Strona główna Odkrywaj Pomoc
Zaloguj się
bat9go
/
Ycsecurity
kopia lustrzana https://github.com/yandex-cloud/yc-solution-library-for-security
Obserwuj 1
Polub 0
Forkuj 0
Pliki Problemy 0 Wiki
Gałąź: fix-typos
Gałęzie Tagi
Ycsecurity
/
auditlogs
/
export-auditlogs-to-ArcSight
/
arcsight_content
/
flex
/
yc.jsonparser.properties

yc.jsonparser.properties 4.1 KB
Bezpośredni odnośnik Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143 
  1. #Yandex Cloud Cloud Trail JSON log parser
    2. 

  2. #Author: Rodion Chekharin rch@ast-security.ru
    3. 

  3. 

  4. trigger.node.location=/
    5. 

  5. token.count=22
    6. 

  6. 

  7. token[0].name=event_id
    8. 

  8. token[0].type=String
    9. 

  9. token[0].location=event_id
    10. 

  10. 

  11. token[1].name=event_type
    12. 

  12. token[1].type=String
    13. 

  13. token[1].location=event_type
    14. 

  14. 

  15. token[2].name=event_time
    16. 

  16. token[2].type=String
    17. 

  17. token[2].location=event_time
    18. 

  18. 

  19. token[3].name=authentication_subject_name
    20. 

  20. token[3].type=String
    21. 

  21. token[3].location=authentication//subject_name
    22. 

  22. 

  23. token[4].name=authentication_subject_id
    24. 

  24. token[4].type=String
    25. 

  25. token[4].location=authentication//subject_id
    26. 

  26. 

  27. token[5].name=authentication_subject_type
    28. 

  28. token[5].type=String
    29. 

  29. token[5].location=authentication//subject_type
    30. 

  30. 

  31. token[6].name=event_source
    32. 

  32. token[6].type=String
    33. 

  33. token[6].location=event_source
    34. 

  34. 

  35. token[7].name=event_status
    36. 

  36. token[7].type=String
    37. 

  37. token[7].location=event_status
    38. 

  38. 

  39. token[8].name=request_metadata_remote_address
    40. 

  40. token[8].type=String
    41. 

  41. token[8].location=request_metadata//remote_address
    42. 

  42. 

  43. token[9].name=request_metadata_user_agent
    44. 

  44. token[9].type=String
    45. 

  45. token[9].location=request_metadata//user_agent
    46. 

  46. 

  47. token[10].name=request_metadata_request_id
    48. 

  48. token[10].type=String
    49. 

  49. token[10].location=request_metadata//request_id
    50. 

  50. 

  51. token[11].name=details
    52. 

  52. token[11].type=String
    53. 

  53. token[11].format=__uri()
    54. 

  54. token[11].location=details
    55. 

  55. 

  56. token[12].name=authentication_authenticated
    57. 

  57. token[12].type=String
    58. 

  58. token[12].location=authentication//authenticated
    59. 

  59. 

  60. token[13].name=authorization_authorized
    61. 

  61. token[13].type=String
    62. 

  62. token[13].location=authorization//authorized
    63. 

  63. 

  64. token[14].name=resource_metadata
    65. 

  65. token[14].type=String
    66. 

  66. token[14].format=__uri()
    67. 

  67. token[14].location=resource_metadata
    68. 

  68. 

  69. token[15].name=rm_0_resource_type
    70. 

  70. token[15].type=String
    71. 

  71. token[15].location=resource_metadata//path[0]//resource_type
    72. 

  72. 

  73. token[16].name=rm_0_resource_id
    74. 

  74. token[16].type=String
    75. 

  75. token[16].location=resource_metadata//path[0]//resource_id
    76. 

  76. 

  77. token[17].name=rm_0_resource_name
    78. 

  78. token[17].type=String
    79. 

  79. token[17].location=resource_metadata//path[0]//resource_name
    80. 

  80. 

  81. 

  82. token[18].name=rm_1_resource_type
    83. 

  83. token[18].type=String
    84. 

  84. token[18].location=resource_metadata//path[1]//resource_type
    85. 

  85. 

  86. token[19].name=rm_1_resource_id
    87. 

  87. token[19].type=String
    88. 

  88. token[19].location=resource_metadata//path[1]//resource_id
    89. 

  89. 

  90. token[20].name=rm_1_resource_name
    91. 

  91. token[20].type=String
    92. 

  92. token[20].location=resource_metadata//path[1]//resource_name
    93. 

  93. 

  94. token[21].name=error_message
    95. 

  95. token[21].type=String
    96. 

  96. token[21].location=error//message
    97. 

  97. 

  98. 

  99. event.name=event_type
    100. 

  100. event.sourceUserName=authentication_subject_name
    101. 

  101. event.sourceUserId=authentication_subject_id
    102. 

  102. event.sourceUserPrivileges=authentication_subject_type
    103. 

  103. event.sourceServiceName=event_source
    104. 

  104. 

  105. 

  106. event.requestClientApplication=request_metadata_user_agent
    107. 

  107. event.sourceHostName=request_metadata_remote_address
    108. 

  108. event.requestContext=request_metadata_request_id
    109. 

  109. 

  110. event.deviceCustomString1=details
    111. 

  111. event.deviceCustomString1Label=__stringConstant("details")
    112. 

  112. 

  113. event.deviceCustomString2=resource_metadata
    114. 

  114. event.deviceCustomString2Label=__stringConstant("resource_metadata")
    115. 

  115. 

  116. event.deviceCustomString3=authentication_authenticated
    117. 

  117. event.deviceCustomString3Label=__stringConstant("authenticated")
    118. 

  118. 

  119. event.deviceCustomString4=authorization_authorized
    120. 

  120. event.deviceCustomString4Label=__stringConstant("authorized")
    121. 

  121. 

  122. event.deviceCustomString5=event_status
    123. 

  123. event.deviceCustomString5Label=__stringConstant("event_status")
    124. 

  124. 

  125. event.deviceCustomString6=error_message
    126. 

  126. event.deviceCustomString6Label=__stringConstant("error_message")
    127. 

  127. 

  128. event.fileName=rm_0_resource_name
    129. 

  129. event.filePath=rm_0_resource_id
    130. 

  130. event.fileType=rm_0_resource_type
    131. 

  131. 

  132. event.oldFileName=rm_1_resource_name
    133. 

  133. event.oldFilePath=rm_1_resource_id
    134. 

  134. event.oldFileType=rm_1_resource_type
    135. 

  135. 

  136. event.endTime=__parseMultipleTimeStamp(__regexTokenFindAndJoin(event_time,"(.*?)T(.*?)\\..*"," ","",""),"yyyy-MM-dd HH:mm:ss")
    137. 

  137. event.externalId=event_id
    138. 

  138. 

  139. event.flexString1=event_time
    140. 

  140. event.fileId=__regexTokenNoWarning(details,".*?/details/source_uri:\\"(.*?)\\?.*")
    141. 

  141. 

  142. event.deviceVendor=__stringConstant("Yandex Cloud")
    143. 

  143. event.deviceProduct=__stringConstant("Yandex Cloud")
    144.