karimaloulou commited on
Commit
3571ce5
·
verified ·
1 Parent(s): 37b0960

Update descriptions.py

Files changed (1)
  1. descriptions.py +246 -425
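--- a/descriptions.py
+++ b/descriptions.py
@@ -1,437 +1,258 @@
-from format_input import (
-detect_log_type,
-)
+from format_input import detect_log_type
+
 def detecting_types(chaine):
 types = []
 lignes = chaine.splitlines()
 for l in lignes:
 types.append(detect_log_type(l))
-print ('available types!')
-print ('TYPES!!! ',types)
+print('available types!')
+print('TYPES!!! ', types)
 return types
 
-# log_type = detect_log_type(log_input)
-def descriptions (log_input):
+def descriptions(log_input):
+description = ""
 for log_type in detecting_types(log_input):
 if log_type == "sophos":
-description += """ the columns from Sophos logs with their descriptions:
-sourcetype: The type of source that generated the log entry.
-_raw: The raw log message as received.
-action: The action taken by the firewall.
-app: The application associated with the session.
-app_category: Category of the application.
-app_is_cloud: Indicates if the application is cloud-based.
-app_name: Name of the application.
-app_resolved_by: Method by which the application was identified.
-app_risk: Risk level of the application.
-app_technology: Technology type of the application.
-bytes: Total number of bytes transferred.
-bytes_in: Number of bytes received.
-bytes_out: Number of bytes sent.
-con_id: Connection ID.
-dest: Destination IP address.
-dest_mac: Destination MAC address.
-dest_port: Destination port.
-dest_zone: Destination zone.
-device_model: Model of the device.
-device_name: Name of the device.
-device_serial_id: Serial ID of the device.
-dst_country: Destination country.
-duration: Duration of the session.
-dvc: Device name.
-ether_type: Ethernet type.
-fw_rule_id: Firewall rule ID.
-fw_rule_type: Type of firewall rule.
-hb_status: Heartbeat status.
-host: Host IP address.
-in_display_interface: Display interface name.
-in_interface: Ingress interface.
-log_component: Log component.
-log_id: Log ID.
-log_occurrence: Number of occurrences of the log entry.
-log_subtype: Subtype of the log.
-log_type: Type of log.
-log_version: Version of the log format.
-nat_rule_id: NAT rule ID.
-packets: Total number of packets transferred.
-packets_in: Number of packets received.
-packets_out: Number of packets sent.
-protocol: Protocol used in the session.
-qualifier: Qualifier for the log entry.
-severity: Severity level of the event.
-src: Source IP address.
-src_country: Source country.
-src_interface: Source interface.
-src_mac: Source MAC address.
-src_port: Source port.
-src_zone: Source zone.
-timeendpos: End position of the timestamp in the raw log.
-timestamp: Timestamp of the event.
-timestartpos: Start position of the timestamp in the raw log.
-transport: Transport protocol used.
-_bkt: Bucket name where the event is stored in Splunk.
-_cd: Composite ID of the event.
-_indextime: Epoch time when the event was indexed.
-_kv: Key-value extraction indicator.
-_serial: Sequence number of the event.
-_si: Splunk indexer and index information.
-_sourcetype: Source type of the event data.
-_time: Timestamp when the event occurred.
-"""
+description += """\n
+- sourcetype: The type of source that generated the log entry.
+- _raw: The raw log message as received.
+- action: The action taken by the firewall.
+- app: The application associated with the session.
+- app_category: Category of the application.
+- app_is_cloud: Indicates if the application is cloud-based.
+- app_name: Name of the application.
+- app_resolved_by: Method by which the application was identified.
+- app_risk: Risk level of the application.
+- app_technology: Technology type of the application.
+- bytes: Total number of bytes transferred.
+- bytes_in: Number of bytes received.
+- bytes_out: Number of bytes sent.
+- con_id: Connection ID.
+- dest: Destination IP address.
+- dest_mac: Destination MAC address.
+- dest_port: Destination port.
+- dest_zone: Destination zone.
+- device_model: Model of the device.
+- device_name: Name of the device.
+- device_serial_id: Serial ID of the device.
+- dst_country: Destination country.
+- duration: Duration of the session.
+- dvc: Device name.
+- ether_type: Ethernet type.
+- fw_rule_id: Firewall rule ID.
+- fw_rule_type: Type of firewall rule.
+- hb_status: Heartbeat status.
+- host: Host IP address.
+- in_display_interface: Display interface name.
+- in_interface: Ingress interface.
+- log_component: Log component.
+- log_id: Log ID.
+- log_occurrence: Number of occurrences of the log entry.
+- log_subtype: Subtype of the log.
+- log_type: Type of log.
+- log_version: Version of the log format.
+- nat_rule_id: NAT rule ID.
+- packets: Total number of packets transferred.
+- packets_in: Number of packets received.
+- packets_out: Number of packets sent.
+- protocol: Protocol used in the session.
+- qualifier: Qualifier for the log entry.
+- severity: Severity level of the event.
+- src: Source IP address.
+- src_country: Source country.
+- src_interface: Source interface.
+- src_mac: Source MAC address.
+- src_port: Source port.
+- src_zone: Source zone.
+- timeendpos: End position of the timestamp in the raw log.
+- timestamp: Timestamp of the event.
+- timestartpos: Start position of the timestamp in the raw log.
+- transport: Transport protocol used.
+- _bkt: Bucket name where the event is stored in Splunk.
+- _cd: Composite ID of the event.
+- _indextime: Epoch time when the event was indexed.
+- _kv: Key-value extraction indicator.
+- _serial: Sequence number of the event.
+- _si: Splunk indexer and index information.
+- _sourcetype: Source type of the event data.
+- _time: Timestamp when the event occurred.
+"""
 elif log_type == "azure-sign-in":
-description += """ the columns from Azure-sign-in logs with their descriptions:
-Source Type:
-Type or category of the log.
-
-Application Information:
-- appDisplayName: The application name displayed in the Azure Portal.
-- appId: The application identifier in Azure Active Directory.
-- clientAppUsed: The legacy client used for sign-in activity.
-- conditionalAccessStatus: The status of the conditional access policy triggered.
-- correlationId: The identifier sent from the client when sign-in is initiated.
-- createdDateTime: The date and time the sign-in was initiated in UTC.
-
-Device Details:
-- deviceDetail.browser: Browser details.
-- deviceDetail.deviceId: Device ID.
-- deviceDetail.displayName: Device display name.
-- deviceDetail.isCompliant: Compliance status.
-- deviceDetail.isManaged: Managed status.
-- deviceDetail.operatingSystem: Operating system details.
-- deviceDetail.trustType: Trust type.
-
-Host Information:
-- host: Tenant identifier.
-- id: Sign-in activity identifier.
-- ipAddress: Client IP address.
-- isInteractive: Indicates whether a sign-in is interactive.
-
-Location:
-- location.city: City.
-- location.countryOrRegion: Country or region.
-- location.geoCoordinates.altitude: Altitude.
-- location.geoCoordinates.latitude: Latitude.
-- location.geoCoordinates.longitude: Longitude.
-- location.state: State.
-
-Resource Information:
-- resourceDisplayName: Resource display name.
-- resourceId: Resource identifier.
-
-Risk Information:
-- riskDetail: Reason behind the risk state.
-- riskLevelAggregated: Aggregated risk level.
-- riskLevelDuringSignIn: Risk level during sign-in.
-- riskState: Risk state.
-
-Sign-In Status Details:
-- status.additionalDetails: Additional status details.
-- status.errorCode: Error code.
-- status.failureReason: Failure reason.
-
-User Information:
-- userDisplayName: User display name.
-- userId: User identifier.
-- userPrincipalName: User principal name.
-
-Splunk Fields:
-- timestartpos: Byte position where the timestamp starts.
-- timeendpos: Byte position where the timestamp ends.
-
-Audit Logs:
-
-General Information:
-- sourcetype: Audit
-- host: Host name.
-- id: Unique activity identifier.
-- category: Category value.
-- loggedByService: Service that logged the event.
-
-Activity Information:
-- activityDateTime: Date and time the activity occurred.
-- activityDisplayName: Human-readable name for the activity.
-- Level: Message type.
-
-Actor Information:
-- Actor: Name of the actor performing the operation.
-- initiatedBy: Details of the initiator (app or user).
-
-Operation Information:
-- Command: Description of the operation performed.
-- operationType: Type of operation.
-- result: Result of the activity.
-- ResultStatus: Result status.
-- resultReason: Cause of failure or timeout results.
-
-Target Information:
-- Target_DisplayName: Activity or operation name.
-- Target_ObjectID: Unique identifier for the target object.
-- Target_userPrincipalName: UPN of the target user.
-- targetResources: Details about the target resources.
-
-Additional Details:
-- additionalDetails: Key-value pairs of additional details.
-
-New and Old Values:
-- newValue: Value after the operation.
-- oldValue: Value before the operation.
-- modified_values: Difference between new and old value.
-
-Splunk-Specific Information:
-- timeendpos: Byte position where the timestamp ends.
-- timestartpos: Byte position where the timestamp starts.
-- value: Logged value.
-- _bkt: Bucket ID in Splunk.
-- _cd: Splunk internal ID.
-- _indextime: Epoch time when the log was indexed.
-- _serial: Serial number for the log entry.
-- _si: Splunk indexer information.
-- _sourcetype: Splunk sourcetype.
-- _subsecond: Subsecond part of the timestamp.
-- _time: Time the log was generated."""
+description += """\n
+- Source Type: Type or category of the log.
+- appDisplayName: The application name displayed in the Azure Portal.
+- appId: The application identifier in Azure Active Directory.
+- clientAppUsed: The legacy client used for sign-in activity.
+- conditionalAccessStatus: The status of the conditional access policy triggered.
+- correlationId: The identifier sent from the client when sign-in is initiated.
+- createdDateTime: The date and time the sign-in was initiated in UTC.
+- deviceDetail.browser: Browser details.
+- deviceDetail.deviceId: Device ID.
+- deviceDetail.displayName: Device display name.
+- deviceDetail.isCompliant: Compliance status.
+- deviceDetail.isManaged: Managed status.
+- deviceDetail.operatingSystem: Operating system details.
+- deviceDetail.trustType: Trust type.
+- host: Tenant identifier.
+- id: Sign-in activity identifier.
+- ipAddress: Client IP address.
+- isInteractive: Indicates whether a sign-in is interactive.
+- location.city: City.
+- location.countryOrRegion: Country or region.
+- location.geoCoordinates.altitude: Altitude.
+- location.geoCoordinates.latitude: Latitude.
+- location.geoCoordinates.longitude: Longitude.
+- location.state: State.
+- resourceDisplayName: Resource display name.
+- resourceId: Resource identifier.
+- riskDetail: Reason behind the risk state.
+- riskLevelAggregated: Aggregated risk level.
+- riskLevelDuringSignIn: Risk level during sign-in.
+- riskState: Risk state.
+- status.additionalDetails: Additional status details.
+- status.errorCode: Error code.
+- status.failureReason: Failure reason.
+- userDisplayName: User display name.
+- userId: User identifier.
+- userPrincipalName: User principal name.
+- timestartpos: Byte position where the timestamp starts.
+- timeendpos: Byte position where the timestamp ends.
+- sourcetype: Audit
+- host: Host name.
+- id: Unique activity identifier.
+- category: Category value.
+- loggedByService: Service that logged the event.
+- activityDateTime: Date and time the activity occurred.
+- activityDisplayName: Human-readable name for the activity.
+- Level: Message type.
+- Actor: Name of the actor performing the operation.
+- initiatedBy: Details of the initiator (app or user).
+- Command: Description of the operation performed.
+- operationType: Type of operation.
+- result: Result of the activity.
+- ResultStatus: Result status.
+- resultReason: Cause of failure or timeout results.
+- Target_DisplayName: Activity or operation name.
+- Target_ObjectID: Unique identifier for the target object.
+- Target_userPrincipalName: UPN of the target user.
+- targetResources: Details about the target resources.
+- additionalDetails: Key-value pairs of additional details.
+- newValue: Value after the operation.
+- oldValue: Value before the operation.
+- modified_values: Difference between new and old value.
+- timeendpos: Byte position where the timestamp ends.
+- timestartpos: Byte position where the timestamp starts.
+- value: Logged value.
+- _bkt: Bucket ID in Splunk.
+- _cd: Splunk internal ID.
+- _indextime: Epoch time when the log was indexed.
+- _serial: Serial number for the log entry.
+- _si: Splunk indexer information.
+- _sourcetype: Splunk sourcetype.
+- _subsecond: Subsecond part of the timestamp.
+- _time: Time the log was generated.
+"""
 elif log_type == "palo-alto":
-description += """ the columns from Palo-alto logs with their descriptions:
-- Receive Time: {Receive Time}
-- Serial Number: {Serial Number}
-- Type: SYSTEM
-- Subtype: {Subtype}
-- Generated Time: {Generated Time}
-- Virtual System: {Virtual System}
-- Event ID: {Event ID}
-- Module: {Module} (only if Subtype is general)
-- Severity: {Severity}
-- Description: {Description}
-- Sequence Number: {Sequence Number}
-- Action Flags: {Action Flags}
-- Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
-- Virtual System Name: {Virtual System Name}
-- Device Name: {Device Name}
-- Receive Time: {Receive Time}
-- Serial Number: {Serial Number}
-- Type: USERID
-- Subtype: {Subtype} (login, logout, register-tag, unregister-tag)
-- Generated Time: {Generated Time}
-- Virtual System: {Virtual System}
-- Command: {Command}
-- User: {User}
-- Source IP: {Source IP}
-- Data Source Name: {Data Source Name}
-- Event ID: {Event ID}
-- Repeat Count: {Repeat Count}
-- Timeout: {Timeout}
-- Source Port: {Source Port}
-- Destination Port: {Destination Port}
-- Sequence Number: {Sequence Number}
-- Action Flags: {Action Flags}
-- Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
-- Virtual System Name: {Virtual System Name}
-- Device Name: {Device Name}
-- Virtual System ID: {Virtual System ID}
-- sourcetype: {sourcetype}
-- _raw: {raw log data}
-- action: {action}
-- action_flags: {action_flags}
-- action_source: {action_source}
-- app: {app}
-- bytes: {bytes}
-- bytes_in: {bytes_in}
-- bytes_out: {bytes_out}
-- client_ip: {client_ip}
-- dest_ip: {dest_ip}
-- dest_port: {dest_port}
-- dest_translated_ip: {dest_translated_ip}
-- dest_translated_port: {dest_translated_port}
-- dest_zone: {dest_zone}
-- duration: {duration}
-- protocol: {protocol}
-- receive_time: {receive_time}
-- rule: {rule}
-- sequence_number: {sequence_number}
-- src_ip: {src_ip}
-- src_port: {src_port}
-- src_translated_ip: {src_translated_ip}
-- src_translated_port: {src_translated_port}
-- src_zone: {src_zone}
-- start_time: {start_time}
-- Receive Time: {Receive Time}
-- Serial Number: {Serial Number}
-- Threat/Content Type: {Threat/Content Type}
-- Generate Time: {Generate Time}
-- Source Address: {Source Address}
-- Destination Address: {Destination Address}
-- NAT Source IP: {NAT Source IP}
-- NAT Destination IP: {NAT Destination IP}
-- Rule Name: {Rule Name}
-- Source User: {Source User}
-- Destination User: {Destination User}
-- Application: {Application}
-- Virtual System: {Virtual System}
-- Source Zone: {Source Zone}
-- Destination Zone: {Destination Zone}
-- Inbound Interface: {Inbound Interface}
-- Outbound Interface: {Outbound Interface}
-- Log Action: {Log Action}
-- Session ID: {Session ID}
-- Repeat Count: {Repeat Count}
-- Source Port: {Source Port}
-- Destination Port: {Destination Port}
-- NAT Source Port: {NAT Source Port}
-- NAT Destination Port: {NAT Destination Port}
-- Flags: {Flags}
-- IP Protocol: {IP Protocol}
-- Action: {Action}
-- URL/Filename: {URL/Filename}
-- Threat/Content Name: {Threat/Content Name}
-- Category: {Category}
-- Severity: {Severity}
-- Direction: {Direction}
-- Sequence Number: {Sequence Number}
-- Action Flags: {Action Flags}
-- Source Country: {Source Country}
-- Destination Country: {Destination Country}
-- Content Type: {Content Type}
-- PCAP ID: {PCAP ID}
-- File Digest: {File Digest}
-- Cloud: {Cloud}
-- URL Index: {URL Index}
-- User Agent: {User Agent}
-- File Type: {File Type}
-- X-Forwarded-For: {X-Forwarded-For}
-- Referer: {Referer}
-- Sender: {Sender}
-- Subject: {Subject}
-- Recipient: {Recipient}
-- Report ID: {Report ID}
-- Device Group Hierarchy: {Device Group Hierarchy}
-- Virtual System Name: {Virtual System Name}
-- Device Name: {Device Name}
-- Source VM UUID: {Source VM UUID}
-- Destination VM UUID: {Destination VM UUID}
-- HTTP Method: {HTTP Method}
-- Tunnel ID/IMSI: {Tunnel ID/IMSI}
-- Monitor Tag/IMEI: {Monitor Tag/IMEI}
-- Parent Session ID: {Parent Session ID}
-- Parent Session Start Time: {Parent Session Start Time}
-- Tunnel Type: {Tunnel Type}
-- Threat Category: {Threat Category}
-- Content Version: {Content Version}
-- SCTP Association ID: {SCTP Association ID}
-- Payload Protocol ID: {Payload Protocol ID}
-- HTTP Headers: {HTTP Headers}
-- URL Category List: {URL Category List}
-- Rule UUID: {Rule UUID}
-- HTTP/2 Connection: {HTTP/2 Connection}
-- Dynamic User Group Name: {Dynamic User Group Name}
-- XFF Address: {XFF Address}
-- Source Device Category: {Source Device Category}
-- Source Device Profile: {Source Device Profile}
-- Source Device Model: {Source Device Model}
-- Source Device Vendor: {Source Device Vendor}
-- Source Device OS Family: {Source Device OS Family}
-- Source Device OS Version: {Source Device OS Version}
-- Source Hostname: {Source Hostname}
-- Source MAC Address: {Source MAC Address}
-- Destination Device Category: {Destination Device Category}
-- Destination Device Profile: {Destination Device Profile}
-"""
-
+description += """\n
+- Receive Time: {Receive Time}
+- Serial Number: {Serial Number}
+- Type: SYSTEM
+- Subtype: {Subtype}
+- Generated Time: {Generated Time}
+- Virtual System: {Virtual System}
+- Event ID: {Event ID}
+- Module: {Module} (only if Subtype is general)
+- Severity: {Severity}
+- Description: {Description}
+- Sequence Number: {Sequence Number}
+- Action Flags: {Action Flags}
+- Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
+- Virtual System Name: {Virtual System Name}
+- Device Name: {Device Name}
+- Receive Time: {Receive Time}
+- Serial Number: {Serial Number}
+- Type: USERID
+- Subtype: {Subtype} (login, logout, register-tag, unregister-tag)
+- Generated Time: {Generated Time}
+- Virtual System: {Virtual System}
+- Command: {Command}
+- User: {User}
+- Source IP: {Source IP}
+- Data Source Name: {Data Source Name}
+- Event ID: {Event ID}
+- Repeat Count: {Repeat Count}
+- Timeout: {Timeout}
+- Source Port: {Source Port}
+- Destination Port: {Destination Port}
+- Sequence Number: {Sequence Number}
+- Action Flags: {Action Flags}
+- Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
+- Virtual System Name: {Virtual System Name}
+- Device Name: {Device Name}
+- Virtual System ID: {Virtual System ID}
+- Rule Name: {Rule Name}
+- Source Zone: {Source Zone}
+- Destination Zone: {Destination Zone}
+- Source IP: {Source IP}
+- Destination IP: {Destination IP}
+- User: {User}
+- Application: {Application}
+- Virtual System: {Virtual System}
+- Source Port: {Source Port}
+- Destination Port: {Destination Port}
+- Inbound Interface: {Inbound Interface}
+- Outbound Interface: {Outbound Interface}
+- Log Action: {Log Action}
+- IP Protocol: {IP Protocol}
+- Action: {Action}
+- Rule Type: {Rule Type}
+- Sequence Number: {Sequence Number}
+- Repeat Count: {Repeat Count}
+- Source Country: {Source Country}
+- Destination Country: {Destination Country}
+- NAT Source IP: {NAT Source IP}
+- NAT Destination IP: {NAT Destination IP}
+- NAT Source Port: {NAT Source Port}
+- NAT Destination Port: {NAT Destination Port}
+- Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
+- Virtual System Name: {Virtual System Name}
+- Device Name: {Device Name}
+"""
 elif log_type == "office365":
-description += """ the columns from Microsoft 365 logs with their descriptions:
-
-Sourcetype: The type or category of the log source, indicating the origin or format of the log data.
-
-_raw: The raw log message as received by the logging system, containing the complete unprocessed log entry.
-
-ChatThreadId: The unique identifier of a chat thread, used to group messages within the same conversation.
-
-CommunicationType: The type of communication, such as chat, call, or meeting.
-
-CreationTime: The timestamp when the log entry or event was created.
-
-Id: A unique identifier for the log entry or event.
-
-ItemName: The name of the item involved in the event, such as a message or file.
-
-MessageId: The unique identifier of a specific message.
-
-MessageVersion: The version of the message, indicating updates or edits.
-
-MessageVisibilityTime: The time when the message became visible to users.
-
-Operation: The specific operation or action that was performed (e.g., send, delete).
-
-OrganizationId: The unique identifier of the organization to which the event is related.
-
-ParticipantInfo.HasForeignTenantUsers: Indicates if the chat or communication includes users from foreign tenants.
-
-ParticipantInfo.HasGuestUsers: Indicates if the chat includes guest users.
-
-ParticipantInfo.HasOtherGuestUsers: Indicates if there are other guest users involved.
-
-ParticipantInfo.HasUnauthenticatedUsers: Indicates if there are unauthenticated users participating.
-
-ParticipantInfo.ParticipatingTenantIds{}: The IDs of tenants participating in the communication.
-
-RecordType: The type of record, often indicating the category of the log (e.g., message, call).
-
-ResourceTenantId: The tenant ID associated with the resource being accessed or modified.
-
-UserId: The unique identifier of the user involved in the event.
-
-UserKey: A key associated with the user, often used for authentication or identification.
-
-UserType: The type of user (e.g., member, guest).
-
-Version: The version of the log schema or format.
-
-Workload: The specific Microsoft service or workload related to the event (e.g., Teams, Exchange).
-
-App: The application involved in the event.
-
-Authentication_service: The authentication service used for the event.
-
-Command: The specific command executed as part of the event.
-
-Dest: The destination involved in the event.
-
-Dest_name: The name of the destination.
-
-Dvc: Device information related to the event.
-
-Host: The host or server where the event occurred.
-
-Record_type: Another field indicating the type of record.
-
-Result: The outcome or result of the operation (e.g., success, failure).
-
-Signature: A signature related to the event, often for verification purposes.
-
-Status: The status of the event or operation (e.g., completed, pending).
-
-Tenant_id: The unique identifier of the tenant where the event occurred.
-
-Timeendpos: The end time position of the event.
-
-Timestartpos: The start time position of the event.
-
-User: General information about the user involved in the event.
-
-User_id: The unique identifier of the user.
-
-User_type: The type of user (similar to UserType).
-
-Vendor_account: The account associated with the vendor.
-
-Vendor_product: The product associated with the vendor.
-
-_bkt: The bucket where the log data is stored.
-
-_cd: The cluster ID in a distributed system.
-
-_indextime: The time when the log entry was indexed.
-
-_serial: A serial number or sequence identifier for the log entry.
-
-_si: An array containing additional internal identifiers."""
-
-return list(set(description))
+description += """\n
+- CreationTime: The time the log was created.
+- UserId: The ID of the user who performed the activity.
+- Operation: The type of operation performed.
+- Workload: The Office 365 service where the event occurred.
+- ClientIP: The IP address of the device used.
+- UserAgent: Information about the user's client or device.
+- ResultStatus: The result status of the operation.
+- LogonType: The type of logon used.
+- Target: The target object that was accessed.
+- Actor: The user who initiated the action.
+- Action: The action performed.
+- ItemName: The name of the item accessed.
+- Source: The source of the log entry.
+- Site: The site where the event occurred.
+- WebId: The web ID where the event occurred.
+- ListId: The list ID where the event occurred.
+- CorrelationId: The correlation ID for troubleshooting.
+- GroupId: The group ID associated with the event.
+- SiteId: The site ID associated with the event.
+- FileData: Metadata about the file involved.
+- SiteUrl: The URL of the site where the event occurred.
+- UserId: The ID of the user who performed the activity.
+- UserType: The type of user (e.g., guest, member).
+- SourceFileExtension: The file extension of the source file.
+- SourceFileName: The name of the source file.
+- UniqueFileId: The unique ID of the file.
+- Timestamp: The time the event occurred.
+- _bkt: The bucket ID for the event.
+- _cd: The Splunk ID for the event.
+- _indextime: The epoch time when the event was indexed.
+- _serial: The serial number for the event.
+- _si: The Splunk indexer information.
+- _sourcetype: The source type of the event.
+- _time: The time the event occurred.
+"""
+return description.strip()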
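Review bot: `descriptions` appends the same field block once per input line of a given type, because `detecting_types` returns one entry per line (`types.append(detect_log_type(l))`) and the loop at new line 14 iterates that list directly, so a multi-line Sophos export yields the Sophos block once per line. Iterate the distinct types in first-seen order instead, `for log_type in dict.fromkeys(detecting_types(log_input)):`, which keeps the `.strip()` return at line 258 unchanged. A type that matches none of the branches (including whatever `detect_log_type` returns for blank lines) silently contributes nothing, so an empty return cannot be told apart from empty input; a one-line docstring stating that, e.g. `"""Return the field descriptions for every recognised log type in log_input; unrecognised types are skipped."""`, would make the contract explicit. The two `print` calls at new lines 8-9 send the detected types to stdout on every call; `logging.debug` would keep that diagnostic out of production output.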