diff --git a/pipelines/community/transform_ocsf/agent_metrics_logs/metadata.yaml b/pipelines/community/transform_ocsf/agent_metrics_logs/metadata.yaml
index ff0ef69..1af157d 100644
--- a/pipelines/community/transform_ocsf/agent_metrics_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/agent_metrics_logs/metadata.yaml
@@ -13,6 +13,8 @@ metadata_details:
   format: json
   ocsf_version: 1.3.0
   ingestion_method: "Observo OCSFSerializer (Lua-based transform)"
+  ingest_mode: "Other - {Explain: SentinelOne agent self-reported telemetry}"
+  auth_type: "N/A"
   ocsf_mapping:
     class_uid: 5001
     class_name: "Device Inventory Info"
diff --git a/pipelines/community/transform_ocsf/akamai_cdn/metadata.yaml b/pipelines/community/transform_ocsf/akamai_cdn/metadata.yaml
index 4da1911..cdd11ac 100644
--- a/pipelines/community/transform_ocsf/akamai_cdn/metadata.yaml
+++ b/pipelines/community/transform_ocsf/akamai_cdn/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"raw\": \"2026-04-20T02:26:52Z AkamaiCDN streamId=\\\"stream-735\\\" cp=\\\"87876\\\ \" reqId=\\\"tsuzt53unx\\\" statusCode=304 cliIP=\\\"176.105.197.188\\\" reqHost=\\\"img.example.com\\\ \" reqMethod=\\\"GET\\\" reqPath=\\\"/js/app.js\\\" bytes=525284 cacheStatus=\\\"TCP_MISS\\\" turnAroundTimeMSec=331\
diff --git a/pipelines/community/transform_ocsf/akamai_dns/metadata.yaml b/pipelines/community/transform_ocsf/akamai_dns/metadata.yaml
index b23976b..14e8c21 100644
--- a/pipelines/community/transform_ocsf/akamai_dns/metadata.yaml
+++ b/pipelines/community/transform_ocsf/akamai_dns/metadata.yaml
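Review bot: The `ingest_mode` explanation in the agent_metrics_logs hunk, "SentinelOne agent self-reported telemetry", names the producer but not how the records reach the pipeline (API pull, webhook, file, syslog), so the `auth_type: "N/A"` on the next line cannot be checked against anything. The other "Other - {Explain: …}" values in this diff describe a transport (object store, Event Hub, Kafka topic); following that here, e.g. `ingest_mode: "Other - {Explain: <transport> carrying SentinelOne agent self-reported telemetry}"` with `<transport>` filled in, would make the pair consistent. If that transport is an authenticated API, `auth_type` should then name the credential rather than "N/A".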
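Review bot: `auth_type: "N/A"` in the akamai_cdn hunk records nothing about whether the syslog feed is plain UDP/TCP or TLS with sender certificates, which is exactly what a consumer of this field wants to know for a network-delivered source. The same "Syslog"/"N/A" pair is added in the akamai_dns, akamai_general, akamai_sitedefender, barracuda_firewall_logs_latest, beyondtrust_passwordsafe_logs, cisco_*, citrix_netscaler_logs, crowdstrike_endpoint and cyberark_conjur hunks, so this applies to all of them. Since `auth_type` already admits the free-form shape used by the confluent_kafka_logs hunk, one option is `auth_type: "Other - {Explain: syslog over TLS with sender certificate where configured; none for plain UDP/TCP}"`. If "N/A" is the intended enum value for any syslog source, a comment above the key saying that it means an unauthenticated push would save the next reader from guessing.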
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"raw\": \"2026-04-19T19:07:52Z AkamaiDNS streamId=\\\"dns-662\\\" cliIP=\\\"4.61.218.110\\\ \" resolverIP=\\\"8.8.8.8\\\" domain=\\\"app.example.net\\\" recordType=\\\"AAAA\\\" responseCode=\\\ \"REFUSED\\\" answer=\\\"\\\" edge=\\\"edge-nyc\\\" ttl=0 bytes=64\"\n}"
diff --git a/pipelines/community/transform_ocsf/akamai_general/metadata.yaml b/pipelines/community/transform_ocsf/akamai_general/metadata.yaml
index 24c8adb..844acb0 100644
--- a/pipelines/community/transform_ocsf/akamai_general/metadata.yaml
+++ b/pipelines/community/transform_ocsf/akamai_general/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"raw\": \"2026-04-19T09:18:52Z AkamaiSecurity clientIP=\\\"144.165.201.238\\\"\ \ host=\\\"blog.example.com\\\" path=\\\"/login\\\" ruleId=\\\"925798\\\" attackType=\\\"Command_Injection\\\ \" action=\\\"rate_limited\\\" httpMethod=\\\"HEAD\\\" status=400 userAgent=\\\"Googlebot/2.1\\\"\
diff --git a/pipelines/community/transform_ocsf/akamai_sitedefender/metadata.yaml b/pipelines/community/transform_ocsf/akamai_sitedefender/metadata.yaml
index d942db1..b54fce2 100644
--- a/pipelines/community/transform_ocsf/akamai_sitedefender/metadata.yaml
+++ b/pipelines/community/transform_ocsf/akamai_sitedefender/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"type\": \"akamai_siem\",\n \"attackData\": {\n \"clientIP\": \"198.51.100.2\"\ ,\n \"configId\": \"20933\",\n \"policyId\": \"p_10245\",\n \"rules\": []\n },\n \"httpMessage\"\ : {\n \"method\": \"DELETE\",\n \"host\": \"api.example.com\",\n \"path\": \"/search\",\n\
diff --git a/pipelines/community/transform_ocsf/apache_http_logs/metadata.yaml b/pipelines/community/transform_ocsf/apache_http_logs/metadata.yaml
index d95e32e..6079757 100644
--- a/pipelines/community/transform_ocsf/apache_http_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/apache_http_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: file-based agent ingestion (Apache access/error log)}"
+  auth_type: "N/A"
   sample_record: "{\n \"raw\": \"10.29.72.231 - - [20/Apr/2026:03:40:52 +0000] \\\"HEAD /settings HTTP/1.1\\\ \" 200 5305\"\n}"
   dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events
diff --git a/pipelines/community/transform_ocsf/aws_cloudtrail/metadata.yaml b/pipelines/community/transform_ocsf/aws_cloudtrail/metadata.yaml
index c987822..f03dbf8 100644
--- a/pipelines/community/transform_ocsf/aws_cloudtrail/metadata.yaml
+++ b/pipelines/community/transform_ocsf/aws_cloudtrail/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: object store (S3) with SQS/SNS notifications}"
+  auth_type: "IAM Role"
   sample_record: "{\n \"eventCategory\": \"Management\",\n \"eventName\": \"CreateUser\",\n \"eventSource\"\ : \"iam.amazonaws.com\",\n \"eventTime\": \"2026-04-20T03:40:52Z\",\n \"eventVersion\": \"1.09\"\ ,\n \"eventID\": \"4ad68099-cad0-4172-8711-dd15c4d352c9\",\n \"eventType\": \"AwsApiCall\",\n \"\
diff --git a/pipelines/community/transform_ocsf/aws_elasticloadbalancer_logs/metadata.yaml b/pipelines/community/transform_ocsf/aws_elasticloadbalancer_logs/metadata.yaml
index 34aaaa8..80c3759 100644
--- a/pipelines/community/transform_ocsf/aws_elasticloadbalancer_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/aws_elasticloadbalancer_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: object store (S3) for ELB access logs}"
+  auth_type: "IAM Role"
   sample_record: "{\n \"type\": \"https\",\n \"time\": \"2026-04-20T03:40:52.700664Z\",\n \"alb\":\ \ \"corporate-alb-3\",\n \"client_ip\": \"192.168.10.200\",\n \"client_port\": 41655,\n \"backend_ip\"\ : \"172.16.1.50\",\n \"backend_port\": 443,\n \"request_processing_time\": 0.029082,\n \"backend_processing_time\"\
diff --git a/pipelines/community/transform_ocsf/aws_guardduty/metadata.yaml b/pipelines/community/transform_ocsf/aws_guardduty/metadata.yaml
index 2cdeedc..92883b6 100644
--- a/pipelines/community/transform_ocsf/aws_guardduty/metadata.yaml
+++ b/pipelines/community/transform_ocsf/aws_guardduty/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: AWS EventBridge or S3 export of GuardDuty findings}"
+  auth_type: "IAM Role"
   sample_record: "{\n \"schemaVersion\": \"2.0\",\n \"accountId\": \"222708836859\",\n \"region\":\ \ \"us-east-1\",\n \"partition\": \"aws\",\n \"id\": \"8db850b8-f1b1-4dfd-8676-efd7b4e8ee85\",\n\ \ \"arn\": \"arn:aws:guardduty:us-east-1::84378c5c8013403891eb51ada1b2a47b:detector/84378c5c8013403891eb51ada1b2a47b/finding/8db850b8-f1b1-4dfd-8676-efd7b4e8ee85\"\
diff --git a/pipelines/community/transform_ocsf/aws_guardduty_logs/metadata.yaml b/pipelines/community/transform_ocsf/aws_guardduty_logs/metadata.yaml
index 965d065..970b507 100644
--- a/pipelines/community/transform_ocsf/aws_guardduty_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/aws_guardduty_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: AWS EventBridge or S3 export of GuardDuty findings}"
+  auth_type: "IAM Role"
   sample_record: "{\n \"schemaVersion\": \"2.0\",\n \"accountId\": \"200759122295\",\n \"region\":\ \ \"ap-south-1\",\n \"partition\": \"aws\",\n \"id\": \"eb19bf82-4550-40d2-a0b8-ae97533cc0f2\",\n\ \ \"arn\": \"arn:aws:guardduty:ap-south-1::e5485011576b45629ceb37d38e001440:detector/e5485011576b45629ceb37d38e001440/finding/eb19bf82-4550-40d2-a0b8-ae97533cc0f2\"\
diff --git a/pipelines/community/transform_ocsf/aws_vpc_dns_logs/metadata.yaml b/pipelines/community/transform_ocsf/aws_vpc_dns_logs/metadata.yaml
index 103c155..6590625 100644
--- a/pipelines/community/transform_ocsf/aws_vpc_dns_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/aws_vpc_dns_logs/metadata.yaml
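Review bot: `ingest_mode: "Other - {Explain: AWS EventBridge or S3 export of GuardDuty findings}"` in the aws_guardduty hunk lists two different delivery paths, so the field no longer identifies a single mode and `auth_type: "IAM Role"` can only be checked against one of them. The same either/or wording is used in the aws_guardduty_logs hunk on this line and in the aws_vpc_dns_logs, aws_vpc_flow, aws_waf, azure_logs and cisco_umbrella_logs hunks further down. If each pipeline really accepts either path, record the one the bundled Lua transform was validated against and keep the alternative in a comment, e.g. `# EventBridge delivery is also accepted; the S3 export layout is what this transform was tested with`. A value containing "or" will otherwise resist any later validation of mode/auth pairs.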
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: Route 53 Resolver Query Logs to S3 or CloudWatch Logs}"
+  auth_type: "IAM Role"
   sample_record: "{\n \"version\": \"1.100000\",\n \"account_id\": \"213644108138\",\n \"interface_id\"\ : \"eni-02daa7e2\",\n \"srcaddr\": \"10.101.151.110\",\n \"dstaddr\": \"169.254.169.253\",\n \"\ srcport\": 49709,\n \"dstport\": 53,\n \"protocol\": 17,\n \"packets\": 1,\n \"bytes\": 503,\n\
diff --git a/pipelines/community/transform_ocsf/aws_vpc_flow/metadata.yaml b/pipelines/community/transform_ocsf/aws_vpc_flow/metadata.yaml
index 6a829fa..8eff2a7 100644
--- a/pipelines/community/transform_ocsf/aws_vpc_flow/metadata.yaml
+++ b/pipelines/community/transform_ocsf/aws_vpc_flow/metadata.yaml
@@ -13,6 +13,8 @@ metadata_details:
   format: json
   ocsf_version: 1.3.0
   ingestion_method: "Observo OCSFSerializer (Lua-based transform)"
+  ingest_mode: "Other - {Explain: VPC Flow Logs to S3 or CloudWatch Logs}"
+  auth_type: "IAM Role"
   ocsf_mapping:
     class_uid: 4001
     class_name: "Network Activity"
diff --git a/pipelines/community/transform_ocsf/aws_waf/metadata.yaml b/pipelines/community/transform_ocsf/aws_waf/metadata.yaml
index 7d586a9..d349bf8 100644
--- a/pipelines/community/transform_ocsf/aws_waf/metadata.yaml
+++ b/pipelines/community/transform_ocsf/aws_waf/metadata.yaml
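Review bot: The new `ingest_mode` in the aws_vpc_dns_logs hunk says Route 53 Resolver Query Logs, but the `sample_record` context lines directly below it carry `interface_id`, `srcaddr`, `dstaddr`, `protocol: 17` and `dstport: 53`, which is the VPC Flow Log field layout rather than a Resolver query-log record. The sample predates this change, but the added description now contradicts it inside the same block, so one of the two should be corrected before the pair is relied on. If the pipeline really parses flow records filtered to port 53, the explanation should say so; if it parses Resolver query logs, the sample should be replaced with one in that layout (constructed values are fine).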
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: AWS WAF logs to Kinesis Data Firehose or S3}"
+  auth_type: "IAM Role"
   sample_record: "{\n \"timestamp\": \"2026-04-20T03:40:52Z\",\n \"formatVersion\": \"1.0\",\n \"webaclId\"\ : \"arn:aws:wafv2:us-east-1:757912648842:regional/webacl/ExampleWebACL-1711\",\n \"ruleGroupId\"\ : \"XSSRules\",\n \"terminatingRuleType\": \"RATE_BASED\",\n \"action\": \"CAPTCHA\",\n \"httpRequest\"\
diff --git a/pipelines/community/transform_ocsf/axonius_asset_logs/metadata.yaml b/pipelines/community/transform_ocsf/axonius_asset_logs/metadata.yaml
index 9026172..7660269 100644
--- a/pipelines/community/transform_ocsf/axonius_asset_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/axonius_asset_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "API Call"
+  auth_type: "API Key & Secret"
   sample_record: "{\n \"raw\": \"<134>Apr 20 03:37:46 armis-sensor armis - - .{\\\"id\\\":\\\"a0ab8edf-ecb9-41a5-a27b-ad2dfa00ca48\\\ \",\\\"type\\\":\\\"DeviceRiskChange\\\",\\\"_time\\\":\\\"2026-04-20T03:37:46.021342+00:00Z\\\",\\\ \"time\\\":1776656266,\\\"description\\\":\\\"Device risk score changed significantly\\\",\\\"severity\\\
diff --git a/pipelines/community/transform_ocsf/azure_ad/metadata.yaml b/pipelines/community/transform_ocsf/azure_ad/metadata.yaml
index e99248c..f851db1 100644
--- a/pipelines/community/transform_ocsf/azure_ad/metadata.yaml
+++ b/pipelines/community/transform_ocsf/azure_ad/metadata.yaml
@@ -13,6 +13,8 @@ metadata_details:
   format: json
   ocsf_version: 1.3.0
   ingestion_method: "Observo OCSFSerializer (Lua-based transform)"
+  ingest_mode: "API Call"
+  auth_type: "OAuth"
   ocsf_mapping:
     class_uid: 3001
     class_name: "Account Change"
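Review bot: `ingest_mode: "API Call"` with `auth_type: "API Key & Secret"` in the axonius_asset_logs hunk sits above a `sample_record` whose `raw` value is a syslog line (`<134>Apr 20 03:37:46 armis-sensor armis …`), so the declared mode does not match the record layout the Lua mappings are exercised against. The sample also names Armis rather than Axonius, which looks like a copy inherited from another pipeline; that is pre-existing, but it makes it impossible to tell from this file which source the new fields describe. Please confirm against the transform whether this pipeline consumes Axonius REST output (then the sample is wrong) or a syslog forward (then `ingest_mode: "Syslog"` and `auth_type: "N/A"` as in the cisco_* hunks would be the consistent choice).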
diff --git a/pipelines/community/transform_ocsf/azure_logs/metadata.yaml b/pipelines/community/transform_ocsf/azure_logs/metadata.yaml
index 6e8d784..fd6701e 100644
--- a/pipelines/community/transform_ocsf/azure_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/azure_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: Azure Monitor / Event Hub stream}"
+  auth_type: "OAuth"
   sample_record: "(realistic sample not available \u2014 use empty {} for testing)"
   dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events
     must match the field layout exercised by the Lua mappings.
diff --git a/pipelines/community/transform_ocsf/azure_nsg_flow_logs/metadata.yaml b/pipelines/community/transform_ocsf/azure_nsg_flow_logs/metadata.yaml
index 763637c..c85d75d 100644
--- a/pipelines/community/transform_ocsf/azure_nsg_flow_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/azure_nsg_flow_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: object store (Azure Storage Account / Blob) for NSG flow logs}"
+  auth_type: "OAuth"
   sample_record: "{\n \"version\": \"2\",\n \"account_id\": \"913435035175\",\n \"interface_id\": \"\ eni-c8ab934f27224e7db\",\n \"srcaddr\": \"10.35.164.23\",\n \"dstaddr\": \"203.0.113.1\",\n \"\ srcport\": 62807,\n \"dstport\": 3389,\n \"protocol\": 6,\n \"packets\": 214,\n \"bytes\": 23679,\n\
diff --git a/pipelines/community/transform_ocsf/azure_platform/metadata.yaml b/pipelines/community/transform_ocsf/azure_platform/metadata.yaml
index 6a91e32..460b0d2 100644
--- a/pipelines/community/transform_ocsf/azure_platform/metadata.yaml
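Review bot: `auth_type: "OAuth"` in the azure_nsg_flow_logs hunk is a sensible default for Blob access if the pipeline authenticates with an Entra ID identity, but the `sample_record` below it (`account_id`, `interface_id: "eni-…"`, `srcaddr`/`dstaddr`) is an AWS VPC Flow Log layout, not the NSG flow-log JSON a Storage Account delivers, so the added description and the sample disagree within the same block. As with aws_vpc_dns_logs, the mismatch predates this change, but the new `ingest_mode` now asserts a source the sample does not show. If the transform is validated against NSG flow records, replace the sample with an NSG-shaped one (constructed values are fine); if it is really the VPC Flow mapping reused, say so in the explanation. If the Blob path is actually read with a SAS token or account key rather than an Entra ID token, `auth_type` should say that instead of "OAuth".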
+++ b/pipelines/community/transform_ocsf/azure_platform/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: Azure Event Hub for Activity Log delivery}"
+  auth_type: "OAuth"
   sample_record: "{\n \"timestamp\": \"2026-04-20T03:40:52.962457Z\",\n \"vendor\": \"Microsoft\",\n\ \ \"product\": \"Azure Ad Logs\",\n \"version\": \"1.0\",\n \"event_type\": \"security_event\"\ ,\n \"message\": \"Sample Microsoft Azure Ad Logs event at 2026-04-20T03:40:52.962457Z\",\n \"severity\"\
diff --git a/pipelines/community/transform_ocsf/barracuda_firewall_logs_latest/metadata.yaml b/pipelines/community/transform_ocsf/barracuda_firewall_logs_latest/metadata.yaml
index 94f07a6..c8cd6ea 100644
--- a/pipelines/community/transform_ocsf/barracuda_firewall_logs_latest/metadata.yaml
+++ b/pipelines/community/transform_ocsf/barracuda_firewall_logs_latest/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "(realistic sample not available \u2014 use empty {} for testing)"
   dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events
     must match the field layout exercised by the Lua mappings.
diff --git a/pipelines/community/transform_ocsf/beyondtrust_passwordsafe_logs/metadata.yaml b/pipelines/community/transform_ocsf/beyondtrust_passwordsafe_logs/metadata.yaml
index bca0705..dcc588f 100644
--- a/pipelines/community/transform_ocsf/beyondtrust_passwordsafe_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/beyondtrust_passwordsafe_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"raw\": \"2026-04-20 03:36:32 10.0.0.150 {\\\"EventTime\\\":\\\"2026-04-20T03:36:32.710887Z\\\ \",\\\"EventType\\\":\\\"UserLogout\\\",\\\"EventId\\\":\\\"e8b5e243-6e4a-48e1-a38b-93ee87daba95\\\ \",\\\"UserId\\\":\\\"svc_backup\\\",\\\"UserName\\\":\\\"Service Account\\\",\\\"UserDisplayName\\\
diff --git a/pipelines/community/transform_ocsf/cisco_asa_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_asa_logs/metadata.yaml
index ef0e0c1..ffe4c6e 100644
--- a/pipelines/community/transform_ocsf/cisco_asa_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_asa_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"raw\": \"<166>Apr 20 2026 03:40:52 asa-demo : %ASA-6-302015: Built outbound TCP\ \ connection 441011 for inside:192.0.2.10/21946 (192.0.2.10/21946) to outside:203.0.113.5/443 (203.0.113.5/443)\"\ \n}"
diff --git a/pipelines/community/transform_ocsf/cisco_combo_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_combo_logs/metadata.yaml
index 35ac798..7492eb5 100644
--- a/pipelines/community/transform_ocsf/cisco_combo_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_combo_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"timestamp\": \"2026-04-19T14:09:53.030684+00:00\",\n \"hostname\": \"router-29\"\ ,\n \"device_ip\": \"30.133.137.140\",\n \"facility\": \"LOCAL4\",\n \"severity\": \"info\",\n\ \ \"mnemonic\": \"STATE\",\n \"facility_mnemonic\": \"TRACKING\",\n \"sequence_number\": 342870,\n\
diff --git a/pipelines/community/transform_ocsf/cisco_duo/metadata.yaml b/pipelines/community/transform_ocsf/cisco_duo/metadata.yaml
index ae2be8e..7404e84 100644
--- a/pipelines/community/transform_ocsf/cisco_duo/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_duo/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"timestamp\": \"2026-04-20T03:40:52Z\",\n \"time\": 1776656452716,\n \"class_uid\"\ : 3002,\n \"class_name\": \"Authentication\",\n \"category_uid\": 3,\n \"category_name\": \"Identity\ \ & Access Management\",\n \"activity_id\": 1,\n \"activity_name\": \"Logon\",\n \"type_uid\":\
diff --git a/pipelines/community/transform_ocsf/cisco_firewall/metadata.yaml b/pipelines/community/transform_ocsf/cisco_firewall/metadata.yaml
index 9d63208..2273658 100644
--- a/pipelines/community/transform_ocsf/cisco_firewall/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_firewall/metadata.yaml
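Review bot: `ingest_mode: "Syslog"` / `auth_type: "N/A"` in the cisco_duo hunk may be wrong for this source: the `sample_record` below it is JSON with no syslog framing, and Duo authentication logs are, as far as I know, usually retrieved from the Duo Admin API with an integration key and secret rather than pushed over syslog. If that is the path here, `ingest_mode: "API Call"` and `auth_type: "API Key & Secret"` would match the convention the cloudflare_* hunks use. Worth confirming against the collector configuration rather than the sample alone, since the sample already carries OCSF fields (`class_uid: 3002`) and may be a post-normalisation record.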
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"raw\": \"<165>Apr 20 03:40:52 ftd-241 : FTD-1-430003: SrcIP: 192.168.110.231,\ \ DstIP: 203.0.113.236, ConnectionDuration: 1292, InitiatorBytes: 44088, ResponderBytes: 19778\",\n\ \ \"timestamp\": \"2026-04-20T03:40:52.719548Z\",\n \"vendor\": \"Cisco\",\n \"product\": \"Firewall\
diff --git a/pipelines/community/transform_ocsf/cisco_fmc_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_fmc_logs/metadata.yaml
index 3b5f84d..3dee763 100644
--- a/pipelines/community/transform_ocsf/cisco_fmc_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_fmc_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"timestamp\": \"2026-04-20T03:32:52.723426+00:00\",\n \"event_id\": 9448853,\n\ \ \"event_type\": \"DNS\",\n \"event_subtype\": \"DNS_EVENT\",\n \"severity\": \"Info\",\n \"\ action\": \"Drop\",\n \"device_name\": \"ENTERPRISE-FTD-SECURITY-1\",\n \"device_ip\": \"86.29.233.254\"\
diff --git a/pipelines/community/transform_ocsf/cisco_ios_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_ios_logs/metadata.yaml
index f553091..2c3744f 100644
--- a/pipelines/community/transform_ocsf/cisco_ios_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_ios_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"timestamp\": \"2026-04-19T15:49:52.728587+00:00\",\n \"hostname\": \"switch-2\"\ ,\n \"device_ip\": \"49.78.43.47\",\n \"facility\": \"LOCAL4\",\n \"severity\": \"warning\",\n\ \ \"mnemonic\": \"THRESHOLD_VIOLATION\",\n \"facility_mnemonic\": \"SFF8472\",\n \"sequence_number\"\
diff --git a/pipelines/community/transform_ocsf/cisco_ironport/metadata.yaml b/pipelines/community/transform_ocsf/cisco_ironport/metadata.yaml
index 8361472..d6d1ac4 100644
--- a/pipelines/community/transform_ocsf/cisco_ironport/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_ironport/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"timestamp\": \"2026-04-20T03:30:52Z\",\n \"hostname\": \"VOYAGER-ESA-PROD\"\ ,\n \"facility\": \"mail\",\n \"severity\": \"warn\",\n \"message_id\": \"1307521\",\n \"from_address\"\ : \"miles.obrien@ferengi-commerce.net\",\n \"to_address\": \"miles.obrien@starfleet.corp\",\n \"\
diff --git a/pipelines/community/transform_ocsf/cisco_isa3000_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_isa3000_logs/metadata.yaml
index c730ffc..b11ee47 100644
--- a/pipelines/community/transform_ocsf/cisco_isa3000_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_isa3000_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"timestamp\": \"2026-04-19T19:28:52.737044+00:00\",\n \"hostname\": \"ISA3000-4\"\ ,\n \"device_ip\": \"192.168.5.42\",\n \"event_type\": \"MODBUS\",\n \"action\": \"READ_COILS\"\ ,\n \"severity\": \"INFO\",\n \"message_id\": \"ISA-489417\",\n \"source_ip\": \"10.90.203.8\"\
diff --git a/pipelines/community/transform_ocsf/cisco_ise_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_ise_logs/metadata.yaml
index 092b770..57b483d 100644
--- a/pipelines/community/transform_ocsf/cisco_ise_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_ise_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"EventTimestamp\": \"2026-04-19T19:51:52.742714+00:00\",\n \"MessageCode\": \"\ 5400\",\n \"ACSServer\": \"ise-psn-1\",\n \"AccessService\": \"Guest Access\",\n \"UserName\":\ \ \"user94@company.com\",\n \"IdentityGroup\": \"Executives\",\n \"NetworkDeviceName\": \"nad-switch-2\"\
diff --git a/pipelines/community/transform_ocsf/cisco_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_logs/metadata.yaml
index 5b0055e..3ecb095 100644
--- a/pipelines/community/transform_ocsf/cisco_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"timestamp\": \"2026-04-19T19:27:52.744586+00:00\",\n \"hostname\": \"firewall-22\"\ ,\n \"device_ip\": \"73.247.139.85\",\n \"facility\": \"LOCAL1\",\n \"severity\": \"info\",\n \ \ \"mnemonic\": \"UPDOWN\",\n \"facility_mnemonic\": \"LINK\",\n \"sequence_number\": 940259,\n\
diff --git a/pipelines/community/transform_ocsf/cisco_meraki/metadata.yaml b/pipelines/community/transform_ocsf/cisco_meraki/metadata.yaml
index 9ea60d7..5cb0945 100644
--- a/pipelines/community/transform_ocsf/cisco_meraki/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_meraki/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"timestamp\": \"2026-04-20T03:40:52Z\",\n \"syslog_priority\": 135,\n \"unix_timestamp\"\ : 1776656452,\n \"hostname\": \"meraki-mx64\",\n \"log_type\": \"ip_flow\",\n \"src_ip\": \"10.0.84.250\"\ ,\n \"dst_ip\": \"93.184.150.1\",\n \"protocol\": \"icmp\",\n \"src_port\": 17356,\n \"dst_port\"\
diff --git a/pipelines/community/transform_ocsf/cisco_meraki_flow_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_meraki_flow_logs/metadata.yaml
index 11fe36a..a7631d4 100644
--- a/pipelines/community/transform_ocsf/cisco_meraki_flow_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_meraki_flow_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"timestamp\": \"2026-04-20T03:40:52.751732Z\",\n \"vendor\": \"Cisco\",\n \"\ product\": \"Meraki Flow Logs\",\n \"version\": \"1.0\",\n \"event_type\": \"security_event\",\n\ \ \"message\": \"Sample Cisco Meraki Flow Logs event at 2026-04-20T03:40:52.751732Z\",\n \"severity\"\
diff --git a/pipelines/community/transform_ocsf/cisco_meraki_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_meraki_logs/metadata.yaml
index 27d6042..59d2fd3 100644
--- a/pipelines/community/transform_ocsf/cisco_meraki_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_meraki_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"timestamp\": \"2026-04-20T03:40:52Z\",\n \"syslog_priority\": 135,\n \"unix_timestamp\"\ : 1776656452,\n \"hostname\": \"meraki-mx64\",\n \"log_type\": \"vpn_firewall\",\n \"src_ip\":\ \ \"10.0.34.12\",\n \"dst_ip\": \"93.184.232.81\",\n \"protocol\": \"tcp\",\n \"src_port\": 64270,\n\
diff --git a/pipelines/community/transform_ocsf/cisco_networks_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_networks_logs/metadata.yaml
index 2572d7c..a40f4f5 100644
--- a/pipelines/community/transform_ocsf/cisco_networks_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_networks_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"timestamp\": \"2026-04-19T23:56:52.753336+00:00\",\n \"hostname\": \"asa-43\"\ ,\n \"device_ip\": \"187.202.143.67\",\n \"facility\": \"LOCAL3\",\n \"severity\": \"info\",\n\ \ \"mnemonic\": \"SUCCESS\",\n \"facility_mnemonic\": \"SEC_LOGIN\",\n \"sequence_number\": 150664,\n\
diff --git a/pipelines/community/transform_ocsf/cisco_umbrella_logs/metadata.yaml b/pipelines/community/transform_ocsf/cisco_umbrella_logs/metadata.yaml
index f333c99..c11429a 100644
--- a/pipelines/community/transform_ocsf/cisco_umbrella_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cisco_umbrella_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: Cisco Umbrella S3 log export or HTTPS API}"
+  auth_type: "IAM Role"
   sample_record: "{\n \"raw\": \"\\\"2026-04-20 03:40:52\\\",\\\"Finance\\u2011Dept\\\",\\\"10.0.1.55\\\ \",\\\"8.8.8.8\\\",\\\"93.184.216.34\\\",\\\"text/html\\\",\\\"Allowed\\\",\\\"http://example.com/pdf\\\ \",\\\"http://ref.example.com\\\",\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\\\",\\\"302\\\",\\\
diff --git a/pipelines/community/transform_ocsf/citrix_netscaler_logs/metadata.yaml b/pipelines/community/transform_ocsf/citrix_netscaler_logs/metadata.yaml
index 1255c3a..2638042 100644
--- a/pipelines/community/transform_ocsf/citrix_netscaler_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/citrix_netscaler_logs/metadata.yaml
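Review bot: `auth_type: "IAM Role"` in the cisco_umbrella_logs hunk covers only the first of the two delivery paths named in `ingest_mode` ("S3 log export or HTTPS API"); pulling from the Umbrella reporting API would need an API credential, not an IAM role, so one of the listed modes is left with an undocumented auth method. Pick the path this transform is validated against and record its credential, e.g. `ingest_mode: "Other - {Explain: Cisco Umbrella S3 log export}"` with `auth_type: "IAM Role"`, and mention the API alternative in a comment if it is also supported. The sample below (comma-separated, quoted fields) is consistent with the S3 CSV export, which supports keeping that as the documented path.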
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Syslog"
+  auth_type: "N/A"
   sample_record: "{\n \"raw\": \"timestamp=2026-04-20T03:40:53.033780+00:00,hostname=f5-bigip-1,device_ip=212.126.91.220,module=APM,event_type=SESSION_TERMINATED,severity=INFO,facility=LOCAL0,priority=21,slot=1.1,tmm=2,virtual_server=vs_api_5,pool=pool_web_4,client_ip=5.208.9.191,server_ip=10.29.4.69,client_port=49852,server_port=8443,protocol=HTTP,username=user84,session_id=sess_942865417,access_profile=ap_portal,authentication_method=RADIUS,virtual_server_name=/Common/vs_portal,client_type=VPN\ \ Client,geo_location=CA,bytes_in=7321,bytes_out=92900,packets_in=664,packets_out=883,class_uid=4001,class_name=Network\ \ Activity,category_uid=4,category_name=Network Activity,activity_id=6,activity_name=Traffic,type_uid=400106,severity_id=1,status_id=2\"\
diff --git a/pipelines/community/transform_ocsf/cloudflare_general_logs/metadata.yaml b/pipelines/community/transform_ocsf/cloudflare_general_logs/metadata.yaml
index 85cbdb3..61e4a98 100644
--- a/pipelines/community/transform_ocsf/cloudflare_general_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cloudflare_general_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "API Call"
+  auth_type: "API Key & Secret"
   sample_record: "{\n \"Datetime\": 1776656032763,\n \"ZoneID\": 581915883679421473,\n \"ZoneName\"\ : \"starfleet.corp\",\n \"ClientIP\": \"121.81.128.32\",\n \"ClientRequestHost\": \"enterprise.starfleet.corp\"\ ,\n \"ClientRequestMethod\": \"POST\",\n \"ClientRequestURI\": \"/bridge/admin\",\n \"ClientRequestUserAgent\"\
diff --git a/pipelines/community/transform_ocsf/cloudflare_inc_waf_lastest/metadata.yaml b/pipelines/community/transform_ocsf/cloudflare_inc_waf_lastest/metadata.yaml
index 75373f2..6420b81 100644
--- a/pipelines/community/transform_ocsf/cloudflare_inc_waf_lastest/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cloudflare_inc_waf_lastest/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "API Call"
+  auth_type: "API Key & Secret"
   sample_record: "{\n \"raw\": \"json.Timestamp = \\\"2026-04-20T03:40:52.784493+00:00Z\\\";\\njson.CreatedAt\ \ = \\\"2026-04-20T03:40:52.784493+00:00Z\\\";\\njson.EdgeStartTimestamp = 1776656452784493056;\\\ njson.ClientIP = \\\"201.186.209.153\\\";\\njson.ClientRequestHost = \\\"example-2.com\\\";\\njson.ClientRequestMethod\
diff --git a/pipelines/community/transform_ocsf/cloudflare_logs/metadata.yaml b/pipelines/community/transform_ocsf/cloudflare_logs/metadata.yaml
index 775df72..e9288fb 100644
--- a/pipelines/community/transform_ocsf/cloudflare_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cloudflare_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "API Call"
+  auth_type: "API Key & Secret"
   sample_record: "{\n \"raw\": \"json.Timestamp = \\\"2026-04-20T03:40:52.785589+00:00Z\\\";\\njson.CreatedAt\ \ = \\\"2026-04-20T03:40:52.785589+00:00Z\\\";\\njson.EdgeStartTimestamp = 1776656452785588992;\\\ njson.ClientIP = \\\"96.118.8.64\\\";\\njson.ClientRequestHost = \\\"example-1.com\\\";\\njson.ClientRequestMethod\
diff --git a/pipelines/community/transform_ocsf/cloudflare_waf_logs/metadata.yaml b/pipelines/community/transform_ocsf/cloudflare_waf_logs/metadata.yaml
index 1e1311f..4e15893 100644
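Review bot: `ingest_mode: "API Call"` in the cloudflare_inc_waf_lastest hunk, and the same value in the cloudflare_logs hunk on this line and the cloudflare_waf_logs hunk below, sits above `sample_record` lines in the `json.Timestamp = …; json.CreatedAt = …` shape, which looks like a pushed Logpush export rather than a record fetched from the API. If these three pipelines are fed by Logpush into a destination Observo reads, the mode is that destination (object store or HTTPS endpoint) and the credential is whatever protects it, not "API Key & Secret". The cloudflare_general_logs hunk above, whose sample is a plain JSON record, may legitimately differ; please confirm which of the four actually calls the Cloudflare API before the pairs are relied on.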
--- a/pipelines/community/transform_ocsf/cloudflare_waf_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/cloudflare_waf_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "API Call"
+  auth_type: "API Key & Secret"
   sample_record: "{\n \"raw\": \"json.Timestamp = \\\"2026-04-20T03:40:52.786384+00:00Z\\\";\\njson.CreatedAt\ \ = \\\"2026-04-20T03:40:52.786384+00:00Z\\\";\\njson.EdgeStartTimestamp = 1776656452786384128;\\\ njson.ClientIP = \\\"155.201.237.245\\\";\\njson.ClientRequestHost = \\\"example-6.com\\\";\\njson.ClientRequestMethod\
diff --git a/pipelines/community/transform_ocsf/confluent_kafka_logs/metadata.yaml b/pipelines/community/transform_ocsf/confluent_kafka_logs/metadata.yaml
index 5d4419c..4d65735 100644
--- a/pipelines/community/transform_ocsf/confluent_kafka_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/confluent_kafka_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
   format: source-specific JSON/KV/syslog
   ocsf_version: 1.3.0
   ingestion_method: Observo OCSFSerializer (Lua-based transform)
+  ingest_mode: "Other - {Explain: Kafka topic consumption (SASL/PLAIN or SASL/SCRAM auth)}"
+  auth_type: "Other - {Explain: Kafka SASL credentials}"
   sample_record: "(realistic sample not available \u2014 use empty {} for testing)"
   dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events
     must match the field layout exercised by the Lua mappings.
diff --git a/pipelines/community/transform_ocsf/crowdstrike_detections/metadata.yaml b/pipelines/community/transform_ocsf/crowdstrike_detections/metadata.yaml
index 7308964..e346113 100644
--- a/pipelines/community/transform_ocsf/crowdstrike_detections/metadata.yaml
+++ b/pipelines/community/transform_ocsf/crowdstrike_detections/metadata.yaml
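Review bot: In the confluent_kafka_logs hunk the authentication mechanism is stated twice — `ingest_mode` ends with "(SASL/PLAIN or SASL/SCRAM auth)" and `auth_type` says "Kafka SASL credentials" — so a reader has to reconcile two fields to learn one fact, and the two could drift apart on a later edit. Keep the transport in `ingest_mode` and the mechanism in `auth_type`: `ingest_mode: "Other - {Explain: Kafka topic consumption}"` and `auth_type: "Other - {Explain: Kafka SASL/PLAIN or SASL/SCRAM credentials}"`. Since SASL/PLAIN sends the credential in clear unless the listener is TLS, the `auth_type` explanation is also the natural place to note that a TLS listener is expected.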
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "OAuth" sample_record: "{\n \"raw\": \"CEF:0|CrowdStrike|Falcon|6.35.15406.0|3608|Credential Theft Attempt|10|rt=1776656452895\ \ start=1776654466922 end=0 dvchost=SECURITY-STATION duser=Administrator suid=S-1-5-21-847010317-217708099-7006-3433\ \ externalId=ldt:5fbcfb67f42e9543:658148767982 msg=Suspicious_activity_detected:_Credential_Theft_Attempt\ diff --git a/pipelines/community/transform_ocsf/crowdstrike_endpoint/metadata.yaml b/pipelines/community/transform_ocsf/crowdstrike_endpoint/metadata.yaml index 661414f..7550f9c 100644 --- a/pipelines/community/transform_ocsf/crowdstrike_endpoint/metadata.yaml +++ b/pipelines/community/transform_ocsf/crowdstrike_endpoint/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \"CEF:0|CrowdStrike|Falcon|6.35.15406.0|1324|File System Activity|3|rt=1776656453036\ \ start=1776652942364 end=0 dvchost=SICKBAY-TERMINAL duser=worf.security suid=S-1-5-21-912496410-812889875-9194-2536\ \ externalId=ldt:909f9215a1570192:646268400963 msg=Suspicious_activity_detected:_File_System_Activity\ diff --git a/pipelines/community/transform_ocsf/crowdstrike_logs/metadata.yaml b/pipelines/community/transform_ocsf/crowdstrike_logs/metadata.yaml index 4ca73ed..61dffdb 100644 --- a/pipelines/community/transform_ocsf/crowdstrike_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/crowdstrike_logs/metadata.yaml 
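Review bot: `ingest_mode: "API Call"` with `auth_type: "OAuth"` is hard to reconcile with the sample record three lines below, which is CEF (`CEF:0|CrowdStrike|Falcon|…`); CEF is what the Falcon SIEM Connector writes to syslog or a file, whereas the Falcon APIs return JSON. The crowdstrike_endpoint hunk carries the same CEF shape and is marked `"Syslog"`/`"N/A"`, and crowdstrike_logs repeats `"API Call"`/`"OAuth"` over another CEF sample, so the three files currently disagree about one transport. If the source is the SIEM Connector, use `ingest_mode: "Syslog"` and `auth_type: "N/A"` here; if it really is the API, replace the sample with the JSON the Lua mappings exercise.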
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "OAuth" sample_record: "{\n \"raw\": \"CEF:0|CrowdStrike|Falcon|6.35.15406.0|8551|Credential Theft Attempt|10|rt=1776656452791\ \ start=1776655836576 end=0 dvchost=READY-ROOM-PC duser=Administrator suid=S-1-5-21-842710148-170434691-4718-7205\ \ externalId=ldt:1fe57273b08765ca:330177746533 msg=Suspicious_activity_detected:_Credential_Theft_Attempt\ diff --git a/pipelines/community/transform_ocsf/cyberark_conjur/metadata.yaml b/pipelines/community/transform_ocsf/cyberark_conjur/metadata.yaml index 89e0d66..de555e3 100644 --- a/pipelines/community/transform_ocsf/cyberark_conjur/metadata.yaml +++ b/pipelines/community/transform_ocsf/cyberark_conjur/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-19T04:07:52Z\",\n \"hostname\": \"conjur-standby\",\n\ \ \"facility\": \"local0\",\n \"severity\": \"warn\",\n \"priority\": 130,\n \"process_id\": 5327,\n\ \ \"operation\": \"create\",\n \"result\": \"failure\",\n \"role\": \"admin:user:sysadmin\",\n\ diff --git a/pipelines/community/transform_ocsf/darktrace/metadata.yaml b/pipelines/community/transform_ocsf/darktrace/metadata.yaml index 307def0..e025630 100644 --- a/pipelines/community/transform_ocsf/darktrace/metadata.yaml +++ b/pipelines/community/transform_ocsf/darktrace/metadata.yaml 
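Review bot: `auth_type: "N/A"` on the cyberark_conjur hunk reads as "not applicable", but for a plain syslog feed it means "none": the sender is identified only by source address, so any host that can reach the collector can inject forged Conjur audit records alongside real ones such as the `operation: create` / `result: failure` / `role: admin:user:sysadmin` event in the sample. For a secrets-manager audit trail that distinction is worth stating: `auth_type: "N/A"  # unauthenticated syslog; use TLS syslog (RFC 5425) with client certs and restrict the listener to Conjur hosts`. The same caveat applies to every hunk in this change that pairs `"Syslog"` with `"N/A"`.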
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"time\": 1776656452626,\n \"creationTime\": 1776656333626,\n \"model\": {\n\ \ \"name\": \"Anomalous File / Internet Facing System File Download\",\n \"description\": \"\ An internet-facing system has downloaded an unusual file type\",\n \"id\": 861,\n \"version\"\ diff --git a/pipelines/community/transform_ocsf/darktrace_darktrace_logs/metadata.yaml b/pipelines/community/transform_ocsf/darktrace_darktrace_logs/metadata.yaml index 9ea88a1..a5ee75f 100644 --- a/pipelines/community/transform_ocsf/darktrace_darktrace_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/darktrace_darktrace_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"time\": 1776656453039,\n \"creationTime\": 1776656158039,\n \"model\": {\n\ \ \"name\": \"Device / Large Number of Model Breaches\",\n \"description\": \"Multiple anomalous\ \ behaviors detected from a single device in a short time period\",\n \"id\": 251,\n \"version\"\ diff --git a/pipelines/community/transform_ocsf/dhcp_logs/metadata.yaml b/pipelines/community/transform_ocsf/dhcp_logs/metadata.yaml index 398d300..f62f771 100644 --- a/pipelines/community/transform_ocsf/dhcp_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/dhcp_logs/metadata.yaml 
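Review bot: `ingest_mode: "Syslog"` / `auth_type: "N/A"` may be wrong for the darktrace hunk: the sample record (`time`, `creationTime`, `model: {name, description, id, version}`) has the shape of a Darktrace model-breach object as returned by its REST API, and the darktrace_darktrace_logs hunk carries the same shape. If the events are pulled from the API, the credential is Darktrace's public/private token pair with per-request HMAC signing, which this vocabulary would express as `ingest_mode: "API Call"` and `auth_type: "API Key & Secret"`. Darktrace can also forward the same JSON over syslog, so confirm against the deployment rather than the sample; I cannot tell from the diff alone.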
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-20T03:27:45Z\",\n \"process\": \"dhcpd\",\n \"process_id\"\ : 711,\n \"dhcp_message_type\": \"DHCPRELEASE\",\n \"client_mac\": \"d8:fd:59:f2:49:ed\",\n \"\ client_ip\": \"192.168.1.200\",\n \"interface\": \"eth0\",\n \"client_hostname\": \"tablet01\",\n\ diff --git a/pipelines/community/transform_ocsf/dns_general_logs/metadata.yaml b/pipelines/community/transform_ocsf/dns_general_logs/metadata.yaml index 99794ea..921418c 100644 --- a/pipelines/community/transform_ocsf/dns_general_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/dns_general_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-20T03:15:24.059Z\",\n \"log_level\": \"info\",\n \"\ log_type\": \"queries\",\n \"client_uid\": \"0x7f03630d15\",\n \"client_ip\": \"192.0.2.63\",\n\ \ \"client_port\": 55015,\n \"query_hostname\": \"mail.example.org\",\n \"query_name\": \"mail.example.org\"\ diff --git a/pipelines/community/transform_ocsf/dns_ocsf_logs/metadata.yaml b/pipelines/community/transform_ocsf/dns_ocsf_logs/metadata.yaml index fb7bbc9..5188c6e 100644 --- a/pipelines/community/transform_ocsf/dns_ocsf_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/dns_ocsf_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-20T02:59:21.063Z\",\n \"log_level\": \"info\",\n \"\ log_type\": \"queries\",\n \"client_uid\": \"0x7f0221d1a9\",\n \"client_ip\": \"10.155.105.73\"\ ,\n \"client_port\": 31890,\n \"query_hostname\": \"mail.example.org\",\n \"query_name\": \"mail.example.org\"\ diff --git a/pipelines/community/transform_ocsf/f5_networks_logs/metadata.yaml b/pipelines/community/transform_ocsf/f5_networks_logs/metadata.yaml index c20ec6f..2260391 100644 --- a/pipelines/community/transform_ocsf/f5_networks_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/f5_networks_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \"timestamp=2026-04-20T03:40:52.806301+00:00,hostname=f5-bigip-7,device_ip=193.212.102.47,module=ASM,event_type=XSS_ATTACK_DETECTED,severity=CRITICAL,facility=LOCAL0,priority=21,slot=1.2,tmm=3,virtual_server=vs_web_4,pool=pool_app_3,client_ip=11.5.143.204,server_ip=10.84.188.228,client_port=52965,server_port=8080,protocol=TCP,http_method=OPTIONS,uri=/login,user_agent=Mozilla/5.0\ \ (Windows NT 10.0; Win64; x64) AppleWebKit/537.36,attack_type=Cross-Site Scripting,signature_id=262889494,policy_name=asm_policy_1,violation_rating=1,request_status=alerted,support_id=5094746301607916,class_uid=4001,class_name=Network\ \ Activity,category_uid=4,category_name=Network Activity,activity_id=6,activity_name=Traffic,type_uid=400106,severity_id=5,status_id=2\"\ 
diff --git a/pipelines/community/transform_ocsf/forcepoint_forcepoint_logs/metadata.yaml b/pipelines/community/transform_ocsf/forcepoint_forcepoint_logs/metadata.yaml index 03ce326..d86f299 100644 --- a/pipelines/community/transform_ocsf/forcepoint_forcepoint_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/forcepoint_forcepoint_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \"2026-04-20T03:37:12.084+00:00 CEF:0|Forcepoint|NGFW|6.8.1|1004|Cross-Site\ \ Scripting|7|act=Permit app=SSH deviceDirection=0 rt=1776656232084 src=192.168.221.32 spt=63396 dst=172.24.219.188\ \ dpt=37440 proto=AH request=/content/v1/ requestMethod=PUT cs1=cloudflare.com/cdn cs1Label=URL cs2=Go-http-client/2.0\ diff --git a/pipelines/community/transform_ocsf/fortigate_logs/metadata.yaml b/pipelines/community/transform_ocsf/fortigate_logs/metadata.yaml index 8609721..f8a56a4 100644 --- a/pipelines/community/transform_ocsf/fortigate_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/fortigate_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \"devname=FortiGate-40F devid=FGT40FTK23099XSK logid=0001000014 identifier=3\ \ type=traffic subtype=local level=notice vd=root srcip=44.221.84.105 dstip=70.48.255.88 srcintf=wan\ \ srcintfrole=wan dstintf=root dstintfrole=undefined srccountry=Japan dstcountry=Canada sessionid=11109808\ diff --git a/pipelines/community/transform_ocsf/fortimanager_logs/metadata.yaml b/pipelines/community/transform_ocsf/fortimanager_logs/metadata.yaml index 6f2317f..9a7d778 100644 --- a/pipelines/community/transform_ocsf/fortimanager_logs/metadata.yaml 
+++ b/pipelines/community/transform_ocsf/fortimanager_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \"2026-04-20 03:40:52 FortiManager-15 FortiManager: user=admin ui=SSH\ \ action=logout status=failed reason='Session timeout' srcip=192.168.168.119\",\n \"timestamp\":\ \ \"2026-04-20T03:40:52.825394Z\",\n \"vendor\": \"Fortinet\",\n \"product\": \"FortiManager\",\n\ diff --git a/pipelines/community/transform_ocsf/fortinet_fortigate/metadata.yaml b/pipelines/community/transform_ocsf/fortinet_fortigate/metadata.yaml index f267173..3fd9fef 100644 --- a/pipelines/community/transform_ocsf/fortinet_fortigate/metadata.yaml +++ b/pipelines/community/transform_ocsf/fortinet_fortigate/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \"devname=FortiGate-40F devid=FGT40FTK23099XSK logid=0001000014 identifier=3\ \ type=traffic subtype=local level=notice vd=root srcip=44.221.84.105 dstip=70.48.255.88 srcintf=wan\ \ srcintfrole=wan dstintf=root dstintfrole=undefined srccountry=Japan dstcountry=Canada sessionid=11109808\ diff --git a/pipelines/community/transform_ocsf/fortinet_fortigate_candidate_logs/metadata.yaml b/pipelines/community/transform_ocsf/fortinet_fortigate_candidate_logs/metadata.yaml index fadce36..7f6b7f7 100644 --- a/pipelines/community/transform_ocsf/fortinet_fortigate_candidate_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/fortinet_fortigate_candidate_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \"devname=FortiGate-40F devid=FGT40FTK23099XSK logid=0001000014 identifier=3\ \ type=traffic subtype=local level=notice vd=root srcip=44.221.84.105 dstip=70.48.255.88 srcintf=wan\ \ srcintfrole=wan dstintf=root dstintfrole=undefined srccountry=Japan dstcountry=Canada sessionid=11109808\ diff --git a/pipelines/community/transform_ocsf/fortinet_logs/metadata.yaml b/pipelines/community/transform_ocsf/fortinet_logs/metadata.yaml index a20e292..8aa43e4 100644 --- a/pipelines/community/transform_ocsf/fortinet_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/fortinet_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \"devname=FortiGate-40F devid=FGT40FTK23099XSK logid=0001000014 identifier=3\ \ type=traffic subtype=local level=notice vd=root srcip=44.221.84.105 dstip=70.48.255.88 srcintf=wan\ \ srcintfrole=wan dstintf=root dstintfrole=undefined srccountry=Japan dstcountry=Canada sessionid=11109808\ diff --git a/pipelines/community/transform_ocsf/gcp_audit_logs/metadata.yaml b/pipelines/community/transform_ocsf/gcp_audit_logs/metadata.yaml index 25ebe20..8ff5000 100644 --- a/pipelines/community/transform_ocsf/gcp_audit_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/gcp_audit_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "OAuth" sample_record: "{\n \"kind\": \"admin#reports#activity\",\n \"id\": {\n \"time\": \"2026-04-20T03:32:52.967234+00:00\"\ ,\n \"uniqueQualifier\": \"4878542320735016189\",\n \"applicationName\": \"admin\",\n \"\ customerId\": \"C01NCC1701\"\n },\n \"etag\": \"\\\"d27c1b97272840a9b0d1738ada53d081\\\"\",\n \"\ diff --git a/pipelines/community/transform_ocsf/gcp_vpc_flow/metadata.yaml b/pipelines/community/transform_ocsf/gcp_vpc_flow/metadata.yaml index 17d01e8..614d602 100644 --- a/pipelines/community/transform_ocsf/gcp_vpc_flow/metadata.yaml +++ b/pipelines/community/transform_ocsf/gcp_vpc_flow/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "OAuth" sample_record: "{\n \"version\": \"2\",\n \"account_id\": \"553764420113\",\n \"interface_id\": \"\ eni-e2fcf5956b6b44d98\",\n \"srcaddr\": \"10.4.18.225\",\n \"dstaddr\": \"203.0.113.235\",\n \"\ srcport\": 25967,\n \"dstport\": 22,\n \"protocol\": 6,\n \"packets\": 331,\n \"bytes\": 29919,\n\ diff --git a/pipelines/community/transform_ocsf/generic_access_logs/metadata.yaml b/pipelines/community/transform_ocsf/generic_access_logs/metadata.yaml index 68a2ed8..2d1fedd 100644 --- a/pipelines/community/transform_ocsf/generic_access_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/generic_access_logs/metadata.yaml 
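Review bot: The `"API Call"`/`"OAuth"` lines pin gcp_audit_logs to a pull path, but the sample record (`kind: admin#reports#activity`, `applicationName: admin`, `customerId`) is a Google Workspace Admin SDK Reports entry — the same shape as the google_workspace_logs sample — not a GCP Cloud Audit Log, which arrives as a LogEntry with `protoPayload`, `logName` and `resource`. If this pipeline consumes Cloud Audit Logs, the usual path is a Logging sink to Pub/Sub or the Logging API under a service-account credential and the Lua mappings need a `protoPayload` sample; if it is really the Workspace Reports feed, the directory name misleads and the two pipelines are duplicates. Resolve which source this is before committing the ingest fields, and add a comment naming the minimum IAM role or OAuth scope the pull needs.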
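Review bot: `ingest_mode: "API Call"` / `auth_type: "OAuth"` on gcp_vpc_flow are attached to a sample that is not GCP-shaped: `version: "2"`, a 12-digit `account_id`, `interface_id: eni-…` and `srcaddr`/`dstaddr` are AWS VPC Flow Log v2 field names, whereas GCP VPC flow logs are LogEntry objects with `jsonPayload.connection.*` fields. Either the sample was copied from an AWS pipeline or the Lua mappings target AWS, in which case the ingest metadata would be an S3/SQS pull under an IAM credential rather than OAuth. Confirm which cloud this transform targets and align both the sample and these two lines; the `metadata_details` mapping starts above the hunk.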
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: generic web/access log; varies by deployment}" + auth_type: "N/A" sample_record: "(realistic sample not available \u2014 use empty {} for testing)" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings. diff --git a/pipelines/community/transform_ocsf/github_audit_logs/metadata.yaml b/pipelines/community/transform_ocsf/github_audit_logs/metadata.yaml index f8c35ea..ea1dda8 100644 --- a/pipelines/community/transform_ocsf/github_audit_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/github_audit_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "Bearer Token" sample_record: "{\n \"timestamp\": \"2026-04-19T05:01:52Z\",\n \"actor\": \"security-scanner\",\n\ \ \"org\": \"tech-startup\",\n \"repository\": \"tech-startup/org-settings\",\n \"action\": \"\ org.update_member\",\n \"outcome\": \"unknown\",\n \"description\": \"Organization tech-startup\ diff --git a/pipelines/community/transform_ocsf/google_cloud_dns_logs/metadata.yaml b/pipelines/community/transform_ocsf/google_cloud_dns_logs/metadata.yaml index 791d18f..addb535 100644 --- a/pipelines/community/transform_ocsf/google_cloud_dns_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/google_cloud_dns_logs/metadata.yaml 
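Review bot: `auth_type: "Bearer Token"` on the github_audit_logs hunk is correct but says nothing about scope, and audit-log tokens tend to be over-provisioned because an organization owner must issue them. Add the minimum next to it: `auth_type: "Bearer Token"  # PAT or app token with only the org audit-log read scope (read:audit_log); no repo or admin:org write scopes`. The token identifies an org owner, so it belongs in the collector's secret store, not in pipeline config.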
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "OAuth" sample_record: "{\n \"timestamp\": \"2026-04-19T20:44:52.830848+00:00Z\",\n \"insertId\": \"dns_8727507036194133\"\ ,\n \"resource\": {\n \"type\": \"gce_instance\",\n \"labels\": {\n \"project_id\": \"\ prod-web-123456\",\n \"instance_id\": \"8191962455090388534\",\n \"zone\": \"europe-west1-a\"\ diff --git a/pipelines/community/transform_ocsf/google_workspace_logs/metadata.yaml b/pipelines/community/transform_ocsf/google_workspace_logs/metadata.yaml index 11f5eaf..2a23898 100644 --- a/pipelines/community/transform_ocsf/google_workspace_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/google_workspace_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "OAuth" sample_record: "{\n \"kind\": \"admin#reports#activity\",\n \"id\": {\n \"time\": \"2026-04-20T03:38:52.910326+00:00\"\ ,\n \"uniqueQualifier\": \"6193158269834325158\",\n \"applicationName\": \"drive\",\n \"\ customerId\": \"C01NCC1701\"\n },\n \"etag\": \"\\\"ff756faf734e47b3abb4f69fcc7f1d15\\\"\",\n \"\ diff --git a/pipelines/community/transform_ocsf/haproxy_loadbalancer_logs/metadata.yaml b/pipelines/community/transform_ocsf/haproxy_loadbalancer_logs/metadata.yaml index 98425a1..0cf94be 100644 --- a/pipelines/community/transform_ocsf/haproxy_loadbalancer_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/haproxy_loadbalancer_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"type\": \"https\",\n \"time\": \"2026-04-20T03:40:53.097203Z\",\n \"alb\":\ \ \"corporate-alb-1\",\n \"client_ip\": \"192.168.10.200\",\n \"client_port\": 55828,\n \"backend_ip\"\ : \"10.0.0.102\",\n \"backend_port\": 8443,\n \"request_processing_time\": 0.047649,\n \"backend_processing_time\"\ diff --git a/pipelines/community/transform_ocsf/hashicorp_hcp_vault_logs/metadata.yaml b/pipelines/community/transform_ocsf/hashicorp_hcp_vault_logs/metadata.yaml index e3beb3b..3c3d60c 100644 --- a/pipelines/community/transform_ocsf/hashicorp_hcp_vault_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/hashicorp_hcp_vault_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "Bearer Token" sample_record: "{\n \"time\": \"2026-04-20T03:40:23.836066Z\",\n \"type\": \"response\",\n \"auth\"\ : {\n \"client_token\": \"hvs.ef6fdebc711945e6bb9fdc3668156e5f\",\n \"accessor\": \"acc_dce24dcee39a40b7\"\ ,\n \"display_name\": \"app-server-01\",\n \"policies\": [\n \"monitoring\"\n ],\n \ diff --git a/pipelines/community/transform_ocsf/iis_w3c/metadata.yaml b/pipelines/community/transform_ocsf/iis_w3c/metadata.yaml index 1c95164..37cb249 100644 --- a/pipelines/community/transform_ocsf/iis_w3c/metadata.yaml +++ b/pipelines/community/transform_ocsf/iis_w3c/metadata.yaml 
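Review bot: `ingest_mode: "Syslog"` on the haproxy_loadbalancer_logs hunk does not match the sample record, whose fields (`type: https`, `alb`, `request_processing_time`, `backend_processing_time`) follow the AWS ALB access-log layout rather than HAProxy's native HTTP log line. HAProxy does log to syslog, so the metadata may be right for the intended source and the sample wrong, or the Lua mappings may have been written against ALB data that arrives from S3. Confirm against the transform; if the sample is what the mappings exercise, `ingest_mode` should describe an S3/file pull and `auth_type` an IAM credential, not `"N/A"`.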
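Review bot: The sample record these ingest fields describe shows `client_token: "hvs.ef6f…"`, a raw-looking Vault service token; Vault audit devices HMAC `client_token` and `accessor` by default and emit `hmac-sha256:…`, so a transform exercised against a plaintext token either assumes hashing was disabled on the audit device or will not match real data. Replace the sample's token with the HMAC form and state the expectation beside the new lines: `auth_type: "Bearer Token"  # collector credential only; audit records are expected with client_token/accessor HMAC'd (Vault default), never raw`. I cannot tell from the diff whether HCP audit streaming is pulled with a bearer token or pushed to a configured destination, so confirm `ingest_mode` as well.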
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: agent-based file ingestion (W3C extended log format)}" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-19T22:31:52Z\",\n \"date\": \"2026-04-19\",\n \"time\"\ : \"22:31:52\",\n \"client_ip\": \"50.114.195.96\",\n \"username\": \"admin\",\n \"sitename\":\ \ \"api.contoso.com\",\n \"computername\": \"WEB02\",\n \"server_ip\": \"192.0.2.92\",\n \"server_port\"\ diff --git a/pipelines/community/transform_ocsf/imperva_waf_logs/metadata.yaml b/pipelines/community/transform_ocsf/imperva_waf_logs/metadata.yaml index da9a20b..265d292 100644 --- a/pipelines/community/transform_ocsf/imperva_waf_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/imperva_waf_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-19T16:05:52.845295+00:00\",\n \"eventId\": \"imp_2382007818\"\ ,\n \"clientIP\": \"108.255.195.205\",\n \"serverIP\": \"10.105.216.185\",\n \"httpMethod\": \"\ GET\",\n \"uri\": \"/admin/config.php\",\n \"userAgent\": \"curl/7.68.0\",\n \"referer\": \"https://example.com/\"\ diff --git a/pipelines/community/transform_ocsf/incapsula_incapsula_logs/metadata.yaml b/pipelines/community/transform_ocsf/incapsula_incapsula_logs/metadata.yaml index 984ccb7..b32cf29 100644 --- a/pipelines/community/transform_ocsf/incapsula_incapsula_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/incapsula_incapsula_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "API Key & Secret" sample_record: "{\n \"timestamp\": \"2026-04-20T01:19:53.112882+00:00\",\n \"log_id\": \"inc_6968672632\"\ ,\n \"account_id\": \"843279\",\n \"site_id\": \"82975751\",\n \"request_id\": \"8761827421665422\"\ ,\n \"client_ip\": \"187.40.132.184\",\n \"client_country\": \"IT\",\n \"client_country_code\"\ diff --git a/pipelines/community/transform_ocsf/infoblox_logs/metadata.yaml b/pipelines/community/transform_ocsf/infoblox_logs/metadata.yaml index 9278843..9254f36 100644 --- a/pipelines/community/transform_ocsf/infoblox_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/infoblox_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \"20-Apr-2026 03:40:53.222 infoblox-80 named[6886]: client 192.168.75.63#39479:\ \ query: example.com IN MX +E (10.0.10.3)\",\n \"timestamp\": \"2026-04-20T03:40:53.222593Z\",\n\ \ \"vendor\": \"Infoblox\",\n \"product\": \"DDI\",\n \"event_type\": \"DNS_QUERY\",\n \"service\"\ diff --git a/pipelines/community/transform_ocsf/inngate_gateway_logs/metadata.yaml b/pipelines/community/transform_ocsf/inngate_gateway_logs/metadata.yaml index 0178e89..efcb620 100644 --- a/pipelines/community/transform_ocsf/inngate_gateway_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/inngate_gateway_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: unknown vendor; assume generic syslog/file}" + auth_type: "N/A" sample_record: "(realistic sample not available \u2014 use empty {} for testing)" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings. diff --git a/pipelines/community/transform_ocsf/jruby_application_logs/metadata.yaml b/pipelines/community/transform_ocsf/jruby_application_logs/metadata.yaml index 0d0a2a7..a426bf6 100644 --- a/pipelines/community/transform_ocsf/jruby_application_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/jruby_application_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: file-based agent ingestion of application logs}" + auth_type: "N/A" sample_record: "(realistic sample not available \u2014 use empty {} for testing)" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings. diff --git a/pipelines/community/transform_ocsf/json_generic_logs/metadata.yaml b/pipelines/community/transform_ocsf/json_generic_logs/metadata.yaml index 9229258..efd6684 100644 --- a/pipelines/community/transform_ocsf/json_generic_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/json_generic_logs/metadata.yaml 
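Review bot: `ingest_mode: "Other - {Explain: unknown vendor; assume generic syslog/file}"` on the inngate_gateway_logs hunk commits a guess as metadata, and a reader cannot tell it apart from a verified value. If this refers to the ANTlabs InnGate guest-network gateway it can export syslog, but that should be confirmed rather than assumed, and until then the field should read as a TODO: `ingest_mode: "Other - {Explain: TODO confirm with source owner; expected syslog/file}"`. With no sample record available, nothing in this file lets a reviewer check the mapping, so the uncertainty should be explicit.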
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: generic JSON; varies by deployment}" + auth_type: "N/A" sample_record: "(realistic sample not available \u2014 use empty {} for testing)" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings. diff --git a/pipelines/community/transform_ocsf/json_nested_kv_logs/metadata.yaml b/pipelines/community/transform_ocsf/json_nested_kv_logs/metadata.yaml index fa4b21d..701f55f 100644 --- a/pipelines/community/transform_ocsf/json_nested_kv_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/json_nested_kv_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: generic nested-JSON / KV; varies}" + auth_type: "N/A" sample_record: "(realistic sample not available \u2014 use empty {} for testing)" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings. diff --git a/pipelines/community/transform_ocsf/juniper_logs/metadata.yaml b/pipelines/community/transform_ocsf/juniper_logs/metadata.yaml index 8701a1c..76aaf82 100644 --- a/pipelines/community/transform_ocsf/juniper_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/juniper_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-19T15:41:53.123963+00:00\",\n \"hostname\": \"srx-9\"\ ,\n \"device_type\": \"SRX\",\n \"device_ip\": \"109.152.148.91\",\n \"facility\": \"daemon\",\n\ \ \"severity\": \"error\",\n \"tag\": \"kmd\",\n \"process_name\": \"dcd\",\n \"process_id\":\ diff --git a/pipelines/community/transform_ocsf/leef_template_logs/metadata.yaml b/pipelines/community/transform_ocsf/leef_template_logs/metadata.yaml index f56805e..bcb0694 100644 --- a/pipelines/community/transform_ocsf/leef_template_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/leef_template_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "(realistic sample not available \u2014 use empty {} for testing)" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings. diff --git a/pipelines/community/transform_ocsf/linux_auth/metadata.yaml b/pipelines/community/transform_ocsf/linux_auth/metadata.yaml index 4beb176..7337fca 100644 --- a/pipelines/community/transform_ocsf/linux_auth/metadata.yaml +++ b/pipelines/community/transform_ocsf/linux_auth/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-19T09:35:52Z\",\n \"hostname\": \"web01\",\n \"facility\"\ : \"auth\",\n \"severity\": \"warning\",\n \"process_name\": \"su\",\n \"process_id\": 30423,\n\ \ \"username\": \"centos\",\n \"src_ip\": \"93.196.223.221\",\n \"src_port\": 36553,\n \"auth_method\"\ diff --git a/pipelines/community/transform_ocsf/log4shell_detection_logs/metadata.yaml b/pipelines/community/transform_ocsf/log4shell_detection_logs/metadata.yaml index bd4b4d0..24e67c9 100644 --- a/pipelines/community/transform_ocsf/log4shell_detection_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/log4shell_detection_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: detection-specific output; varies}" + auth_type: "N/A" sample_record: "{\n \"raw\": \"10.142.170.197 - - [20/Apr/2026:03:40:53 +0000] \\\"PUT /products HTTP/1.1\\\ \" 200 6956\"\n}" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events diff --git a/pipelines/community/transform_ocsf/m365_audit_logs/metadata.yaml b/pipelines/community/transform_ocsf/m365_audit_logs/metadata.yaml index 473afd4..e60c538 100644 --- a/pipelines/community/transform_ocsf/m365_audit_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/m365_audit_logs/metadata.yaml 
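Review bot: `ingest_mode: "Other - {Explain: detection-specific output; varies}"` on the log4shell_detection_logs hunk does not describe the sample record, which is an ordinary Common Log Format access line (`10.142.170.197 - - [20/Apr/2026:…] "PUT /products HTTP/1.1" 200 6956`) — the same input generic_access_logs consumes. If the detection is performed by the Lua mapping on the request line rather than by the source, say so and name the real transport: `ingest_mode: "Other - {Explain: web-server access log via syslog/file agent; Log4Shell pattern matching happens in the transform}"`. If that is the design, the pipeline docs should also state which encodings the mapping normalizes, since JNDI lookup strings are commonly URL-encoded or nested (`${${lower:j}ndi:…}`) and that bounds what the detection can claim.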
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "OAuth" sample_record: "{\n \"id\": \"1adb9476-8624-4ea2-a494-b8410823ce41\",\n \"azureSubscriptionId\": \"\ f988569b-80ef-4275-9c88-ddfa3ca612c9\",\n \"azureTenantId\": \"fb54f81f-6cf4-4e13-8625-ce8e66808fd1\"\ ,\n \"activityGroupName\": \"Suspicious SharePoint file activity\",\n \"assignedTo\": \"soc_analyst\"\ diff --git a/pipelines/community/transform_ocsf/mail_server_logs/metadata.yaml b/pipelines/community/transform_ocsf/mail_server_logs/metadata.yaml index cb3a741..ff7b3a9 100644 --- a/pipelines/community/transform_ocsf/mail_server_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/mail_server_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: generic mail server (postfix=syslog, others=file)}" + auth_type: "N/A" sample_record: "{\n \"GUID\": \"115dda27-45c9-427b-8900-89894e9f7927\",\n \"QID\": \"Q368233\",\n\ \ \"id\": \"ae1de9b1-923d-4ca0-bbda-92ccc32734ae\",\n \"messageID\": \"<872dea14-8a15-4202-b47b-c5d39f4de5b2@enterprise.starfleet>\"\ ,\n \"messageTime\": \"2026-04-20T03:36:32.127Z\",\n \"messageSize\": 500297,\n \"subject\": \"\ diff --git a/pipelines/community/transform_ocsf/managedengine_ad_audit_plus/metadata.yaml b/pipelines/community/transform_ocsf/managedengine_ad_audit_plus/metadata.yaml index 7e2bdd1..f5a90f2 100644 --- a/pipelines/community/transform_ocsf/managedengine_ad_audit_plus/metadata.yaml +++ b/pipelines/community/transform_ocsf/managedengine_ad_audit_plus/metadata.yaml 
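Review bot: The `"API Call"`/`"OAuth"` lines on m365_audit_logs describe a source whose sample record (`azureTenantId`, `azureSubscriptionId`, `activityGroupName`, `assignedTo`) looks like a Microsoft Graph Security alert, not a Microsoft 365 Unified Audit Log record from the Office 365 Management Activity API (`Workload`, `Operation`, `UserId`, `RecordType`). The OAuth flow is the same but the application permission is not, so document which one the pull needs: `auth_type: "OAuth"  # client-credentials; grant only ActivityFeed.Read (Management Activity) or SecurityEvents.Read.All (Graph Security), per the actual source`. Confirm the source so the sample and the metadata agree.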
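Review bot: The explanation `generic mail server (postfix=syslog, others=file)` on the mail_server_logs hunk does not fit the sample record, whose `GUID`, `QID`, `messageID`, `messageTime` and `messageSize` fields resemble a Proofpoint-style message event rather than a Postfix syslog line. If the Lua mappings are written against that JSON, the ingest mode is an API or webhook feed with its own credential and `auth_type: "N/A"` is wrong; if they target Postfix, the sample should be a syslog line. Align the two before committing the ingest fields.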
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-20T03:40:52.852521Z\",\n \"vendor\": \"Manageengine\"\ ,\n \"product\": \"Adauditplus Logs\",\n \"version\": \"1.0\",\n \"event_type\": \"security_event\"\ ,\n \"message\": \"Sample Manageengine Adauditplus Logs event at 2026-04-20T03:40:52.852521Z\",\n\ diff --git a/pipelines/community/transform_ocsf/manageengine_adauditplus_logs/metadata.yaml b/pipelines/community/transform_ocsf/manageengine_adauditplus_logs/metadata.yaml index 95907aa..bdd5e6b 100644 --- a/pipelines/community/transform_ocsf/manageengine_adauditplus_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/manageengine_adauditplus_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-20T03:40:52.853419Z\",\n \"vendor\": \"Manageengine\"\ ,\n \"product\": \"Adauditplus Logs\",\n \"version\": \"1.0\",\n \"event_type\": \"security_event\"\ ,\n \"message\": \"Sample Manageengine Adauditplus Logs event at 2026-04-20T03:40:52.853419Z\",\n\ diff --git a/pipelines/community/transform_ocsf/manageengine_general_logs/metadata.yaml b/pipelines/community/transform_ocsf/manageengine_general_logs/metadata.yaml index 5201a22..fc051d5 100644 --- a/pipelines/community/transform_ocsf/manageengine_general_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/manageengine_general_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-19T09:38:52.858366+00:00\",\n \"event_id\": \"ME-218871\"\ ,\n \"product\": \"ADSelfService Plus\",\n \"event_category\": \"USER_MANAGEMENT\",\n \"action\"\ : \"ACCOUNT_UNLOCKED\",\n \"severity\": \"INFO\",\n \"description\": \"Account Unlocked event occurred\"\ diff --git a/pipelines/community/transform_ocsf/meraki_logs/metadata.yaml b/pipelines/community/transform_ocsf/meraki_logs/metadata.yaml index 5f6f08a..d79533d 100644 --- a/pipelines/community/transform_ocsf/meraki_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/meraki_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-20T03:40:53.133310Z\",\n \"vendor\": \"Cisco\",\n \"\ product\": \"Meraki Flow Logs\",\n \"version\": \"1.0\",\n \"event_type\": \"security_event\",\n\ \ \"message\": \"Sample Cisco Meraki Flow Logs event at 2026-04-20T03:40:53.133310Z\",\n \"severity\"\ diff --git a/pipelines/community/transform_ocsf/microservice_tracing_logs/metadata.yaml b/pipelines/community/transform_ocsf/microservice_tracing_logs/metadata.yaml index 4d7db86..03b4d3c 100644 --- a/pipelines/community/transform_ocsf/microservice_tracing_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/microservice_tracing_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: distributed tracing; varies (OTLP, HEC, file)}" + auth_type: "N/A" sample_record: "{\n \"raw\": \"10.187.153.143 - - [20/Apr/2026:03:40:53 +0000] \\\"GET /product?id=123\ \ HTTP/1.1\\\" 200 3212\"\n}" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events diff --git a/pipelines/community/transform_ocsf/microsoft_365/metadata.yaml b/pipelines/community/transform_ocsf/microsoft_365/metadata.yaml index 349748a..642c3ce 100644 --- a/pipelines/community/transform_ocsf/microsoft_365/metadata.yaml +++ b/pipelines/community/transform_ocsf/microsoft_365/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "OAuth" sample_record: "{\n \"id\": \"cb1628d2-7c07-4435-9f4e-87fd44024d05\",\n \"azureSubscriptionId\": \"\ 6deb1e8b-896d-484a-a649-aeb6aebfeaf9\",\n \"azureTenantId\": \"8c7e1716-01d8-4aeb-ac89-c691e8957e6f\"\ ,\n \"activityGroupName\": \"Suspicious email forwarding\",\n \"assignedTo\": \"unassigned\",\n\ diff --git a/pipelines/community/transform_ocsf/microsoft_365_mgmt_api_logs/metadata.yaml b/pipelines/community/transform_ocsf/microsoft_365_mgmt_api_logs/metadata.yaml index bd0af23..48915d3 100644 --- a/pipelines/community/transform_ocsf/microsoft_365_mgmt_api_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/microsoft_365_mgmt_api_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "OAuth" sample_record: "{\n \"id\": \"d15d200c-cd0b-4c50-bf85-bd5fbcb96282\",\n \"azureSubscriptionId\": \"\ 3dfb1dbb-9d1b-4d63-bf46-b9623108eb33\",\n \"azureTenantId\": \"843fbd74-0736-4324-94ba-6668a58f1b09\"\ ,\n \"activityGroupName\": \"Anomalous file share activities\",\n \"assignedTo\": \"unassigned\"\ diff --git a/pipelines/community/transform_ocsf/microsoft_activedirectory_logs/metadata.yaml b/pipelines/community/transform_ocsf/microsoft_activedirectory_logs/metadata.yaml index 4be430d..0b7f8d7 100644 --- a/pipelines/community/transform_ocsf/microsoft_activedirectory_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/microsoft_activedirectory_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: agent-based collection (Windows Event Forwarding / Winlogbeat)}" + auth_type: "N/A" sample_record: "{\n \"activityDateTime\": \"2026-04-20T00:28:00+00:00\",\n \"correlationId\": \"d3da5820-47fd-4403-8974-ffa4b5ca45b4\"\ ,\n \"id\": \"2f5193d6-6c4b-422b-8b28-956eba098215\",\n \"initiatedBy\": {},\n \"targetResources\"\ : []\n}" diff --git a/pipelines/community/transform_ocsf/microsoft_defender_for_cloud/metadata.yaml b/pipelines/community/transform_ocsf/microsoft_defender_for_cloud/metadata.yaml index 89b95f2..0f25106 100644 --- a/pipelines/community/transform_ocsf/microsoft_defender_for_cloud/metadata.yaml +++ b/pipelines/community/transform_ocsf/microsoft_defender_for_cloud/metadata.yaml 
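Review bot: `ingest_mode` in the microsoft_activedirectory_logs hunk describes agent-based Windows Event Forwarding / Winlogbeat collection with `auth_type: "N/A"`, but the `sample_record` three lines below carries `activityDateTime`, `correlationId`, `initiatedBy` and `targetResources`, which is the shape of a cloud directory-audit record retrieved over an API rather than a forwarded Windows event. If the sample reflects what the Lua mappings actually expect, the new fields should say so — for instance `ingest_mode: "API Call"` and `auth_type: "OAuth"`, matching the microsoft_entra_logs hunk on the next line — or the sample should be replaced with a Windows event. As written, the two halves of the metadata disagree about how the data arrives and which credential an operator has to provision.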
@@ -13,6 +13,8 @@ metadata_details: format: json ocsf_version: 1.3.0 ingestion_method: "Observo OCSFSerializer (Lua-based transform)" + ingest_mode: "API Call" + auth_type: "OAuth" ocsf_mapping: class_uid: 2004 class_name: "Detection Finding" diff --git a/pipelines/community/transform_ocsf/microsoft_entra_logs/metadata.yaml b/pipelines/community/transform_ocsf/microsoft_entra_logs/metadata.yaml index c1ffc31..740331b 100644 --- a/pipelines/community/transform_ocsf/microsoft_entra_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/microsoft_entra_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "OAuth" sample_record: "{\n \"records\": [\n {\n \"time\": \"2026-04-20T03:40:52.922656Z\",\n \ \ \"resourceId\": \"/tenants/10971e92-a42a-434d-b233-88301f11c1cd/providers/Microsoft.aadiam\",\n\ \ \"operationName\": \"Sign-in activity\",\n \"operationVersion\": \"1.0\",\n \"category\"\ diff --git a/pipelines/community/transform_ocsf/microsoft_eventhub_azure_signin_logs/metadata.yaml b/pipelines/community/transform_ocsf/microsoft_eventhub_azure_signin_logs/metadata.yaml index 7d5883d..3897bd8 100644 --- a/pipelines/community/transform_ocsf/microsoft_eventhub_azure_signin_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/microsoft_eventhub_azure_signin_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: Azure Event Hub stream (AMQP/Kafka protocol)}" + auth_type: "OAuth" sample_record: "{\n \"timestamp\": \"2026-04-20T03:40:52.863882Z\",\n \"vendor\": \"Microsoft\",\n\ \ \"product\": \"Eventhub Azure Signin Logs\",\n \"version\": \"1.0\",\n \"event_type\": \"security_event\"\ ,\n \"message\": \"Sample Microsoft Eventhub Azure Signin Logs event at 2026-04-20T03:40:52.863882Z\"\ diff --git a/pipelines/community/transform_ocsf/microsoft_eventhub_defender_email_logs/metadata.yaml b/pipelines/community/transform_ocsf/microsoft_eventhub_defender_email_logs/metadata.yaml index 6fd5990..a8cf6f3 100644 --- a/pipelines/community/transform_ocsf/microsoft_eventhub_defender_email_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/microsoft_eventhub_defender_email_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: Azure Event Hub stream (AMQP/Kafka protocol)}" + auth_type: "OAuth" sample_record: "{\n \"timestamp\": \"2026-04-20T03:40:52.867055Z\",\n \"vendor\": \"Microsoft\",\n\ \ \"product\": \"Eventhub Defender Email Logs\",\n \"version\": \"1.0\",\n \"event_type\": \"security_event\"\ ,\n \"message\": \"Sample Microsoft Eventhub Defender Email Logs event at 2026-04-20T03:40:52.867055Z\"\ diff --git a/pipelines/community/transform_ocsf/microsoft_eventhub_defender_emailforcloud_logs/metadata.yaml b/pipelines/community/transform_ocsf/microsoft_eventhub_defender_emailforcloud_logs/metadata.yaml index da6e704..5e1f2dc 100644 --- a/pipelines/community/transform_ocsf/microsoft_eventhub_defender_emailforcloud_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/microsoft_eventhub_defender_emailforcloud_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: Azure Event Hub stream (AMQP/Kafka protocol)}" + auth_type: "OAuth" sample_record: "{\n \"timestamp\": \"2026-04-20T03:40:52.867901Z\",\n \"vendor\": \"Microsoft\",\n\ \ \"product\": \"Eventhub Defender Emailforcloud Logs\",\n \"version\": \"1.0\",\n \"event_type\"\ : \"security_event\",\n \"message\": \"Sample Microsoft Eventhub Defender Emailforcloud Logs event\ diff --git a/pipelines/community/transform_ocsf/mimecast_mimecast_logs/metadata.yaml b/pipelines/community/transform_ocsf/mimecast_mimecast_logs/metadata.yaml index ff7b7d5..7130a2d 100644 --- a/pipelines/community/transform_ocsf/mimecast_mimecast_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/mimecast_mimecast_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "API Key & Secret" sample_record: "{\n \"identifier\": \"TTP Impersonation Protection\",\n \"mimecastEvent\": {\n \ \ \"date\": \"2026-04-20T03:40:53+0000\",\n \"senderAddress\": \"CEO \"\ ,\n \"recipientAddress\": \"nyota.uhura@business.com\",\n \"subject\": \"CEO: Quick question\"\ diff --git a/pipelines/community/transform_ocsf/netskope/metadata.yaml b/pipelines/community/transform_ocsf/netskope/metadata.yaml index b52d947..fc814dd 100644 --- a/pipelines/community/transform_ocsf/netskope/metadata.yaml +++ b/pipelines/community/transform_ocsf/netskope/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "Bearer Token" sample_record: "{\n \"_id\": \"14957026-b22e-4586-a6a6-67b54bae26ef\",\n \"_event_id\": \"9225623\"\ ,\n \"_category_id\": 1996,\n \"_category_tags\": [\n \"page\",\n \"social_networking\"\n\ \ ],\n \"_correlation_id\": \"52b690c6-82d0-45cb-81af-2635435a1813\",\n \"_detection_name\": \"\ diff --git a/pipelines/community/transform_ocsf/nginx_error_logs/metadata.yaml b/pipelines/community/transform_ocsf/nginx_error_logs/metadata.yaml index e22bdaa..ad4ae65 100644 --- a/pipelines/community/transform_ocsf/nginx_error_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/nginx_error_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: file-based agent ingestion (nginx error.log)}" + auth_type: "N/A" sample_record: "(realistic sample not available \u2014 use empty {} for testing)" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings. diff --git a/pipelines/community/transform_ocsf/nginx_kvlog_logs/metadata.yaml b/pipelines/community/transform_ocsf/nginx_kvlog_logs/metadata.yaml index aae09a5..d7fffcf 100644 --- a/pipelines/community/transform_ocsf/nginx_kvlog_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/nginx_kvlog_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: file-based agent ingestion (nginx access.log)}" + auth_type: "N/A" sample_record: "(realistic sample not available \u2014 use empty {} for testing)" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings. diff --git a/pipelines/community/transform_ocsf/okta/metadata.yaml b/pipelines/community/transform_ocsf/okta/metadata.yaml index 388556b..617525c 100644 --- a/pipelines/community/transform_ocsf/okta/metadata.yaml +++ b/pipelines/community/transform_ocsf/okta/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "API Key & Secret" sample_record: "{\n \"actor\": {\n \"id\": \"00u4729hjsVRU197Y5d7\",\n \"type\": \"User\",\n\ \ \"alternateId\": \"pnnpydhb@example.com\",\n \"displayName\": \"Pnnpydhb\",\n \"detailEntry\"\ : null\n },\n \"client\": {\n \"userAgent\": {\n \"rawUserAgent\": \"Mozilla/5.0 (X11; Linux\ diff --git a/pipelines/community/transform_ocsf/okta_logs/metadata.yaml b/pipelines/community/transform_ocsf/okta_logs/metadata.yaml index ce3b400..a0596f1 100644 --- a/pipelines/community/transform_ocsf/okta_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/okta_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "API Key & Secret" sample_record: "{\n \"actor\": {\n \"id\": \"00u9823hjkLMN456P7q8\",\n \"type\": \"User\",\n\ \ \"alternateId\": \"wgxxzxgs@example.com\",\n \"displayName\": \"Wgxxzxgs\",\n \"detailEntry\"\ : null\n },\n \"client\": {\n \"userAgent\": {\n \"rawUserAgent\": \"Mozilla/5.0 (iPhone;\ diff --git a/pipelines/community/transform_ocsf/okta_ocsf_logs/metadata.yaml b/pipelines/community/transform_ocsf/okta_ocsf_logs/metadata.yaml index b7dbb70..82d105a 100644 --- a/pipelines/community/transform_ocsf/okta_ocsf_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/okta_ocsf_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "API Key & Secret" sample_record: "{\n \"actor\": {\n \"id\": \"00u9823hjkLMN456P7q8\",\n \"type\": \"User\",\n\ \ \"alternateId\": \"ekvchlpb@example.com\",\n \"displayName\": \"Ekvchlpb\",\n \"detailEntry\"\ : null\n },\n \"client\": {\n \"userAgent\": {\n \"rawUserAgent\": \"Mozilla/5.0 (iPhone;\ diff --git a/pipelines/community/transform_ocsf/paloalto_alternate_logs/metadata.yaml b/pipelines/community/transform_ocsf/paloalto_alternate_logs/metadata.yaml index 89b9cfc..0b4a7e8 100644 --- a/pipelines/community/transform_ocsf/paloalto_alternate_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/paloalto_alternate_logs/metadata.yaml 
@@ -19,6 +19,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \",2026/04/20 03:40:53,691730434167825,TRAFFIC,deny,,2026/04/20 03:37:07,10.179.150.164,198.29.82.93,10.179.150.164,198.29.82.93,block-default,corp\\\ \\amanda.peterson,,dns,vsys1,trust,dmz,ethernet1/7,ethernet1/4,FORWARD,,538008,1,23369,21,23369,21,0x0,tcp,deny,969,653,316,1,2026/04/20\ \ 03:37:07,37,networking,,873468,0x0,DE,DE,,0,0,tcp-fin,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\"\ diff --git a/pipelines/community/transform_ocsf/paloalto_logs/metadata.yaml b/pipelines/community/transform_ocsf/paloalto_logs/metadata.yaml index 0944f89..6268baa 100644 --- a/pipelines/community/transform_ocsf/paloalto_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/paloalto_logs/metadata.yaml @@ -18,6 +18,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \",2026/04/20 03:40:53,864807510225175,TRAFFIC,deny,,2026/04/20 03:39:26,111.25.68.217,192.168.193.61,111.25.68.217,192.168.193.61,block-malware,corp\\\ \\dennis.campbell,,unknown-tcp,vsys1,external,guest,ethernet1/4,ethernet1/8,FORWARD,,635306,1,1380,25,1380,25,0x0,udp,deny,674,303,371,8,2026/04/20\ \ 03:39:26,16,networking,,855183,0x0,CN,CN,,4,3,tcp-rst,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\"\ diff --git a/pipelines/community/transform_ocsf/paloalto_vpn_logs/metadata.yaml b/pipelines/community/transform_ocsf/paloalto_vpn_logs/metadata.yaml index 8293264..23e667f 100644 --- a/pipelines/community/transform_ocsf/paloalto_vpn_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/paloalto_vpn_logs/metadata.yaml 
@@ -16,6 +16,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \",2026/04/20 03:40:53,735337944354878,TRAFFIC,end,,2026/04/20 03:36:43,172.22.126.110,202.100.77.40,172.22.126.110,202.100.77.40,allow-smtp,corp\\\ \\sarah.price,,smtp,vsys1,trust,untrust,ethernet1/3,ethernet1/8,FORWARD,,294077,1,33435,21,33435,21,0x0,udp,allow,9012185,4055086,4957099,8959,2026/04/20\ \ 03:36:43,77,internet-communications,,481829,0x0,FR,,,5375,3583,aged-out,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\"\ diff --git a/pipelines/community/transform_ocsf/pfsense_firewall_logs/metadata.yaml b/pipelines/community/transform_ocsf/pfsense_firewall_logs/metadata.yaml index 0885e1a..46c874d 100644 --- a/pipelines/community/transform_ocsf/pfsense_firewall_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/pfsense_firewall_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"timestamp\": \"2026-04-20T03:33:53Z\",\n \"userName\": \"jordy.laforge@starfleet.corp\"\ ,\n \"sourceIp\": \"121.154.250.14\",\n \"deviceId\": \"ENTERPRISE-BRIDGE-01\",\n \"query\": \"\ vulcan-academy.org\",\n \"queryType\": \"CNAME\",\n \"responseCode\": \"NOERROR\",\n \"answer\"\ diff --git a/pipelines/community/transform_ocsf/proofpoint/metadata.yaml b/pipelines/community/transform_ocsf/proofpoint/metadata.yaml index 242cda1..e7baa59 100644 --- a/pipelines/community/transform_ocsf/proofpoint/metadata.yaml +++ b/pipelines/community/transform_ocsf/proofpoint/metadata.yaml 
@@ -13,6 +13,8 @@ metadata_details:
 format: json
 ocsf_version: 1.3.0
 ingestion_method: "Observo OCSFSerializer (Lua-based transform)"
+ ingest_mode: "API Call"
+ auth_type: "API Key & Secret"
 ocsf_mapping:
 class_uid: 2004
 class_name: "Detection Finding"
diff --git a/pipelines/community/transform_ocsf/rubrik_backup_logs/metadata.yaml b/pipelines/community/transform_ocsf/rubrik_backup_logs/metadata.yaml
index 4822eb7..f5c874e 100644
--- a/pipelines/community/transform_ocsf/rubrik_backup_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/rubrik_backup_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "API Call"
+ auth_type: "API Key & Secret"
 sample_record: "(realistic sample not available \u2014 use empty {} for testing)"
 dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events
 must match the field layout exercised by the Lua mappings.
diff --git a/pipelines/community/transform_ocsf/sample_test_logs/metadata.yaml b/pipelines/community/transform_ocsf/sample_test_logs/metadata.yaml
index db24e8d..4a2abbf 100644
--- a/pipelines/community/transform_ocsf/sample_test_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/sample_test_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "Other - {Explain: test fixture; not a real source}"
+ auth_type: "N/A"
 sample_record: "(realistic sample not available \u2014 use empty {} for testing)"
 dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events
 must match the field layout exercised by the Lua mappings.
diff --git a/pipelines/community/transform_ocsf/singularityidentity_singularityidentity_logs/metadata.yaml b/pipelines/community/transform_ocsf/singularityidentity_singularityidentity_logs/metadata.yaml index dd66111..9473569 100644 --- a/pipelines/community/transform_ocsf/singularityidentity_singularityidentity_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/singularityidentity_singularityidentity_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "Bearer Token" sample_record: "{\n \"event.id\": \"022b19fe-cddf-4fb9-876a-1145d9946c08\",\n \"event.time\": 1776611693170,\n\ \ \"event.category\": \"Authentication\",\n \"event.type\": \"Failed Login\",\n \"event.login.type\"\ : \"NetworkCleartext\",\n \"event.login.userName\": \"svc_backup\",\n \"event.login.loginIsSuccessful\"\ diff --git a/pipelines/community/transform_ocsf/snyk/metadata.yaml b/pipelines/community/transform_ocsf/snyk/metadata.yaml index d375a66..6e18e3f 100644 --- a/pipelines/community/transform_ocsf/snyk/metadata.yaml +++ b/pipelines/community/transform_ocsf/snyk/metadata.yaml @@ -13,6 +13,8 @@ metadata_details: format: json ocsf_version: 1.3.0 ingestion_method: "Observo OCSFSerializer (Lua-based transform)" + ingest_mode: "API Call" + auth_type: "Bearer Token" ocsf_mapping: class_uid: 2002 class_name: "Vulnerability Finding" diff --git a/pipelines/community/transform_ocsf/sonicwall_firewall_logs/metadata.yaml b/pipelines/community/transform_ocsf/sonicwall_firewall_logs/metadata.yaml index d2cc355..bc93715 100644 --- a/pipelines/community/transform_ocsf/sonicwall_firewall_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/sonicwall_firewall_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"datetime\": \"2026-04-20T03:37:53.173316+00:00\",\n \"user\": [\n \"user58@company.com\"\ \n ],\n \"department\": \"IT\",\n \"locationname\": \"San Jose\",\n \"cdport\": 143,\n \"csport\"\ : 51333,\n \"sdport\": \"0\",\n \"ssport\": \"0\",\n \"csip\": \"10.71.221.162\",\n \"cdip\":\ diff --git a/pipelines/community/transform_ocsf/spam_detection_logs/metadata.yaml b/pipelines/community/transform_ocsf/spam_detection_logs/metadata.yaml index abb2b0b..35a42cd 100644 --- a/pipelines/community/transform_ocsf/spam_detection_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/spam_detection_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: detection-specific output; varies}" + auth_type: "N/A" sample_record: "{\n \"GUID\": \"30098147-26c9-444f-9f39-51e7a1790fe1\",\n \"QID\": \"Q688630\",\n\ \ \"id\": \"7de16791-edde-4eca-88ef-df50156b1e9a\",\n \"messageID\": \"\"\ ,\n \"messageTime\": \"2026-04-20T03:40:39.175Z\",\n \"messageSize\": 627750,\n \"subject\": \"\ diff --git a/pipelines/community/transform_ocsf/sql_database_logs/metadata.yaml b/pipelines/community/transform_ocsf/sql_database_logs/metadata.yaml index f24ce1c..8ed2696 100644 --- a/pipelines/community/transform_ocsf/sql_database_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/sql_database_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Other - {Explain: file-based agent or direct query; varies by DBMS}" + auth_type: "N/A" sample_record: "{\n \"raw\": \"An account was successfully logged on.\\\\r\\\\n\\\\r\\\\nSubject:\\\ \\r\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-5-21-4285566019-1825441702-8592822878-3306\\\\r\\\\n\\\\tAccount\ \ Name:\\\\t\\\\tjean.picard\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\tSTARFLEET\\\\r\\\\n\\\\tLogon\ diff --git a/pipelines/community/transform_ocsf/squid_proxy_logs/metadata.yaml b/pipelines/community/transform_ocsf/squid_proxy_logs/metadata.yaml index 8c84839..cdc4d93 100644 --- a/pipelines/community/transform_ocsf/squid_proxy_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/squid_proxy_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "(realistic sample not available \u2014 use empty {} for testing)" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings. diff --git a/pipelines/community/transform_ocsf/syslog_space_delimited_logs/metadata.yaml b/pipelines/community/transform_ocsf/syslog_space_delimited_logs/metadata.yaml index fe01cef..7ed6419 100644 --- a/pipelines/community/transform_ocsf/syslog_space_delimited_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/syslog_space_delimited_logs/metadata.yaml 
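Review bot: `auth_type: "N/A"` in the sql_database_logs hunk contradicts its own `ingest_mode`, which names "direct query" as one collection path — querying a DBMS audit table requires a database credential, so `N/A` only holds for the file-based path. The vpc_logs hunk later in this diff has the same defect more sharply: its explanation lists `AWS=S3/IAM, GCP=API/OAuth, Azure=Storage/OAuth` and then declares `auth_type: "N/A"`. Since `auth_type` is presumably what an operator reads to know which secret to provision and rotate, record the credential that applies instead of `N/A`, for instance (constructed wording) `auth_type: "Other - DB credentials for direct query; N/A for file-based"` here and `auth_type: "Other - IAM role (AWS) / OAuth (GCP, Azure)"` for vpc_logs, or split the metadata per provider so each entry has a single unambiguous mode and credential.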
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "(realistic sample not available \u2014 use empty {} for testing)" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings. diff --git a/pipelines/community/transform_ocsf/tailscale_tailscale_logs/metadata.yaml b/pipelines/community/transform_ocsf/tailscale_tailscale_logs/metadata.yaml index 0344604..b5b9059 100644 --- a/pipelines/community/transform_ocsf/tailscale_tailscale_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/tailscale_tailscale_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "Bearer Token" sample_record: "{\n \"exitTraffic\": true,\n \"nodeId\": \"n07b6f0466aab42efCNTRL\",\n \"physicalTraffic\"\ : {\n \"src\": \"13.148.174.68\",\n \"dst\": \"207.253.172.89\"\n },\n \"subnetTraffic\":\ \ {\n \"src\": \"100.97.127.156\",\n \"dst\": \"196.221.15.113\"\n },\n \"proto\": 6,\n \"\ diff --git a/pipelines/community/transform_ocsf/teleport_logs/metadata.yaml b/pipelines/community/transform_ocsf/teleport_logs/metadata.yaml index 0607c70..73f2097 100644 --- a/pipelines/community/transform_ocsf/teleport_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/teleport_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "API Call" + auth_type: "Bearer Token" sample_record: "{\n \"event\": \"role.deleted\",\n \"uid\": \"e7d2d159-644e-4b21-81dd-d513007b2436\"\ ,\n \"time\": \"2026-04-20T02:49:52.871481+00:00Z\",\n \"user\": \"alice\",\n \"cluster_name\"\ : \"teleport.company.com\",\n \"metadata\": {\n \"origin\": \"cli\",\n \"session_id\": \"7637dfbf-7133-4d45-95e2-a2323822fcb9\"\ diff --git a/pipelines/community/transform_ocsf/tenable_vulnerability_management_audit_logging/metadata.yaml b/pipelines/community/transform_ocsf/tenable_vulnerability_management_audit_logging/metadata.yaml index cc82af3..a797e17 100644 --- a/pipelines/community/transform_ocsf/tenable_vulnerability_management_audit_logging/metadata.yaml +++ b/pipelines/community/transform_ocsf/tenable_vulnerability_management_audit_logging/metadata.yaml @@ -13,6 +13,8 @@ metadata_details: format: json ocsf_version: 1.3.0 ingestion_method: "Observo OCSFSerializer (Lua-based transform)" + ingest_mode: "API Call" + auth_type: "API Key & Secret" ocsf_mapping: class_uid: 2002 class_name: "Vulnerability Finding" diff --git a/pipelines/community/transform_ocsf/ufw_firewall_logs/metadata.yaml b/pipelines/community/transform_ocsf/ufw_firewall_logs/metadata.yaml index d694a17..d49ba5d 100644 --- a/pipelines/community/transform_ocsf/ufw_firewall_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/ufw_firewall_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "(realistic sample not available \u2014 use empty {} for testing)" dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings. diff --git a/pipelines/community/transform_ocsf/vcenter_logs/metadata.yaml b/pipelines/community/transform_ocsf/vcenter_logs/metadata.yaml index ac707de..ec690cb 100644 --- a/pipelines/community/transform_ocsf/vcenter_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/vcenter_logs/metadata.yaml @@ -14,6 +14,8 @@ metadata_details: format: source-specific JSON/KV/syslog ocsf_version: 1.3.0 ingestion_method: Observo OCSFSerializer (Lua-based transform) + ingest_mode: "Syslog" + auth_type: "N/A" sample_record: "{\n \"raw\": \"[event-90034] [1] [2026-04-20T03:40:53.196528+00:00Z] [UserLoginSessionEvent]\ \ [warning] [service-account@vsphere.local] [prod-db-01] [4923034] [User logged in on host esx01.corp.local]\"\ \n}" diff --git a/pipelines/community/transform_ocsf/vectra_ai_logs/metadata.yaml b/pipelines/community/transform_ocsf/vectra_ai_logs/metadata.yaml index 30d4928..319c4b7 100644 --- a/pipelines/community/transform_ocsf/vectra_ai_logs/metadata.yaml +++ b/pipelines/community/transform_ocsf/vectra_ai_logs/metadata.yaml 
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "API Call"
+ auth_type: "API Key & Secret"
 sample_record: "{\n \"raw\": \"<134>Apr 20 03:36:35 vectra-brain vectra_json_health -: {\\\"version\\\
 \":\\\"v3.3\\\",\\\"category\\\":\\\"health\\\",\\\"health_status\\\":\\\"critical\\\",\\\"cpu_usage\\\
 \":90,\\\"memory_usage\\\":38,\\\"disk_usage\\\":60,\\\"capture_rate\\\":0.9512391732822396,\\\"active_hosts\\\
diff --git a/pipelines/community/transform_ocsf/vmware_vcenter_logs/metadata.yaml b/pipelines/community/transform_ocsf/vmware_vcenter_logs/metadata.yaml
index 4c11d87..1942f43 100644
--- a/pipelines/community/transform_ocsf/vmware_vcenter_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/vmware_vcenter_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "Syslog"
+ auth_type: "N/A"
 sample_record: "{\n \"raw\": \"[event-60626] [1] [2026-04-20T03:40:52.883706+00:00Z] [VmClonedEvent]\
 \ [info] [Administrator@vsphere.local] [infra-dns-01] [7327860] [Virtual machine cloned on host esx03.corp.local]\"\
 \n}"
diff --git a/pipelines/community/transform_ocsf/vpc_logs/metadata.yaml b/pipelines/community/transform_ocsf/vpc_logs/metadata.yaml
index 04d56f4..b919972 100644
--- a/pipelines/community/transform_ocsf/vpc_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/vpc_logs/metadata.yaml
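Review bot: `ingest_mode: "API Call"` in the vectra_ai_logs hunk is contradicted by its own sample_record, which is a syslog frame (PRI `<134>`, timestamp, host `vectra-brain`, tag `vectra_json_health`) with the JSON carried as the message body. If the transform receives the feed that way, the pair should be `ingest_mode: "Syslog"` and `auth_type: "N/A"` like the sibling hunks; if it genuinely pulls from an API with a key and secret, the sample should be the API response shape, and the Lua mapping presumably has to strip the syslog header first, which nothing in the hunk mentions. As written, one of the two new lines is wrong for this file.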
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "Other - {Explain: cloud VPC flow logs; varies (AWS=S3/IAM, GCP=API/OAuth, Azure=Storage/OAuth)}"
+ auth_type: "N/A"
 sample_record: "{\n \"version\": \"2\",\n \"account_id\": \"961993689209\",\n \"interface_id\": \"\
 eni-9747c42664d6496e9\",\n \"srcaddr\": \"10.226.113.5\",\n \"dstaddr\": \"203.0.113.73\",\n \"\
 srcport\": 8082,\n \"dstport\": 3389,\n \"protocol\": 6,\n \"packets\": 397,\n \"bytes\": 20421,\n\
diff --git a/pipelines/community/transform_ocsf/watchguard_firewall_logs/metadata.yaml b/pipelines/community/transform_ocsf/watchguard_firewall_logs/metadata.yaml
index 2ffe693..0c5e0fe 100644
--- a/pipelines/community/transform_ocsf/watchguard_firewall_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/watchguard_firewall_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "Syslog"
+ auth_type: "N/A"
 sample_record: "{\n \"timestamp\": \"2026-04-20T03:30:53Z\",\n \"userName\": \"deanna.troi@starfleet.corp\"\
 ,\n \"sourceIp\": \"126.153.119.95\",\n \"deviceId\": \"DS9-OPS-01\",\n \"query\": \"memory-alpha.org\"\
 ,\n \"queryType\": \"SOA\",\n \"responseCode\": \"REFUSED\",\n \"answer\": \"\",\n \"action\"\
diff --git a/pipelines/community/transform_ocsf/windows_event_log_logs/metadata.yaml b/pipelines/community/transform_ocsf/windows_event_log_logs/metadata.yaml
index 6458348..0c4600e 100644
--- a/pipelines/community/transform_ocsf/windows_event_log_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/windows_event_log_logs/metadata.yaml
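Review bot: `auth_type: "N/A"` in the vpc_logs hunk contradicts the `ingest_mode` line directly above it, which says the collection path needs IAM (AWS), OAuth (GCP) or Storage/OAuth (Azure) credentials, so "N/A" will be read as "no credential required" by anyone who does not also parse the explanation. The sample_record (`version`, `account_id`, `interface_id`, `srcaddr`, `dstaddr`, `srcport`, ...) looks like the AWS flow-log layout only, so unless the Lua mapping also handles the GCP and Azure shapes the consistent pair is closer to `ingest_mode: "Other - {Explain: AWS VPC flow logs via S3}"` and `auth_type: "Other - {Explain: IAM credentials for the flow-log bucket}"`. If all three clouds are really supported, mirror the per-cloud list in auth_type rather than writing "N/A".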
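Review bot: the watchguard_firewall_logs hunk declares `ingest_mode: "Syslog"` for a sample_record whose keys (`timestamp`, `userName`, `sourceIp`, `deviceId`, `query`, `queryType`, `responseCode`, `answer`, `action`) are identical to the zscaler_dns_firewall sample further down, which declares `"API Call"` with `"API Key & Secret"`. The two samples differ only in values, so they cannot both be the native output of two different vendors over two different transports; at least one of the new ingest_mode/auth_type pairs is not backed by its sample, and this one describes a DNS query rather than a firewall event. Confirming which feed the sample came from, or replacing it with a real WatchGuard record, would make the new metadata verifiable.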
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "Other - {Explain: agent-based collection (Windows Event Forwarding / Winlogbeat)}"
+ auth_type: "N/A"
 sample_record: "{\n \"raw\": \"An account was successfully logged on.\\\\r\\\\n\\\\r\\\\nSubject:\\\
 \\r\\\\n\\\\tSecurity ID:\\\\t\\\\tS-1-5-21-7414108797-5892774083-6555493966-8406\\\\r\\\\n\\\\tAccount\
 \ Name:\\\\t\\\\tjordy.laforge\\\\r\\\\n\\\\tAccount Domain:\\\\t\\\\tSTARFLEET\\\\r\\\\n\\\\tLogon\
diff --git a/pipelines/community/transform_ocsf/wiz_cloud_security_logs/metadata.yaml b/pipelines/community/transform_ocsf/wiz_cloud_security_logs/metadata.yaml
index 58cc23e..0ef8136 100644
--- a/pipelines/community/transform_ocsf/wiz_cloud_security_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/wiz_cloud_security_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "API Call"
+ auth_type: "API Key & Secret"
 sample_record: "{\n \"Record\": {\n \"eventTime\": \"2026-04-20T03:36:06.2074Z\",\n \"eventName\"\
 : \"UpdateUserRole\",\n \"eventType\": \"Update User\",\n \"eventID\": \"9975f265-e0d5-4b46-b097-8b7d2b6b62fc\"\
 ,\n \"requestID\": \"d8b655e6-bff3-464e-86a0-f6c405f49d39\",\n \"userIdentity\": {\n \"\
diff --git a/pipelines/community/transform_ocsf/wiz_issue/metadata.yaml b/pipelines/community/transform_ocsf/wiz_issue/metadata.yaml
index 365df86..9699c5a 100644
--- a/pipelines/community/transform_ocsf/wiz_issue/metadata.yaml
+++ b/pipelines/community/transform_ocsf/wiz_issue/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "API Call"
+ auth_type: "API Key & Secret"
 sample_record: "{\n \"id\": \"wiz-issue-92324e96-d8d1-4e9a-bcb8-14eed356e1a5\",\n \"targetExternalId\"\
 : \"arn:aws:s3:::company-public-assets\",\n \"deleted\": false,\n \"targetObjectProviderUniqueId\"\
 : \"arn:aws:s3:::company-public-assets\",\n \"firstSeenAt\": \"2026-04-19T14:51:33.000Z\",\n \"\
diff --git a/pipelines/community/transform_ocsf/zscaler_dns_firewall/metadata.yaml b/pipelines/community/transform_ocsf/zscaler_dns_firewall/metadata.yaml
index e25892b..883a4e8 100644
--- a/pipelines/community/transform_ocsf/zscaler_dns_firewall/metadata.yaml
+++ b/pipelines/community/transform_ocsf/zscaler_dns_firewall/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "API Call"
+ auth_type: "API Key & Secret"
 sample_record: "{\n \"timestamp\": \"2026-04-20T03:34:52Z\",\n \"userName\": \"deanna.troi@starfleet.corp\"\
 ,\n \"sourceIp\": \"51.25.59.27\",\n \"deviceId\": \"ENTERPRISE-BRIDGE-02\",\n \"query\": \"starfleet-academy.edu\"\
 ,\n \"queryType\": \"SRV\",\n \"responseCode\": \"SERVFAIL\",\n \"answer\": \"\",\n \"action\"\
diff --git a/pipelines/community/transform_ocsf/zscaler_firewall_logs/metadata.yaml b/pipelines/community/transform_ocsf/zscaler_firewall_logs/metadata.yaml
index 70e298e..e55957c 100644
--- a/pipelines/community/transform_ocsf/zscaler_firewall_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/zscaler_firewall_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "API Call"
+ auth_type: "API Key & Secret"
 sample_record: "{\n \"datetime\": \"2026-04-20T03:36:52.892752+00:00\",\n \"user\": [\n \"user58@company.com\"\
 \n ],\n \"department\": \"IT\",\n \"locationname\": \"Frankfurt\",\n \"cdport\": 25,\n \"csport\"\
 : 65087,\n \"sdport\": \"0\",\n \"ssport\": \"0\",\n \"csip\": \"10.198.155.163\",\n \"cdip\"\
diff --git a/pipelines/community/transform_ocsf/zscaler_logs/metadata.yaml b/pipelines/community/transform_ocsf/zscaler_logs/metadata.yaml
index 376db6a..d4c2899 100644
--- a/pipelines/community/transform_ocsf/zscaler_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/zscaler_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "API Call"
+ auth_type: "API Key & Secret"
 sample_record: "(realistic sample not available \u2014 use empty {} for testing)"
 dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings.
diff --git a/pipelines/community/transform_ocsf/zscaler_zia_logs/metadata.yaml b/pipelines/community/transform_ocsf/zscaler_zia_logs/metadata.yaml
index 4d9f86f..405c534 100644
--- a/pipelines/community/transform_ocsf/zscaler_zia_logs/metadata.yaml
+++ b/pipelines/community/transform_ocsf/zscaler_zia_logs/metadata.yaml
@@ -14,6 +14,8 @@ metadata_details:
 format: source-specific JSON/KV/syslog
 ocsf_version: 1.3.0
 ingestion_method: Observo OCSFSerializer (Lua-based transform)
+ ingest_mode: "API Call"
+ auth_type: "API Key & Secret"
 sample_record: "(realistic sample not available \u2014 use empty {} for testing)"
 dependency_summary: Requires Observo OCSFSerializer template with Lua runtime (lupa). Source events must match the field layout exercised by the Lua mappings.
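Review bot: the zscaler_zia_logs hunk and the zscaler_logs hunk on the previous line add byte-identical metadata (`ingest_mode: "API Call"`, `auth_type: "API Key & Secret"`) while both keep the placeholder sample_record, so nothing on the page says which Zscaler feed each transform consumes or how the two differ, and the credential claim cannot be checked against a record shape the way it can for the other hunks. A qualifier such as `ingest_mode: "Other - {Explain: <which Zscaler feed>}"` or one sentence in dependency_summary naming the feed and the credential it expects would let a reviewer verify auth_type. zscaler_firewall_logs on that same previous line does carry a sample and is not affected.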