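"""Field glossaries for the log types recognised by ``format_input.detect_log_type``.

Every line of the input is classified by ``detect_log_type`` (project helper,
not visible here); the static per-type glossaries below are then concatenated
for the distinct types found.  The glossaries are plain string constants:
nothing taken from the (untrusted) log content is ever interpolated into them,
so the returned text cannot be influenced by the log lines beyond selecting
which glossaries appear.
"""
import logging

from format_input import detect_log_type

__all__ = ["detecting_types", "descriptions"]

logger = logging.getLogger(__name__)

# --- Sophos firewall (Splunk-extracted fields) -------------------------------
_SOPHOS_FIELDS = """\
 - sourcetype: The type of source that generated the log entry.
 - _raw: The raw log message as received.
 - action: The action taken by the firewall.
 - app: The application associated with the session.
 - app_category: Category of the application.
 - app_is_cloud: Indicates if the application is cloud-based.
 - app_name: Name of the application.
 - app_resolved_by: Method by which the application was identified.
 - app_risk: Risk level of the application.
 - app_technology: Technology type of the application.
 - bytes: Total number of bytes transferred.
 - bytes_in: Number of bytes received.
 - bytes_out: Number of bytes sent.
 - con_id: Connection ID.
 - dest: Destination IP address.
 - dest_mac: Destination MAC address.
 - dest_port: Destination port.
 - dest_zone: Destination zone.
 - device_model: Model of the device.
 - device_name: Name of the device.
 - device_serial_id: Serial ID of the device.
 - dst_country: Destination country.
 - duration: Duration of the session.
 - dvc: Device name.
 - ether_type: Ethernet type.
 - fw_rule_id: Firewall rule ID.
 - fw_rule_type: Type of firewall rule.
 - hb_status: Heartbeat status.
 - host: Host IP address.
 - in_display_interface: Display interface name.
 - in_interface: Ingress interface.
 - log_component: Log component.
 - log_id: Log ID.
 - log_occurrence: Number of occurrences of the log entry.
 - log_subtype: Subtype of the log.
 - log_type: Type of log.
 - log_version: Version of the log format.
 - nat_rule_id: NAT rule ID.
 - packets: Total number of packets transferred.
 - packets_in: Number of packets received.
 - packets_out: Number of packets sent.
 - protocol: Protocol used in the session.
 - qualifier: Qualifier for the log entry.
 - severity: Severity level of the event.
 - src: Source IP address.
 - src_country: Source country.
 - src_interface: Source interface.
 - src_mac: Source MAC address.
 - src_port: Source port.
 - src_zone: Source zone.
 - timeendpos: End position of the timestamp in the raw log.
 - timestamp: Timestamp of the event.
 - timestartpos: Start position of the timestamp in the raw log.
 - transport: Transport protocol used.
 - _bkt: Bucket name where the event is stored in Splunk.
 - _cd: Composite ID of the event.
 - _indextime: Epoch time when the event was indexed.
 - _kv: Key-value extraction indicator.
 - _serial: Sequence number of the event.
 - _si: Splunk indexer and index information.
 - _sourcetype: Source type of the event data.
 - _time: Timestamp when the event occurred.
"""

# --- Azure AD sign-in ---------------------------------------------------------
# NOTE(review): everything from " - sourcetype: Audit" onward reads like the
# Azure AD *audit* log schema (activityDisplayName, targetResources, ...), not
# the sign-in schema, and it repeats host/id/timestartpos/timeendpos.  It is
# kept verbatim; confirm whether it should live under its own log type.
_AZURE_SIGN_IN_FIELDS = """\
 - Source Type: Type or category of the log.
 - appDisplayName: The application name displayed in the Azure Portal.
 - appId: The application identifier in Azure Active Directory.
 - clientAppUsed: The legacy client used for sign-in activity.
 - conditionalAccessStatus: The status of the conditional access policy triggered.
 - correlationId: The identifier sent from the client when sign-in is initiated.
 - createdDateTime: The date and time the sign-in was initiated in UTC.
 - deviceDetail.browser: Browser details.
 - deviceDetail.deviceId: Device ID.
 - deviceDetail.displayName: Device display name.
 - deviceDetail.isCompliant: Compliance status.
 - deviceDetail.isManaged: Managed status.
 - deviceDetail.operatingSystem: Operating system details.
 - deviceDetail.trustType: Trust type.
 - host: Tenant identifier.
 - id: Sign-in activity identifier.
 - ipAddress: Client IP address.
 - isInteractive: Indicates whether a sign-in is interactive.
 - location.city: City.
 - location.countryOrRegion: Country or region.
 - location.geoCoordinates.altitude: Altitude.
 - location.geoCoordinates.latitude: Latitude.
 - location.geoCoordinates.longitude: Longitude.
 - location.state: State.
 - resourceDisplayName: Resource display name.
 - resourceId: Resource identifier.
 - riskDetail: Reason behind the risk state.
 - riskLevelAggregated: Aggregated risk level.
 - riskLevelDuringSignIn: Risk level during sign-in.
 - riskState: Risk state.
 - status.additionalDetails: Additional status details.
 - status.errorCode: Error code.
 - status.failureReason: Failure reason.
 - userDisplayName: User display name.
 - userId: User identifier.
 - userPrincipalName: User principal name.
 - timestartpos: Byte position where the timestamp starts.
 - timeendpos: Byte position where the timestamp ends.
 - sourcetype: Audit
 - host: Host name.
 - id: Unique activity identifier.
 - category: Category value.
 - loggedByService: Service that logged the event.
 - activityDateTime: Date and time the activity occurred.
 - activityDisplayName: Human-readable name for the activity.
 - Level: Message type.
 - Actor: Name of the actor performing the operation.
 - initiatedBy: Details of the initiator (app or user).
 - Command: Description of the operation performed.
 - operationType: Type of operation.
 - result: Result of the activity.
 - ResultStatus: Result status.
 - resultReason: Cause of failure or timeout results.
 - Target_DisplayName: Activity or operation name.
 - Target_ObjectID: Unique identifier for the target object.
 - Target_userPrincipalName: UPN of the target user.
 - targetResources: Details about the target resources.
 - additionalDetails: Key-value pairs of additional details.
 - newValue: Value after the operation.
 - oldValue: Value before the operation.
 - modified_values: Difference between new and old value.
 - timeendpos: Byte position where the timestamp ends.
 - timestartpos: Byte position where the timestamp starts.
 - value: Logged value.
 - _bkt: Bucket ID in Splunk.
 - _cd: Splunk internal ID.
 - _indextime: Epoch time when the log was indexed.
 - _serial: Serial number for the log entry.
 - _si: Splunk indexer information.
 - _sourcetype: Splunk sourcetype.
 - _subsecond: Subsecond part of the timestamp.
 - _time: Time the log was generated.
"""

# --- Palo Alto (SYSTEM, USERID and traffic-style field lists) -----------------
# The "{...}" tokens are literal text, not format placeholders: this string is
# never passed through str.format(), so do not start formatting it with
# untrusted values without escaping the braces first.
_PALO_ALTO_FIELDS = """\
 - Receive Time: {Receive Time}
 - Serial Number: {Serial Number}
 - Type: SYSTEM
 - Subtype: {Subtype}
 - Generated Time: {Generated Time}
 - Virtual System: {Virtual System}
 - Event ID: {Event ID}
 - Module: {Module} (only if Subtype is general)
 - Severity: {Severity}
 - Description: {Description}
 - Sequence Number: {Sequence Number}
 - Action Flags: {Action Flags}
 - Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
 - Virtual System Name: {Virtual System Name}
 - Device Name: {Device Name}
 - Receive Time: {Receive Time}
 - Serial Number: {Serial Number}
 - Type: USERID
 - Subtype: {Subtype} (login, logout, register-tag, unregister-tag)
 - Generated Time: {Generated Time}
 - Virtual System: {Virtual System}
 - Command: {Command}
 - User: {User}
 - Source IP: {Source IP}
 - Data Source Name: {Data Source Name}
 - Event ID: {Event ID}
 - Repeat Count: {Repeat Count}
 - Timeout: {Timeout}
 - Source Port: {Source Port}
 - Destination Port: {Destination Port}
 - Sequence Number: {Sequence Number}
 - Action Flags: {Action Flags}
 - Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
 - Virtual System Name: {Virtual System Name}
 - Device Name: {Device Name}
 - Virtual System ID: {Virtual System ID}
 - Rule Name: {Rule Name}
 - Source Zone: {Source Zone}
 - Destination Zone: {Destination Zone}
 - Source IP: {Source IP}
 - Destination IP: {Destination IP}
 - User: {User}
 - Application: {Application}
 - Virtual System: {Virtual System}
 - Source Port: {Source Port}
 - Destination Port: {Destination Port}
 - Inbound Interface: {Inbound Interface}
 - Outbound Interface: {Outbound Interface}
 - Log Action: {Log Action}
 - IP Protocol: {IP Protocol}
 - Action: {Action}
 - Rule Type: {Rule Type}
 - Sequence Number: {Sequence Number}
 - Repeat Count: {Repeat Count}
 - Source Country: {Source Country}
 - Destination Country: {Destination Country}
 - NAT Source IP: {NAT Source IP}
 - NAT Destination IP: {NAT Destination IP}
 - NAT Source Port: {NAT Source Port}
 - NAT Destination Port: {NAT Destination Port}
 - Device Group Hierarchy Levels: {Device Group Hierarchy Levels}
 - Virtual System Name: {Virtual System Name}
 - Device Name: {Device Name}
"""

# --- Office 365 unified audit log ---------------------------------------------
_OFFICE365_FIELDS = """\
 - CreationTime: The time the log was created.
 - UserId: The ID of the user who performed the activity.
 - Operation: The type of operation performed.
 - Workload: The Office 365 service where the event occurred.
 - ClientIP: The IP address of the device used.
 - UserAgent: Information about the user's client or device.
 - ResultStatus: The result status of the operation.
 - LogonType: The type of logon used.
 - Target: The target object that was accessed.
 - Actor: The user who initiated the action.
 - Action: The action performed.
 - ItemName: The name of the item accessed.
 - Source: The source of the log entry.
 - Site: The site where the event occurred.
 - WebId: The web ID where the event occurred.
 - ListId: The list ID where the event occurred.
 - CorrelationId: The correlation ID for troubleshooting.
 - GroupId: The group ID associated with the event.
 - SiteId: The site ID associated with the event.
 - FileData: Metadata about the file involved.
 - SiteUrl: The URL of the site where the event occurred.
 - UserId: The ID of the user who performed the activity.
 - UserType: The type of user (e.g., guest, member).
 - SourceFileExtension: The file extension of the source file.
 - SourceFileName: The name of the source file.
 - UniqueFileId: The unique ID of the file.
 - Timestamp: The time the event occurred.
 - _bkt: The bucket ID for the event.
 - _cd: The Splunk ID for the event.
 - _indextime: The epoch time when the event was indexed.
 - _serial: The serial number for the event.
 - _si: The Splunk indexer information.
 - _sourcetype: The source type of the event.
 - _time: The time the event occurred.
"""

# Dispatch table keyed by the labels detect_log_type is expected to return.
# Labels not present here contribute nothing to the output (same as the
# original if/elif chain, which had no else branch).
_FIELD_DESCRIPTIONS = {
    "sophos": _SOPHOS_FIELDS,
    "azure-sign-in": _AZURE_SIGN_IN_FIELDS,
    "palo-alto": _PALO_ALTO_FIELDS,
    "office365": _OFFICE365_FIELDS,
}


def detecting_types(chaine):
    """Classify every line of ``chaine`` with ``detect_log_type``.

    Args:
        chaine: raw log text, one entry per line.  It is untrusted input and
            is handed to ``detect_log_type`` line by line without any
            pre-processing; blank lines are passed through too (confirm the
            detector tolerates them).

    Returns:
        list: one label per line, in input order, exactly as returned by
        ``detect_log_type`` (so it may contain repeats and ``None``).
    """
    types = [detect_log_type(line) for line in chaine.splitlines()]
    # Debug logging instead of unconditional print(): this runs on every call
    # and the labels are derived from untrusted input, so keep them off stdout
    # unless a caller explicitly turns DEBUG on.
    logger.debug("detected log types: %s", types)
    return types


def descriptions(log_input):
    """Return the field glossary for every log type found in ``log_input``.

    Args:
        log_input: raw log text; see ``detecting_types``.

    Returns:
        str: the glossaries of the *distinct* recognised types, concatenated
        in first-seen order and stripped of surrounding whitespace.  Empty when
        no line maps to a known type.

    Why de-duplicate: each glossary is several KB, and a file with N lines of
    the same type used to produce N full copies of it, so the output size
    scaled with the attacker-controlled line count rather than with the
    (small, fixed) number of known types.
    """
    # dict.fromkeys() keeps first-seen order while dropping repeats.  This
    # assumes detect_log_type returns hashable labels (str / None) -- confirm.
    distinct_types = dict.fromkeys(detecting_types(log_input))
    parts = [
        _FIELD_DESCRIPTIONS[log_type]
        for log_type in distinct_types
        if log_type in _FIELD_DESCRIPTIONS
    ]
    return "".join(parts).strip()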