vade: fix parsing of email.message_id (remove brackets)

Intake Parsers

Welcome to the Sekoia.io Intakes repository!

This repository contains all the community parsers of Sekoia.io. Parsers are fundamental parts of a cyber analysis and detection process. They extract useful information conveyed by events and make them understandable to decision-making processes. A poor quality parser does not allow informed decision making. Conversely, a good quality parser extracts and normalizes all the useful information present in an event to maximizes its decision making.

We have created this space to ensure the quality of our parsers and allow our users to participate in their development. Contact [email protected] for questions and feedback.

Example

name: my-intake
pipeline:
  - name: parsed_event
    external:
      name: json.parseJSON
  - name: network
    filter: '{{parsed_event.message.log_type == "network"}}'
  - name: file
    filter: '{{parsed_event.message.log_type == "file"}}'
stages:
  network:
    actions:
      - set:
          destination.ip: "{{parsed_event.message.traffic.target}}"
          source.ip: "{{parsed_event.message.traffic.source}}"
  file:
    actions:
      - set:
          file.name: "{{parsed_event.message.file_name | lower}}"

Documentation

Documentation along with tutorials and examples are available in the doc directory.

Organization

Intakes are organized in modules. Each module is associated with a category or a product vendor. An intake is made up of three directories:

the _meta directory contains all the intake metadata such as its description or the icons used for its integration into the public catalog of Sekoia.io,
the ingest directory contains the definition of the parser,
the events directory is optional and contains the definitions of smart-descriptions and lookup tables which adapt the processing and events display within Sekoia.io interfaces.

Contributing

You can click the Fork button in the upper-right area of the screen to create a copy of this repository in your GitHub account. This copy is called a fork. Make any changes you want in your fork, and when you are ready to send those changes to us, go to your fork and create a new pull request to let us know about it.

Once your pull request is created, a Sekoia.io reviewer will take responsibility for providing clear, actionable feedback. Once merged, your changes will be included in the next release to be deployed on Sekoia.io.

	pattern: "%{CLIENT}"
	custom_patterns:
	QUERY_FLAGS: "%{QUERY_FLAGS_RD:flags_rd}%{QUERY_FLAGS_EDNS:flags_edns}?%{QUERY_FLAGS_TCP:flags_tcp}?%{QUERY_FLAGS_DNSSEC:flags_dnssec}?%{QUERY_FLAGS_CD:flags_cd}?%{QUERY_FLAGS_DNS_SERVER_COOKIE}?%{QUERY_FLAGS_DNS_SERVER_COOKIE_WITHOUT_VALID_SERVER}?"
	QUERY_FLAGS_RD: '[\+\-]'
	QUERY_FLAGS_SIGNED: "S?"
	QUERY_FLAGS_EDNS: 'E(\(%{INT}\))?'
	QUERY_FLAGS_TCP: "T"
	QUERY_FLAGS_DNSSEC: "D"
	QUERY_FLAGS_CD: "C"
	QUERY_FLAGS_DNS_SERVER_COOKIE: "V"
	QUERY_FLAGS_DNS_SERVER_COOKIE_WITHOUT_VALID_SERVER: "K"
	CLIENT: 'client ?(%{DATA}) %{IP:src}#%{INT:spt} (%{DATA}): query: %{IPORHOST:dns_question_name} %{WORD:dns_question_class} %{WORD:dns_question_type} %{QUERY_FLAGS} \(%{IP}\)'

sekoia-io / intake-formats Goto Github PK

intake-formats's Introduction

Intake Parsers

Example

Documentation

Organization

Contributing

intake-formats's People

Contributors

Stargazers

Watchers

Forkers

intake-formats's Issues

Recommend Projects

Recommend Topics

Recommend Org

Jobs