@grc-claw/ingest 2.0.0

package/dist/cloud-severity.d.ts

@@ -0,0 +1,5 @@
+import type { Severity } from '@grc-claw/core';
+export declare function labelToSeverity(label: string | undefined): Severity;
+/** GuardDuty 0.1–8.0 */
+export declare function guardDutyScore(score: number): Severity;
+//# sourceMappingURL=cloud-severity.d.ts.map

package/dist/cloud-severity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-severity.d.ts","sourceRoot":"","sources":["../src/cloud-severity.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAE/C,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,CAMnE;AAED,wBAAwB;AACxB,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAKtD"}

package/dist/cloud-severity.js

@@ -0,0 +1,21 @@
+export function labelToSeverity(label) {
+    const v = (label ?? 'low').toUpperCase();
+    if (v.includes('CRIT'))
+        return 'critical';
+    if (v === 'HIGH' || v === '4')
+        return 'high';
+    if (v === 'MEDIUM' || v === '3')
+        return 'medium';
+    return 'low';
+}
+/** GuardDuty 0.1–8.0 */
+export function guardDutyScore(score) {
+    if (score >= 7)
+        return 'critical';
+    if (score >= 4)
+        return 'high';
+    if (score >= 2)
+        return 'medium';
+    return 'low';
+}
+//# sourceMappingURL=cloud-severity.js.map

package/dist/cloud-severity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-severity.js","sourceRoot":"","sources":["../src/cloud-severity.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,eAAe,CAAC,KAAyB;IACvD,MAAM,CAAC,GAAG,CAAC,KAAK,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IACzC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,UAAU,CAAC;IAC1C,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,MAAM,CAAC;IAC7C,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,QAAQ,CAAC;IACjD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,wBAAwB;AACxB,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,UAAU,CAAC;IAClC,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC;IAC9B,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC;IAChC,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+export * from './severity.js';
+export * from './cloud-severity.js';
+export * from './uuid.js';
+export { normalizeWazuh, type WazuhAlert } from './normalizers/wazuh.js';
+export { normalizeSuricata, type SuricataEveAlert } from './normalizers/suricata.js';
+export { normalizeSnort, type SnortAlertJson } from './normalizers/snort.js';
+export { normalizeElastic, type ElasticAlertDoc } from './normalizers/elastic.js';
+export { normalizeUfwLine } from './normalizers/ufw.js';
+export { normalizeCloud, normalizeAwsGuardDuty, normalizeAzureSentinel, normalizeGcpChronicle, CLOUD_INGEST_SOURCES, type CloudIngestSource, } from './normalizers/cloud.js';
+import type { SecurityEventCanonical } from '@grc-claw/core';
+import { type CloudIngestSource } from './normalizers/cloud.js';
+export type OssIngestSource = 'wazuh' | 'suricata' | 'snort' | 'elastic' | 'ufw';
+export type IngestSource = OssIngestSource | CloudIngestSource;
+export declare function isCloudSource(source: string): source is CloudIngestSource;
+export declare function normalizeBySource(source: IngestSource, payload: unknown, tenantId: number): SecurityEventCanonical | null;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC;AACpC,cAAc,WAAW,CAAC;AAC1B,OAAO,EAAE,cAAc,EAAE,KAAK,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,iBAAiB,EAAE,KAAK,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AACrF,OAAO,EAAE,cAAc,EAAE,KAAK,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC7E,OAAO,EAAE,gBAAgB,EAAE,KAAK,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAClF,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EACL,cAAc,EACd,qBAAqB,EACrB,sBAAsB,EACtB,qBAAqB,EACrB,oBAAoB,EACpB,KAAK,iBAAiB,GACvB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAC7D,OAAO,EAGL,KAAK,iBAAiB,EACvB,MAAM,wBAAwB,CAAC;AAOhC,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,KAAK,CAAC;AACjF,MAAM,MAAM,YAAY,GAAG,eAAe,GAAG,iBAAiB,CAAC;AAE/D,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,IAAI,iBAAiB,CAEzE;AAED,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,YAAY,EACpB,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,MAAM,GACf,sBAAsB,GAAG,IAAI,CAkB/B"}

package/dist/index.js

@@ -0,0 +1,38 @@
+export * from './severity.js';
+export * from './cloud-severity.js';
+export * from './uuid.js';
+export { normalizeWazuh } from './normalizers/wazuh.js';
+export { normalizeSuricata } from './normalizers/suricata.js';
+export { normalizeSnort } from './normalizers/snort.js';
+export { normalizeElastic } from './normalizers/elastic.js';
+export { normalizeUfwLine } from './normalizers/ufw.js';
+export { normalizeCloud, normalizeAwsGuardDuty, normalizeAzureSentinel, normalizeGcpChronicle, CLOUD_INGEST_SOURCES, } from './normalizers/cloud.js';
+import { CLOUD_INGEST_SOURCES, normalizeCloud, } from './normalizers/cloud.js';
+import { normalizeElastic } from './normalizers/elastic.js';
+import { normalizeSnort } from './normalizers/snort.js';
+import { normalizeSuricata } from './normalizers/suricata.js';
+import { normalizeUfwLine } from './normalizers/ufw.js';
+import { normalizeWazuh } from './normalizers/wazuh.js';
+export function isCloudSource(source) {
+    return CLOUD_INGEST_SOURCES.includes(source);
+}
+export function normalizeBySource(source, payload, tenantId) {
+    if (isCloudSource(source)) {
+        return normalizeCloud(source, payload, tenantId);
+    }
+    switch (source) {
+        case 'wazuh':
+            return normalizeWazuh(payload, tenantId);
+        case 'suricata':
+            return normalizeSuricata(payload, tenantId);
+        case 'snort':
+            return normalizeSnort(payload, tenantId);
+        case 'elastic':
+            return normalizeElastic(payload, tenantId);
+        case 'ufw':
+            return typeof payload === 'string' ? normalizeUfwLine(payload, tenantId) : null;
+        default:
+            return null;
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC;AACpC,cAAc,WAAW,CAAC;AAC1B,OAAO,EAAE,cAAc,EAAmB,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,iBAAiB,EAAyB,MAAM,2BAA2B,CAAC;AACrF,OAAO,EAAE,cAAc,EAAuB,MAAM,wBAAwB,CAAC;AAC7E,OAAO,EAAE,gBAAgB,EAAwB,MAAM,0BAA0B,CAAC;AAClF,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EACL,cAAc,EACd,qBAAqB,EACrB,sBAAsB,EACtB,qBAAqB,EACrB,oBAAoB,GAErB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,oBAAoB,EACpB,cAAc,GAEf,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAKxD,MAAM,UAAU,aAAa,CAAC,MAAc;IAC1C,OAAQ,oBAA0C,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,MAAoB,EACpB,OAAgB,EAChB,QAAgB;IAEhB,IAAI,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,OAAO,cAAc,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;IACD,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,OAAO;YACV,OAAO,cAAc,CAAC,OAA+C,EAAE,QAAQ,CAAC,CAAC;QACnF,KAAK,UAAU;YACb,OAAO,iBAAiB,CAAC,OAAkD,EAAE,QAAQ,CAAC,CAAC;QACzF,KAAK,OAAO;YACV,OAAO,cAAc,CAAC,OAA+C,EAAE,QAAQ,CAAC,CAAC;QACnF,KAAK,SAAS;YACZ,OAAO,gBAAgB,CAAC,OAAiD,EAAE,QAAQ,CAAC,CAAC;QACvF,KAAK,KAAK;YACR,OAAO,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAClF;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC"}

package/dist/normalizers/cloud.d.ts

@@ -0,0 +1,15 @@
+import type { SecurityEventCanonical } from '@grc-claw/core';
+export declare function normalizeAwsGuardDuty(raw: Record<string, unknown>, tenantId: number): SecurityEventCanonical;
+export declare function normalizeAwsCloudWatch(raw: Record<string, unknown>, tenantId: number): SecurityEventCanonical;
+export declare function normalizeAwsSecurityHub(raw: Record<string, unknown>, tenantId: number): SecurityEventCanonical;
+export declare function normalizeAwsCloudTrail(raw: Record<string, unknown>, tenantId: number): SecurityEventCanonical;
+export declare function normalizeAzureSentinel(raw: Record<string, unknown>, tenantId: number): SecurityEventCanonical;
+export declare function normalizeAzureDefender(raw: Record<string, unknown>, tenantId: number): SecurityEventCanonical;
+export declare function normalizeAzureMonitor(raw: Record<string, unknown>, tenantId: number): SecurityEventCanonical;
+export declare function normalizeGcpChronicle(raw: Record<string, unknown>, tenantId: number): SecurityEventCanonical;
+export declare function normalizeGcpScc(raw: Record<string, unknown>, tenantId: number): SecurityEventCanonical;
+export declare function normalizeGcpCloudLogging(raw: Record<string, unknown>, tenantId: number): SecurityEventCanonical;
+export type CloudIngestSource = 'aws_cloudwatch' | 'aws_guardduty' | 'aws_securityhub' | 'aws_cloudtrail' | 'azure_sentinel' | 'azure_defender' | 'azure_monitor' | 'gcp_chronicle' | 'gcp_scc' | 'gcp_cloud_logging';
+export declare function normalizeCloud(source: CloudIngestSource, payload: unknown, tenantId: number): SecurityEventCanonical | null;
+export declare const CLOUD_INGEST_SOURCES: CloudIngestSource[];
+//# sourceMappingURL=cloud.d.ts.map

package/dist/normalizers/cloud.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud.d.ts","sourceRoot":"","sources":["../../src/normalizers/cloud.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AA8B7D,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAU5G;AAED,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAK7G;AAED,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAQ9G;AAED,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAM7G;AAED,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAO7G;AAED,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAK7G;AAED,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAM5G;AAED,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAW5G;AAED,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAKtG;AAED,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAK/G;AAED,MAAM,MAAM,iBAAiB,GACzB,gBAAgB,GAChB,eAAe,GACf,iBAAiB,GACjB,gBAAgB,GAChB,gBAAgB,GAChB,gBAAgB,GAChB,eAAe,GACf,eAAe,GACf,SAAS,GACT,mBAAmB,CAAC;AAExB,wBAAgB,cAAc,CAC5B,MAAM,EAAE,iBAAiB,EACzB,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,MAAM,GACf,sBAAsB,GAAG,IAAI,CA2B/B;AAED,eAAO,MAAM,oBAAoB,EAAE,iBAAiB,EAWnD,CAAC"}

package/dist/normalizers/cloud.js

@@ -0,0 +1,136 @@
+import { guardDutyScore, labelToSeverity } from '../cloud-severity.js';
+import { stableEventUuid } from '../uuid.js';
+function base(sourceSystem, eventType, severity, tenantId, message, uuidParts, extra = {}) {
+    const ts = String(extra['@timestamp'] ?? new Date().toISOString());
+    return {
+        eventUuid: stableEventUuid([sourceSystem, ...uuidParts]),
+        eventType,
+        severity,
+        sourceSystem,
+        tenantId,
+        eventData: {
+            '@timestamp': ts,
+            message,
+            rule: { category: 'cloud' },
+            raw: extra.raw,
+            ...extra,
+        },
+    };
+}
+export function normalizeAwsGuardDuty(raw, tenantId) {
+    const detail = raw.detail ?? raw;
+    const score = Number(detail.severity ?? 5);
+    const id = String(detail.id ?? detail.findingId ?? 'gd-unknown');
+    const type = String(detail.type ?? 'GuardDutyFinding');
+    return base('aws_guardduty', 'identity.compromise', guardDutyScore(score), tenantId, type, [
+        id,
+        type,
+        score,
+    ], { raw, '@timestamp': detail.updatedAt });
+}
+export function normalizeAwsCloudWatch(raw, tenantId) {
+    const alarm = raw.alarmName ?? raw.AlarmName ?? 'CloudWatch alarm';
+    const state = String(raw.newStateValue ?? raw.state ?? 'ALARM');
+    const sev = state === 'ALARM' ? 'high' : 'low';
+    return base('aws_cloudwatch', 'host.anomaly', sev, tenantId, alarm, [alarm, state], { raw });
+}
+export function normalizeAwsSecurityHub(raw, tenantId) {
+    const finding = raw.Finding ?? raw;
+    const sev = labelToSeverity(String(finding.Severity?.Label ?? finding.Severity ?? 'LOW'));
+    const id = String(finding.Id ?? finding.id ?? 'sh-unknown');
+    const title = String(finding.Title ?? finding.description ?? 'Security Hub finding');
+    return base('aws_securityhub', 'cloud.misconfig', sev, tenantId, title, [id], { raw: finding });
+}
+export function normalizeAwsCloudTrail(raw, tenantId) {
+    const eventName = String(raw.eventName ?? raw.EventName ?? 'CloudTrailEvent');
+    const user = String(raw.userIdentity?.arn ?? raw.userName ?? '');
+    const sev = /Delete|PutBucketPolicy|AttachUserPolicy|CreateAccessKey/i.test(eventName) ? 'high' : 'medium';
+    return base('aws_cloudtrail', 'cloud.api', sev, tenantId, eventName, [eventName, user], { raw });
+}
+export function normalizeAzureSentinel(raw, tenantId) {
+    const props = raw.properties ?? raw;
+    const sev = labelToSeverity(String(props.severity ?? props.Severity ?? 'Low'));
+    const title = String(props.title ?? props.displayName ?? 'Sentinel incident');
+    const id = String(raw.id ?? props.incidentNumber ?? 'sentinel-unknown');
+    const eventType = /sign-?in|auth/i.test(title) ? 'auth.failure' : 'network.intrusion';
+    return base('azure_sentinel', eventType, sev, tenantId, title, [id], { raw: props });
+}
+export function normalizeAzureDefender(raw, tenantId) {
+    const props = raw.properties ?? raw;
+    const sev = labelToSeverity(String(props.severity ?? 'Medium'));
+    const title = String(props.alertDisplayName ?? props.title ?? 'Defender alert');
+    return base('azure_defender', 'cloud.misconfig', sev, tenantId, title, [title], { raw: props });
+}
+export function normalizeAzureMonitor(raw, tenantId) {
+    const data = raw.data ?? raw;
+    const essentials = data.essentials ?? data;
+    const sev = labelToSeverity(String(essentials.severity ?? 'Sev3'));
+    const alert = String(essentials.alertRule ?? essentials.alertId ?? 'Azure Monitor alert');
+    return base('azure_monitor', 'host.anomaly', sev, tenantId, alert, [alert], { raw: data });
+}
+export function normalizeGcpChronicle(raw, tenantId) {
+    const results = raw.security_result ?? [];
+    const first = results[0] ?? {};
+    const sev = labelToSeverity(String(first.severity ?? 'LOW'));
+    const summary = String(first.summary ?? first.description ?? 'Chronicle alert');
+    const principal = raw.principal;
+    const src = Array.isArray(principal?.ip) ? principal.ip[0] : principal?.ip;
+    return base('gcp_chronicle', 'network.intrusion', sev, tenantId, summary, [summary, src], {
+        raw,
+        source: src ? { ip: String(src) } : undefined,
+    });
+}
+export function normalizeGcpScc(raw, tenantId) {
+    const finding = raw.finding ?? raw;
+    const sev = labelToSeverity(String(finding.severity ?? 'SEVERITY_UNSPECIFIED'));
+    const category = String(finding.category ?? 'SCC finding');
+    return base('gcp_scc', 'cloud.misconfig', sev, tenantId, category, [category], { raw: finding });
+}
+export function normalizeGcpCloudLogging(raw, tenantId) {
+    const proto = raw.protoPayload ?? raw;
+    const method = String(proto.methodName ?? proto.method ?? 'logging.event');
+    const sev = /delete|setIamPolicy/i.test(method) ? 'high' : 'medium';
+    return base('gcp_cloud_logging', 'cloud.api', sev, tenantId, method, [method], { raw: proto });
+}
+export function normalizeCloud(source, payload, tenantId) {
+    if (!payload || typeof payload !== 'object')
+        return null;
+    const raw = payload;
+    switch (source) {
+        case 'aws_guardduty':
+            return normalizeAwsGuardDuty(raw, tenantId);
+        case 'aws_cloudwatch':
+            return normalizeAwsCloudWatch(raw, tenantId);
+        case 'aws_securityhub':
+            return normalizeAwsSecurityHub(raw, tenantId);
+        case 'aws_cloudtrail':
+            return normalizeAwsCloudTrail(raw, tenantId);
+        case 'azure_sentinel':
+            return normalizeAzureSentinel(raw, tenantId);
+        case 'azure_defender':
+            return normalizeAzureDefender(raw, tenantId);
+        case 'azure_monitor':
+            return normalizeAzureMonitor(raw, tenantId);
+        case 'gcp_chronicle':
+            return normalizeGcpChronicle(raw, tenantId);
+        case 'gcp_scc':
+            return normalizeGcpScc(raw, tenantId);
+        case 'gcp_cloud_logging':
+            return normalizeGcpCloudLogging(raw, tenantId);
+        default:
+            return null;
+    }
+}
+export const CLOUD_INGEST_SOURCES = [
+    'aws_cloudwatch',
+    'aws_guardduty',
+    'aws_securityhub',
+    'aws_cloudtrail',
+    'azure_sentinel',
+    'azure_defender',
+    'azure_monitor',
+    'gcp_chronicle',
+    'gcp_scc',
+    'gcp_cloud_logging',
+];
+//# sourceMappingURL=cloud.js.map

package/dist/normalizers/cloud.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud.js","sourceRoot":"","sources":["../../src/normalizers/cloud.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvE,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAE7C,SAAS,IAAI,CACX,YAAoD,EACpD,SAAiB,EACjB,QAA4C,EAC5C,QAAgB,EAChB,OAAe,EACf,SAA0C,EAC1C,QAAiC,EAAE;IAEnC,MAAM,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IACnE,OAAO;QACL,SAAS,EAAE,eAAe,CAAC,CAAC,YAAY,EAAE,GAAG,SAAS,CAAC,CAAC;QACxD,SAAS;QACT,QAAQ;QACR,YAAY;QACZ,QAAQ;QACR,SAAS,EAAE;YACT,YAAY,EAAE,EAAE;YAChB,OAAO;YACP,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE;YAC3B,GAAG,EAAE,KAAK,CAAC,GAA0C;YACrD,GAAG,KAAK;SACT;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,GAA4B,EAAE,QAAgB;IAClF,MAAM,MAAM,GAAI,GAAG,CAAC,MAAkC,IAAI,GAAG,CAAC;IAC9D,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC;IAC3C,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,MAAM,CAAC,SAAS,IAAI,YAAY,CAAC,CAAC;IACjE,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,IAAI,kBAAkB,CAAC,CAAC;IACvD,OAAO,IAAI,CAAC,eAAe,EAAE,qBAAqB,EAAE,cAAc,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE;QACzF,EAAE;QACF,IAAI;QACJ,KAAK;KACN,EAAE,EAAE,GAAG,EAAE,YAAY,EAAE,MAAM,CAAC,SAAmB,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,GAA4B,EAAE,QAAgB;IACnF,MAAM,KAAK,GAAI,GAAG,CAAC,SAAoB,IAAK,GAAG,CAAC,SAAoB,IAAI,kBAAkB,CAAC;IAC3F,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,aAAa,IAAI,GAAG,CAAC,KAAK,IAAI,OAAO,CAAC,CAAC;IAChE,MAAM,GAAG,GAAG,KAAK,KAAK,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;IAC/C,OAAO,IAAI,CAAC,gBAAgB,EAAE,cAAc,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;AAC/F,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,GAA4B,EAAE,QAAgB;IACpF,MAAM,OAAO,GAAI,GAAG,CAAC,OAAmC,IAAI,GAAG,CAAC;IAChE,MAAM,GAAG,GAAG,eAAe,CACzB,MAAM,CAAE,OAAO,CAAC,QAAoC,EAAE,KAAK,IAAI,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAC,CAC1F,CAAC;IACF,MAAM,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,OAAO,CAAC,EAAE,IAAI,YAAY,CAAC,CAAC;IAC5D,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,WAAW,IAAI,sBAAsB,CAAC,CAAC;IACrF,OAAO,IAAI,CAAC,iBAAiB,EAAE,iBAAiB,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;AAClG,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,GAA4B,EAAE,QAAgB;IACnF,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,SAAS,IAAI,GAAG,CAAC,SAAS,IAAI,iBAAiB,CAAC,CAAC;IAC9E,MAAM,IAAI,GAAG,MAAM,CAAE,GAAG,CAAC,YAAwC,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;IAC9F,MAAM,GAAG,GACP,0DAA0D,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC;IACjG,OAAO,IAAI,CAAC,gBAAgB,EAAE,WAAW,EAAE,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;AACnG,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,GAA4B,EAAE,QAAgB;IACnF,MAAM,KAAK,GAAI,GAAG,CAAC,UAAsC,IAAI,GAAG,CAAC;IACjE,MAAM,GAAG,GAAG,eAAe,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC;IAC/E,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,WAAW,IAAI,mBAAmB,CAAC,CAAC;IAC9E,MAAM,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,IAAI,KAAK,CAAC,cAAc,IAAI,kBAAkB,CAAC,CAAC;IACxE,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,mBAAmB,CAAC;IACtF,OAAO,IAAI,CAAC,gBAAgB,EAAE,SAAS,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;AACvF,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,GAA4B,EAAE,QAAgB;IACnF,MAAM,KAAK,GAAI,GAAG,CAAC,UAAsC,IAAI,GAAG,CAAC;IACjE,MAAM,GAAG,GAAG,eAAe,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,IAAI,QAAQ,CAAC,CAAC,CAAC;IAChE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,gBAAgB,IAAI,KAAK,CAAC,KAAK,IAAI,gBAAgB,CAAC,CAAC;IAChF,OAAO,IAAI,CAAC,gBAAgB,EAAE,iBAAiB,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;AAClG,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,GAA4B,EAAE,QAAgB;IAClF,MAAM,IAAI,GAAI,GAAG,CAAC,IAAgC,IAAI,GAAG,CAAC;IAC1D,MAAM,UAAU,GAAI,IAAI,CAAC,UAAsC,IAAI,IAAI,CAAC;IACxE,MAAM,GAAG,GAAG,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,IAAI,MAAM,CAAC,CAAC,CAAC;IACnE,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,SAAS,IAAI,UAAU,CAAC,OAAO,IAAI,qBAAqB,CAAC,CAAC;IAC1F,OAAO,IAAI,CAAC,eAAe,EAAE,cAAc,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;AAC7F,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,GAA4B,EAAE,QAAgB;IAClF,MAAM,OAAO,GAAI,GAAG,CAAC,eAA6C,IAAI,EAAE,CAAC;IACzE,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC/B,MAAM,GAAG,GAAG,eAAe,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC;IAC7D,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,WAAW,IAAI,iBAAiB,CAAC,CAAC;IAChF,MAAM,SAAS,GAAG,GAAG,CAAC,SAAgD,CAAC;IACvE,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC;IAC3E,OAAO,IAAI,CAAC,eAAe,EAAE,mBAAmB,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;QACxF,GAAG;QACH,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS;KAC9C,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,GAA4B,EAAE,QAAgB;IAC5E,MAAM,OAAO,GAAI,GAAG,CAAC,OAAmC,IAAI,GAAG,CAAC;IAChE,MAAM,GAAG,GAAG,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,IAAI,sBAAsB,CAAC,CAAC,CAAC;IAChF,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,IAAI,aAAa,CAAC,CAAC;IAC3D,OAAO,IAAI,CAAC,SAAS,EAAE,iBAAiB,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;AACnG,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,GAA4B,EAAE,QAAgB;IACrF,MAAM,KAAK,GAAI,GAAG,CAAC,YAAwC,IAAI,GAAG,CAAC;IACnE,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,MAAM,IAAI,eAAe,CAAC,CAAC;IAC3E,MAAM,GAAG,GAAG,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC;IACpE,OAAO,IAAI,CAAC,mBAAmB,EAAE,WAAW,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;AACjG,CAAC;AAcD,MAAM,UAAU,cAAc,CAC5B,MAAyB,EACzB,OAAgB,EAChB,QAAgB;IAEhB,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACzD,MAAM,GAAG,GAAG,OAAkC,CAAC;IAC/C,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,eAAe;YAClB,OAAO,qBAAqB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC9C,KAAK,gBAAgB;YACnB,OAAO,sBAAsB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC/C,KAAK,iBAAiB;YACpB,OAAO,uBAAuB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAChD,KAAK,gBAAgB;YACnB,OAAO,sBAAsB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC/C,KAAK,gBAAgB;YACnB,OAAO,sBAAsB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC/C,KAAK,gBAAgB;YACnB,OAAO,sBAAsB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC/C,KAAK,eAAe;YAClB,OAAO,qBAAqB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC9C,KAAK,eAAe;YAClB,OAAO,qBAAqB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC9C,KAAK,SAAS;YACZ,OAAO,eAAe,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACxC,KAAK,mBAAmB;YACtB,OAAO,wBAAwB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACjD;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,oBAAoB,GAAwB;IACvD,gBAAgB;IAChB,eAAe;IACf,iBAAiB;IACjB,gBAAgB;IAChB,gBAAgB;IAChB,gBAAgB;IAChB,eAAe;IACf,eAAe;IACf,SAAS;IACT,mBAAmB;CACpB,CAAC"}

package/dist/normalizers/elastic.d.ts

@@ -0,0 +1,12 @@
+import type { SecurityEventCanonical } from '@grc-claw/core';
+export interface ElasticAlertDoc {
+    '@timestamp'?: string;
+    'kibana.alert.rule.name'?: string;
+    'kibana.alert.severity'?: string;
+    'kibana.alert.uuid'?: string;
+    'source.ip'?: string;
+    'destination.ip'?: string;
+    'event.category'?: string[];
+}
+export declare function normalizeElastic(raw: ElasticAlertDoc, tenantId: number): SecurityEventCanonical;
+//# sourceMappingURL=elastic.d.ts.map

package/dist/normalizers/elastic.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"elastic.d.ts","sourceRoot":"","sources":["../../src/normalizers/elastic.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAY,MAAM,gBAAgB,CAAC;AAGvE,MAAM,WAAW,eAAe;IAC9B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B;AAUD,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CA2B/F"}

package/dist/normalizers/elastic.js

@@ -0,0 +1,39 @@
+import { stableEventUuid } from '../uuid.js';
+function elasticSeverity(s) {
+    const v = (s ?? 'low').toLowerCase();
+    if (v === 'critical')
+        return 'critical';
+    if (v === 'high')
+        return 'high';
+    if (v === 'medium')
+        return 'medium';
+    return 'low';
+}
+export function normalizeElastic(raw, tenantId) {
+    const ts = raw['@timestamp'] ?? new Date().toISOString();
+    const ruleName = raw['kibana.alert.rule.name'] ?? 'Elastic alert';
+    const src = raw['source.ip'];
+    const dst = raw['destination.ip'];
+    const categories = raw['event.category'] ?? [];
+    const eventType = categories.includes('intrusion_detection')
+        ? 'network.intrusion'
+        : categories.includes('authentication')
+            ? 'auth.failure'
+            : 'host.anomaly';
+    return {
+        eventUuid: stableEventUuid(['elastic', ruleName, src, dst, ts, raw['kibana.alert.uuid']]),
+        eventType,
+        severity: elasticSeverity(raw['kibana.alert.severity']),
+        sourceSystem: 'elastic',
+        tenantId,
+        eventData: {
+            '@timestamp': ts,
+            message: ruleName,
+            source: src ? { ip: src } : undefined,
+            destination: dst ? { ip: dst } : undefined,
+            rule: { id: raw['kibana.alert.uuid'], name: ruleName, category: 'elastic' },
+            raw: raw,
+        },
+    };
+}
+//# sourceMappingURL=elastic.js.map

package/dist/normalizers/elastic.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"elastic.js","sourceRoot":"","sources":["../../src/normalizers/elastic.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAY7C,SAAS,eAAe,CAAC,CAAU;IACjC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,CAAC,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IACxC,IAAI,CAAC,KAAK,MAAM;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,CAAC,KAAK,QAAQ;QAAE,OAAO,QAAQ,CAAC;IACpC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAoB,EAAE,QAAgB;IACrE,MAAM,EAAE,GAAG,GAAG,CAAC,YAAY,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACzD,MAAM,QAAQ,GAAG,GAAG,CAAC,wBAAwB,CAAC,IAAI,eAAe,CAAC;IAClE,MAAM,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC;IAC7B,MAAM,GAAG,GAAG,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAClC,MAAM,UAAU,GAAG,GAAG,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;IAC/C,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QAC1D,CAAC,CAAC,mBAAmB;QACrB,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACrC,CAAC,CAAC,cAAc;YAChB,CAAC,CAAC,cAAc,CAAC;IAErB,OAAO;QACL,SAAS,EAAE,eAAe,CAAC,CAAC,SAAS,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC;QACzF,SAAS;QACT,QAAQ,EAAE,eAAe,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QACvD,YAAY,EAAE,SAAS;QACvB,QAAQ;QACR,SAAS,EAAE;YACT,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE,QAAQ;YACjB,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,SAAS;YACrC,WAAW,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,SAAS;YAC1C,IAAI,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,mBAAmB,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE;YAC3E,GAAG,EAAE,GAA8B;SACpC;KACF,CAAC;AACJ,CAAC"}

package/dist/normalizers/snort.d.ts

@@ -0,0 +1,16 @@
+import type { SecurityEventCanonical } from '@grc-claw/core';
+export interface SnortAlertJson {
+    timestamp?: string;
+    msg?: string;
+    gid?: number;
+    sid?: number;
+    rev?: number;
+    priority?: number;
+    proto?: string;
+    src_addr?: string;
+    src_port?: number;
+    dst_addr?: string;
+    dst_port?: number;
+}
+export declare function normalizeSnort(raw: SnortAlertJson, tenantId: number): SecurityEventCanonical;
+//# sourceMappingURL=snort.d.ts.map

package/dist/normalizers/snort.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"snort.d.ts","sourceRoot":"","sources":["../../src/normalizers/snort.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAI7D,MAAM,WAAW,cAAc;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAoB5F"}

package/dist/normalizers/snort.js

@@ -0,0 +1,23 @@
+import { snortPriorityToSeverity } from '../severity.js';
+import { stableEventUuid } from '../uuid.js';
+export function normalizeSnort(raw, tenantId) {
+    const ruleId = `${raw.gid ?? 1}:${raw.sid ?? 0}:${raw.rev ?? 0}`;
+    const priority = raw.priority ?? 3;
+    const ts = raw.timestamp ?? new Date().toISOString();
+    return {
+        eventUuid: stableEventUuid(['snort', ruleId, raw.src_addr, raw.dst_addr, ts]),
+        eventType: 'network.intrusion',
+        severity: snortPriorityToSeverity(priority),
+        sourceSystem: 'snort',
+        tenantId,
+        eventData: {
+            '@timestamp': ts,
+            message: raw.msg ?? 'Snort alert',
+            source: raw.src_addr ? { ip: raw.src_addr, port: raw.src_port ?? 0 } : undefined,
+            destination: raw.dst_addr ? { ip: raw.dst_addr, port: raw.dst_port ?? 0 } : undefined,
+            rule: { id: ruleId, name: raw.msg, category: 'snort' },
+            raw: raw,
+        },
+    };
+}
+//# sourceMappingURL=snort.js.map

package/dist/normalizers/snort.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"snort.js","sourceRoot":"","sources":["../../src/normalizers/snort.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AACzD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAgB7C,MAAM,UAAU,cAAc,CAAC,GAAmB,EAAE,QAAgB;IAClE,MAAM,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC;IACjE,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,IAAI,CAAC,CAAC;IACnC,MAAM,EAAE,GAAG,GAAG,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErD,OAAO;QACL,SAAS,EAAE,eAAe,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC7E,SAAS,EAAE,mBAAmB;QAC9B,QAAQ,EAAE,uBAAuB,CAAC,QAAQ,CAAC;QAC3C,YAAY,EAAE,OAAO;QACrB,QAAQ;QACR,SAAS,EAAE;YACT,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE,GAAG,CAAC,GAAG,IAAI,aAAa;YACjC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,GAAG,CAAC,QAAQ,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS;YAChF,WAAW,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,GAAG,CAAC,QAAQ,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS;YACrF,IAAI,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE;YACtD,GAAG,EAAE,GAA8B;SACpC;KACF,CAAC;AACJ,CAAC"}

package/dist/normalizers/suricata.d.ts

@@ -0,0 +1,19 @@
+import type { SecurityEventCanonical } from '@grc-claw/core';
+export interface SuricataEveAlert {
+    timestamp?: string;
+    event_type?: string;
+    src_ip?: string;
+    src_port?: number;
+    dest_ip?: string;
+    dest_port?: number;
+    proto?: string;
+    alert?: {
+        signature_id?: number;
+        signature?: string;
+        severity?: number;
+        category?: string;
+    };
+    flow_id?: number;
+}
+export declare function normalizeSuricata(raw: SuricataEveAlert, tenantId: number): SecurityEventCanonical;
+//# sourceMappingURL=suricata.d.ts.map

package/dist/normalizers/suricata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"suricata.d.ts","sourceRoot":"","sources":["../../src/normalizers/suricata.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAI7D,MAAM,WAAW,gBAAgB;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE;QACN,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,CAAC;IACF,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAwBjG"}

package/dist/normalizers/suricata.js

@@ -0,0 +1,27 @@
+import { suricataSeverityToSeverity } from '../severity.js';
+import { stableEventUuid } from '../uuid.js';
+export function normalizeSuricata(raw, tenantId) {
+    const sev = raw.alert?.severity ?? 3;
+    const sigId = String(raw.alert?.signature_id ?? 0);
+    const ts = raw.timestamp ?? new Date().toISOString();
+    return {
+        eventUuid: stableEventUuid(['suricata', sigId, raw.src_ip, raw.dest_ip, ts, raw.flow_id]),
+        eventType: 'network.intrusion',
+        severity: suricataSeverityToSeverity(sev),
+        sourceSystem: 'suricata',
+        tenantId,
+        eventData: {
+            '@timestamp': ts,
+            message: raw.alert?.signature ?? 'Suricata alert',
+            source: raw.src_ip ? { ip: raw.src_ip, port: raw.src_port ?? 0 } : undefined,
+            destination: raw.dest_ip ? { ip: raw.dest_ip, port: raw.dest_port ?? 0 } : undefined,
+            rule: {
+                id: sigId,
+                name: raw.alert?.signature,
+                category: raw.alert?.category,
+            },
+            raw: raw,
+        },
+    };
+}
+//# sourceMappingURL=suricata.js.map

package/dist/normalizers/suricata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"suricata.js","sourceRoot":"","sources":["../../src/normalizers/suricata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,0BAA0B,EAAE,MAAM,gBAAgB,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAmB7C,MAAM,UAAU,iBAAiB,CAAC,GAAqB,EAAE,QAAgB;IACvE,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,EAAE,QAAQ,IAAI,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,YAAY,IAAI,CAAC,CAAC,CAAC;IACnD,MAAM,EAAE,GAAG,GAAG,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErD,OAAO;QACL,SAAS,EAAE,eAAe,CAAC,CAAC,UAAU,EAAE,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;QACzF,SAAS,EAAE,mBAAmB;QAC9B,QAAQ,EAAE,0BAA0B,CAAC,GAAG,CAAC;QACzC,YAAY,EAAE,UAAU;QACxB,QAAQ;QACR,SAAS,EAAE;YACT,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,SAAS,IAAI,gBAAgB;YACjD,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,QAAQ,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS;YAC5E,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,SAAS,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS;YACpF,IAAI,EAAE;gBACJ,EAAE,EAAE,KAAK;gBACT,IAAI,EAAE,GAAG,CAAC,KAAK,EAAE,SAAS;gBAC1B,QAAQ,EAAE,GAAG,CAAC,KAAK,EAAE,QAAQ;aAC9B;YACD,GAAG,EAAE,GAA8B;SACpC;KACF,CAAC;AACJ,CAAC"}

package/dist/normalizers/ufw.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityEventCanonical } from '@grc-claw/core';
+export declare function normalizeUfwLine(line: string, tenantId: number): SecurityEventCanonical | null;
+//# sourceMappingURL=ufw.d.ts.map

package/dist/normalizers/ufw.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ufw.d.ts","sourceRoot":"","sources":["../../src/normalizers/ufw.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAO7D,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,GAAG,IAAI,CAqB9F"}

package/dist/normalizers/ufw.js

@@ -0,0 +1,26 @@
+import { firewallActionToSeverity } from '../severity.js';
+import { stableEventUuid } from '../uuid.js';
+const UFW_RE = /\[UFW\s+(?<action>BLOCK|ALLOW|AUDIT)[^\]]*\].*SRC=(?<src>[\d.]+).*DST=(?<dst>[\d.]+).*PROTO=(?<proto>\w+)(?:.*DPT=(?<dpt>\d+))?/;
+export function normalizeUfwLine(line, tenantId) {
+    const m = line.match(UFW_RE);
+    if (!m?.groups)
+        return null;
+    const { action, src, dst, proto, dpt } = m.groups;
+    const ts = new Date().toISOString();
+    return {
+        eventUuid: stableEventUuid(['ufw', action, src, dst, proto, dpt, line.slice(0, 80)]),
+        eventType: 'firewall.block',
+        severity: firewallActionToSeverity(action),
+        sourceSystem: 'ufw',
+        tenantId,
+        eventData: {
+            '@timestamp': ts,
+            message: line.trim(),
+            source: { ip: src },
+            destination: { ip: dst, port: dpt ? Number(dpt) : 0 },
+            rule: { category: 'firewall', name: `UFW ${action}` },
+            raw: { line },
+        },
+    };
+}
+//# sourceMappingURL=ufw.js.map

package/dist/normalizers/ufw.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ufw.js","sourceRoot":"","sources":["../../src/normalizers/ufw.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,MAAM,GACV,iIAAiI,CAAC;AAEpI,MAAM,UAAU,gBAAgB,CAAC,IAAY,EAAE,QAAgB;IAC7D,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7B,IAAI,CAAC,CAAC,EAAE,MAAM;QAAE,OAAO,IAAI,CAAC;IAC5B,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC;IAClD,MAAM,EAAE,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAEpC,OAAO;QACL,SAAS,EAAE,eAAe,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;QACpF,SAAS,EAAE,gBAAgB;QAC3B,QAAQ,EAAE,wBAAwB,CAAC,MAAM,CAAC;QAC1C,YAAY,EAAE,KAAK;QACnB,QAAQ;QACR,SAAS,EAAE;YACT,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE;YACpB,MAAM,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE;YACnB,WAAW,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE;YACrD,IAAI,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,MAAM,EAAE,EAAE;YACrD,GAAG,EAAE,EAAE,IAAI,EAAE;SACd;KACF,CAAC;AACJ,CAAC"}

package/dist/normalizers/wazuh.d.ts

@@ -0,0 +1,18 @@
+import type { SecurityEventCanonical } from '@grc-claw/core';
+export interface WazuhAlert {
+    rule?: {
+        id?: string | number;
+        level?: number;
+        description?: string;
+    };
+    data?: {
+        srcip?: string;
+        dstip?: string;
+        srcport?: string;
+        dstport?: string;
+    };
+    timestamp?: string;
+    id?: string;
+}
+export declare function normalizeWazuh(raw: WazuhAlert, tenantId: number): SecurityEventCanonical;
+//# sourceMappingURL=wazuh.d.ts.map

package/dist/normalizers/wazuh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wazuh.d.ts","sourceRoot":"","sources":["../../src/normalizers/wazuh.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAI7D,MAAM,WAAW,UAAU;IACzB,IAAI,CAAC,EAAE;QAAE,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACtE,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,EAAE,CAAC,EAAE,MAAM,CAAC;CACb;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,CAwBxF"}

package/dist/normalizers/wazuh.js

@@ -0,0 +1,27 @@
+import { wazuhLevelToSeverity } from '../severity.js';
+import { stableEventUuid } from '../uuid.js';
+export function normalizeWazuh(raw, tenantId) {
+    const level = Number(raw.rule?.level ?? 5);
+    const ruleId = String(raw.rule?.id ?? '0');
+    const src = raw.data?.srcip;
+    const dst = raw.data?.dstip;
+    const ts = raw.timestamp ?? new Date().toISOString();
+    const eventType = level >= 10 ? 'auth.failure' : 'host.anomaly';
+    return {
+        eventUuid: stableEventUuid(['wazuh', ruleId, src, dst, ts, raw.id]),
+        eventType,
+        severity: wazuhLevelToSeverity(level),
+        sourceSystem: 'wazuh',
+        tenantId,
+        eventData: {
+            '@timestamp': ts,
+            message: raw.rule?.description ?? 'Wazuh alert',
+            host: {},
+            source: src ? { ip: src, port: Number(raw.data?.srcport) || undefined } : undefined,
+            destination: dst ? { ip: dst, port: Number(raw.data?.dstport) || undefined } : undefined,
+            rule: { id: ruleId, name: raw.rule?.description, category: 'wazuh' },
+            raw: raw,
+        },
+    };
+}
+//# sourceMappingURL=wazuh.js.map

package/dist/normalizers/wazuh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wazuh.js","sourceRoot":"","sources":["../../src/normalizers/wazuh.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAS7C,MAAM,UAAU,cAAc,CAAC,GAAe,EAAE,QAAgB;IAC9D,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,IAAI,CAAC,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,IAAI,GAAG,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC;IAC5B,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC;IAC5B,MAAM,EAAE,GAAG,GAAG,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrD,MAAM,SAAS,GAAG,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC;IAEhE,OAAO;QACL,SAAS,EAAE,eAAe,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;QACnE,SAAS;QACT,QAAQ,EAAE,oBAAoB,CAAC,KAAK,CAAC;QACrC,YAAY,EAAE,OAAO;QACrB,QAAQ;QACR,SAAS,EAAE;YACT,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE,GAAG,CAAC,IAAI,EAAE,WAAW,IAAI,aAAa;YAC/C,IAAI,EAAE,EAAE;YACR,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,SAAS,EAAE,CAAC,CAAC,CAAC,SAAS;YACnF,WAAW,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,SAAS,EAAE,CAAC,CAAC,CAAC,SAAS;YACxF,IAAI,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE;YACpE,GAAG,EAAE,GAA8B;SACpC;KACF,CAAC;AACJ,CAAC"}

package/dist/severity.d.ts

@@ -0,0 +1,6 @@
+import type { Severity } from '@grc-claw/core';
+export declare function wazuhLevelToSeverity(level: number): Severity;
+export declare function suricataSeverityToSeverity(sev: number): Severity;
+export declare function snortPriorityToSeverity(priority: number): Severity;
+export declare function firewallActionToSeverity(action: string): Severity;
+//# sourceMappingURL=severity.d.ts.map

package/dist/severity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"severity.d.ts","sourceRoot":"","sources":["../src/severity.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAE/C,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAK5D;AAED,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,MAAM,GAAG,QAAQ,CAKhE;AAED,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,GAAG,QAAQ,CAKlE;AAED,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,QAAQ,CAIjE"}

package/dist/severity.js

@@ -0,0 +1,34 @@
+export function wazuhLevelToSeverity(level) {
+    if (level >= 12)
+        return 'critical';
+    if (level >= 8)
+        return 'high';
+    if (level >= 5)
+        return 'medium';
+    return 'low';
+}
+export function suricataSeverityToSeverity(sev) {
+    if (sev <= 1)
+        return 'critical';
+    if (sev === 2)
+        return 'high';
+    if (sev === 3)
+        return 'medium';
+    return 'low';
+}
+export function snortPriorityToSeverity(priority) {
+    if (priority <= 1)
+        return 'critical';
+    if (priority === 2)
+        return 'high';
+    if (priority === 3)
+        return 'medium';
+    return 'low';
+}
+export function firewallActionToSeverity(action) {
+    const a = action.toUpperCase();
+    if (a.includes('BLOCK') || a.includes('DROP') || a.includes('REJECT'))
+        return 'medium';
+    return 'low';
+}
+//# sourceMappingURL=severity.js.map

package/dist/severity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"severity.js","sourceRoot":"","sources":["../src/severity.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACnC,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC;IAC9B,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC;IAChC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,GAAW;IACpD,IAAI,GAAG,IAAI,CAAC;QAAE,OAAO,UAAU,CAAC;IAChC,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAC7B,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC/B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,QAAgB;IACtD,IAAI,QAAQ,IAAI,CAAC;QAAE,OAAO,UAAU,CAAC;IACrC,IAAI,QAAQ,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,QAAQ,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IACpC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,MAAc;IACrD,MAAM,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAC/B,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IACvF,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/uuid.d.ts

@@ -0,0 +1,3 @@
+/** Stable id for dedupe on retry (ingest-oss-siem-ids-logs) */
+export declare function stableEventUuid(parts: (string | number | undefined)[]): string;
+//# sourceMappingURL=uuid.d.ts.map

package/dist/uuid.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"uuid.d.ts","sourceRoot":"","sources":["../src/uuid.ts"],"names":[],"mappings":"AAEA,+DAA+D;AAC/D,wBAAgB,eAAe,CAAC,KAAK,EAAE,CAAC,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC,EAAE,GAAG,MAAM,CAI9E"}

package/dist/uuid.js

@@ -0,0 +1,8 @@
+import { createHash } from 'node:crypto';
+/** Stable id for dedupe on retry (ingest-oss-siem-ids-logs) */
+export function stableEventUuid(parts) {
+    const payload = parts.filter((p) => p !== undefined && p !== '').join('|');
+    const hash = createHash('sha256').update(payload).digest('hex').slice(0, 32);
+    return `${hash.slice(0, 8)}-${hash.slice(8, 12)}-${hash.slice(12, 16)}-${hash.slice(16, 20)}-${hash.slice(20, 32)}`;
+}
+//# sourceMappingURL=uuid.js.map

package/dist/uuid.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"uuid.js","sourceRoot":"","sources":["../src/uuid.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,+DAA+D;AAC/D,MAAM,UAAU,eAAe,CAAC,KAAsC;IACpE,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3E,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC7E,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC;AACtH,CAAC"}

package/package.json

@@ -0,0 +1,34 @@
+{
+  "name": "@grc-claw/ingest",
+  "version": "2.0.0",
+  "description": "OSS SIEM/IDS/firewall log normalizers (ingest-oss-siem-ids-logs)",
+  "license": "MIT",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "npm run build && tsc -p tsconfig.test.json && node --test dist-test/comprehensive.test.js dist-test/cloud-integration.test.js"
+  },
+  "dependencies": {
+    "@grc-claw/core": "*"
+  },
+  "devDependencies": {
+    "@grc-claw/agent-runtime": "*",
+    "@grc-claw/a2z-connector": "*",
+    "@grc-claw/evidence": "*",
+    "@grc-claw/frameworks": "*"
+  },
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  }
+}