEN PROPERTIES:userType='Admin' THEN 2 WHEN PROPERTIES:userType='System' THEN 3 WHEN PROPERTIES:userType IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'User' WHEN 2 THEN 'Admin' WHEN 3 THEN 'System' WHEN 99 THEN 'Other' END``` | +| user.type_id | ```CASE WHEN PROPERTIES:userType IN ('Member', 'User') THEN 1 WHEN PROPERTIES:userType='Admin' THEN 2 WHEN PROPERTIES:userType='System' THEN 3 WHEN PROPERTIES:userType IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| user.uid | ```COALESCE(PROPERTIES:userId, PROPERTIES:servicePrincipalId)::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-file-events/file_activity/README.md b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-file-events/file_activity/README.md new file mode 100644 index 00000000..0d1372fd --- /dev/null +++ b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-file-events/file_activity/README.md 
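Review bot: `status_id` in the azure-signin table is `CASE WHEN PROPERTIES:statusCode='OK' THEN 1 WHEN ... IS NULL THEN 0 ELSE 99 END`, so every failed sign-in lands in 99 Other instead of 2 Failure; for an authentication event that is the single most important field for detections, and the hunk already reads `PROPERTIES_STATUS:errorCode` / `PROPERTIES_STATUS:failureReason` for `status_code` and `status_detail`, so a non-OK/non-null status can be mapped to 2 (e.g. `ELSE 2`, or keyed off `errorCode`). Separately, `cloud.provider` is fed from `PROPERTIES_TOKEN_ISSUER_TYPE`, which describes the token issuer, not the cloud; a constant in the spirit of `metadata.product.vendor_name` would be correct. Style: `metadata.event_code` is the bare lowercase `category` with no `::VARCHAR` cast, unlike every other RAW expression in the file.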
@@ -0,0 +1,53 @@ +# Event Dossier: Mdatp Device File Events to OCSF class File Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `file_activity` +* Vendor name: `mdatp` +* Product name: `mdatp-device-file-events` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```CASE ACTION_TYPE WHEN 'FileCreated' THEN 1 WHEN 'FileModified' THEN 3 WHEN 'FileDeleted' THEN 4 WHEN 'FileRenamed' THEN 5 ELSE 0 END``` | +| activity_name | ```CASE (CASE ACTION_TYPE WHEN 'FileCreated' THEN 1 WHEN 'FileModified' THEN 3 WHEN 'FileDeleted' THEN 4 WHEN 'FileRenamed' THEN 5 ELSE 0 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Create' WHEN 10 THEN 'Encrypt' WHEN 11 THEN 'Decrypt' WHEN 12 THEN 'Mount' WHEN 13 THEN 'Unmount' WHEN 14 THEN 'Open' WHEN 2 THEN 'Read' WHEN 3 THEN 'Update' WHEN 4 THEN 'Delete' WHEN 5 THEN 'Rename' WHEN 6 THEN 'Set Attributes' WHEN 7 THEN 'Set Security' WHEN 8 THEN 'Get Attributes' WHEN 9 THEN 'Get Security' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```INITIATING_PROCESS_COMMAND_LINE::VARCHAR``` | +| actor.process.created_time | ```date_part('epoch_milliseconds', INITIATING_PROCESS_CREATION_TIME::TIMESTAMP_LTZ)``` | +| actor.process.created_time_dt | ```INITIATING_PROCESS_CREATION_TIME::TIMESTAMP_LTZ``` | +| actor.process.file.owner.account.name | ```INITIATING_PROCESS_ACCOUNT_NAME::VARCHAR``` | +| actor.process.file.owner.account.uid | ```INITIATING_PROCESS_ACCOUNT_SID::VARCHAR``` | +| actor.process.file.owner.domain | ```INITIATING_PROCESS_ACCOUNT_DOMAIN::VARCHAR``` | +| actor.process.file.owner.uid | ```INITIATING_PROCESS_ACCOUNT_SID::VARCHAR``` | +| actor.process.file.parent_folder | ```INITIATING_PROCESS_FOLDER_PATH::VARCHAR``` | +| actor.process.integrity | ```CASE (CASE 
INITIATING_PROCESS_INTEGRITY_LEVEL::VARCHAR WHEN 'Untrusted' THEN 1 WHEN 'Low' THEN 2 WHEN 'Medium' THEN 3 WHEN 'High' THEN 4 WHEN 'System' THEN 5 ELSE 0 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Untrusted' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'System' WHEN 6 THEN 'Protected' WHEN 99 THEN 'Other' END``` | +| actor.process.integrity_id | ```CASE INITIATING_PROCESS_INTEGRITY_LEVEL::VARCHAR WHEN 'Untrusted' THEN 1 WHEN 'Low' THEN 2 WHEN 'Medium' THEN 3 WHEN 'High' THEN 4 WHEN 'System' THEN 5 ELSE 0 END``` | +| actor.process.parent_process.created_time | ```date_part('epoch_milliseconds', INITIATING_PROCESS_PARENT_CREATION_TIME::TIMESTAMP_LTZ)``` | +| actor.process.parent_process.created_time_dt | ```INITIATING_PROCESS_PARENT_CREATION_TIME::TIMESTAMP_LTZ``` | +| actor.process.parent_process.file.name | ```INITIATING_PROCESS_PARENT_FILE_NAME::VARCHAR``` | +| actor.process.parent_process.pid | ```INITIATING_PROCESS_PARENT_ID::NUMBER``` | +| actor.process.pid | ```INITIATING_PROCESS_ID::NUMBER``` | +| api.operation | ```OPERATION_NAME::VARCHAR``` | +| class_name | ```'file_activity'``` | +| class_uid | ```1001``` | +| device.container.uid | ```APP_GUARD_CONTAINER_ID::VARCHAR``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| device.uid | ```DEVICE_ID::VARCHAR``` | +| file.confidentiality | ```CASE (CASE WHEN SENSITIVITY_LABEL='Public' THEN 1 WHEN SENSITIVITY_LABEL='Confidential' THEN 2 WHEN SENSITIVITY_LABEL='Internal' THEN 3 WHEN SENSITIVITY_LABEL='Restricted' THEN 4 WHEN SENSITIVITY_LABEL IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Not Confidential' WHEN 2 THEN 'Confidential' WHEN 3 THEN 'Secret' WHEN 4 THEN 'Top Secret' WHEN 99 THEN 'Other' END``` | +| file.confidentiality_id | ```CASE WHEN SENSITIVITY_LABEL='Public' THEN 1 WHEN SENSITIVITY_LABEL='Confidential' THEN 2 WHEN SENSITIVITY_LABEL='Internal' THEN 3 WHEN SENSITIVITY_LABEL='Restricted' THEN 4 WHEN SENSITIVITY_LABEL IS NULL THEN 0 ELSE 99 
END::NUMBER``` | +| file.created_time | ```date_part('epoch_milliseconds', TIMESTAMP::TIMESTAMP_LTZ)``` | +| file.created_time_dt | ```TIMESTAMP::TIMESTAMP_LTZ``` | +| file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN MD5 is not null THEN 1 WHEN SHA1 is not null THEN 2 WHEN SHA256 is not null THEN 3 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN MD5 is not null THEN 1 WHEN SHA1 is not null THEN 2 WHEN SHA256 is not null THEN 3 ELSE 99 END::NUMBER))``` | +| file.name | ```FILE_NAME::VARCHAR``` | +| file.path | ```FOLDER_PATH::VARCHAR``` | +| metadata.product.name | ```'mdatp-device-file-events'``` | +| metadata.product.vendor_name | ```'mdatp'``` | +| metadata.version | ```'1.1.0'``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE ACTION_TYPE WHEN 'FileCreated' THEN 100101 WHEN 'FileModified' THEN 100103 WHEN 'FileDeleted' THEN 100104 WHEN 'FileRenamed' THEN 100105 ELSE 100100 END) WHEN 100100 THEN 'File System Activity: Unknown' WHEN 100101 THEN 'File System Activity: Create' WHEN 100102 THEN 'File System Activity: Read' WHEN 100103 THEN 'File System Activity: Update' WHEN 100104 THEN 'File System Activity: Delete' WHEN 100105 THEN 'File System Activity: Rename' WHEN 100106 THEN 'File System Activity: Set Attributes' WHEN 100107 THEN 'File System Activity: Set Security' WHEN 100108 THEN 'File System Activity: Get Attributes' WHEN 100109 THEN 'File System Activity: Get Security' WHEN 100110 THEN 'File System Activity: Encrypt' WHEN 100111 THEN 'File System Activity: Decrypt' WHEN 100112 THEN 'File System Activity: Mount' WHEN 100113 THEN 'File System Activity: Unmount' WHEN 100114 THEN 'File System Activity: Open' WHEN 100199 THEN 
'File System Activity: Other' END``` | +| type_uid | ```CASE ACTION_TYPE WHEN 'FileCreated' THEN 100101 WHEN 'FileModified' THEN 100103 WHEN 'FileDeleted' THEN 100104 WHEN 'FileRenamed' THEN 100105 ELSE 100100 END``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-info/inventory_info/README.md b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-info/inventory_info/README.md new file mode 100644 index 00000000..dce8ebf2 --- /dev/null +++ b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-info/inventory_info/README.md 
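Review bot: `file.hashes` in the mdatp-device-file-events table builds `algorithm`/`algorithm_id` but never emits a `value`, so the object carries no hash; compare the mdatp-device-logon-events hunk below, which adds `'value', COALESCE(INITIATING_PROCESS_SHA256, INITIATING_PROCESS_SHA1, INITIATING_PROCESS_MD5)`. Since MD5, SHA1 and SHA256 can all be present, one object per non-null column would be better than a single first-match. Three more gaps against the sibling dossiers: this file has no `category_uid` / `category_name` and no `severity` / `severity_id`, which every other hunk sets; `actor.process.file.owner.*` is populated from `INITIATING_PROCESS_ACCOUNT_*`, i.e. the account the process runs as, which the logon-events hunk correctly places under `actor.process.user.*`; and `file.created_time` reuses the event `TIMESTAMP`, which is only the creation time for `FileCreated` rows and is simply wrong for the Modified/Deleted/Renamed cases.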
@@ -0,0 +1,42 @@ +# Event Dossier: Mdatp Device Info to OCSF class Inventory Info + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `inventory_info` +* Vendor name: `mdatp` +* Product name: `mdatp-device-info` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```2::NUMBER``` | +| activity_name | ```CASE (2::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Log' WHEN 2 THEN 'Collect' WHEN 99 THEN 'Other' END``` | +| actor.session.uid | ```PARSE_JSON(LOGGED_ON_USERS[0])[0]:Sid::VARCHAR``` | +| actor.user.name | ```PARSE_JSON(LOGGED_ON_USERS[0])[0]:UserName::VARCHAR``` | +| category_name | ```CASE (5::NUMBER) WHEN 5 THEN 'Discovery' END``` | +| category_uid | ```5::NUMBER``` | +| class_name | ```'inventory_info'``` | +| class_uid | ```5001``` | +| device.container.tag | ```REGISTRY_DEVICE_TAG::VARCHAR``` | +| device.domain | ```PARSE_JSON(LOGGED_ON_USERS[0])[0]:DomainName::VARCHAR``` | +| device.groups | ```ARRAY_CONSTRUCT(MACHINE_GROUP)``` | +| device.ip | ```PUBLIC_IP::VARCHAR``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| device.os.build | ```OS_BUILD::VARCHAR``` | +| device.os.cpu_bits | ```CASE WHEN OS_ARCHITECTURE ILIKE '%64%' THEN 64 WHEN OS_ARCHITECTURE ILIKE '%32%' THEN 32 ELSE NULL END::NUMBER``` | +| device.os.type | ```CASE (CASE WHEN OS_PLATFORM ILIKE '%Windows%' THEN 100 WHEN OS_PLATFORM = 'Linux' THEN 200 WHEN OS_PLATFORM = 'macOS' THEN 300 WHEN OS_PLATFORM = 'Android' THEN 201 WHEN OS_PLATFORM = 'iOS' THEN 301 WHEN OS_PLATFORM IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN OS_PLATFORM ILIKE '%Windows%' THEN 100 WHEN OS_PLATFORM = 'Linux' 
THEN 200 WHEN OS_PLATFORM = 'macOS' THEN 300 WHEN OS_PLATFORM = 'Android' THEN 201 WHEN OS_PLATFORM = 'iOS' THEN 301 WHEN OS_PLATFORM IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| device.os.version | ```OS_VERSION::VARCHAR``` | +| device.uid | ```DEVICE_ID::VARCHAR``` | +| metadata.product.name | ```'mdatp-device-info'``` | +| metadata.product.vendor_name | ```'mdatp'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```99::NUMBER``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (500199::NUMBER) WHEN 500100 THEN 'Device Inventory Info: Unknown' WHEN 500101 THEN 'Device Inventory Info: Log' WHEN 500102 THEN 'Device Inventory Info: Collect' WHEN 500199 THEN 'Device Inventory Info: Other' END``` | +| type_uid | ```500199::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-logon-events/authentication/README.md b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-logon-events/authentication/README.md new file mode 100644 index 00000000..6b7f8aec --- /dev/null +++ b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-logon-events/authentication/README.md 
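Review bot: `actor.session.uid` in the mdatp-device-info table is `PARSE_JSON(LOGGED_ON_USERS[0])[0]:Sid`; a SID identifies the account, not the logon session, so it belongs in `actor.user.uid` next to the `UserName` mapping. Also check the double indexing `PARSE_JSON(LOGGED_ON_USERS[0])[0]`: it only works if `LOGGED_ON_USERS` is an array whose first element is itself a JSON-encoded array, which is worth a one-line comment in the dossier. Consistency: `severity_id` is `99::NUMBER` (Other) here while island, jamf and lansweeper inventory dossiers use `0` (Unknown), and like island this file omits the required `device.type_id`.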
@@ -0,0 +1,56 @@ +# Event Dossier: Mdatp Device Logon Events to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `mdatp` +* Product name: `mdatp-device-logon-events` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE = 'LogonSuccess' THEN 1 WHEN ACTION_TYPE = 'LogonFailed' THEN 2 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE = 'LogonSuccess' THEN 1 WHEN ACTION_TYPE = 'LogonFailed' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```INITIATING_PROCESS_COMMAND_LINE::VARCHAR``` | +| actor.process.created_time | ```date_part('epoch_milliseconds', INITIATING_PROCESS_CREATION_TIME::TIMESTAMP_LTZ)``` | +| actor.process.created_time_dt | ```INITIATING_PROCESS_CREATION_TIME::TIMESTAMP_LTZ``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN INITIATING_PROCESS_SHA256 IS NULL AND INITIATING_PROCESS_SHA1 IS NULL AND INITIATING_PROCESS_MD5 IS NULL THEN 0 WHEN INITIATING_PROCESS_SHA256 IS NOT NULL THEN 3 WHEN INITIATING_PROCESS_SHA1 IS NOT NULL THEN 2 WHEN INITIATING_PROCESS_MD5 IS NOT NULL THEN 1 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN INITIATING_PROCESS_SHA256 IS NULL AND INITIATING_PROCESS_SHA1 IS NULL AND INITIATING_PROCESS_MD5 IS NULL THEN 0 WHEN INITIATING_PROCESS_SHA256 IS NOT NULL THEN 3 WHEN INITIATING_PROCESS_SHA1 IS NOT NULL THEN 2 
WHEN INITIATING_PROCESS_MD5 IS NOT NULL THEN 1 END::NUMBER, 'value', COALESCE(INITIATING_PROCESS_SHA256, INITIATING_PROCESS_SHA1, INITIATING_PROCESS_MD5)::VARCHAR))``` | +| actor.process.file.name | ```INITIATING_PROCESS_FILE_NAME::VARCHAR``` | +| actor.process.file.path | ```INITIATING_PROCESS_FOLDER_PATH::VARCHAR``` | +| actor.process.integrity | ```CASE (CASE WHEN INITIATING_PROCESS_INTEGRITY_LEVEL IS NULL THEN 0 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Low' THEN 2 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Medium' THEN 3 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'High' THEN 4 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'System' THEN 5 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Untrusted' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'System' WHEN 6 THEN 'Protected' WHEN 99 THEN 'Other' END``` | +| actor.process.integrity_id | ```CASE WHEN INITIATING_PROCESS_INTEGRITY_LEVEL IS NULL THEN 0 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Low' THEN 2 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Medium' THEN 3 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'High' THEN 4 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'System' THEN 5 ELSE 99 END::NUMBER``` | +| actor.process.parent_process.file.name | ```INITIATING_PROCESS_PARENT_FILE_NAME::VARCHAR``` | +| actor.process.parent_process.pid | ```INITIATING_PROCESS_PARENT_ID::NUMBER``` | +| actor.process.pid | ```INITIATING_PROCESS_ID::NUMBER``` | +| actor.process.user.account.name | ```INITIATING_PROCESS_ACCOUNT_NAME::VARCHAR``` | +| actor.process.user.account.uid | ```INITIATING_PROCESS_ACCOUNT_SID::VARCHAR``` | +| actor.process.user.domain | ```INITIATING_PROCESS_ACCOUNT_DOMAIN::VARCHAR``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| device.container.uid | ```APP_GUARD_CONTAINER_ID::VARCHAR``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| 
device.uid | ```DEVICE_ID::VARCHAR``` | +| is_remote | ```REMOTE_IP IS NOT NULL``` | +| logon_process.uid | ```LOGON_ID::VARCHAR``` | +| logon_type | ```CASE (CASE WHEN LOGON_TYPE = 'Interactive' THEN 2 WHEN LOGON_TYPE = 'Network' THEN 3 WHEN LOGON_TYPE = 'Batch' THEN 4 WHEN LOGON_TYPE = 'Unlock' THEN 7 WHEN LOGON_TYPE = 'NetworkCleartext' THEN 8 WHEN LOGON_TYPE = 'NewCredentials' THEN 9 WHEN LOGON_TYPE = 'RemoteInteractive' THEN 10 WHEN LOGON_TYPE = 'CachedInteractive' THEN 11 WHEN LOGON_TYPE = 'CachedRemoteInteractive' THEN 12 ELSE 99 END::NUMBER) WHEN 0 THEN 'System' WHEN 10 THEN 'Remote Interactive' WHEN 11 THEN 'Cached Interactive' WHEN 12 THEN 'Cached Remote Interactive' WHEN 13 THEN 'Cached Unlock' WHEN 2 THEN 'Interactive' WHEN 3 THEN 'Network' WHEN 4 THEN 'Batch' WHEN 5 THEN 'OS Service' WHEN 7 THEN 'Unlock' WHEN 8 THEN 'Network Cleartext' WHEN 9 THEN 'New Credentials' WHEN 99 THEN 'Other' END``` | +| logon_type_id | ```CASE WHEN LOGON_TYPE = 'Interactive' THEN 2 WHEN LOGON_TYPE = 'Network' THEN 3 WHEN LOGON_TYPE = 'Batch' THEN 4 WHEN LOGON_TYPE = 'Unlock' THEN 7 WHEN LOGON_TYPE = 'NetworkCleartext' THEN 8 WHEN LOGON_TYPE = 'NewCredentials' THEN 9 WHEN LOGON_TYPE = 'RemoteInteractive' THEN 10 WHEN LOGON_TYPE = 'CachedInteractive' THEN 11 WHEN LOGON_TYPE = 'CachedRemoteInteractive' THEN 12 ELSE 99 END::NUMBER``` | +| metadata.product.name | ```'mdatp-device-logon-events'``` | +| metadata.product.vendor_name | ```'mdatp'``` | +| metadata.version | ```'1.1.0'``` | +| src_endpoint.hostname | ```REMOTE_DEVICE_NAME::VARCHAR``` | +| src_endpoint.ip | ```REMOTE_IP::VARCHAR``` | +| src_endpoint.port | ```REMOTE_PORT::VARCHAR``` | +| status | ```CASE (CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE = 'LogonSuccess' THEN 1 WHEN ACTION_TYPE = 'LogonFailed' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE = 
'LogonSuccess' THEN 1 WHEN ACTION_TYPE = 'LogonFailed' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((300200 +(CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE = 'LogonSuccess' THEN 1 WHEN ACTION_TYPE = 'LogonFailed' THEN 2 ELSE 99 END))::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```(300200 +(CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE = 'LogonSuccess' THEN 1 WHEN ACTION_TYPE = 'LogonFailed' THEN 2 ELSE 99 END))::NUMBER``` | +| user.domain | ```ACCOUNT_DOMAIN::VARCHAR``` | +| user.name | ```ACCOUNT_NAME::VARCHAR``` | +| user.uid | ```ACCOUNT_SID::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-network-events/network_activity/README.md b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-network-events/network_activity/README.md new file mode 100644 index 00000000..c7ccd2b6 --- /dev/null +++ b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-network-events/network_activity/README.md 
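Review bot: in the mdatp-device-logon-events authentication table, `activity_id` maps `ACTION_TYPE = 'LogonFailed'` to 2, which the `activity_name` CASE decodes as 'Logoff' and `type_uid` as 300202 'Authentication: Logoff'; a failed logon is still a Logon activity, and the failure is already carried by `status_id` (`WHEN ACTION_TYPE = 'LogonFailed' THEN 2` → 'Failure'). Suggest `WHEN ACTION_TYPE = 'LogonFailed' THEN 1` in `activity_id`, `activity_name`, `type_uid` and `type_name`. Also, `src_endpoint.port` is cast `REMOTE_PORT::VARCHAR` here while the network mapping uses `REMOTE_PORT::NUMBER`; the port should be numeric in both.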
@@ -0,0 +1,54 @@ +# Event Dossier: Mdatp Device Network Events to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `mdatp` +* Product name: `mdatp-device-network-events` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION_TYPE ILIKE ANY ('%ConnectionSuccess%', '%ConnectionCreated%', '%ConnectionAccepted%', '%ConnectionFound%') THEN 1 WHEN ACTION_TYPE ILIKE '%ConnectionFailed%' THEN 2 WHEN ACTION_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION_TYPE ILIKE ANY ('%ConnectionSuccess%', '%ConnectionCreated%', '%ConnectionAccepted%', '%ConnectionFound%') THEN 1 WHEN ACTION_TYPE ILIKE '%ConnectionFailed%' THEN 2 WHEN ACTION_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN ACTION_TYPE ILIKE ANY ('%ConnectionSuccess%', '%ConnectionCreated%', '%ConnectionAccepted%', '%ConnectionFound%') THEN 1 WHEN ACTION_TYPE ILIKE '%ConnectionFailed%' THEN 4 WHEN ACTION_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN ACTION_TYPE ILIKE ANY ('%ConnectionSuccess%', '%ConnectionCreated%', '%ConnectionAccepted%', '%ConnectionFound%') THEN 1 WHEN ACTION_TYPE ILIKE '%ConnectionFailed%' THEN 4 WHEN ACTION_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```INITIATING_PROCESS_COMMAND_LINE::VARCHAR``` | +| actor.process.container.uid | ```APP_GUARD_CONTAINER_ID::VARCHAR``` | +| actor.process.created_time | ```date_part('epoch_milliseconds', INITIATING_PROCESS_CREATION_TIME::TIMESTAMP_LTZ)``` | +| actor.process.created_time_dt | 
```INITIATING_PROCESS_CREATION_TIME::TIMESTAMP_LTZ``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN INITIATING_PROCESS_SHA1 IS NULL AND INITIATING_PROCESS_MD5 IS NULL THEN 0 WHEN INITIATING_PROCESS_SHA1 IS NOT NULL THEN 2 WHEN INITIATING_PROCESS_MD5 IS NOT NULL THEN 1 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN INITIATING_PROCESS_SHA1 IS NULL AND INITIATING_PROCESS_MD5 IS NULL THEN 0 WHEN INITIATING_PROCESS_SHA1 IS NOT NULL THEN 2 WHEN INITIATING_PROCESS_MD5 IS NOT NULL THEN 1 END::NUMBER, 'value', COALESCE(INITIATING_PROCESS_SHA1, INITIATING_PROCESS_MD5)::VARCHAR))``` | +| actor.process.file.name | ```INITIATING_PROCESS_FILE_NAME::VARCHAR``` | +| actor.process.file.path | ```INITIATING_PROCESS_FOLDER_PATH::VARCHAR``` | +| actor.process.integrity | ```CASE (CASE WHEN INITIATING_PROCESS_INTEGRITY_LEVEL='Untrusted' THEN 1 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL='Low' THEN 2 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL='Medium' THEN 3 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL='High' THEN 4 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL='System' THEN 5 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL='Protected' THEN 6 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Untrusted' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'System' WHEN 6 THEN 'Protected' WHEN 99 THEN 'Other' END``` | +| actor.process.integrity_id | ```CASE WHEN INITIATING_PROCESS_INTEGRITY_LEVEL='Untrusted' THEN 1 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL='Low' THEN 2 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL='Medium' THEN 3 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL='High' THEN 4 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL='System' THEN 5 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL='Protected' THEN 6 WHEN 
INITIATING_PROCESS_INTEGRITY_LEVEL IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| actor.process.parent_process.created_time | ```date_part('epoch_milliseconds', INITIATING_PROCESS_PARENT_CREATION_TIME::TIMESTAMP_LTZ)``` | +| actor.process.parent_process.created_time_dt | ```INITIATING_PROCESS_PARENT_CREATION_TIME::TIMESTAMP_LTZ``` | +| actor.process.parent_process.name | ```INITIATING_PROCESS_PARENT_FILE_NAME::VARCHAR``` | +| actor.process.parent_process.pid | ```INITIATING_PROCESS_PARENT_ID::NUMBER``` | +| actor.process.pid | ```INITIATING_PROCESS_ID::NUMBER``` | +| actor.process.user.account.name | ```INITIATING_PROCESS_ACCOUNT_NAME::VARCHAR``` | +| actor.process.user.account.uid | ```INITIATING_PROCESS_ACCOUNT_SID::VARCHAR``` | +| actor.process.user.domain | ```INITIATING_PROCESS_ACCOUNT_DOMAIN::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| device.uid | ```DEVICE_ID::VARCHAR``` | +| dst_endpoint.ip | ```REMOTE_IP::VARCHAR``` | +| dst_endpoint.port | ```REMOTE_PORT::NUMBER``` | +| metadata.product.name | ```'mdatp-device-network-events'``` | +| metadata.product.vendor_name | ```'mdatp'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```LOCAL_IP::VARCHAR``` | +| src_endpoint.port | ```LOCAL_PORT::NUMBER``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((400100 + (CASE WHEN ACTION_TYPE='ConnectionSuccess' THEN 1 WHEN ACTION_TYPE='ConnectionFailed' THEN 4 WHEN ACTION_TYPE IS NULL THEN 0 ELSE 99 END))::NUMBER) 
WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```(400100 + (CASE WHEN ACTION_TYPE='ConnectionSuccess' THEN 1 WHEN ACTION_TYPE='ConnectionFailed' THEN 4 WHEN ACTION_TYPE IS NULL THEN 0 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-process-events/process_activity/README.md b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-process-events/process_activity/README.md new file mode 100644 index 00000000..ca3727f3 --- /dev/null +++ b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-process-events/process_activity/README.md 
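Review bot: in the mdatp-device-network-events network_activity table, `activity_id`/`activity_name`/`action` classify with `ILIKE ANY ('%ConnectionSuccess%', '%ConnectionCreated%', '%ConnectionAccepted%', '%ConnectionFound%')`, but `type_uid`/`type_name` use exact `ACTION_TYPE='ConnectionSuccess'` / `ACTION_TYPE='ConnectionFailed'`, so a ConnectionCreated, ConnectionAccepted or ConnectionFound row gets `activity_id` 1 ('Open') yet `type_uid` 400199 ('Network Activity: Other'); the four expressions should share one CASE. Also `actor.process.file.hashes` only considers `INITIATING_PROCESS_SHA1` and `INITIATING_PROCESS_MD5` here, whereas the logon and process mappings check `INITIATING_PROCESS_SHA256` first; confirm the column is genuinely unavailable for network events, otherwise add it. Minor: `APP_GUARD_CONTAINER_ID` lands in `actor.process.container.uid` here but in `device.container.uid` in the logon and registry mappings.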
@@ -0,0 +1,59 @@ +# Event Dossier: Mdatp Device Process Events to OCSF class Process Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `process_activity` +* Vendor name: `mdatp` +* Product name: `mdatp-device-process-events` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE='ProcessCreated' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE='ProcessCreated' THEN 1 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE='ProcessCreated' THEN 1 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE='ProcessCreated' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Launch' WHEN 2 THEN 'Terminate' WHEN 3 THEN 'Open' WHEN 4 THEN 'Inject' WHEN 5 THEN 'Set User ID' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'process_activity'``` | +| class_uid | ```1007``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| device.uid | ```DEVICE_ID::VARCHAR``` | +| metadata.product.name | ```'mdatp-device-process-events'``` | +| metadata.product.vendor_name | ```'mdatp'``` | +| metadata.version | ```'1.1.0'``` | +| process.cmd_line | ```PROCESS_COMMAND_LINE::VARCHAR``` | +| process.created_time | ```date_part('epoch_milliseconds', PROCESS_CREATION_TIME::TIMESTAMP_LTZ)``` | +| process.created_time_dt | ```PROCESS_CREATION_TIME::TIMESTAMP_LTZ``` | +| process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN SHA256 IS NULL AND SHA1 IS NULL AND MD5 IS NULL THEN 0 WHEN SHA256 IS NOT NULL THEN 3 WHEN SHA1 IS NOT NULL 
THEN 2 WHEN MD5 IS NOT NULL THEN 1 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN SHA256 IS NULL AND SHA1 IS NULL AND MD5 IS NULL THEN 0 WHEN SHA256 IS NOT NULL THEN 3 WHEN SHA1 IS NOT NULL THEN 2 WHEN MD5 IS NOT NULL THEN 1 END::NUMBER, 'value', COALESCE(SHA256, SHA1, MD5)::VARCHAR))``` | +| process.file.name | ```FILE_NAME::VARCHAR``` | +| process.file.path | ```FOLDER_PATH::VARCHAR``` | +| process.integrity | ```CASE (CASE WHEN PROCESS_INTEGRITY_LEVEL IS NULL THEN 0 WHEN PROCESS_INTEGRITY_LEVEL = 'Untrusted' THEN 1 WHEN PROCESS_INTEGRITY_LEVEL = 'Low' THEN 2 WHEN PROCESS_INTEGRITY_LEVEL = 'Medium' THEN 3 WHEN PROCESS_INTEGRITY_LEVEL = 'High' THEN 4 WHEN PROCESS_INTEGRITY_LEVEL = 'System' THEN 5 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Untrusted' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'System' WHEN 6 THEN 'Protected' WHEN 99 THEN 'Other' END``` | +| process.integrity_id | ```CASE WHEN PROCESS_INTEGRITY_LEVEL IS NULL THEN 0 WHEN PROCESS_INTEGRITY_LEVEL = 'Untrusted' THEN 1 WHEN PROCESS_INTEGRITY_LEVEL = 'Low' THEN 2 WHEN PROCESS_INTEGRITY_LEVEL = 'Medium' THEN 3 WHEN PROCESS_INTEGRITY_LEVEL = 'High' THEN 4 WHEN PROCESS_INTEGRITY_LEVEL = 'System' THEN 5 ELSE 99 END::NUMBER``` | +| process.parent_process.cmd_line | ```INITIATING_PROCESS_COMMAND_LINE::VARCHAR``` | +| process.parent_process.created_time | ```date_part('epoch_milliseconds', INITIATING_PROCESS_CREATION_TIME::TIMESTAMP_LTZ)``` | +| process.parent_process.created_time_dt | ```INITIATING_PROCESS_CREATION_TIME::TIMESTAMP_LTZ``` | +| process.parent_process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN INITIATING_PROCESS_SHA256 IS NULL AND INITIATING_PROCESS_SHA1 IS NULL AND INITIATING_PROCESS_MD5 IS NULL THEN 0 WHEN 
INITIATING_PROCESS_SHA256 IS NOT NULL THEN 3 WHEN INITIATING_PROCESS_SHA1 IS NOT NULL THEN 2 WHEN INITIATING_PROCESS_MD5 IS NOT NULL THEN 1 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN INITIATING_PROCESS_SHA256 IS NULL AND INITIATING_PROCESS_SHA1 IS NULL AND INITIATING_PROCESS_MD5 IS NULL THEN 0 WHEN INITIATING_PROCESS_SHA256 IS NOT NULL THEN 3 WHEN INITIATING_PROCESS_SHA1 IS NOT NULL THEN 2 WHEN INITIATING_PROCESS_MD5 IS NOT NULL THEN 1 END::NUMBER, 'value', COALESCE(INITIATING_PROCESS_SHA256, INITIATING_PROCESS_SHA1, INITIATING_PROCESS_MD5)::VARCHAR))``` | +| process.parent_process.file.name | ```INITIATING_PROCESS_FILE_NAME::VARCHAR``` | +| process.parent_process.file.path | ```INITIATING_PROCESS_FOLDER_PATH::VARCHAR``` | +| process.parent_process.integrity | ```CASE (CASE WHEN INITIATING_PROCESS_INTEGRITY_LEVEL IS NULL THEN 0 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Untrusted' THEN 1 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Low' THEN 2 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Medium' THEN 3 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'High' THEN 4 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'System' THEN 5 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Untrusted' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'System' WHEN 6 THEN 'Protected' WHEN 99 THEN 'Other' END``` | +| process.parent_process.integrity_id | ```CASE WHEN INITIATING_PROCESS_INTEGRITY_LEVEL IS NULL THEN 0 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Untrusted' THEN 1 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Low' THEN 2 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Medium' THEN 3 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'High' THEN 4 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'System' THEN 5 ELSE 99 END::NUMBER``` | +| process.parent_process.parent_process.created_time | 
```date_part('epoch_milliseconds', INITIATING_PROCESS_PARENT_CREATION_TIME::TIMESTAMP_LTZ)``` | +| process.parent_process.parent_process.created_time_dt | ```INITIATING_PROCESS_PARENT_CREATION_TIME::TIMESTAMP_LTZ``` | +| process.parent_process.parent_process.file.name | ```INITIATING_PROCESS_PARENT_FILE_NAME::VARCHAR``` | +| process.parent_process.parent_process.pid | ```INITIATING_PROCESS_PARENT_ID::NUMBER``` | +| process.parent_process.pid | ```INITIATING_PROCESS_ID::NUMBER``` | +| process.parent_process.user.domain | ```INITIATING_PROCESS_ACCOUNT_DOMAIN::VARCHAR``` | +| process.parent_process.user.name | ```INITIATING_PROCESS_ACCOUNT_NAME::VARCHAR``` | +| process.parent_process.user.uid | ```INITIATING_PROCESS_ACCOUNT_SID::VARCHAR``` | +| process.pid | ```PROCESS_ID::NUMBER``` | +| process.user.domain | ```ACCOUNT_DOMAIN::VARCHAR``` | +| process.user.name | ```ACCOUNT_NAME::VARCHAR``` | +| process.user.uid | ```ACCOUNT_SID::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((100700 + (CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE='ProcessCreated' THEN 1 ELSE 99 END))::NUMBER) WHEN 100700 THEN 'Process Activity: Unknown' WHEN 100701 THEN 'Process Activity: Launch' WHEN 100702 THEN 'Process Activity: Terminate' WHEN 100703 THEN 'Process Activity: Open' WHEN 100704 THEN 'Process Activity: Inject' WHEN 100705 THEN 'Process Activity: Set User ID' WHEN 100799 THEN 'Process Activity: Other' END``` | +| type_uid | ```(100700 + (CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE='ProcessCreated' THEN 1 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ 
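Review bot: in the mdatp-device-process-events process_activity table, `process.file.path` ← `FOLDER_PATH::VARCHAR` and `process.parent_process.file.path` ← `INITIATING_PROCESS_FOLDER_PATH::VARCHAR`, while the two registry mappings in this patch map `INITIATING_PROCESS_FOLDER_PATH` to `file.parent_folder`; the same source column cannot be both a full path and a parent folder, so decide whether it includes the file name and use one target attribute across all mappings. Also, the `process.integrity` decoder lists `WHEN 6 THEN 'Protected'` but the encoder CASE never produces 6 (it falls to `ELSE 99`), whereas the network mapping has `INITIATING_PROCESS_INTEGRITY_LEVEL='Protected' THEN 6`; align the two.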
diff --git a/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-registry-events/registry_key_activity/README.md b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-registry-events/registry_key_activity/README.md new file mode 100644 index 00000000..07686f11 --- /dev/null +++ b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-registry-events/registry_key_activity/README.md 
@@ -0,0 +1,49 @@ +# Event Dossier: Mdatp Device Registry Events to OCSF class Win/registry Key Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `registry_key_activity` +* Vendor name: `mdatp` +* Product name: `mdatp-device-registry-events` +* Event codes: `ACTION_TYPE ILIKE '%RegistryKey%'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE = 'RegistryKeyCreated' THEN 1 WHEN ACTION_TYPE = 'RegistryKeyDeleted' THEN 4 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE = 'RegistryKeyCreated' THEN 1 WHEN ACTION_TYPE = 'RegistryKeyDeleted' THEN 4 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Create' WHEN 2 THEN 'Read' WHEN 3 THEN 'Modify' WHEN 4 THEN 'Delete' WHEN 5 THEN 'Rename' WHEN 6 THEN 'Set Security' WHEN 7 THEN 'Restore' WHEN 8 THEN 'Import' WHEN 9 THEN 'Export' WHEN 99 THEN 'Other' END``` | +| actor.process.parent_process.cmd_line | ```INITIATING_PROCESS_COMMAND_LINE::VARCHAR``` | +| actor.process.parent_process.created_time | ```date_part('epoch_milliseconds', INITIATING_PROCESS_CREATION_TIME::TIMESTAMP_LTZ)``` | +| actor.process.parent_process.created_time_dt | ```INITIATING_PROCESS_CREATION_TIME::TIMESTAMP_LTZ``` | +| actor.process.parent_process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN INITIATING_PROCESS_SHA1 IS NULL AND INITIATING_PROCESS_MD5 IS NULL THEN 0 WHEN INITIATING_PROCESS_SHA1 IS NOT NULL THEN 2 WHEN INITIATING_PROCESS_MD5 IS NOT NULL THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 
'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN INITIATING_PROCESS_SHA1 IS NULL AND INITIATING_PROCESS_MD5 IS NULL THEN 0 WHEN INITIATING_PROCESS_SHA1 IS NOT NULL THEN 2 WHEN INITIATING_PROCESS_MD5 IS NOT NULL THEN 1 ELSE 99 END::NUMBER, 'value', COALESCE(INITIATING_PROCESS_SHA1, INITIATING_PROCESS_MD5)::VARCHAR))``` | +| actor.process.parent_process.file.name | ```INITIATING_PROCESS_FILE_NAME::VARCHAR``` | +| actor.process.parent_process.file.parent_folder | ```INITIATING_PROCESS_FOLDER_PATH::VARCHAR``` | +| actor.process.parent_process.integrity | ```CASE (CASE WHEN INITIATING_PROCESS_INTEGRITY_LEVEL IS NULL THEN 0 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'System' THEN 5 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Medium' THEN 3 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'High' THEN 4 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Untrusted' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'System' WHEN 6 THEN 'Protected' WHEN 99 THEN 'Other' END``` | +| actor.process.parent_process.integrity_id | ```CASE WHEN INITIATING_PROCESS_INTEGRITY_LEVEL IS NULL THEN 0 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'System' THEN 5 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Medium' THEN 3 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'High' THEN 4 ELSE 99 END::NUMBER``` | +| actor.process.parent_process.parent_process.created_time | ```date_part('epoch_milliseconds', INITIATING_PROCESS_PARENT_CREATION_TIME::TIMESTAMP_LTZ)``` | +| actor.process.parent_process.parent_process.created_time_dt | ```INITIATING_PROCESS_PARENT_CREATION_TIME::TIMESTAMP_LTZ``` | +| actor.process.parent_process.parent_process.file.name | ```INITIATING_PROCESS_PARENT_FILE_NAME::VARCHAR``` | +| actor.process.parent_process.parent_process.uid | ```INITIATING_PROCESS_PARENT_ID::VARCHAR``` | +| actor.process.parent_process.uid | ```INITIATING_PROCESS_ID::VARCHAR``` | +| actor.process.parent_process.user.account.name | ```INITIATING_PROCESS_ACCOUNT_NAME::VARCHAR``` | 
+| actor.process.parent_process.user.account.uid | ```INITIATING_PROCESS_ACCOUNT_SID::VARCHAR``` | +| actor.process.parent_process.user.domain | ```INITIATING_PROCESS_ACCOUNT_DOMAIN::VARCHAR``` | +| class_name | ```'win/registry_key_activity'``` | +| class_uid | ```201001``` | +| device.container.uid | ```APP_GUARD_CONTAINER_ID::VARCHAR``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| device.uid | ```DEVICE_ID::VARCHAR``` | +| metadata.product.name | ```'mdatp-device-registry-events'``` | +| metadata.product.vendor_name | ```'mdatp'``` | +| metadata.version | ```'1.1.0'``` | +| reg_key.path | ```REGISTRY_KEY::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((20100100 + (CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE = 'RegistryKeyCreated' THEN 1 WHEN ACTION_TYPE = 'RegistryKeyDeleted' THEN 4 ELSE 99 END))::NUMBER) WHEN 20100100 THEN 'Registry Key Activity: Unknown' WHEN 20100101 THEN 'Registry Key Activity: Create' WHEN 20100102 THEN 'Registry Key Activity: Read' WHEN 20100103 THEN 'Registry Key Activity: Modify' WHEN 20100104 THEN 'Registry Key Activity: Delete' WHEN 20100105 THEN 'Registry Key Activity: Rename' WHEN 20100106 THEN 'Registry Key Activity: Set Security' WHEN 20100107 THEN 'Registry Key Activity: Restore' WHEN 20100108 THEN 'Registry Key Activity: Import' WHEN 20100109 THEN 'Registry Key Activity: Export' WHEN 20100199 THEN 'Registry Key Activity: Other' END``` | +| type_uid | ```(20100100 + (CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE = 'RegistryKeyCreated' THEN 1 WHEN ACTION_TYPE = 'RegistryKeyDeleted' THEN 4 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community 
by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-registry-events/registry_value_activity/README.md b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-registry-events/registry_value_activity/README.md new file mode 100644 index 00000000..a2003f31 --- /dev/null +++ b/mappings/markdown/Microsoft/Defender for endpoint/1.1.0/mdatp-device-registry-events/registry_value_activity/README.md 
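Review bot: in the mdatp-device-registry-events registry_key_activity table, the initiating process is placed under `actor.process.parent_process.*` (e.g. `actor.process.parent_process.cmd_line` ← `INITIATING_PROCESS_COMMAND_LINE`) and its parent under `actor.process.parent_process.parent_process.*`, leaving `actor.process` itself empty; the registry_value_activity mapping in the same patch puts the same columns under `actor.process.*`, which is the intended level, so shift this chain up by one. Also `category_uid` and `category_name` rows are missing from this table although every other table in the patch has them; given the WIP note about required fields, add `category_uid` 1 / 'System Activity' as in the process mapping. Minor: `actor.process.parent_process.uid` ← `INITIATING_PROCESS_ID::VARCHAR` while the other mappings expose the same column as `pid` `::NUMBER`.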
@@ -0,0 +1,58 @@ +# Event Dossier: Mdatp Device Registry Events to OCSF class Win/registry Value Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `registry_value_activity` +* Vendor name: `mdatp` +* Product name: `mdatp-device-registry-events` +* Event codes: `ACTION_TYPE ILIKE '%RegistryValue%'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE = 'RegistryValueSet' then 2 WHEN ACTION_TYPE = 'RegistryValueDeleted' then 4 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN ACTION_TYPE IS NULL THEN 0 WHEN ACTION_TYPE = 'RegistryValueSet' then 2 WHEN ACTION_TYPE = 'RegistryValueDeleted' then 4 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Get' WHEN 2 THEN 'Set' WHEN 3 THEN 'Modify' WHEN 4 THEN 'Delete' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```INITIATING_PROCESS_COMMAND_LINE::VARCHAR``` | +| actor.process.created_time | ```date_part('epoch_milliseconds', INITIATING_PROCESS_CREATION_TIME::TIMESTAMP_LTZ)``` | +| actor.process.created_time_dt | ```INITIATING_PROCESS_CREATION_TIME::TIMESTAMP_LTZ``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (IFF(INITIATING_PROCESS_MD5 IS NULL, IFF(INITIATING_PROCESS_SHA1 IS NULL, 0, 2), 1)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', IFF(INITIATING_PROCESS_MD5 IS NULL, IFF(INITIATING_PROCESS_SHA1 IS NULL, 0, 2), 1)::NUMBER, 'value', COALESCE(INITIATING_PROCESS_MD5, INITIATING_PROCESS_SHA1)::VARCHAR))``` | +| actor.process.file.name | 
```INITIATING_PROCESS_FILE_NAME::VARCHAR``` | +| actor.process.file.parent_folder | ```INITIATING_PROCESS_FOLDER_PATH::VARCHAR``` | +| actor.process.integrity | ```CASE (CASE WHEN INITIATING_PROCESS_INTEGRITY_LEVEL IS NULL THEN 0 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Untrusted' THEN 1 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Low' THEN 2 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Medium' THEN 3 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'High' THEN 4 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'System' THEN 5 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Untrusted' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'System' WHEN 6 THEN 'Protected' WHEN 99 THEN 'Other' END``` | +| actor.process.integrity_id | ```CASE WHEN INITIATING_PROCESS_INTEGRITY_LEVEL IS NULL THEN 0 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Untrusted' THEN 1 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Low' THEN 2 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'Medium' THEN 3 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'High' THEN 4 WHEN INITIATING_PROCESS_INTEGRITY_LEVEL = 'System' THEN 5 ELSE 99 END::NUMBER``` | +| actor.process.parent_process.created_time | ```date_part('epoch_milliseconds', INITIATING_PROCESS_PARENT_CREATION_TIME::TIMESTAMP_LTZ)``` | +| actor.process.parent_process.created_time_dt | ```INITIATING_PROCESS_PARENT_CREATION_TIME::TIMESTAMP_LTZ``` | +| actor.process.parent_process.file.name | ```INITIATING_PROCESS_PARENT_FILE_NAME::VARCHAR``` | +| actor.process.parent_process.uid | ```INITIATING_PROCESS_PARENT_ID::VARCHAR``` | +| actor.process.uid | ```INITIATING_PROCESS_ID::VARCHAR``` | +| actor.process.user.account.name | ```INITIATING_PROCESS_ACCOUNT_NAME::VARCHAR``` | +| actor.process.user.account.uid | ```INITIATING_PROCESS_ACCOUNT_SID::VARCHAR``` | +| actor.process.user.domain | ```INITIATING_PROCESS_ACCOUNT_DOMAIN::VARCHAR``` | +| api.operation | ```OPERATION_NAME::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' 
END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'win/registry_value_activity'``` | +| class_uid | ```201002``` | +| device.container.uid | ```APP_GUARD_CONTAINER_ID::VARCHAR``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| device.uid | ```DEVICE_ID::VARCHAR``` | +| disposition | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```99::NUMBER``` | +| metadata.product.name | ```'mdatp-device-registry-events'``` | +| metadata.product.vendor_name | ```'mdatp'``` | +| metadata.version | ```'1.1.0'``` | +| prev_reg_value.name | ```PREVIOUS_REGISTRY_VALUE_NAME::VARCHAR``` | +| reg_value.name | ```REGISTRY_VALUE_NAME::VARCHAR``` | +| reg_value.path | ```REGISTRY_KEY::VARCHAR``` | +| reg_value.type | ```CASE (CASE WHEN REGISTRY_VALUE_TYPE IS NULL THEN 0 WHEN REGISTRY_VALUE_TYPE = 'Binary' THEN 1 WHEN REGISTRY_VALUE_TYPE = 'Dword' THEN 2 WHEN REGISTRY_VALUE_TYPE = 'ExpandString' THEN 4 WHEN REGISTRY_VALUE_TYPE = 'Link' THEN 5 WHEN REGISTRY_VALUE_TYPE = 'MultiString' THEN 6 WHEN REGISTRY_VALUE_TYPE = 'None' THEN 7 WHEN REGISTRY_VALUE_TYPE = 'Qword' THEN 8 WHEN REGISTRY_VALUE_TYPE = 'String' THEN 10 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'REG_BINARY' WHEN 10 THEN 'REG_SZ' WHEN 2 THEN 'REG_DWORD' WHEN 3 THEN 'REG_DWORD_BIG_ENDIAN' WHEN 4 THEN 'REG_EXPAND_SZ' 
WHEN 5 THEN 'REG_LINK' WHEN 6 THEN 'REG_MULTI_SZ' WHEN 7 THEN 'REG_NONE' WHEN 8 THEN 'REG_QWORD' WHEN 9 THEN 'REG_QWORD_LITTLE_ENDIAN' WHEN 99 THEN 'Other' END``` | +| reg_value.type_id | ```CASE WHEN REGISTRY_VALUE_TYPE IS NULL THEN 0 WHEN REGISTRY_VALUE_TYPE = 'Binary' THEN 1 WHEN REGISTRY_VALUE_TYPE = 'Dword' THEN 2 WHEN REGISTRY_VALUE_TYPE = 'ExpandString' THEN 4 WHEN REGISTRY_VALUE_TYPE = 'Link' THEN 5 WHEN REGISTRY_VALUE_TYPE = 'MultiString' THEN 6 WHEN REGISTRY_VALUE_TYPE = 'None' THEN 7 WHEN REGISTRY_VALUE_TYPE = 'Qword' THEN 8 WHEN REGISTRY_VALUE_TYPE = 'String' THEN 10 ELSE 99 END::NUMBER``` | +| severity | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```99::NUMBER``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE WHEN ACTION_TYPE IS NULL THEN 20100200 WHEN ACTION_TYPE = 'RegistryValueSet' then 20100202 WHEN ACTION_TYPE = 'RegistryValueDeleted' then 20100204 ELSE 20100299 END::NUMBER) WHEN 20100200 THEN 'Registry Value Activity: Unknown' WHEN 20100201 THEN 'Registry Value Activity: Get' WHEN 20100202 THEN 'Registry Value Activity: Set' WHEN 20100203 THEN 'Registry Value Activity: Modify' WHEN 20100204 THEN 'Registry Value Activity: Delete' WHEN 20100299 THEN 'Registry Value Activity: Other' END``` | +| type_uid | ```CASE WHEN ACTION_TYPE IS NULL THEN 20100200 WHEN ACTION_TYPE = 'RegistryValueSet' then 20100202 WHEN ACTION_TYPE = 'RegistryValueDeleted' then 20100204 ELSE 20100299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ 
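Review bot: `actor.process.file.hashes` in the mdatp registry_value_activity dossier above always emits exactly one array element: when both INITIATING_PROCESS_MD5 and INITIATING_PROCESS_SHA1 are present the SHA-1 is silently dropped (COALESCE picks the MD5), and when both are NULL the row still gets an entry with algorithm 'Unknown' and value NULL instead of an empty array. Build the array conditionally, one OBJECT_CONSTRUCT per non-NULL hash (algorithm_id 1 for MD5, 2 for SHA-1) and `ARRAY_CONSTRUCT()` when neither exists. Also, `severity_id`, `action_id` and `disposition_id` are hard-coded to 99 ('Other') here while the other dossiers in this patch use 0 ('Unknown') for the same unmapped fields; 'Other' signals a vendor value that exists but falls outside the enum, so 0 is the consistent choice when the source simply carries no such field.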
diff --git a/mappings/markdown/Microsoft/Microsoft IIS/1.1.0/iis-w3c/http_activity/README.md b/mappings/markdown/Microsoft/Microsoft IIS/1.1.0/iis-w3c/http_activity/README.md new file mode 100644 index 00000000..b3ff13f5 --- /dev/null +++ b/mappings/markdown/Microsoft/Microsoft IIS/1.1.0/iis-w3c/http_activity/README.md 
@@ -0,0 +1,51 @@ +# Event Dossier: Iis W3c to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `Microsoft IIS` +* Product name: `iis-w3c` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```0::NUMBER``` | +| activity_id | ```DECODE(METHOD, 'CONNECT', 1, 'DELETE', 2, 'GET', 3,'HEAD', 4, 'OPTIONS', 5, 'POST', 6, 'PUT', 7, 'TRACE', 8,0)``` | +| activity_name | ```CASE (DECODE(METHOD, 'CONNECT', 1, 'DELETE', 2, 'GET', 3,'HEAD', 4, 'OPTIONS', 5, 'POST', 6, 'PUT', 7, 'TRACE', 8,0)) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| actor.user.name | ```USERNAME::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```1::NUMBER``` | +| dst_endpoint.ip | ```SERVER_IP::VARCHAR``` | +| dst_endpoint.name | ```SERVER_NAME::VARCHAR``` | +| dst_endpoint.port | ```SERVER_PORT::VARCHAR``` | +| duration | ```TIME_TAKEN::NUMBER``` | +| http_cookies.name | ```COOKIE::VARCHAR``` | +| http_request.http_method | ```METHOD::VARCHAR``` | +| http_request.length | ```BYTES_SENT::NUMBER``` | +| http_request.referrer | ```REFERRER::VARCHAR``` | +| http_request.url.query_string | ```URI_QUERY::VARCHAR``` | +| http_request.url.url_string | ```URI_STEM::VARCHAR``` | +| http_request.user_agent | 
```USER_AGENT::VARCHAR``` | +| http_response.code | ```STATUS_CODE::NUMBER``` | +| http_response.length | ```BYTES_RECEIVED::NUMBER``` | +| metadata.product.name | ```'iis-w3c'``` | +| metadata.product.vendor_name | ```'Microsoft IIS'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```CLIENT_IP::VARCHAR``` | +| status | ```CASE (CASE WHEN STATUS_CODE ILIKE '2%%' THEN 1 WHEN STATUS_CODE ILIKE '4%%' THEN 2 WHEN STATUS_CODE ILIKE '5%%' THEN 2 WHEN STATUS_CODE IS NULL THEN 0 ELSE 99 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_code | ```STATUS_CODE::VARCHAR``` | +| status_id | ```CASE WHEN STATUS_CODE ILIKE '2%%' THEN 1 WHEN STATUS_CODE ILIKE '4%%' THEN 2 WHEN STATUS_CODE ILIKE '5%%' THEN 2 WHEN STATUS_CODE IS NULL THEN 0 ELSE 99 END``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (DECODE(METHOD, 'CONNECT', 400201, 'DELETE', 400202, 'GET', 400203,'HEAD', 400204, 'OPTIONS', 400205, 'POST', 400206, 'PUT', 400207, 'TRACE', 400208,400200)) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```DECODE(METHOD, 'CONNECT', 400201, 'DELETE', 400202, 'GET', 400203,'HEAD', 400204, 'OPTIONS', 400205, 'POST', 400206, 'PUT', 400207, 'TRACE', 400208,400200)``` | + +Contributed to the OCSF 
community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Microsoft/office365/1.1.0/o365-audit-logs/authentication/README.md b/mappings/markdown/Microsoft/office365/1.1.0/o365-audit-logs/authentication/README.md new file mode 100644 index 00000000..51d4fdea --- /dev/null +++ b/mappings/markdown/Microsoft/office365/1.1.0/o365-audit-logs/authentication/README.md 
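Review bot: `http_request.length` and `http_response.length` in the iis-w3c http_activity dossier above look swapped: W3C extended log fields are written from the server's perspective, so Bytes Sent (sc-bytes) is the size of the response the server sent and Bytes Received (cs-bytes) is the size of the request it received; the mapping should read `http_request.length` = BYTES_RECEIVED::NUMBER and `http_response.length` = BYTES_SENT::NUMBER. Two smaller points in the same hunk: `dst_endpoint.port` is cast to VARCHAR while the OCSF port type is an integer (and `http_response.code` in the same table is already cast to NUMBER), so `SERVER_PORT::NUMBER` would be consistent; and `http_cookies.name` is fed the whole Cookie header, which carries `name=value; name2=value2` pairs, so it should either be split into one cookie object per pair or populate both name and value of a single entry rather than putting the entire header into `name`.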
@@ -0,0 +1,49 @@ +# Event Dossier: O365 Audit Logs to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `office365` +* Product name: `o365-audit-logs` +* Event codes: `OPERATION in ('UserLoginFailed', 'UserLoggedIn')` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| actor.process.session.uid | ```RECORD_SPECIFIC_DETAILS:device_properties:session_id::VARCHAR``` | +| auth_protocol | ```CASE (CASE WHEN RECORD_SPECIFIC_DETAILS:extended_properties:request_type ILIKE '%OAuth2%' THEN 6 WHEN RECORD_SPECIFIC_DETAILS:extended_properties:request_type ILIKE '%Saml%' THEN 5 WHEN RECORD_SPECIFIC_DETAILS:extended_properties:request_type IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'NTLM' WHEN 10 THEN 'RADIUS' WHEN 2 THEN 'Kerberos' WHEN 3 THEN 'Digest' WHEN 4 THEN 'OpenID' WHEN 5 THEN 'SAML' WHEN 6 THEN 'OAUTH 2.0' WHEN 7 THEN 'PAP' WHEN 8 THEN 'CHAP' WHEN 9 THEN 'EAP' WHEN 99 THEN 'Other' END``` | +| auth_protocol_id | ```CASE WHEN RECORD_SPECIFIC_DETAILS:extended_properties:request_type ILIKE '%OAuth2%' THEN 6 WHEN RECORD_SPECIFIC_DETAILS:extended_properties:request_type ILIKE '%Saml%' THEN 5 WHEN RECORD_SPECIFIC_DETAILS:extended_properties:request_type IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| cloud.provider | ```WORKLOAD::VARCHAR``` | +| device.name | ```RECORD_SPECIFIC_DETAILS:device_properties:display_name::VARCHAR``` | +| device.os.name | 
```RECORD_SPECIFIC_DETAILS:device_properties:os::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='Windows' THEN 100 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='Windows Mobile' THEN 101 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='Linux' THEN 200 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='Android' THEN 201 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='macOS' THEN 300 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='iOS' THEN 301 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='iPadOS' THEN 302 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='Solaris' THEN 400 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='AIX' THEN 401 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='HP-UX' THEN 402 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='Windows' THEN 100 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='Windows Mobile' THEN 101 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='Linux' THEN 200 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='Android' THEN 201 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='macOS' THEN 300 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='iOS' THEN 301 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='iPadOS' THEN 302 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='Solaris' THEN 400 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='AIX' THEN 401 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os='HP-UX' THEN 402 WHEN RECORD_SPECIFIC_DETAILS:device_properties:os IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| device.uid | 
```RECORD_SPECIFIC_DETAILS:device_properties:id::VARCHAR``` | +| http_request.user_agent | ```RECORD_SPECIFIC_DETAILS:extended_properties:user_agent::VARCHAR``` | +| metadata.event_code | ```workload``` | +| metadata.product.name | ```'o365-audit-logs'``` | +| metadata.product.vendor_name | ```'office365'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```CLIENT_IP::VARCHAR``` | +| status | ```CASE (CASE WHEN RESULT_STATUS IN ('Success', 'Succeeded') THEN 1 WHEN RESULT_STATUS='Failed' THEN 2 WHEN RESULT_STATUS IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_detail | ```RECORD_SPECIFIC_DETAILS:extended_properties:result_status_detail::VARCHAR``` | +| status_id | ```CASE WHEN RESULT_STATUS IN ('Success', 'Succeeded') THEN 1 WHEN RESULT_STATUS='Failed' THEN 2 WHEN RESULT_STATUS IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (300201::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```300201::NUMBER``` | +| user.credential_uid | ```USER_KEY::VARCHAR``` | +| user.org.uid | ```ORGANIZATION_ID::VARCHAR``` | +| user.type | ```CASE (CASE WHEN USER_TYPE=0 THEN 1 WHEN USER_TYPE=2 THEN 2 WHEN USER_TYPE=4 THEN 3 WHEN USER_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 
'Unknown' WHEN 1 THEN 'User' WHEN 2 THEN 'Admin' WHEN 3 THEN 'System' WHEN 99 THEN 'Other' END``` | +| user.type_id | ```CASE WHEN USER_TYPE=0 THEN 1 WHEN USER_TYPE=2 THEN 2 WHEN USER_TYPE=4 THEN 3 WHEN USER_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| user.uid | ```USER_ID::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Microsoft/windows-dns/1.1.0/windows-dns-debug-logs/dns_activity/README.md b/mappings/markdown/Microsoft/windows-dns/1.1.0/windows-dns-debug-logs/dns_activity/README.md new file mode 100644 index 00000000..0525f689 --- /dev/null +++ b/mappings/markdown/Microsoft/windows-dns/1.1.0/windows-dns-debug-logs/dns_activity/README.md 
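Review bot: `metadata.event_code` in the o365-audit-logs authentication dossier above is set to `workload`, but the dossier's own Event codes filter selects on OPERATION ('UserLoginFailed', 'UserLoggedIn'), and WORKLOAD is already consumed as `cloud.provider`; the event code should be `OPERATION::VARCHAR` (note also that `workload` is the only right-hand expression in the table without an explicit cast). On `cloud.provider` itself, WORKLOAD names the Office 365 service the record came from rather than the cloud provider, so a literal provider value would be more accurate. A further point on the same hunk: `status_id` is derived solely from RESULT_STATUS even though the filter already separates the failed-logon operation, so adding `WHEN OPERATION = 'UserLoginFailed' THEN 2` ahead of the RESULT_STATUS branches keeps status consistent with the operation name in case RESULT_STATUS does not read 'Failed' for those records.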
@@ -0,0 +1,42 @@ +# Event Dossier: Windows Dns Debug Logs to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `windows-dns` +* Product name: `windows-dns-debug-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN AUTHORITATIVE_ANSWER='TRUE' THEN 1 WHEN AUTHORITATIVE_ANSWER='FALSE' THEN 2 WHEN AUTHORITATIVE_ANSWER IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN AUTHORITATIVE_ANSWER='TRUE' THEN 1 WHEN AUTHORITATIVE_ANSWER='FALSE' THEN 2 WHEN AUTHORITATIVE_ANSWER IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN QUERY_TYPE_PRETTY='Query' THEN 1 WHEN QUERY_TYPE_PRETTY='Response' THEN 2 WHEN QUERY_TYPE_PRETTY='Traffic' THEN 6 WHEN QUERY_TYPE_PRETTY IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN QUERY_TYPE_PRETTY='Query' THEN 1 WHEN QUERY_TYPE_PRETTY='Response' THEN 2 WHEN QUERY_TYPE_PRETTY='Traffic' THEN 6 WHEN QUERY_TYPE_PRETTY IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| answers | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT('flags', SPLIT(REGEXP_REPLACE(FLAGS_CHAR_CODES, '(.)', '\\1.'), '.')))::VARIANT``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| connection_info.direction | ```CASE (CASE WHEN SEND_RECEIVE_INDICATOR='Rcv' THEN 1 WHEN SEND_RECEIVE_INDICATOR='Snd' THEN 2 WHEN SEND_RECEIVE_INDICATOR IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | 
```CASE WHEN SEND_RECEIVE_INDICATOR='Rcv' THEN 1 WHEN SEND_RECEIVE_INDICATOR='Snd' THEN 2 WHEN SEND_RECEIVE_INDICATOR IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| connection_info.protocol_name | ```PROTOCOL::VARCHAR``` | +| dst_endpoint.ip | ```REMOTE_IP::VARCHAR``` | +| metadata.product.name | ```'windows-dns-debug-logs'``` | +| metadata.product.vendor_name | ```'windows-dns'``` | +| metadata.version | ```'1.1.0'``` | +| query.hostname | ```QUESTION_NAME::VARCHAR``` | +| query.opcode | ```OPCODE::VARCHAR``` | +| query.opcode_id | ```CASE WHEN OPCODE_PRETTY='Standard Query' THEN 0 WHEN OPCODE_PRETTY='Inverse Query' THEN 1 WHEN OPCODE_PRETTY='Status' THEN 2 WHEN OPCODE_PRETTY='Reserved' THEN 3 WHEN OPCODE_PRETTY='Notify' THEN 4 WHEN OPCODE_PRETTY='Update' THEN 5 WHEN OPCODE_PRETTY='DSO Message' THEN 6 END::NUMBER``` | +| query.type | ```QUESTION_TYPE::VARCHAR``` | +| rcode | ```CASE (CASE WHEN RESPONSE_CODE='NOERROR' THEN 0 WHEN RESPONSE_CODE='FORMERROR' THEN 1 WHEN RESPONSE_CODE='SERVFAIL' THEN 2 WHEN RESPONSE_CODE='NXDOMAIN' THEN 100 WHEN RESPONSE_CODE='NOTIMP' THEN 4 WHEN RESPONSE_CODE='REFUSED' THEN 5 WHEN RESPONSE_CODE='YXDOMAIN' THEN 6 WHEN RESPONSE_CODE='YXRRSET' THEN 7 WHEN RESPONSE_CODE='NXRRSET' THEN 8 WHEN RESPONSE_CODE='NOTAUTH' THEN 9 WHEN RESPONSE_CODE='NOTZONE' THEN 10 WHEN RESPONSE_CODE='DSOTYPENI' THEN 11 WHEN RESPONSE_CODE='BADSIG_VERS' THEN 16 WHEN RESPONSE_CODE='BADKEY' THEN 17 WHEN RESPONSE_CODE='BADTIME' THEN 18 WHEN RESPONSE_CODE='BADMODE' THEN 19 WHEN RESPONSE_CODE='BADNAME' THEN 20 WHEN RESPONSE_CODE='BADALG' THEN 21 WHEN RESPONSE_CODE='BADTRUNC' THEN 22 WHEN RESPONSE_CODE='BADCOOKIE' THEN 23 WHEN RESPONSE_CODE='UNASSIGNED' THEN 24 WHEN RESPONSE_CODE='RESERVED' THEN 25 ELSE 99 END::NUMBER) WHEN 0 THEN 'NoError' WHEN 1 THEN 'FormError' WHEN 10 THEN 'NotZone' WHEN 11 THEN 'DSOTYPENI' WHEN 16 THEN 'BADSIG_VERS' WHEN 17 THEN 'BADKEY' WHEN 18 THEN 'BADTIME' WHEN 19 THEN 'BADMODE' WHEN 2 THEN 'ServError' WHEN 20 THEN 'BADNAME' WHEN 21 THEN 'BADALG' 
WHEN 22 THEN 'BADTRUNC' WHEN 23 THEN 'BADCOOKIE' WHEN 24 THEN 'Unassigned' WHEN 25 THEN 'Reserved' WHEN 3 THEN 'NXDomain' WHEN 4 THEN 'NotImp' WHEN 5 THEN 'Refused' WHEN 6 THEN 'YXDomain' WHEN 7 THEN 'YXRRSet' WHEN 8 THEN 'NXRRSet' WHEN 9 THEN 'NotAuth' WHEN 99 THEN 'Other' END``` | +| rcode_id | ```CASE WHEN RESPONSE_CODE='NOERROR' THEN 0 WHEN RESPONSE_CODE='FORMERROR' THEN 1 WHEN RESPONSE_CODE='SERVFAIL' THEN 2 WHEN RESPONSE_CODE='NXDOMAIN' THEN 100 WHEN RESPONSE_CODE='NOTIMP' THEN 4 WHEN RESPONSE_CODE='REFUSED' THEN 5 WHEN RESPONSE_CODE='YXDOMAIN' THEN 6 WHEN RESPONSE_CODE='YXRRSET' THEN 7 WHEN RESPONSE_CODE='NXRRSET' THEN 8 WHEN RESPONSE_CODE='NOTAUTH' THEN 9 WHEN RESPONSE_CODE='NOTZONE' THEN 10 WHEN RESPONSE_CODE='DSOTYPENI' THEN 11 WHEN RESPONSE_CODE='BADSIG_VERS' THEN 16 WHEN RESPONSE_CODE='BADKEY' THEN 17 WHEN RESPONSE_CODE='BADTIME' THEN 18 WHEN RESPONSE_CODE='BADMODE' THEN 19 WHEN RESPONSE_CODE='BADNAME' THEN 20 WHEN RESPONSE_CODE='BADALG' THEN 21 WHEN RESPONSE_CODE='BADTRUNC' THEN 22 WHEN RESPONSE_CODE='BADCOOKIE' THEN 23 WHEN RESPONSE_CODE='UNASSIGNED' THEN 24 WHEN RESPONSE_CODE='RESERVED' THEN 25 ELSE 99 END::NUMBER``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE WHEN QUERY_TYPE_PRETTY='Query' THEN 400301 WHEN QUERY_TYPE_PRETTY='Response' THEN 400302 WHEN QUERY_TYPE_PRETTY='Traffic' THEN 400306 WHEN QUERY_TYPE_PRETTY IS NULL THEN 400300 ELSE 400399 END::NUMBER) WHEN 400300 THEN 'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 THEN 'DNS Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' WHEN 400399 THEN 'DNS Activity: Other' END``` | +| type_uid | ```CASE WHEN 
QUERY_TYPE_PRETTY='Query' THEN 400301 WHEN QUERY_TYPE_PRETTY='Response' THEN 400302 WHEN QUERY_TYPE_PRETTY='Traffic' THEN 400306 WHEN QUERY_TYPE_PRETTY IS NULL THEN 400300 ELSE 400399 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Microsoft/Windows Events/4624/4624_0.event b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4624/4624_0.event similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4624/4624_0.event rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4624/4624_0.event diff --git a/mappings/markdown/Microsoft/Windows Events/4624/4624_0.json b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4624/4624_0.json similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4624/4624_0.json rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4624/4624_0.json diff --git a/mappings/markdown/Microsoft/Windows Events/4624/README.md b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4624/README.md similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4624/README.md rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4624/README.md diff --git a/mappings/markdown/Microsoft/Windows Events/4625/4625_0.event b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4625/4625_0.event similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4625/4625_0.event rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4625/4625_0.event diff --git a/mappings/markdown/Microsoft/Windows Events/4625/4625_0.json b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4625/4625_0.json similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4625/4625_0.json rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4625/4625_0.json 
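Review bot: `rcode_id` in the windows-dns-debug-logs dns_activity dossier above maps RESPONSE_CODE 'NXDOMAIN' to 100, which is not an OCSF rcode_id value, while the paired `rcode` CASE only has `WHEN 3 THEN 'NXDomain'`; every NXDOMAIN response therefore lands with rcode_id 100 and rcode NULL. Change the 100 to 3 in both expressions. Two further points: `action_id` is derived from AUTHORITATIVE_ANSWER, but a non-authoritative (recursive or cached) answer is not a denied query, so 'FALSE' should not become 'Denied' (0 'Unknown' fits better, with authoritativeness belonging in the answer flags); and `dst_endpoint.ip` is always REMOTE_IP although `connection_info.direction_id` in the same table marks 'Rcv' packets as Inbound, for which REMOTE_IP is the querying client and should populate `src_endpoint.ip` instead.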
diff --git a/mappings/markdown/Microsoft/Windows Events/4625/README.md b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4625/README.md similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4625/README.md rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4625/README.md diff --git a/mappings/markdown/Microsoft/Windows Events/4661/4661.event b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4661/4661.event similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4661/4661.event rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4661/4661.event diff --git a/mappings/markdown/Microsoft/Windows Events/4661/4661.json b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4661/4661.json similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4661/4661.json rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4661/4661.json diff --git a/mappings/markdown/Microsoft/Windows Events/4661/README.md b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4661/README.md similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4661/README.md rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4661/README.md diff --git a/mappings/markdown/Microsoft/Windows Events/4663/4663_0.event b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4663/4663_0.event similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4663/4663_0.event rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4663/4663_0.event diff --git a/mappings/markdown/Microsoft/Windows Events/4663/4663_0.json b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4663/4663_0.json similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4663/4663_0.json rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4663/4663_0.json 
diff --git a/mappings/markdown/Microsoft/Windows Events/4663/README.md b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4663/README.md similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4663/README.md rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4663/README.md diff --git a/mappings/markdown/Microsoft/Windows Events/4673/4673_0.event b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4673/4673_0.event similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4673/4673_0.event rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4673/4673_0.event diff --git a/mappings/markdown/Microsoft/Windows Events/4673/4673_0.json b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4673/4673_0.json similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4673/4673_0.json rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4673/4673_0.json diff --git a/mappings/markdown/Microsoft/Windows Events/4673/README.md b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4673/README.md similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4673/README.md rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4673/README.md diff --git a/mappings/markdown/Microsoft/Windows Events/4688/4688_0.event b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4688/4688_0.event similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4688/4688_0.event rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4688/4688_0.event diff --git a/mappings/markdown/Microsoft/Windows Events/4688/4688_0.json b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4688/4688_0.json similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4688/4688_0.json rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4688/4688_0.json 
diff --git a/mappings/markdown/Microsoft/Windows Events/4688/README.md b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4688/README.md similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4688/README.md rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4688/README.md diff --git a/mappings/markdown/Microsoft/Windows Events/4689/4689_0.event b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4689/4689_0.event similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4689/4689_0.event rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4689/4689_0.event diff --git a/mappings/markdown/Microsoft/Windows Events/4689/4689_0.json b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4689/4689_0.json similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4689/4689_0.json rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4689/4689_0.json diff --git a/mappings/markdown/Microsoft/Windows Events/4689/README.md b/mappings/markdown/Microsoft/windows-event-log/1.0.0/4689/README.md similarity index 100% rename from mappings/markdown/Microsoft/Windows Events/4689/README.md rename to mappings/markdown/Microsoft/windows-event-log/1.0.0/4689/README.md diff --git a/mappings/markdown/Microsoft/windows-event-log/1.1.0/universal-wel/dns_activity/README.md b/mappings/markdown/Microsoft/windows-event-log/1.1.0/universal-wel/dns_activity/README.md new file mode 100644 index 00000000..8834ae07 --- /dev/null +++ b/mappings/markdown/Microsoft/windows-event-log/1.1.0/universal-wel/dns_activity/README.md 
@@ -0,0 +1,55 @@ +# Event Dossier: Universal Wel to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `windows-event-log` +* Product name: `universal-wel` +* Event codes: `PROVIDER ilike '%Microsoft-Windows-Dns-Client%' AND EVENT_ID IN (3006, 3016, 3009, 3010, 3019, 3012, 3013, 3008, 3018, 3020, 3011, 3014, 3007)` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```CASE WHEN RAW:Message IS NULL THEN 0 WHEN RAW:Message ILIKE '%response%' THEN 2 WHEN RAW:Message ILIKE '%query%' AND RAW:Message NOT ILIKE '%response%' THEN 1 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN RAW:Message IS NULL THEN 0 WHEN RAW:Message ILIKE '%response%' THEN 2 WHEN RAW:Message ILIKE '%query%' AND RAW:Message NOT ILIKE '%response%' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.process.pid | ```RAW:ExecutionProcessID::NUMBER``` | +| actor.process.tid | ```RAW:ExecutionThreadID::NUMBER``` | +| actor.user.account.name | ```RAW:AccountName::VARCHAR``` | +| actor.user.uid | ```RAW:UserID::VARCHAR``` | +| answers | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT('rdata', REGEXP_SUBSTR(RAW:QueryResults, '[a-zA-Z0-9-]+(\\.[a-zA-Z0-9-]+){1,}|\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}')))::VARIANT``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| device.domain | ```RAW:Domain::VARCHAR``` | +| device.hostname | ```MACHINE_NAME::VARCHAR``` | +| disposition | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 
THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```99::NUMBER``` | +| dst_endpoint.ip | ```MESSAGE_DETAILS:dns_server_ip::VARCHAR``` | +| end_time | ```date_part('epoch_milliseconds', RAW:EventReceivedTime::TIMESTAMP_LTZ)``` | +| end_time_dt | ```RAW:EventReceivedTime::TIMESTAMP_LTZ``` | +| message | ```RAW:Message::VARCHAR``` | +| metadata.event_code | ```event_id``` | +| metadata.product.name | ```'universal-wel'``` | +| metadata.product.vendor_name | ```'windows-event-log'``` | +| metadata.version | ```'1.1.0'``` | +| query.hostname | ```MESSAGE_DETAILS:queried_domain::VARCHAR``` | +| query.opcode | ```RAW:Opcode::VARCHAR``` | +| query.opcode_id | ```RAW:OpcodeValue::NUMBER``` | +| query.type | ```MESSAGE_DETAILS:type::VARCHAR``` | +| rcode | ```CASE (CASE WHEN RAW:ResponseStatus::NUMBER BETWEEN 0 AND 11 THEN RAW:ResponseStatus::NUMBER WHEN RAW:ResponseStatus::NUMBER BETWEEN 16 AND 23 THEN RAW:ResponseStatus::NUMBER WHEN RAW:ResponseStatus::NUMBER BETWEEN 12 AND 15 THEN 24 WHEN RAW:ResponseStatus::NUMBER BETWEEN 24 AND 3840 THEN 24 WHEN RAW:ResponseStatus::NUMBER BETWEEN 4096 AND 65534 THEN 24 WHEN RAW:ResponseStatus::NUMBER BETWEEN 3841 AND 4095 THEN 25 WHEN RAW:ResponseStatus::NUMBER = 65535 THEN 25 ELSE 99 END::NUMBER) WHEN 0 THEN 'NoError' WHEN 1 THEN 'FormError' WHEN 10 THEN 'NotZone' WHEN 11 THEN 'DSOTYPENI' WHEN 16 THEN 'BADSIG_VERS' WHEN 17 THEN 'BADKEY' WHEN 18 
THEN 'BADTIME' WHEN 19 THEN 'BADMODE' WHEN 2 THEN 'ServError' WHEN 20 THEN 'BADNAME' WHEN 21 THEN 'BADALG' WHEN 22 THEN 'BADTRUNC' WHEN 23 THEN 'BADCOOKIE' WHEN 24 THEN 'Unassigned' WHEN 25 THEN 'Reserved' WHEN 3 THEN 'NXDomain' WHEN 4 THEN 'NotImp' WHEN 5 THEN 'Refused' WHEN 6 THEN 'YXDomain' WHEN 7 THEN 'YXRRSet' WHEN 8 THEN 'NXRRSet' WHEN 9 THEN 'NotAuth' WHEN 99 THEN 'Other' END``` | +| rcode_id | ```CASE WHEN RAW:ResponseStatus::NUMBER BETWEEN 0 AND 11 THEN RAW:ResponseStatus::NUMBER WHEN RAW:ResponseStatus::NUMBER BETWEEN 16 AND 23 THEN RAW:ResponseStatus::NUMBER WHEN RAW:ResponseStatus::NUMBER BETWEEN 12 AND 15 THEN 24 WHEN RAW:ResponseStatus::NUMBER BETWEEN 24 AND 3840 THEN 24 WHEN RAW:ResponseStatus::NUMBER BETWEEN 4096 AND 65534 THEN 24 WHEN RAW:ResponseStatus::NUMBER BETWEEN 3841 AND 4095 THEN 25 WHEN RAW:ResponseStatus::NUMBER = 65535 THEN 25 ELSE 99 END::NUMBER``` | +| severity | ```CASE (CASE WHEN RAW:Severity IS NULL THEN 0 WHEN RAW:Severity = 'INFO' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN RAW:Severity IS NULL THEN 0 WHEN RAW:Severity = 'INFO' THEN 1 ELSE 99 END::NUMBER``` | +| src_endpoint.interface_name | ```RAW:AdapterName::VARCHAR``` | +| src_endpoint.interface_uid | ```RAW:InterfaceIndex::VARCHAR``` | +| src_endpoint.ip | ```MESSAGE_DETAILS:local_addresses[0]::VARCHAR``` | +| status_code | ```RAW:QueryStatus::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((400300 + (CASE WHEN RAW:Message IS NULL THEN 0 WHEN RAW:Message ILIKE '%response%' THEN 2 WHEN RAW:Message ILIKE '%query%' AND RAW:Message NOT ILIKE '%response%' THEN 1 ELSE 99 END))::NUMBER) WHEN 400300 THEN 'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 
THEN 'DNS Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' WHEN 400399 THEN 'DNS Activity: Other' END``` | +| type_uid | ```(400300 + (CASE WHEN RAW:Message IS NULL THEN 0 WHEN RAW:Message ILIKE '%response%' THEN 2 WHEN RAW:Message ILIKE '%query%' AND RAW:Message NOT ILIKE '%response%' THEN 1 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Microsoft/windows-event-log/1.1.0/universal-wel/registry_key_activity/README.md b/mappings/markdown/Microsoft/windows-event-log/1.1.0/universal-wel/registry_key_activity/README.md new file mode 100644 index 00000000..891555c3 --- /dev/null +++ b/mappings/markdown/Microsoft/windows-event-log/1.1.0/universal-wel/registry_key_activity/README.md 
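Review bot: in the universal-wel dns_activity dossier, the rcode_id expression treats RAW:ResponseStatus as a wire RCODE, but the Windows DNS client reports query outcomes as Win32 DNS status codes (0 for success, then 9001 and up for the RCODEs, e.g. DNS_ERROR_RCODE_NAME_ERROR = 9003, plus DNS_INFO_NO_RECORDS = 9501), so if ResponseStatus holds those codes an NXDOMAIN answer falls into the BETWEEN 4096 AND 65534 branch and is labelled 'Unassigned', while status_code carries the untranslated RAW:QueryStatus. Normalise before the lookup (0 → 0, 9001 to 9005 minus the 9000 base → FormError through Refused, 9501 → NoError) and state in the dossier which of QueryStatus/ResponseStatus is the authoritative outcome. Separately, answers wraps a single REGEXP_SUBSTR match in ARRAY_CONSTRUCT, so the array never holds more than one record even when QueryResults lists several; REGEXP_SUBSTR_ALL (or SPLIT on the separator QueryResults uses between records) followed by a per-element OBJECT_CONSTRUCT keeps every answer, and the current pattern matches neither IPv6 rdata nor the record type.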
@@ -0,0 +1,49 @@ +# Event Dossier: Universal Wel to OCSF class Win/registry Key Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `registry_key_activity` +* Vendor name: `windows-event-log` +* Product name: `universal-wel` +* Event codes: `raw:Category = 'Registry' AND EVENT_ID = 4663` +--- + +| OCSF | RAW | +| --- | --- | +| access_mask | ```TO_NUMBER(SUBSTRING(RAW:AccessMask, 3), 'XX')::NUMBER``` | +| action | ```CASE (CASE WHEN AUDIT_SUCCESS IS NULL THEN 0 WHEN AUDIT_SUCCESS = TRUE THEN 1 WHEN AUDIT_SUCCESS = FALSE THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN AUDIT_SUCCESS IS NULL THEN 0 WHEN AUDIT_SUCCESS = TRUE THEN 1 WHEN AUDIT_SUCCESS = FALSE THEN 2 ELSE 99 END::NUMBER``` | +| activity_id | ```99::NUMBER``` | +| activity_name | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Create' WHEN 2 THEN 'Read' WHEN 3 THEN 'Modify' WHEN 4 THEN 'Delete' WHEN 5 THEN 'Rename' WHEN 6 THEN 'Set Security' WHEN 7 THEN 'Restore' WHEN 8 THEN 'Import' WHEN 9 THEN 'Export' WHEN 99 THEN 'Other' END``` | +| actor.process.file.name | ```MESSAGE_DETAILS:process_information:process_name::VARCHAR``` | +| actor.process.pid | ```RAW:ExecutionProcessID::NUMBER``` | +| actor.process.tid | ```RAW:ExecutionThreadID::NUMBER``` | +| actor.process.uid | ```MESSAGE_DETAILS:process_information:process_id::VARCHAR``` | +| actor.user.account.name | ```MESSAGE_DETAILS:subject:account_name::VARCHAR``` | +| actor.user.domain | ```MESSAGE_DETAILS:subject:account_domain::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'win/registry_key_activity'``` | +| class_uid | ```201001``` | +| device.hostname | ```MACHINE_NAME::VARCHAR``` | +| device.ip | ```RAW:MessageSourceAddress::VARCHAR``` | +| disposition | 
```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```99::NUMBER``` | +| end_time | ```date_part('epoch_milliseconds', to_varchar(RAW:EventReceivedTime::TIMESTAMP_LTZ, 'YYYY-MM-DD"T"HH24:MI:SS.FF3"Z"')::TIMESTAMP_LTZ)``` | +| end_time_dt | ```to_varchar(RAW:EventReceivedTime::TIMESTAMP_LTZ, 'YYYY-MM-DD"T"HH24:MI:SS.FF3"Z"')``` | +| message | ```RAW:Message::VARCHAR``` | +| metadata.event_code | ```event_id``` | +| metadata.product.name | ```'universal-wel'``` | +| metadata.product.vendor_name | ```'windows-event-log'``` | +| metadata.version | ```'1.1.0'``` | +| reg_key.path | ```MESSAGE_DETAILS:object:object_name::VARCHAR``` | +| severity | ```CASE (CASE WHEN RAW:Severity IS NULL THEN 0 WHEN RAW:Severity = 'INFO' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN RAW:Severity IS NULL THEN 0 WHEN RAW:Severity = 'INFO' THEN 1 ELSE 99 END::NUMBER``` | +| status | ```CASE (CASE WHEN AUDIT_SUCCESS IS NULL THEN 0 WHEN AUDIT_SUCCESS = TRUE THEN 1 WHEN AUDIT_SUCCESS = FALSE THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| 
status_id | ```CASE WHEN AUDIT_SUCCESS IS NULL THEN 0 WHEN AUDIT_SUCCESS = TRUE THEN 1 WHEN AUDIT_SUCCESS = FALSE THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (20100199::NUMBER) WHEN 20100100 THEN 'Registry Key Activity: Unknown' WHEN 20100101 THEN 'Registry Key Activity: Create' WHEN 20100102 THEN 'Registry Key Activity: Read' WHEN 20100103 THEN 'Registry Key Activity: Modify' WHEN 20100104 THEN 'Registry Key Activity: Delete' WHEN 20100105 THEN 'Registry Key Activity: Rename' WHEN 20100106 THEN 'Registry Key Activity: Set Security' WHEN 20100107 THEN 'Registry Key Activity: Restore' WHEN 20100108 THEN 'Registry Key Activity: Import' WHEN 20100109 THEN 'Registry Key Activity: Export' WHEN 20100199 THEN 'Registry Key Activity: Other' END``` | +| type_uid | ```20100199::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Microsoft/windows-event-log/1.1.0/universal-wel/registry_value_activity/README.md b/mappings/markdown/Microsoft/windows-event-log/1.1.0/universal-wel/registry_value_activity/README.md new file mode 100644 index 00000000..48004c46 --- /dev/null +++ b/mappings/markdown/Microsoft/windows-event-log/1.1.0/universal-wel/registry_value_activity/README.md 
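Review bot: in the universal-wel registry_key_activity dossier, activity_id and type_uid are pinned to 99/20100199 ('Other') even though the same hunk already decodes access_mask from RAW:AccessMask, so every 4663 registry event is reported as activity 'Other' and a consumer cannot tell a read from a delete. The decoded mask is enough to populate the class's own activities (DELETE 0x10000 → Delete, KEY_CREATE_SUB_KEY 0x4 → Create, KEY_SET_VALUE 0x2 → Modify, KEY_QUERY_VALUE 0x1 → Read, WRITE_DAC 0x40000 → Set Security), with type_uid computed as 201001 * 100 + activity_id the way the other dossiers do. Two smaller points: TO_NUMBER(SUBSTRING(RAW:AccessMask, 3), 'XX') should be checked against masks wider than two hex digits (4663 commonly carries 0x20019 or 0x10000) and against values that lack the 0x prefix the SUBSTRING assumes; and end_time is round-tripped through to_varchar(..., '...FF3"Z"') while the dns_activity dossier casts RAW:EventReceivedTime directly, so the "Z" suffix labels a session-local TIMESTAMP_LTZ as UTC and end_time_dt ends up a string rather than a timestamp. The event-codes filter also writes raw:Category in lower case where every other expression uses RAW:.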
@@ -0,0 +1,53 @@ +# Event Dossier: Universal Wel to OCSF class Win/registry Value Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `registry_value_activity` +* Vendor name: `windows-event-log` +* Product name: `universal-wel` +* Event codes: `RAW:Category = 'Registry' AND EVENT_ID = 4657` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN AUDIT_SUCCESS IS NULL THEN 0 WHEN AUDIT_SUCCESS = true THEN 1 WHEN AUDIT_SUCCESS = false THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN AUDIT_SUCCESS IS NULL THEN 0 WHEN AUDIT_SUCCESS = true THEN 1 WHEN AUDIT_SUCCESS = false THEN 2 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN MESSAGE_DETAILS:object:operation_type IS NULL THEN 0 WHEN MESSAGE_DETAILS:object:operation_type ILIKE '%modified%' THEN 3 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN MESSAGE_DETAILS:object:operation_type IS NULL THEN 0 WHEN MESSAGE_DETAILS:object:operation_type ILIKE '%modified%' THEN 3 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Get' WHEN 2 THEN 'Set' WHEN 3 THEN 'Modify' WHEN 4 THEN 'Delete' WHEN 99 THEN 'Other' END``` | +| actor.process.file.path | ```MESSAGE_DETAILS:process_information:process_name::VARCHAR``` | +| actor.process.pid | ```RAW:ExecutionProcessID::NUMBER``` | +| actor.process.tid | ```RAW:ExecutionThreadID::NUMBER``` | +| actor.process.uid | ```MESSAGE_DETAILS:process_information:process_id::VARCHAR``` | +| actor.user.account.name | ```MESSAGE_DETAILS:subject:account_name::VARCHAR``` | +| actor.user.domain | ```MESSAGE_DETAILS:subject:account_domain::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'win/registry_value_activity'``` | +| class_uid | ```201002``` | +| device.hostname | 
```MACHINE_NAME::VARCHAR``` | +| device.ip | ```RAW:MessageSourceAddress::VARCHAR``` | +| disposition | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```99::NUMBER``` | +| end_time | ```date_part('epoch_milliseconds', to_varchar(RAW:EventReceivedTime::TIMESTAMP_LTZ, 'YYYY-MM-DD"T"HH24:MI:SS.FF3"Z"')::TIMESTAMP_LTZ)``` | +| end_time_dt | ```to_varchar(RAW:EventReceivedTime::TIMESTAMP_LTZ, 'YYYY-MM-DD"T"HH24:MI:SS.FF3"Z"')``` | +| message | ```RAW:Message::VARCHAR``` | +| metadata.event_code | ```event_id``` | +| metadata.product.name | ```'universal-wel'``` | +| metadata.product.vendor_name | ```'windows-event-log'``` | +| metadata.version | ```'1.1.0'``` | +| prev_reg_value.type | ```CASE (CASE WHEN MESSAGE_DETAILS:change_information:old_value_type IS NULL THEN 0 WHEN MESSAGE_DETAILS:change_information:old_value_type = 'REG_SZ' THEN 10 WHEN MESSAGE_DETAILS:change_information:old_value_type = 'REG_DWORD' THEN 2 WHEN MESSAGE_DETAILS:change_information:old_value_type = 'REG_BINARY' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'REG_BINARY' WHEN 10 THEN 'REG_SZ' WHEN 2 THEN 'REG_DWORD' WHEN 3 THEN 'REG_DWORD_BIG_ENDIAN' WHEN 4 THEN 'REG_EXPAND_SZ' WHEN 5 THEN 'REG_LINK' WHEN 6 THEN 'REG_MULTI_SZ' WHEN 7 THEN 'REG_NONE' WHEN 8 THEN 'REG_QWORD' WHEN 9 THEN 
'REG_QWORD_LITTLE_ENDIAN' WHEN 99 THEN 'Other' END``` | +| prev_reg_value.type_id | ```CASE WHEN MESSAGE_DETAILS:change_information:old_value_type IS NULL THEN 0 WHEN MESSAGE_DETAILS:change_information:old_value_type = 'REG_SZ' THEN 10 WHEN MESSAGE_DETAILS:change_information:old_value_type = 'REG_DWORD' THEN 2 WHEN MESSAGE_DETAILS:change_information:old_value_type = 'REG_BINARY' THEN 1 ELSE 99 END::NUMBER``` | +| reg_value.name | ```MESSAGE_DETAILS:object:object_value_name::VARCHAR``` | +| reg_value.path | ```MESSAGE_DETAILS:object:object_name::VARCHAR``` | +| reg_value.type | ```CASE (CASE WHEN MESSAGE_DETAILS:change_information:new_value_type IS NULL THEN 0 WHEN MESSAGE_DETAILS:change_information:new_value_type = 'REG_SZ' THEN 10 WHEN MESSAGE_DETAILS:change_information:new_value_type = 'REG_DWORD' THEN 2 WHEN MESSAGE_DETAILS:change_information:new_value_type = 'REG_BINARY' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'REG_BINARY' WHEN 10 THEN 'REG_SZ' WHEN 2 THEN 'REG_DWORD' WHEN 3 THEN 'REG_DWORD_BIG_ENDIAN' WHEN 4 THEN 'REG_EXPAND_SZ' WHEN 5 THEN 'REG_LINK' WHEN 6 THEN 'REG_MULTI_SZ' WHEN 7 THEN 'REG_NONE' WHEN 8 THEN 'REG_QWORD' WHEN 9 THEN 'REG_QWORD_LITTLE_ENDIAN' WHEN 99 THEN 'Other' END``` | +| reg_value.type_id | ```CASE WHEN MESSAGE_DETAILS:change_information:new_value_type IS NULL THEN 0 WHEN MESSAGE_DETAILS:change_information:new_value_type = 'REG_SZ' THEN 10 WHEN MESSAGE_DETAILS:change_information:new_value_type = 'REG_DWORD' THEN 2 WHEN MESSAGE_DETAILS:change_information:new_value_type = 'REG_BINARY' THEN 1 ELSE 99 END::NUMBER``` | +| severity | ```CASE (CASE WHEN RAW:Severity IS NULL THEN 0 WHEN RAW:Severity = 'INFO' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN RAW:Severity IS NULL THEN 0 WHEN RAW:Severity = 'INFO' THEN 1 ELSE 99 
END::NUMBER``` | +| status | ```CASE (CASE WHEN AUDIT_SUCCESS IS NULL THEN 0 WHEN AUDIT_SUCCESS = true THEN 1 WHEN AUDIT_SUCCESS = false THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN AUDIT_SUCCESS IS NULL THEN 0 WHEN AUDIT_SUCCESS = true THEN 1 WHEN AUDIT_SUCCESS = false THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((20100200 + (CASE WHEN MESSAGE_DETAILS:object:operation_type IS NULL THEN 0 WHEN MESSAGE_DETAILS:object:operation_type ILIKE '%modified%' THEN 3 ELSE 99 END))::NUMBER) WHEN 20100200 THEN 'Registry Value Activity: Unknown' WHEN 20100201 THEN 'Registry Value Activity: Get' WHEN 20100202 THEN 'Registry Value Activity: Set' WHEN 20100203 THEN 'Registry Value Activity: Modify' WHEN 20100204 THEN 'Registry Value Activity: Delete' WHEN 20100299 THEN 'Registry Value Activity: Other' END``` | +| type_uid | ```(20100200 + (CASE WHEN MESSAGE_DETAILS:object:operation_type IS NULL THEN 0 WHEN MESSAGE_DETAILS:object:operation_type ILIKE '%modified%' THEN 3 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Netiq/1.1.0/netiq-edirectory-audit/authentication/README.md b/mappings/markdown/Netiq/1.1.0/netiq-edirectory-audit/authentication/README.md new file mode 100644 index 00000000..2ee31d54 --- /dev/null +++ b/mappings/markdown/Netiq/1.1.0/netiq-edirectory-audit/authentication/README.md 
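Review bot: in the universal-wel registry_value_activity dossier, activity_id only recognises an operation_type containing 'modified' (→ 3) and sends everything else to 99, so the 4657 'New registry value created' and 'Registry value deleted' operations are reported as 'Other' although the class defines Set (2) and Delete (4) for them; add ILIKE '%created%' THEN 2 and ILIKE '%deleted%' THEN 4 branches to activity_id and to the two type_uid/type_name copies of the same expression. The value-type lookups are similarly narrow: only REG_SZ, REG_DWORD and REG_BINARY are translated, so REG_EXPAND_SZ, REG_MULTI_SZ and REG_QWORD become 'Other' despite appearing in the name table; a single name-to-id CASE covering the whole table would fix both prev_reg_value.type_id and reg_value.type_id. Also, this hunk maps MESSAGE_DETAILS:process_information:process_name to actor.process.file.path while the registry_key_activity dossier maps the same field to actor.process.file.name; 4657 and 4663 carry the full image path, so file.path is the right target in both.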
@@ -0,0 +1,43 @@ +# Event Dossier: Netiq Edirectory Audit to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `netiq` +* Product name: `netiq-edirectory-audit` +* Event codes: `EVENT_NAME in ('LOGIN')` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```CASE WHEN EVENT_NAME IS NULL THEN 0 WHEN EVENT_NAME = 'LOGIN' THEN 1 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN EVENT_NAME IS NULL THEN 0 WHEN EVENT_NAME = 'LOGIN' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| actor.user.name | ```SOURCE_USER::VARCHAR``` | +| api.service.name | ```SOURCE_SERVICE_NAME::VARCHAR``` | +| api.service.version | ```SOURCE_PROCESS::VARCHAR``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| device.hostname | ```DEVICE_HOST::VARCHAR``` | +| device.ip | ```DEVICE::VARCHAR``` | +| message | ```RAW:msg::VARCHAR``` | +| metadata.event_code | ```event_name``` | +| metadata.product.name | ```'netiq-edirectory-audit'``` | +| metadata.product.vendor_name | ```'netiq'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (RAW:severity::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```RAW:severity::NUMBER``` | +| src_endpoint.ip | ```COALESCE(RAW:src, SPLIT_PART(INTRUDER_ADDRESS, ':', 2))::VARCHAR``` | +| src_endpoint.port | ```RAW:spt::VARCHAR``` | +| start_time | ```date_part('epoch_milliseconds', RECEIVED_TIME::TIMESTAMP_LTZ)``` | 
+| start_time_dt | ```RECEIVED_TIME::TIMESTAMP_LTZ``` | +| status | ```CASE (CASE WHEN OUTCOME IS NULL THEN 0 WHEN OUTCOME = 'Success' THEN 1 WHEN OUTCOME = 'Failure' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN OUTCOME IS NULL THEN 0 WHEN OUTCOME = 'Success' THEN 1 WHEN OUTCOME = 'Failure' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', received_time::TIMESTAMP_LTZ)``` | +| time_dt | ```received_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (300200 + CASE WHEN EVENT_NAME IS NULL THEN 0 WHEN EVENT_NAME = 'LOGIN' THEN 1 ELSE 99 END::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```300200 + CASE WHEN EVENT_NAME IS NULL THEN 0 WHEN EVENT_NAME = 'LOGIN' THEN 1 ELSE 99 END::NUMBER``` | +| user.name | ```SOURCE_USER::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Okta/1.1.0/okta-logs/authentication/README.md b/mappings/markdown/Okta/1.1.0/okta-logs/authentication/README.md new file mode 100644 index 00000000..d7233b55 --- /dev/null +++ b/mappings/markdown/Okta/1.1.0/okta-logs/authentication/README.md 
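Review bot: in the netiq-edirectory-audit authentication dossier, severity_id passes RAW:severity straight through, but the surrounding RAW:msg, RAW:src and RAW:spt keys show the source is CEF, whose severity runs 0 to 10; values 7 to 10 fall outside the OCSF set (0 to 6 and 99), so severity resolves to NULL for exactly the highest-severity events. Map the CEF scale into OCSF buckets (for example 0 to 3 → Low, 4 to 6 → Medium, 7 to 8 → High, 9 to 10 → Critical, NULL → Unknown) rather than reusing the raw integer. Two smaller points: src_endpoint.port is cast to VARCHAR although the OCSF port attribute is an integer (RAW:spt::NUMBER, as the other numeric fields are cast), and api.service.version is populated from SOURCE_PROCESS, which is a process name rather than a version string.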
@@ -0,0 +1,73 @@ +# Event Dossier: Okta Logs to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `okta` +* Product name: `okta-logs` +* Event codes: `EVENT_TYPE ILIKE '%user.authentication%' OR EVENT_TYPE ILIKE '%user.mfa.okta_verify%' OR EVENT_TYPE IN ('user.session.start' , 'system.push.send_factor_verify_push')` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```IFF(EVENT_TYPE = 'user.authentication.slo', 2, 1)::NUMBER``` | +| activity_name | ```CASE (IFF(EVENT_TYPE = 'user.authentication.slo', 2, 1)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| actor.user.email_addr | ```ACTOR_ALTERNATE_ID::VARCHAR``` | +| actor.user.name | ```ACTOR_DISPLAY_NAME::VARCHAR``` | +| actor.user.type | ```CASE (CASE WHEN ACTOR_TYPE IS NULL THEN 0 WHEN ACTOR_TYPE = 'User' THEN 1 WHEN ACTOR_TYPE = 'SystemPrincipal' THEN 3 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'User' WHEN 2 THEN 'Admin' WHEN 3 THEN 'System' WHEN 99 THEN 'Other' END``` | +| actor.user.type_id | ```CASE WHEN ACTOR_TYPE IS NULL THEN 0 WHEN ACTOR_TYPE = 'User' THEN 1 WHEN ACTOR_TYPE = 'SystemPrincipal' THEN 3 ELSE 99 END::NUMBER``` | +| actor.user.uid | ```ACTOR_ID::VARCHAR``` | +| auth_protocol | ```CASE (CASE WHEN DEBUG_CONTEXT:debugData:signOnMode ILIKE '%OpenID%' THEN 4 WHEN DEBUG_CONTEXT:debugData:signOnMode ILIKE '%SAML%' THEN 5 WHEN EVENT_TYPE = 'user.authentication.auth_via_radius' THEN 10 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'NTLM' WHEN 10 THEN 'RADIUS' WHEN 2 THEN 'Kerberos' WHEN 3 THEN 'Digest' WHEN 4 THEN 'OpenID' WHEN 5 THEN 'SAML' WHEN 6 THEN 'OAUTH 2.0' WHEN 7 THEN 'PAP' WHEN 8 THEN 'CHAP' WHEN 9 THEN 'EAP' WHEN 99 THEN 'Other' END``` | +| auth_protocol_id | 
```CASE WHEN DEBUG_CONTEXT:debugData:signOnMode ILIKE '%OpenID%' THEN 4 WHEN DEBUG_CONTEXT:debugData:signOnMode ILIKE '%SAML%' THEN 5 WHEN EVENT_TYPE = 'user.authentication.auth_via_radius' THEN 10 ELSE 99 END::NUMBER``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| device.domain | ```SECURITY_CONTEXT:domain::VARCHAR``` | +| device.ip | ```CLIENT_IP_ADDRESS::VARCHAR``` | +| device.location.city | ```CLIENT_GEOGRAPHICAL_CONTEXT_CITY::VARCHAR``` | +| device.location.coordinates | ```ARRAY_CONSTRUCT(CLIENT_GEOGRAPHICAL_CONTEXT_GEOLOCATION:lon, CLIENT_GEOGRAPHICAL_CONTEXT_GEOLOCATION:lat)::ARRAY``` | +| device.location.country | ```CLIENT_GEOGRAPHICAL_CONTEXT_COUNTRY::VARCHAR``` | +| device.location.isp | ```SECURITY_CONTEXT:isp::VARCHAR``` | +| device.location.postal_code | ```CLIENT_GEOGRAPHICAL_CONTEXT_POSTAL_CODE::VARCHAR``` | +| device.org.name | ```SECURITY_CONTEXT:asOrg::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN CLIENT_USER_AGENT_OS ILIKE 'unknown' OR CLIENT_USER_AGENT_OS IS NULL THEN 0 WHEN CLIENT_USER_AGENT_OS ILIKE 'Windows%' THEN 100 WHEN CLIENT_USER_AGENT_OS IN ('Linux', 'Ubuntu') THEN 200 WHEN CLIENT_USER_AGENT_OS ILIKE 'Android%' THEN 201 WHEN CLIENT_USER_AGENT_OS ILIKE 'Mac%' THEN 300 WHEN CLIENT_USER_AGENT_OS ILIKE 'iOS%ipad%' THEN 302 WHEN CLIENT_USER_AGENT_OS ILIKE 'iOS%' THEN 301 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN CLIENT_USER_AGENT_OS ILIKE 'unknown' OR CLIENT_USER_AGENT_OS IS NULL THEN 0 WHEN CLIENT_USER_AGENT_OS ILIKE 'Windows%' THEN 100 WHEN CLIENT_USER_AGENT_OS IN ('Linux', 'Ubuntu') 
THEN 200 WHEN CLIENT_USER_AGENT_OS ILIKE 'Android%' THEN 201 WHEN CLIENT_USER_AGENT_OS ILIKE 'Mac%' THEN 300 WHEN CLIENT_USER_AGENT_OS ILIKE 'iOS%ipad%' THEN 302 WHEN CLIENT_USER_AGENT_OS ILIKE 'iOS%' THEN 301 ELSE 99 END::NUMBER``` | +| device.risk_level | ```CASE (CASE REGEXP_SUBSTR(DEBUG_CONTEXT:debugData:risk::VARCHAR, 'level=(\\w+)', 1, 1, 'e', 1) WHEN 'LOW' THEN 1 WHEN 'MEDIUM' THEN 2 WHEN 'HIGH' THEN 3 ELSE 0 END::NUMBER) WHEN 0 THEN 'Info' WHEN 1 THEN 'Low' WHEN 2 THEN 'Medium' WHEN 3 THEN 'High' WHEN 4 THEN 'Critical' END``` | +| device.risk_level_id | ```CASE REGEXP_SUBSTR(DEBUG_CONTEXT:debugData:risk::VARCHAR, 'level=(\\w+)', 1, 1, 'e', 1) WHEN 'LOW' THEN 1 WHEN 'MEDIUM' THEN 2 WHEN 'HIGH' THEN 3 ELSE 0 END::NUMBER``` | +| device.type | ```CASE (CASE WHEN CLIENT_DEVICE ILIKE 'unknown' OR CLIENT_DEVICE IS NULL THEN 0 WHEN CLIENT_DEVICE = 'Computer' THEN 2 WHEN CLIENT_DEVICE = 'Tablet' THEN 4 WHEN CLIENT_DEVICE = 'Mobile' THEN 5 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| device.type_id | ```CASE WHEN CLIENT_DEVICE ILIKE 'unknown' OR CLIENT_DEVICE IS NULL THEN 0 WHEN CLIENT_DEVICE = 'Computer' THEN 2 WHEN CLIENT_DEVICE = 'Tablet' THEN 4 WHEN CLIENT_DEVICE = 'Mobile' THEN 5 ELSE 99 END::NUMBER``` | +| device.uid | ```CLIENT_ID::VARCHAR``` | +| device.zone | ```CLIENT_ZONE::VARCHAR``` | +| http_request.uid | ```DEBUG_CONTEXT:debugData:requestId::VARCHAR``` | +| http_request.url.hostname | ```IFF(PARSE_URL(DEBUG_CONTEXT:debugData:origin, 1):error IS NULL, PARSE_URL(DEBUG_CONTEXT:debugData:origin, 1):host, NULL)::VARCHAR``` | +| http_request.url.path | ```SPLIT_PART(DEBUG_CONTEXT:debugData:url, '?', 1)::VARCHAR``` | +| http_request.url.port | ```IFF(PARSE_URL(DEBUG_CONTEXT:debugData:origin, 1):error 
IS NULL, PARSE_URL(DEBUG_CONTEXT:debugData:origin, 1):port, NULL)::VARCHAR``` | +| http_request.url.query_string | ```IFF(SPLIT_PART(DEBUG_CONTEXT:debugData:url, '?', -1) = '', NULL, SPLIT_PART(DEBUG_CONTEXT:debugData:url, '?', -1))::VARCHAR``` | +| http_request.url.scheme | ```IFF(PARSE_URL(DEBUG_CONTEXT:debugData:origin, 1):error IS NULL, PARSE_URL(DEBUG_CONTEXT:debugData:origin, 1):scheme, NULL)::VARCHAR``` | +| http_request.user_agent | ```CLIENT_USER_AGENT_RAW_USER_AGENT::VARCHAR``` | +| logon_process.uid | ```UUID::VARCHAR``` | +| message | ```DISPLAY_MESSAGE::VARCHAR``` | +| metadata.event_code | ```event_type``` | +| metadata.product.name | ```'okta-logs'``` | +| metadata.product.vendor_name | ```'okta'``` | +| metadata.version | ```'1.1.0'``` | +| session.uid | ```AUTHENTICATION_CONTEXT:externalSessionId::VARCHAR``` | +| severity | ```CASE (CASE WHEN SEVERITY IS NULL THEN 0 WHEN SEVERITY = 'INFO' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN SEVERITY IS NULL THEN 0 WHEN SEVERITY = 'INFO' THEN 1 ELSE 99 END::NUMBER``` | +| start_time | ```date_part('epoch_milliseconds', PUBLISHED::TIMESTAMP_LTZ)``` | +| start_time_dt | ```to_varchar(PUBLISHED::TIMESTAMP_LTZ, 'YYYY-MM-DD"T"HH24:MI:SS.FF3"Z"')``` | +| status | ```CASE (CASE WHEN OUTCOME_RESULT IS NULL THEN 0 WHEN OUTCOME_RESULT = 'SUCCESS' THEN 1 WHEN OUTCOME_RESULT = 'FAILURE' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_detail | ```OUTCOME_REASON::VARCHAR``` | +| status_id | ```CASE WHEN OUTCOME_RESULT IS NULL THEN 0 WHEN OUTCOME_RESULT = 'SUCCESS' THEN 1 WHEN OUTCOME_RESULT = 'FAILURE' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', published::TIMESTAMP_LTZ)``` | +| time_dt | 
```to_varchar(published::TIMESTAMP_LTZ, 'YYYY-MM-DD"T"HH24:MI:SS.FF3"Z"')``` | +| type_name | ```CASE (CASE WHEN SEVERITY IS NULL THEN 300200 WHEN SEVERITY = 'INFO' THEN 300201 ELSE 300299 END::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```CASE WHEN SEVERITY IS NULL THEN 300200 WHEN SEVERITY = 'INFO' THEN 300201 ELSE 300299 END::NUMBER``` | +| user.email_addr | ```ACTOR_ALTERNATE_ID::VARCHAR``` | +| user.name | ```ACTOR_DISPLAY_NAME::VARCHAR``` | +| user.type | ```CASE (CASE WHEN ACTOR_TYPE IS NULL THEN 0 WHEN ACTOR_TYPE = 'User' THEN 1 WHEN ACTOR_TYPE = 'SystemPrincipal' THEN 3 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'User' WHEN 2 THEN 'Admin' WHEN 3 THEN 'System' WHEN 99 THEN 'Other' END``` | +| user.type_id | ```CASE WHEN ACTOR_TYPE IS NULL THEN 0 WHEN ACTOR_TYPE = 'User' THEN 1 WHEN ACTOR_TYPE = 'SystemPrincipal' THEN 3 ELSE 99 END::NUMBER``` | +| user.uid | ```ACTOR_ID::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/OneLogin/1.1.0/onelogin-events/authentication/README.md b/mappings/markdown/OneLogin/1.1.0/onelogin-events/authentication/README.md new file mode 100644 index 00000000..fd773c59 --- /dev/null +++ b/mappings/markdown/OneLogin/1.1.0/onelogin-events/authentication/README.md 
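Review bot: in the okta-logs authentication dossier, type_uid and type_name are derived from SEVERITY (NULL → 300200, 'INFO' → 300201, else 300299) instead of from activity_id, so a user.authentication.slo logoff logged at INFO is typed 'Authentication: Logon' and any WARN or ERROR logon becomes 'Authentication: Other'; the other dossiers compute type_uid as class_uid * 100 + activity_id, which here is 300200 + IFF(EVENT_TYPE = 'user.authentication.slo', 2, 1). Also, CLIENT_IP_ADDRESS is mapped to device.ip and the hunk has no src_endpoint at all, whereas the netiq, onelogin and oracle dossiers put the client address in src_endpoint.ip; a detection that joins on src_endpoint.ip across sources will silently miss Okta. Minor: start_time_dt and time_dt are to_varchar(..., '...FF3"Z"') renderings of a TIMESTAMP_LTZ, so the Z suffix asserts UTC for a session-local time and the _dt fields are strings, unlike time_dt elsewhere in the patch.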
@@ -0,0 +1,39 @@ +# Event Dossier: Onelogin Events to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `OneLogin` +* Product name: `onelogin-events` +* Event codes: `EVENT_TYPE_ID IN (5, 6)` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| actor.user.account.uid | ```ACCOUNT_ID::VARCHAR``` | +| actor.user.name | ```COALESCE(ACTOR_USER_NAME, ACTOR_SYSTEM)::VARCHAR``` | +| actor.user.uid | ```COALESCE(ACTOR_USER_ID, ASSUMING_ACTING_USER_ID)::VARCHAR``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| device.name | ```OTP_DEVICE_NAME::VARCHAR``` | +| device.uid | ```OTP_DEVICE_ID::VARCHAR``` | +| http_request.user_agent | ```USER_AGENT::VARCHAR``` | +| metadata.product.name | ```'onelogin-events'``` | +| metadata.product.vendor_name | ```'OneLogin'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```IPADDR::VARCHAR``` | +| src_endpoint.uid | ```RAW:event:client_id::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (300201::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: 
Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```300201::NUMBER``` | +| user.name | ```USER_NAME::VARCHAR``` | +| user.uid | ```USER_ID::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Oracle/1.1.0/oracle-audit-logs/authentication/README.md b/mappings/markdown/Oracle/1.1.0/oracle-audit-logs/authentication/README.md new file mode 100644 index 00000000..daaa6cba --- /dev/null +++ b/mappings/markdown/Oracle/1.1.0/oracle-audit-logs/authentication/README.md 
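Review bot: the onelogin-events authentication dossier maps no status or status_id, so a consumer cannot tell a successful logon from a failed one even though the selector EVENT_TYPE_ID IN (5, 6) admits two distinct event types; if the two ids differ in outcome, derive status_id from EVENT_TYPE_ID (keeping activity_id = 1 for both), and add metadata.event_code (EVENT_TYPE_ID) so the raw code survives the way event_id and event_type do in the other dossiers.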
@@ -0,0 +1,56 @@ +# Event Dossier: Oracle Audit Logs to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `oracle` +* Product name: `oracle-audit-logs` +* Event codes: `EVENT_NAME in ('InteractiveLogin', 'ReceiveSamlSpSsoResonse')` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| api.group.uid | ```EVENT_GROUPING_ID::VARCHAR``` | +| api.operation | ```ACTION::VARCHAR``` | +| api.response.code | ```STATUS::NUMBER``` | +| api.response.data | ```RESPONSE::VARIANT``` | +| api.response.message | ```MESSAGE::VARCHAR``` | +| auth_protocol | ```CASE (CASE WHEN ADDITIONAL_DETAILS:ssoIdentityProviderType = 'SAML' THEN 5 WHEN ADDITIONAL_DETAILS:ssoIdentityProviderType IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'NTLM' WHEN 10 THEN 'RADIUS' WHEN 2 THEN 'Kerberos' WHEN 3 THEN 'Digest' WHEN 4 THEN 'OpenID' WHEN 5 THEN 'SAML' WHEN 6 THEN 'OAUTH 2.0' WHEN 7 THEN 'PAP' WHEN 8 THEN 'CHAP' WHEN 9 THEN 'EAP' WHEN 99 THEN 'Other' END``` | +| auth_protocol_id | ```CASE WHEN ADDITIONAL_DETAILS:ssoIdentityProviderType = 'SAML' THEN 5 WHEN ADDITIONAL_DETAILS:ssoIdentityProviderType IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| cloud.account.uid | ```TENANT_ID::VARCHAR``` | +| cloud.provider | ```'Oracle'::VARCHAR``` | +| cloud.region | ```AVAILABILITY_DOMAIN::VARCHAR``` | +| http_request.http_method | ```CASE WHEN ACTION = 'CONNECT' THEN 'CONNECT' WHEN ACTION = 'DELETE' 
THEN 'DELETE' WHEN ACTION = 'GET' THEN 'GET' WHEN ACTION = 'HEAD' THEN 'HEAD' WHEN ACTION = 'OPTIONS' THEN 'OPTIONS' WHEN ACTION = 'POST' THEN 'POST' WHEN ACTION = 'PUT' THEN 'PUT' WHEN ACTION = 'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` | +| http_request.uid | ```REQUEST_ID::VARCHAR``` | +| http_request.url.path | ```REQUEST_PATH::VARCHAR``` | +| http_request.user_agent | ```USER_AGENT::VARCHAR``` | +| logon_type | ```CASE (3::NUMBER) WHEN 0 THEN 'System' WHEN 10 THEN 'Remote Interactive' WHEN 11 THEN 'Cached Interactive' WHEN 12 THEN 'Cached Remote Interactive' WHEN 13 THEN 'Cached Unlock' WHEN 2 THEN 'Interactive' WHEN 3 THEN 'Network' WHEN 4 THEN 'Batch' WHEN 5 THEN 'OS Service' WHEN 7 THEN 'Unlock' WHEN 8 THEN 'Network Cleartext' WHEN 9 THEN 'New Credentials' WHEN 99 THEN 'Other' END``` | +| logon_type_id | ```3::NUMBER``` | +| message | ```MESSAGE::VARCHAR``` | +| metadata.event_code | ```event_type``` | +| metadata.logged_time | ```date_part('epoch_milliseconds', to_varchar(INGESTED_TIME::TIMESTAMP_LTZ, 'YYYY-MM-DD"T"HH24:MI:SS.FF3"Z"')::TIMESTAMP_LTZ)``` | +| metadata.logged_time_dt | ```to_varchar(INGESTED_TIME::TIMESTAMP_LTZ, 'YYYY-MM-DD"T"HH24:MI:SS.FF3"Z"')``` | +| metadata.product.name | ```'oracle-audit-logs'``` | +| metadata.product.vendor_name | ```'oracle'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```IP_ADDRESS::VARCHAR``` | +| status | ```CASE (CASE WHEN STATUS ILIKE '2%%' THEN 1 WHEN STATUS ILIKE '3%%' THEN 2 WHEN STATUS ILIKE '4%%' THEN 2 WHEN STATUS ILIKE '5%%' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN STATUS ILIKE '2%%' THEN 1 WHEN STATUS ILIKE '3%%' THEN 2 WHEN 
STATUS ILIKE '4%%' THEN 2 WHEN STATUS ILIKE '5%%' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', time::TIMESTAMP_LTZ)``` | +| time_dt | ```time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (300201::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```300201::NUMBER``` | +| user.credential_uid | ```CREDENTIALS::VARCHAR``` | +| user.domain | ```ADDITIONAL_DETAILS:domainName::VARCHAR``` | +| user.email_addr | ```ADDITIONAL_DETAILS:actorName::VARCHAR``` | +| user.name | ```ADDITIONAL_DETAILS:actorDisplayName::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Oracle/1.1.0/oracle-service-logs/http_activity/README.md b/mappings/markdown/Oracle/1.1.0/oracle-service-logs/http_activity/README.md new file mode 100644 index 00000000..8b9a163c --- /dev/null +++ b/mappings/markdown/Oracle/1.1.0/oracle-service-logs/http_activity/README.md 
@@ -0,0 +1,73 @@ +# Event Dossier: Oracle Service Logs to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `oracle` +* Product name: `oracle-service-logs` +* Event codes: `event_type = 'com.oraclecloud.loadbalancer.waf'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION = 'allow' THEN 1 WHEN ACTION = 'block' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION = 'allow' THEN 1 WHEN ACTION = 'block' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN RAW:data:request:method = 'CONNECT' THEN 1 WHEN RAW:data:request:method = 'DELETE' THEN 2 WHEN RAW:data:request:method = 'GET' THEN 3 WHEN RAW:data:request:method = 'HEAD' THEN 4 WHEN RAW:data:request:method = 'OPTIONS' THEN 5 WHEN RAW:data:request:method = 'POST' THEN 6 WHEN RAW:data:request:method = 'PUT' THEN 7 WHEN RAW:data:request:method = 'TRACE' THEN 8 WHEN RAW:data:request:method IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN RAW:data:request:method = 'CONNECT' THEN 1 WHEN RAW:data:request:method = 'DELETE' THEN 2 WHEN RAW:data:request:method = 'GET' THEN 3 WHEN RAW:data:request:method = 'HEAD' THEN 4 WHEN RAW:data:request:method = 'OPTIONS' THEN 5 WHEN RAW:data:request:method = 'POST' THEN 6 WHEN RAW:data:request:method = 'PUT' THEN 7 WHEN RAW:data:request:method = 'TRACE' THEN 8 WHEN RAW:data:request:method IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | 
```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| cloud.account.uid | ```TENANT_ID::VARCHAR``` | +| cloud.org.name | ```'Oracle'::VARCHAR``` | +| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```1::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(RAW:data:clientAddr, 'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(RAW:data:clientAddr, 'INET'):family::NUMBER``` | +| connection_info.uid | ```ID::VARCHAR``` | +| disposition | ```CASE (CASE WHEN ACTION = 'allow' THEN 1 WHEN ACTION = 'block' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```CASE WHEN ACTION = 'allow' THEN 1 WHEN ACTION = 'block' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| dst_endpoint.hostname | ```RAW:data:responseProvider::VARCHAR``` | +| dst_endpoint.ip | ```IFF(RAW:data:responseProvider ILIKE '%%:%%', SPLIT_PART(RAW:data:responseProvider, ':', 1), NULL)::VARCHAR``` | +| 
dst_endpoint.port | ```IFF(RAW:data:responseProvider ILIKE '%%:%%', SPLIT_PART(RAW:data:responseProvider, ':', 2), NULL)::VARCHAR``` | +| firewall_rule.match_details | ```RAW:data:requestProtection:matchedRules::VARCHAR``` | +| firewall_rule.uid | ```RAW:data:requestProtection:matchedIds::VARCHAR``` | +| http_cookies.http_only | ```IFF(RAW:data:request:cookie IS NOT NULL AND RAW:data:request:cookie ILIKE '%%httponly;%%','true', 'false')::BOOLEAN``` | +| http_cookies.is_secure | ```IFF(RAW:data:request:cookie IS NOT NULL AND RAW:data:request:cookie ILIKE '%%secure;%%','true', 'false')::BOOLEAN``` | +| http_cookies.value | ```RAW:data:request:cookie::VARCHAR``` | +| http_request.http_method | ```CASE WHEN RAW:data:request:method = 'CONNECT' THEN 'CONNECT' WHEN RAW:data:request:method = 'DELETE' THEN 'DELETE' WHEN RAW:data:request:method = 'GET' THEN 'GET' WHEN RAW:data:request:method = 'HEAD' THEN 'HEAD' WHEN RAW:data:request:method = 'OPTIONS' THEN 'OPTIONS' WHEN RAW:data:request:method = 'POST' THEN 'POST' WHEN RAW:data:request:method = 'PUT' THEN 'PUT' WHEN RAW:data:request:method = 'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` | +| http_request.uid | ```RAW:data:request:id::VARCHAR``` | +| http_request.url.path | ```SPLIT_PART(RAW:data:request:path, '?', 1)::VARCHAR``` | +| http_request.url.port | ```RAW:data:listenerPort::VARCHAR``` | +| http_request.url.query_string | ```SPLIT_PART(RAW:data:request:path, '?', 2)::VARCHAR``` | +| http_request.url.scheme | ```REGEXP_SUBSTR(RAW:data:request:httpVersion, '^([a-zA-Z]+)')::VARCHAR``` | +| http_request.url.url_string | ```RAW:data:request:path::VARCHAR``` | +| http_request.user_agent | ```RAW:data:request:agent::VARCHAR``` | +| http_request.version | ```REGEXP_SUBSTR(RAW:data:request:httpVersion, '([0-9\.]+)')::VARCHAR``` | +| http_response.code | ```RAW:data:response:code::NUMBER``` | +| http_response.content_type | ```RAW:data:response:contentType::VARCHAR``` | +| http_response.length | 
```RAW:data:response:size::NUMBER``` | +| http_status | ```RAW:data:response:code::NUMBER``` | +| metadata.event_code | ```EVENT_TYPE``` | +| metadata.log_version | ```SPEC_VERSION::VARCHAR``` | +| metadata.product.name | ```'oracle-service-logs'``` | +| metadata.product.vendor_name | ```'oracle'``` | +| metadata.version | ```'1.1.0'``` | +| proxy_endpoint.hostname | ```RAW:data:host::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```RAW:data:clientAddr::VARCHAR``` | +| src_endpoint.location.country | ```RAW:data:countryCode::VARCHAR``` | +| src_endpoint.name | ```SOURCE::VARCHAR``` | +| src_endpoint.port | ```RAW:data:listenerPort::VARCHAR``` | +| start_time | ```date_part('epoch_milliseconds', INGESTED_TIME::VARCHAR::TIMESTAMP_LTZ)``` | +| start_time_dt | ```INGESTED_TIME::VARCHAR::TIMESTAMP_LTZ``` | +| status | ```CASE (CASE WHEN RAW:data:response:code ILIKE '2%%' THEN 1 WHEN RAW:data:response:code ILIKE '4%%' THEN 2 WHEN RAW:data:response:code ILIKE '5%%' THEN 2 WHEN RAW:data:response:code IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN RAW:data:response:code ILIKE '2%%' THEN 1 WHEN RAW:data:response:code ILIKE '4%%' THEN 2 WHEN RAW:data:response:code ILIKE '5%%' THEN 2 WHEN RAW:data:response:code IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', time::TIMESTAMP_LTZ)``` | +| time_dt | ```time::TIMESTAMP_LTZ``` | +| traffic.bytes_in | ```RAW:data:response:size::NUMBER``` | +| type_name | ```CASE (CASE WHEN RAW:data:request:method = 'CONNECT' THEN 400201 WHEN RAW:data:request:method = 'DELETE' THEN 400202 WHEN RAW:data:request:method = 'GET' THEN 400203 WHEN RAW:data:request:method = 
'HEAD' THEN 400204 WHEN RAW:data:request:method = 'OPTIONS' THEN 400205 WHEN RAW:data:request:method = 'POST' THEN 400206 WHEN RAW:data:request:method = 'PUT' THEN 400207 WHEN RAW:data:request:method = 'TRACE' THEN 400208 WHEN RAW:data:request:method IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN RAW:data:request:method = 'CONNECT' THEN 400201 WHEN RAW:data:request:method = 'DELETE' THEN 400202 WHEN RAW:data:request:method = 'GET' THEN 400203 WHEN RAW:data:request:method = 'HEAD' THEN 400204 WHEN RAW:data:request:method = 'OPTIONS' THEN 400205 WHEN RAW:data:request:method = 'POST' THEN 400206 WHEN RAW:data:request:method = 'PUT' THEN 400207 WHEN RAW:data:request:method = 'TRACE' THEN 400208 WHEN RAW:data:request:method IS NULL THEN 400200 ELSE 400299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Oracle/1.1.0/oracle-service-logs/network_activity/README.md b/mappings/markdown/Oracle/1.1.0/oracle-service-logs/network_activity/README.md new file mode 100644 index 00000000..a5ce5eda --- /dev/null +++ b/mappings/markdown/Oracle/1.1.0/oracle-service-logs/network_activity/README.md 
@@ -0,0 +1,49 @@ +# Event Dossier: Oracle Service Logs to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `oracle` +* Product name: `oracle-service-logs` +* Event codes: `contains(EVENT_TYPE ,'com.oraclecloud.networkfirewall') OR contains(EVENT_TYPE ,'com.oraclecloud.vcn.flowlogs')` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION = 'ACCEPT' THEN 1 WHEN ACTION = 'allow' THEN 1 WHEN ACTION = 'REJECT' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION = 'ACCEPT' THEN 1 WHEN ACTION = 'allow' THEN 1 WHEN ACTION = 'REJECT' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```0::NUMBER``` | +| activity_name | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| cloud.provider | ```'Oracle'::VARCHAR``` | +| connection_info.protocol_name | ```LOWER(COALESCE(PROTOCOL_NAME, RAW:data:proto))::VARCHAR``` | +| connection_info.protocol_num | ```PROTOCOL::NUMBER``` | +| dst_endpoint.ip | ```COALESCE(DESTINATION_ADDRESS, RAW:data:dst)::VARCHAR``` | +| dst_endpoint.port | ```COALESCE(DESTINATION_PORT, RAW:data:dport)::VARCHAR``` | +| end_time | ```date_part('epoch_milliseconds', END_TIME::TIMESTAMP_LTZ)``` | +| end_time_dt | ```END_TIME::TIMESTAMP_LTZ``` | +| firewall_rule.name | ```RAW:data:rule::VARCHAR``` | +| firewall_rule.uid | ```RAW:data:rule_uuid::VARCHAR``` | +| metadata.event_code | ```EVENT_TYPE``` | +| 
metadata.product.name | ```'oracle-service-logs'``` | +| metadata.product.vendor_name | ```'oracle'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (CASE WHEN RAW:data:severity IS NULL THEN 0 WHEN RAW:data:severity = 'medium' THEN 3 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```CASE WHEN RAW:data:severity IS NULL THEN 0 WHEN RAW:data:severity = 'medium' THEN 3 ELSE 99 END::NUMBER``` | +| src_endpoint.ip | ```COALESCE(SOURCE_ADDRESS, RAW:data:src)::VARCHAR``` | +| src_endpoint.port | ```COALESCE(SOURCE_PORT, RAW:data:sport)::VARCHAR``` | +| start_time | ```date_part('epoch_milliseconds', START_TIME::TIMESTAMP_LTZ)``` | +| start_time_dt | ```START_TIME::TIMESTAMP_LTZ``` | +| status | ```CASE (CASE WHEN STATUS IS NULL THEN 0 WHEN STATUS = 'OK' THEN 1 WHEN STATUS = 'SKIPDATA' THEN 2 ELSE 99 END::NUMBER::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN STATUS IS NULL THEN 0 WHEN STATUS = 'OK' THEN 1 WHEN STATUS = 'SKIPDATA' THEN 2 ELSE 99 END::NUMBER::NUMBER``` | +| time | ```date_part('epoch_milliseconds', time::TIMESTAMP_LTZ)``` | +| time_dt | ```time::TIMESTAMP_LTZ``` | +| traffic.bytes_out | ```BYTES_OUT::NUMBER``` | +| traffic.packets | ```PACKETS::NUMBER``` | +| type_name | ```CASE (400100::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```400100::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ 
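Review bot: `activity_id` is hard-coded to `0::NUMBER` (Unknown) in this oracle-service-logs/network_activity hunk, so every flow-log and network-firewall record comes out as `type_uid` 400100 'Network Activity: Unknown', although the `activity_name` CASE in the same table already lists `6 THEN 'Traffic'`, which is what a VCN flow-log record is; consider `6`, or derive the value from `EVENT_TYPE`, since the `Event codes` filter admits both `com.oraclecloud.vcn.flowlogs` and `com.oraclecloud.networkfirewall` events. Minor: `status_id` and the inner expression of `status` end in `END::NUMBER::NUMBER`, a doubled cast that should be a single `::NUMBER`, and `dst_endpoint.port`/`src_endpoint.port` are cast to `::VARCHAR` although OCSF port attributes are integers.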
diff --git a/mappings/markdown/Palo Alto/1.1.0/pan-cortex-xdr-endpoints/inventory_info/README.md b/mappings/markdown/Palo Alto/1.1.0/pan-cortex-xdr-endpoints/inventory_info/README.md new file mode 100644 index 00000000..1cc258cd --- /dev/null +++ b/mappings/markdown/Palo Alto/1.1.0/pan-cortex-xdr-endpoints/inventory_info/README.md 
@@ -0,0 +1,36 @@ +# Event Dossier: Pan Cortex Xdr Endpoints to OCSF class Inventory Info + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `inventory_info` +* Vendor name: `paloalto` +* Product name: `pan-cortex-xdr-endpoints` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```99::NUMBER``` | +| activity_name | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Log' WHEN 2 THEN 'Collect' WHEN 99 THEN 'Other' END``` | +| actor.user.name | ```USERS[0]::VARCHAR``` | +| category_name | ```CASE (5::NUMBER) WHEN 5 THEN 'Discovery' END``` | +| category_uid | ```5::NUMBER``` | +| class_name | ```'inventory_info'``` | +| class_uid | ```5001``` | +| device.hostname | ```HOST_NAME::VARCHAR``` | +| device.ip | ```IP[0]::VARCHAR``` | +| device.is_managed | ```CASE WHEN OPERATIONAL_STATUS IN ('PROTECTED', 'PARTIALLY_PROTECTED') THEN TRUE ELSE FALSE END::BOOLEAN``` | +| device.last_seen_time | ```date_part('epoch_milliseconds', LAST_SEEN::TIMESTAMP_LTZ)``` | +| device.last_seen_time_dt | ```LAST_SEEN::TIMESTAMP_LTZ``` | +| device.type | ```CASE (CASE WHEN AGENT_TYPE IS NULL THEN 0 WHEN AGENT_TYPE = 'Server' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| device.type_id | ```CASE WHEN AGENT_TYPE IS NULL THEN 0 WHEN AGENT_TYPE = 'Server' THEN 1 ELSE 99 END::NUMBER``` | +| device.uid | ```AGENT_ID::VARCHAR``` | +| metadata.product.name | ```'pan-cortex-xdr-endpoints'``` | +| metadata.product.vendor_name | ```'paloalto'``` | +| metadata.version | ```'1.1.0'``` | +| time | ```date_part('epoch_milliseconds', last_seen::TIMESTAMP_LTZ)``` | +| time_dt | ```last_seen::TIMESTAMP_LTZ``` | +| type_name | ```CASE 
(500199::NUMBER) WHEN 500100 THEN 'Device Inventory Info: Unknown' WHEN 500101 THEN 'Device Inventory Info: Log' WHEN 500102 THEN 'Device Inventory Info: Collect' WHEN 500199 THEN 'Device Inventory Info: Other' END``` | +| type_uid | ```500199::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/file_activity/README.md b/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/file_activity/README.md new file mode 100644 index 00000000..921d76d7 --- /dev/null +++ b/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/file_activity/README.md 
@@ -0,0 +1,54 @@ +# Event Dossier: Pan Edr Raw Logs to OCSF class File Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `file_activity` +* Vendor name: `paloalto` +* Product name: `pan-edr-raw-logs` +* Event codes: `event_type = 3` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (0:NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```0:NUMBER``` | +| actor.process.cmd_line | ```OS_ACTOR_PROCESS_COMMAND_LINE::VARCHAR``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (case when OS_ACTOR_PROCESS_IMAGE_SHA256 is null and OS_ACTOR_PROCESS_IMAGE_MD5 is null then 1 when OS_ACTOR_PROCESS_IMAGE_SHA256 is not null then 3 when OS_ACTOR_PROCESS_IMAGE_MD5 is not null then 1 else 0 end::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', case when OS_ACTOR_PROCESS_IMAGE_SHA256 is null and OS_ACTOR_PROCESS_IMAGE_MD5 is null then 1 when OS_ACTOR_PROCESS_IMAGE_SHA256 is not null then 3 when OS_ACTOR_PROCESS_IMAGE_MD5 is not null then 1 else 0 end::NUMBER, 'value', COALESCE(OS_ACTOR_PROCESS_IMAGE_SHA256, OS_ACTOR_PROCESS_IMAGE_MD5)::VARCHAR))``` | +| actor.process.file.name | ```OS_ACTOR_PROCESS_IMAGE_NAME::VARCHAR``` | +| actor.process.file.path | ```OS_ACTOR_PROCESS_IMAGE_PATH::VARCHAR``` | +| actor.process.pid | ```OS_ACTOR_PROCESS_OS_PID::NUMBER``` | +| actor.process.tid | ```OS_ACTOR_THREAD_THREAD_ID::NUMBER``` | +| actor.process.user.name | ```OS_ACTOR_PRIMARY_USERNAME::VARCHAR``` | +| actor.process.user.uid | ```OS_ACTOR_PRIMARY_USER_SID::VARCHAR``` | +| class_name | ```'file_activity'``` | +| class_uid | ```1001``` | +| device.hostname | ```AGENT_HOSTNAME::VARCHAR``` | +| device.ip | 
```COALESCE(AGENT_IP_ADDRESSES[0], AGENT_IP_ADDRESSES_V6[0])::VARCHAR``` | +| device.mac | ```AGENT_INTERFACE_MAP_MAC[0]::VARCHAR``` | +| device.os.type | ```CASE (case when AGENT_OS_TYPE = 1 then 100 when AGENT_OS_TYPE = 2 then 300 when AGENT_OS_TYPE = 4 then 200 else 0 end::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```case when AGENT_OS_TYPE = 1 then 100 when AGENT_OS_TYPE = 2 then 300 when AGENT_OS_TYPE = 4 then 200 else 0 end::NUMBER``` | +| device.os.version | ```AGENT_OS_SUB_TYPE::VARCHAR``` | +| device.subnet | ```COALESCE(raw:agent_interface_map[0]:ipv4_subnet_mask, raw:agent_interface_map[0]:ipv6_subnet_mask)::VARCHAR``` | +| device.uid | ```AGENT_ID::VARCHAR``` | +| file.accessed_time | ```date_part('epoch_milliseconds', ACTION_FILE_ACCESS_TIME::TIMESTAMP_LTZ)``` | +| file.accessed_time_dt | ```ACTION_FILE_ACCESS_TIME::TIMESTAMP_LTZ``` | +| file.created_time | ```date_part('epoch_milliseconds', ACTION_FILE_CREATE_TIME::TIMESTAMP_LTZ)``` | +| file.created_time_dt | ```ACTION_FILE_CREATE_TIME::TIMESTAMP_LTZ``` | +| file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (case when ACTION_FILE_SHA256 is null and ACTION_FILE_MD5 is null then 1 when ACTION_FILE_SHA256 is not null then 3 when ACTION_FILE_MD5 is not null then 1 else 0 end::NUMBER ::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', case when ACTION_FILE_SHA256 is null and ACTION_FILE_MD5 is null then 1 when ACTION_FILE_SHA256 is not null then 3 when ACTION_FILE_MD5 is not null then 1 else 0 end::NUMBER ::NUMBER))``` | +| file.modified_time | 
```date_part('epoch_milliseconds', ACTION_FILE_MOD_TIME::TIMESTAMP_LTZ)``` | +| file.modified_time_dt | ```ACTION_FILE_MOD_TIME::TIMESTAMP_LTZ``` | +| file.name | ```ACTION_FILE_NAME::VARCHAR``` | +| file.owner.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('name', ACTION_FILE_GROUP_NAME::VARCHAR, 'uid', ACTION_FILE_GROUP::VARCHAR))``` | +| file.owner.name | ```ACTION_FILE_OWNER_NAME::VARCHAR``` | +| file.owner.uid | ```ACTION_FILE_OWNER::VARCHAR``` | +| file.path | ```ACTION_FILE_PATH::VARCHAR``` | +| file.size | ```ACTION_FILE_SIZE::NUMBER``` | +| file.type | ```CASE (case when ACTION_FILE_DEVICE_TYPE = 0 then 0 when ACTION_FILE_DEVICE_TYPE = 1 then 6 else 0 end::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Regular File' WHEN 2 THEN 'Folder' WHEN 3 THEN 'Character Device' WHEN 4 THEN 'Block Device' WHEN 5 THEN 'Local Socket' WHEN 6 THEN 'Named Pipe' WHEN 7 THEN 'Symbolic Link' WHEN 99 THEN 'Other' END``` | +| file.type_id | ```case when ACTION_FILE_DEVICE_TYPE = 0 then 0 when ACTION_FILE_DEVICE_TYPE = 1 then 6 else 0 end::NUMBER``` | +| metadata.product.name | ```'pan-edr-raw-logs'``` | +| metadata.product.vendor_name | ```'paloalto'``` | +| metadata.version | ```'1.1.0'``` | +| time | ```date_part('epoch_milliseconds', event_timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```event_timestamp::TIMESTAMP_LTZ``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/network_activity/README.md b/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/network_activity/README.md new file mode 100644 index 00000000..00f3ef24 --- /dev/null +++ b/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/network_activity/README.md 
@@ -0,0 +1,56 @@ +# Event Dossier: Pan Edr Raw Logs to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `paloalto` +* Product name: `pan-edr-raw-logs` +* Event codes: `EVENT_TYPE = 2` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```CASE WHEN event_sub_type IN (1, 2, 3, 7, 8, 9, 13) THEN 1 WHEN event_sub_type IN (4, 10, 11) THEN 2 WHEN event_sub_type = 6 THEN 4 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN event_sub_type IN (1, 2, 3, 7, 8, 9, 13) THEN 1 WHEN event_sub_type IN (4, 10, 11) THEN 2 WHEN event_sub_type = 6 THEN 4 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```OS_ACTOR_PROCESS_COMMAND_LINE::VARCHAR``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (case when OS_ACTOR_PROCESS_IMAGE_SHA256 is null and OS_ACTOR_PROCESS_IMAGE_MD5 is null then 0 when OS_ACTOR_PROCESS_IMAGE_SHA256 is not null then 3 when OS_ACTOR_PROCESS_IMAGE_MD5 is not null then 1 else 99 end::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', case when OS_ACTOR_PROCESS_IMAGE_SHA256 is null and OS_ACTOR_PROCESS_IMAGE_MD5 is null then 0 when OS_ACTOR_PROCESS_IMAGE_SHA256 is not null then 3 when OS_ACTOR_PROCESS_IMAGE_MD5 is not null then 1 else 99 end::NUMBER, 'value', COALESCE(OS_ACTOR_PROCESS_IMAGE_SHA256, OS_ACTOR_PROCESS_IMAGE_MD5)::VARCHAR))``` | +| 
actor.process.file.name | ```OS_ACTOR_PROCESS_IMAGE_NAME::VARCHAR``` | +| actor.process.file.path | ```OS_ACTOR_PROCESS_IMAGE_PATH::VARCHAR``` | +| actor.process.pid | ```OS_ACTOR_PROCESS_OS_PID::NUMBER``` | +| actor.process.tid | ```OS_ACTOR_THREAD_THREAD_ID::NUMBER``` | +| actor.user.name | ```OS_ACTOR_PRIMARY_USERNAME::VARCHAR``` | +| actor.user.uid | ```OS_ACTOR_PRIMARY_USER_SID::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.protocol_name | ```CASE WHEN ACTION_NETWORK_PROTOCOL=6 THEN 'tcp' WHEN ACTION_NETWORK_PROTOCOL=17 THEN 'udp' ELSE NULL END::VARCHAR``` | +| connection_info.protocol_num | ```ACTION_NETWORK_PROTOCOL::NUMBER``` | +| connection_info.session.created_time | ```date_part('epoch_milliseconds', ACTION_NETWORK_CREATION_TIME::TIMESTAMP_LTZ)``` | +| connection_info.session.created_time_dt | ```ACTION_NETWORK_CREATION_TIME::TIMESTAMP_LTZ``` | +| connection_info.uid | ```ACTION_NETWORK_CONNECTION_ID::VARCHAR``` | +| device.hostname | ```AGENT_HOSTNAME::VARCHAR``` | +| device.ip | ```COALESCE(AGENT_IP_ADDRESSES[0], AGENT_IP_ADDRESSES_V6[0])::VARCHAR``` | +| device.mac | ```AGENT_INTERFACE_MAP_MAC[0]::VARCHAR``` | +| device.os.type | ```CASE (case when AGENT_OS_TYPE = 1 then 100 when AGENT_OS_TYPE = 2 then 300 when AGENT_OS_TYPE = 4 then 200 else 0 end::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```case when AGENT_OS_TYPE = 1 then 100 when AGENT_OS_TYPE = 2 then 300 when AGENT_OS_TYPE = 4 then 200 else 0 end::NUMBER``` | +| device.os.version | ```AGENT_OS_SUB_TYPE::VARCHAR``` | +| device.uid | ```AGENT_ID::VARCHAR``` | 
+| dst_endpoint.ip | ```ACTION_REMOTE_IP::VARCHAR``` | +| dst_endpoint.port | ```ACTION_REMOTE_PORT::VARCHAR``` | +| metadata.product.name | ```'pan-edr-raw-logs'``` | +| metadata.product.vendor_name | ```'paloalto'``` | +| metadata.version | ```'1.1.0'``` | +| src_endpoint.ip | ```ACTION_LOCAL_IP::VARCHAR``` | +| src_endpoint.port | ```ACTION_LOCAL_PORT::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```event_timestamp::TIMESTAMP_LTZ``` | +| traffic.bytes | ```(ACTION_TOTAL_UPLOAD + ACTION_TOTAL_DOWNLOAD)::NUMBER``` | +| traffic.bytes_in | ```ACTION_TOTAL_DOWNLOAD::NUMBER``` | +| traffic.bytes_out | ```ACTION_TOTAL_UPLOAD::NUMBER``` | +| type_name | ```CASE ((400100 + CASE WHEN event_sub_type IN (1, 2, 3, 7, 8, 9, 13) THEN 1 WHEN event_sub_type IN (4, 10, 11) THEN 2 WHEN event_sub_type = 6 THEN 4 ELSE 99 END)::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```(400100 + CASE WHEN event_sub_type IN (1, 2, 3, 7, 8, 9, 13) THEN 1 WHEN event_sub_type IN (4, 10, 11) THEN 2 WHEN event_sub_type = 6 THEN 4 ELSE 99 END)::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/process_activity/README.md b/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/process_activity/README.md new file mode 100644 index 00000000..5f5401dd --- /dev/null +++ b/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/process_activity/README.md 
@@ -0,0 +1,53 @@ +# Event Dossier: Pan Edr Raw Logs to OCSF class Process Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `process_activity` +* Vendor name: `paloalto` +* Product name: `pan-edr-raw-logs` +* Event codes: `EVENT_TYPE = 1` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```CASE WHEN event_sub_type is null THEN 0 WHEN event_sub_type = 1 THEN 1 WHEN event_sub_type = 2 THEN 2 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN event_sub_type is null THEN 0 WHEN event_sub_type = 1 THEN 1 WHEN event_sub_type = 2 THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Launch' WHEN 2 THEN 'Terminate' WHEN 3 THEN 'Open' WHEN 4 THEN 'Inject' WHEN 5 THEN 'Set User ID' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```OS_ACTOR_PROCESS_COMMAND_LINE::VARCHAR``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (case when OS_ACTOR_PROCESS_IMAGE_SHA256 is null and OS_ACTOR_PROCESS_IMAGE_MD5 is null then 0 when OS_ACTOR_PROCESS_IMAGE_SHA256 is not null then 3 when OS_ACTOR_PROCESS_IMAGE_MD5 is not null then 1 else 99 end::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', case when OS_ACTOR_PROCESS_IMAGE_SHA256 is null and OS_ACTOR_PROCESS_IMAGE_MD5 is null then 0 when OS_ACTOR_PROCESS_IMAGE_SHA256 is not null then 3 when OS_ACTOR_PROCESS_IMAGE_MD5 is not null then 1 else 99 end::NUMBER, 'value', COALESCE(OS_ACTOR_PROCESS_IMAGE_SHA256, OS_ACTOR_PROCESS_IMAGE_MD5)::VARCHAR))``` | +| actor.process.file.name | ```OS_ACTOR_PROCESS_IMAGE_NAME::VARCHAR``` | +| 
actor.process.file.path | ```OS_ACTOR_PROCESS_IMAGE_PATH::VARCHAR``` | +| actor.process.pid | ```OS_ACTOR_PROCESS_OS_PID::NUMBER``` | +| actor.process.tid | ```OS_ACTOR_THREAD_THREAD_ID::NUMBER``` | +| actor.process.user.name | ```OS_ACTOR_PRIMARY_USERNAME::VARCHAR``` | +| actor.process.user.uid | ```OS_ACTOR_PRIMARY_USER_SID::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'process_activity'``` | +| class_uid | ```1007``` | +| device.hostname | ```AGENT_HOSTNAME::VARCHAR``` | +| device.ip | ```COALESCE(AGENT_IP_ADDRESSES[0], AGENT_IP_ADDRESSES_V6[0])::VARCHAR``` | +| device.mac | ```AGENT_INTERFACE_MAP_MAC[0]::VARCHAR``` | +| device.os.type | ```CASE (case when AGENT_OS_TYPE = 1 then 100 when AGENT_OS_TYPE = 2 then 300 when AGENT_OS_TYPE = 4 then 200 else 0 end::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```case when AGENT_OS_TYPE = 1 then 100 when AGENT_OS_TYPE = 2 then 300 when AGENT_OS_TYPE = 4 then 200 else 0 end::NUMBER``` | +| device.os.version | ```AGENT_OS_SUB_TYPE::VARCHAR``` | +| device.uid | ```AGENT_ID::VARCHAR``` | +| metadata.product.name | ```'pan-edr-raw-logs'``` | +| metadata.product.vendor_name | ```'paloalto'``` | +| metadata.version | ```'1.1.0'``` | +| process.cmd_line | ```ACTION_PROCESS_IMAGE_COMMAND_LINE::VARCHAR``` | +| process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (CASE WHEN ACTION_PROCESS_IMAGE_SHA256 IS NULL AND ACTION_PROCESS_IMAGE_MD5 IS NULL THEN 0 WHEN ACTION_PROCESS_IMAGE_SHA256 IS NOT NULL THEN 3 WHEN ACTION_PROCESS_IMAGE_MD5 IS NOT NULL THEN 1 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 
'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', CASE WHEN ACTION_PROCESS_IMAGE_SHA256 IS NULL AND ACTION_PROCESS_IMAGE_MD5 IS NULL THEN 0 WHEN ACTION_PROCESS_IMAGE_SHA256 IS NOT NULL THEN 3 WHEN ACTION_PROCESS_IMAGE_MD5 IS NOT NULL THEN 1 END::NUMBER, 'value', COALESCE(ACTION_PROCESS_IMAGE_SHA256, ACTION_PROCESS_IMAGE_MD5)::VARCHAR))``` | +| process.file.name | ```ACTION_PROCESS_IMAGE_NAME::VARCHAR``` | +| process.file.path | ```ACTION_PROCESS_IMAGE_PATH::VARCHAR``` | +| process.pid | ```ACTION_PROCESS_OS_PID::NUMBER``` | +| process.terminated_time | ```date_part('epoch_milliseconds', ACTION_PROCESS_TERMINATION_DATE::TIMESTAMP_LTZ)``` | +| process.terminated_time_dt | ```ACTION_PROCESS_TERMINATION_DATE::TIMESTAMP_LTZ``` | +| process.user.name | ```ACTION_PROCESS_USERNAME::VARCHAR``` | +| process.user.uid | ```ACTION_PROCESS_USER_SID::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```event_timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((100700 + (CASE WHEN event_sub_type is null THEN 0 WHEN event_sub_type = 1 THEN 1 WHEN event_sub_type = 2 THEN 2 ELSE 99 END))::NUMBER) WHEN 100700 THEN 'Process Activity: Unknown' WHEN 100701 THEN 'Process Activity: Launch' WHEN 100702 THEN 'Process Activity: Terminate' WHEN 100703 THEN 'Process Activity: Open' WHEN 100704 THEN 'Process Activity: Inject' WHEN 100705 THEN 'Process Activity: Set User ID' WHEN 100799 THEN 'Process Activity: Other' END``` | +| type_uid | ```(100700 + (CASE WHEN event_sub_type is null THEN 0 WHEN event_sub_type = 1 THEN 1 WHEN event_sub_type = 2 THEN 2 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ 
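Review bot: `actor.process.file.hashes` and `process.file.hashes` always emit exactly one fingerprint object, and not always a valid one. `COALESCE(OS_ACTOR_PROCESS_IMAGE_SHA256, OS_ACTOR_PROCESS_IMAGE_MD5)` discards the MD5 whenever the SHA-256 is present, and when both are null the object is still produced with algorithm 'Unknown', algorithm_id 0 and a null `value`, which will not pass the schema server once these files are validated (the dossier already warns that required fields may be missing). Suggest one OBJECT_CONSTRUCT per non-null hash wrapped in ARRAY_COMPACT, so a process with both hashes carries both and a process with neither carries an empty array. The `else 99` branch of the algorithm CASE is unreachable, since the three branches before it cover every combination of null and non-null. Separately, this file puts the user under `actor.process.user.name` / `actor.process.user.uid` while the registry_key_activity and registry_value_activity mappings in this PR use `actor.user.name` / `actor.user.uid` for the same `OS_ACTOR_PRIMARY_USERNAME` column; pick one so cross-class joins on the actor work.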
diff --git a/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/registry_key_activity/README.md b/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/registry_key_activity/README.md new file mode 100644 index 00000000..8fb168c9 --- /dev/null +++ b/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/registry_key_activity/README.md 
@@ -0,0 +1,49 @@ +# Event Dossier: Pan Edr Raw Logs to OCSF class Win/registry Key Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `registry_key_activity` +* Vendor name: `paloalto` +* Product name: `pan-edr-raw-logs` +* Event codes: `EVENT_TYPE = 4 AND EVENT_SUB_TYPE IN (1, 2, 3)` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```CASE WHEN event_sub_type IS NULL THEN 0 WHEN event_sub_type = 1 THEN 1 WHEN event_sub_type = 2 THEN 4 WHEN event_sub_type = 3 THEN 5 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN event_sub_type IS NULL THEN 0 WHEN event_sub_type = 1 THEN 1 WHEN event_sub_type = 2 THEN 4 WHEN event_sub_type = 3 THEN 5 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Create' WHEN 2 THEN 'Read' WHEN 3 THEN 'Modify' WHEN 4 THEN 'Delete' WHEN 5 THEN 'Rename' WHEN 6 THEN 'Set Security' WHEN 7 THEN 'Restore' WHEN 8 THEN 'Import' WHEN 9 THEN 'Export' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```OS_ACTOR_PROCESS_COMMAND_LINE::VARCHAR``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (case when OS_ACTOR_PROCESS_IMAGE_SHA256 is null and OS_ACTOR_PROCESS_IMAGE_MD5 is null then 0 when OS_ACTOR_PROCESS_IMAGE_SHA256 is not null then 3 when OS_ACTOR_PROCESS_IMAGE_MD5 is not null then 1 else 99 end::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', case when OS_ACTOR_PROCESS_IMAGE_SHA256 is null and OS_ACTOR_PROCESS_IMAGE_MD5 is null then 0 when OS_ACTOR_PROCESS_IMAGE_SHA256 is not null then 3 when OS_ACTOR_PROCESS_IMAGE_MD5 is not null then 1 else 99 
end::NUMBER, 'value', COALESCE(OS_ACTOR_PROCESS_IMAGE_SHA256, OS_ACTOR_PROCESS_IMAGE_MD5)::VARCHAR))``` | +| actor.process.file.name | ```OS_ACTOR_PROCESS_IMAGE_NAME::VARCHAR``` | +| actor.process.file.path | ```OS_ACTOR_PROCESS_IMAGE_PATH::VARCHAR``` | +| actor.process.pid | ```OS_ACTOR_PROCESS_OS_PID::NUMBER``` | +| actor.process.tid | ```OS_ACTOR_THREAD_THREAD_ID::NUMBER``` | +| actor.user.name | ```OS_ACTOR_PRIMARY_USERNAME::VARCHAR``` | +| actor.user.uid | ```OS_ACTOR_PRIMARY_USER_SID::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'win/registry_key_activity'``` | +| class_uid | ```201001``` | +| device.hostname | ```AGENT_HOSTNAME::VARCHAR``` | +| device.ip | ```COALESCE(AGENT_IP_ADDRESSES[0], AGENT_IP_ADDRESSES_V6[0])::VARCHAR``` | +| device.mac | ```AGENT_INTERFACE_MAP_MAC[0]::VARCHAR``` | +| device.os.type | ```CASE (case when AGENT_OS_TYPE = 1 then 100 when AGENT_OS_TYPE = 2 then 300 when AGENT_OS_TYPE = 4 then 200 else 0 end::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```case when AGENT_OS_TYPE = 1 then 100 when AGENT_OS_TYPE = 2 then 300 when AGENT_OS_TYPE = 4 then 200 else 0 end::NUMBER``` | +| device.os.version | ```AGENT_OS_SUB_TYPE::VARCHAR``` | +| device.uid | ```AGENT_ID::VARCHAR``` | +| disposition | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 
THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```99::NUMBER``` | +| metadata.product.name | ```'pan-edr-raw-logs'``` | +| metadata.product.vendor_name | ```'paloalto'``` | +| metadata.version | ```'1.1.0'``` | +| reg_key.path | ```RAW:action_registry_key_name::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```event_timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((20100100 + (CASE WHEN event_sub_type IS NULL THEN 0 WHEN event_sub_type = 1 THEN 1 WHEN event_sub_type = 2 THEN 4 WHEN event_sub_type = 3 THEN 5 ELSE 99 END))::NUMBER) WHEN 20100100 THEN 'Registry Key Activity: Unknown' WHEN 20100101 THEN 'Registry Key Activity: Create' WHEN 20100102 THEN 'Registry Key Activity: Read' WHEN 20100103 THEN 'Registry Key Activity: Modify' WHEN 20100104 THEN 'Registry Key Activity: Delete' WHEN 20100105 THEN 'Registry Key Activity: Rename' WHEN 20100106 THEN 'Registry Key Activity: Set Security' WHEN 20100107 THEN 'Registry Key Activity: Restore' WHEN 20100108 THEN 'Registry Key Activity: Import' WHEN 20100109 THEN 'Registry Key Activity: Export' WHEN 20100199 THEN 'Registry Key Activity: Other' END``` | +| type_uid | ```(20100100 + (CASE WHEN event_sub_type IS NULL THEN 0 WHEN event_sub_type = 1 THEN 1 WHEN event_sub_type = 2 THEN 4 WHEN event_sub_type = 3 THEN 5 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community by 
[Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/registry_value_activity/README.md b/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/registry_value_activity/README.md new file mode 100644 index 00000000..0fa4df2b --- /dev/null +++ b/mappings/markdown/Palo Alto/1.1.0/pan-edr-raw-logs/registry_value_activity/README.md 
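Review bot: in the registry_key_activity mapping ending here, `action_id` and `disposition_id` are hard-coded to `99::NUMBER` ('Other'), which asserts a known-but-unlisted outcome for every event even though no raw column carrying an enforcement result is referenced anywhere in the table. EDR registry telemetry of this kind is an observation, so `0` ('Unknown') is the honest value, and the choice matters because detections routinely filter on `action_id = 2` or `disposition_id = 2` to find blocked activity and on `0` to find unenforced activity. The sentinelone-raw-events-v2 file_activity mapping later in this PR uses `0::NUMBER` for `action_id`, so the PR is inconsistent with itself on this point. Also, `reg_key.path` reads `RAW:action_registry_key_name` while every other expression in the file uses a flattened column; if a flattened column exists, use it for consistency, and if it does not, a one-line comment in the dossier saying so would save the next reader a lookup.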
@@ -0,0 +1,52 @@ +# Event Dossier: Pan Edr Raw Logs to OCSF class Win/registry Value Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `registry_value_activity` +* Vendor name: `paloalto` +* Product name: `pan-edr-raw-logs` +* Event codes: `EVENT_TYPE = 4 AND EVENT_SUB_TYPE IN (4, 5)` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```CASE WHEN event_sub_type IS NULL THEN 0 WHEN event_sub_type = 4 THEN 2 WHEN event_sub_type = 5 THEN 4 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN event_sub_type IS NULL THEN 0 WHEN event_sub_type = 4 THEN 2 WHEN event_sub_type = 5 THEN 4 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Get' WHEN 2 THEN 'Set' WHEN 3 THEN 'Modify' WHEN 4 THEN 'Delete' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```OS_ACTOR_PROCESS_COMMAND_LINE::VARCHAR``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (case when OS_ACTOR_PROCESS_IMAGE_SHA256 is null and OS_ACTOR_PROCESS_IMAGE_MD5 is null then 0 when OS_ACTOR_PROCESS_IMAGE_SHA256 is not null then 3 when OS_ACTOR_PROCESS_IMAGE_MD5 is not null then 1 else 99 end::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', case when OS_ACTOR_PROCESS_IMAGE_SHA256 is null and OS_ACTOR_PROCESS_IMAGE_MD5 is null then 0 when OS_ACTOR_PROCESS_IMAGE_SHA256 is not null then 3 when OS_ACTOR_PROCESS_IMAGE_MD5 is not null then 1 else 99 end::NUMBER, 'value', COALESCE(OS_ACTOR_PROCESS_IMAGE_SHA256, OS_ACTOR_PROCESS_IMAGE_MD5)::VARCHAR))``` | +| actor.process.file.name | ```OS_ACTOR_PROCESS_IMAGE_NAME::VARCHAR``` | +| 
actor.process.file.path | ```OS_ACTOR_PROCESS_IMAGE_PATH::VARCHAR``` | +| actor.process.pid | ```OS_ACTOR_PROCESS_OS_PID::NUMBER``` | +| actor.process.tid | ```OS_ACTOR_THREAD_THREAD_ID::NUMBER``` | +| actor.user.name | ```OS_ACTOR_PRIMARY_USERNAME::VARCHAR``` | +| actor.user.uid | ```OS_ACTOR_PRIMARY_USER_SID::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'win/registry_value_activity'``` | +| class_uid | ```201002``` | +| device.hostname | ```AGENT_HOSTNAME::VARCHAR``` | +| device.ip | ```COALESCE(AGENT_IP_ADDRESSES[0], AGENT_IP_ADDRESSES_V6[0])::VARCHAR``` | +| device.mac | ```AGENT_INTERFACE_MAP_MAC[0]::VARCHAR``` | +| device.os.type | ```CASE (case when AGENT_OS_TYPE = 1 then 100 when AGENT_OS_TYPE = 2 then 300 when AGENT_OS_TYPE = 4 then 200 else 0 end::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```case when AGENT_OS_TYPE = 1 then 100 when AGENT_OS_TYPE = 2 then 300 when AGENT_OS_TYPE = 4 then 200 else 0 end::NUMBER``` | +| device.os.version | ```AGENT_OS_SUB_TYPE::VARCHAR``` | +| device.uid | ```AGENT_ID::VARCHAR``` | +| disposition | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 
'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```99::NUMBER``` | +| metadata.product.name | ```'pan-edr-raw-logs'``` | +| metadata.product.vendor_name | ```'paloalto'``` | +| metadata.version | ```'1.1.0'``` | +| reg_value.name | ```RAW:action_registry_value_name::VARCHAR``` | +| reg_value.path | ```RAW:action_registry_key_name::VARCHAR``` | +| reg_value.type | ```CASE (CASE WHEN RAW:action_registry_value_type IS NULL THEN 0 WHEN RAW:action_registry_value_type = 4 THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'REG_BINARY' WHEN 10 THEN 'REG_SZ' WHEN 2 THEN 'REG_DWORD' WHEN 3 THEN 'REG_DWORD_BIG_ENDIAN' WHEN 4 THEN 'REG_EXPAND_SZ' WHEN 5 THEN 'REG_LINK' WHEN 6 THEN 'REG_MULTI_SZ' WHEN 7 THEN 'REG_NONE' WHEN 8 THEN 'REG_QWORD' WHEN 9 THEN 'REG_QWORD_LITTLE_ENDIAN' WHEN 99 THEN 'Other' END``` | +| reg_value.type_id | ```CASE WHEN RAW:action_registry_value_type IS NULL THEN 0 WHEN RAW:action_registry_value_type = 4 THEN 2 ELSE 99 END::NUMBER``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```event_timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((20100200 + (CASE WHEN event_sub_type IS NULL THEN 0 WHEN event_sub_type = 4 THEN 2 WHEN event_sub_type = 5 THEN 4 ELSE 99 END))::NUMBER) WHEN 20100200 THEN 'Registry Value Activity: Unknown' WHEN 20100201 THEN 'Registry Value Activity: Get' WHEN 20100202 THEN 'Registry Value Activity: Set' WHEN 20100203 THEN 'Registry Value Activity: Modify' WHEN 20100204 THEN 'Registry Value Activity: Delete' WHEN 20100299 THEN 'Registry Value Activity: Other' END``` | +| type_uid | ```(20100200 
+ (CASE WHEN event_sub_type IS NULL THEN 0 WHEN event_sub_type = 4 THEN 2 WHEN event_sub_type = 5 THEN 4 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Palo Alto/1.1.0/pan-firewall-globalprotect/authentication/README.md b/mappings/markdown/Palo Alto/1.1.0/pan-firewall-globalprotect/authentication/README.md new file mode 100644 index 00000000..4a55e919 --- /dev/null +++ b/mappings/markdown/Palo Alto/1.1.0/pan-firewall-globalprotect/authentication/README.md 
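Review bot: `reg_value.type_id` maps only raw value type `4` to `2` (REG_DWORD) and sends every other type to `99`, so REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ and REG_BINARY values, which are exactly what Run-key, service ImagePath and COM hijack detections inspect, all surface as 'Other'. Assuming `action_registry_value_type` carries the Windows REG_* constants (the existing 4 = REG_DWORD is consistent with that, but please confirm against the vendor schema), the remaining types map directly onto the enum already spelled out in the `reg_value.type` CASE: 0 to 7 (REG_NONE), 1 to 10 (REG_SZ), 2 to 4 (REG_EXPAND_SZ), 3 to 1 (REG_BINARY), 5 to 3 (REG_DWORD_BIG_ENDIAN), 6 to 5 (REG_LINK), 7 to 6 (REG_MULTI_SZ) and 11 to 8 (REG_QWORD). The same hard-coded `action_id` / `disposition_id` of 99 noted on the registry_key_activity file applies here.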
@@ -0,0 +1,46 @@ +# Event Dossier: Pan Firewall Globalprotect to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `paloalto` +* Product name: `pan-firewall-globalprotect` +* Event codes: `EVENT_ID = 'portal-auth'` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| api.response.error | ```ERROR_CODE::VARCHAR``` | +| auth_protocol | ```CASE (CASE WHEN AUTHENTICATION_METHOD IS NULL THEN 0 WHEN AUTHENTICATION_METHOD = 'SAML' THEN 5 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'NTLM' WHEN 10 THEN 'RADIUS' WHEN 2 THEN 'Kerberos' WHEN 3 THEN 'Digest' WHEN 4 THEN 'OpenID' WHEN 5 THEN 'SAML' WHEN 6 THEN 'OAUTH 2.0' WHEN 7 THEN 'PAP' WHEN 8 THEN 'CHAP' WHEN 9 THEN 'EAP' WHEN 99 THEN 'Other' END``` | +| auth_protocol_id | ```CASE WHEN AUTHENTICATION_METHOD IS NULL THEN 0 WHEN AUTHENTICATION_METHOD = 'SAML' THEN 5 ELSE 99 END::NUMBER``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| duration | ```(LOGIN_DURATION * 1000)::NUMBER``` | +| metadata.product.name | ```'pan-firewall-globalprotect'``` | +| metadata.product.vendor_name | ```'paloalto'``` | +| metadata.version | ```'1.1.0'``` | +| session.expiration_reason | ```COALESCE(ERROR, REASON)::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| 
src_endpoint.hostname | ```HOST_ID::VARCHAR``` | +| src_endpoint.hw_info.serial_number | ```MACHINE_SERIAL_NUMBER::VARCHAR``` | +| src_endpoint.ip | ```COALESCE(PUBLIC_IP, PUBLIC_IP_V6)::VARCHAR``` | +| src_endpoint.location.region | ```SOURCE_REGION::VARCHAR``` | +| src_endpoint.name | ```MACHINE_NAME::VARCHAR``` | +| src_endpoint.os.name | ```CLIENT_OS::VARCHAR``` | +| src_endpoint.os.type | ```CASE (CASE WHEN CLIENT_OS IS NULL THEN 0 WHEN CLIENT_OS = 'Windows' THEN 100 WHEN CLIENT_OS = 'Linux' THEN 200 WHEN CLIENT_OS = 'Mac' THEN 300 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| src_endpoint.os.type_id | ```CASE WHEN CLIENT_OS IS NULL THEN 0 WHEN CLIENT_OS = 'Windows' THEN 100 WHEN CLIENT_OS = 'Linux' THEN 200 WHEN CLIENT_OS = 'Mac' THEN 300 ELSE 99 END::NUMBER``` | +| src_endpoint.os.version | ```CLIENT_OS_VERSION::VARCHAR``` | +| status | ```CASE (CASE WHEN STATUS IS NULL THEN 0 WHEN STATUS = 'success' THEN 1 WHEN STATUS = 'failure' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN STATUS IS NULL THEN 0 WHEN STATUS = 'success' THEN 1 WHEN STATUS = 'failure' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', generated_time::TIMESTAMP_LTZ)``` | +| time_dt | ```generated_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (300201::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| 
type_uid | ```300201::NUMBER``` | +| user.name | ```SOURCE_USER::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Palo Alto/1.1.0/pan-firewall-traffic/network_activity/README.md b/mappings/markdown/Palo Alto/1.1.0/pan-firewall-traffic/network_activity/README.md new file mode 100644 index 00000000..9ded157f --- /dev/null +++ b/mappings/markdown/Palo Alto/1.1.0/pan-firewall-traffic/network_activity/README.md 
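Review bot: `api.response.error` and `session.expiration_reason` are the wrong homes for `ERROR_CODE` and `COALESCE(ERROR, REASON)`: a `portal-auth` event is not an API call, and the reason string explains why the logon failed, not why a session expired. The authentication class carries `status_code` and `status_detail` for exactly this, so map `ERROR_CODE` to `status_code` and `COALESCE(ERROR, REASON)` to `status_detail`; failed-logon detections can then key on the same attributes they use for every other authentication source instead of a GlobalProtect-specific path. `auth_protocol_id` also recognises only `'SAML'`; every other `AUTHENTICATION_METHOD` value becomes 99 'Other' even though the enum written out in the `auth_protocol` CASE already has RADIUS (10), so at least that branch is worth adding, and a comment listing the raw values observed would help whoever extends it.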
@@ -0,0 +1,62 @@ +# Event Dossier: Pan Firewall Traffic to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `paloalto` +* Product name: `pan-firewall-traffic` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION is null then 0 WHEN ACTION = 'allow' then 1 WHEN ACTION = 'deny' then 2 WHEN ACTION = 'drop' then 2 ELSE 99 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION is null then 0 WHEN ACTION = 'allow' then 1 WHEN ACTION = 'deny' then 2 WHEN ACTION = 'drop' then 2 ELSE 99 END``` | +| activity_id | ```CASE WHEN TYPE is null then 0 WHEN TYPE = 'TRAFFIC' then 6 ELSE 99 END``` | +| activity_name | ```CASE (CASE WHEN TYPE is null then 0 WHEN TYPE = 'TRAFFIC' then 6 ELSE 99 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.user.name | ```SOURCE_USER::VARCHAR``` | +| app_name | ```APPLICATION::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.protocol_name | ```PROTOCOL::VARCHAR``` | +| connection_info.protocol_num | ```CASE WHEN PROTOCOL = 'tcp' THEN 6 WHEN PROTOCOL = 'udp' THEN 17 WHEN PROTOCOL = 'icmp' THEN 1 ELSE -1 END``` | +| connection_info.session.expiration_reason | ```SESSION_END_REASON::VARCHAR``` | +| connection_info.session.uid | ```SESSION_ID::VARCHAR``` | +| device.name | ```DEVICE_NAME::VARCHAR``` | +| dst_endpoint.intermediate_ips | ```ARRAY_CONSTRUCT(NAT_DESTINATION_IP::VARCHAR)``` | +| dst_endpoint.ip | ```DESTINATION_ADDRESS::VARCHAR``` | +| dst_endpoint.port | 
```DESTINATION_PORT::VARCHAR``` | +| dst_endpoint.zone | ```DESTINATION_ZONE::VARCHAR``` | +| end_time | ```date_part('epoch_milliseconds', TRY_TO_TIMESTAMP_LTZ(RECEIVE_TIME,'yyyy/mm/dd hh24:mi:ss')::TIMESTAMP_LTZ)``` | +| end_time_dt | ```TRY_TO_TIMESTAMP_LTZ(RECEIVE_TIME,'yyyy/mm/dd hh24:mi:ss')::TIMESTAMP_LTZ``` | +| firewall_rule.category | ```CATEGORY::VARCHAR``` | +| firewall_rule.name | ```RULE_NAME::VARCHAR``` | +| firewall_rule.uid | ```RULE_UUID::VARCHAR``` | +| metadata.product.name | ```'pan-firewall-traffic'``` | +| metadata.product.vendor_name | ```'paloalto'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.intermediate_ips | ```ARRAY_CONSTRUCT(NAT_SOURCE_IP::VARCHAR)``` | +| src_endpoint.ip | ```SOURCE_ADDRESS::VARCHAR``` | +| src_endpoint.port | ```SOURCE_PORT::VARCHAR``` | +| src_endpoint.zone | ```SOURCE_ZONE::VARCHAR``` | +| start_time | ```date_part('epoch_milliseconds', START_TIME::TIMESTAMP_LTZ)``` | +| start_time_dt | ```START_TIME::TIMESTAMP_LTZ``` | +| time | ```date_part('epoch_milliseconds', generated_time::TIMESTAMP_LTZ)``` | +| time_dt | ```generated_time::TIMESTAMP_LTZ``` | +| traffic.bytes | ```BYTES::NUMBER``` | +| traffic.bytes_in | ```BYTES_RECEIVED::NUMBER``` | +| traffic.bytes_out | ```BYTES_SENT::NUMBER``` | +| traffic.chunks | ```SCTP_CHUNKS::NUMBER``` | +| traffic.chunks_in | ```SCTP_CHUNKS_RECEIVED::NUMBER``` | +| traffic.chunks_out | ```SCTP_CHUNKS_SENT::NUMBER``` | +| traffic.packets | ```PACKETS::NUMBER``` | +| traffic.packets_in | ```PACKETS_RECEIVED::NUMBER``` | +| traffic.packets_out | ```PACKETS_SENT::NUMBER``` | +| type_name | ```CASE (CASE WHEN ACTION is null then 400100 WHEN ACTION = 'allow' then 400101 WHEN ACTION = 'deny' then 400102 WHEN ACTION = 'drop' then 
400102 ELSE 400199 END) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```CASE WHEN ACTION is null then 400100 WHEN ACTION = 'allow' then 400101 WHEN ACTION = 'deny' then 400102 WHEN ACTION = 'drop' then 400102 ELSE 400199 END``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Pfsense/1.1.0/pfsense-filter-logs/network_activity/README.md b/mappings/markdown/Pfsense/1.1.0/pfsense-filter-logs/network_activity/README.md new file mode 100644 index 00000000..5af21ce8 --- /dev/null +++ b/mappings/markdown/Pfsense/1.1.0/pfsense-filter-logs/network_activity/README.md 
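Review bot: `type_uid` is derived from `ACTION` (allow to 400101 'Open', deny and drop to 400102 'Close') while `activity_id` is derived from `TYPE` (TRAFFIC to 6 'Traffic'), so for one and the same row `activity_name` says 'Traffic' and `type_name` says 'Open' or 'Close'. OCSF defines `type_uid` as `class_uid * 100 + activity_id`; compute it as `400100 + <the activity CASE>` the way the pan-edr-raw-logs network_activity mapping in this PR does, and let `action_id` alone carry the allow/deny distinction. Two smaller points in the same hunk: PAN-OS traffic logs also emit `reset-client`, `reset-server` and `reset-both` as ACTION values, which currently fall through to 99 'Other' rather than 2 'Denied'; and `connection_info.protocol_num` returns `-1` for an unrecognised protocol, where NULL is cleaner than a sentinel that is not a valid IP protocol number.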
@@ -0,0 +1,41 @@ +# Event Dossier: Pfsense Filter Logs to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `pfsense` +* Product name: `pfsense-filter-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN action = 'pass' THEN 1 WHEN action = 'block' THEN 2 ELSE 99 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN action = 'pass' THEN 1 WHEN action = 'block' THEN 2 ELSE 99 END``` | +| activity_id | ```0::NUMBER``` | +| activity_name | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.process.pid | ```PID::NUMBER``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.direction | ```CASE (CASE WHEN DIRECTION = 'in' THEN 1 WHEN DIRECTION = 'out' THEN 2 ELSE 99 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```CASE WHEN DIRECTION = 'in' THEN 1 WHEN DIRECTION = 'out' THEN 2 ELSE 99 END``` | +| connection_info.protocol_num | ```PROTOCOL_ID::NUMBER``` | +| connection_info.protocol_ver | ```CASE (IP_VERSION::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```IP_VERSION::NUMBER``` | +| device.interface_name | ```INTERFACE::VARCHAR``` | +| dst_endpoint.ip | ```DESTINATION_IP::VARCHAR``` | +| dst_endpoint.port | ```DESTINATION_PORT::VARCHAR``` | +| 
firewall_rule.uid | ```RULE_NUMBER::VARCHAR``` | +| metadata.product.name | ```'pfsense-filter-logs'``` | +| metadata.product.vendor_name | ```'pfsense'``` | +| metadata.version | ```'1.1.0'``` | +| src_endpoint.ip | ```SOURCE_IP::VARCHAR``` | +| src_endpoint.port | ```SOURCE_PORT::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (400100::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```400100::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Sentinel One/1.1.0/sentinelone-agents/inventory_info/README.md b/mappings/markdown/Sentinel One/1.1.0/sentinelone-agents/inventory_info/README.md new file mode 100644 index 00000000..0a61fa80 --- /dev/null +++ b/mappings/markdown/Sentinel One/1.1.0/sentinelone-agents/inventory_info/README.md 
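Review bot: `actor.process.pid` is populated from the syslog `PID`, which is the pid of the filterlog daemon that wrote the line, not of any process that generated the traffic; placing it under `actor.process` makes every pfSense packet look as though it has a known process actor and will pollute process-aware detections. Drop it or move it under `metadata`. The `action` CASE also has no null branch, so a missing action becomes 99 'Other' rather than 0 'Unknown', unlike the Palo Alto mappings in this PR that test `is null` first; the `WHEN 0 THEN 'Unknown'` label branch is therefore unreachable. Finally, `firewall_rule.uid` is `RULE_NUMBER`, which changes whenever the ruleset is reloaded; if the source also exposes pfSense's tracker id (not visible in this table, so this is a suggestion to check), that is the stable identifier to put in `uid`, with the rule number kept as a secondary attribute.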
@@ -0,0 +1,52 @@ +# Event Dossier: Sentinelone Agents to OCSF class Inventory Info + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `inventory_info` +* Vendor name: `sentinelone` +* Product name: `sentinelone-agents` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Log' WHEN 2 THEN 'Collect' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (5::NUMBER) WHEN 5 THEN 'Discovery' END``` | +| category_uid | ```5::NUMBER``` | +| class_name | ```'inventory_info'``` | +| class_uid | ```5001``` | +| device.created_time | ```date_part('epoch_milliseconds', CREATED_AT::TIMESTAMP_LTZ)``` | +| device.created_time_dt | ```CREATED_AT::TIMESTAMP_LTZ``` | +| device.domain | ```DOMAIN::VARCHAR``` | +| device.first_seen_time | ```date_part('epoch_milliseconds', REGISTERED_AT::TIMESTAMP_LTZ)``` | +| device.first_seen_time_dt | ```REGISTERED_AT::TIMESTAMP_LTZ``` | +| device.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('name', GROUP_NAME::VARCHAR))``` | +| device.hostname | ```COMPUTER_NAME::VARCHAR``` | +| device.hw_info.cpu_cores | ```RAW:coreCount::NUMBER``` | +| device.hw_info.cpu_count | ```RAW:cpuCount::NUMBER``` | +| device.hw_info.ram_size | ```RAW:totalMemory::NUMBER``` | +| device.hw_info.serial_number | ```RAW:serialNumber::VARCHAR``` | +| device.ip | ```EXTERNAL_IP::VARCHAR``` | +| device.last_seen_time | ```date_part('epoch_milliseconds', LAST_ACTIVE_DATE::TIMESTAMP_LTZ)``` | +| device.last_seen_time_dt | ```LAST_ACTIVE_DATE::TIMESTAMP_LTZ``` | +| device.modified_time | ```date_part('epoch_milliseconds', UPDATED_AT::TIMESTAMP_LTZ)``` | +| device.modified_time_dt | ```UPDATED_AT::TIMESTAMP_LTZ``` | +| device.name | ```MODEL_NAME::VARCHAR``` | +| device.network_interfaces | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('ip', 
NETWORK_INTERFACES[0].gatewayIp::VARCHAR, 'mac', NETWORK_INTERFACES[0].gatewayMacAddress::VARCHAR, 'name', NETWORK_INTERFACES[0].name::VARCHAR, 'uid', NETWORK_INTERFACES[0].id::VARCHAR))``` | +| device.os.name | ```OS_NAME::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN OS_TYPE IS NULL THEN 0 WHEN OS_TYPE = 'windows' THEN 100 WHEN OS_TYPE = 'linux' THEN 200 WHEN OS_TYPE = 'macos' THEN 300 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN OS_TYPE IS NULL THEN 0 WHEN OS_TYPE = 'windows' THEN 100 WHEN OS_TYPE = 'linux' THEN 200 WHEN OS_TYPE = 'macos' THEN 300 ELSE 99 END::NUMBER``` | +| device.type | ```CASE (CASE WHEN MACHINE_TYPE IS NULL THEN 0 WHEN MACHINE_TYPE = 'server' THEN 1 WHEN MACHINE_TYPE = 'desktop' THEN 2 WHEN MACHINE_TYPE = 'laptop' THEN 3 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| device.type_id | ```CASE WHEN MACHINE_TYPE IS NULL THEN 0 WHEN MACHINE_TYPE = 'server' THEN 1 WHEN MACHINE_TYPE = 'desktop' THEN 2 WHEN MACHINE_TYPE = 'laptop' THEN 3 ELSE 99 END::NUMBER``` | +| device.uid | ```UUID::VARCHAR``` | +| device.uid_alt | ```ID::VARCHAR``` | +| metadata.product.name | ```'sentinelone-agents'``` | +| metadata.product.vendor_name | ```'sentinelone'``` | +| metadata.version | ```'1.1.0'``` | +| time | ```date_part('epoch_milliseconds', last_active_date::TIMESTAMP_LTZ)``` | +| time_dt | ```last_active_date::TIMESTAMP_LTZ``` | +| type_name | ```CASE (500101::NUMBER) WHEN 500100 THEN 'Device Inventory 
Info: Unknown' WHEN 500101 THEN 'Device Inventory Info: Log' WHEN 500102 THEN 'Device Inventory Info: Collect' WHEN 500199 THEN 'Device Inventory Info: Other' END``` | +| type_uid | ```500101::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/file_activity/README.md b/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/file_activity/README.md new file mode 100644 index 00000000..5f7f685c --- /dev/null +++ b/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/file_activity/README.md 
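Review bot: in `device.network_interfaces` of the sentinelone-agents inventory_info dossier, `ip` and `mac` are taken from `NETWORK_INTERFACES[0].gatewayIp` and `NETWORK_INTERFACES[0].gatewayMacAddress`, which describe the interface's default gateway rather than the interface itself, so an analyst pivoting on `device.network_interfaces[].mac` gets the router's address instead of the host's. If the raw record carries the interface's own addresses, map those, and consider building the array over every element of `NETWORK_INTERFACES` instead of only index 0, since a multi-homed host loses all other interfaces. Related, in the same hunk: `device.ip` is filled from `EXTERNAL_IP`, the egress address seen by the console, which is shared by every host behind the same NAT and is not the device's address; and `device.name` is set from `MODEL_NAME` while `device.hostname` already carries `COMPUTER_NAME`, so `device.name` ends up holding a hardware model string rather than a name for the device.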
@@ -0,0 +1,53 @@ +# Event Dossier: Sentinelone Raw Events V2 to OCSF class File Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `file_activity` +* Vendor name: `sentinelone` +* Product name: `sentinelone-raw-events-v2` +* Event codes: `EVENT_TYPE IN ('File Creation', 'File Deletion', 'File Modification', 'File Rename')` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```0::NUMBER``` | +| activity_id | ```CASE WHEN EVENT_TYPE IS NULL THEN 0 WHEN EVENT_TYPE = 'File Creation' THEN 1 WHEN EVENT_TYPE = 'File Modification' THEN 3 WHEN EVENT_TYPE = 'File Deletion' THEN 4 WHEN EVENT_TYPE = 'File Rename' THEN 5 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN EVENT_TYPE IS NULL THEN 0 WHEN EVENT_TYPE = 'File Creation' THEN 1 WHEN EVENT_TYPE = 'File Modification' THEN 3 WHEN EVENT_TYPE = 'File Deletion' THEN 4 WHEN EVENT_TYPE = 'File Rename' THEN 5 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Create' WHEN 10 THEN 'Encrypt' WHEN 11 THEN 'Decrypt' WHEN 12 THEN 'Mount' WHEN 13 THEN 'Unmount' WHEN 14 THEN 'Open' WHEN 2 THEN 'Read' WHEN 3 THEN 'Update' WHEN 4 THEN 'Delete' WHEN 5 THEN 'Rename' WHEN 6 THEN 'Set Attributes' WHEN 7 THEN 'Set Security' WHEN 8 THEN 'Get Attributes' WHEN 9 THEN 'Get Security' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```SRC_PROCESS_CMDLINE::VARCHAR``` | +| actor.process.container.image.path | ```SRC_PROCESS_IMAGE_PATH::VARCHAR``` | +| actor.process.created_time | ```date_part('epoch_milliseconds', SRC_PROCESS_START_TIME::TIMESTAMP_LTZ)``` | +| actor.process.created_time_dt | ```SRC_PROCESS_START_TIME::TIMESTAMP_LTZ``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (IFF(SRC_PROCESS_IMAGE_SHA256 IS NULL, 0, 3)::NUMBER) WHEN 0 THEN 'Unknown' 
WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', IFF(SRC_PROCESS_IMAGE_SHA256 IS NULL, 0, 3)::NUMBER))``` | +| actor.process.name | ```SRC_PROCESS_NAME::VARCHAR``` | +| actor.process.parent_process.cmd_line | ```SRC_PROCESS_PARENT_CMDLINE::VARCHAR``` | +| actor.process.parent_process.created_time | ```date_part('epoch_milliseconds', SRC_PROCESS_PARENT_START_TIME::TIMESTAMP_LTZ)``` | +| actor.process.parent_process.created_time_dt | ```SRC_PROCESS_PARENT_START_TIME::TIMESTAMP_LTZ``` | +| actor.process.parent_process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (IFF(SRC_PROCESS_PARENT_IMAGE_SHA256 IS NULL, 0, 3)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', IFF(SRC_PROCESS_PARENT_IMAGE_SHA256 IS NULL, 0, 3)::NUMBER, 'value', SRC_PROCESS_PARENT_IMAGE_SHA256::VARCHAR))``` | +| actor.process.parent_process.name | ```SRC_PROCESS_PARENT_NAME::VARCHAR``` | +| actor.process.parent_process.pid | ```SRC_PROCESS_PARENT_PID::NUMBER``` | +| actor.process.parent_process.uid | ```SRC_PROCESS_PARENT_UID::VARCHAR``` | +| actor.process.pid | ```SRC_PROCESS_PID::NUMBER``` | +| actor.process.uid | ```SRC_PROCESS_UID::VARCHAR``` | +| actor.process.user.name | ```SRC_PROCESS_USER_NAME::VARCHAR``` | +| actor.session.uid | ```LOGIN_USER_SID::VARCHAR``` | +| actor.user.name | ```LOGIN_USER_NAME::VARCHAR``` | +| class_name | ```'file_activity'``` | +| class_uid | ```1001``` | +| device.hostname | ```COMPUTER_NAME::VARCHAR``` | +| device.ip | ```SRC_IP_ADDRESS::VARCHAR``` | +| device.os.name | ```OS_NAME::VARCHAR``` | +| device.os.type | ```CASE (CASE OS_FAMILY WHEN 'linux' THEN 200 WHEN 'windows' THEN 100 WHEN 'osx' THEN 300 WHEN null THEN 0 ELSE 99 
END) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE OS_FAMILY WHEN 'linux' THEN 200 WHEN 'windows' THEN 100 WHEN 'osx' THEN 300 WHEN null THEN 0 ELSE 99 END``` | +| file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (IFF(TGT_FILE_SHA256 IS NULL, 0, 3)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', IFF(TGT_FILE_SHA256 IS NULL, 0, 3)::NUMBER, 'value', TGT_FILE_SHA256::VARCHAR))``` | +| file.path | ```TGT_FILE_PATH::VARCHAR``` | +| metadata.event_code | ```event_type``` | +| metadata.product.name | ```'sentinelone-raw-events-v2'``` | +| metadata.product.vendor_name | ```'sentinelone'``` | +| metadata.version | ```'1.1.0'``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((100100 + (CASE WHEN EVENT_TYPE IS NULL THEN 0 WHEN EVENT_TYPE = 'File Creation' THEN 1 WHEN EVENT_TYPE = 'File Modification' THEN 3 WHEN EVENT_TYPE = 'File Deletion' THEN 4 WHEN EVENT_TYPE = 'File Rename' THEN 5 ELSE 99 END))::NUMBER) WHEN 100100 THEN 'File System Activity: Unknown' WHEN 100101 THEN 'File System Activity: Create' WHEN 100102 THEN 'File System Activity: Read' WHEN 100103 THEN 'File System Activity: Update' WHEN 100104 THEN 'File System Activity: Delete' WHEN 100105 THEN 'File System Activity: Rename' WHEN 100106 THEN 'File System Activity: Set Attributes' WHEN 100107 THEN 'File System Activity: Set Security' WHEN 100108 THEN 'File System Activity: Get Attributes' WHEN 100109 THEN 'File System Activity: Get Security' WHEN 100110 
THEN 'File System Activity: Encrypt' WHEN 100111 THEN 'File System Activity: Decrypt' WHEN 100112 THEN 'File System Activity: Mount' WHEN 100113 THEN 'File System Activity: Unmount' WHEN 100114 THEN 'File System Activity: Open' WHEN 100199 THEN 'File System Activity: Other' END``` | +| type_uid | ```(100100 + (CASE WHEN EVENT_TYPE IS NULL THEN 0 WHEN EVENT_TYPE = 'File Creation' THEN 1 WHEN EVENT_TYPE = 'File Modification' THEN 3 WHEN EVENT_TYPE = 'File Deletion' THEN 4 WHEN EVENT_TYPE = 'File Rename' THEN 5 ELSE 99 END))::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/network_activity/README.md b/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/network_activity/README.md new file mode 100644 index 00000000..67313213 --- /dev/null +++ b/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/network_activity/README.md 
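Review bot: in the file_activity dossier, `actor.process.file.hashes` builds its object with `'algorithm'` and `'algorithm_id'` only and never sets `'value'`, so the acting process's SHA-256 is dropped even though `SRC_PROCESS_IMAGE_SHA256` is consulted to pick the algorithm; compare `actor.process.parent_process.file.hashes` in the same table, which does include `'value', SRC_PROCESS_PARENT_IMAGE_SHA256::VARCHAR`. Two more points in this hunk: `SRC_PROCESS_IMAGE_PATH` is mapped to `actor.process.container.image.path`, a container-image attribute, where the process_activity and registry dossiers map the same column to `process.file.path` / `actor.process.file.path`; and `device.os.type_id` uses the simple-CASE form `CASE OS_FAMILY WHEN 'linux' THEN 200 ... WHEN null THEN 0 ELSE 99 END`, in which `WHEN null` can never match (equality against NULL is not true), so a missing OS_FAMILY yields 99 'Other' instead of 0 'Unknown'; the `CASE WHEN OS_FAMILY IS NULL THEN 0 ...` form used by the other dossiers handles it. The table also has no `category_uid`/`category_name` rows, which every other dossier in this patch carries.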
@@ -0,0 +1,60 @@ +# Event Dossier: Sentinelone Raw Events V2 to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `sentinelone` +* Product name: `sentinelone-raw-events-v2` +* Event codes: `EVENT_TYPE IN ('IP Listen', 'IP Connect')` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```99::NUMBER``` | +| activity_name | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```SRC_PROCESS_CMDLINE::VARCHAR``` | +| actor.process.container.image.path | ```SRC_PROCESS_IMAGE_PATH::VARCHAR``` | +| actor.process.created_time | ```date_part('epoch_milliseconds', SRC_PROCESS_START_TIME::TIMESTAMP_LTZ)``` | +| actor.process.created_time_dt | ```SRC_PROCESS_START_TIME::TIMESTAMP_LTZ``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (IFF(SRC_PROCESS_IMAGE_SHA256 IS NULL, 0, 3)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', IFF(SRC_PROCESS_IMAGE_SHA256 IS NULL, 0, 3)::NUMBER, 'value', SRC_PROCESS_IMAGE_SHA256::VARCHAR))``` | +| actor.process.parent_process.cmd_line | ```SRC_PROCESS_PARENT_CMDLINE::VARCHAR``` | +| actor.process.parent_process.created_time | ```date_part('epoch_milliseconds', SRC_PROCESS_PARENT_START_TIME::TIMESTAMP_LTZ)``` | +| actor.process.parent_process.created_time_dt | ```SRC_PROCESS_PARENT_START_TIME::TIMESTAMP_LTZ``` | +| actor.process.parent_process.file.hashes | 
```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (IFF(SRC_PROCESS_PARENT_IMAGE_SHA256 IS NULL, 0, 3)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', IFF(SRC_PROCESS_PARENT_IMAGE_SHA256 IS NULL, 0, 3)::NUMBER, 'value', SRC_PROCESS_PARENT_IMAGE_SHA256::VARCHAR))``` | +| actor.process.parent_process.name | ```SRC_PROCESS_PARENT_NAME::VARCHAR``` | +| actor.process.parent_process.pid | ```SRC_PROCESS_PARENT_PID::NUMBER``` | +| actor.process.parent_process.uid | ```SRC_PROCESS_PARENT_UID::VARCHAR``` | +| actor.process.pid | ```SRC_PROCESS_PID::NUMBER``` | +| actor.process.uid | ```SRC_PROCESS_UID::VARCHAR``` | +| actor.process.user.name | ```SRC_PROCESS_USER_NAME::VARCHAR``` | +| actor.session.uid | ```LOGIN_USER_SID::VARCHAR``` | +| actor.user.name | ```LOGIN_USER_NAME::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.direction | ```CASE (CASE WHEN DIRECTION IS NULL THEN 0 WHEN DIRECTION = 'INCOMING' THEN 1 WHEN DIRECTION = 'OUTGOING' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```CASE WHEN DIRECTION IS NULL THEN 0 WHEN DIRECTION = 'INCOMING' THEN 1 WHEN DIRECTION = 'OUTGOING' THEN 2 ELSE 99 END::NUMBER``` | +| connection_info.protocol_name | ```RAW:"event.network.protocolName"::VARCHAR``` | +| device.name | ```COMPUTER_NAME::VARCHAR``` | +| device.os.name | ```OS_NAME::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN OS_FAMILY IS NULL THEN 0 WHEN OS_FAMILY = 'windows' THEN 100 WHEN OS_FAMILY = 'linux' THEN 200 WHEN OS_FAMILY = 'osx' THEN 300 ELSE 99 END::NUMBER) WHEN 0 THEN 
'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN OS_FAMILY IS NULL THEN 0 WHEN OS_FAMILY = 'windows' THEN 100 WHEN OS_FAMILY = 'linux' THEN 200 WHEN OS_FAMILY = 'osx' THEN 300 ELSE 99 END::NUMBER``` | +| dst_endpoint.ip | ```DST_IP_ADDRESS::VARCHAR``` | +| dst_endpoint.port | ```DST_PORT_NUMBER::VARCHAR``` | +| metadata.event_code | ```event_type``` | +| metadata.product.name | ```'sentinelone-raw-events-v2'``` | +| metadata.product.vendor_name | ```'sentinelone'``` | +| metadata.version | ```'1.1.0'``` | +| src_endpoint.ip | ```SRC_IP_ADDRESS::VARCHAR``` | +| src_endpoint.port | ```SRC_PORT_NUMBER::VARCHAR``` | +| status | ```CASE (CASE WHEN RAW:"event.network.connectionStatus"::VARCHAR IS NULL THEN 0 WHEN RAW:"event.network.connectionStatus"::VARCHAR = 'SUCCESS' THEN 1 WHEN RAW:"event.network.connectionStatus"::VARCHAR = 'FAILURE' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN RAW:"event.network.connectionStatus"::VARCHAR IS NULL THEN 0 WHEN RAW:"event.network.connectionStatus"::VARCHAR = 'SUCCESS' THEN 1 WHEN RAW:"event.network.connectionStatus"::VARCHAR = 'FAILURE' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (400199::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | 
+| type_uid | ```400199::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/process_activity/README.md b/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/process_activity/README.md new file mode 100644 index 00000000..c3c159c5 --- /dev/null +++ b/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/process_activity/README.md 
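Review bot: `src_endpoint.port` and `dst_endpoint.port` in the network_activity dossier are cast `::VARCHAR` (`DST_PORT_NUMBER::VARCHAR`, `SRC_PORT_NUMBER::VARCHAR`), producing string ports where OCSF port attributes are integers and where the same table casts `SRC_PROCESS_PID::NUMBER`; cast them to `::NUMBER`. Also, `activity_id` is fixed at `99` and `type_uid` at `400199` ('Network Activity: Other') although the event-code filter already separates `'IP Connect'` from `'IP Listen'` and `RAW:"event.network.connectionStatus"` carries SUCCESS/FAILURE, so at least `'IP Connect'` could be mapped onto the enumeration the table itself lists (`Open`, `Fail`) and `type_uid` derived as `400100 + activity_id` the way the file_activity dossier does. Minor: this dossier puts `COMPUTER_NAME` in `device.name` while file_activity puts it in `device.hostname`; pick one so device joins across classes line up.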
@@ -0,0 +1,55 @@ +# Event Dossier: Sentinelone Raw Events V2 to OCSF class Process Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `process_activity` +* Vendor name: `sentinelone` +* Product name: `sentinelone-raw-events-v2` +* Event codes: `event_type = 'Process Creation'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```1::NUMBER``` | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Launch' WHEN 2 THEN 'Terminate' WHEN 3 THEN 'Open' WHEN 4 THEN 'Inject' WHEN 5 THEN 'Set User ID' WHEN 99 THEN 'Other' END``` | +| actor.session.uid | ```LOGIN_USER_SID::VARCHAR``` | +| actor.user.name | ```LOGIN_USER_NAME::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'process_activity'``` | +| class_uid | ```1007``` | +| device.name | ```COMPUTER_NAME::VARCHAR``` | +| device.os.name | ```OS_NAME::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN OS_FAMILY = 'windows' THEN 100 WHEN OS_FAMILY = 'linux' THEN 200 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN OS_FAMILY = 'windows' THEN 100 WHEN OS_FAMILY = 'linux' THEN 200 ELSE 99 END::NUMBER``` | +| device.uid | ```AGENT_UUID::VARCHAR``` | +| metadata.event_code | ```event_type``` | +| metadata.product.name | ```'sentinelone-raw-events-v2'``` | +| metadata.product.vendor_name | ```'sentinelone'``` | +| metadata.version | ```'1.1.0'``` | +| process.cmd_line | 
```SRC_PROCESS_CMDLINE::VARCHAR``` | +| process.created_time | ```date_part('epoch_milliseconds', SRC_PROCESS_START_TIME::TIMESTAMP_LTZ)``` | +| process.created_time_dt | ```SRC_PROCESS_START_TIME::TIMESTAMP_LTZ``` | +| process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (iff(SRC_PROCESS_IMAGE_SHA256 is NULL, 0, 3)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', iff(SRC_PROCESS_IMAGE_SHA256 is NULL, 0, 3)::NUMBER, 'value', iff(SRC_PROCESS_IMAGE_SHA256 is NULL, NULL, SRC_PROCESS_IMAGE_SHA256)::VARCHAR))``` | +| process.file.path | ```SRC_PROCESS_IMAGE_PATH::VARCHAR``` | +| process.name | ```SRC_PROCESS_NAME::VARCHAR``` | +| process.parent_process.cmd_line | ```SRC_PROCESS_PARENT_CMDLINE::VARCHAR``` | +| process.parent_process.created_time | ```date_part('epoch_milliseconds', SRC_PROCESS_PARENT_START_TIME::TIMESTAMP_LTZ)``` | +| process.parent_process.created_time_dt | ```SRC_PROCESS_PARENT_START_TIME::TIMESTAMP_LTZ``` | +| process.parent_process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (iff(SRC_PROCESS_PARENT_IMAGE_SHA256 is NULL, 0, 3)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', iff(SRC_PROCESS_PARENT_IMAGE_SHA256 is NULL, 0, 3)::NUMBER, 'value', iff(SRC_PROCESS_PARENT_IMAGE_SHA256 is NULL, NULL, SRC_PROCESS_PARENT_IMAGE_SHA256)::VARCHAR))``` | +| process.parent_process.name | ```SRC_PROCESS_PARENT_NAME::VARCHAR``` | +| process.parent_process.pid | ```SRC_PROCESS_PARENT_PID::NUMBER``` | +| process.parent_process.uid | ```SRC_PROCESS_PARENT_UID::VARCHAR``` | +| process.pid | ```SRC_PROCESS_PID::NUMBER``` | +| process.uid | ```SRC_PROCESS_UID::VARCHAR``` | 
+| process.user.name | ```SRC_PROCESS_USER_NAME::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (100799::NUMBER) WHEN 100700 THEN 'Process Activity: Unknown' WHEN 100701 THEN 'Process Activity: Launch' WHEN 100702 THEN 'Process Activity: Terminate' WHEN 100703 THEN 'Process Activity: Open' WHEN 100704 THEN 'Process Activity: Inject' WHEN 100705 THEN 'Process Activity: Set User ID' WHEN 100799 THEN 'Process Activity: Other' END``` | +| type_uid | ```100799::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/registry_key_activity/README.md b/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/registry_key_activity/README.md new file mode 100644 index 00000000..97925ba4 --- /dev/null +++ b/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/registry_key_activity/README.md 
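Review bot: in the process_activity dossier, `type_uid` is fixed at `100799` and `type_name` resolves to 'Process Activity: Other' while `activity_id` is `1` ('Launch') and the event code is `'Process Creation'`; these must agree, so `type_uid` should be `100701` (class_uid 1007 × 100 + activity_id) and `type_name` 'Process Activity: Launch'. Also, `device.os.type_id` (`CASE WHEN OS_FAMILY = 'windows' THEN 100 WHEN OS_FAMILY = 'linux' THEN 200 ELSE 99 END`) has neither an `'osx'` → 300 branch nor a NULL branch, unlike the file_activity and network_activity dossiers in this patch, so macOS process creations are classed 'Other' and a missing OS_FAMILY becomes 'Other' instead of 'Unknown'.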
@@ -0,0 +1,57 @@ +# Event Dossier: Sentinelone Raw Events V2 to OCSF class Win/registry Key Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `registry_key_activity` +* Vendor name: `sentinelone` +* Product name: `sentinelone-raw-events-v2` +* Event codes: `EVENT_TYPE ILIKE '%Registry Key%'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```CASE WHEN EVENT_TYPE IS NULL THEN 0 WHEN EVENT_TYPE = 'Registry Key Create' THEN 1 WHEN EVENT_TYPE = 'Registry Key Security Changed' THEN 3 WHEN EVENT_TYPE = 'Registry Key Delete' THEN 4 WHEN EVENT_TYPE = 'Registry Key Rename' THEN 5 WHEN EVENT_TYPE = 'Registry Key Export' THEN 9 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN EVENT_TYPE IS NULL THEN 0 WHEN EVENT_TYPE = 'Registry Key Create' THEN 1 WHEN EVENT_TYPE = 'Registry Key Security Changed' THEN 3 WHEN EVENT_TYPE = 'Registry Key Delete' THEN 4 WHEN EVENT_TYPE = 'Registry Key Rename' THEN 5 WHEN EVENT_TYPE = 'Registry Key Export' THEN 9 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Create' WHEN 2 THEN 'Read' WHEN 3 THEN 'Modify' WHEN 4 THEN 'Delete' WHEN 5 THEN 'Rename' WHEN 6 THEN 'Set Security' WHEN 7 THEN 'Restore' WHEN 8 THEN 'Import' WHEN 9 THEN 'Export' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```SRC_PROCESS_CMDLINE::VARCHAR``` | +| actor.process.created_time | ```date_part('epoch_milliseconds', SRC_PROCESS_START_TIME::TIMESTAMP_LTZ)``` | +| actor.process.created_time_dt | ```SRC_PROCESS_START_TIME::TIMESTAMP_LTZ``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (iff(SRC_PROCESS_IMAGE_SHA256 is NULL, 0, 3)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' 
WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', iff(SRC_PROCESS_IMAGE_SHA256 is NULL, 0, 3)::NUMBER, 'value', iff(SRC_PROCESS_IMAGE_SHA256 is NULL, NULL, SRC_PROCESS_IMAGE_SHA256)::VARCHAR))``` | +| actor.process.file.path | ```SRC_PROCESS_IMAGE_PATH::VARCHAR``` | +| actor.process.name | ```SRC_PROCESS_NAME::VARCHAR``` | +| actor.process.parent_process.cmd_line | ```SRC_PROCESS_PARENT_CMDLINE::VARCHAR``` | +| actor.process.parent_process.created_time | ```date_part('epoch_milliseconds', SRC_PROCESS_PARENT_START_TIME::TIMESTAMP_LTZ)``` | +| actor.process.parent_process.created_time_dt | ```SRC_PROCESS_PARENT_START_TIME::TIMESTAMP_LTZ``` | +| actor.process.parent_process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (iff(SRC_PROCESS_PARENT_IMAGE_SHA256 is NULL, 0, 3)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', iff(SRC_PROCESS_PARENT_IMAGE_SHA256 is NULL, 0, 3)::NUMBER, 'value', iff(SRC_PROCESS_PARENT_IMAGE_SHA256 is NULL, NULL, SRC_PROCESS_PARENT_IMAGE_SHA256)::VARCHAR))``` | +| actor.process.parent_process.name | ```SRC_PROCESS_PARENT_NAME::VARCHAR``` | +| actor.process.parent_process.pid | ```SRC_PROCESS_PARENT_PID::NUMBER``` | +| actor.process.parent_process.uid | ```SRC_PROCESS_PARENT_UID::VARCHAR``` | +| actor.process.pid | ```SRC_PROCESS_PID::NUMBER``` | +| actor.process.uid | ```SRC_PROCESS_UID::VARCHAR``` | +| actor.process.user.name | ```SRC_PROCESS_USER_NAME::VARCHAR``` | +| actor.session.uid | ```LOGIN_USER_SID::VARCHAR``` | +| actor.user.name | ```LOGIN_USER_NAME::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'win/registry_key_activity'``` | +| class_uid | ```201001``` | +| device.groups | 
```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('uid', GET(RAW, 'group.id')::VARCHAR))``` | +| device.name | ```COMPUTER_NAME::VARCHAR``` | +| device.os.name | ```OS_NAME::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN OS_FAMILY IS NULL THEN 0 WHEN OS_FAMILY = 'windows' THEN 100 WHEN OS_FAMILY = 'linux' THEN 200 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN OS_FAMILY IS NULL THEN 0 WHEN OS_FAMILY = 'windows' THEN 100 WHEN OS_FAMILY = 'linux' THEN 200 ELSE 99 END::NUMBER``` | +| device.uid | ```AGENT_UUID::VARCHAR``` | +| metadata.event_code | ```event_type``` | +| metadata.product.name | ```'sentinelone-raw-events-v2'``` | +| metadata.product.vendor_name | ```'sentinelone'``` | +| metadata.version | ```'1.1.0'``` | +| reg_key.path | ```GET(RAW, 'registry.keyPath')::VARCHAR``` | +| severity | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```99::NUMBER``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE WHEN EVENT_TYPE IS NULL THEN 20100100 WHEN EVENT_TYPE = 'Registry Key Create' THEN 20100101 WHEN EVENT_TYPE = 'Registry Key Security Changed' THEN 20100103 WHEN EVENT_TYPE = 'Registry Key Delete' THEN 20100104 WHEN EVENT_TYPE = 'Registry Key Rename' THEN 20100105 WHEN EVENT_TYPE = 'Registry Key Export' THEN 20100109 ELSE 20100199 END::NUMBER) WHEN 20100100 THEN 'Registry Key Activity: Unknown' WHEN 20100101 THEN 'Registry Key Activity: Create' WHEN 20100102 THEN 'Registry Key Activity: Read' WHEN 
20100103 THEN 'Registry Key Activity: Modify' WHEN 20100104 THEN 'Registry Key Activity: Delete' WHEN 20100105 THEN 'Registry Key Activity: Rename' WHEN 20100106 THEN 'Registry Key Activity: Set Security' WHEN 20100107 THEN 'Registry Key Activity: Restore' WHEN 20100108 THEN 'Registry Key Activity: Import' WHEN 20100109 THEN 'Registry Key Activity: Export' WHEN 20100199 THEN 'Registry Key Activity: Other' END``` | +| type_uid | ```CASE WHEN EVENT_TYPE IS NULL THEN 20100100 WHEN EVENT_TYPE = 'Registry Key Create' THEN 20100101 WHEN EVENT_TYPE = 'Registry Key Security Changed' THEN 20100103 WHEN EVENT_TYPE = 'Registry Key Delete' THEN 20100104 WHEN EVENT_TYPE = 'Registry Key Rename' THEN 20100105 WHEN EVENT_TYPE = 'Registry Key Export' THEN 20100109 ELSE 20100199 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/registry_value_activity/README.md b/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/registry_value_activity/README.md new file mode 100644 index 00000000..a95ea50e --- /dev/null +++ b/mappings/markdown/Sentinel One/1.1.0/sentinelone-raw-events-v2/registry_value_activity/README.md 
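Review bot: in the registry_key_activity dossier, `'Registry Key Security Changed'` is mapped to activity_id `3` ('Modify') and type_uid `20100103` even though the enumeration in the same table has `6` 'Set Security' / `20100106` 'Registry Key Activity: Set Security', which is the exact match; a detection watching for ACL changes on run keys would miss these events under 'Modify'. Also, `activity_id` and `type_uid` carry two independent copies of the EVENT_TYPE → code CASE; deriving `type_uid` as `20100100 + activity_id` (as the file_activity dossier does) keeps them from drifting apart when one is edited.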
@@ -0,0 +1,64 @@ +# Event Dossier: Sentinelone Raw Events V2 to OCSF class Win/registry Value Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `registry_value_activity` +* Vendor name: `sentinelone` +* Product name: `sentinelone-raw-events-v2` +* Event codes: `EVENT_TYPE ILIKE '%Registry Value%'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```CASE WHEN EVENT_TYPE IS NULL THEN 0 WHEN EVENT_TYPE = 'Registry Value Modified' THEN 3 WHEN EVENT_TYPE = 'Registry Value Delete' THEN 4 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN EVENT_TYPE IS NULL THEN 0 WHEN EVENT_TYPE = 'Registry Value Modified' THEN 3 WHEN EVENT_TYPE = 'Registry Value Delete' THEN 4 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Get' WHEN 2 THEN 'Set' WHEN 3 THEN 'Modify' WHEN 4 THEN 'Delete' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```SRC_PROCESS_CMDLINE::VARCHAR``` | +| actor.process.created_time | ```date_part('epoch_milliseconds', SRC_PROCESS_START_TIME::TIMESTAMP_LTZ)``` | +| actor.process.created_time_dt | ```SRC_PROCESS_START_TIME::TIMESTAMP_LTZ``` | +| actor.process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (iff(SRC_PROCESS_IMAGE_SHA256 is NULL, 0, 3)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', iff(SRC_PROCESS_IMAGE_SHA256 is NULL, 0, 3)::NUMBER, 'value', iff(SRC_PROCESS_IMAGE_SHA256 is NULL, NULL, SRC_PROCESS_IMAGE_SHA256)::VARCHAR))``` | +| actor.process.file.path | ```SRC_PROCESS_IMAGE_PATH::VARCHAR``` | +| actor.process.name | ```SRC_PROCESS_NAME::VARCHAR``` | +| 
actor.process.parent_process.cmd_line | ```SRC_PROCESS_PARENT_CMDLINE::VARCHAR``` | +| actor.process.parent_process.file.created_time | ```date_part('epoch_milliseconds', SRC_PROCESS_PARENT_START_TIME::TIMESTAMP_LTZ)``` | +| actor.process.parent_process.file.created_time_dt | ```SRC_PROCESS_PARENT_START_TIME::TIMESTAMP_LTZ``` | +| actor.process.parent_process.file.hashes | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('algorithm', CASE (iff(SRC_PROCESS_PARENT_IMAGE_SHA256 is NULL, 0, 3)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'MD5' WHEN 2 THEN 'SHA-1' WHEN 3 THEN 'SHA-256' WHEN 4 THEN 'SHA-512' WHEN 5 THEN 'CTPH' WHEN 6 THEN 'TLSH' WHEN 7 THEN 'quickXorHash' WHEN 99 THEN 'Other' END, 'algorithm_id', iff(SRC_PROCESS_PARENT_IMAGE_SHA256 is NULL, 0, 3)::NUMBER, 'value', iff(SRC_PROCESS_PARENT_IMAGE_SHA256 is NULL, NULL, SRC_PROCESS_PARENT_IMAGE_SHA256)::VARCHAR))``` | +| actor.process.parent_process.name | ```SRC_PROCESS_PARENT_NAME::VARCHAR``` | +| actor.process.parent_process.pid | ```SRC_PROCESS_PARENT_PID::NUMBER``` | +| actor.process.parent_process.uid | ```SRC_PROCESS_PARENT_UID::VARCHAR``` | +| actor.process.pid | ```SRC_PROCESS_PID::NUMBER``` | +| actor.process.uid | ```SRC_PROCESS_UID::VARCHAR``` | +| actor.process.user.name | ```SRC_PROCESS_USER_NAME::VARCHAR``` | +| actor.session.uid | ```LOGIN_USER_SID::VARCHAR``` | +| actor.user.name | ```LOGIN_USER_NAME::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'win/registry_value_activity'``` | +| class_uid | ```201002``` | +| device.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('uid', GET(RAW, 'group.id')::VARCHAR))``` | +| device.name | ```COMPUTER_NAME::VARCHAR``` | +| device.os.name | ```OS_NAME::VARCHAR``` | +| device.os.type | ```CASE (CASE WHEN OS_FAMILY IS NULL THEN 0 WHEN OS_FAMILY = 'windows' THEN 100 WHEN OS_FAMILY = 'linux' THEN 200 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 100 THEN 
'Windows' WHEN 101 THEN 'Windows Mobile' WHEN 200 THEN 'Linux' WHEN 201 THEN 'Android' WHEN 300 THEN 'macOS' WHEN 301 THEN 'iOS' WHEN 302 THEN 'iPadOS' WHEN 400 THEN 'Solaris' WHEN 401 THEN 'AIX' WHEN 402 THEN 'HP-UX' WHEN 99 THEN 'Other' END``` | +| device.os.type_id | ```CASE WHEN OS_FAMILY IS NULL THEN 0 WHEN OS_FAMILY = 'windows' THEN 100 WHEN OS_FAMILY = 'linux' THEN 200 ELSE 99 END::NUMBER``` | +| device.uid | ```AGENT_UUID::VARCHAR``` | +| metadata.event_code | ```event_type``` | +| metadata.product.name | ```'sentinelone-raw-events-v2'``` | +| metadata.product.vendor_name | ```'sentinelone'``` | +| metadata.version | ```'1.1.0'``` | +| prev_reg_value.name | ```''::VARCHAR``` | +| prev_reg_value.path | ```GET(RAW, 'registry.keyPath')::VARCHAR``` | +| prev_reg_value.type | ```CASE (CASE WHEN GET(RAW, 'registry.oldValueType') is NULL THEN 0 WHEN GET(RAW, 'registry.oldValueType') = 'BINARY' THEN 1 WHEN GET(RAW, 'registry.oldValueType') = 'DWORD' THEN 2 WHEN GET(RAW, 'registry.oldValueType') = 'LINK' THEN 5 WHEN GET(RAW, 'registry.oldValueType') = 'MULTI_SZ' THEN 6 WHEN GET(RAW, 'registry.oldValueType') = 'QWORD' THEN 8 WHEN GET(RAW, 'registry.oldValueType') = 'SZ' THEN 10 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'REG_BINARY' WHEN 10 THEN 'REG_SZ' WHEN 2 THEN 'REG_DWORD' WHEN 3 THEN 'REG_DWORD_BIG_ENDIAN' WHEN 4 THEN 'REG_EXPAND_SZ' WHEN 5 THEN 'REG_LINK' WHEN 6 THEN 'REG_MULTI_SZ' WHEN 7 THEN 'REG_NONE' WHEN 8 THEN 'REG_QWORD' WHEN 9 THEN 'REG_QWORD_LITTLE_ENDIAN' WHEN 99 THEN 'Other' END``` | +| prev_reg_value.type_id | ```CASE WHEN GET(RAW, 'registry.oldValueType') is NULL THEN 0 WHEN GET(RAW, 'registry.oldValueType') = 'BINARY' THEN 1 WHEN GET(RAW, 'registry.oldValueType') = 'DWORD' THEN 2 WHEN GET(RAW, 'registry.oldValueType') = 'LINK' THEN 5 WHEN GET(RAW, 'registry.oldValueType') = 'MULTI_SZ' THEN 6 WHEN GET(RAW, 'registry.oldValueType') = 'QWORD' THEN 8 WHEN GET(RAW, 'registry.oldValueType') = 'SZ' THEN 10 ELSE 99 END::NUMBER``` | +| 
reg_value.name | ```''::VARCHAR``` | +| reg_value.path | ```GET(RAW, 'registry.keyPath')::VARCHAR``` | +| reg_value.type | ```CASE (CASE WHEN GET(RAW, 'registry.valueType') is NULL THEN 0 WHEN GET(RAW, 'registry.valueType') = 'BINARY' THEN 1 WHEN GET(RAW, 'registry.valueType') = 'DWORD' THEN 2 WHEN GET(RAW, 'registry.valueType') = 'LINK' THEN 5 WHEN GET(RAW, 'registry.valueType') = 'MULTI_SZ' THEN 6 WHEN GET(RAW, 'registry.valueType') = 'QWORD' THEN 8 WHEN GET(RAW, 'registry.valueType') = 'SZ' THEN 10 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'REG_BINARY' WHEN 10 THEN 'REG_SZ' WHEN 2 THEN 'REG_DWORD' WHEN 3 THEN 'REG_DWORD_BIG_ENDIAN' WHEN 4 THEN 'REG_EXPAND_SZ' WHEN 5 THEN 'REG_LINK' WHEN 6 THEN 'REG_MULTI_SZ' WHEN 7 THEN 'REG_NONE' WHEN 8 THEN 'REG_QWORD' WHEN 9 THEN 'REG_QWORD_LITTLE_ENDIAN' WHEN 99 THEN 'Other' END``` | +| reg_value.type_id | ```CASE WHEN GET(RAW, 'registry.valueType') is NULL THEN 0 WHEN GET(RAW, 'registry.valueType') = 'BINARY' THEN 1 WHEN GET(RAW, 'registry.valueType') = 'DWORD' THEN 2 WHEN GET(RAW, 'registry.valueType') = 'LINK' THEN 5 WHEN GET(RAW, 'registry.valueType') = 'MULTI_SZ' THEN 6 WHEN GET(RAW, 'registry.valueType') = 'QWORD' THEN 8 WHEN GET(RAW, 'registry.valueType') = 'SZ' THEN 10 ELSE 99 END::NUMBER``` | +| severity | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```99::NUMBER``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE WHEN EVENT_TYPE IS NULL THEN 20100200 WHEN EVENT_TYPE = 'Registry Value Modified' THEN 20100203 WHEN EVENT_TYPE = 'Registry Value Delete' THEN 20100204 ELSE 20100299 END::NUMBER) WHEN 20100200 THEN 'Registry Value Activity: Unknown' WHEN 20100201 THEN 'Registry Value Activity: Get' WHEN 20100202 THEN 'Registry Value 
Activity: Set' WHEN 20100203 THEN 'Registry Value Activity: Modify' WHEN 20100204 THEN 'Registry Value Activity: Delete' WHEN 20100299 THEN 'Registry Value Activity: Other' END``` | +| type_uid | ```CASE WHEN EVENT_TYPE IS NULL THEN 20100200 WHEN EVENT_TYPE = 'Registry Value Modified' THEN 20100203 WHEN EVENT_TYPE = 'Registry Value Delete' THEN 20100204 ELSE 20100299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Signal Sciences/1.1.0/signal-sciences-events/http_activity/README.md b/mappings/markdown/Signal Sciences/1.1.0/signal-sciences-events/http_activity/README.md new file mode 100644 index 00000000..ea4f74d2 --- /dev/null +++ b/mappings/markdown/Signal Sciences/1.1.0/signal-sciences-events/http_activity/README.md 
@@ -0,0 +1,59 @@ +# Event Dossier: Signal Sciences Events to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `signal_sciences` +* Product name: `signal-sciences-events` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION = 'info' THEN 1 WHEN ACTION = 'flagged' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION = 'info' THEN 1 WHEN ACTION = 'flagged' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN REQUEST_METHOD = 'UNKNOWN' THEN 0 WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN REQUEST_METHOD = 'UNKNOWN' THEN 0 WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 
2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```1::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(SOURCE_IP, 'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(SOURCE_IP, 'INET'):family::NUMBER``` | +| dst_endpoint.hostname | ```REQUEST_SERVER_HOSTNAME::VARCHAR``` | +| dst_endpoint.location.country | ```REMOTE_COUNTRY_CODE::VARCHAR``` | +| dst_endpoint.name | ```REQUEST_SERVER_NAME::VARCHAR``` | +| end_time | ```date_part('epoch_milliseconds', EXPIRES::TIMESTAMP_LTZ)``` | +| end_time_dt | ```EXPIRES::TIMESTAMP_LTZ``` | +| http_cookies.name | ```REQUEST_HEADERSIN:cookie::VARCHAR``` | +| http_request.http_method | ```CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 'CONNECT' WHEN REQUEST_METHOD = 'DELETE' THEN 'DELETE' WHEN REQUEST_METHOD = 'GET' THEN 'GET' WHEN REQUEST_METHOD = 'HEAD' THEN 'HEAD' WHEN REQUEST_METHOD = 'OPTIONS' THEN 'OPTIONS' WHEN REQUEST_METHOD = 'POST' THEN 'POST' WHEN REQUEST_METHOD = 'PUT' THEN 'PUT' WHEN REQUEST_METHOD = 'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` | +| http_request.referrer | ```REQUEST_HEADERSIN:referer::VARCHAR``` | +| http_request.url.path | ```REQUEST_PATH::VARCHAR``` | +| http_request.url.scheme | ```REQUEST_SCHEME::VARCHAR``` | +| http_request.user_agent | ```USER_AGENTS::VARCHAR``` | +| http_request.version | ```REQUEST_PROTOCOL::VARCHAR``` | +| http_request.x_forwarded_for | ```REQUEST_HEADERSIN:"X-Forwarded-For"::VARCHAR``` | +| http_response.code | ```REQUEST_RESPONSE_CODE::NUMBER``` | +| http_response.content_type | ```REQUEST_HEADERSOUT:"content-type"::VARCHAR``` | +| http_response.latency | ```REQUEST_RESPONSE_MILLIS::NUMBER``` | +| http_response.length | ```REQUEST_RESPONSE_SIZE::NUMBER``` | +| metadata.event_code | ```EVENT_TYPE``` | +| metadata.product.name | 
```'signal-sciences-events'``` | +| metadata.product.vendor_name | ```'signal_sciences'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.hostname | ```REMOTE_HOSTNAME::VARCHAR``` | +| src_endpoint.ip | ```SOURCE_IP::VARCHAR``` | +| status | ```CASE (CASE WHEN REQUEST_RESPONSE_CODE ILIKE '2%%' THEN 1 WHEN REQUEST_RESPONSE_CODE ILIKE '4%%' THEN 2 WHEN REQUEST_RESPONSE_CODE ILIKE '5%%' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN REQUEST_RESPONSE_CODE ILIKE '2%%' THEN 1 WHEN REQUEST_RESPONSE_CODE ILIKE '4%%' THEN 2 WHEN REQUEST_RESPONSE_CODE ILIKE '5%%' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| tls.server_ciphers | ```REQUEST_TLS_CIPHER::VARCHAR``` | +| tls.version | ```REQUEST_TLS_PROTOCOL::VARCHAR``` | +| type_name | ```CASE (CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 400201 WHEN REQUEST_METHOD = 'DELETE' THEN 400202 WHEN REQUEST_METHOD = 'GET' THEN 400203 WHEN REQUEST_METHOD = 'HEAD' THEN 400204 WHEN REQUEST_METHOD = 'OPTIONS' THEN 400205 WHEN REQUEST_METHOD = 'POST' THEN 400206 WHEN REQUEST_METHOD = 'PUT' THEN 400207 WHEN REQUEST_METHOD = 'TRACE' THEN 400208 WHEN REQUEST_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 
'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 400201 WHEN REQUEST_METHOD = 'DELETE' THEN 400202 WHEN REQUEST_METHOD = 'GET' THEN 400203 WHEN REQUEST_METHOD = 'HEAD' THEN 400204 WHEN REQUEST_METHOD = 'OPTIONS' THEN 400205 WHEN REQUEST_METHOD = 'POST' THEN 400206 WHEN REQUEST_METHOD = 'PUT' THEN 400207 WHEN REQUEST_METHOD = 'TRACE' THEN 400208 WHEN REQUEST_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Signal Sciences/1.1.0/signal-sciences-requests/http_activity/README.md b/mappings/markdown/Signal Sciences/1.1.0/signal-sciences-requests/http_activity/README.md new file mode 100644 index 00000000..5806a32d --- /dev/null +++ b/mappings/markdown/Signal Sciences/1.1.0/signal-sciences-requests/http_activity/README.md 
@@ -0,0 +1,75 @@ +# Event Dossier: Signal Sciences Requests to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `signal_sciences` +* Product name: `signal-sciences-requests` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN AGENT_RESPONSE_CODE = 200 THEN 1 WHEN AGENT_RESPONSE_CODE >= 301 THEN 2 WHEN AGENT_RESPONSE_CODE IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN AGENT_RESPONSE_CODE = 200 THEN 1 WHEN AGENT_RESPONSE_CODE >= 301 THEN 2 WHEN AGENT_RESPONSE_CODE IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN METHOD = 'CONNECT' THEN 1 WHEN METHOD = 'DELETE' THEN 2 WHEN METHOD = 'GET' THEN 3 WHEN METHOD = 'HEAD' THEN 4 WHEN METHOD = 'OPTIONS' THEN 5 WHEN METHOD = 'POST' THEN 6 WHEN METHOD = 'PUT' THEN 7 WHEN METHOD = 'TRACE' THEN 8 WHEN METHOD IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN METHOD = 'CONNECT' THEN 1 WHEN METHOD = 'DELETE' THEN 2 WHEN METHOD = 'GET' THEN 3 WHEN METHOD = 'HEAD' THEN 4 WHEN METHOD = 'OPTIONS' THEN 5 WHEN METHOD = 'POST' THEN 6 WHEN METHOD = 'PUT' THEN 7 WHEN METHOD = 'TRACE' THEN 8 WHEN METHOD IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| actor.user.name | ```HEADERSOUT['X-AUSERNAME']::VARCHAR``` | +| actor.user.uid | ```HEADERSOUT['X-AUSERID']::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 
THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```1::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(REMOTE_IP, 'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(REMOTE_IP, 'INET'):family::NUMBER``` | +| disposition | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```0::NUMBER``` | +| dst_endpoint.name | ```SERVER_NAME::VARCHAR``` | +| firewall_rule.rate_limit | ```HEADERSOUT['X-RateLimit-Limit']::NUMBER``` | +| http_cookies.is_http_only | ```IFF(HEADERSOUT['Set-Cookie'] IS NOT NULL AND HEADERSOUT['Set-Cookie'] ILIKE '%%httponly;%%','true', 'false')::BOOLEAN``` | +| http_cookies.is_secure | ```IFF(HEADERSOUT['Set-Cookie'] IS NOT NULL AND HEADERSOUT['Set-Cookie'] ILIKE '%%secure;%%','true', 'false')::BOOLEAN``` | +| http_cookies.value | ```HEADERSOUT['Set-Cookie']::VARCHAR``` | +| http_request.http_method | ```CASE WHEN METHOD = 'CONNECT' THEN 'CONNECT' WHEN METHOD = 'DELETE' THEN 'DELETE' WHEN METHOD = 'GET' THEN 'GET' WHEN METHOD = 'HEAD' THEN 'HEAD' WHEN METHOD = 'OPTIONS' THEN 'OPTIONS' WHEN 
METHOD = 'POST' THEN 'POST' WHEN METHOD = 'PUT' THEN 'PUT' WHEN METHOD = 'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` | +| http_request.length | ```TRY_TO_NUMERIC(TO_VARCHAR(HEADERSIN['Content-Length']))::NUMBER``` | +| http_request.referrer | ```HEADERSIN['referer']::VARCHAR``` | +| http_request.uid | ```ID::VARCHAR``` | +| http_request.url.hostname | ```HEADERSIN['Host']::VARCHAR``` | +| http_request.url.path | ```PATH::VARCHAR``` | +| http_request.url.port | ```HEADERSIN['X-Forwarded-Port']::VARCHAR``` | +| http_request.url.scheme | ```SCHEME::VARCHAR``` | +| http_request.url.url_string | ```URI::VARCHAR``` | +| http_request.user_agent | ```USER_AGENT::VARCHAR``` | +| http_request.version | ```REGEXP_SUBSTR(PROTOCOL, '([0-9\.]+)')::VARCHAR``` | +| http_request.x_forwarded_for | ```HEADERSIN['X-Forwarded-For']::VARCHAR``` | +| http_response.code | ```RESPONSE_CODE::NUMBER``` | +| http_response.content_type | ```HEADERSOUT['content-type']::VARCHAR``` | +| http_response.latency | ```RESPONSE_MILLIS::NUMBER``` | +| http_response.length | ```RESPONSE_SIZE::NUMBER``` | +| load_balancer.code | ```AGENT_RESPONSE_CODE::NUMBER``` | +| load_balancer.status_detail | ```HEADERSIN['X-SigSci-Tags']::VARCHAR``` | +| metadata.event_code | ```method``` | +| metadata.product.name | ```'signal-sciences-requests'``` | +| metadata.product.vendor_name | ```'signal_sciences'``` | +| metadata.version | ```'1.1.0'``` | +| proxy_endpoint.hostname | ```SERVER_HOSTNAME::VARCHAR``` | +| proxy_http_request.uid | ```HEADERSIN['X-Request-ID']::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.hostname | ```REMOTE_HOSTNAME::VARCHAR``` | +| src_endpoint.ip | ```REMOTE_IP::VARCHAR``` | +| src_endpoint.location.country | ```REMOTE_COUNTRY_CODE::VARCHAR``` | +| status | 
```CASE (CASE WHEN RESPONSE_CODE ILIKE '2%%' THEN 1 WHEN RESPONSE_CODE ILIKE '4%%' THEN 2 WHEN RESPONSE_CODE ILIKE '5%%' THEN 2 WHEN RESPONSE_CODE IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN RESPONSE_CODE ILIKE '2%%' THEN 1 WHEN RESPONSE_CODE ILIKE '4%%' THEN 2 WHEN RESPONSE_CODE ILIKE '5%%' THEN 2 WHEN RESPONSE_CODE IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| tls.cipher | ```TLS_CIPHER::VARCHAR``` | +| tls.version | ```TLS_PROTOCOL::VARCHAR``` | +| traffic.bytes | ```TRY_TO_NUMERIC(TO_VARCHAR(HEADERSIN['Content-Length'])) + RESPONSE_SIZE::NUMBER``` | +| traffic.bytes_in | ```TRY_TO_NUMERIC(TO_VARCHAR(HEADERSIN['Content-Length']))::NUMBER``` | +| traffic.bytes_out | ```RESPONSE_SIZE::NUMBER``` | +| type_name | ```CASE (CASE WHEN METHOD = 'CONNECT' THEN 400201 WHEN METHOD = 'DELETE' THEN 400202 WHEN METHOD = 'GET' THEN 400203 WHEN METHOD = 'HEAD' THEN 400204 WHEN METHOD = 'OPTIONS' THEN 400205 WHEN METHOD = 'POST' THEN 400206 WHEN METHOD = 'PUT' THEN 400207 WHEN METHOD = 'TRACE' THEN 400208 WHEN METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN METHOD = 'CONNECT' THEN 400201 WHEN METHOD = 'DELETE' THEN 400202 WHEN METHOD = 'GET' THEN 400203 WHEN METHOD = 'HEAD' THEN 400204 WHEN METHOD = 'OPTIONS' THEN 400205 WHEN METHOD = 'POST' THEN 400206 WHEN METHOD = 'PUT' THEN 400207 WHEN METHOD = 'TRACE' THEN 
400208 WHEN METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Silverpeak/1.1.0/silverpeak-firewall-logs/network_activity/README.md b/mappings/markdown/Silverpeak/1.1.0/silverpeak-firewall-logs/network_activity/README.md new file mode 100644 index 00000000..ecd26e58 --- /dev/null +++ b/mappings/markdown/Silverpeak/1.1.0/silverpeak-firewall-logs/network_activity/README.md 
@@ -0,0 +1,68 @@ +# Event Dossier: Silverpeak Firewall Logs to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `silverpeak` +* Product name: `silverpeak-firewall-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION = 'allow' THEN 1 WHEN ACTION = 'drop' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION = 'allow' THEN 1 WHEN ACTION = 'drop' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN REASON = 'flow create' THEN 1 WHEN REASON = 'flow end' THEN 2 WHEN REASON = 'security policy deny' THEN 5 WHEN REASON IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN REASON = 'flow create' THEN 1 WHEN REASON = 'flow end' THEN 2 WHEN REASON = 'security policy deny' THEN 5 WHEN REASON IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| app_name | ```APPLICATION::VARCHAR``` | +| authorizations.policy.name | ```POLICY::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.direction | ```CASE (CASE WHEN DIRECTION = 'Inbound' THEN 1 WHEN DIRECTION = 'Outbound' THEN 2 WHEN DIRECTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```CASE WHEN DIRECTION = 'Inbound' THEN 1 WHEN DIRECTION = 'Outbound' THEN 2 WHEN DIRECTION IS NULL THEN 0 
ELSE 99 END::NUMBER``` | +| connection_info.protocol_name | ```PROTOCOL::VARCHAR``` | +| connection_info.protocol_num | ```CASE WHEN PROTOCOL = 'icmp' THEN 1 WHEN PROTOCOL = 'tcp' THEN 6 WHEN PROTOCOL = 'udp' THEN 17 WHEN PROTOCOL IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(SOURCE_ADDRESS, 'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(SOURCE_ADDRESS, 'INET'):family::NUMBER``` | +| connection_info.tcp_flags | ```TRY_CAST(TCP_FLAGS AS NUMBER)::NUMBER``` | +| connection_info.uid | ```FLOW_ID::VARCHAR``` | +| disposition | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```0::NUMBER``` | +| dst_endpoint.hostname | ```HOST::VARCHAR``` | +| dst_endpoint.interface_name | ```INTERFACE_IMPACTED::VARCHAR``` | +| dst_endpoint.ip | ```DESTINATION_ADDRESS::VARCHAR``` | +| dst_endpoint.port | ```DESTINATION_PORT ::VARCHAR``` | +| dst_endpoint.zone | ```TO_ZONE::VARCHAR``` | +| end_time | ```date_part('epoch_milliseconds', END_TIME::VARCHAR::TIMESTAMP_LTZ)``` | +| end_time_dt | ```END_TIME::VARCHAR::TIMESTAMP_LTZ``` | +| metadata.event_code | ```log_level``` | +| 
metadata.product.name | ```'silverpeak-firewall-logs'``` | +| metadata.product.vendor_name | ```'silverpeak'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.interface_name | ```INTERFACE_ORIGIN::VARCHAR``` | +| src_endpoint.ip | ```SOURCE_ADDRESS::VARCHAR``` | +| src_endpoint.port | ```SOURCE_PORT ::VARCHAR``` | +| src_endpoint.proxy_endpoint.ip | ```NAT_IP_ADDRESS_ORIGIN::VARCHAR``` | +| src_endpoint.proxy_endpoint.port | ```NAT_TCP_UDP_PORT_ORIGIN::VARCHAR``` | +| src_endpoint.svc_name | ```IP_SERVICE_TYPE::VARCHAR``` | +| src_endpoint.zone | ```FROM_ZONE::VARCHAR``` | +| start_time | ```date_part('epoch_milliseconds', START_TIME::VARCHAR::TIMESTAMP_LTZ)``` | +| start_time_dt | ```START_TIME::VARCHAR::TIMESTAMP_LTZ``` | +| status | ```CASE (CASE WHEN ACTION = 'allow' THEN 1 WHEN ACTION = 'drop' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN ACTION = 'allow' THEN 1 WHEN ACTION = 'drop' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', timestamp::TIMESTAMP_LTZ)``` | +| time_dt | ```timestamp::TIMESTAMP_LTZ``` | +| traffic.bytes | ```RECEIVED_OCTETS + TRANSMITTED_OCTETS::NUMBER``` | +| traffic.bytes_in | ```RECEIVED_OCTETS::NUMBER``` | +| traffic.bytes_out | ```TRANSMITTED_OCTETS::NUMBER``` | +| traffic.packets | ```RECEIVED_PACKETS + TRANSMITTED_PACKETS::NUMBER``` | +| traffic.packets_in | ```RECEIVED_PACKETS::NUMBER``` | +| traffic.packets_out | ```TRANSMITTED_PACKETS::NUMBER``` | +| type_name | ```CASE (CASE WHEN REASON = 'flow create' THEN 400101 WHEN REASON = 'flow end' THEN 400102 WHEN REASON = 'security policy deny' THEN 
400105 WHEN REASON IS NULL THEN 400100 ELSE 400199 END::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```CASE WHEN REASON = 'flow create' THEN 400101 WHEN REASON = 'flow end' THEN 400102 WHEN REASON = 'security policy deny' THEN 400105 WHEN REASON IS NULL THEN 400100 ELSE 400199 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Skyhigh/1.1.0/skyhigh-webgateway-alerts/http_activity/README.md b/mappings/markdown/Skyhigh/1.1.0/skyhigh-webgateway-alerts/http_activity/README.md new file mode 100644 index 00000000..419dab3e --- /dev/null +++ b/mappings/markdown/Skyhigh/1.1.0/skyhigh-webgateway-alerts/http_activity/README.md 
@@ -0,0 +1,51 @@ +# Event Dossier: Skyhigh Webgateway Alerts to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `skyhigh` +* Product name: `skyhigh-webgateway-alerts` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN BLOCK_RESULT = 0 THEN 1 WHEN BLOCK_RESULT = 10 THEN 2 WHEN BLOCK_RESULT = 22 THEN 2 WHEN BLOCK_RESULT = 81 THEN 2 WHEN BLOCK_RESULT = 103 THEN 2 WHEN BLOCK_RESULT IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN BLOCK_RESULT = 0 THEN 1 WHEN BLOCK_RESULT = 10 THEN 2 WHEN BLOCK_RESULT = 22 THEN 2 WHEN BLOCK_RESULT = 81 THEN 2 WHEN BLOCK_RESULT = 103 THEN 2 WHEN BLOCK_RESULT IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN METHOD = 'UNKNOWN' THEN 0 WHEN METHOD = 'CONNECT' THEN 1 WHEN METHOD = 'DELETE' THEN 2 WHEN METHOD = 'GET' THEN 3 WHEN METHOD = 'HEAD' THEN 4 WHEN METHOD = 'OPTIONS' THEN 5 WHEN METHOD = 'POST' THEN 6 WHEN METHOD = 'PUT' THEN 7 WHEN METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN METHOD = 'UNKNOWN' THEN 0 WHEN METHOD = 'CONNECT' THEN 1 WHEN METHOD = 'DELETE' THEN 2 WHEN METHOD = 'GET' THEN 3 WHEN METHOD = 'HEAD' THEN 4 WHEN METHOD = 'OPTIONS' THEN 5 WHEN METHOD = 'POST' THEN 6 WHEN METHOD = 'PUT' THEN 7 WHEN METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| actor.user.name | ```AUTH_USER::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| 
connection_info.boundary | ```CASE (5::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Localhost' WHEN 10 THEN 'Gateway VPC' WHEN 11 THEN 'Internet Gateway' WHEN 2 THEN 'Internal' WHEN 3 THEN 'External' WHEN 4 THEN 'Same VPC' WHEN 5 THEN 'Internet/VPC Gateway' WHEN 6 THEN 'Virtual Private Gateway' WHEN 7 THEN 'Intra-region VPC' WHEN 8 THEN 'Inter-region VPC' WHEN 9 THEN 'Local Gateway' WHEN 99 THEN 'Other' END``` | +| connection_info.boundary_id | ```5::NUMBER``` | +| connection_info.direction | ```CASE (2::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```2::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(SOURCE_IP, 'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(SOURCE_IP, 'INET'):family::NUMBER``` | +| dst_endpoint.ip | ```SERVER_IP::VARCHAR``` | +| http_request.http_method | ```CASE WHEN METHOD = 'CONNECT' THEN 'CONNECT' WHEN METHOD = 'DELETE' THEN 'DELETE' WHEN METHOD = 'GET' THEN 'GET' WHEN METHOD = 'HEAD' THEN 'HEAD' WHEN METHOD = 'OPTIONS' THEN 'OPTIONS' WHEN METHOD = 'POST' THEN 'POST' WHEN METHOD = 'PUT' THEN 'PUT' WHEN METHOD = 'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` | +| http_request.length | ```BYTES_FROM_CLIENT::NUMBER``` | +| http_request.url.hostname | ```HOST::VARCHAR``` | +| http_request.url.port | ```URL_PORT::VARCHAR``` | +| http_request.url.url_string | ```URL::VARCHAR``` | +| http_request.user_agent | ```USER_AGENT::VARCHAR``` | +| http_response.code | ```STATUS_CODE::NUMBER``` | +| http_response.length | ```BYTES_TO_CLIENT::NUMBER``` | +| metadata.product.name | ```'skyhigh-webgateway-alerts'``` | +| metadata.product.vendor_name | ```'skyhigh'``` | +| metadata.version | ```'1.1.0'``` | +| src_endpoint.ip | ```SOURCE_IP::VARCHAR``` | +| 
status | ```CASE (CASE WHEN STATUS_CODE ILIKE '2%%' THEN 1 WHEN STATUS_CODE ILIKE '3%%' THEN 2 WHEN STATUS_CODE ILIKE '4%%' THEN 2 WHEN STATUS_CODE ILIKE '5%%' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN STATUS_CODE ILIKE '2%%' THEN 1 WHEN STATUS_CODE ILIKE '3%%' THEN 2 WHEN STATUS_CODE ILIKE '4%%' THEN 2 WHEN STATUS_CODE ILIKE '5%%' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', time_stamp::TIMESTAMP_LTZ)``` | +| time_dt | ```time_stamp::TIMESTAMP_LTZ``` | +| traffic.bytes | ```(COALESCE(BYTES_FROM_CLIENT, 0) + COALESCE(BYTES_TO_CLIENT, 0))::NUMBER``` | +| traffic.bytes_in | ```BYTES_TO_CLIENT::NUMBER``` | +| traffic.bytes_out | ```BYTES_FROM_CLIENT::NUMBER``` | +| type_name | ```CASE (CASE WHEN METHOD = 'CONNECT' THEN 400201 WHEN METHOD = 'DELETE' THEN 400202 WHEN METHOD = 'GET' THEN 400203 WHEN METHOD = 'HEAD' THEN 400204 WHEN METHOD = 'OPTIONS' THEN 400205 WHEN METHOD = 'POST' THEN 400206 WHEN METHOD = 'PUT' THEN 400207 WHEN METHOD = 'TRACE' THEN 400208 WHEN METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN METHOD = 'CONNECT' THEN 400201 WHEN METHOD = 'DELETE' THEN 400202 WHEN METHOD = 'GET' THEN 400203 WHEN METHOD = 'HEAD' THEN 400204 WHEN METHOD = 'OPTIONS' THEN 400205 WHEN METHOD = 'POST' THEN 400206 WHEN METHOD = 'PUT' THEN 400207 WHEN METHOD = 'TRACE' THEN 400208 WHEN METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER``` | + +Contributed to the OCSF community by 
[Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Slack/1.1.0/slack-audit-logs/authentication/README.md b/mappings/markdown/Slack/1.1.0/slack-audit-logs/authentication/README.md new file mode 100644 index 00000000..ea88664b --- /dev/null +++ b/mappings/markdown/Slack/1.1.0/slack-audit-logs/authentication/README.md 
@@ -0,0 +1,51 @@ +# Event Dossier: Slack Audit Logs to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `slack` +* Product name: `slack-audit-logs` +* Event codes: `ACTION IN ('user_login', 'user_login_failed')` +--- + +| OCSF | RAW | +| --- | --- | +| activity_id | ```CASE WHEN ACTION = 'user_login' THEN 1 WHEN ACTION = 'user_login_failed' THEN 2 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN ACTION = 'user_login' THEN 1 WHEN ACTION = 'user_login_failed' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| actor.user.email_addr | ```ACTOR_USER_EMAIL::VARCHAR``` | +| actor.user.name | ```ACTOR_USER_NAME::VARCHAR``` | +| actor.user.type | ```CASE (CASE WHEN ACTOR_TYPE IS NULL THEN 0 WHEN ACTOR_TYPE = 'user' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'User' WHEN 2 THEN 'Admin' WHEN 3 THEN 'System' WHEN 99 THEN 'Other' END``` | +| actor.user.type_id | ```CASE WHEN ACTOR_TYPE IS NULL THEN 0 WHEN ACTOR_TYPE = 'user' THEN 1 ELSE 99 END::NUMBER``` | +| actor.user.uid | ```ACTOR_USER_ID::VARCHAR``` | +| auth_protocol | ```CASE (CASE WHEN DETAILS:config_type IS NULL THEN 0 WHEN DETAILS:config_type = 'SAML' THEN 5 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'NTLM' WHEN 10 THEN 'RADIUS' WHEN 2 THEN 'Kerberos' WHEN 3 THEN 'Digest' WHEN 4 THEN 'OpenID' WHEN 5 THEN 'SAML' WHEN 6 THEN 'OAUTH 2.0' WHEN 7 THEN 'PAP' WHEN 8 THEN 'CHAP' WHEN 9 THEN 'EAP' WHEN 99 THEN 'Other' END``` | +| auth_protocol_id | ```CASE WHEN DETAILS:config_type IS NULL THEN 0 WHEN DETAILS:config_type = 'SAML' THEN 5 ELSE 99 END::NUMBER``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid 
| ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| dst_endpoint.uid | ```CONTEXT_LOCATION_ID::VARCHAR``` | +| http_request.user_agent | ```CONTEXT_USER_AGENT::VARCHAR``` | +| is_mfa | ```CASE WHEN DETAILS:config_type IS NOT NULL THEN TRUE ELSE FALSE END::BOOLEAN``` | +| logon_process.file.name | ```ENTITY_FILE_NAME::VARCHAR``` | +| logon_process.file.uid | ```ENTITY_FILE_ID::VARCHAR``` | +| logon_process.session.uid | ```CONTEXT_SESSION_ID::VARCHAR``` | +| logon_process.user.domain | ```CONTEXT_LOCATION_DOMAIN::VARCHAR``` | +| metadata.product.name | ```'slack-audit-logs'``` | +| metadata.product.vendor_name | ```'slack'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```CONTEXT_IP_ADDRESS::VARCHAR``` | +| status | ```CASE (CASE WHEN ACTION = 'user_login' THEN 1 WHEN ACTION = 'user_login_failed' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN ACTION = 'user_login' THEN 1 WHEN ACTION = 'user_login_failed' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', date_create::TIMESTAMP_LTZ)``` | +| time_dt | ```date_create::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((300200 + (CASE WHEN ACTION = 'user_login' THEN 1 WHEN ACTION = 'user_login_failed' THEN 2 ELSE 99 END))::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```(300200 + 
(CASE WHEN ACTION = 'user_login' THEN 1 WHEN ACTION = 'user_login_failed' THEN 2 ELSE 99 END))::NUMBER``` | +| user.email_addr | ```RAW:entity:user:email::VARCHAR``` | +| user.name | ```RAW:entity:user:name::VARCHAR``` | +| user.type | ```CASE (CASE WHEN ENTITY_TYPE IS NULL THEN 0 WHEN ENTITY_TYPE = 'user' THEN 1 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'User' WHEN 2 THEN 'Admin' WHEN 3 THEN 'System' WHEN 99 THEN 'Other' END``` | +| user.type_id | ```CASE WHEN ENTITY_TYPE IS NULL THEN 0 WHEN ENTITY_TYPE = 'user' THEN 1 ELSE 99 END::NUMBER``` | +| user.uid | ```RAW:entity:user:id::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Squid/1.1.0/squid-proxy-logs/http_activity/README.md b/mappings/markdown/Squid/1.1.0/squid-proxy-logs/http_activity/README.md new file mode 100644 index 00000000..103d1b9e --- /dev/null +++ b/mappings/markdown/Squid/1.1.0/squid-proxy-logs/http_activity/README.md 
@@ -0,0 +1,49 @@ +# Event Dossier: Squid Proxy Logs to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `squid` +* Product name: `squid-proxy-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```0::NUMBER``` | +| activity_id | ```CASE WHEN REQUEST_METHOD = 'NaN' THEN 0 WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN REQUEST_METHOD = 'NaN' THEN 0 WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| actor.user.email_addr | ```USER_EMAIL::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| connection_info.direction | ```CASE (CASE WHEN INTERNAL_IP is not null THEN 3 ELSE 2 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```CASE WHEN INTERNAL_IP is 
not null THEN 3 ELSE 2 END``` | +| dst_endpoint.ip | ```DESTINATION_IP::VARCHAR``` | +| dst_endpoint.port | ```DESTINATION_PORT::VARCHAR``` | +| http_request.http_method | ```REQUEST_METHOD::VARCHAR``` | +| http_request.length | ```REQUEST_SIZE::NUMBER``` | +| http_request.url.scheme | ```URL_SCHEME::VARCHAR``` | +| http_request.url.url_string | ```REQUEST_URL::VARCHAR``` | +| http_request.user_agent | ```USER_AGENT_DETAILS::VARCHAR``` | +| http_response.code | ```RESPONSE_STATUS_CODE::NUMBER``` | +| http_response.length | ```RESPONSE_SIZE::NUMBER``` | +| metadata.product.name | ```'squid-proxy-logs'``` | +| metadata.product.vendor_name | ```'squid'``` | +| metadata.version | ```'1.1.0'``` | +| src_endpoint.ip | ```SOURCE_IP::VARCHAR``` | +| start_time | ```date_part('epoch_milliseconds', EVENT_TIME::TIMESTAMP_LTZ)``` | +| start_time_dt | ```EVENT_TIME::TIMESTAMP_LTZ``` | +| status | ```CASE (CASE WHEN RESPONSE_STATUS_CODE ILIKE '2%%' THEN 1 WHEN RESPONSE_STATUS_CODE IS NULL THEN 0 ELSE 2 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN RESPONSE_STATUS_CODE ILIKE '2%%' THEN 1 WHEN RESPONSE_STATUS_CODE IS NULL THEN 0 ELSE 2 END``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| traffic.bytes | ```RESPONSE_SIZE::NUMBER + REQUEST_SIZE::NUMBER``` | +| traffic.bytes_in | ```RESPONSE_SIZE::NUMBER``` | +| traffic.bytes_out | ```REQUEST_SIZE::NUMBER``` | +| type_name | ```CASE (CASE WHEN REQUEST_METHOD is null THEN 400200 WHEN REQUEST_METHOD = 'CONNECT' THEN 400201 WHEN REQUEST_METHOD = 'DELETE' THEN 400202 WHEN REQUEST_METHOD = 'GET' THEN 400203 WHEN REQUEST_METHOD = 'HEAD' THEN 400204 WHEN REQUEST_METHOD = 'OPTIONS' THEN 400205 WHEN REQUEST_METHOD = 'POST' THEN 400206 WHEN REQUEST_METHOD = 'PUT' THEN 400207 WHEN REQUEST_METHOD = 'TRACE' THEN 400208 ELSE 4002099 END) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 
400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN REQUEST_METHOD is null THEN 400200 WHEN REQUEST_METHOD = 'CONNECT' THEN 400201 WHEN REQUEST_METHOD = 'DELETE' THEN 400202 WHEN REQUEST_METHOD = 'GET' THEN 400203 WHEN REQUEST_METHOD = 'HEAD' THEN 400204 WHEN REQUEST_METHOD = 'OPTIONS' THEN 400205 WHEN REQUEST_METHOD = 'POST' THEN 400206 WHEN REQUEST_METHOD = 'PUT' THEN 400207 WHEN REQUEST_METHOD = 'TRACE' THEN 400208 ELSE 4002099 END``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Symantec/1.1.0/symantec-cloud-secure-web-gateway-logs/http_activity/README.md b/mappings/markdown/Symantec/1.1.0/symantec-cloud-secure-web-gateway-logs/http_activity/README.md new file mode 100644 index 00000000..7506e3f4 --- /dev/null +++ b/mappings/markdown/Symantec/1.1.0/symantec-cloud-secure-web-gateway-logs/http_activity/README.md 
@@ -0,0 +1,61 @@ +# Event Dossier: Symantec Cloud Secure Web Gateway Logs to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `symantec` +* Product name: `symantec-cloud-secure-web-gateway-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN SERVER_ACTION = 'TUNNELED' THEN 1 WHEN SERVER_ACTION = 'TCP_TUNNELED' THEN 1 WHEN SERVER_ACTION = 'DENIED' THEN 2 WHEN SERVER_ACTION = 'FAILED' THEN 2 WHEN SERVER_ACTION = 'TCP_DENIED' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN SERVER_ACTION = 'TUNNELED' THEN 1 WHEN SERVER_ACTION = 'TCP_TUNNELED' THEN 1 WHEN SERVER_ACTION = 'DENIED' THEN 2 WHEN SERVER_ACTION = 'FAILED' THEN 2 WHEN SERVER_ACTION = 'TCP_DENIED' THEN 2 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN CLIENT_TO_SERVER_METHOD = 'UNKNOWN' THEN 0 WHEN CLIENT_TO_SERVER_METHOD = 'CONNECT' THEN 1 WHEN CLIENT_TO_SERVER_METHOD = 'DELETE' THEN 2 WHEN CLIENT_TO_SERVER_METHOD = 'GET' THEN 3 WHEN CLIENT_TO_SERVER_METHOD = 'HEAD' THEN 4 WHEN CLIENT_TO_SERVER_METHOD = 'OPTIONS' THEN 5 WHEN CLIENT_TO_SERVER_METHOD = 'POST' THEN 6 WHEN CLIENT_TO_SERVER_METHOD = 'PUT' THEN 7 WHEN CLIENT_TO_SERVER_METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN CLIENT_TO_SERVER_METHOD = 'UNKNOWN' THEN 0 WHEN CLIENT_TO_SERVER_METHOD = 'CONNECT' THEN 1 WHEN CLIENT_TO_SERVER_METHOD = 'DELETE' THEN 2 WHEN CLIENT_TO_SERVER_METHOD = 'GET' THEN 3 WHEN CLIENT_TO_SERVER_METHOD = 'HEAD' THEN 4 WHEN CLIENT_TO_SERVER_METHOD = 'OPTIONS' THEN 5 WHEN CLIENT_TO_SERVER_METHOD = 'POST' THEN 6 WHEN CLIENT_TO_SERVER_METHOD = 'PUT' THEN 7 WHEN CLIENT_TO_SERVER_METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' 
WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| actor.user.name | ```CLIENT_TO_SERVER_USERDN::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| connection_info.boundary | ```CASE (5::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Localhost' WHEN 10 THEN 'Gateway VPC' WHEN 11 THEN 'Internet Gateway' WHEN 2 THEN 'Internal' WHEN 3 THEN 'External' WHEN 4 THEN 'Same VPC' WHEN 5 THEN 'Internet/VPC Gateway' WHEN 6 THEN 'Virtual Private Gateway' WHEN 7 THEN 'Intra-region VPC' WHEN 8 THEN 'Inter-region VPC' WHEN 9 THEN 'Local Gateway' WHEN 99 THEN 'Other' END``` | +| connection_info.boundary_id | ```5::NUMBER``` | +| connection_info.direction | ```CASE (2::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```2::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(CLIENT_IP, 'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(CLIENT_IP, 'INET'):family::NUMBER``` | +| device.name | ```CLIENT_DEVICE_NAME::VARCHAR``` | +| dst_endpoint.ip | ```RESPONSE_IP::VARCHAR``` | +| dst_endpoint.location.country | ```RESPONSE_SUPPLIER_COUNTRY::VARCHAR``` | +| http_request.http_method | ```CASE WHEN CLIENT_TO_SERVER_METHOD = 'CONNECT' THEN 'CONNECT' WHEN CLIENT_TO_SERVER_METHOD = 'DELETE' THEN 'DELETE' WHEN CLIENT_TO_SERVER_METHOD = 'GET' THEN 'GET' WHEN CLIENT_TO_SERVER_METHOD = 'HEAD' THEN 'HEAD' WHEN CLIENT_TO_SERVER_METHOD = 'OPTIONS' THEN 'OPTIONS' WHEN CLIENT_TO_SERVER_METHOD = 'POST' THEN 'POST' WHEN CLIENT_TO_SERVER_METHOD = 'PUT' THEN 'PUT' WHEN CLIENT_TO_SERVER_METHOD = 
'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` | +| http_request.length | ```CLIENT_TO_SERVER_BYTES::NUMBER``` | +| http_request.referrer | ```CLIENT_TO_SERVER_REQUEST_HEADER_REFERER::VARCHAR``` | +| http_request.url.hostname | ```CLIENT_TO_SERVER_HOST::VARCHAR``` | +| http_request.url.path | ```CLIENT_TO_SERVER_URI_PATH::VARCHAR``` | +| http_request.url.port | ```CLIENT_TO_SERVER_URI_PORT::VARCHAR``` | +| http_request.url.query_string | ```CLIENT_TO_SERVER_URI_QUERY::VARCHAR``` | +| http_request.url.scheme | ```CLIENT_TO_SERVER_URI_SCHEME::VARCHAR``` | +| http_request.user_agent | ```CLIENT_TO_SERVER_USER_AGENT::VARCHAR``` | +| http_response.code | ```SERVER_TO_CLIENT_STATUS::NUMBER``` | +| http_response.content_type | ```RESPONSE_HEADER_CONTENT_TYPE::VARCHAR``` | +| http_response.length | ```SERVER_TO_CLIENT_BYTES::NUMBER``` | +| metadata.product.name | ```'symantec-cloud-secure-web-gateway-logs'``` | +| metadata.product.vendor_name | ```'symantec'``` | +| metadata.version | ```'1.1.0'``` | +| proxy_endpoint.ip | ```SERVER_IP::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```CLIENT_IP::VARCHAR``` | +| status | ```CASE (CASE WHEN SERVER_TO_CLIENT_STATUS ILIKE '2%%' THEN 1 WHEN SERVER_TO_CLIENT_STATUS ILIKE '4%%' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN SERVER_TO_CLIENT_STATUS ILIKE '2%%' THEN 1 WHEN SERVER_TO_CLIENT_STATUS ILIKE '4%%' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| tls.client_ciphers | ```CLIENT_TO_SERVER_CONNECTION_NEGOTIATED_CIPHER::VARCHAR``` | +| tls.server_ciphers | 
```RESPONSE_CONNECTION_NEGOTIATED_CIPHER::VARCHAR``` | +| traffic.bytes_in | ```SERVER_TO_CLIENT_BYTES::NUMBER``` | +| traffic.bytes_out | ```CLIENT_TO_SERVER_BYTES::NUMBER``` | +| type_name | ```CASE (CASE WHEN CLIENT_TO_SERVER_METHOD = 'CONNECT' THEN 400201 WHEN CLIENT_TO_SERVER_METHOD = 'DELETE' THEN 400202 WHEN CLIENT_TO_SERVER_METHOD = 'GET' THEN 400203 WHEN CLIENT_TO_SERVER_METHOD = 'HEAD' THEN 400204 WHEN CLIENT_TO_SERVER_METHOD = 'OPTIONS' THEN 400205 WHEN CLIENT_TO_SERVER_METHOD = 'POST' THEN 400206 WHEN CLIENT_TO_SERVER_METHOD = 'PUT' THEN 400207 WHEN CLIENT_TO_SERVER_METHOD = 'TRACE' THEN 400208 WHEN CLIENT_TO_SERVER_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN CLIENT_TO_SERVER_METHOD = 'CONNECT' THEN 400201 WHEN CLIENT_TO_SERVER_METHOD = 'DELETE' THEN 400202 WHEN CLIENT_TO_SERVER_METHOD = 'GET' THEN 400203 WHEN CLIENT_TO_SERVER_METHOD = 'HEAD' THEN 400204 WHEN CLIENT_TO_SERVER_METHOD = 'OPTIONS' THEN 400205 WHEN CLIENT_TO_SERVER_METHOD = 'POST' THEN 400206 WHEN CLIENT_TO_SERVER_METHOD = 'PUT' THEN 400207 WHEN CLIENT_TO_SERVER_METHOD = 'TRACE' THEN 400208 WHEN CLIENT_TO_SERVER_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Vectra/1.1.0/vectra-metadata-logs/dns_activity/README.md b/mappings/markdown/Vectra/1.1.0/vectra-metadata-logs/dns_activity/README.md new file mode 100644 index 00000000..59e0aa56 --- /dev/null +++ b/mappings/markdown/Vectra/1.1.0/vectra-metadata-logs/dns_activity/README.md 
@@ -0,0 +1,62 @@ +# Event Dossier: Vectra Metadata Logs to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `vectra` +* Product name: `vectra-metadata-logs` +* Event codes: `METADATA_TYPE = 'metadata_dns'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN RAW:rejected = 'false' THEN 1 WHEN RAW:rejected = 'true' THEN 2 WHEN RAW:rejected IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN RAW:rejected = 'false' THEN 1 WHEN RAW:rejected = 'true' THEN 2 WHEN RAW:rejected IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.session.is_remote | ```LOCAL_RESP::BOOLEAN``` | +| actor.session.uid | ```ORIG_SLUID::VARCHAR``` | +| answers | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT('rdata', RAW:answers, 'ttl', TTLS))::ARRAY``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```1::NUMBER``` | +| connection_info.protocol_name | ```CASE WHEN PROTO = 6 THEN 'tcp' WHEN PROTO = 17 THEN 'udp' END::VARCHAR``` | +| connection_info.protocol_num | ```PROTO::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(ID_ORIG_H, 'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| 
connection_info.protocol_ver_id | ```PARSE_IP(ID_ORIG_H, 'INET'):family::NUMBER``` | +| connection_info.session.is_remote | ```LOCAL_ORIG::BOOLEAN``` | +| connection_info.session.uid | ```RESP_SLUID::VARCHAR``` | +| connection_info.uid | ```UID::VARCHAR``` | +| disposition | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```0::NUMBER``` | +| dst_endpoint.hostname | ```RESP_HOSTNAME::VARCHAR``` | +| dst_endpoint.ip | ```ID_RESP_H::VARCHAR``` | +| dst_endpoint.port | ```RAW['id.resp_p']::VARCHAR``` | +| dst_endpoint.uid | ```RESP_HUID::VARCHAR``` | +| load_balancer.uid | ```SENSOR_UID::VARCHAR``` | +| metadata.event_code | ```METADATA_TYPE``` | +| metadata.product.name | ```'vectra-metadata-logs'``` | +| metadata.product.vendor_name | ```'vectra'``` | +| metadata.version | ```'1.1.0'``` | +| query.class | ```RAW:qclass_name::VARCHAR``` | +| query.hostname | ```QUERY::VARCHAR``` | +| query.type | ```QTYPE_NAME::VARCHAR``` | +| rcode | ```CASE (CASE WHEN RAW:rcode_name = 'NoError' THEN 0 WHEN RAW:rcode_name = 'FormErr' THEN 1 WHEN RAW:rcode_name = 'ServFail' THEN 2 WHEN RAW:rcode_name = 'NXDomain' THEN 3 WHEN RAW:rcode_name = 'NotImp' THEN 4 WHEN RAW:rcode_name = 'Refused' THEN 5 WHEN RAW:rcode_name = 'YXRRSet' THEN 7 WHEN RAW:rcode_name = 'NotAuth' THEN 9 WHEN RAW:rcode_name IS NULL 
THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'NoError' WHEN 1 THEN 'FormError' WHEN 10 THEN 'NotZone' WHEN 11 THEN 'DSOTYPENI' WHEN 16 THEN 'BADSIG_VERS' WHEN 17 THEN 'BADKEY' WHEN 18 THEN 'BADTIME' WHEN 19 THEN 'BADMODE' WHEN 2 THEN 'ServError' WHEN 20 THEN 'BADNAME' WHEN 21 THEN 'BADALG' WHEN 22 THEN 'BADTRUNC' WHEN 23 THEN 'BADCOOKIE' WHEN 24 THEN 'Unassigned' WHEN 25 THEN 'Reserved' WHEN 3 THEN 'NXDomain' WHEN 4 THEN 'NotImp' WHEN 5 THEN 'Refused' WHEN 6 THEN 'YXDomain' WHEN 7 THEN 'YXRRSet' WHEN 8 THEN 'NXRRSet' WHEN 9 THEN 'NotAuth' WHEN 99 THEN 'Other' END``` | +| rcode_id | ```CASE WHEN RAW:rcode_name = 'NoError' THEN 0 WHEN RAW:rcode_name = 'FormErr' THEN 1 WHEN RAW:rcode_name = 'ServFail' THEN 2 WHEN RAW:rcode_name = 'NXDomain' THEN 3 WHEN RAW:rcode_name = 'NotImp' THEN 4 WHEN RAW:rcode_name = 'Refused' THEN 5 WHEN RAW:rcode_name = 'YXRRSet' THEN 7 WHEN RAW:rcode_name = 'NotAuth' THEN 9 WHEN RAW:rcode_name IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.hostname | ```RAW:orig_hostname::VARCHAR``` | +| src_endpoint.ip | ```ID_ORIG_H::VARCHAR``` | +| src_endpoint.port | ```ID_ORIG_P::VARCHAR``` | +| src_endpoint.uid | ```ORIG_HUID::VARCHAR``` | +| status | ```CASE (CASE WHEN RAW:rejected = 'false' THEN 1 WHEN RAW:rejected = 'true' THEN 2 WHEN RAW:rejected IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN RAW:rejected = 'false' THEN 1 WHEN RAW:rejected = 'true' THEN 2 WHEN RAW:rejected IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (400301::NUMBER) WHEN 400300 THEN 
'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 THEN 'DNS Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' WHEN 400399 THEN 'DNS Activity: Other' END``` | +| type_uid | ```400301::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Vectra/1.1.0/vectra-metadata-logs/http_activity/README.md b/mappings/markdown/Vectra/1.1.0/vectra-metadata-logs/http_activity/README.md new file mode 100644 index 00000000..53dcf870 --- /dev/null +++ b/mappings/markdown/Vectra/1.1.0/vectra-metadata-logs/http_activity/README.md 
@@ -0,0 +1,80 @@ +# Event Dossier: Vectra Metadata Logs to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `vectra` +* Product name: `vectra-metadata-logs` +* Event codes: `METADATA_TYPE IN ('metadata_httpsessioninfo')` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```0::NUMBER``` | +| activity_id | ```CASE WHEN RAW:method = 'CONNECT' THEN 1 WHEN RAW:method = 'DELETE' THEN 2 WHEN RAW:method = 'GET' THEN 3 WHEN RAW:method = 'HEAD' THEN 4 WHEN RAW:method = 'OPTIONS' THEN 5 WHEN RAW:method = 'POST' THEN 6 WHEN RAW:method = 'PUT' THEN 7 WHEN RAW:method = 'TRACE' THEN 8 WHEN RAW:method IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN RAW:method = 'CONNECT' THEN 1 WHEN RAW:method = 'DELETE' THEN 2 WHEN RAW:method = 'GET' THEN 3 WHEN RAW:method = 'HEAD' THEN 4 WHEN RAW:method = 'OPTIONS' THEN 5 WHEN RAW:method = 'POST' THEN 6 WHEN RAW:method = 'PUT' THEN 7 WHEN RAW:method = 'TRACE' THEN 8 WHEN RAW:method IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| actor.session.uid | ```ORIG_SLUID::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```1::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(ID_ORIG_H, 
'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(ID_ORIG_H, 'INET'):family::NUMBER``` | +| connection_info.session.uid | ```RESP_SLUID::VARCHAR``` | +| connection_info.uid | ```UID::VARCHAR``` | +| disposition | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```0::NUMBER``` | +| dst_endpoint.hostname | ```RESP_HOSTNAME::VARCHAR``` | +| dst_endpoint.ip | ```ID_RESP_H::VARCHAR``` | +| dst_endpoint.port | ```RAW['id.resp_p']::VARCHAR``` | +| dst_endpoint.uid | ```RESP_HUID::VARCHAR``` | +| http_cookies.is_http_only | ```IFF(RAW:cookie IS NOT NULL AND RAW:cookie ILIKE '%%httponly;%%', 'true', 'false')::BOOLEAN``` | +| http_cookies.is_secure | ```IFF(RAW:cookie IS NOT NULL AND RAW:cookie ILIKE '%%secure;%%', 'true', 'false')::BOOLEAN``` | +| http_cookies.name | ```RAW:cookie_vars::VARCHAR``` | +| http_cookies.path | ```REGEXP_SUBSTR(RAW:cookie, '\\$Path=([^;]+)')::VARCHAR``` | +| http_cookies.value | ```RAW:cookie::VARCHAR``` | +| http_request.http_method | ```CASE WHEN RAW:method = 'CONNECT' THEN 'CONNECT' WHEN RAW:method = 'DELETE' THEN 'DELETE' WHEN RAW:method = 'GET' THEN 'GET' WHEN RAW:method = 'HEAD' THEN 
'HEAD' WHEN RAW:method = 'OPTIONS' THEN 'OPTIONS' WHEN RAW:method = 'POST' THEN 'POST' WHEN RAW:method = 'PUT' THEN 'PUT' WHEN RAW:method = 'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` | +| http_request.length | ```RAW:request_body_len::NUMBER``` | +| http_request.referrer | ```RAW:referrer::VARCHAR``` | +| http_request.uid | ```ORIG_HUID::VARCHAR``` | +| http_request.url.hostname | ```RAW:host::VARCHAR``` | +| http_request.url.path | ```SPLIT_PART(REGEXP_REPLACE(RAW:uri, '^https?://[^/]+', ''), '?', 1)::VARCHAR``` | +| http_request.url.port | ```RAW['id.resp_p']::VARCHAR``` | +| http_request.url.query_string | ```SPLIT_PART(RAW:uri, '?', 2)::VARCHAR``` | +| http_request.url.scheme | ```REGEXP_SUBSTR(RAW:uri, '^([a-zA-Z]+)')::VARCHAR``` | +| http_request.url.url_string | ```RAW:uri::VARCHAR``` | +| http_request.user_agent | ```RAW:user_agent::VARCHAR``` | +| http_request.x_forwarded_for | ```RAW:proxied::VARCHAR``` | +| http_response.code | ```RAW:status_code::NUMBER``` | +| http_response.content_type | ```RAW:resp_mime_types::VARCHAR``` | +| http_response.length | ```RAW:response_body_len::NUMBER``` | +| http_response.status | ```RAW:status_msg::VARCHAR``` | +| http_status | ```RAW:status_code::NUMBER``` | +| metadata.event_code | ```METADATA_TYPE``` | +| metadata.product.name | ```'vectra-metadata-logs'``` | +| metadata.product.vendor_name | ```'vectra'``` | +| metadata.version | ```'1.1.0'``` | +| proxy.ip | ```REGEXP_SUBSTR(RAW:proxied, '([0-9]{1,3}\.){3}[0-9]{1,3}')::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.hostname | ```RAW:orig_hostname::VARCHAR``` | +| src_endpoint.ip | ```ID_ORIG_H::VARCHAR``` | +| src_endpoint.port | ```ID_ORIG_P::VARCHAR``` | +| src_endpoint.uid | ```ORIG_HUID::VARCHAR``` | +| status | ```CASE (CASE 
WHEN RAW:status_code ILIKE '2%%' THEN 1 WHEN RAW:status_code ILIKE '4%%' THEN 2 WHEN RAW:status_code ILIKE '5%%' THEN 2 WHEN RAW:status_code IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN RAW:status_code ILIKE '2%%' THEN 1 WHEN RAW:status_code ILIKE '4%%' THEN 2 WHEN RAW:status_code ILIKE '5%%' THEN 2 WHEN RAW:status_code IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| traffic.bytes | ```CAST(RAW:resp_ip_bytes AS NUMBER) + CAST(RAW:orig_ip_bytes AS NUMBER)::NUMBER``` | +| traffic.bytes_in | ```RAW:resp_ip_bytes::NUMBER``` | +| traffic.bytes_out | ```RAW:orig_ip_bytes::NUMBER``` | +| traffic.packets | ```CAST(RAW:resp_pkts AS NUMBER) + CAST(RAW:orig_pkts AS NUMBER)::NUMBER``` | +| traffic.packets_in | ```RAW:resp_pkts::NUMBER``` | +| traffic.packets_out | ```RAW:orig_pkts::NUMBER``` | +| type_name | ```CASE (CASE WHEN RAW:method = 'CONNECT' THEN 400201 WHEN RAW:method = 'DELETE' THEN 400202 WHEN RAW:method = 'GET' THEN 400203 WHEN RAW:method = 'HEAD' THEN 400204 WHEN RAW:method = 'OPTIONS' THEN 400205 WHEN RAW:method = 'POST' THEN 400206 WHEN RAW:method = 'PUT' THEN 400207 WHEN RAW:method = 'TRACE' THEN 400208 WHEN RAW:method IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN RAW:method = 'CONNECT' THEN 400201 WHEN RAW:method = 'DELETE' THEN 400202 WHEN RAW:method = 'GET' THEN 400203 WHEN RAW:method = 'HEAD' THEN 
400204 WHEN RAW:method = 'OPTIONS' THEN 400205 WHEN RAW:method = 'POST' THEN 400206 WHEN RAW:method = 'PUT' THEN 400207 WHEN RAW:method = 'TRACE' THEN 400208 WHEN RAW:method IS NULL THEN 400200 ELSE 400299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Vectra/1.1.0/vectra-metadata-logs/network_activity/README.md b/mappings/markdown/Vectra/1.1.0/vectra-metadata-logs/network_activity/README.md new file mode 100644 index 00000000..23e03c79 --- /dev/null +++ b/mappings/markdown/Vectra/1.1.0/vectra-metadata-logs/network_activity/README.md 
@@ -0,0 +1,53 @@ +# Event Dossier: Vectra Metadata Logs to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `vectra` +* Product name: `vectra-metadata-logs` +* Event codes: `METADATA_TYPE = 'metadata_isession'` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```0::NUMBER``` | +| activity_id | ```CASE WHEN RAW:conn_state = 'S1' THEN 1 WHEN RAW:conn_state = 'RSTO' THEN 2 WHEN RAW:conn_state = 'RSTR' THEN 3 WHEN RAW:conn_state = 's2' THEN 4 WHEN RAW:conn_state = 'REJ' THEN 5 WHEN RAW:conn_state = 'OTH' THEN 6 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN RAW:conn_state = 'S1' THEN 1 WHEN RAW:conn_state = 'RSTO' THEN 2 WHEN RAW:conn_state = 'RSTR' THEN 3 WHEN RAW:conn_state = 's2' THEN 4 WHEN RAW:conn_state = 'REJ' THEN 5 WHEN RAW:conn_state = 'OTH' THEN 6 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.user.name | ```USERNAME::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.protocol_name | ```PROTO_NAME::VARCHAR``` | +| connection_info.protocol_num | ```PROTO::NUMBER``` | +| device.hostname | ```HOSTNAME::VARCHAR``` | +| dst_endpoint.domain | ```RESP_DOMAINS::VARCHAR``` | +| dst_endpoint.hostname | ```RESP_HOSTNAME::VARCHAR``` | +| dst_endpoint.ip | ```COALESCE(ID_RESP_H, ASSIGNED_IP)::VARCHAR``` | +| dst_endpoint.uid | ```RESP_HUID::VARCHAR``` | +| dst_endpoint.vlan_uid | ```RAW:resp_vlan_id::VARCHAR``` | +| metadata.event_code | ```METADATA_TYPE``` | +| 
metadata.product.name | ```'vectra-metadata-logs'``` | +| metadata.product.vendor_name | ```'vectra'``` | +| metadata.tenant_uid | ```UID::VARCHAR``` | +| metadata.version | ```'1.1.0'``` | +| src_endpoint.hostname | ```ORIG_HOSTNAME::VARCHAR``` | +| src_endpoint.ip | ```ID_ORIG_H::VARCHAR``` | +| src_endpoint.mac | ```MAC::VARCHAR``` | +| src_endpoint.port | ```ID_ORIG_P::VARCHAR``` | +| src_endpoint.uid | ```ORIG_HUID::VARCHAR``` | +| src_endpoint.vlan_uid | ```RAW:orig_vlan_id::VARCHAR``` | +| start_time | ```date_part('epoch_milliseconds', EVENT_TIME::TIMESTAMP_LTZ)``` | +| start_time_dt | ```EVENT_TIME::TIMESTAMP_LTZ``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| tls.alert | ```TTLS::NUMBER``` | +| traffic.bytes_in | ```RAW:resp_ip_bytes::NUMBER``` | +| traffic.bytes_out | ```RAW:orig_ip_bytes::NUMBER``` | +| traffic.packets_in | ```RAW:resp_pkts::NUMBER``` | +| traffic.packets_out | ```RAW:orig_pkts::NUMBER``` | +| type_name | ```CASE (CASE WHEN RAW:conn_state = 'S1' THEN 400101 WHEN RAW:conn_state = 'RSTO' THEN 400102 WHEN RAW:conn_state = 'RSTR' THEN 400103 WHEN RAW:conn_state = 's2' THEN 400104 WHEN RAW:conn_state = 'REJ' THEN 400105 WHEN RAW:conn_state = 'OTH' THEN 400106 ELSE 400199 END) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```CASE WHEN RAW:conn_state = 'S1' THEN 400101 WHEN RAW:conn_state = 'RSTO' THEN 400102 WHEN RAW:conn_state = 'RSTR' THEN 400103 WHEN RAW:conn_state = 's2' THEN 400104 WHEN RAW:conn_state = 'REJ' THEN 400105 WHEN RAW:conn_state = 'OTH' THEN 400106 ELSE 400199 END``` | + +Contributed to the OCSF community by 
[Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Zeek/conn_log/README.md b/mappings/markdown/Zeek/1.0.0/conn_log/README.md similarity index 100% rename from mappings/markdown/Zeek/conn_log/README.md rename to mappings/markdown/Zeek/1.0.0/conn_log/README.md diff --git a/mappings/markdown/Zeek/conn_log/samples/conn_log.ocsf b/mappings/markdown/Zeek/1.0.0/conn_log/samples/conn_log.ocsf similarity index 100% rename from mappings/markdown/Zeek/conn_log/samples/conn_log.ocsf rename to mappings/markdown/Zeek/1.0.0/conn_log/samples/conn_log.ocsf diff --git a/mappings/markdown/Zeek/conn_log/samples/conn_log.raw b/mappings/markdown/Zeek/1.0.0/conn_log/samples/conn_log.raw similarity index 100% rename from mappings/markdown/Zeek/conn_log/samples/conn_log.raw rename to mappings/markdown/Zeek/1.0.0/conn_log/samples/conn_log.raw diff --git a/mappings/markdown/Zeek/dns_log/README.md b/mappings/markdown/Zeek/1.0.0/dns_log/README.md similarity index 100% rename from mappings/markdown/Zeek/dns_log/README.md rename to mappings/markdown/Zeek/1.0.0/dns_log/README.md diff --git a/mappings/markdown/Zeek/dns_log/samples/dns_log.ocsf b/mappings/markdown/Zeek/1.0.0/dns_log/samples/dns_log.ocsf similarity index 100% rename from mappings/markdown/Zeek/dns_log/samples/dns_log.ocsf rename to mappings/markdown/Zeek/1.0.0/dns_log/samples/dns_log.ocsf diff --git a/mappings/markdown/Zeek/dns_log/samples/dns_log.raw b/mappings/markdown/Zeek/1.0.0/dns_log/samples/dns_log.raw similarity index 100% rename from mappings/markdown/Zeek/dns_log/samples/dns_log.raw rename to mappings/markdown/Zeek/1.0.0/dns_log/samples/dns_log.raw diff --git a/mappings/markdown/Zeek/ssl_log/README.md b/mappings/markdown/Zeek/1.0.0/ssl_log/README.md similarity index 100% rename from mappings/markdown/Zeek/ssl_log/README.md rename to mappings/markdown/Zeek/1.0.0/ssl_log/README.md 
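Review bot: in the Vectra metadata hunk, `activity_id`, `activity_name`, `type_name` and `type_uid` all compare `RAW:conn_state` against lowercase `'s2'` while every other branch uses an uppercase code (`'S1'`, `'RSTO'`, `'RSTR'`, `'REJ'`, `'OTH'`); with a case-sensitive `=` that branch never matches and S2 sessions fall through to `ELSE 99` ('Other'). Suggest `WHEN RAW:conn_state = 'S2' THEN 4` in all four expressions, or compare on `UPPER(RAW:conn_state)`. Two smaller points: `src_endpoint.port` is cast as `ID_ORIG_P::VARCHAR` although the traffic counters in the same table are cast `::NUMBER`; a port is an integer and should be cast the same way. And `action_id` is hardcoded `0::NUMBER` even though the same `conn_state` already drives `activity_id` (`'REJ'` maps to 'Refuse'); deriving `action_id` from it, e.g. `'REJ'` to 2 (Denied), would give detection content an allow/deny signal to filter on.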
diff --git a/mappings/markdown/Zeek/ssl_log/samples/ssl_log.ocsf b/mappings/markdown/Zeek/1.0.0/ssl_log/samples/ssl_log.ocsf similarity index 100% rename from mappings/markdown/Zeek/ssl_log/samples/ssl_log.ocsf rename to mappings/markdown/Zeek/1.0.0/ssl_log/samples/ssl_log.ocsf diff --git a/mappings/markdown/Zeek/ssl_log/samples/ssl_log.raw b/mappings/markdown/Zeek/1.0.0/ssl_log/samples/ssl_log.raw similarity index 100% rename from mappings/markdown/Zeek/ssl_log/samples/ssl_log.raw rename to mappings/markdown/Zeek/1.0.0/ssl_log/samples/ssl_log.raw diff --git a/mappings/markdown/Zeek/1.1.0/zeek-conn-logs/network_activity/README.md b/mappings/markdown/Zeek/1.1.0/zeek-conn-logs/network_activity/README.md new file mode 100644 index 00000000..57a034d3 --- /dev/null +++ b/mappings/markdown/Zeek/1.1.0/zeek-conn-logs/network_activity/README.md 
@@ -0,0 +1,42 @@ +# Event Dossier: Zeek Conn Logs to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `zeek` +* Product name: `zeek-conn-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN CONN_STATE is NULL THEN 0 WHEN CONN_STATE ILIKE '%%Connection established%%' THEN 1 WHEN CONN_STATE ILIKE '%%Connection attempt rejected%%' THEN 2 ELSE 99 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN CONN_STATE is NULL THEN 0 WHEN CONN_STATE ILIKE '%%Connection established%%' THEN 1 WHEN CONN_STATE ILIKE '%%Connection attempt rejected%%' THEN 2 ELSE 99 END``` | +| activity_id | ```0::NUMBER``` | +| activity_name | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| api.service.name | ```SERVICE::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.protocol_name | ```PROTO::VARCHAR``` | +| connection_info.protocol_num | ```CASE WHEN proto = 'tcp' THEN 6 WHEN proto = 'udp' THEN 17 WHEN proto = 'icmp' THEN 1 ELSE -1 END``` | +| connection_info.uid | ```UID::VARCHAR``` | +| dst_endpoint.ip | ```RESPONDER_HOST::VARCHAR``` | +| dst_endpoint.port | ```RESPONDER_PORT::VARCHAR``` | +| duration | ```(DURATION*1000)::NUMBER``` | +| metadata.product.name | ```'zeek-conn-logs'``` | +| metadata.product.vendor_name | ```'zeek'``` | +| metadata.version | ```'1.1.0'``` | +| src_endpoint.ip | ```ORIGINATOR_HOST::VARCHAR``` | +| src_endpoint.port | ```RESPONDER_PORT::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', 
ts::TIMESTAMP_LTZ)``` | +| time_dt | ```ts::TIMESTAMP_LTZ``` | +| traffic.bytes_in | ```RESPONDER_BYTES::NUMBER``` | +| traffic.bytes_out | ```ORIGINATOR_BYTES::NUMBER``` | +| traffic.packets_in | ```RESPONDER_PACKETS::NUMBER``` | +| traffic.packets_out | ```ORIGINATOR_PACKETS::NUMBER``` | +| type_name | ```CASE ('400100'::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```'400100'::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Zeek/1.1.0/zeek-dns-logs/dns_activity/README.md b/mappings/markdown/Zeek/1.1.0/zeek-dns-logs/dns_activity/README.md new file mode 100644 index 00000000..9a90a6b5 --- /dev/null +++ b/mappings/markdown/Zeek/1.1.0/zeek-dns-logs/dns_activity/README.md 
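Review bot: in the zeek-conn-logs hunk, `src_endpoint.port` is mapped from `RESPONDER_PORT::VARCHAR`, the same column already used for `dst_endpoint.port`; since `src_endpoint.ip` comes from `ORIGINATOR_HOST`, this should be `ORIGINATOR_PORT::VARCHAR` (the zeek-dns-logs hunk in this patch does use `ORIGINATOR_PORT`), otherwise source and destination port are always identical and any rule keyed on the source port is wrong. Two further points: `action_id` matches `CONN_STATE ILIKE '%%Connection established%%'` and `'%%Connection attempt rejected%%'`, whereas the Vectra hunk above matches the same Zeek-derived field against short codes such as `'S1'` and `'REJ'`; please confirm which form the raw `CONN_STATE` column carries, because with code values every row here lands on `ELSE 99`. And `activity_id` / `type_uid` are hardcoded to `0` / `'400100'` ('Unknown') although `CONN_STATE` is available to derive Open/Close/Reset/Refuse the way the Vectra mapping does.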
@@ -0,0 +1,42 @@ +# Event Dossier: Zeek Dns Logs to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `zeek` +* Product name: `zeek-dns-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN AUTHORITATIVE_ANSWER='TRUE' THEN 1 WHEN AUTHORITATIVE_ANSWER='FALSE' THEN 2 WHEN AUTHORITATIVE_ANSWER IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN AUTHORITATIVE_ANSWER='TRUE' THEN 1 WHEN AUTHORITATIVE_ANSWER='FALSE' THEN 2 WHEN AUTHORITATIVE_ANSWER IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN QUERY IS NOT NULL THEN 1 WHEN QUERY IS NULL AND QCLASS_NAME IS NOT NULL AND QTYPE_NAME IS NOT NULL THEN 2 WHEN QUERY IS NULL AND QCLASS_NAME IS NULL AND QTYPE_NAME IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN QUERY IS NOT NULL THEN 1 WHEN QUERY IS NULL AND QCLASS_NAME IS NOT NULL AND QTYPE_NAME IS NOT NULL THEN 2 WHEN QUERY IS NULL AND QCLASS_NAME IS NULL AND QTYPE_NAME IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| answers | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT('rdata', ANSWERS[0]))::ARRAY``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| connection_info.protocol_name | ```PROTO::VARCHAR``` | +| dst_endpoint.ip | ```RESPONDER_HOST::VARCHAR``` | +| dst_endpoint.port | ```RESPONDER_PORT::VARCHAR``` | +| metadata.product.name | ```'zeek-dns-logs'``` | +| metadata.product.vendor_name | ```'zeek'``` | +| metadata.version | ```'1.1.0'``` | +| query.class | ```QCLASS_NAME::VARCHAR``` | +| query.hostname | 
```QUERY::VARCHAR``` | +| query.type | ```QTYPE_NAME::VARCHAR``` | +| rcode | ```CASE (CASE WHEN RCODE_NAME='NOERROR' THEN 0 WHEN RCODE_NAME='FORMERROR' THEN 1 WHEN RCODE_NAME='SERVFAIL' THEN 2 WHEN RCODE_NAME='NXDOMAIN' THEN 100 WHEN RCODE_NAME='NOTIMP' THEN 4 WHEN RCODE_NAME='REFUSED' THEN 5 WHEN RCODE_NAME='YXDOMAIN' THEN 6 WHEN RCODE_NAME='YXRRSET' THEN 7 WHEN RCODE_NAME='NXRRSET' THEN 8 WHEN RCODE_NAME='NOTAUTH' THEN 9 WHEN RCODE_NAME='NOTZONE' THEN 10 WHEN RCODE_NAME='DSOTYPENI' THEN 11 WHEN RCODE_NAME='BADSIG_VERS' THEN 16 WHEN RCODE_NAME='BADKEY' THEN 17 WHEN RCODE_NAME='BADTIME' THEN 18 WHEN RCODE_NAME='BADMODE' THEN 19 WHEN RCODE_NAME='BADNAME' THEN 20 WHEN RCODE_NAME='BADALG' THEN 21 WHEN RCODE_NAME='BADTRUNC' THEN 22 WHEN RCODE_NAME='BADCOOKIE' THEN 23 WHEN RCODE_NAME='UNASSIGNED' THEN 24 WHEN RCODE_NAME='RESERVED' THEN 25 ELSE 99 END::NUMBER) WHEN 0 THEN 'NoError' WHEN 1 THEN 'FormError' WHEN 10 THEN 'NotZone' WHEN 11 THEN 'DSOTYPENI' WHEN 16 THEN 'BADSIG_VERS' WHEN 17 THEN 'BADKEY' WHEN 18 THEN 'BADTIME' WHEN 19 THEN 'BADMODE' WHEN 2 THEN 'ServError' WHEN 20 THEN 'BADNAME' WHEN 21 THEN 'BADALG' WHEN 22 THEN 'BADTRUNC' WHEN 23 THEN 'BADCOOKIE' WHEN 24 THEN 'Unassigned' WHEN 25 THEN 'Reserved' WHEN 3 THEN 'NXDomain' WHEN 4 THEN 'NotImp' WHEN 5 THEN 'Refused' WHEN 6 THEN 'YXDomain' WHEN 7 THEN 'YXRRSet' WHEN 8 THEN 'NXRRSet' WHEN 9 THEN 'NotAuth' WHEN 99 THEN 'Other' END``` | +| rcode_id | ```CASE WHEN RCODE_NAME='NOERROR' THEN 0 WHEN RCODE_NAME='FORMERROR' THEN 1 WHEN RCODE_NAME='SERVFAIL' THEN 2 WHEN RCODE_NAME='NXDOMAIN' THEN 100 WHEN RCODE_NAME='NOTIMP' THEN 4 WHEN RCODE_NAME='REFUSED' THEN 5 WHEN RCODE_NAME='YXDOMAIN' THEN 6 WHEN RCODE_NAME='YXRRSET' THEN 7 WHEN RCODE_NAME='NXRRSET' THEN 8 WHEN RCODE_NAME='NOTAUTH' THEN 9 WHEN RCODE_NAME='NOTZONE' THEN 10 WHEN RCODE_NAME='DSOTYPENI' THEN 11 WHEN RCODE_NAME='BADSIG_VERS' THEN 16 WHEN RCODE_NAME='BADKEY' THEN 17 WHEN RCODE_NAME='BADTIME' THEN 18 WHEN RCODE_NAME='BADMODE' THEN 19 WHEN 
RCODE_NAME='BADNAME' THEN 20 WHEN RCODE_NAME='BADALG' THEN 21 WHEN RCODE_NAME='BADTRUNC' THEN 22 WHEN RCODE_NAME='BADCOOKIE' THEN 23 WHEN RCODE_NAME='UNASSIGNED' THEN 24 WHEN RCODE_NAME='RESERVED' THEN 25 ELSE 99 END::NUMBER``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```ORIGINATOR_HOST::VARCHAR``` | +| src_endpoint.port | ```ORIGINATOR_PORT::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', ts::TIMESTAMP_LTZ)``` | +| time_dt | ```ts::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE WHEN QUERY IS NOT NULL THEN 400301 WHEN QUERY IS NULL AND QCLASS_NAME IS NOT NULL AND QTYPE_NAME IS NOT NULL THEN 400302 WHEN QUERY IS NULL AND QCLASS_NAME IS NULL AND QTYPE_NAME IS NULL THEN 400300 ELSE 400399 END::NUMBER) WHEN 400300 THEN 'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 THEN 'DNS Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' WHEN 400399 THEN 'DNS Activity: Other' END``` | +| type_uid | ```CASE WHEN QUERY IS NOT NULL THEN 400301 WHEN QUERY IS NULL AND QCLASS_NAME IS NOT NULL AND QTYPE_NAME IS NOT NULL THEN 400302 WHEN QUERY IS NULL AND QCLASS_NAME IS NULL AND QTYPE_NAME IS NULL THEN 400300 ELSE 400399 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Zscaler/1.1.0/zscaler-zia-dns/dns_activity/README.md b/mappings/markdown/Zscaler/1.1.0/zscaler-zia-dns/dns_activity/README.md new file mode 100644 index 00000000..f67531cd --- /dev/null +++ b/mappings/markdown/Zscaler/1.1.0/zscaler-zia-dns/dns_activity/README.md 
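Review bot: in the zeek-dns-logs hunk, `rcode_id` maps `RCODE_NAME='NXDOMAIN'` to `100`, but the outer CASE in `rcode` only has `WHEN 3 THEN 'NXDomain'` and no branch for 100, so NXDOMAIN responses get `rcode_id = 100` and a NULL `rcode`; the zscaler-zia-dns hunk later in this patch maps NXDOMAIN to 3, which is the value this one should use too. Related: the branch `RCODE_NAME='FORMERROR'` differs from the `'FORMERR'` spelling used in the Zscaler hunk, so one of the two can never match; please verify the raw value. Two semantic points: `action_id` derives Allowed/Denied from `AUTHORITATIVE_ANSWER` (`'TRUE'` to 1, `'FALSE'` to 2), but whether an answer is authoritative says nothing about whether the query was permitted, so every non-authoritative (recursive) answer would be reported as 'Denied'; if the log carries no block signal, `0` (Unknown) is the honest value. And `answers` keeps only `ANSWERS[0]`, dropping every additional record; building the array from the whole `ANSWERS` column (a `FLATTEN`/`ARRAY_AGG` step) would preserve them.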
@@ -0,0 +1,43 @@ +# Event Dossier: Zscaler Zia Dns to OCSF class Dns Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `dns_activity` +* Vendor name: `zscaler` +* Product name: `zscaler-zia-dns` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN REQUEST_ACTION IS NULL THEN 0 WHEN REQUEST_ACTION = 'Allow' THEN 1 WHEN REQUEST_ACTION = 'Block' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN REQUEST_ACTION IS NULL THEN 0 WHEN REQUEST_ACTION = 'Allow' THEN 1 WHEN REQUEST_ACTION = 'Block' THEN 2 ELSE 99 END::NUMBER``` | +| activity_id | ```1::NUMBER``` | +| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.user.email_addr | ```IFF(ILIKE(USER, '%@%.com'), USER, NULL)::VARCHAR``` | +| actor.user.name | ```DEVICE_OWNER::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'dns_activity'``` | +| class_uid | ```4003``` | +| device.location.city | ```SPLIT_PART(LOCATION, '->', 1)::VARCHAR``` | +| device.name | ```DEVICE_HOSTNAME::VARCHAR``` | +| dst_endpoint.ip | ```SRV_DESTINATION_IP::VARCHAR``` | +| dst_endpoint.port | ```SRV_DESTINATION_PORT::VARCHAR``` | +| duration | ```DURATION_MS::NUMBER``` | +| metadata.product.name | ```'zscaler-zia-dns'``` | +| metadata.product.vendor_name | ```'zscaler'``` | +| metadata.version | ```'1.1.0'``` | +| query.hostname | ```DNS_REQUEST::VARCHAR``` | +| query.type | ```DNS_REQUEST_TYPE::VARCHAR``` | +| rcode | ```CASE (IFF(REGEXP_LIKE(DNS_RESPONSE, '[A-Za-z]+'), CASE WHEN DNS_RESPONSE = 'NOERROR' THEN 0 WHEN DNS_RESPONSE = 'FORMERR' THEN 1 WHEN DNS_RESPONSE = 'SERVFAIL' THEN 2 WHEN DNS_RESPONSE = 
'NXDOMAIN' THEN 3 WHEN DNS_RESPONSE = 'NOTIMP' THEN 4 WHEN DNS_RESPONSE = 'REFUSED' THEN 5 WHEN DNS_RESPONSE = 'YXDOMAIN' THEN 6 ELSE 99 END, 99)::NUMBER) WHEN 0 THEN 'NoError' WHEN 1 THEN 'FormError' WHEN 10 THEN 'NotZone' WHEN 11 THEN 'DSOTYPENI' WHEN 16 THEN 'BADSIG_VERS' WHEN 17 THEN 'BADKEY' WHEN 18 THEN 'BADTIME' WHEN 19 THEN 'BADMODE' WHEN 2 THEN 'ServError' WHEN 20 THEN 'BADNAME' WHEN 21 THEN 'BADALG' WHEN 22 THEN 'BADTRUNC' WHEN 23 THEN 'BADCOOKIE' WHEN 24 THEN 'Unassigned' WHEN 25 THEN 'Reserved' WHEN 3 THEN 'NXDomain' WHEN 4 THEN 'NotImp' WHEN 5 THEN 'Refused' WHEN 6 THEN 'YXDomain' WHEN 7 THEN 'YXRRSet' WHEN 8 THEN 'NXRRSet' WHEN 9 THEN 'NotAuth' WHEN 99 THEN 'Other' END``` | +| rcode_id | ```IFF(REGEXP_LIKE(DNS_RESPONSE, '[A-Za-z]+'), CASE WHEN DNS_RESPONSE = 'NOERROR' THEN 0 WHEN DNS_RESPONSE = 'FORMERR' THEN 1 WHEN DNS_RESPONSE = 'SERVFAIL' THEN 2 WHEN DNS_RESPONSE = 'NXDOMAIN' THEN 3 WHEN DNS_RESPONSE = 'NOTIMP' THEN 4 WHEN DNS_RESPONSE = 'REFUSED' THEN 5 WHEN DNS_RESPONSE = 'YXDOMAIN' THEN 6 ELSE 99 END, 99)::NUMBER``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```CLIENT_SOURCE_IP::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (400301::NUMBER) WHEN 400300 THEN 'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 THEN 'DNS Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' WHEN 400399 THEN 'DNS Activity: Other' END``` | +| type_uid | ```400301::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ 
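Review bot: in the zscaler-zia-dns hunk, `actor.user.email_addr` only accepts values matching `ILIKE(USER, '%@%.com')`, so any user at a non-.com domain (`.org`, `.io`, country TLDs) is silently dropped to NULL; a TLD-agnostic pattern such as `'%@%.%'`, or a `REGEXP_LIKE` on the general address shape, would be more correct. Two smaller points: `rcode_id` returns `99` ('Other') whenever `DNS_RESPONSE` is not purely alphabetic; if a non-alphabetic `DNS_RESPONSE` is a resolved answer (an address) rather than an error string, `0` (NoError) is the accurate code and 99 should be reserved for genuinely unrecognised strings. And `activity_id` / `type_uid` are hardcoded to `1` / `400301` ('Query') although the record carries `DNS_RESPONSE` and `REQUEST_ACTION`, so these rows describe the response as much as the query; please document why Query was chosen.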
diff --git a/mappings/markdown/Zscaler/1.1.0/zscaler-zia/http_activity/README.md b/mappings/markdown/Zscaler/1.1.0/zscaler-zia/http_activity/README.md new file mode 100644 index 00000000..ca1c68de --- /dev/null +++ b/mappings/markdown/Zscaler/1.1.0/zscaler-zia/http_activity/README.md 
@@ -0,0 +1,62 @@ +# Event Dossier: Zscaler Zia to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `zscaler` +* Product name: `zscaler-zia` +* Event codes: `protocol in ('HTTP', 'HTTPS')` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION = 'Allowed' THEN 1 WHEN ACTION = 'Blocked' THEN 2 WHEN ACTION is not null THEN 99 ELSE 0 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION = 'Allowed' THEN 1 WHEN ACTION = 'Blocked' THEN 2 WHEN ACTION is not null THEN 99 ELSE 0 END``` | +| activity_id | ```CASE WHEN REQUEST_METHOD is null THEN 0 WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 ELSE 99 END``` | +| activity_name | ```CASE (CASE WHEN REQUEST_METHOD is null THEN 0 WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 ELSE 99 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| actor.user.email_addr | ```USER::VARCHAR``` | +| actor.user.name | ```USER::VARCHAR``` | +| api.operation | ```REQUEST_METHOD::VARCHAR``` | +| api.request.uid | ```EVENT_ID::VARCHAR``` | +| api.response.code | ```STATUS::NUMBER``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` 
| +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| connection_info.direction | ```CASE (2::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```2::NUMBER``` | +| device.hostname | ```DEVICE_HOSTNAME::VARCHAR``` | +| device.ip | ```CLIENT_IP::VARCHAR``` | +| dst_endpoint.hostname | ```HOSTNAME::VARCHAR``` | +| dst_endpoint.ip | ```SERVER_IP::VARCHAR``` | +| http_request.http_method | ```REQUEST_METHOD::VARCHAR``` | +| http_request.length | ```REQUEST_SIZE::NUMBER``` | +| http_request.referrer | ```REFERER_URL::VARCHAR``` | +| http_request.uid | ```EVENT_ID::VARCHAR``` | +| http_request.url.hostname | ```HOSTNAME::VARCHAR``` | +| http_request.url.path | ```iff(TRIM(TRIM(URL,HOSTNAME),':443') = '',null,TRIM(TRIM(URL,HOSTNAME),':443'))::VARCHAR``` | +| http_request.url.port | ```CASE WHEN contains(url,':443') THEN 443::VARCHAR END``` | +| http_request.url.query_string | ```iff(contains(url,'?'), SPLIT_PART(url,'?',-1)::VARCHAR,null)``` | +| http_request.url.url_string | ```URL::VARCHAR``` | +| http_request.user_agent | ```USER_AGENT::VARCHAR``` | +| http_request.version | ```REQUEST_VERSION::VARCHAR``` | +| http_response.code | ```STATUS::NUMBER``` | +| http_response.content_type | ```CONTENT_TYPE::VARCHAR``` | +| metadata.product.name | ```'zscaler-zia'``` | +| metadata.product.vendor_name | ```'zscaler'``` | +| metadata.version | ```'1.1.0'``` | +| src_endpoint.hostname | ```DEVICE_HOSTNAME::VARCHAR``` | +| src_endpoint.ip | ```CLIENT_IP::VARCHAR``` | +| src_endpoint.name | ```DEVICE_HOSTNAME::VARCHAR``` | +| status | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_detail | ```REASON::VARCHAR``` | +| status_id | ```99::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | 
```event_time::TIMESTAMP_LTZ``` | +| traffic.bytes | ```RESPONSE_SIZE::NUMBER``` | +| traffic.bytes_in | ```RESPONSE_SIZE::NUMBER``` | +| traffic.bytes_out | ```REQUEST_SIZE::NUMBER``` | +| type_name | ```CASE (decode(REQUEST_METHOD, null, 400200, 'CONNECT' , 400201, 'DELETE',400202, 'GET',400203,'HEAD',400204,'OPTIONS',400205,'POST',400206,'PUT',400207,'TRACE',400208,400299)) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```decode(REQUEST_METHOD, null, 400200, 'CONNECT' , 400201, 'DELETE',400202, 'GET',400203,'HEAD',400204,'OPTIONS',400205,'POST',400206,'PUT',400207,'TRACE',400208,400299)``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/iboss/1.1.0/iboss-web-activity/http_activity/README.md b/mappings/markdown/iboss/1.1.0/iboss-web-activity/http_activity/README.md new file mode 100644 index 00000000..ad53bade --- /dev/null +++ b/mappings/markdown/iboss/1.1.0/iboss-web-activity/http_activity/README.md 
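Review bot: in the zscaler-zia http_activity hunk, `http_request.url.path` uses `TRIM(TRIM(URL,HOSTNAME),':443')`; in Snowflake the second argument of `TRIM` is a set of characters to strip from both ends, not a substring, so this removes every character that occurs in `HOSTNAME` (and then `:`, `4`, `3`) from the start and end of the URL, mangling any path whose first or last characters happen to appear in the hostname. Use `PARSE_URL(URL)` and read its `path`, `port` and `query` keys instead (it expects a scheme, so prefix one if the raw `URL` omits it); `http_request.url.port` should then come from the parsed URL rather than `contains(url,':443')`, which never reports any other port. Smaller points: `status_id` is hardcoded `99` although `STATUS` is mapped and the iboss hunk in this patch derives Success/Failure from the status class; and `traffic.bytes` is set to `RESPONSE_SIZE` while `bytes_in`/`bytes_out` are the response and request sizes, so the total should be `REQUEST_SIZE + RESPONSE_SIZE`.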
@@ -0,0 +1,61 @@ +# Event Dossier: Iboss Web Activity to OCSF class Http Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `http_activity` +* Vendor name: `iboss` +* Product name: `iboss-web-activity` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN SERVER_TO_CLIENT_ACTION = 'Allowed' THEN 1 WHEN SERVER_TO_CLIENT_ACTION = 'Blocked' THEN 2 WHEN SERVER_TO_CLIENT_ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN SERVER_TO_CLIENT_ACTION = 'Allowed' THEN 1 WHEN SERVER_TO_CLIENT_ACTION = 'Blocked' THEN 2 WHEN SERVER_TO_CLIENT_ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN CLIENT_TO_SERVER_METHOD = 'UNKNOWN' THEN 0 WHEN CLIENT_TO_SERVER_METHOD = 'CONNECT' THEN 1 WHEN CLIENT_TO_SERVER_METHOD = 'DELETE' THEN 2 WHEN CLIENT_TO_SERVER_METHOD = 'GET' THEN 3 WHEN CLIENT_TO_SERVER_METHOD = 'HEAD' THEN 4 WHEN CLIENT_TO_SERVER_METHOD = 'OPTIONS' THEN 5 WHEN CLIENT_TO_SERVER_METHOD = 'POST' THEN 6 WHEN CLIENT_TO_SERVER_METHOD = 'PUT' THEN 7 WHEN CLIENT_TO_SERVER_METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN CLIENT_TO_SERVER_METHOD = 'UNKNOWN' THEN 0 WHEN CLIENT_TO_SERVER_METHOD = 'CONNECT' THEN 1 WHEN CLIENT_TO_SERVER_METHOD = 'DELETE' THEN 2 WHEN CLIENT_TO_SERVER_METHOD = 'GET' THEN 3 WHEN CLIENT_TO_SERVER_METHOD = 'HEAD' THEN 4 WHEN CLIENT_TO_SERVER_METHOD = 'OPTIONS' THEN 5 WHEN CLIENT_TO_SERVER_METHOD = 'POST' THEN 6 WHEN CLIENT_TO_SERVER_METHOD = 'PUT' THEN 7 WHEN CLIENT_TO_SERVER_METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | +| actor.user.name | 
```CLIENT_TO_SERVER_USERNAME::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'http_activity'``` | +| class_uid | ```4002``` | +| connection_info.direction | ```CASE (CASE WHEN DIRECTION = 0 THEN 0 WHEN DIRECTION = 1 THEN 1 WHEN DIRECTION = 2 THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | +| connection_info.direction_id | ```CASE WHEN DIRECTION = 0 THEN 0 WHEN DIRECTION = 1 THEN 1 WHEN DIRECTION = 2 THEN 2 ELSE 99 END::NUMBER``` | +| connection_info.protocol_ver | ```CASE (PARSE_IP(CLIENT_IP, 'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | +| connection_info.protocol_ver_id | ```PARSE_IP(CLIENT_IP, 'INET'):family::NUMBER``` | +| disposition | ```CASE (CASE WHEN SERVER_TO_CLIENT_ACTION = 'Allowed' THEN 1 WHEN SERVER_TO_CLIENT_ACTION = 'Blocked' THEN 2 WHEN SERVER_TO_CLIENT_ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | +| disposition_id | ```CASE WHEN SERVER_TO_CLIENT_ACTION = 'Allowed' THEN 1 WHEN SERVER_TO_CLIENT_ACTION = 'Blocked' THEN 2 WHEN 
SERVER_TO_CLIENT_ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| dst_endpoint.ip | ```DESTINATION_IP::VARCHAR``` | +| duration | ```TIME_TAKEN::NUMBER``` | +| http_request.http_method | ```CASE WHEN CLIENT_TO_SERVER_METHOD = 'CONNECT' THEN 'CONNECT' WHEN CLIENT_TO_SERVER_METHOD = 'DELETE' THEN 'DELETE' WHEN CLIENT_TO_SERVER_METHOD = 'GET' THEN 'GET' WHEN CLIENT_TO_SERVER_METHOD = 'HEAD' THEN 'HEAD' WHEN CLIENT_TO_SERVER_METHOD = 'OPTIONS' THEN 'OPTIONS' WHEN CLIENT_TO_SERVER_METHOD = 'POST' THEN 'POST' WHEN CLIENT_TO_SERVER_METHOD = 'PUT' THEN 'PUT' WHEN CLIENT_TO_SERVER_METHOD = 'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` | +| http_request.length | ```CLIENT_TO_SERVER_BYTES::NUMBER``` | +| http_request.referrer | ```CLIENT_TO_SERVER_REFERRER::VARCHAR``` | +| http_request.url.hostname | ```CLIENT_TO_SERVER_HOST::VARCHAR``` | +| http_request.url.path | ```CLIENT_TO_SERVER_URI_PATH::VARCHAR``` | +| http_request.url.port | ```RESPONSE_PATH::VARCHAR``` | +| http_request.url.query_string | ```CLIENT_TO_SERVER_URI_QUERY::VARCHAR``` | +| http_request.url.scheme | ```CLIENT_TO_SERVER_URI_SCHEME::VARCHAR``` | +| http_request.url.url_string | ```CLIENT_TO_SERVER_URI::VARCHAR``` | +| http_request.user_agent | ```CLIENT_TO_SERVER_USER_AGENT::VARCHAR``` | +| http_response.code | ```CLIENT_TO_SERVER_STATUS::NUMBER``` | +| http_response.content_type | ```RESPONSE_CONTENT_TYPE::VARCHAR``` | +| http_response.latency | ```TIME_TAKEN::NUMBER``` | +| http_response.length | ```SERVER_TO_CLIENT_BYTES::NUMBER``` | +| metadata.product.name | ```'iboss-web-activity'``` | +| metadata.product.vendor_name | ```'iboss'``` | +| metadata.version | ```'1.1.0'``` | +| proxy_endpoint.hostname | ```SERVER_COMPUTER_NAME::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| 
src_endpoint.ip | ```CLIENT_IP::VARCHAR``` | +| status | ```CASE (CASE WHEN CLIENT_TO_SERVER_STATUS ILIKE '2%%' THEN 1 WHEN CLIENT_TO_SERVER_STATUS ILIKE '3%%' THEN 2 WHEN CLIENT_TO_SERVER_STATUS ILIKE '4%%' THEN 2 WHEN CLIENT_TO_SERVER_STATUS ILIKE '5%%' THEN 2 WHEN CLIENT_TO_SERVER_STATUS IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_id | ```CASE WHEN CLIENT_TO_SERVER_STATUS ILIKE '2%%' THEN 1 WHEN CLIENT_TO_SERVER_STATUS ILIKE '3%%' THEN 2 WHEN CLIENT_TO_SERVER_STATUS ILIKE '4%%' THEN 2 WHEN CLIENT_TO_SERVER_STATUS ILIKE '5%%' THEN 2 WHEN CLIENT_TO_SERVER_STATUS IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| traffic.bytes | ```TOTAL_BYTES::NUMBER``` | +| traffic.bytes_in | ```SERVER_TO_CLIENT_BYTES::NUMBER``` | +| traffic.bytes_out | ```CLIENT_TO_SERVER_BYTES::NUMBER``` | +| type_name | ```CASE (CASE WHEN CLIENT_TO_SERVER_METHOD = 'CONNECT' THEN 400201 WHEN CLIENT_TO_SERVER_METHOD = 'DELETE' THEN 400202 WHEN CLIENT_TO_SERVER_METHOD = 'GET' THEN 400203 WHEN CLIENT_TO_SERVER_METHOD = 'HEAD' THEN 400204 WHEN CLIENT_TO_SERVER_METHOD = 'OPTIONS' THEN 400205 WHEN CLIENT_TO_SERVER_METHOD = 'POST' THEN 400206 WHEN CLIENT_TO_SERVER_METHOD = 'PUT' THEN 400207 WHEN CLIENT_TO_SERVER_METHOD = 'TRACE' THEN 400208 WHEN CLIENT_TO_SERVER_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` | +| type_uid | ```CASE WHEN CLIENT_TO_SERVER_METHOD = 'CONNECT' THEN 400201 
WHEN CLIENT_TO_SERVER_METHOD = 'DELETE' THEN 400202 WHEN CLIENT_TO_SERVER_METHOD = 'GET' THEN 400203 WHEN CLIENT_TO_SERVER_METHOD = 'HEAD' THEN 400204 WHEN CLIENT_TO_SERVER_METHOD = 'OPTIONS' THEN 400205 WHEN CLIENT_TO_SERVER_METHOD = 'POST' THEN 400206 WHEN CLIENT_TO_SERVER_METHOD = 'PUT' THEN 400207 WHEN CLIENT_TO_SERVER_METHOD = 'TRACE' THEN 400208 WHEN CLIENT_TO_SERVER_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/osquery/1.1.0/osquery-logs/network_activity/README.md b/mappings/markdown/osquery/1.1.0/osquery-logs/network_activity/README.md new file mode 100644 index 00000000..a66c71a5 --- /dev/null +++ b/mappings/markdown/osquery/1.1.0/osquery-logs/network_activity/README.md 
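Review bot: in the iboss-web-activity hunk, `http_request.url.port` is mapped from `RESPONSE_PATH::VARCHAR`, which by name is a path, not a port, while every other URL component comes from a `CLIENT_TO_SERVER_URI_*` column; this looks like a wrong source column and should either use the port of the request URI or be dropped so the field is not populated with a path string. Second, `status_id` maps `CLIENT_TO_SERVER_STATUS ILIKE '3%%'` to 2 (Failure); a 3xx is a redirect, not a failed request, so it should be 1 (Success) or left at 0/99 if redirects are not meant to be classified, and the matching `status` expression must change with it. Minor: `http_request.http_method` is an eight-branch CASE that returns its input unchanged for the known methods; `IFF(CLIENT_TO_SERVER_METHOD IN ('CONNECT','DELETE','GET','HEAD','OPTIONS','POST','PUT','TRACE'), CLIENT_TO_SERVER_METHOD, NULL)` says the same in one line. And `duration` passes `TIME_TAKEN` through while the zeek-conn hunk multiplies `DURATION` by 1000 to get milliseconds; please confirm `TIME_TAKEN` is already in milliseconds.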
@@ -0,0 +1,47 @@ +# Event Dossier: Osquery Logs to OCSF class Network Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `network_activity` +* Vendor name: `osquery` +* Product name: `osquery-logs` +* Event codes: `All` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```99::NUMBER``` | +| activity_id | ```(CASE WHEN EVENT_TYPE IS NULL THEN 0 ELSE 99 END)::NUMBER``` | +| activity_name | ```CASE ((CASE WHEN EVENT_TYPE IS NULL THEN 0 ELSE 99 END)::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ``` COMMAND_LINE::VARCHAR``` | +| actor.process.file.name | ```COLUMNS:name::VARCHAR``` | +| actor.process.file.path | ```PATH::VARCHAR``` | +| actor.process.parent_process.file.name | ```COLUMNS:parentname::VARCHAR``` | +| actor.process.parent_process.file.path | ```COLUMNS:parentpath::VARCHAR``` | +| actor.process.parent_process.pid | ```COLUMNS:parentid::NUMBER``` | +| actor.process.pid | ```COLUMNS:pid::NUMBER``` | +| actor.process.user.name | ```COALESCE(USER, COLUMNS:username)::VARCHAR``` | +| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | +| category_uid | ```4::NUMBER``` | +| class_name | ```'network_activity'``` | +| class_uid | ```4001``` | +| connection_info.protocol_name | ```CASE WHEN IFF(LEN(COLUMNS:protocol)>=1,COLUMNS:protocol,NULL)::NUMBER = 0 THEN 'HOPOPT' WHEN IFF(LEN(COLUMNS:protocol)>=1,COLUMNS:protocol,NULL)::NUMBER = 17 THEN 'UDP' WHEN IFF(LEN(COLUMNS:protocol)>=1,COLUMNS:protocol,NULL)::NUMBER = 3 THEN 'GGP' WHEN IFF(LEN(COLUMNS:protocol)>=1,COLUMNS:protocol,NULL)::NUMBER = 2 THEN 'IGMP' WHEN 
IFF(LEN(COLUMNS:protocol)>=1,COLUMNS:protocol,NULL)::NUMBER = 1 THEN 'ICMP' WHEN IFF(LEN(COLUMNS:protocol)>=1,COLUMNS:protocol,NULL)::NUMBER = 6 THEN 'TCP' ELSE NULL::VARCHAR END``` | +| connection_info.protocol_num | ```IFF(LEN(COLUMNS:protocol)>=1,COLUMNS:protocol,NULL)::NUMBER``` | +| count | ```COUNTER::NUMBER``` | +| device.hostname | ```COALESCE(HOST, HOST_IDENTIFIER)::VARCHAR``` | +| dst_endpoint.ip | ```COLUMNS:remote_address::VARCHAR``` | +| dst_endpoint.port | ```COLUMNS:remote_port::VARCHAR``` | +| metadata.product.name | ```'osquery-logs'``` | +| metadata.product.vendor_name | ```'osquery'``` | +| metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.ip | ```COLUMNS:local_address::VARCHAR``` | +| src_endpoint.port | ```COLUMNS:local_port::VARCHAR``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((4001*100 + (CASE WHEN EVENT_TYPE IS NULL THEN 0 ELSE 99 END)::NUMBER)::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | +| type_uid | ```(4001*100 + (CASE WHEN EVENT_TYPE IS NULL THEN 0 ELSE 99 END)::NUMBER)::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/osquery/1.1.0/osquery-logs/process_activity/README.md b/mappings/markdown/osquery/1.1.0/osquery-logs/process_activity/README.md new file mode 100644 index 00000000..c1d1db14 
--- /dev/null +++ b/mappings/markdown/osquery/1.1.0/osquery-logs/process_activity/README.md 
@@ -0,0 +1,41 @@ +# Event Dossier: Osquery Logs to OCSF class Process Activity + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `process_activity` +* Vendor name: `osquery` +* Product name: `osquery-logs` +* Event codes: `EVENT_TYPE ILIKE ANY ('%process%', '%Process%')` +--- + +| OCSF | RAW | +| --- | --- | +| action | ```CASE (CASE WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | +| action_id | ```CASE WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_id | ```CASE WHEN EVENT_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN EVENT_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Launch' WHEN 2 THEN 'Terminate' WHEN 3 THEN 'Open' WHEN 4 THEN 'Inject' WHEN 5 THEN 'Set User ID' WHEN 99 THEN 'Other' END``` | +| actor.process.cmd_line | ```COALESCE(COMMAND_LINE, COLUMNS:cmdline)::VARCHAR``` | +| actor.process.file.name | ```COLUMNS:name::VARCHAR``` | +| actor.process.file.path | ```COALESCE(COLUMNS:path, COLUMNS:child_path)::VARCHAR``` | +| actor.process.name | ```COLUMNS:child_process::VARCHAR``` | +| actor.process.parent_process.file.path | ```COLUMNS:parent_path::VARCHAR``` | +| actor.process.parent_process.name | ```COLUMNS:parent_process::VARCHAR``` | +| actor.process.parent_process.pid | ```COLUMNS:parent_pid::NUMBER``` | +| actor.process.pid | ```COALESCE(COLUMNS:pid, COLUMNS:child_pid)::NUMBER``` | +| actor.process.uid | ```COLUMNS:uid::VARCHAR``` | +| actor.process.user.name | ```COALESCE(USER, COLUMNS:username)::VARCHAR``` | +| category_name | ```CASE (1::NUMBER) WHEN 1 THEN 'System Activity' END``` | +| category_uid | ```1::NUMBER``` | +| class_name | ```'process_activity'``` | +| class_uid | ```1007``` | +| metadata.product.name | ```'osquery-logs'``` | +| metadata.product.vendor_name | ```'osquery'``` | +| 
metadata.version | ```'1.1.0'``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE (CASE WHEN EVENT_TYPE IS NULL THEN 100700 ELSE 100799 END::NUMBER) WHEN 100700 THEN 'Process Activity: Unknown' WHEN 100701 THEN 'Process Activity: Launch' WHEN 100702 THEN 'Process Activity: Terminate' WHEN 100703 THEN 'Process Activity: Open' WHEN 100704 THEN 'Process Activity: Inject' WHEN 100705 THEN 'Process Activity: Set User ID' WHEN 100799 THEN 'Process Activity: Other' END``` | +| type_uid | ```CASE WHEN EVENT_TYPE IS NULL THEN 100700 ELSE 100799 END::NUMBER``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ From 0497a8a3627ddf8f26f6c385ccfaa6a9865ce555 Mon Sep 17 00:00:00 2001 From: Omer Gull Date: Tue, 7 May 2024 17:41:34 +0300 Subject: [PATCH 2/3] Added new mappings and created some versioned folder for previous existing mappings --- .../aws-cloudtrail/authentication/README.md | 79 ------------------- .../network_activity/README.md | 51 ------------ .../AWS/1.1.0/aws-waf/http_activity/README.md | 54 ------------- .../dns_activity/README.md | 47 ----------- 4 files changed, 231 deletions(-) delete mode 100644 mappings/markdown/AWS/1.1.0/aws-cloudtrail/authentication/README.md delete mode 100644 mappings/markdown/AWS/1.1.0/aws-vpc-flow-logs/network_activity/README.md delete mode 100644 mappings/markdown/AWS/1.1.0/aws-waf/http_activity/README.md delete mode 100644 mappings/markdown/AWS/1.1.0/route53-resolver-query-logs/dns_activity/README.md 
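Review bot: in the osquery-logs network_activity README above (PATCH 1/3), `src_endpoint.port` and `dst_endpoint.port` are cast `::VARCHAR` (`COLUMNS:local_port::VARCHAR`, `COLUMNS:remote_port::VARCHAR`) while every pid column in the same table is `::NUMBER`; OCSF port fields are integers, so these should be `::NUMBER` too (the same VARCHAR cast appears in the aws-vpc-flow-logs and route53 hunks below). Two smaller points in the same hunk: `connection_info.protocol_name` repeats `IFF(LEN(COLUMNS:protocol)>=1,COLUMNS:protocol,NULL)::NUMBER` once per branch, where `CASE <that expression> WHEN 0 THEN 'HOPOPT' WHEN 1 THEN 'ICMP' ... END` evaluates it once and is harder to get wrong; and `activity_id` can only ever be 0 or 99, so any populated `EVENT_TYPE` is reported as 'Other' and the 'Open'/'Close'/'Traffic' activities listed in `activity_name` are never produced.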
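Review bot: in the osquery-logs process_activity README above (PATCH 1/3), `activity_id` collapses every non-null `EVENT_TYPE` to 99 'Other' even though the event filter `EVENT_TYPE ILIKE ANY ('%process%', '%Process%')` already restricts this mapping to process events and the enum in `activity_name` provides 'Launch' (1) and 'Terminate' (2); derive the activity from the concrete `EVENT_TYPE` values instead of emitting 'Other' for all of them. Also, `actor.process.name` is taken only from `COLUMNS:child_process`, whereas `actor.process.file.path` and `actor.process.pid` use `COALESCE(COLUMNS:path, COLUMNS:child_path)` and `COALESCE(COLUMNS:pid, COLUMNS:child_pid)`; an event that carries the non-`child_*` columns will get a path and pid but a null process name, so apply the same `COALESCE` pattern there.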
diff --git a/mappings/markdown/AWS/1.1.0/aws-cloudtrail/authentication/README.md b/mappings/markdown/AWS/1.1.0/aws-cloudtrail/authentication/README.md deleted file mode 100644 index d358b99b..00000000 --- a/mappings/markdown/AWS/1.1.0/aws-cloudtrail/authentication/README.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# Event Dossier: Aws Cloudtrail to OCSF class Authentication - -## wip: provided mapping files are not validated against schema server yet so required fields might be missing ---- -* Class name: `authentication` -* Vendor name: `aws` -* Product name: `aws-cloudtrail` -* Event codes: `EVENT_NAME in ('ConsoleLogin', 'AssumeRoleWithSAML')` ---- - -| OCSF | RAW | -| --- | --- | -| activity_id | ```1::NUMBER``` | -| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | -| actor.authorizations | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT_KEEP_NULL('decision', CASE WHEN EVENT_NAME = 'ConsoleLogin' THEN CASE WHEN RESPONSE_ELEMENTS:ConsoleLogin = 'Success' THEN 'allowed' ELSE 'denied' END WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN CASE WHEN RESPONSE_ELEMENTS:credentials:accessKeyId IS NOT NULL THEN 'allowed' ELSE 'denied' END END))``` | -| actor.session.credential_uid | ```USER_IDENTITY_ACCESS_KEY_ID::VARCHAR``` | -| actor.session.is_mfa | ```CASE WHEN ADDITIONAL_EVENT_DATA:MFAUsed = 'No' THEN FALSE WHEN ADDITIONAL_EVENT_DATA:MFAUsed = 'Yes' THEN TRUE ELSE NULL::BOOLEAN END``` | -| actor.user.account.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | -| actor.user.credential_uid | ```USER_IDENTITY_ACCESS_KEY_ID::VARCHAR``` | -| actor.user.email_addr | ```CASE WHEN EVENT_NAME = 'ConsoleLogin' and CONTAINS(USER_IDENTITY:arn, '/') THEN SPLIT_PART(USER_IDENTITY:arn, '/', -1) WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN REQUEST_PARAMETERS:roleSessionName::VARCHAR END``` | -| actor.user.name | ```CASE EVENT_NAME WHEN 'ConsoleLogin' THEN USER_IDENTITY_SESSION_CONTEXT_SESSION_ISSUER_USER_NAME::VARCHAR ELSE USER_IDENTITY_USER_NAME::VARCHAR END``` | -| actor.user.org.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | -| actor.user.uid | ```CASE EVENT_NAME WHEN 'ConsoleLogin' THEN USER_IDENTITY_ARN::VARCHAR 
ELSE RESOURCES[0]:ARN::VARCHAR END``` | -| api.response.code | ```ERROR_CODE::NUMBER``` | -| api.response.error | ```ERROR_CODE::VARCHAR``` | -| api.response.error_message | ```ERROR_MESSAGE::VARCHAR``` | -| api.service.name | ```EVENT_SOURCE::VARCHAR``` | -| api.service.uid | ```EVENT_SOURCE::VARCHAR``` | -| api.service.version | ```EVENT_VERSION::VARCHAR``` | -| api.version | ```EVENT_VERSION::VARCHAR``` | -| auth_protocol | ```CASE (CASE WHEN EVENT_NAME = 'ConsoleLogin' THEN '99'::NUMBER WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN '5'::NUMBER END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'NTLM' WHEN 10 THEN 'RADIUS' WHEN 2 THEN 'Kerberos' WHEN 3 THEN 'Digest' WHEN 4 THEN 'OpenID' WHEN 5 THEN 'SAML' WHEN 6 THEN 'OAUTH 2.0' WHEN 7 THEN 'PAP' WHEN 8 THEN 'CHAP' WHEN 9 THEN 'EAP' WHEN 99 THEN 'Other' END``` | -| auth_protocol_id | ```CASE WHEN EVENT_NAME = 'ConsoleLogin' THEN '99'::NUMBER WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN '5'::NUMBER END``` | -| category_name | ```CASE ('3'::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | -| category_uid | ```'3'::NUMBER``` | -| class_name | ```'authentication'``` | -| class_uid | ```3002``` | -| cloud.account.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | -| cloud.org.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | -| cloud.provider | ```'AWS'::VARCHAR``` | -| cloud.region | ```AWS_REGION::VARCHAR``` | -| dst_endpoint.domain | ```'amazonaws.com'::VARCHAR``` | -| dst_endpoint.hostname | ```EVENT_SOURCE::VARCHAR``` | -| dst_endpoint.name | ```EVENT_SOURCE::VARCHAR``` | -| dst_endpoint.type | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | -| dst_endpoint.type_id | ```1::NUMBER``` | -| http_request.user_agent | ```USER_AGENT::VARCHAR``` | -| is_mfa | ```CASE WHEN 
ADDITIONAL_EVENT_DATA:MFAUsed = 'No' THEN FALSE WHEN ADDITIONAL_EVENT_DATA:MFAUsed = 'Yes' THEN TRUE ELSE NULL::BOOLEAN END``` | -| is_remote | ```TRUE::BOOLEAN``` | -| metadata.event_code | ```event_name``` | -| metadata.product.name | ```'aws-cloudtrail'``` | -| metadata.product.vendor_name | ```'aws'``` | -| metadata.version | ```'1.1.0'``` | -| service.name | ```EVENT_SOURCE::VARCHAR``` | -| service.uid | ```EVENT_SOURCE::VARCHAR``` | -| service.version | ```EVENT_VERSION::VARCHAR``` | -| session.created_time | ```date_part('epoch_milliseconds', USER_IDENTITY_SESSION_CONTEXT_ATTRIBUTES_CREATION_DATE::TIMESTAMP_LTZ)``` | -| session.created_time_dt | ```USER_IDENTITY_SESSION_CONTEXT_ATTRIBUTES_CREATION_DATE::TIMESTAMP_LTZ``` | -| session.credential_uid | ```USER_IDENTITY_ACCESS_KEY_ID::VARCHAR``` | -| session.is_mfa | ```CASE WHEN ADDITIONAL_EVENT_DATA:MFAUsed = 'No' THEN FALSE WHEN ADDITIONAL_EVENT_DATA:MFAUsed = 'Yes' THEN TRUE ELSE NULL::BOOLEAN END``` | -| session.issuer | ```USER_IDENTITY_SESSION_CONTEXT_SESSION_ISSUER_ARN::VARCHAR``` | -| src_endpoint.ip | ```SOURCE_IP_ADDRESS::VARCHAR``` | -| status | ```CASE (CASE WHEN EVENT_NAME = 'ConsoleLogin' THEN CASE WHEN RESPONSE_ELEMENTS:ConsoleLogin = '1'::NUMBER THEN '1'::number ELSE '2'::number END WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN CASE WHEN RESPONSE_ELEMENTS:credentials:accessKeyId IS NOT NULL THEN '1'::number ELSE '2'::number END END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | -| status_code | ```ERROR_CODE::VARCHAR``` | -| status_detail | ```ERROR_MESSAGE::VARCHAR``` | -| status_id | ```CASE WHEN EVENT_NAME = 'ConsoleLogin' THEN CASE WHEN RESPONSE_ELEMENTS:ConsoleLogin = '1'::NUMBER THEN '1'::number ELSE '2'::number END WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN CASE WHEN RESPONSE_ELEMENTS:credentials:accessKeyId IS NOT NULL THEN '1'::number ELSE '2'::number END END``` | -| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` 
| -| time_dt | ```event_time::TIMESTAMP_LTZ``` | -| type_name | ```CASE (300201::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | -| type_uid | ```300201::NUMBER``` | -| user.account.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | -| user.credential_uid | ```USER_IDENTITY_ACCESS_KEY_ID::VARCHAR``` | -| user.email_addr | ```CASE WHEN EVENT_NAME = 'ConsoleLogin' and CONTAINS(USER_IDENTITY:arn, '/') THEN SPLIT_PART(USER_IDENTITY:arn, '/', -1) WHEN EVENT_NAME = 'AssumeRoleWithSAML' THEN REQUEST_PARAMETERS:roleSessionName::VARCHAR END``` | -| user.name | ```CASE EVENT_NAME WHEN 'ConsoleLogin' THEN USER_IDENTITY_SESSION_CONTEXT_SESSION_ISSUER_USER_NAME::VARCHAR ELSE USER_IDENTITY_USER_NAME::VARCHAR END``` | -| user.org.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` | -| user.type | ```CASE (case when USER_IDENTITY_TYPE = 'Unknown' then 0 when USER_IDENTITY_TYPE in ('IAMUser', 'SAMLUser', 'WebIdentityUser') then 1 when USER_IDENTITY_TYPE = 'Root' then 2 else 99 end) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'User' WHEN 2 THEN 'Admin' WHEN 3 THEN 'System' WHEN 99 THEN 'Other' END``` | -| user.type_id | ```case when USER_IDENTITY_TYPE = 'Unknown' then 0 when USER_IDENTITY_TYPE in ('IAMUser', 'SAMLUser', 'WebIdentityUser') then 1 when USER_IDENTITY_TYPE = 'Root' then 2 else 99 end``` | -| user.uid | ```CASE EVENT_NAME WHEN 'ConsoleLogin' THEN USER_IDENTITY_ARN::VARCHAR ELSE RESOURCES[0]:ARN::VARCHAR END``` | - -Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ 
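Review bot: this hunk deletes `mappings/markdown/AWS/1.1.0/aws-cloudtrail/authentication/README.md`, which PATCH 1/3 of the same series creates (79 lines in both diffstats), so the series carries a no-op add-then-delete; squash the two commits, or say in the commit message where the mapping now lives. If the content is kept elsewhere, note that `status` and `status_id` test `RESPONSE_ELEMENTS:ConsoleLogin = '1'::NUMBER` while `actor.authorizations` in the same table tests the same field with `= 'Success'`; both cannot be right, and the `'Success'` form is the correct one (CloudTrail reports the ConsoleLogin outcome as the string Success or Failure), with `'1'::number` and `'2'::number` simplified to bare `1` and `2`.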
diff --git a/mappings/markdown/AWS/1.1.0/aws-vpc-flow-logs/network_activity/README.md b/mappings/markdown/AWS/1.1.0/aws-vpc-flow-logs/network_activity/README.md deleted file mode 100644 index 33aaf51a..00000000 --- a/mappings/markdown/AWS/1.1.0/aws-vpc-flow-logs/network_activity/README.md +++ /dev/null 
@@ -1,51 +0,0 @@ -# Event Dossier: Aws Vpc Flow Logs to OCSF class Network Activity - -## wip: provided mapping files are not validated against schema server yet so required fields might be missing ---- -* Class name: `network_activity` -* Vendor name: `aws` -* Product name: `aws-vpc-flow-logs` -* Event codes: `All` ---- - -| OCSF | RAW | -| --- | --- | -| action | ```CASE (CASE WHEN ACTION = 'Block' then 2 WHEN ACTION = 'ACCEPT' then 1 WHEN ACTION is null then 0 ELSE 99 END::int::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | -| action_id | ```CASE WHEN ACTION = 'Block' then 2 WHEN ACTION = 'ACCEPT' then 1 WHEN ACTION is null then 0 ELSE 99 END::int::NUMBER``` | -| activity_id | ```0::NUMBER``` | -| activity_name | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Open' WHEN 2 THEN 'Close' WHEN 3 THEN 'Reset' WHEN 4 THEN 'Fail' WHEN 5 THEN 'Refuse' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | -| actor.user.account.uid | ```ACCOUNT_ID::VARCHAR``` | -| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | -| category_uid | ```4::NUMBER``` | -| class_name | ```'network_activity'``` | -| class_uid | ```4001``` | -| cloud.region | ```REGION::VARCHAR``` | -| connection_info.direction | ```CASE (CASE FLOW_DIRECTION WHEN 'ingress' THEN 1::NUMBER WHEN 'egress' THEN 2::NUMBER ELSE 0::NUMBER END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | -| connection_info.direction_id | ```CASE FLOW_DIRECTION WHEN 'ingress' THEN 1::NUMBER WHEN 'egress' THEN 2::NUMBER ELSE 0::NUMBER END``` | -| connection_info.protocol_num | ```IANA_PROTOCOL_NUMBER::NUMBER``` | -| connection_info.protocol_ver | ```CASE (CASE TRAFFIC_TYPE WHEN 'IPv4' THEN 4::NUMBER WHEN 'IPv6' THEN 6 ELSE 0 END) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | -| 
connection_info.protocol_ver_id | ```CASE TRAFFIC_TYPE WHEN 'IPv4' THEN 4::NUMBER WHEN 'IPv6' THEN 6 ELSE 0 END``` | -| connection_info.tcp_flags | ```TCP_FLAGS::NUMBER``` | -| device.instance_uid | ```INSTANCE_ID::VARCHAR``` | -| device.interface_uid | ```INTERFACE_ID::VARCHAR``` | -| device.subnet_uid | ```SUBNET_ID::VARCHAR``` | -| device.vpc_uid | ```VPC_ID::VARCHAR``` | -| dst_endpoint.ip | ```DESTINATION_ADDRESS::VARCHAR``` | -| dst_endpoint.port | ```DESTINATION_PORT::VARCHAR``` | -| end_time | ```date_part('epoch_milliseconds', END_TIME::TIMESTAMP_LTZ)``` | -| end_time_dt | ```END_TIME::TIMESTAMP_LTZ``` | -| metadata.product.name | ```'aws-vpc-flow-logs'``` | -| metadata.product.vendor_name | ```'aws'``` | -| metadata.version | ```'1.1.0'``` | -| severity | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | -| severity_id | ```1::NUMBER``` | -| src_endpoint.ip | ```SOURCE_ADDRESS::VARCHAR``` | -| src_endpoint.port | ```SOURCE_PORT::VARCHAR``` | -| time | ```date_part('epoch_milliseconds', start_time::TIMESTAMP_LTZ)``` | -| time_dt | ```start_time::TIMESTAMP_LTZ``` | -| traffic.bytes_out | ```TOTAL_BYTES_TRANSFERRED::NUMBER``` | -| traffic.packets_out | ```TOTAL_PACKETS_TRANSFERRED::NUMBER``` | -| type_name | ```CASE (400100::NUMBER) WHEN 400100 THEN 'Network Activity: Unknown' WHEN 400101 THEN 'Network Activity: Open' WHEN 400102 THEN 'Network Activity: Close' WHEN 400103 THEN 'Network Activity: Reset' WHEN 400104 THEN 'Network Activity: Fail' WHEN 400105 THEN 'Network Activity: Refuse' WHEN 400106 THEN 'Network Activity: Traffic' WHEN 400199 THEN 'Network Activity: Other' END``` | -| type_uid | ```400100::NUMBER``` | - -Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ 
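Review bot: in the removed aws-vpc-flow-logs mapping, `action` and `action_id` compare `ACTION = 'Block'` (mixed case) next to `ACTION = 'ACCEPT'` (upper case); VPC Flow Logs emit `ACCEPT` and `REJECT`, so the deny branch never matches and rejected flows land in `ELSE 99` 'Other' instead of 2 'Denied'. If this mapping is re-added under a versioned path, use `'REJECT'`, drop the redundant `::int::NUMBER` double cast, and cast `SOURCE_PORT`/`DESTINATION_PORT` to `::NUMBER` rather than `::VARCHAR`. The same add-in-1/3, delete-in-2/3 pattern as the aws-cloudtrail file applies to this hunk.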
diff --git a/mappings/markdown/AWS/1.1.0/aws-waf/http_activity/README.md b/mappings/markdown/AWS/1.1.0/aws-waf/http_activity/README.md deleted file mode 100644 index b0a23185..00000000 --- a/mappings/markdown/AWS/1.1.0/aws-waf/http_activity/README.md +++ /dev/null 
@@ -1,54 +0,0 @@ -# Event Dossier: Aws Waf to OCSF class Http Activity - -## wip: provided mapping files are not validated against schema server yet so required fields might be missing ---- -* Class name: `http_activity` -* Vendor name: `aws` -* Product name: `aws-waf` -* Event codes: `All` ---- - -| OCSF | RAW | -| --- | --- | -| action | ```CASE (CASE WHEN ACTION = 'ALLOW' THEN 1 WHEN ACTION = 'BLOCK' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | -| action_id | ```CASE WHEN ACTION = 'ALLOW' THEN 1 WHEN ACTION = 'BLOCK' THEN 2 WHEN ACTION IS NULL THEN 0 ELSE 99 END::NUMBER``` | -| activity_id | ```CASE WHEN HTTP_REQUEST_HTTP_METHOD = 'CONNECT' THEN 1 WHEN HTTP_REQUEST_HTTP_METHOD = 'DELETE' THEN 2 WHEN HTTP_REQUEST_HTTP_METHOD = 'GET' THEN 3 WHEN HTTP_REQUEST_HTTP_METHOD = 'HEAD' THEN 4 WHEN HTTP_REQUEST_HTTP_METHOD = 'OPTIONS' THEN 5 WHEN HTTP_REQUEST_HTTP_METHOD = 'POST' THEN 6 WHEN HTTP_REQUEST_HTTP_METHOD = 'PUT' THEN 7 WHEN HTTP_REQUEST_HTTP_METHOD = 'TRACE' THEN 8 WHEN HTTP_REQUEST_HTTP_METHOD = NULL THEN 0 ELSE 99 END::NUMBER``` | -| activity_name | ```CASE (CASE WHEN HTTP_REQUEST_HTTP_METHOD = 'CONNECT' THEN 1 WHEN HTTP_REQUEST_HTTP_METHOD = 'DELETE' THEN 2 WHEN HTTP_REQUEST_HTTP_METHOD = 'GET' THEN 3 WHEN HTTP_REQUEST_HTTP_METHOD = 'HEAD' THEN 4 WHEN HTTP_REQUEST_HTTP_METHOD = 'OPTIONS' THEN 5 WHEN HTTP_REQUEST_HTTP_METHOD = 'POST' THEN 6 WHEN HTTP_REQUEST_HTTP_METHOD = 'PUT' THEN 7 WHEN HTTP_REQUEST_HTTP_METHOD = 'TRACE' THEN 8 WHEN HTTP_REQUEST_HTTP_METHOD = NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` | -| class_name | ```'http_activity'``` | -| class_uid | ```4002``` | -| cloud.provider | ```'AWS'::VARCHAR``` | -| connection_info.boundary | ```CASE 
(5::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Localhost' WHEN 10 THEN 'Gateway VPC' WHEN 11 THEN 'Internet Gateway' WHEN 2 THEN 'Internal' WHEN 3 THEN 'External' WHEN 4 THEN 'Same VPC' WHEN 5 THEN 'Internet/VPC Gateway' WHEN 6 THEN 'Virtual Private Gateway' WHEN 7 THEN 'Intra-region VPC' WHEN 8 THEN 'Inter-region VPC' WHEN 9 THEN 'Local Gateway' WHEN 99 THEN 'Other' END``` | -| connection_info.boundary_id | ```5::NUMBER``` | -| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` | -| connection_info.direction_id | ```1::NUMBER``` | -| connection_info.protocol_ver | ```CASE (PARSE_IP(HTTP_REQUEST_CLIENT_IP, 'INET'):family::NUMBER::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` | -| connection_info.protocol_ver_id | ```PARSE_IP(HTTP_REQUEST_CLIENT_IP, 'INET'):family::NUMBER::NUMBER``` | -| connection_info.uid | ```HTTP_REQUEST_REQUEST_ID::VARCHAR``` | -| dst_endpoint.hostname | ```HTTP_REQUEST_HEADERS:host::VARCHAR``` | -| firewall_rule.match_details | ```TERMINATING_RULE_MATCH_DETAILS::VARCHAR``` | -| firewall_rule.rate_limit | ```RATE_BASED_RULE_LIST[0]:maxRateAllowed::NUMBER``` | -| firewall_rule.type | ```TERMINATING_RULE_TYPE::VARCHAR``` | -| firewall_rule.uid | ```TERMINATING_RULE_ID::VARCHAR``` | -| http_cookies.value | ```HTTP_REQUEST_HEADERS:cookie::VARCHAR``` | -| http_request.args | ```HTTP_REQUEST_ARGS::VARCHAR``` | -| http_request.http_method | ```CASE WHEN HTTP_REQUEST_HTTP_METHOD = 'CONNECT' THEN 'CONNECT' WHEN HTTP_REQUEST_HTTP_METHOD = 'DELETE' THEN 'DELETE' WHEN HTTP_REQUEST_HTTP_METHOD = 'GET' THEN 'GET' WHEN HTTP_REQUEST_HTTP_METHOD = 'HEAD' THEN 'HEAD' WHEN HTTP_REQUEST_HTTP_METHOD = 'OPTIONS' THEN 'OPTIONS' WHEN HTTP_REQUEST_HTTP_METHOD = 'POST' THEN 'POST' WHEN HTTP_REQUEST_HTTP_METHOD = 'PUT' THEN 'PUT' WHEN 
HTTP_REQUEST_HTTP_METHOD = 'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` | -| http_request.referrer | ```HTTP_REQUEST_HEADERS:referer::VARCHAR``` | -| http_request.uid | ```HTTP_REQUEST_REQUEST_ID::VARCHAR``` | -| http_request.url.hostname | ```HTTP_REQUEST_HEADERS:host::VARCHAR``` | -| http_request.url.path | ```HTTP_REQUEST_URI::VARCHAR``` | -| http_request.url.query_string | ```HTTP_REQUEST_ARGS::VARCHAR``` | -| http_request.user_agent | ```HTTP_REQUEST_HEADERS:"user-agent"::VARCHAR``` | -| http_request.version | ```HTTP_REQUEST_HTTP_VERSION::VARCHAR``` | -| metadata.product.name | ```'aws-waf'``` | -| metadata.product.vendor_name | ```'aws'``` | -| metadata.version | ```'1.1.0'``` | -| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | -| severity_id | ```0::NUMBER``` | -| src_endpoint.ip | ```HTTP_REQUEST_CLIENT_IP::VARCHAR``` | -| src_endpoint.location.country | ```HTTP_REQUEST_COUNTRY::VARCHAR``` | -| src_endpoint.name | ```HTTP_SOURCE_NAME::VARCHAR``` | -| src_endpoint.uid | ```HTTP_SOURCE_ID::VARCHAR``` | -| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | -| time_dt | ```event_time::TIMESTAMP_LTZ``` | - -Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/AWS/1.1.0/route53-resolver-query-logs/dns_activity/README.md b/mappings/markdown/AWS/1.1.0/route53-resolver-query-logs/dns_activity/README.md deleted file mode 100644 index 4295c1f2..00000000 --- a/mappings/markdown/AWS/1.1.0/route53-resolver-query-logs/dns_activity/README.md +++ /dev/null 
@@ -1,47 +0,0 @@ -# Event Dossier: Route53 Resolver Query Logs to OCSF class Dns Activity - -## wip: provided mapping files are not validated against schema server yet so required fields might be missing ---- -* Class name: `dns_activity` -* Vendor name: `aws` -* Product name: `route53-resolver-query-logs` -* Event codes: `All` ---- - -| OCSF | RAW | -| --- | --- | -| action | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` | -| action_id | ```99::NUMBER``` | -| activity_id | ```1::NUMBER``` | -| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Query' WHEN 2 THEN 'Response' WHEN 6 THEN 'Traffic' WHEN 99 THEN 'Other' END``` | -| answers | ```RAW:answers::ARRAY``` | -| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` | -| category_uid | ```4::NUMBER``` | -| class_name | ```'dns_activity'``` | -| class_uid | ```4003``` | -| cloud.account.uid | ```ACCOUNT_ID::VARCHAR``` | -| cloud.region | ```REGION::VARCHAR``` | -| connection_info.protocol_name | ```LOWER(TRANSPORT)::VARCHAR``` | -| connection_info.protocol_num | ```CASE WHEN TRANSPORT = 'TCP' THEN 6 WHEN TRANSPORT = 'UDP' THEN 17 ELSE -1 END::NUMBER``` | -| disposition | ```CASE (99::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` | -| disposition_id | 
```99::NUMBER``` | -| firewall_rule.name | ```FIREWALL_RULE_ACTION::VARCHAR``` | -| metadata.product.name | ```'route53-resolver-query-logs'``` | -| metadata.product.vendor_name | ```'aws'``` | -| metadata.version | ```'1.1.0'``` | -| query.class | ```QUERY_CLASS::VARCHAR``` | -| query.hostname | ```QUERY_NAME::VARCHAR``` | -| query.type | ```QUERY_TYPE::VARCHAR``` | -| rcode | ```CASE (CASE WHEN RETURN_CODE = 'NOERROR' THEN 0 WHEN RETURN_CODE = 'SERVFAIL' THEN 2 WHEN RETURN_CODE = 'NXDOMAIN' THEN 3 ELSE 99 END::NUMBER) WHEN 0 THEN 'NoError' WHEN 1 THEN 'FormError' WHEN 10 THEN 'NotZone' WHEN 11 THEN 'DSOTYPENI' WHEN 16 THEN 'BADSIG_VERS' WHEN 17 THEN 'BADKEY' WHEN 18 THEN 'BADTIME' WHEN 19 THEN 'BADMODE' WHEN 2 THEN 'ServError' WHEN 20 THEN 'BADNAME' WHEN 21 THEN 'BADALG' WHEN 22 THEN 'BADTRUNC' WHEN 23 THEN 'BADCOOKIE' WHEN 24 THEN 'Unassigned' WHEN 25 THEN 'Reserved' WHEN 3 THEN 'NXDomain' WHEN 4 THEN 'NotImp' WHEN 5 THEN 'Refused' WHEN 6 THEN 'YXDomain' WHEN 7 THEN 'YXRRSet' WHEN 8 THEN 'NXRRSet' WHEN 9 THEN 'NotAuth' WHEN 99 THEN 'Other' END``` | -| rcode_id | ```CASE WHEN RETURN_CODE = 'NOERROR' THEN 0 WHEN RETURN_CODE = 'SERVFAIL' THEN 2 WHEN RETURN_CODE = 'NXDOMAIN' THEN 3 ELSE 99 END::NUMBER``` | -| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | -| severity_id | ```0::NUMBER``` | -| src_endpoint.instance_uid | ```SOURCE_IDS_INSTANCE_ID::VARCHAR``` | -| src_endpoint.ip | ```SOURCE_ADDRESS::VARCHAR``` | -| src_endpoint.port | ```SOURCE_PORT::VARCHAR``` | -| time | ```date_part('epoch_milliseconds', query_timestamp::TIMESTAMP_LTZ)``` | -| time_dt | ```query_timestamp::TIMESTAMP_LTZ``` | -| type_name | ```CASE (400301::NUMBER) WHEN 400300 THEN 'DNS Activity: Unknown' WHEN 400301 THEN 'DNS Activity: Query' WHEN 400302 THEN 'DNS Activity: Response' WHEN 400306 THEN 'DNS Activity: Traffic' WHEN 400399 
THEN 'DNS Activity: Other' END``` | -| type_uid | ```400301::NUMBER``` | - -Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ From 9483365c2943dfd6cf89a2044617f974aa30b507 Mon Sep 17 00:00:00 2001 From: Omer Gull Date: Sat, 25 May 2024 17:29:08 +0300 Subject: [PATCH 3/3] Fixed Cisco-duo: brandikuritz comments --- .../authentication/README.md | 53 +++++++++++++++++++ .../authentication/README.md | 50 ----------------- 2 files changed, 53 insertions(+), 50 deletions(-) create mode 100644 mappings/markdown/Cisco/Duo/1.1.0/duo-authentication-logs/authentication/README.md delete mode 100644 mappings/markdown/Duo/1.1.0/duo-authentication-logs/authentication/README.md diff --git a/mappings/markdown/Cisco/Duo/1.1.0/duo-authentication-logs/authentication/README.md b/mappings/markdown/Cisco/Duo/1.1.0/duo-authentication-logs/authentication/README.md new file mode 100644 index 00000000..99e83160 --- /dev/null +++ b/mappings/markdown/Cisco/Duo/1.1.0/duo-authentication-logs/authentication/README.md 
@@ -0,0 +1,53 @@ +# Event Dossier: Duo Authentication Logs to OCSF class Authentication + +## wip: provided mapping files are not validated against schema server yet so required fields might be missing +--- +* Class name: `authentication` +* Vendor name: `duo` +* Product name: `duo-authentication-logs` +* Event codes: `EVENT_TYPE = 'authentication'` +--- + +| OCSF | RAW | +|------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| activity_id | ```CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END::NUMBER``` | +| activity_name | ```CASE (CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | +| actor.app_uid | ```APPLICATION_KEY``` | +| actor.app_name | ```APPLICATION_NAME``` | +| auth_protocol | ```FACTOR``` | +| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | +| category_uid | ```3::NUMBER``` | +| class_name | ```'authentication'``` | +| class_uid | ```3002``` | +| device.hostname | ```ACCESS_DEVICE_HOSTNAME::VARCHAR``` | +| device.ip | ```ACCESS_DEVICE_IP::VARCHAR``` | +| device.location.city | ```AUTH_DEVICE_LOCATION:city::VARCHAR``` | +| device.location.country | ```AUTH_DEVICE_LOCATION:country::VARCHAR``` | +| device.os.name | ```ACCESS_DEVICE_OS::VARCHAR``` | 
+| device.os.version | ```CONCAT(ACCESS_DEVICE_OS, ' ', RAW:access_device:os_version)::VARCHAR``` | +| device.type | ```CASE (CASE WHEN ACCESS_DEVICE_BROWSER IS NULL THEN 0 ELSE 8 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | +| device.type_id | ```CASE WHEN ACCESS_DEVICE_BROWSER IS NULL THEN 0 ELSE 8 END::NUMBER``` | +| device.uid | ```ACCESS_DEVICE_EPKEY::VARCHAR``` | +| is_mfa | ```IFF(FACTOR IS NULL OR FACTOR = 'not_available', false, true)::BOOLEAN``` | +| metadata.event_code | ```event_type``` | +| metadata.product.name | ```'duo-authentication-logs'``` | +| metadata.product.vendor_name | ```'cisco'``` | +| metadata.version | ```'1.1.0'``` | +| service.name | ```APPLICATION_NAME::VARCHAR``` | +| service.uid | ```APPLICATION_KEY::VARCHAR``` | +| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | +| severity_id | ```0::NUMBER``` | +| src_endpoint.hostname | ```HOST::VARCHAR``` | +| status | ```CASE (CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | +| status_detail | ```REASON::VARCHAR``` | +| status_id | ```CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END::NUMBER``` | +| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | +| time_dt | ```event_time::TIMESTAMP_LTZ``` | +| type_name | ```CASE ((300200 + (CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END))::NUMBER) WHEN 
300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | +| type_uid | ```(300200 + (CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END))::NUMBER``` | +| user.email_addr | ```EMAIL::VARCHAR``` | +| user.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT('name', USER_GROUPS[0]))::VARIANT``` | +| user.name | ```USER_NAME::VARCHAR``` | +| user.uid | ```USER_KEY::VARCHAR``` | + +Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤ diff --git a/mappings/markdown/Duo/1.1.0/duo-authentication-logs/authentication/README.md b/mappings/markdown/Duo/1.1.0/duo-authentication-logs/authentication/README.md deleted file mode 100644 index ffcbf4c6..00000000 --- a/mappings/markdown/Duo/1.1.0/duo-authentication-logs/authentication/README.md +++ /dev/null 
@@ -1,50 +0,0 @@ -# Event Dossier: Duo Authentication Logs to OCSF class Authentication - -## wip: provided mapping files are not validated against schema server yet so required fields might be missing ---- -* Class name: `authentication` -* Vendor name: `duo` -* Product name: `duo-authentication-logs` -* Event codes: `EVENT_TYPE = 'authentication'` ---- - -| OCSF | RAW | -| --- | --- | -| activity_id | ```CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END::NUMBER``` | -| activity_name | ```CASE (CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` | -| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` | -| category_uid | ```3::NUMBER``` | -| class_name | ```'authentication'``` | -| class_uid | ```3002``` | -| device.hostname | ```ACCESS_DEVICE_HOSTNAME::VARCHAR``` | -| device.ip | ```ACCESS_DEVICE_IP::VARCHAR``` | -| device.location.city | ```AUTH_DEVICE_LOCATION:city::VARCHAR``` | -| device.location.country | ```AUTH_DEVICE_LOCATION:country::VARCHAR``` | -| device.os.name | ```ACCESS_DEVICE_OS::VARCHAR``` | -| device.os.version | ```CONCAT(ACCESS_DEVICE_OS, ' ', RAW:access_device:os_version)::VARCHAR``` | -| device.type | ```CASE (CASE WHEN ACCESS_DEVICE_BROWSER IS NULL THEN 0 ELSE 8 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Server' WHEN 10 THEN 'Switch' WHEN 11 THEN 'Hub' WHEN 2 THEN 'Desktop' WHEN 3 THEN 'Laptop' WHEN 4 THEN 'Tablet' WHEN 5 THEN 'Mobile' WHEN 6 THEN 'Virtual' WHEN 7 THEN 'IOT' WHEN 8 THEN 'Browser' WHEN 9 THEN 'Firewall' WHEN 99 THEN 'Other' END``` | -| device.type_id | ```CASE WHEN ACCESS_DEVICE_BROWSER IS NULL THEN 0 ELSE 8 END::NUMBER``` | -| device.uid | ```ACCESS_DEVICE_EPKEY::VARCHAR``` | 
-| is_mfa | ```IFF(FACTOR IS NULL OR FACTOR = 'not_available', false, true)::BOOLEAN``` | -| metadata.event_code | ```event_type``` | -| metadata.product.name | ```'duo-authentication-logs'``` | -| metadata.product.vendor_name | ```'duo'``` | -| metadata.version | ```'1.1.0'``` | -| service.name | ```APPLICATION_NAME::VARCHAR``` | -| service.uid | ```APPLICATION_KEY::VARCHAR``` | -| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` | -| severity_id | ```0::NUMBER``` | -| src_endpoint.hostname | ```HOST::VARCHAR``` | -| status | ```CASE (CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` | -| status_detail | ```REASON::VARCHAR``` | -| status_id | ```CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END::NUMBER``` | -| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` | -| time_dt | ```event_time::TIMESTAMP_LTZ``` | -| type_name | ```CASE ((300200 + (CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END))::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` | -| type_uid | ```(300200 + (CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT = 'success' THEN 1 WHEN RESULT = 'denied' THEN 2 ELSE 99 END))::NUMBER``` | -| user.email_addr | ```EMAIL::VARCHAR``` | -| user.groups | ```ARRAY_CONSTRUCT(OBJECT_CONSTRUCT('name', USER_GROUPS[0]))::VARIANT``` | 
-| user.name | ```USER_NAME::VARCHAR``` | -| user.uid | ```USER_KEY::VARCHAR``` | - -Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤
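Review bot: In the new dossier hunk above, `RESULT = 'denied'` is mapped to `activity_id` 2, which the `activity_name` and `type_name` branches then render as 'Logoff' and 'Authentication: Logoff' (type_uid 300202). A denied Duo authentication is a failed logon attempt, not a logoff, and the outcome is already carried by `status_id` (2 → 'Failure'), so `activity_id` should be 1 ('Logon') for both 'success' and 'denied', e.g. `CASE WHEN RESULT IS NULL THEN 0 WHEN RESULT IN ('success', 'denied') THEN 1 ELSE 99 END::NUMBER`, with the same expression reused in `activity_name`, `type_name` and `type_uid`. Smaller points in the same hunk: `metadata.product.vendor_name` is now `'cisco'` while the header bullet still reads `Vendor name: duo`; `device.hostname`, `device.ip` and `device.os.*` are taken from `ACCESS_DEVICE_*` columns but `device.location.*` from `AUTH_DEVICE_LOCATION`, so one `device` object mixes the access device with the second-factor device and should be documented or split; and `user.groups` keeps only `USER_GROUPS[0]`, silently dropping any further group memberships.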
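Review bot: This hunk deletes `mappings/markdown/Duo/1.1.0/duo-authentication-logs/authentication/README.md` outright rather than moving it, so the dossier's history is cut and any links or tooling that reference the `Duo/1.1.0` path will break. Since the same table re-appears in the new dossier earlier in this patch with only `metadata.product.vendor_name` changed from `'duo'` to `'cisco'` and the `actor.app_uid`, `actor.app_name` and `auth_protocol` rows added, record it as a rename so the diff shows just those changes, and either leave a pointer at the old path or note the move where consumers of the mappings will see it.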