import logging

from format_input import detect_log_type
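def detecting_types(chaine: str) -> list:
    """Return the detected log type of every line in *chaine*, in order.

    Args:
        chaine: Raw log text. Each line (as split by ``str.splitlines``) is
            classified independently with ``detect_log_type``.

    Returns:
        One entry per line of ``chaine`` — an empty list for empty input —
        holding whatever ``detect_log_type`` returned for that line.
    """
    types = [detect_log_type(line) for line in chaine.splitlines()]
    # Report through the logging framework rather than print(): stray
    # stdout output from a library module pollutes whatever front end
    # embeds it, and debug level keeps it off by default.
    logging.getLogger(__name__).debug("detected log types: %s", types)
    return types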
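# Field-description text per supported log type, keyed by the value that
# ``detect_log_type`` returns for a line of that kind. Each entry starts
# with a blank line so that consecutive blocks stay visually separated.
_FIELD_DESCRIPTIONS: dict[str, str] = {
    "sophos": """\n
- sourcetype: The type of source that generated the log entry.
- _raw: The raw log message as received.
- action: The action taken by the firewall.
- app: The application associated with the session.
- app_category: Category of the application.
- app_is_cloud: Indicates if the application is cloud-based.
- app_name: Name of the application.
- app_resolved_by: Method by which the application was identified.
- app_risk: Risk level of the application.
- app_technology: Technology type of the application.
- bytes: Total number of bytes transferred.
- bytes_in: Number of bytes received.
- bytes_out: Number of bytes sent.
- con_id: Connection ID.
- dest: Destination IP address.
- dest_mac: Destination MAC address.
- dest_port: Destination port.
- dest_zone: Destination zone.
- device_model: Model of the device.
- device_name: Name of the device.
- device_serial_id: Serial ID of the device.
- dst_country: Destination country.
- duration: Duration of the session.
- dvc: Device name.
- ether_type: Ethernet type.
- fw_rule_id: Firewall rule ID.
- fw_rule_type: Type of firewall rule.
- hb_status: Heartbeat status.
- host: Host IP address.
- in_display_interface: Display interface name.
- in_interface: Ingress interface.
- log_component: Log component.
- log_id: Log ID.
- log_occurrence: Number of occurrences of the log entry.
- log_subtype: Subtype of the log.
- log_type: Type of log.
- log_version: Version of the log format.
- nat_rule_id: NAT rule ID.
- packets: Total number of packets transferred.
- packets_in: Number of packets received.
- packets_out: Number of packets sent.
- protocol: Protocol used in the session.
- qualifier: Qualifier for the log entry.
- severity: Severity level of the event.
- src: Source IP address.
- src_country: Source country.
- src_interface: Source interface.
- src_mac: Source MAC address.
- src_port: Source port.
- src_zone: Source zone.
- timeendpos: End position of the timestamp in the raw log.
- timestamp: Timestamp of the event.
- timestartpos: Start position of the timestamp in the raw log.
- transport: Transport protocol used.
- _bkt: Bucket name where the event is stored in Splunk.
- _cd: Composite ID of the event.
- _indextime: Epoch time when the event was indexed.
- _kv: Key-value extraction indicator.
- _serial: Sequence number of the event.
- _si: Splunk indexer and index information.
- _sourcetype: Source type of the event data.
- _time: Timestamp when the event occurred.
""",
    "azure-sign-in": """\n
- Source Type: Type or category of the log.
- appDisplayName: The application name displayed in the Azure Portal.
- appId: The application identifier in Azure Active Directory.
- clientAppUsed: The legacy client used for sign-in activity.
- conditionalAccessStatus: The status of the conditional access policy triggered.
- correlationId: The identifier sent from the client when sign-in is initiated.
- createdDateTime: The date and time the sign-in was initiated in UTC.
- deviceDetail.browser: Browser details.
- deviceDetail.deviceId: Device ID.
- deviceDetail.displayName: Device display name.
- deviceDetail.isCompliant: Compliance status.
- deviceDetail.isManaged: Managed status.
- deviceDetail.operatingSystem: Operating system details.
- deviceDetail.trustType: Trust type.
- host: Tenant identifier.
- id: Sign-in activity identifier.
- ipAddress: Client IP address.
- isInteractive: Indicates whether a sign-in is interactive.
- location.city: City.
- location.countryOrRegion: Country or region.
- location.geoCoordinates.altitude: Altitude.
- location.geoCoordinates.latitude: Latitude.
- location.geoCoordinates.longitude: Longitude.
- location.state: State.
- resourceDisplayName: Resource display name.
- resourceId: Resource identifier.
- riskDetail: Reason behind the risk state.
- riskLevelAggregated: Aggregated risk level.
- riskLevelDuringSignIn: Risk level during sign-in.
- riskState: Risk state.
- status.additionalDetails: Additional status details.
- status.errorCode: Error code.
- status.failureReason: Failure reason.
- userDisplayName: User display name.
- userId: User identifier.
- userPrincipalName: User principal name.
- timestartpos: Byte position where the timestamp starts.
- timeendpos: Byte position where the timestamp ends.
- sourcetype: Audit
- host: Host name.
- id: Unique activity identifier.
- category: Category value.
- loggedByService: Service that logged the event.
- activityDateTime: Date and time the activity occurred.
- activityDisplayName: Human-readable name for the activity.
- Level: Message type.
- Actor: Name of the actor performing the operation.
- initiatedBy: Details of the initiator (app or user).
- Command: Description of the operation performed.
- operationType: Type of operation.
- result: Result of the activity.
- ResultStatus: Result status.
- resultReason: Cause of failure or timeout results.
- Target_DisplayName: Activity or operation name.
- Target_ObjectID: Unique identifier for the target object.
- Target_userPrincipalName: UPN of the target user.
- targetResources: Details about the target resources.
- additionalDetails: Key-value pairs of additional details.
- newValue: Value after the operation.
- oldValue: Value before the operation.
- modified_values: Difference between new and old value.
- timeendpos: Byte position where the timestamp ends.
- timestartpos: Byte position where the timestamp starts.
- value: Logged value.
- _bkt: Bucket ID in Splunk.
- _cd: Splunk internal ID.
- _indextime: Epoch time when the log was indexed.
- _serial: Serial number for the log entry.
- _si: Splunk indexer information.
- _sourcetype: Splunk sourcetype.
- _subsecond: Subsecond part of the timestamp.
- _time: Time the log was generated.
""",
    "palo-alto": """\n
- Receive Time: {Receive Time}
- Serial Number: {Serial Number}
- Type: SYSTEM
- Subtype: {Subtype}
- Generated Time: {Generated Time}
- Virtual System: {Virtual System}
- Event ID: {Event ID}
- Module: {Module} (only if Subtype is general)
- Severity: {Severity}
- Description: {Description}
- Sequence Number: {Sequence Number}
- Action Flags: {Action Flags}
- Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
- Virtual System Name: {Virtual System Name}
- Device Name: {Device Name}
- Receive Time: {Receive Time}
- Serial Number: {Serial Number}
- Type: USERID
- Subtype: {Subtype} (login, logout, register-tag, unregister-tag)
- Generated Time: {Generated Time}
- Virtual System: {Virtual System}
- Command: {Command}
- User: {User}
- Source IP: {Source IP}
- Data Source Name: {Data Source Name}
- Event ID: {Event ID}
- Repeat Count: {Repeat Count}
- Timeout: {Timeout}
- Source Port: {Source Port}
- Destination Port: {Destination Port}
- Sequence Number: {Sequence Number}
- Action Flags: {Action Flags}
- Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
- Virtual System Name: {Virtual System Name}
- Device Name: {Device Name}
- Virtual System ID: {Virtual System ID}
- Rule Name: {Rule Name}
- Source Zone: {Source Zone}
- Destination Zone: {Destination Zone}
- Source IP: {Source IP}
- Destination IP: {Destination IP}
- User: {User}
- Application: {Application}
- Virtual System: {Virtual System}
- Source Port: {Source Port}
- Destination Port: {Destination Port}
- Inbound Interface: {Inbound Interface}
- Outbound Interface: {Outbound Interface}
- Log Action: {Log Action}
- IP Protocol: {IP Protocol}
- Action: {Action}
- Rule Type: {Rule Type}
- Sequence Number: {Sequence Number}
- Repeat Count: {Repeat Count}
- Source Country: {Source Country}
- Destination Country: {Destination Country}
- NAT Source IP: {NAT Source IP}
- NAT Destination IP: {NAT Destination IP}
- NAT Source Port: {NAT Source Port}
- NAT Destination Port: {NAT Destination Port}
- Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
- Virtual System Name: {Virtual System Name}
- Device Name: {Device Name}
""",
    "office365": """\n
- CreationTime: The time the log was created.
- UserId: The ID of the user who performed the activity.
- Operation: The type of operation performed.
- Workload: The Office 365 service where the event occurred.
- ClientIP: The IP address of the device used.
- UserAgent: Information about the user's client or device.
- ResultStatus: The result status of the operation.
- LogonType: The type of logon used.
- Target: The target object that was accessed.
- Actor: The user who initiated the action.
- Action: The action performed.
- ItemName: The name of the item accessed.
- Source: The source of the log entry.
- Site: The site where the event occurred.
- WebId: The web ID where the event occurred.
- ListId: The list ID where the event occurred.
- CorrelationId: The correlation ID for troubleshooting.
- GroupId: The group ID associated with the event.
- SiteId: The site ID associated with the event.
- FileData: Metadata about the file involved.
- SiteUrl: The URL of the site where the event occurred.
- UserId: The ID of the user who performed the activity.
- UserType: The type of user (e.g., guest, member).
- SourceFileExtension: The file extension of the source file.
- SourceFileName: The name of the source file.
- UniqueFileId: The unique ID of the file.
- Timestamp: The time the event occurred.
- _bkt: The bucket ID for the event.
- _cd: The Splunk ID for the event.
- _indextime: The epoch time when the event was indexed.
- _serial: The serial number for the event.
- _si: The Splunk indexer information.
- _sourcetype: The source type of the event.
- _time: The time the event occurred.
""",
}


def descriptions(log_input: str) -> str:
    """Build the field-description text for the log types found in *log_input*.

    Every line of ``log_input`` is classified with ``detecting_types``; the
    description block of each recognised type is emitted once, in order of
    first appearance. Emitting it once (rather than once per matching line,
    as a naive per-line loop would) keeps the output bounded by the number
    of supported types instead of the size of the input batch. Types with
    no entry in ``_FIELD_DESCRIPTIONS`` contribute nothing.

    Args:
        log_input: Raw log text, one event per line.

    Returns:
        The concatenated description blocks with surrounding whitespace
        stripped; an empty string when no line has a known type.
    """
    parts: list[str] = []
    seen: list = []
    for log_type in detecting_types(log_input):
        # Only string keys can match the table; skipping anything else keeps
        # the lookup safe for unhashable values without changing the result.
        if not isinstance(log_type, str) or log_type in seen:
            continue
        seen.append(log_type)
        text = _FIELD_DESCRIPTIONS.get(log_type)
        if text is not None:
            parts.append(text)
    return "".join(parts).strip()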