plaso.parsers.jsonl_plugins package

Submodules

plaso.parsers.jsonl_plugins.aws_cloudtrail_log module

JSON-L parser plugin for AWS CloudTrail log files.

class plaso.parsers.jsonl_plugins.aws_cloudtrail_log.AWSCloudTrailEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

AWS CloudTrail log event data.

access_key

access key identifier.

Type: str

account_identifier

AWS account identifier.

Type: str

cloud_trail_event

CloudTrail event.

Type: str

event_name

event name.

Type: str

event_source

AWS service.

Type: str

recorded_time

date and time the log entry was recorded.

Type: dfdatetime.DateTimeValues

resources

resources.

Type: str

source_ip

source IP address.

Type: str

user_identity_arn

AWS ARN of the user.

Type: str

user_name

name of the AWS user.

Type: str

DATA_TYPE = 'aws:cloudtrail:entry'

class plaso.parsers.jsonl_plugins.aws_cloudtrail_log.AWSCloudTrailLogJSONLPlugin[source]

Bases: JSONLPlugin

JSON-L parser plugin for AWS CloudTrail log files.

CheckRequiredFormat(json_dict)[source]

Check if the log record has the minimal structure required by the plugin.

Parameters: json_dict (dict) – JSON dictionary of the log record.
Returns: True if this is the correct parser, False otherwise.
Return type: bool

DATA_FORMAT = 'AWS CloudTrail Log'

NAME = 'aws_cloudtrail_log'

plaso.parsers.jsonl_plugins.azure_activity_log module

JSON-L parser plugin for Azure activity log files.

class plaso.parsers.jsonl_plugins.azure_activity_log.AzureActivityLogEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Azure activity log event data.

caller

Azure identity.

Type: str

client_ip

client IP address.

Type: str

correlation_identifier

Correlation identifier.

Type: str

event_data_identifier

Event data identifier.

Type: str

event_name

name of the event.

Type: str

level

log level.

Type: str

operation_identifier

Operation identifier.

Type: str

operation_name

operation name.

Type: str

recorded_time

date and time the log entry was recorded.

Type: dfdatetime.DateTimeValues

resource_group

resource group.

Type: str

resource_identifier

resource.

Type: str

resource_provider

API service.

Type: str

resource_type

resource type.

Type: str

subscription_identifier

subscription identifier.

Type: str

tenant_identifier

tenant identifier.

Type: str

DATA_TYPE = 'azure:activitylog:entry'

class plaso.parsers.jsonl_plugins.azure_activity_log.AzureActivityLogJSONLPlugin[source]

Bases: JSONLPlugin

JSON-L parser plugin for Azure activity log files.

CheckRequiredFormat(json_dict)[source]

Check if the log record has the minimal structure required by the plugin.

Parameters: json_dict (dict) – JSON dictionary of the log record.
Returns: True if this is the correct parser, False otherwise.
Return type: bool

DATA_FORMAT = 'Azure Activity Log'

NAME = 'azure_activity_log'

plaso.parsers.jsonl_plugins.azure_application_gateway_log module

JSON-L parser plugin for Azure application gateway access log files.

class plaso.parsers.jsonl_plugins.azure_application_gateway_log.AzureApplicationGatewayAccessEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Azure application gateway access log event data.

client_ip

Client IP address of the request.

Type: str

client_port

Client TCP/UDP port for the request.

Type: int

client_response_time

Duration, in seconds, from the first byte of a client request to be processed up to the first byte sent as response to the client.

Type: int

host

Address listed in the host header of the request. If rewritten using header rewrite, contains the updated host name.

Type: str

http_method

HTTP method used by the request.

Type: str

http_status

HTTP status code returned to the client from application gateway.

Type: int

http_version

HTTP version of the request.

Type: str

instance_identifier

Application gateway instance that served the request.

Type: str

original_host

Original request host name.

Type: str

original_request_uri

Original request URL, including arguments.

Type: str

received_bytes

Size of packet received, in bytes.

Type: int

recorded_time

date and time the log entry was recorded.

Type: dfdatetime.DateTimeValues

request_query

Server-Routed: Back-end pool instance that was sent the request. X-AzureApplicationGateway-LOG-ID: Correlation ID used for the request. It can be used to troubleshoot traffic issues on the back-end servers. SERVER-STATUS: HTTP response code that application gateway received from the back-end.

Type: str

request_uri

URI of the received request.

Type: str

sent_bytes

Size of packet sent, in bytes.

Type: int

server_response_latency

Latency of the response (in seconds) from the back-end server.

Type: str

server_routed

The back-end server that application gateway routes the request to.

Type: str

server_status

HTTP status code of the back-end server.

Type: str

ssl_cipher

Cipher suite being used for TLS communication.

Type: str

ssl_client_certificate_fingerprint

Fingerprint of the SSL client certificate.

Type: str

ssl_client_certificate_issuer_name

Name of the issuer of the SSL client certificate.

Type: str

ssl_client_verify

TODO.

Type: str

ssl_enabled

Whether communication to the back-end pools used TLS. Valid values are on and off.

Type: str

ssl_protocol

The SSL/TLS protocol used.

Type: str

time_taken

Duration, in seconds, that it takes for the first byte of a client request to be processed and its last-byte sent in the response to the client. It’s important to note that the Time-Taken field usually includes the time that the request and response packets are traveling over the network.

Type: double

transaction_id

Unique identifier to correlate the request received from the client

Type: str

user_agent

User agent from the HTTP request header.

Type: str

waf_evaluation_time

Duration, in seconds, that it takes for the request to be processed by the WAF.

Type: str

waf_mode

Value can be either Detection or Prevention.

Type: str

DATA_TYPE = 'azure:application_gateway_access:entry'

class plaso.parsers.jsonl_plugins.azure_application_gateway_log.AzureApplicationGatewayAccessLogJSONLPlugin[source]

Bases: JSONLPlugin

JSON-L parser plugin for Azure application gateway access log files.

CheckRequiredFormat(json_dict)[source]

Check if the log record has the minimal structure required by the plugin.

Parameters: json_dict (dict) – JSON dictionary of the log record.
Returns: True if this is the correct parser, False otherwise.
Return type: bool

DATA_FORMAT = 'Azure Application Gateway access log'

NAME = 'azure_application_gateway_access_log'

plaso.parsers.jsonl_plugins.docker_container_config module

JSON-L parser plugin for Docker container configuration files.

class plaso.parsers.jsonl_plugins.docker_container_config.DockerContainerConfigurationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Docker container configuration event data.

action

whether the container was created, started, or finished.

Type: str

container_identifier

identifier of the container (SHA256).

Type: str

container_name

name of the container.

Type: str

creation_time

date and time the container was created (added).

Type: dfdatetime.DateTimeValues

end_time

date and time the container was stopped.

Type: dfdatetime.DateTimeValues

start_time

date and time the container was started.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'docker:container:configuration'

class plaso.parsers.jsonl_plugins.docker_container_config.DockerContainerConfigurationJSONLPlugin[source]

Bases: JSONLPlugin

JSON-L parser plugin for Docker container configuration files.

This parser handles per Docker container configuration files stored in: DOCKER_DIR/containers/<container_identifier>/config.json

CheckRequiredFormat(json_dict)[source]

Check if the record has the minimal structure required by the plugin.

Parameters: json_dict (dict) – JSON dictionary of the configuration record.
Returns: True if this is the correct parser, False otherwise.
Return type: bool

DATA_FORMAT = 'Docker container configuration file'

NAME = 'docker_container_config'

plaso.parsers.jsonl_plugins.docker_container_log module

JSON-L parser plugin for Docker container log files.

class plaso.parsers.jsonl_plugins.docker_container_log.DockerContainerLogEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Docker container log event data.

container_identifier

identifier of the container (SHA256).

Type: str

log_line

log line.

Type: str

log_source

log source.

Type: str

written_time

date and time the entry was written.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'docker:container:log:entry'

class plaso.parsers.jsonl_plugins.docker_container_log.DockerContainerLogJSONLPlugin[source]

Bases: JSONLPlugin

JSON-L parser plugin for Docker container log files.

This parser handles per Docker container log files stored in: DOCKER_DIR/containers/<container_identifier>/<container_identifier>-json.log

CheckRequiredFormat(json_dict)[source]

Check if the log record has the minimal structure required by the plugin.

Parameters: json_dict (dict) – JSON dictionary of the log record.
Returns: True if this is the correct parser, False otherwise.
Return type: bool

DATA_FORMAT = 'Docker container log file'

NAME = 'docker_container_log'

plaso.parsers.jsonl_plugins.docker_layer_config module

JSON-L parser plugin for Docker layer configuration files.

class plaso.parsers.jsonl_plugins.docker_layer_config.DockerLayerConfigurationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Docker layer configuration event data.

command: the command used which made Docker create a new layer.

creation_time

date and time the layer was created (added).

Type: dfdatetime.DateTimeValues

layer_identifier: the identifier of the current Docker layer (SHA-1).

DATA_TYPE = 'docker:layer:configuration'

class plaso.parsers.jsonl_plugins.docker_layer_config.DockerLayerConfigurationJSONLPlugin[source]

Bases: JSONLPlugin

JSON-L parser plugin for Docker layer configuration files.

This parser handles per Docker layer configuration files stored in: DOCKER_DIR/graph/<layer_identifier>/json

CheckRequiredFormat(json_dict)[source]

Check if the record has the minimal structure required by the plugin.

Parameters: json_dict (dict) – JSON dictionary of the configuration record.
Returns: True if this is the correct parser, False otherwise.
Return type: bool

DATA_FORMAT = 'Docker layer configuration file'

NAME = 'docker_layer_config'

plaso.parsers.jsonl_plugins.gcp_log module

JSON-L parser plugin for Google Cloud (GCP) log files.

class plaso.parsers.jsonl_plugins.gcp_log.GCPLogEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Google Cloud (GCP) log event data.

container

TODO

Type: str

event_subtype

JSON event sub type or protocol buffer method.

Type: str

event_type

TODO

Type: str

filename

TODO

Type: str

firewall_rules

firewall rules.

Type: list[str]

firewall_source_ranges

firewall source ranges.

Type: list[str]

log_name

name of the log entry.

Type: str

message

TODO

Type: str

policy_deltas

TODO

Type: list[str]

recorded_time

date and time the log entry was recorded.

Type: dfdatetime.DateTimeValues

request_account_identifier

GCP account identifier of the request.

Type: str

request_description

description of the request.

Type: str

request_direction

direction of the request.

Type: str

request_email

email address of the request.

Type: str

request_member

member of the request.

Type: str

request_metadata

request metadata values.

Type: list[str]

request_name

name of the request.

Type: str

request_target_tags

TODO

Type: str

resource_labels

resource labels.

Type: list[str]

resource_name

name of the resource.

Type: str

service_account_display_name

display name of the service account.

Type: str

service_name

name of the servie.

Type: str

severity

log entry severity.

Type: str

text_payload

text payload for logs not using a JSON or proto payload.

Type: str

user

user principal performing the logged action.

Type: str

DATA_TYPE = 'gcp:log:entry'

class plaso.parsers.jsonl_plugins.gcp_log.GCPLogJSONLPlugin[source]

Bases: JSONLPlugin

JSON-L parser plugin for Google Cloud (GCP) log files.

CheckRequiredFormat(json_dict)[source]

Check if the log record has the minimal structure required by the plugin.

Parameters: json_dict (dict) – JSON dictionary of the log record.
Returns: True if this is the correct parser, False otherwise.
Return type: bool

DATA_FORMAT = 'Google Cloud (GCP) log'

NAME = 'gcp_log'

plaso.parsers.jsonl_plugins.interface module

Interface for JSON-L parser plugins.

class plaso.parsers.jsonl_plugins.interface.JSONLPlugin[source]

Bases: BasePlugin

This is an abstract class from which plugins should be based.

The following are the attributes and methods expected to be overridden by a JSON-L parser plugin.

abstract CheckRequiredFormat(json_dict)[source]

Check if the log record has the minimal structure required by the plugin.

Parameters: json_dict (dict) – JSON dictionary of the log record.
Returns: True if this is the correct parser, False otherwise.
Return type: bool

NAME = 'jsonl_plugin'

Process(parser_mediator, file_object=None, **kwargs)[source]

Extracts events from a JSON-L log file.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
file_object (Optional[dfvfs.FileIO]) – a file-like object.

plaso.parsers.jsonl_plugins.ios_app_privacy module

JSON-L parser plugin for iOS application privacy report files.

class plaso.parsers.jsonl_plugins.ios_app_privacy.IOSAppPrivacPlugin[source]

Bases: JSONLPlugin

JSON-L parser plugin for iOS application privacy report files.

CheckRequiredFormat(json_dict)[source]

Check if the log record has the minimal structure required by the plugin.

Parameters: json_dict (dict) – JSON dictionary of the log record.
Returns: True if this is the correct parser, False otherwise.
Return type: bool

DATA_FORMAT = 'iOS Application Privacy report'

NAME = 'ios_application_privacy'

class plaso.parsers.jsonl_plugins.ios_app_privacy.IOSAppPrivacyAccessEvent(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS application privacy report event of type access.

accessor_identifier

identifier of process accessing the resource

Type: str

accessor_identifier_type

type of identifier

Type: str

recorded_time

date and time the log entry was recorded.

Type: dfdatetime.DateTimeValues

resource_category

category of the accessed resource

Type: str

resource_identifier

GUID of the resource being accessed

Type: str

DATA_TYPE = 'ios:app_privacy:access'

class plaso.parsers.jsonl_plugins.ios_app_privacy.IOSAppPrivacyNetworkEvent(*args: Any, **kwargs: Any)[source]

Bases: EventData

iOS application privacy report event of type network activity.

bundle_identifier

bundle identifier that accesssed the resource

Type: str

domain

domain name accessed

Type: str

recorded_time

date and time the log entry was recorded.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'ios:app_privacy:network'

plaso.parsers.jsonl_plugins.microsoft365_audit_log module

JSON-L parser plugin for Microsoft (Office) 365 audit log files.

class plaso.parsers.jsonl_plugins.microsoft365_audit_log.Microsoft365AuditLogEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Microsoft (Office) 365 audit log event data.

audit_record_identifier

audit record identifier.

Type: str

application_access_context

application access context

Type: str

client_ip

client IP address.

Type: str

object_identifier

object identifier

Type: str

operation_name

operation name.

Type: str

organization_identifier

organization identifier.

Type: str

record_type

record type.

Type: int

recorded_time

date and time the log entry was recorded.

Type: dfdatetime.DateTimeValues

result_status

result status

Type: str

scope

scope.

Type: str

user_identifier

user identifier

Type: str

user_key

user key.

Type: str

user_type

user type.

Type: int

workload

Microsoft (Office) 365 service

Type: str

DATA_TYPE = 'microsoft365:audit_log:entry'

class plaso.parsers.jsonl_plugins.microsoft365_audit_log.Microsoft365AuditLogJSONLPlugin[source]

Bases: JSONLPlugin

JSON-L parser plugin for Microsoft (Office) 365 audit log files.

CheckRequiredFormat(json_dict)[source]

Check if the log record has the minimal structure required by the plugin.

Parameters: json_dict (dict) – JSON dictionary of the log record
Returns: True if this is the correct parsers, False otherwise.
Return type: bool

DATA_FORMAT = 'Microsoft (Office) 365 audit log'

NAME = 'microsoft_audit_log'

Module contents

Imports for the JSON-L parser plugins.