from format_input import detect_log_type


def detecting_types(chaine):
    """Classify every line of the raw input with detect_log_type.

    Returns one entry per line (not per distinct type), so a file with
    200 Sophos lines yields a 200-element list of "sophos".
    """
    types = []
    lignes = chaine.splitlines()
    for l in lignes:
        types.append(detect_log_type(l))
    # Debug output left in by the original author.
    print('available types!')
    print('TYPES!!! ', types)
    return types


def descriptions(log_input):
    """Build a field-description text for the log types found in log_input.

    Because detecting_types() returns one type per line, the block for a
    type is appended once for every line of that type; callers that want a
    single block per type should de-duplicate first. Lines whose type is not
    listed below contribute nothing.
    """
    description = ""
    for log_type in detecting_types(log_input):
        if log_type == "sophos":
            description += """\n
            - sourcetype: The type of source that generated the log entry.
            - _raw: The raw log message as received.
            - action: The action taken by the firewall.
            - app: The application associated with the session.
            - app_category: Category of the application.
            - app_is_cloud: Indicates if the application is cloud-based.
            - app_name: Name of the application.
            - app_resolved_by: Method by which the application was identified.
            - app_risk: Risk level of the application.
            - app_technology: Technology type of the application.
            - bytes: Total number of bytes transferred.
            - bytes_in: Number of bytes received.
            - bytes_out: Number of bytes sent.
            - con_id: Connection ID.
            - dest: Destination IP address.
            - dest_mac: Destination MAC address.
            - dest_port: Destination port.
            - dest_zone: Destination zone.
            - device_model: Model of the device.
            - device_name: Name of the device.
            - device_serial_id: Serial ID of the device.
            - dst_country: Destination country.
            - duration: Duration of the session.
            - dvc: Device name.
            - ether_type: Ethernet type.
            - fw_rule_id: Firewall rule ID.
            - fw_rule_type: Type of firewall rule.
            - hb_status: Heartbeat status.
            - host: Host IP address.
            - in_display_interface: Display interface name.
            - in_interface: Ingress interface.
            - log_component: Log component.
            - log_id: Log ID.
            - log_occurrence: Number of occurrences of the log entry.
            - log_subtype: Subtype of the log.
            - log_type: Type of log.
            - log_version: Version of the log format.
            - nat_rule_id: NAT rule ID.
            - packets: Total number of packets transferred.
            - packets_in: Number of packets received.
            - packets_out: Number of packets sent.
            - protocol: Protocol used in the session.
            - qualifier: Qualifier for the log entry.
            - severity: Severity level of the event.
            - src: Source IP address.
            - src_country: Source country.
            - src_interface: Source interface.
            - src_mac: Source MAC address.
            - src_port: Source port.
            - src_zone: Source zone.
            - timeendpos: End position of the timestamp in the raw log.
            - timestamp: Timestamp of the event.
            - timestartpos: Start position of the timestamp in the raw log.
            - transport: Transport protocol used.
            - _bkt: Bucket name where the event is stored in Splunk.
            - _cd: Composite ID of the event.
            - _indextime: Epoch time when the event was indexed.
            - _kv: Key-value extraction indicator.
            - _serial: Sequence number of the event.
            - _si: Splunk indexer and index information.
            - _sourcetype: Source type of the event data.
            - _time: Timestamp when the event occurred.
            """
        elif log_type == "azure-sign-in":
            # The first half of this block lists sign-in log fields; the second
            # half (from "sourcetype: Audit" on) lists Azure AD audit log
            # fields. Both are emitted under the single "azure-sign-in" type.
            description += """\n
            - Source Type: Type or category of the log.
            - appDisplayName: The application name displayed in the Azure Portal.
            - appId: The application identifier in Azure Active Directory.
            - clientAppUsed: The legacy client used for sign-in activity.
            - conditionalAccessStatus: The status of the conditional access policy triggered.
            - correlationId: The identifier sent from the client when sign-in is initiated.
            - createdDateTime: The date and time the sign-in was initiated in UTC.
            - deviceDetail.browser: Browser details.
            - deviceDetail.deviceId: Device ID.
            - deviceDetail.displayName: Device display name.
            - deviceDetail.isCompliant: Compliance status.
            - deviceDetail.isManaged: Managed status.
            - deviceDetail.operatingSystem: Operating system details.
            - deviceDetail.trustType: Trust type.
            - host: Tenant identifier.
            - id: Sign-in activity identifier.
            - ipAddress: Client IP address.
            - isInteractive: Indicates whether a sign-in is interactive.
            - location.city: City.
            - location.countryOrRegion: Country or region.
            - location.geoCoordinates.altitude: Altitude.
            - location.geoCoordinates.latitude: Latitude.
            - location.geoCoordinates.longitude: Longitude.
            - location.state: State.
            - resourceDisplayName: Resource display name.
            - resourceId: Resource identifier.
            - riskDetail: Reason behind the risk state.
            - riskLevelAggregated: Aggregated risk level.
            - riskLevelDuringSignIn: Risk level during sign-in.
            - riskState: Risk state.
            - status.additionalDetails: Additional status details.
            - status.errorCode: Error code.
            - status.failureReason: Failure reason.
            - userDisplayName: User display name.
            - userId: User identifier.
            - userPrincipalName: User principal name.
            - timestartpos: Byte position where the timestamp starts.
            - timeendpos: Byte position where the timestamp ends.
            - sourcetype: Audit
            - host: Host name.
            - id: Unique activity identifier.
            - category: Category value.
            - loggedByService: Service that logged the event.
            - activityDateTime: Date and time the activity occurred.
            - activityDisplayName: Human-readable name for the activity.
            - Level: Message type.
            - Actor: Name of the actor performing the operation.
            - initiatedBy: Details of the initiator (app or user).
            - Command: Description of the operation performed.
            - operationType: Type of operation.
            - result: Result of the activity.
            - ResultStatus: Result status.
            - resultReason: Cause of failure or timeout results.
            - Target_DisplayName: Activity or operation name.
            - Target_ObjectID: Unique identifier for the target object.
            - Target_userPrincipalName: UPN of the target user.
            - targetResources: Details about the target resources.
            - additionalDetails: Key-value pairs of additional details.
            - newValue: Value after the operation.
            - oldValue: Value before the operation.
            - modified_values: Difference between new and old value.
            - timeendpos: Byte position where the timestamp ends.
            - timestartpos: Byte position where the timestamp starts.
            - value: Logged value.
            - _bkt: Bucket ID in Splunk.
            - _cd: Splunk internal ID.
            - _indextime: Epoch time when the log was indexed.
            - _serial: Serial number for the log entry.
            - _si: Splunk indexer information.
            - _sourcetype: Splunk sourcetype.
            - _subsecond: Subsecond part of the timestamp.
            - _time: Time the log was generated.
            """
        elif log_type == "palo-alto":
            # Unlike the other types, this block is a template: the {name}
            # placeholders are left for the caller to fill in. It covers three
            # CSV layouts in turn (Type SYSTEM, Type USERID, and a third block
            # of session/rule fields that the original leaves unlabelled).
            description += """\n
            - Receive Time: {Receive Time}
            - Serial Number: {Serial Number}
            - Type: SYSTEM
            - Subtype: {Subtype}
            - Generated Time: {Generated Time}
            - Virtual System: {Virtual System}
            - Event ID: {Event ID}
            - Module: {Module} (only if Subtype is general)
            - Severity: {Severity}
            - Description: {Description}
            - Sequence Number: {Sequence Number}
            - Action Flags: {Action Flags}
            - Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
            - Virtual System Name: {Virtual System Name}
            - Device Name: {Device Name}
            - Receive Time: {Receive Time}
            - Serial Number: {Serial Number}
            - Type: USERID
            - Subtype: {Subtype} (login, logout, register-tag, unregister-tag)
            - Generated Time: {Generated Time}
            - Virtual System: {Virtual System}
            - Command: {Command}
            - User: {User}
            - Source IP: {Source IP}
            - Data Source Name: {Data Source Name}
            - Event ID: {Event ID}
            - Repeat Count: {Repeat Count}
            - Timeout: {Timeout}
            - Source Port: {Source Port}
            - Destination Port: {Destination Port}
            - Sequence Number: {Sequence Number}
            - Action Flags: {Action Flags}
            - Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
            - Virtual System Name: {Virtual System Name}
            - Device Name: {Device Name}
            - Virtual System ID: {Virtual System ID}
            - Rule Name: {Rule Name}
            - Source Zone: {Source Zone}
            - Destination Zone: {Destination Zone}
            - Source IP: {Source IP}
            - Destination IP: {Destination IP}
            - User: {User}
            - Application: {Application}
            - Virtual System: {Virtual System}
            - Source Port: {Source Port}
            - Destination Port: {Destination Port}
            - Inbound Interface: {Inbound Interface}
            - Outbound Interface: {Outbound Interface}
            - Log Action: {Log Action}
            - IP Protocol: {IP Protocol}
            - Action: {Action}
            - Rule Type: {Rule Type}
            - Sequence Number: {Sequence Number}
            - Repeat Count: {Repeat Count}
            - Source Country: {Source Country}
            - Destination Country: {Destination Country}
            - NAT Source IP: {NAT Source IP}
            - NAT Destination IP: {NAT Destination IP}
            - NAT Source Port: {NAT Source Port}
            - NAT Destination Port: {NAT Destination Port}
            - Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
            - Virtual System Name: {Virtual System Name}
            - Device Name: {Device Name}
            """
        elif log_type == "office365":
            description += """\n
            - CreationTime: The time the log was created.
            - UserId: The ID of the user who performed the activity.
            - Operation: The type of operation performed.
            - Workload: The Office 365 service where the event occurred.
            - ClientIP: The IP address of the device used.
            - UserAgent: Information about the user's client or device.
            - ResultStatus: The result status of the operation.
            - LogonType: The type of logon used.
            - Target: The target object that was accessed.
            - Actor: The user who initiated the action.
            - Action: The action performed.
            - ItemName: The name of the item accessed.
            - Source: The source of the log entry.
            - Site: The site where the event occurred.
            - WebId: The web ID where the event occurred.
            - ListId: The list ID where the event occurred.
            - CorrelationId: The correlation ID for troubleshooting.
            - GroupId: The group ID associated with the event.
            - SiteId: The site ID associated with the event.
            - FileData: Metadata about the file involved.
            - SiteUrl: The URL of the site where the event occurred.
            - UserId: The ID of the user who performed the activity.
            - UserType: The type of user (e.g., guest, member).
            - SourceFileExtension: The file extension of the source file.
            - SourceFileName: The name of the source file.
            - UniqueFileId: The unique ID of the file.
            - Timestamp: The time the event occurred.
            - _bkt: The bucket ID for the event.
            - _cd: The Splunk ID for the event.
            - _indextime: The epoch time when the event was indexed.
            - _serial: The serial number for the event.
            - _si: The Splunk indexer information.
            - _sourcetype: The source type of the event.
            - _time: The time the event occurred.
            """
    return description.strip()
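The functions above emit one description block per input line, because detecting_types() returns a type for every line rather than for every distinct type, and they silently drop lines whose type is not in the table. The following is an added example, not code from this file or its project, showing the same idea restructured: a field catalog keyed by type, a de-duplicated report in first-seen order, and explicit reporting of unrecognised lines. The detect_log_type heuristics here (Sophos key=value tokens, Palo Alto CSV with the type in the fourth column, Azure sign-in and Office 365 detected by JSON keys) and the sample lines are constructed assumptions for this example; the page's own detector lives in format_input and is not shown. The catalog carries only a few fields per type, drawn from the descriptions above.

```python
import json
import re

# Constructed subset of the field descriptions listed on this page.
FIELD_CATALOG = {
    "sophos": {
        "log_type": "Type of log.",
        "fw_rule_id": "Firewall rule ID.",
        "src": "Source IP address.",
        "dest": "Destination IP address.",
    },
    "palo-alto": {
        "Type": "Log type (SYSTEM, USERID, ...).",
        "Subtype": "Log subtype.",
        "Severity": "Severity level of the event.",
    },
    "azure-sign-in": {
        "userPrincipalName": "User principal name.",
        "conditionalAccessStatus": "The status of the conditional access policy triggered.",
        "riskLevelDuringSignIn": "Risk level during sign-in.",
    },
    "office365": {
        "Workload": "The Office 365 service where the event occurred.",
        "Operation": "The type of operation performed.",
        "ClientIP": "The IP address of the device used.",
    },
}

# Assumed Sophos marker: a few of the page's key names in key=value form.
_SOPHOS_KV = re.compile(r"\b(log_type|device_name|fw_rule_id)=")
# Assumed Palo Alto CSV type column values (fourth comma-separated field).
_PALO_TYPES = {"SYSTEM", "USERID", "TRAFFIC", "THREAT"}


def detect_log_type(line: str) -> str:
    """Hypothetical detector: classify one raw line by cheap structural clues.

    Untrusted input is only ever parsed, never evaluated; malformed JSON is
    reported as "unknown" rather than raising.
    """
    stripped = line.strip()
    if not stripped:
        return "empty"
    if stripped.startswith("{"):
        try:
            obj = json.loads(stripped)
        except json.JSONDecodeError:
            return "unknown"
        if not isinstance(obj, dict):
            return "unknown"
        if "userPrincipalName" in obj and "conditionalAccessStatus" in obj:
            return "azure-sign-in"
        if "Workload" in obj and "Operation" in obj:
            return "office365"
        return "unknown"
    if _SOPHOS_KV.search(stripped):
        return "sophos"
    fields = stripped.split(",")
    if len(fields) > 4 and fields[3] in _PALO_TYPES:
        return "palo-alto"
    return "unknown"


def describe(log_input: str) -> dict:
    """Describe each distinct log type once, in first-seen order.

    Returns the ordered list of types, their field catalogs, and the
    1-based numbers of non-empty lines no detector recognised, so that
    unsupported input is visible instead of silently dropped.
    """
    found = {}
    unknown_lines = []
    for lineno, line in enumerate(log_input.splitlines(), 1):
        if not line.strip():
            continue
        log_type = detect_log_type(line)
        if log_type in FIELD_CATALOG:
            found.setdefault(log_type, FIELD_CATALOG[log_type])
        else:
            unknown_lines.append(lineno)
    return {"types": list(found), "fields": found, "unknown_lines": unknown_lines}


# Constructed sample input: two Sophos lines, one Palo Alto SYSTEM line,
# one Azure sign-in record, one Office 365 record, and one unrelated syslog line.
SAMPLE_LOGS = "\n".join([
    'device_name="XG210" log_type="Firewall" fw_rule_id=12 src=10.0.0.5 dest=8.8.8.8',
    "1,2024/01/01 12:00:00,001122334455,SYSTEM,general,0,2024/01/01 12:00:00,vsys1,general,general,0,0,2024/01/01 12:00:00,0",
    '{"userPrincipalName": "a@example.com", "conditionalAccessStatus": "success", "riskLevelDuringSignIn": "none"}',
    '{"Workload": "SharePoint", "Operation": "FileAccessed", "ClientIP": "203.0.113.7"}',
    'device_name="XG210" log_type="Firewall" fw_rule_id=12 src=10.0.0.6 dest=1.1.1.1',
    "Jan  1 12:00:00 host sshd[1]: Accepted publickey for root",
])

if __name__ == "__main__":
    report = describe(SAMPLE_LOGS)
    for log_type in report["types"]:
        print(f"[{log_type}]")
        for field, text in report["fields"][log_type].items():
            print(f"  - {field}: {text}")
    print("unrecognised lines:", report["unknown_lines"])
```

The second Sophos line adds nothing to the report, and the sshd line is surfaced as unrecognised rather than vanishing; both are the behaviours a caller of descriptions() would otherwise have to reconstruct from the per-line type list.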