/*
 * Copyright (C) 2020 Graylog, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the Server Side Public License, version 1,
 * as published by MongoDB, Inc.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * Server Side Public License for more details.
 *
 * You should have received a copy of the Server Side Public License
 * along with this program. If not, see
 * .
 */
package org.graylog.plugins.cef.parser;

import com.google.common.collect.ImmutableMap;
import org.joda.time.DateTime;

import javax.annotation.Nullable;
import java.math.BigInteger;
import java.util.function.Function;

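/**
 * Maps CEF extension keys (the short names used on the wire, e.g. {@code src}) to their long
 * "full" names (e.g. {@code sourceAddress}) and to the converter that turns the raw string value
 * into a typed value.
 * <p>
 * Conversion notes, relevant because extension values originate from remote log producers and
 * must be treated as untrusted input:
 * <ul>
 *   <li>the numeric converters delegate to {@code Float.parseFloat}, {@code Double.parseDouble},
 *       {@code Long.parseLong}, {@code Integer.parseInt} and {@code new BigInteger(String)} and
 *       therefore throw {@link NumberFormatException} on malformed input (the float/double ones
 *       also accept {@code NaN}, {@code Infinity} and hexadecimal literals);</li>
 *   <li>{@link #convertTimestamp} never throws for an unparseable value; it falls back to the raw
 *       string, so a timestamp field may hold either a {@link DateTime} or a {@link String};</li>
 *   <li>the address converters (IPv4, IPv6, generic IP, MAC) are pass-through and perform no
 *       validation, so a field typed as an address may still contain arbitrary text.</li>
 * </ul>
 * Lookups by key name or full name are exact, case-sensitive string matches.
 */
@SuppressWarnings("unused")
public enum CEFMapping {
    // CEF Key Names For Event Producers
    act("act", "deviceAction", CEFMapping::convertString),
    app("app", "applicationProtocol", CEFMapping::convertString),
    c6a1("c6a1", "deviceCustomIPv6Address1", CEFMapping::convertIPv6Address),
    c6a1Label("c6a1Label", "deviceCustomIPv6Address1Label", CEFMapping::convertString),
    c6a2("c6a2", "deviceCustomIPv6Address2", CEFMapping::convertIPv6Address),
    c6a2Label("c6a2Label", "deviceCustomIPv6Address2Label", CEFMapping::convertString),
    c6a3("c6a3", "deviceCustomIPv6Address3", CEFMapping::convertIPv6Address),
    c6a3Label("c6a3Label", "deviceCustomIPv6Address3Label", CEFMapping::convertString),
    c6a4("c6a4", "deviceCustomIPv6Address4", CEFMapping::convertIPv6Address),
    c6a4Label("c6a4Label", "deviceCustomIPv6Address4Label", CEFMapping::convertString),
    cfp1("cfp1", "deviceCustomFloatingPoint1", CEFMapping::convertFloat),
    cfp1Label("cfp1Label", "deviceCustomFloatingPoint1Label", CEFMapping::convertString),
    cfp2("cfp2", "deviceCustomFloatingPoint2", CEFMapping::convertFloat),
    cfp2Label("cfp2Label", "deviceCustomFloatingPoint2Label", CEFMapping::convertString),
    cfp3("cfp3", "deviceCustomFloatingPoint3", CEFMapping::convertFloat),
    cfp3Label("cfp3Label", "deviceCustomFloatingPoint3Label", CEFMapping::convertString),
    cfp4("cfp4", "deviceCustomFloatingPoint4", CEFMapping::convertFloat),
    cfp4Label("cfp4Label", "deviceCustomFloatingPoint4Label", CEFMapping::convertString),
    cn1("cn1", "deviceCustomNumber1", CEFMapping::convertBigInteger),
    cn1Label("cn1Label", "deviceCustomNumber1Label", CEFMapping::convertString),
    cn2("cn2", "deviceCustomNumber2", CEFMapping::convertBigInteger),
    cn2Label("cn2Label", "deviceCustomNumber2Label", CEFMapping::convertString),
    cn3("cn3", "deviceCustomNumber3", CEFMapping::convertBigInteger),
    cn3Label("cn3Label", "deviceCustomNumber3Label", CEFMapping::convertString),
    cn4("cn4", "deviceCustomNumber4", CEFMapping::convertBigInteger),
    cn4Label("cn4Label", "deviceCustomNumber4Label", CEFMapping::convertString),
    cnt("cnt", "baseEventCount", CEFMapping::convertBigInteger),
    cs1("cs1", "deviceCustomString1", CEFMapping::convertString),
    cs1Label("cs1Label", "deviceCustomString1Label", CEFMapping::convertString),
    cs2("cs2", "deviceCustomString2", CEFMapping::convertString),
    cs2Label("cs2Label", "deviceCustomString2Label", CEFMapping::convertString),
    cs3("cs3", "deviceCustomString3", CEFMapping::convertString),
    cs3Label("cs3Label", "deviceCustomString3Label", CEFMapping::convertString),
    cs4("cs4", "deviceCustomString4", CEFMapping::convertString),
    cs4Label("cs4Label", "deviceCustomString4Label", CEFMapping::convertString),
    cs5("cs5", "deviceCustomString5", CEFMapping::convertString),
    cs5Label("cs5Label", "deviceCustomString5Label", CEFMapping::convertString),
    cs6("cs6", "deviceCustomString6", CEFMapping::convertString),
    cs6Label("cs6Label", "deviceCustomString6Label", CEFMapping::convertString),
    destinationDnsDomain("destinationDnsDomain", "destinationDnsDomain", CEFMapping::convertString),
    destinationServiceName("destinationServiceName", "destinationServiceName", CEFMapping::convertString),
    destinationTranslatedAddress("destinationTranslatedAddress", "destinationTranslatedAddress", CEFMapping::convertIPv4Address),
    destinationTranslatedPort("destinationTranslatedPort", "destinationTranslatedPort", CEFMapping::convertBigInteger),
    deviceCustomDate1("deviceCustomDate1", "deviceCustomDate1", CEFMapping::convertTimestamp),
    deviceCustomDate1Label("deviceCustomDate1Label", "deviceCustomDate1Label", CEFMapping::convertString),
    deviceCustomDate2("deviceCustomDate2", "deviceCustomDate2", CEFMapping::convertTimestamp),
    deviceCustomDate2Label("deviceCustomDate2Label", "deviceCustomDate2Label", CEFMapping::convertString),
    deviceDirection("deviceDirection", "deviceDirection", CEFMapping::convertDirection),
    deviceDnsDomain("deviceDnsDomain", "deviceDnsDomain", CEFMapping::convertString),
    deviceExternalId("deviceExternalId", "deviceExternalId", CEFMapping::convertString),
    deviceFacility("deviceFacility", "deviceFacility", CEFMapping::convertString),
    deviceInboundInterface("deviceInboundInterface", "deviceInboundInterface", CEFMapping::convertString),
    deviceNtDomain("deviceNtDomain", "deviceNtDomain", CEFMapping::convertString),
    // The two capitalised constant names below are kept as-is: renaming them would break callers
    // that reference the constants directly; the wire key names are still lower camel case.
    DeviceOutboundInterface("deviceOutboundInterface", "deviceOutboundInterface", CEFMapping::convertString),
    DevicePayloadId("devicePayloadId", "devicePayloadId", CEFMapping::convertString),
    deviceProcessName("deviceProcessName", "deviceProcessName", CEFMapping::convertString),
    deviceTranslatedAddress("deviceTranslatedAddress", "deviceTranslatedAddress", CEFMapping::convertIPv4Address),
    dhost("dhost", "destinationHostName", CEFMapping::convertString),
    dmac("dmac", "destinationMacAddress", CEFMapping::convertMacAddress),
    dntdom("dntdom", "destinationNtDomain", CEFMapping::convertString),
    dpid("dpid", "destinationProcessId", CEFMapping::convertBigInteger),
    dpriv("dpriv", "destinationUserPrivileges", CEFMapping::convertString),
    dproc("dproc", "destinationProcessName", CEFMapping::convertString),
    dpt("dpt", "destinationPort", CEFMapping::convertBigInteger),
    dst("dst", "destinationAddress", CEFMapping::convertIPv4Address),
    dtz("dtz", "deviceTimeZone", CEFMapping::convertString),
    duid("duid", "destinationUserId", CEFMapping::convertString),
    duser("duser", "destinationUserName", CEFMapping::convertString),
    dvc("dvc", "deviceAddress", CEFMapping::convertIPv4Address),
    dvchost("dvchost", "deviceHostName", CEFMapping::convertString),
    dvcmac("dvcmac", "deviceMacAddress", CEFMapping::convertMacAddress),
    dvcpid("dvcpid", "deviceProcessId", CEFMapping::convertBigInteger),
    end("end", "endTime", CEFMapping::convertTimestamp),
    externalId("externalId", "externalId", CEFMapping::convertString),
    fileCreateTime("fileCreateTime", "fileCreateTime", CEFMapping::convertTimestamp),
    fileHash("fileHash", "fileHash", CEFMapping::convertString),
    fileId("fileId", "fileId", CEFMapping::convertString),
    fileModificationTime("fileModificationTime", "fileModificationTime", CEFMapping::convertTimestamp),
    filePath("filePath", "filePath", CEFMapping::convertString),
    filePermission("filePermission", "filePermission", CEFMapping::convertString),
    fileType("fileType", "fileType", CEFMapping::convertString),
    flexDate1("flexDate1", "flexDate1", CEFMapping::convertTimestamp),
    flexDate1Label("flexDate1Label", "flexDate1Label", CEFMapping::convertString),
    flexDate2("flexDate2", "flexDate2", CEFMapping::convertTimestamp),
    flexDate2Label("flexDate2Label", "flexDate2Label", CEFMapping::convertString),
    flexDate3("flexDate3", "flexDate3", CEFMapping::convertTimestamp),
    flexDate3Label("flexDate3Label", "flexDate3Label", CEFMapping::convertString),
    flexDate4("flexDate4", "flexDate4", CEFMapping::convertTimestamp),
    flexDate4Label("flexDate4Label", "flexDate4Label", CEFMapping::convertString),
    flexString1("flexString1", "flexString1", CEFMapping::convertString),
    flexString1Label("flexString1Label", "flexString1Label", CEFMapping::convertString),
    flexString2("flexString2", "flexString2", CEFMapping::convertString),
    flexString2Label("flexString2Label", "flexString2Label", CEFMapping::convertString),
    flexString3("flexString3", "flexString3", CEFMapping::convertString),
    flexString3Label("flexString3Label", "flexString3Label", CEFMapping::convertString),
    flexString4("flexString4", "flexString4", CEFMapping::convertString),
    flexString4Label("flexString4Label", "flexString4Label", CEFMapping::convertString),
    // flexNumber* use Long (64-bit, overflow throws) whereas cn*/cnt/ports use BigInteger (unbounded).
    flexNumber1("flexNumber1", "flexNumber1", CEFMapping::convertLong),
    flexNumber1Label("flexNumber1Label", "flexNumber1Label", CEFMapping::convertString),
    flexNumber2("flexNumber2", "flexNumber2", CEFMapping::convertLong),
    flexNumber2Label("flexNumber2Label", "flexNumber2Label", CEFMapping::convertString),
    flexNumber3("flexNumber3", "flexNumber3", CEFMapping::convertLong),
    flexNumber3Label("flexNumber3Label", "flexNumber3Label", CEFMapping::convertString),
    flexNumber4("flexNumber4", "flexNumber4", CEFMapping::convertLong),
    flexNumber4Label("flexNumber4Label", "flexNumber4Label", CEFMapping::convertString),
    fname("fname", "filename", CEFMapping::convertString),
    fsize("fsize", "fileSize", CEFMapping::convertBigInteger),
    in("in", "bytesIn", CEFMapping::convertBigInteger),
    msg("msg", "message", CEFMapping::convertString),
    oldFileCreateTime("oldFileCreateTime", "oldFileCreateTime", CEFMapping::convertTimestamp),
    oldFileHash("oldFileHash", "oldFileHash", CEFMapping::convertString),
    oldFileId("oldFileId", "oldFileId", CEFMapping::convertString),
    oldFileModificationTime("oldFileModificationTime", "oldFileModificationTime", CEFMapping::convertTimestamp),
    oldFileName("oldFileName", "oldFileName", CEFMapping::convertString),
    oldFilePath("oldFilePath", "oldFilePath", CEFMapping::convertString),
    oldFilePermission("oldFilePermission", "oldFilePermission", CEFMapping::convertString),
    oldFileSize("oldFileSize", "oldFileSize", CEFMapping::convertBigInteger),
    oldFileType("oldFileType", "oldFileType", CEFMapping::convertString),
    out("out", "bytesOut", CEFMapping::convertBigInteger),
    outcome("outcome", "eventOutcome", CEFMapping::convertString),
    proto("proto", "transportProtocol", CEFMapping::convertString),
    reason("reason", "reason", CEFMapping::convertString),
    request("request", "requestUrl", CEFMapping::convertString),
    requestClientApplication("requestClientApplication", "requestClientApplication", CEFMapping::convertString),
    requestContext("requestContext", "requestContext", CEFMapping::convertString),
    requestCookies("requestCookies", "requestCookies", CEFMapping::convertString),
    requestMethod("requestMethod", "requestMethod", CEFMapping::convertString),
    rt("rt", "deviceReceiptTime", CEFMapping::convertTimestamp),
    shost("shost", "sourceHostName", CEFMapping::convertString),
    smac("smac", "sourceMacAddress", CEFMapping::convertMacAddress),
    sntdom("sntdom", "sourceNtDomain", CEFMapping::convertString),
    sourceDnsDomain("sourceDnsDomain", "sourceDnsDomain", CEFMapping::convertString),
    sourceServiceName("sourceServiceName", "sourceServiceName", CEFMapping::convertString),
    sourceTranslatedAddress("sourceTranslatedAddress", "sourceTranslatedAddress", CEFMapping::convertIPv4Address),
    sourceTranslatedPort("sourceTranslatedPort", "sourceTranslatedPort", CEFMapping::convertBigInteger),
    spid("spid", "sourceProcessId", CEFMapping::convertBigInteger),
    spriv("spriv", "sourceUserPrivileges", CEFMapping::convertString),
    sproc("sproc", "sourceProcessName", CEFMapping::convertString),
    spt("spt", "sourcePort", CEFMapping::convertBigInteger),
    src("src", "sourceAddress", CEFMapping::convertIPv4Address),
    start("start", "startTime", CEFMapping::convertTimestamp),
    suid("suid", "sourceUserId", CEFMapping::convertString),
    suser("suser", "sourceUserName", CEFMapping::convertString),
    type("type", "type", CEFMapping::convertType),

    // CEF Key Names for Event Consumers
    agentDnsDomain("agentDnsDomain", "agentDnsDomain", CEFMapping::convertString),
    agentNtDomain("agentNtDomain", "agentNtDomain", CEFMapping::convertString),
    agentTranslatedAddress("agentTranslatedAddress", "agentTranslatedAddress", CEFMapping::convertIPAddress),
    agentTranslatedZoneExternalID("agentTranslatedZoneExternalID", "agentTranslatedZoneExternalID", CEFMapping::convertString),
    agentTranslatedZoneURI("agentTranslatedZoneURI", "agentTranslatedZoneURI", CEFMapping::convertString),
    agentZoneExternalID("agentZoneExternalID", "agentZoneExternalID", CEFMapping::convertString),
    agentZoneURI("agentZoneURI", "agentZoneURI", CEFMapping::convertString),
    agt("agt", "agentAddress", CEFMapping::convertIPAddress),
    ahost("ahost", "agentHostName", CEFMapping::convertString),
    aid("aid", "agentId", CEFMapping::convertString),
    amac("amac", "agentMacAddress", CEFMapping::convertMacAddress),
    art("art", "agentReceiptTime", CEFMapping::convertTimestamp),
    at("at", "agentType", CEFMapping::convertString),
    atz("atz", "agentTimeZone", CEFMapping::convertString),
    av("av", "agentVersion", CEFMapping::convertString),
    cat("cat", "deviceEventCategory", CEFMapping::convertString),
    customerExternalID("customerExternalID", "customerExternalID", CEFMapping::convertString),
    customerURI("customerURI", "customerURI", CEFMapping::convertString),
    destinationTranslatedZoneExternalID("destinationTranslatedZoneExternalID", "destinationTranslatedZoneExternalID", CEFMapping::convertString),
    destinationTranslatedZoneURI("destinationTranslatedZoneURI", "destinationTranslatedZoneURI", CEFMapping::convertString),
    destinationZoneExternalID("destinationZoneExternalID", "destinationZoneExternalID", CEFMapping::convertString),
    destinationZoneURI("destinationZoneURI", "destinationZoneURI", CEFMapping::convertString),
    deviceTranslatedZoneExternalID("deviceTranslatedZoneExternalID", "deviceTranslatedZoneExternalID", CEFMapping::convertString),
    deviceTranslatedZoneURI("deviceTranslatedZoneURI", "deviceTranslatedZoneURI", CEFMapping::convertString),
    deviceZoneExternalID("deviceZoneExternalID", "deviceZoneExternalID", CEFMapping::convertString),
    deviceZoneURI("deviceZoneURI", "deviceZoneURI", CEFMapping::convertString),
    dlat("dlat", "destinationGeoLatitude", CEFMapping::convertDouble),
    dlong("dlong", "destinationGeoLongitude", CEFMapping::convertDouble),
    eventId("eventId", "eventId", CEFMapping::convertLong),
    rawEvent("rawEvent", "rawEvent", CEFMapping::convertString),
    slat("slat", "sourceGeoLatitude", CEFMapping::convertDouble),
    slong("slong", "sourceGeoLongitude", CEFMapping::convertDouble),
    sourceTranslatedZoneExternalID("sourceTranslatedZoneExternalID", "sourceTranslatedZoneExternalID", CEFMapping::convertString),
    sourceTranslatedZoneURI("sourceTranslatedZoneURI", "sourceTranslatedZoneURI", CEFMapping::convertString),
    sourceZoneExternalID("sourceZoneExternalID", "sourceZoneExternalID", CEFMapping::convertString),
    sourceZoneURI("sourceZoneURI", "sourceZoneURI", CEFMapping::convertString);

    // Lookup tables for faster access. Parameterised (not raw) so forKeyName/forFullName return
    // CEFMapping without an unchecked cast.
    private static final ImmutableMap<String, CEFMapping> KEY_NAMES;
    private static final ImmutableMap<String, CEFMapping> FULL_NAMES;

    static {
        final ImmutableMap.Builder<String, CEFMapping> keyNamesBuilder = ImmutableMap.builder();
        final ImmutableMap.Builder<String, CEFMapping> fullNamesBuilder = ImmutableMap.builder();
        for (CEFMapping cefMapping : values()) {
            keyNamesBuilder.put(cefMapping.keyName, cefMapping);
            fullNamesBuilder.put(cefMapping.fullName, cefMapping);
        }
        // Guava's builder rejects duplicate keys in build(), so a duplicated key or full name in
        // the constant list fails fast at class initialisation instead of silently shadowing.
        KEY_NAMES = keyNamesBuilder.build();
        FULL_NAMES = fullNamesBuilder.build();
    }

    /** Identity conversion; the raw extension value is kept verbatim. */
    private static String convertString(String s) {
        return s;
    }

    /** @throws NumberFormatException if {@code s} is not a parseable float (see {@link Float#parseFloat}). */
    private static Float convertFloat(String s) {
        return Float.parseFloat(s);
    }

    /** @throws NumberFormatException if {@code s} is not a parseable double (see {@link Double#parseDouble}). */
    private static Double convertDouble(String s) {
        return Double.parseDouble(s);
    }

    /** @throws NumberFormatException if {@code s} is not a signed decimal that fits in 64 bits. */
    private static Long convertLong(String s) {
        return Long.parseLong(s);
    }

    /** @throws NumberFormatException if {@code s} is not a signed decimal integer (no size limit). */
    private static BigInteger convertBigInteger(String s) {
        return new BigInteger(s);
    }

    /** @throws NumberFormatException if {@code s} is not a signed decimal that fits in 32 bits. */
    private static Integer convertInteger(String s) {
        return Integer.parseInt(s);
    }

    /**
     * Parses a CEF timestamp via {@link CEFTimestampParser}.
     *
     * @return the parsed {@link DateTime}, or the unchanged input string when the parser
     *         returns {@code null}; unlike the numeric converters this never throws on bad input
     */
    private static Object convertTimestamp(String s) {
        final DateTime dateTime = CEFTimestampParser.parse(s);
        return dateTime == null ? s : dateTime;
    }

    /** Pass-through; no syntactic validation of the address is performed. */
    private static String convertIPv4Address(String s) {
        return s;
    }

    /** Pass-through; no syntactic validation of the address is performed. */
    private static String convertIPv6Address(String s) {
        return s;
    }

    /** Pass-through; no syntactic validation of the address is performed. */
    private static String convertIPAddress(String s) {
        return s;
    }

    /** Pass-through; no syntactic validation of the MAC address is performed. */
    private static String convertMacAddress(String s) {
        return s;
    }

    /** CEF {@code type} is numeric; delegates to {@link #convertInteger}. */
    private static Integer convertType(String s) {
        return convertInteger(s);
    }

    /** CEF {@code deviceDirection} is numeric; delegates to {@link #convertInteger}. */
    private static Integer convertDirection(String s) {
        return convertInteger(s);
    }

    /**
     * Looks up a mapping by its short CEF key (e.g. {@code "src"}).
     *
     * @param keyName the key name as it appears in the CEF extension; the match is exact
     * @return the mapping, or {@code null} if the key is unknown (or {@code keyName} is {@code null})
     */
    @Nullable
    public static CEFMapping forKeyName(String keyName) {
        return KEY_NAMES.get(keyName);
    }

    /**
     * Looks up a mapping by its full name (e.g. {@code "sourceAddress"}).
     *
     * @param fullName the full field name; the match is exact
     * @return the mapping, or {@code null} if the name is unknown (or {@code fullName} is {@code null})
     */
    @Nullable
    public static CEFMapping forFullName(String fullName) {
        return FULL_NAMES.get(fullName);
    }

    private final String keyName;
    private final String fullName;
    // Converter from the raw extension string to the typed value; see the class Javadoc for the
    // exception behaviour of each converter family.
    private final Function<String, Object> converter;

    CEFMapping(String keyName, String fullName, Function<String, Object> converter) {
        this.keyName = keyName;
        this.fullName = fullName;
        this.converter = converter;
    }

    /** @return the short CEF key name (e.g. {@code "src"}) */
    public String getKeyName() {
        return keyName;
    }

    /** @return the full field name (e.g. {@code "sourceAddress"}) */
    public String getFullName() {
        return fullName;
    }

    /** @return the converter applied by {@link #convert(String)} */
    public Function<String, Object> getConverter() {
        return converter;
    }

    /**
     * Converts a raw extension value into the typed value for this field.
     *
     * @param s the raw string from the CEF extension
     * @return the converted value; its runtime type depends on the field's converter
     * @throws NumberFormatException for numeric fields when {@code s} is not a valid number
     */
    public Object convert(String s) {
        return converter.apply(s);
    }
}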



