WIP - Markdown Mappings by Hunters #64

Open. Wants to merge 6 commits into base: main. Showing changes from 2 commits.
@@ -0,0 +1,63 @@
# Event Dossier: Alibaba Actiontrail to OCSF class Authentication

## wip: provided mapping files are not validated against schema server yet so required fields might be missing
---
* Class name: `authentication`
* Vendor name: `alibaba`
* Product name: `alibaba-actiontrail`
* Event codes: `EVENT_NAME = 'ConsoleSignin'`
---

| OCSF | RAW |
| --- | --- |
| activity_id | ```1::NUMBER``` |
| activity_name | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Logon' WHEN 2 THEN 'Logoff' WHEN 3 THEN 'Authentication Ticket' WHEN 4 THEN 'Service Ticket Request' WHEN 5 THEN 'Service Ticket Renew' WHEN 99 THEN 'Other' END``` |
| actor.user.account.uid | ```RECIPIENT_ACCOUNT_ID::VARCHAR``` |
| api.response.error | ```ERROR_CODE::VARCHAR``` |
| api.response.error_message | ```ERROR_MESSAGE::VARCHAR``` |
| auth_protocol | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'NTLM' WHEN 10 THEN 'RADIUS' WHEN 2 THEN 'Kerberos' WHEN 3 THEN 'Digest' WHEN 4 THEN 'OpenID' WHEN 5 THEN 'SAML' WHEN 6 THEN 'OAUTH 2.0' WHEN 7 THEN 'PAP' WHEN 8 THEN 'CHAP' WHEN 9 THEN 'EAP' WHEN 99 THEN 'Other' END``` |
| auth_protocol_id | ```0::NUMBER``` |
| category_name | ```CASE (3::NUMBER) WHEN 3 THEN 'Identity & Access Management' END``` |
| category_uid | ```3::NUMBER``` |
| class_name | ```'authentication'``` |
| class_uid | ```3002``` |
| cloud.provider | ```'Alibaba'::VARCHAR``` |
| cloud.region | ```ACS_REGION::VARCHAR``` |
| dst_endpoint.hostname | ```EVENT_SOURCE::VARCHAR``` |
| enrichments.name | ```EVENT_NAME::VARCHAR``` |
| http_request.length | ```REQUEST_PARAMETERS_LENGTH::NUMBER``` |
| http_request.uid | ```REQUEST_ID::VARCHAR``` |
| http_request.url.query_string | ```SPLIT_PART(ADDITIONAL_EVENT_DATA:callbackUrl, '?', 2)::VARCHAR``` |
| http_request.url.scheme | ```REGEXP_SUBSTR(ADDITIONAL_EVENT_DATA:callbackUrl, '^([a-zA-Z]+)')::VARCHAR``` |
| http_request.url.url_string | ```ADDITIONAL_EVENT_DATA:callbackUrl::VARCHAR``` |
| http_request.user_agent | ```USER_AGENT::VARCHAR``` |
| is_cleartext | ```IFF(REGEXP_SUBSTR(ADDITIONAL_EVENT_DATA:callbackUrl, '^([a-zA-Z]+)') != 'https', 'true', 'false')::BOOLEAN``` |
| is_mfa | ```USER_IDENTITY_SESSION_CONTEXT_ATTRIBUTES:mfaAuthenticated::BOOLEAN``` |
| logon_type | ```CASE (3::NUMBER) WHEN 0 THEN 'System' WHEN 10 THEN 'Remote Interactive' WHEN 11 THEN 'Cached Interactive' WHEN 12 THEN 'Cached Remote Interactive' WHEN 13 THEN 'Cached Unlock' WHEN 2 THEN 'Interactive' WHEN 3 THEN 'Network' WHEN 4 THEN 'Batch' WHEN 5 THEN 'OS Service' WHEN 7 THEN 'Unlock' WHEN 8 THEN 'Network Cleartext' WHEN 9 THEN 'New Credentials' WHEN 99 THEN 'Other' END``` |
| logon_type_id | ```3::NUMBER``` |
| metadata.event_code | ```event_type``` |
| metadata.product.name | ```'alibaba-actiontrail'``` |
| metadata.product.vendor_name | ```'alibaba'``` |
| metadata.version | ```'1.1.0'``` |
| service.name | ```SERVICE_NAME::VARCHAR``` |
| service.version | ```EVENT_VERSION::VARCHAR``` |
| session.is_mfa | ```ADDITIONAL_EVENT_DATA:mfaChecked::BOOLEAN``` |
| session.uid | ```EVENT_ID::VARCHAR``` |
| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` |
| severity_id | ```0::NUMBER``` |
| src_endpoint.ip | ```SOURCE_IP_ADDRESS::VARCHAR``` |
| src_endpoint.vpc_uid | ```REQUEST_PARAMETERS_CLIENT_VPC_ID::VARCHAR``` |
| status | ```CASE (CASE WHEN COALESCE(ERROR_CODE, ERROR_MESSAGE) IS NULL THEN 1 WHEN COALESCE(ERROR_CODE, ERROR_MESSAGE) IS NOT NULL THEN 2 WHEN ERROR_CODE IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` |
| status_id | ```CASE WHEN COALESCE(ERROR_CODE, ERROR_MESSAGE) IS NULL THEN 1 WHEN COALESCE(ERROR_CODE, ERROR_MESSAGE) IS NOT NULL THEN 2 WHEN ERROR_CODE IS NULL THEN 0 ELSE 99 END::NUMBER``` |
| time | ```date_part('epoch_milliseconds', event_time::TIMESTAMP_LTZ)``` |
| time_dt | ```event_time::TIMESTAMP_LTZ``` |
| type_name | ```CASE (300201::NUMBER) WHEN 300200 THEN 'Authentication: Unknown' WHEN 300201 THEN 'Authentication: Logon' WHEN 300202 THEN 'Authentication: Logoff' WHEN 300203 THEN 'Authentication: Authentication Ticket' WHEN 300204 THEN 'Authentication: Service Ticket Request' WHEN 300205 THEN 'Authentication: Service Ticket Renew' WHEN 300299 THEN 'Authentication: Other' END``` |
| type_uid | ```300201::NUMBER``` |
| user.account.uid | ```USER_IDENTITY_ACCOUNT_ID::VARCHAR``` |
| user.credential_uid | ```USER_IDENTITY_ACCESS_KEY_ID::VARCHAR``` |
| user.name | ```USER_IDENTITY_USER_NAME::VARCHAR``` |
| user.type | ```CASE (CASE WHEN USER_IDENTITY_TYPE = 'ram-user' THEN 1 WHEN USER_IDENTITY_TYPE = 'root-account' THEN 2 WHEN USER_IDENTITY_TYPE = 'system' THEN 3 WHEN USER_IDENTITY_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'User' WHEN 2 THEN 'Admin' WHEN 3 THEN 'System' WHEN 99 THEN 'Other' END``` |
| user.type_id | ```CASE WHEN USER_IDENTITY_TYPE = 'ram-user' THEN 1 WHEN USER_IDENTITY_TYPE = 'root-account' THEN 2 WHEN USER_IDENTITY_TYPE = 'system' THEN 3 WHEN USER_IDENTITY_TYPE IS NULL THEN 0 ELSE 99 END::NUMBER``` |
| user.uid_alt | ```USER_IDENTITY_PRINCIPAL_ID::VARCHAR``` |

Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤
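Review bot: `metadata.event_code` in this table maps to `event_type`, which is not one of the RAW columns used anywhere else in the file and does not match the `Event codes: EVENT_NAME = 'ConsoleSignin'` filter stated in the header; `EVENT_NAME::VARCHAR` (already used for `enrichments.name`) looks like the intended source. Two smaller points in the same table: in `status_id` the `WHEN ERROR_CODE IS NULL THEN 0` and `ELSE 99` branches are unreachable, because the two `COALESCE(ERROR_CODE, ERROR_MESSAGE)` branches already cover every row, so the expression reduces to `CASE WHEN COALESCE(ERROR_CODE, ERROR_MESSAGE) IS NULL THEN 1 ELSE 2 END::NUMBER` (the inner CASE of `status` simplifies the same way); and `is_cleartext` yields `'false'` when `callbackUrl` is absent, since `NULL != 'https'` evaluates to NULL and `IFF` takes the false branch, so a missing URL is reported as not cleartext rather than as unknown. Consider leaving `is_cleartext` NULL when `ADDITIONAL_EVENT_DATA:callbackUrl` is NULL.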
@@ -0,0 +1,59 @@
# Event Dossier: Alibaba Slb Logs to OCSF class Http Activity

## wip: provided mapping files are not validated against schema server yet so required fields might be missing
---
* Class name: `http_activity`
* Vendor name: `alibaba`
* Product name: `alibaba-slb-logs`
* Event codes: `All`
---

| OCSF | RAW |
| --- | --- |
| action | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` |
| action_id | ```0::NUMBER``` |
| activity_id | ```CASE WHEN REQUEST_METHOD = 'UNKNOWN' THEN 0 WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER``` |
| activity_name | ```CASE (CASE WHEN REQUEST_METHOD = 'UNKNOWN' THEN 0 WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` |
| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` |
| category_uid | ```4::NUMBER``` |
| class_name | ```'http_activity'``` |
| class_uid | ```4002``` |
| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` |
| connection_info.direction_id | ```1::NUMBER``` |
| connection_info.protocol_ver | ```CASE (PARSE_IP(CLIENT_IP, 'INET'):family::NUMBER) WHEN 0 THEN 'Unknown' WHEN 4 THEN 'Internet Protocol version 4 (IPv4)' WHEN 6 THEN 'Internet Protocol version 6 (IPv6)' WHEN 99 THEN 'Other' END``` |
| connection_info.protocol_ver_id | ```PARSE_IP(CLIENT_IP, 'INET'):family::NUMBER``` |
| dst_endpoint.ip | ```VIP_ADDR::VARCHAR``` |
| dst_endpoint.port | ```SLB_VPORT::VARCHAR``` |
| duration | ```TCPINFO_RTT::NUMBER``` |
| http_request.http_method | ```CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 'CONNECT' WHEN REQUEST_METHOD = 'DELETE' THEN 'DELETE' WHEN REQUEST_METHOD = 'GET' THEN 'GET' WHEN REQUEST_METHOD = 'HEAD' THEN 'HEAD' WHEN REQUEST_METHOD = 'OPTIONS' THEN 'OPTIONS' WHEN REQUEST_METHOD = 'POST' THEN 'POST' WHEN REQUEST_METHOD = 'PUT' THEN 'PUT' WHEN REQUEST_METHOD = 'TRACE' THEN 'TRACE' ELSE NULL END::VARCHAR``` |
| http_request.length | ```REQUEST_LENGTH::NUMBER``` |
| http_request.referrer | ```HTTP_REFERER::VARCHAR``` |
| http_request.url.hostname | ```HTTP_HOST::VARCHAR``` |
| http_request.url.path | ```REQUEST_URI::VARCHAR``` |
| http_request.url.scheme | ```SCHEME::VARCHAR``` |
| http_request.user_agent | ```HTTP_USER_AGENT::VARCHAR``` |
| http_request.version | ```SERVER_PROTOCOL::VARCHAR``` |
| http_request.x_forwarded_for | ```HTTP_X_FORWARDED_FOR::VARCHAR``` |
| http_response.code | ```STATUS::NUMBER``` |
| load_balancer.code | ```UPSTREAM_STATUS::NUMBER``` |
| load_balancer.uid | ```SLBID::VARCHAR``` |
| metadata.product.name | ```'alibaba-slb-logs'``` |
| metadata.product.vendor_name | ```'alibaba'``` |
| metadata.version | ```'1.1.0'``` |
| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` |
| severity_id | ```0::NUMBER``` |
| src_endpoint.ip | ```CLIENT_IP::VARCHAR``` |
| src_endpoint.port | ```CLIENT_PORT::VARCHAR``` |
| status | ```CASE (CASE WHEN STATUS ILIKE '2%%' THEN 1 WHEN STATUS ILIKE '3%%' THEN 2 WHEN STATUS ILIKE '4%%' THEN 2 WHEN STATUS ILIKE '5%%' THEN 2 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` |
| status_id | ```CASE WHEN STATUS ILIKE '2%%' THEN 1 WHEN STATUS ILIKE '3%%' THEN 2 WHEN STATUS ILIKE '4%%' THEN 2 WHEN STATUS ILIKE '5%%' THEN 2 ELSE 99 END::NUMBER``` |
| time | ```date_part('epoch_milliseconds', time::TIMESTAMP_LTZ)``` |
| time_dt | ```time::TIMESTAMP_LTZ``` |
| tls.cipher | ```SSL_CIPHER::VARCHAR``` |
| tls.version | ```SSL_PROTOCOL::VARCHAR``` |
| traffic.bytes | ```(COALESCE(REQUEST_LENGTH, 0) + COALESCE(BODY_BYTES_SENT, 0))::NUMBER``` |
| traffic.bytes_in | ```REQUEST_LENGTH::NUMBER``` |
| traffic.bytes_out | ```BODY_BYTES_SENT::NUMBER``` |
| type_name | ```CASE (CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 400201 WHEN REQUEST_METHOD = 'DELETE' THEN 400202 WHEN REQUEST_METHOD = 'GET' THEN 400203 WHEN REQUEST_METHOD = 'HEAD' THEN 400204 WHEN REQUEST_METHOD = 'OPTIONS' THEN 400205 WHEN REQUEST_METHOD = 'POST' THEN 400206 WHEN REQUEST_METHOD = 'PUT' THEN 400207 WHEN REQUEST_METHOD = 'TRACE' THEN 400208 WHEN REQUEST_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` |
| type_uid | ```CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 400201 WHEN REQUEST_METHOD = 'DELETE' THEN 400202 WHEN REQUEST_METHOD = 'GET' THEN 400203 WHEN REQUEST_METHOD = 'HEAD' THEN 400204 WHEN REQUEST_METHOD = 'OPTIONS' THEN 400205 WHEN REQUEST_METHOD = 'POST' THEN 400206 WHEN REQUEST_METHOD = 'PUT' THEN 400207 WHEN REQUEST_METHOD = 'TRACE' THEN 400208 WHEN REQUEST_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER``` |

Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤
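Review bot: `status_id` (and the inner CASE of `status`) classifies `3xx` responses as Failure via `WHEN STATUS ILIKE '3%%' THEN 2`, while the WAF mapping in this same PR has no `3%%` branch at all, so a redirect is a failure for SLB and Other for WAF; redirects are completed requests and should map consistently in both files, most naturally to Success (1). The doubled `'%%'` in these patterns also looks like a format-string escape that leaked into the rendered SQL; a single `%` is the intended wildcard. Also: `activity_id` sends a NULL `REQUEST_METHOD` to `ELSE 99` (Other), whereas `type_uid` sends it to `400200` (Unknown) through `WHEN REQUEST_METHOD IS NULL THEN 400200`, so the two ids disagree for the same row; adding `WHEN REQUEST_METHOD IS NULL THEN 0` to `activity_id` (and to the inner CASE of `activity_name`) aligns them. `dst_endpoint.port` and `src_endpoint.port` are cast to `::VARCHAR` although OCSF defines port as an integer; `::NUMBER`, as used for `http_response.code`, is the right cast. Finally, `duration` takes `TCPINFO_RTT`, a transport-level round-trip time rather than the time the request took to serve; confirm that is the intended semantics before this lands.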
@@ -0,0 +1,62 @@
# Event Dossier: Alibaba Waf to OCSF class Http Activity

## wip: provided mapping files are not validated against schema server yet so required fields might be missing
---
* Class name: `http_activity`
* Vendor name: `alibaba`
* Product name: `alibaba-waf`
* Event codes: `All`
---

| OCSF | RAW |
| --- | --- |
| action | ```CASE (CASE WHEN RAW:final_action::VARCHAR IS NULL THEN 1 WHEN RAW:final_action::VARCHAR = 'Block' THEN 2 ELSE 99 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 2 THEN 'Denied' WHEN 99 THEN 'Other' END``` |
| action_id | ```CASE WHEN RAW:final_action::VARCHAR IS NULL THEN 1 WHEN RAW:final_action::VARCHAR = 'Block' THEN 2 ELSE 99 END``` |
| activity_id | ```CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 WHEN REQUEST_METHOD IS NULL THEN 0 ELSE 99 END::NUMBER``` |
| activity_name | ```CASE (CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 1 WHEN REQUEST_METHOD = 'DELETE' THEN 2 WHEN REQUEST_METHOD = 'GET' THEN 3 WHEN REQUEST_METHOD = 'HEAD' THEN 4 WHEN REQUEST_METHOD = 'OPTIONS' THEN 5 WHEN REQUEST_METHOD = 'POST' THEN 6 WHEN REQUEST_METHOD = 'PUT' THEN 7 WHEN REQUEST_METHOD = 'TRACE' THEN 8 WHEN REQUEST_METHOD IS NULL THEN 0 ELSE 99 END::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Connect' WHEN 2 THEN 'Delete' WHEN 3 THEN 'Get' WHEN 4 THEN 'Head' WHEN 5 THEN 'Options' WHEN 6 THEN 'Post' WHEN 7 THEN 'Put' WHEN 8 THEN 'Trace' WHEN 99 THEN 'Other' END``` |
| actor.user.uid | ```USER_ID::VARCHAR``` |
| category_name | ```CASE (4::NUMBER) WHEN 4 THEN 'Network Activity' END``` |
| category_uid | ```4::NUMBER``` |
| class_name | ```'http_activity'``` |
| class_uid | ```4002``` |
| cloud.provider | ```'Alibaba'::VARCHAR``` |
| cloud.region | ```REGION::VARCHAR``` |
| connection_info.direction | ```CASE (1::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Inbound' WHEN 2 THEN 'Outbound' WHEN 3 THEN 'Lateral' WHEN 99 THEN 'Other' END``` |
| connection_info.direction_id | ```1::NUMBER``` |
| disposition | ```CASE (CASE WHEN RAW:final_action IS NULL THEN 1 WHEN RAW:final_action = 'Block' THEN 2 ELSE 99 END :: NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Allowed' WHEN 10 THEN 'Exonerated' WHEN 11 THEN 'Corrected' WHEN 12 THEN 'Partially Corrected' WHEN 13 THEN 'Uncorrected' WHEN 14 THEN 'Delayed' WHEN 15 THEN 'Detected' WHEN 16 THEN 'No Action' WHEN 17 THEN 'Logged' WHEN 18 THEN 'Tagged' WHEN 19 THEN 'Alert' WHEN 2 THEN 'Blocked' WHEN 20 THEN 'Count' WHEN 21 THEN 'Reset' WHEN 22 THEN 'Captcha' WHEN 23 THEN 'Challenge' WHEN 24 THEN 'Access Revoked' WHEN 25 THEN 'Rejected' WHEN 26 THEN 'Unauthorized' WHEN 27 THEN 'Error' WHEN 3 THEN 'Quarantined' WHEN 4 THEN 'Isolated' WHEN 5 THEN 'Deleted' WHEN 6 THEN 'Dropped' WHEN 7 THEN 'Custom Action' WHEN 8 THEN 'Approved' WHEN 9 THEN 'Restored' WHEN 99 THEN 'Other' END``` |
| disposition_id | ```CASE WHEN RAW:final_action IS NULL THEN 1 WHEN RAW:final_action = 'Block' THEN 2 ELSE 99 END :: NUMBER``` |
| dst_endpoint.hostname | ```HOST::VARCHAR``` |
| dst_endpoint.ip | ```REMOTE_ADDR::VARCHAR``` |
| dst_endpoint.port | ```REMOTE_PORT::VARCHAR``` |
| duration | ```REQUEST_TIME_MSEC::NUMBER``` |
| http_cookies.value | ```HTTP_COOKIE::VARCHAR``` |
| http_request.http_method | ```REQUEST_METHOD::VARCHAR``` |
| http_request.length | ```REQUEST_LENGTH::NUMBER``` |
| http_request.referrer | ```HTTP_REFERER::VARCHAR``` |
| http_request.url.hostname | ```HOST::VARCHAR``` |
| http_request.url.path | ```REQUEST_PATH::VARCHAR``` |
| http_request.url.query_string | ```QUERYSTRING::VARCHAR``` |
| http_request.url.scheme | ```SERVER_PROTOCOL::VARCHAR``` |
| http_request.user_agent | ```HTTP_USER_AGENT::VARCHAR``` |
| http_request.version | ```SERVER_PROTOCOL::VARCHAR``` |
| http_request.x_forwarded_for | ```HTTP_X_FORWARDED_FOR::VARCHAR``` |
| http_response.status | ```STATUS::VARCHAR``` |
| metadata.product.name | ```'alibaba-waf'``` |
| metadata.product.vendor_name | ```'alibaba'``` |
| metadata.version | ```'1.1.0'``` |
| severity | ```CASE (0::NUMBER) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Informational' WHEN 2 THEN 'Low' WHEN 3 THEN 'Medium' WHEN 4 THEN 'High' WHEN 5 THEN 'Critical' WHEN 6 THEN 'Fatal' WHEN 99 THEN 'Other' END``` |
| severity_id | ```0::NUMBER``` |
| src_endpoint.ip | ```REAL_CLIENT_IP::VARCHAR``` |
| start_time | ```date_part('epoch_milliseconds', TIME::TIMESTAMP_LTZ)``` |
| start_time_dt | ```TIME::TIMESTAMP_LTZ``` |
| status | ```CASE (CASE WHEN STATUS ILIKE '2%%' THEN 1 WHEN STATUS ILIKE '4%%' THEN 2 WHEN STATUS ILIKE '5%%' THEN 2 ELSE 99 END) WHEN 0 THEN 'Unknown' WHEN 1 THEN 'Success' WHEN 2 THEN 'Failure' WHEN 99 THEN 'Other' END``` |
| status_id | ```CASE WHEN STATUS ILIKE '2%%' THEN 1 WHEN STATUS ILIKE '4%%' THEN 2 WHEN STATUS ILIKE '5%%' THEN 2 ELSE 99 END``` |
| time | ```date_part('epoch_milliseconds', time::TIMESTAMP_LTZ)``` |
| time_dt | ```time::TIMESTAMP_LTZ``` |
| tls.cipher | ```SSL_CIPHER::VARCHAR``` |
| tls.version | ```SSL_PROTOCOL::VARCHAR``` |
| traffic.bytes_out | ```BODY_BYTES_SENT::NUMBER``` |
| type_name | ```CASE (CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 400201 WHEN REQUEST_METHOD = 'DELETE' THEN 400202 WHEN REQUEST_METHOD = 'GET' THEN 400203 WHEN REQUEST_METHOD = 'HEAD' THEN 400204 WHEN REQUEST_METHOD = 'OPTIONS' THEN 400205 WHEN REQUEST_METHOD = 'POST' THEN 400206 WHEN REQUEST_METHOD = 'PUT' THEN 400207 WHEN REQUEST_METHOD = 'TRACE' THEN 400208 WHEN REQUEST_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER) WHEN 400200 THEN 'HTTP Activity: Unknown' WHEN 400201 THEN 'HTTP Activity: Connect' WHEN 400202 THEN 'HTTP Activity: Delete' WHEN 400203 THEN 'HTTP Activity: Get' WHEN 400204 THEN 'HTTP Activity: Head' WHEN 400205 THEN 'HTTP Activity: Options' WHEN 400206 THEN 'HTTP Activity: Post' WHEN 400207 THEN 'HTTP Activity: Put' WHEN 400208 THEN 'HTTP Activity: Trace' WHEN 400299 THEN 'HTTP Activity: Other' END``` |
| type_uid | ```CASE WHEN REQUEST_METHOD = 'CONNECT' THEN 400201 WHEN REQUEST_METHOD = 'DELETE' THEN 400202 WHEN REQUEST_METHOD = 'GET' THEN 400203 WHEN REQUEST_METHOD = 'HEAD' THEN 400204 WHEN REQUEST_METHOD = 'OPTIONS' THEN 400205 WHEN REQUEST_METHOD = 'POST' THEN 400206 WHEN REQUEST_METHOD = 'PUT' THEN 400207 WHEN REQUEST_METHOD = 'TRACE' THEN 400208 WHEN REQUEST_METHOD IS NULL THEN 400200 ELSE 400299 END::NUMBER``` |

Contributed to the OCSF community by [Hunters](https://www.hunters.security/) with ❤
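Review bot: `http_request.url.scheme` maps `SERVER_PROTOCOL`, the same column already used for `http_request.version`; that column carries the protocol version string (`HTTP/1.1` style), not the URL scheme, so the scheme row needs a different source (the SLB file in this PR has a dedicated `SCHEME` column) or should be dropped rather than populated with a wrong value. Further points: `action_id` and `disposition_id` treat a NULL `final_action` as Allowed (1) and every value other than `'Block'` as Other (99); for a WAF, defaulting an absent verdict to Allowed hides rows whose action was simply not logged, so Unknown (0) is the safer mapping for NULL, and the rows should be consistent about the `::NUMBER` cast (`disposition_id` has it, `action_id` and `status_id` do not). `dst_endpoint.ip` maps `REMOTE_ADDR` (and `dst_endpoint.port` maps `REMOTE_PORT`) while `src_endpoint.ip` maps `REAL_CLIENT_IP`; in the nginx-style naming these columns follow, `remote_addr` is the address of the peer that connected (the client, or the proxy in front of it), not the destination, so this looks inverted and should be checked against the WAF log field reference. `http_cookies.value` copies the entire `HTTP_COOKIE` header, which routinely contains session tokens; OCSF `http_cookies` is a list of individual cookie objects, and storing the raw header in a normalized table spreads credential-equivalent material into a broader dataset than the raw log, so either parse it into name/value pairs or omit it.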