plaso.parsers.jsonl_plugins package
Submodules
plaso.parsers.jsonl_plugins.aws_cloudtrail_log module
JSON-L parser plugin for AWS CloudTrail log files.
- class plaso.parsers.jsonl_plugins.aws_cloudtrail_log.AWSCloudTrailEventData(*args: Any, **kwargs: Any)
Bases: EventData
AWS CloudTrail log event data.
- access_key (str): access key identifier.
- account_identifier (str): AWS account identifier.
- cloud_trail_event (str): CloudTrail event.
- event_name (str): event name.
- event_source (str): AWS service.
- recorded_time (dfdatetime.DateTimeValues): date and time the log entry was recorded.
- resources (str): resources.
- source_ip (str): source IP address.
- user_identity_arn (str): AWS ARN of the user.
- user_name (str): name of the AWS user.
- DATA_TYPE = 'aws:cloudtrail:entry'
- class plaso.parsers.jsonl_plugins.aws_cloudtrail_log.AWSCloudTrailLogJSONLPlugin
Bases: JSONLPlugin
JSON-L parser plugin for AWS CloudTrail log files.
- CheckRequiredFormat(json_dict)
Check if the log record has the minimal structure required by the plugin.
  - Parameters: json_dict (dict) – JSON dictionary of the log record.
  - Returns (bool): True if this is the correct parser, False otherwise.
- DATA_FORMAT = 'AWS CloudTrail Log'
- NAME = 'aws_cloudtrail_log'
plaso.parsers.jsonl_plugins.azure_activity_log module
JSON-L parser plugin for Azure activity log files.
- class plaso.parsers.jsonl_plugins.azure_activity_log.AzureActivityLogEventData(*args: Any, **kwargs: Any)
Bases: EventData
Azure activity log event data.
- caller (str): Azure identity.
- client_ip (str): client IP address.
- correlation_identifier (str): correlation identifier.
- event_data_identifier (str): event data identifier.
- event_name (str): name of the event.
- level (str): log level.
- operation_identifier (str): operation identifier.
- operation_name (str): operation name.
- recorded_time (dfdatetime.DateTimeValues): date and time the log entry was recorded.
- resource_group (str): resource group.
- resource_identifier (str): resource.
- resource_provider (str): API service.
- resource_type (str): resource type.
- subscription_identifier (str): subscription identifier.
- tenant_identifier (str): tenant identifier.
- DATA_TYPE = 'azure:activitylog:entry'
- class plaso.parsers.jsonl_plugins.azure_activity_log.AzureActivityLogJSONLPlugin
Bases: JSONLPlugin
JSON-L parser plugin for Azure activity log files.
- CheckRequiredFormat(json_dict)
Check if the log record has the minimal structure required by the plugin.
  - Parameters: json_dict (dict) – JSON dictionary of the log record.
  - Returns (bool): True if this is the correct parser, False otherwise.
- DATA_FORMAT = 'Azure Activity Log'
- NAME = 'azure_activity_log'
plaso.parsers.jsonl_plugins.azure_application_gateway_log module
JSON-L parser plugin for Azure application gateway access log files.
- class plaso.parsers.jsonl_plugins.azure_application_gateway_log.AzureApplicationGatewayAccessEventData(*args: Any, **kwargs: Any)
Bases: EventData
Azure application gateway access log event data.
- client_ip (str): Client IP address of the request.
- client_port (int): Client TCP/UDP port for the request.
- client_response_time (int): Duration, in seconds, from the first byte of a client request being processed up to the first byte sent as response to the client.
- host (str): Address listed in the host header of the request. If rewritten using header rewrite, contains the updated host name.
- http_method (str): HTTP method used by the request.
- http_status (int): HTTP status code returned to the client from application gateway.
- http_version (str): HTTP version of the request.
- instance_identifier (str): Application gateway instance that served the request.
- original_host (str): Original request host name.
- original_request_uri (str): Original request URL, including arguments.
- received_bytes (int): Size of packet received, in bytes.
- recorded_time (dfdatetime.DateTimeValues): date and time the log entry was recorded.
- request_query (str): Server-Routed: back-end pool instance that was sent the request. X-AzureApplicationGateway-LOG-ID: correlation ID used for the request; it can be used to troubleshoot traffic issues on the back-end servers. SERVER-STATUS: HTTP response code that application gateway received from the back-end.
- request_uri (str): URI of the received request.
- sent_bytes (int): Size of packet sent, in bytes.
- server_response_latency (str): Latency of the response (in seconds) from the back-end server.
- server_routed (str): The back-end server that application gateway routes the request to.
- server_status (str): HTTP status code of the back-end server.
- ssl_cipher (str): Cipher suite being used for TLS communication.
- ssl_client_certificate_fingerprint (str): Fingerprint of the SSL client certificate.
- ssl_client_certificate_issuer_name (str): Name of the issuer of the SSL client certificate.
- ssl_client_verify (str): TODO.
- ssl_enabled (str): Whether communication to the back-end pools used TLS. Valid values are on and off.
- ssl_protocol (str): The SSL/TLS protocol used.
- time_taken (double): Duration, in seconds, from the first byte of a client request being processed to its last byte sent in the response to the client. Note that the Time-Taken field usually includes the time that the request and response packets spend traveling over the network.
- transaction_id (str): Unique identifier to correlate the request received from the client.
- user_agent (str): User agent from the HTTP request header.
- waf_evaluation_time (str): Duration, in seconds, that it takes for the request to be processed by the WAF.
- waf_mode (str): Value can be either Detection or Prevention.
- DATA_TYPE = 'azure:application_gateway_access:entry'
- class plaso.parsers.jsonl_plugins.azure_application_gateway_log.AzureApplicationGatewayAccessLogJSONLPlugin
Bases: JSONLPlugin
JSON-L parser plugin for Azure application gateway access log files.
- CheckRequiredFormat(json_dict)
Check if the log record has the minimal structure required by the plugin.
  - Parameters: json_dict (dict) – JSON dictionary of the log record.
  - Returns (bool): True if this is the correct parser, False otherwise.
- DATA_FORMAT = 'Azure Application Gateway access log'
- NAME = 'azure_application_gateway_access_log'
plaso.parsers.jsonl_plugins.docker_container_config module
JSON-L parser plugin for Docker container configuration files.
- class plaso.parsers.jsonl_plugins.docker_container_config.DockerContainerConfigurationEventData(*args: Any, **kwargs: Any)
Bases: EventData
Docker container configuration event data.
- action (str): whether the container was created, started, or finished.
- container_identifier (str): identifier of the container (SHA256).
- container_name (str): name of the container.
- creation_time (dfdatetime.DateTimeValues): date and time the container was created (added).
- end_time (dfdatetime.DateTimeValues): date and time the container was stopped.
- start_time (dfdatetime.DateTimeValues): date and time the container was started.
- DATA_TYPE = 'docker:container:configuration'
- class plaso.parsers.jsonl_plugins.docker_container_config.DockerContainerConfigurationJSONLPlugin
Bases: JSONLPlugin
JSON-L parser plugin for Docker container configuration files.
This parser handles the per-container Docker configuration files stored in: DOCKER_DIR/containers/<container_identifier>/config.json
- CheckRequiredFormat(json_dict)
Check if the record has the minimal structure required by the plugin.
  - Parameters: json_dict (dict) – JSON dictionary of the configuration record.
  - Returns (bool): True if this is the correct parser, False otherwise.
- DATA_FORMAT = 'Docker container configuration file'
- NAME = 'docker_container_config'
plaso.parsers.jsonl_plugins.docker_container_log module
JSON-L parser plugin for Docker container log files.
- class plaso.parsers.jsonl_plugins.docker_container_log.DockerContainerLogEventData(*args: Any, **kwargs: Any)
Bases: EventData
Docker container log event data.
- container_identifier (str): identifier of the container (SHA256).
- log_line (str): log line.
- log_source (str): log source.
- written_time (dfdatetime.DateTimeValues): date and time the entry was written.
- DATA_TYPE = 'docker:container:log:entry'
- class plaso.parsers.jsonl_plugins.docker_container_log.DockerContainerLogJSONLPlugin
Bases: JSONLPlugin
JSON-L parser plugin for Docker container log files.
This parser handles the per-container Docker log files stored in: DOCKER_DIR/containers/<container_identifier>/<container_identifier>-json.log
- CheckRequiredFormat(json_dict)
Check if the log record has the minimal structure required by the plugin.
  - Parameters: json_dict (dict) – JSON dictionary of the log record.
  - Returns (bool): True if this is the correct parser, False otherwise.
- DATA_FORMAT = 'Docker container log file'
- NAME = 'docker_container_log'
plaso.parsers.jsonl_plugins.docker_layer_config module
JSON-L parser plugin for Docker layer configuration files.
- class plaso.parsers.jsonl_plugins.docker_layer_config.DockerLayerConfigurationEventData(*args: Any, **kwargs: Any)
Bases: EventData
Docker layer configuration event data.
- command: the command that made Docker create a new layer.
- creation_time (dfdatetime.DateTimeValues): date and time the layer was created (added).
- layer_identifier: the identifier of the current Docker layer (SHA-1).
- DATA_TYPE = 'docker:layer:configuration'
- class plaso.parsers.jsonl_plugins.docker_layer_config.DockerLayerConfigurationJSONLPlugin
Bases: JSONLPlugin
JSON-L parser plugin for Docker layer configuration files.
This parser handles the per-layer Docker configuration files stored in: DOCKER_DIR/graph/<layer_identifier>/json
- CheckRequiredFormat(json_dict)
Check if the record has the minimal structure required by the plugin.
  - Parameters: json_dict (dict) – JSON dictionary of the configuration record.
  - Returns (bool): True if this is the correct parser, False otherwise.
- DATA_FORMAT = 'Docker layer configuration file'
- NAME = 'docker_layer_config'
plaso.parsers.jsonl_plugins.gcp_log module
JSON-L parser plugin for Google Cloud (GCP) log files.
- class plaso.parsers.jsonl_plugins.gcp_log.GCPLogEventData(*args: Any, **kwargs: Any)
Bases: EventData
Google Cloud (GCP) log event data.
- container (str): TODO
- event_subtype (str): JSON event sub type or protocol buffer method.
- event_type (str): TODO
- filename (str): TODO
- firewall_rules (list[str]): firewall rules.
- firewall_source_ranges (list[str]): firewall source ranges.
- log_name (str): name of the log entry.
- message (str): TODO
- policy_deltas (list[str]): TODO
- recorded_time (dfdatetime.DateTimeValues): date and time the log entry was recorded.
- request_account_identifier (str): GCP account identifier of the request.
- request_description (str): description of the request.
- request_direction (str): direction of the request.
- request_email (str): email address of the request.
- request_member (str): member of the request.
- request_metadata (list[str]): request metadata values.
- request_name (str): name of the request.
- request_target_tags (str): TODO
- resource_labels (list[str]): resource labels.
- resource_name (str): name of the resource.
- service_account_display_name (str): display name of the service account.
- service_name (str): name of the service.
- severity (str): log entry severity.
- text_payload (str): text payload for logs not using a JSON or proto payload.
- user (str): user principal performing the logged action.
- DATA_TYPE = 'gcp:log:entry'
- class plaso.parsers.jsonl_plugins.gcp_log.GCPLogJSONLPlugin
Bases: JSONLPlugin
JSON-L parser plugin for Google Cloud (GCP) log files.
- CheckRequiredFormat(json_dict)
Check if the log record has the minimal structure required by the plugin.
  - Parameters: json_dict (dict) – JSON dictionary of the log record.
  - Returns (bool): True if this is the correct parser, False otherwise.
- DATA_FORMAT = 'Google Cloud (GCP) log'
- NAME = 'gcp_log'
plaso.parsers.jsonl_plugins.interface module
Interface for JSON-L parser plugins.
- class plaso.parsers.jsonl_plugins.interface.JSONLPlugin
Bases: BasePlugin
Abstract base class from which JSON-L parser plugins derive.
The following are the attributes and methods a JSON-L parser plugin is expected to override.
- abstract CheckRequiredFormat(json_dict)
Check if the log record has the minimal structure required by the plugin.
  - Parameters: json_dict (dict) – JSON dictionary of the log record.
  - Returns (bool): True if this is the correct parser, False otherwise.
- NAME = 'jsonl_plugin'
- Process(parser_mediator, file_object=None, **kwargs)
Extracts events from a JSON-L log file.
  - Parameters:
    - parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
    - file_object (Optional[dfvfs.FileIO]) – a file-like object.
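A stand-in for the contract described above, written as an added example and not plaso's own code: each candidate plugin's CheckRequiredFormat is tried against the first record, and the accepting plugin's Process then walks the JSON-L file, skipping blank, truncated and non-matching lines rather than aborting on them. The stub class names, the ExtractEvents helper and the required key names are assumptions made for this example; plaso's real plugins check different structure.

```python
import io
import json


class JSONLPluginStub:
  """Stand-in base class: subclasses list the keys a record must carry."""
  NAME = 'jsonl_plugin'
  REQUIRED_KEYS = frozenset()

  def CheckRequiredFormat(self, json_dict):
    """Returns True if the record has the minimal structure this plugin needs."""
    return isinstance(json_dict, dict) and self.REQUIRED_KEYS.issubset(json_dict)

  def Process(self, file_object):
    """Yields accepted records; blank, corrupt and mismatched lines are skipped."""
    for line in file_object:
      line = line.strip()
      if not line:
        continue
      try:
        json_dict = json.loads(line)
      except ValueError:
        continue  # truncated or corrupt line: skip it, keep the rest of the file
      if self.CheckRequiredFormat(json_dict):
        yield json_dict


class CloudTrailStub(JSONLPluginStub):
  NAME = 'aws_cloudtrail_log'
  REQUIRED_KEYS = frozenset({'eventTime', 'eventName', 'eventSource'})  # assumed keys


class AzureActivityStub(JSONLPluginStub):
  NAME = 'azure_activity_log'
  REQUIRED_KEYS = frozenset({'time', 'operationName', 'caller'})  # assumed keys


def ExtractEvents(jsonl_text, plugins):
  """Picks the plugin whose check accepts the first record, then runs it over the file."""
  try:
    first_record = json.loads(jsonl_text.lstrip().split('\n', 1)[0])
  except ValueError:
    return None, []
  for plugin in plugins:
    if plugin.CheckRequiredFormat(first_record):
      return plugin.NAME, list(plugin.Process(io.StringIO(jsonl_text)))
  return None, []


# Constructed sample: two CloudTrail-shaped records, one truncated line, one record missing a key.
SAMPLE_JSONL = '\n'.join([
    '{"eventTime": "2024-01-01T00:00:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"}',
    '{"eventTime": "2024-01-01T00:05:00Z", "eventName": "CreateUser", "eventSour',
    '{"eventTime": "2024-01-01T00:06:00Z", "eventName": "DeleteUser"}',
    '{"eventTime": "2024-01-01T00:07:00Z", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com"}',
])
```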
plaso.parsers.jsonl_plugins.ios_app_privacy module
JSON-L parser plugin for iOS application privacy report files.
- class plaso.parsers.jsonl_plugins.ios_app_privacy.IOSAppPrivacPlugin
Bases: JSONLPlugin
JSON-L parser plugin for iOS application privacy report files.
- CheckRequiredFormat(json_dict)
Check if the log record has the minimal structure required by the plugin.
  - Parameters: json_dict (dict) – JSON dictionary of the log record.
  - Returns (bool): True if this is the correct parser, False otherwise.
- DATA_FORMAT = 'iOS Application Privacy report'
- NAME = 'ios_application_privacy'
- class plaso.parsers.jsonl_plugins.ios_app_privacy.IOSAppPrivacyAccessEvent(*args: Any, **kwargs: Any)
Bases: EventData
iOS application privacy report event of type access.
- accessor_identifier (str): identifier of the process accessing the resource.
- accessor_identifier_type (str): type of identifier.
- recorded_time (dfdatetime.DateTimeValues): date and time the log entry was recorded.
- resource_category (str): category of the accessed resource.
- resource_identifier (str): GUID of the resource being accessed.
- DATA_TYPE = 'ios:app_privacy:access'
- class plaso.parsers.jsonl_plugins.ios_app_privacy.IOSAppPrivacyNetworkEvent(*args: Any, **kwargs: Any)
Bases: EventData
iOS application privacy report event of type network activity.
- bundle_identifier (str): bundle identifier that accessed the resource.
- domain (str): domain name accessed.
- recorded_time (dfdatetime.DateTimeValues): date and time the log entry was recorded.
- DATA_TYPE = 'ios:app_privacy:network'
plaso.parsers.jsonl_plugins.microsoft365_audit_log module
JSON-L parser plugin for Microsoft (Office) 365 audit log files.
- class plaso.parsers.jsonl_plugins.microsoft365_audit_log.Microsoft365AuditLogEventData(*args: Any, **kwargs: Any)
Bases: EventData
Microsoft (Office) 365 audit log event data.
- audit_record_identifier (str): audit record identifier.
- application_access_context (str): application access context.
- client_ip (str): client IP address.
- object_identifier (str): object identifier.
- operation_name (str): operation name.
- organization_identifier (str): organization identifier.
- record_type (int): record type.
- recorded_time (dfdatetime.DateTimeValues): date and time the log entry was recorded.
- result_status (str): result status.
- scope (str): scope.
- user_identifier (str): user identifier.
- user_key (str): user key.
- user_type (int): user type.
- workload (str): Microsoft (Office) 365 service.
- DATA_TYPE = 'microsoft365:audit_log:entry'
- class plaso.parsers.jsonl_plugins.microsoft365_audit_log.Microsoft365AuditLogJSONLPlugin
Bases: JSONLPlugin
JSON-L parser plugin for Microsoft (Office) 365 audit log files.
- CheckRequiredFormat(json_dict)
Check if the log record has the minimal structure required by the plugin.
  - Parameters: json_dict (dict) – JSON dictionary of the log record.
  - Returns (bool): True if this is the correct parser, False otherwise.
- DATA_FORMAT = 'Microsoft (Office) 365 audit log'
- NAME = 'microsoft_audit_log'
Module contents
Imports for the JSON-L parser plugins.