plaso.parsers.jsonl_plugins package

Submodules

plaso.parsers.jsonl_plugins.aws_cloudtrail_log module

JSON-L parser plugin for AWS CloudTrail log files.

class plaso.parsers.jsonl_plugins.aws_cloudtrail_log.AWSCloudTrailEventData(*args: Any, **kwargs: Any)

Bases: EventData

AWS CloudTrail log event data.

access_key

access key identifier.

Type

str

account_identifier

AWS account identifier.

Type

str

cloud_trail_event

CloudTrail event.

Type

str

event_name

event name.

Type

str

event_source

AWS service.

Type

str

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

resources

resources.

Type

str

source_ip

source IP address.

Type

str

user_identity_arn

AWS ARN of the user.

Type

str

user_name

name of the AWS user.

Type

str

DATA_TYPE = 'aws:cloudtrail:entry'

class plaso.parsers.jsonl_plugins.aws_cloudtrail_log.AWSCloudTrailLogJSONLPlugin

Bases: JSONLPlugin

JSON-L parser plugin for AWS CloudTrail log files.

CheckRequiredFormat(json_dict)

Check if the log record has the minimal structure required by the plugin.

Parameters

json_dict (dict) – JSON dictionary of the log record.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'AWS CloudTrail Log'
NAME = 'aws_cloudtrail_log'

plaso.parsers.jsonl_plugins.azure_activity_log module

JSON-L parser plugin for Azure activity log files.

class plaso.parsers.jsonl_plugins.azure_activity_log.AzureActivityLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Azure activity log event data.

caller

Azure identity.

Type

str

client_ip

client IP address.

Type

str

correlation_identifier

Correlation identifier.

Type

str

event_data_identifier

Event data identifier.

Type

str

event_name

name of the event.

Type

str

level

log level.

Type

str

operation_identifier

Operation identifier.

Type

str

operation_name

operation name.

Type

str

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

resource_group

resource group.

Type

str

resource_identifier

resource.

Type

str

resource_provider

API service.

Type

str

resource_type

resource type.

Type

str

subscription_identifier

subscription identifier.

Type

str

tenant_identifier

tenant identifier.

Type

str

DATA_TYPE = 'azure:activitylog:entry'

class plaso.parsers.jsonl_plugins.azure_activity_log.AzureActivityLogJSONLPlugin

Bases: JSONLPlugin

JSON-L parser plugin for Azure activity log files.

CheckRequiredFormat(json_dict)

Check if the log record has the minimal structure required by the plugin.

Parameters

json_dict (dict) – JSON dictionary of the log record.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Azure Activity Log'
NAME = 'azure_activity_log'

plaso.parsers.jsonl_plugins.azure_application_gateway_log module

JSON-L parser plugin for Azure application gateway access log files.

class plaso.parsers.jsonl_plugins.azure_application_gateway_log.AzureApplicationGatewayAccessEventData(*args: Any, **kwargs: Any)

Bases: EventData

Azure application gateway access log event data.

client_ip

Client IP address of the request.

Type

str

client_port

Client TCP/UDP port for the request.

Type

int

client_response_time

Duration, in seconds, from the first byte of a client request to be processed up to the first byte sent as response to the client.

Type

int

host

Address listed in the host header of the request. If rewritten using header rewrite, contains the updated host name.

Type

str

http_method

HTTP method used by the request.

Type

str

http_status

HTTP status code returned to the client from application gateway.

Type

int

http_version

HTTP version of the request.

Type

str

instance_identifier

Application gateway instance that served the request.

Type

str

original_host

Original request host name.

Type

str

original_request_uri

Original request URL, including arguments.

Type

str

received_bytes

Size of packet received, in bytes.

Type

int

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

request_query

Server-Routed: Back-end pool instance that was sent the request. X-AzureApplicationGateway-LOG-ID: Correlation ID used for the request. It can be used to troubleshoot traffic issues on the back-end servers. SERVER-STATUS: HTTP response code that application gateway received from the back-end.

Type

str

request_uri

URI of the received request.

Type

str

sent_bytes

Size of packet sent, in bytes.

Type

int

server_response_latency

Latency of the response (in seconds) from the back-end server.

Type

str

server_routed

The back-end server that application gateway routes the request to.

Type

str

server_status

HTTP status code of the back-end server.

Type

str

ssl_cipher

Cipher suite being used for TLS communication.

Type

str

ssl_client_certificate_fingerprint

Fingerprint of the SSL client certificate.

Type

str

ssl_client_certificate_issuer_name

Name of the issuer of the SSL client certificate.

Type

str

ssl_client_verify

TODO.

Type

str

ssl_enabled

Whether communication to the back-end pools used TLS. Valid values are on and off.

Type

str

ssl_protocol

The SSL/TLS protocol used.

Type

str

time_taken

Duration, in seconds, that it takes for the first byte of a client request to be processed and its last-byte sent in the response to the client. It’s important to note that the Time-Taken field usually includes the time that the request and response packets are traveling over the network.

Type

double

transaction_id

Unique identifier to correlate the request received from the client

Type

str

user_agent

User agent from the HTTP request header.

Type

str

waf_evaluation_time

Duration, in seconds, that it takes for the request to be processed by the WAF.

Type

str

waf_mode

Value can be either Detection or Prevention.

Type

str

DATA_TYPE = 'azure:application_gateway_access:entry'

class plaso.parsers.jsonl_plugins.azure_application_gateway_log.AzureApplicationGatewayAccessLogJSONLPlugin

Bases: JSONLPlugin

JSON-L parser plugin for Azure application gateway access log files.

CheckRequiredFormat(json_dict)

Check if the log record has the minimal structure required by the plugin.

Parameters

json_dict (dict) – JSON dictionary of the log record.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Azure Application Gateway access log'
NAME = 'azure_application_gateway_access_log'

plaso.parsers.jsonl_plugins.docker_container_config module

JSON-L parser plugin for Docker container configuration files.

class plaso.parsers.jsonl_plugins.docker_container_config.DockerContainerConfigurationEventData(*args: Any, **kwargs: Any)

Bases: EventData

Docker container configuration event data.

action

whether the container was created, started, or finished.

Type

str

container_identifier

identifier of the container (SHA256).

Type

str

container_name

name of the container.

Type

str

creation_time

date and time the container was created (added).

Type

dfdatetime.DateTimeValues

end_time

date and time the container was stopped.

Type

dfdatetime.DateTimeValues

start_time

date and time the container was started.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'docker:container:configuration'

class plaso.parsers.jsonl_plugins.docker_container_config.DockerContainerConfigurationJSONLPlugin

Bases: JSONLPlugin

JSON-L parser plugin for Docker container configuration files.

This parser handles the per-container Docker configuration files stored in: DOCKER_DIR/containers/<container_identifier>/config.json

CheckRequiredFormat(json_dict)

Check if the record has the minimal structure required by the plugin.

Parameters

json_dict (dict) – JSON dictionary of the configuration record.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Docker container configuration file'
NAME = 'docker_container_config'

plaso.parsers.jsonl_plugins.docker_container_log module

JSON-L parser plugin for Docker container log files.

class plaso.parsers.jsonl_plugins.docker_container_log.DockerContainerLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Docker container log event data.

container_identifier

identifier of the container (SHA256).

Type

str

log_line

log line.

Type

str

log_source

log source.

Type

str

written_time

date and time the entry was written.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'docker:container:log:entry'

class plaso.parsers.jsonl_plugins.docker_container_log.DockerContainerLogJSONLPlugin

Bases: JSONLPlugin

JSON-L parser plugin for Docker container log files.

This parser handles the per-container Docker log files stored in: DOCKER_DIR/containers/<container_identifier>/<container_identifier>-json.log

CheckRequiredFormat(json_dict)

Check if the log record has the minimal structure required by the plugin.

Parameters

json_dict (dict) – JSON dictionary of the log record.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Docker container log file'
NAME = 'docker_container_log'
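
A stand-alone sketch of the container log handling described above, added here as an example; it is not plaso's code and does not import plaso. It assumes the `log`, `stream` and `time` keys written by Docker's json-file logging driver, and the mapping of those keys onto the attribute names listed above is an assumption; the path and log lines are constructed.

```python
import json
import re
from datetime import datetime, timezone

# Constructed evidence path and log lines (not taken from a real system).
CONTAINER_ID = 'ab' * 32
SAMPLE_PATH = f'/evidence/docker/containers/{CONTAINER_ID}/{CONTAINER_ID}-json.log'
SAMPLE_LINES = [
    '{"log":"listening on :8080\\n","stream":"stdout","time":"2024-03-01T12:00:00.123456789Z"}',
    '{"log":"permission denied\\n","stream":"stderr","time":"2024-03-01T12:00:05.5Z"}',
    'not json at all',
    '{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com"}',
]

_PATH_RE = re.compile(r'/containers/([0-9a-f]{64})/\1-json\.log$')
_TIME_RE = re.compile(r'^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z$')

def check_required_format(json_dict):
    """Minimal-structure check: the three json-file keys, all strings."""
    return isinstance(json_dict, dict) and all(
        isinstance(json_dict.get(key), str) for key in ('log', 'stream', 'time'))

def parse_time(value):
    """Parses an RFC 3339 UTC timestamp, truncating nanoseconds to microseconds."""
    match = _TIME_RE.match(value)
    if not match:
        return None
    fraction = (match.group(2) or '0')[:6].ljust(6, '0')
    base = datetime.strptime(match.group(1), '%Y-%m-%dT%H:%M:%S')
    return base.replace(microsecond=int(fraction), tzinfo=timezone.utc)

def parse_container_log(path, lines):
    """Returns (records, skipped); records use the attribute names listed above."""
    match = _PATH_RE.search(path)
    container_identifier = match.group(1) if match else None
    records, skipped = [], 0
    for line in lines:
        try:
            json_dict = json.loads(line)
        except ValueError:
            json_dict = None
        if not check_required_format(json_dict):
            skipped += 1  # foreign or damaged record: count it, never guess
            continue
        records.append({
            'container_identifier': container_identifier,
            'log_line': json_dict['log'].rstrip('\n'),
            'log_source': json_dict['stream'],
            'written_time': parse_time(json_dict['time'])})
    return records, skipped
```

The skipped count is worth keeping in a timeline workflow: a non-zero value on a file that matched the path pattern points to truncated or foreign records that deserve a manual look.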

plaso.parsers.jsonl_plugins.docker_layer_config module

JSON-L parser plugin for Docker layer configuration files.

class plaso.parsers.jsonl_plugins.docker_layer_config.DockerLayerConfigurationEventData(*args: Any, **kwargs: Any)

Bases: EventData

Docker layer configuration event data.

command

the command used which made Docker create a new layer.

creation_time

date and time the layer was created (added).

Type

dfdatetime.DateTimeValues

layer_identifier

the identifier of the current Docker layer (SHA-1).

DATA_TYPE = 'docker:layer:configuration'

class plaso.parsers.jsonl_plugins.docker_layer_config.DockerLayerConfigurationJSONLPlugin

Bases: JSONLPlugin

JSON-L parser plugin for Docker layer configuration files.

This parser handles the per-layer Docker configuration files stored in: DOCKER_DIR/graph/<layer_identifier>/json

CheckRequiredFormat(json_dict)

Check if the record has the minimal structure required by the plugin.

Parameters

json_dict (dict) – JSON dictionary of the configuration record.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Docker layer configuration file'
NAME = 'docker_layer_config'

plaso.parsers.jsonl_plugins.gcp_log module

JSON-L parser plugin for Google Cloud (GCP) log files.

class plaso.parsers.jsonl_plugins.gcp_log.GCPLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Google Cloud (GCP) log event data.

container

TODO

Type

str

event_subtype

JSON event sub type or protocol buffer method.

Type

str

event_type

TODO

Type

str

filename

TODO

Type

str

firewall_rules

firewall rules.

Type

list[str]

firewall_source_ranges

firewall source ranges.

Type

list[str]

log_name

name of the log entry.

Type

str

message

TODO

Type

str

policy_deltas

TODO

Type

list[str]

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

request_account_identifier

GCP account identifier of the request.

Type

str

request_description

description of the request.

Type

str

request_direction

direction of the request.

Type

str

request_email

email address of the request.

Type

str

request_member

member of the request.

Type

str

request_metadata

request metadata values.

Type

list[str]

request_name

name of the request.

Type

str

request_target_tags

TODO

Type

str

resource_labels

resource labels.

Type

list[str]

resource_name

name of the resource.

Type

str

service_account_display_name

display name of the service account.

Type

str

service_name

name of the service.

Type

str

severity

log entry severity.

Type

str

text_payload

text payload for logs not using a JSON or proto payload.

Type

str

user

user principal performing the logged action.

Type

str

DATA_TYPE = 'gcp:log:entry'

class plaso.parsers.jsonl_plugins.gcp_log.GCPLogJSONLPlugin

Bases: JSONLPlugin

JSON-L parser plugin for Google Cloud (GCP) log files.

CheckRequiredFormat(json_dict)

Check if the log record has the minimal structure required by the plugin.

Parameters

json_dict (dict) – JSON dictionary of the log record.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Google Cloud (GCP) log'
NAME = 'gcp_log'

plaso.parsers.jsonl_plugins.interface module

Interface for JSON-L parser plugins.

class plaso.parsers.jsonl_plugins.interface.JSONLPlugin

Bases: BasePlugin

This is an abstract class from which plugins should be based.

The following are the attributes and methods expected to be overridden by a JSON-L parser plugin.

abstract CheckRequiredFormat(json_dict)

Check if the log record has the minimal structure required by the plugin.

Parameters

json_dict (dict) – JSON dictionary of the log record.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

NAME = 'jsonl_plugin'

Process(parser_mediator, file_object=None, **kwargs)

Extracts events from a JSON-L log file.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.

  • file_object (Optional[dfvfs.FileIO]) – a file-like object.

plaso.parsers.jsonl_plugins.ios_app_privacy module

JSON-L parser plugin for iOS application privacy report files.

class plaso.parsers.jsonl_plugins.ios_app_privacy.IOSAppPrivacPlugin

Bases: JSONLPlugin

JSON-L parser plugin for iOS application privacy report files.

CheckRequiredFormat(json_dict)

Check if the log record has the minimal structure required by the plugin.

Parameters

json_dict (dict) – JSON dictionary of the log record.

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'iOS Application Privacy report'
NAME = 'ios_application_privacy'

class plaso.parsers.jsonl_plugins.ios_app_privacy.IOSAppPrivacyAccessEvent(*args: Any, **kwargs: Any)

Bases: EventData

iOS application privacy report event of type access.

accessor_identifier

identifier of process accessing the resource

Type

str

accessor_identifier_type

type of identifier

Type

str

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

resource_category

category of the accessed resource

Type

str

resource_identifier

GUID of the resource being accessed

Type

str

DATA_TYPE = 'ios:app_privacy:access'

class plaso.parsers.jsonl_plugins.ios_app_privacy.IOSAppPrivacyNetworkEvent(*args: Any, **kwargs: Any)

Bases: EventData

iOS application privacy report event of type network activity.

bundle_identifier

bundle identifier that accessed the resource

Type

str

domain

domain name accessed

Type

str

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

DATA_TYPE = 'ios:app_privacy:network'

plaso.parsers.jsonl_plugins.microsoft365_audit_log module

JSON-L parser plugin for Microsoft (Office) 365 audit log files.

class plaso.parsers.jsonl_plugins.microsoft365_audit_log.Microsoft365AuditLogEventData(*args: Any, **kwargs: Any)

Bases: EventData

Microsoft (Office) 365 audit log event data.

audit_record_identifier

audit record identifier.

Type

str

application_access_context

application access context

Type

str

client_ip

client IP address.

Type

str

object_identifier

object identifier

Type

str

operation_name

operation name.

Type

str

organization_identifier

organization identifier.

Type

str

record_type

record type.

Type

int

recorded_time

date and time the log entry was recorded.

Type

dfdatetime.DateTimeValues

result_status

result status

Type

str

scope

scope.

Type

str

user_identifier

user identifier

Type

str

user_key

user key.

Type

str

user_type

user type.

Type

int

workload

Microsoft (Office) 365 service

Type

str

DATA_TYPE = 'microsoft365:audit_log:entry'

class plaso.parsers.jsonl_plugins.microsoft365_audit_log.Microsoft365AuditLogJSONLPlugin

Bases: JSONLPlugin

JSON-L parser plugin for Microsoft (Office) 365 audit log files.

CheckRequiredFormat(json_dict)

Check if the log record has the minimal structure required by the plugin.

Parameters

json_dict (dict) – JSON dictionary of the log record

Returns

True if this is the correct parser, False otherwise.

Return type

bool

DATA_FORMAT = 'Microsoft (Office) 365 audit log'
NAME = 'microsoft_audit_log'

Module contents

Imports for the JSON-L parser plugins.