vaspera 2.10.1 → 2.12.0

package/dist/integrations/siem/datadog.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Datadog Logs Client
+ *
+ * Logs API client for Datadog integration.
+ *
+ * @module integrations/siem/datadog
+ */
+import type { SIEMClient, SIEMEvent, SIEMTestResult, SIEMSendResult, SIEMBatchResult, DatadogConfig } from "./types.js";
+/**
+ * Datadog Logs API client
+ */
+export declare class DatadogClient implements SIEMClient {
+    readonly provider: "datadog";
+    private config;
+    private endpoint;
+    constructor(config: DatadogConfig);
+    /**
+     * Test connection to Datadog
+     */
+    testConnection(): Promise<SIEMTestResult>;
+    /**
+     * Send a single event to Datadog
+     */
+    sendEvent(event: SIEMEvent): Promise<SIEMSendResult>;
+    /**
+     * Send multiple events in batch
+     */
+    sendEvents(events: SIEMEvent[]): Promise<SIEMBatchResult>;
+    /**
+     * Close connection
+     */
+    close(): Promise<void>;
+}
+/**
+ * Create a Datadog client from configuration
+ */
+export declare function createDatadogClient(config: {
+    apiKey: string;
+    site?: string;
+    service?: string;
+    env?: string;
+    tags?: string[];
+}): DatadogClient;
+//# sourceMappingURL=datadog.d.ts.map

package/dist/integrations/siem/datadog.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"datadog.d.ts","sourceRoot":"","sources":["../../../src/integrations/siem/datadog.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EACV,UAAU,EACV,SAAS,EACT,cAAc,EACd,cAAc,EACd,eAAe,EACf,aAAa,EACd,MAAM,YAAY,CAAC;AAcpB;;GAEG;AACH,qBAAa,aAAc,YAAW,UAAU;IAC9C,QAAQ,CAAC,QAAQ,EAAG,SAAS,CAAU;IACvC,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,QAAQ,CAAS;gBAEb,MAAM,EAAE,aAAa;IAMjC;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,cAAc,CAAC;IAuC/C;;OAEG;IACG,SAAS,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC,cAAc,CAAC;IAsD1D;;OAEG;IACG,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC;IAsE/D;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAG7B;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB,GAAG,aAAa,CAehB"}

package/dist/integrations/siem/datadog.js

@@ -0,0 +1,211 @@
+/**
+ * Datadog Logs Client
+ *
+ * Logs API client for Datadog integration.
+ *
+ * @module integrations/siem/datadog
+ */
+import { logger } from "../../logger.js";
+import { formatForDatadog } from "./format.js";
+/**
+ * Datadog site to API endpoint mapping
+ */
+const DATADOG_ENDPOINTS = {
+    "datadoghq.com": "https://http-intake.logs.datadoghq.com",
+    "us3.datadoghq.com": "https://http-intake.logs.us3.datadoghq.com",
+    "us5.datadoghq.com": "https://http-intake.logs.us5.datadoghq.com",
+    "datadoghq.eu": "https://http-intake.logs.datadoghq.eu",
+    "ap1.datadoghq.com": "https://http-intake.logs.ap1.datadoghq.com",
+    "ddog-gov.com": "https://http-intake.logs.ddog-gov.com",
+};
+/**
+ * Datadog Logs API client
+ */
+export class DatadogClient {
+    provider = "datadog";
+    config;
+    endpoint;
+    constructor(config) {
+        this.config = config;
+        const site = config.options?.site || "datadoghq.com";
+        this.endpoint = DATADOG_ENDPOINTS[site] || DATADOG_ENDPOINTS["datadoghq.com"];
+    }
+    /**
+     * Test connection to Datadog
+     */
+    async testConnection() {
+        const startTime = Date.now();
+        try {
+            // Datadog validates the API key on first request
+            const testEvent = {
+                timestamp: new Date().toISOString(),
+                eventType: "scan.started",
+                severity: "informational",
+                project: "test",
+                message: "Vaspera connection test",
+                source: "vaspera",
+                data: { test: true },
+            };
+            const result = await this.sendEvent(testEvent);
+            return {
+                success: result.success,
+                provider: "datadog",
+                endpoint: this.endpoint,
+                latencyMs: Date.now() - startTime,
+                error: result.error,
+                details: {
+                    site: this.config.options?.site || "datadoghq.com",
+                    service: this.config.options?.service,
+                },
+            };
+        }
+        catch (error) {
+            return {
+                success: false,
+                provider: "datadog",
+                endpoint: this.endpoint,
+                latencyMs: Date.now() - startTime,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Send a single event to Datadog
+     */
+    async sendEvent(event) {
+        const timestamp = new Date().toISOString();
+        try {
+            const payload = formatForDatadog(event, {
+                service: this.config.options?.service,
+                env: this.config.options?.env,
+                tags: this.config.options?.tags,
+            });
+            const response = await fetch(`${this.endpoint}/api/v2/logs`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "DD-API-KEY": this.config.token,
+                },
+                body: JSON.stringify([payload]),
+                signal: AbortSignal.timeout(30000),
+            });
+            if (response.ok || response.status === 202) {
+                logger.debug("siem.datadog.event_sent", {
+                    eventType: event.eventType,
+                });
+                return {
+                    success: true,
+                    timestamp,
+                };
+            }
+            const errorText = await response.text();
+            logger.warn("siem.datadog.send_failed", {
+                status: response.status,
+                error: errorText,
+            });
+            return {
+                success: false,
+                timestamp,
+                error: `HTTP ${response.status}: ${errorText}`,
+            };
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            logger.error("siem.datadog.send_error", { error: errorMessage });
+            return {
+                success: false,
+                timestamp,
+                error: errorMessage,
+            };
+        }
+    }
+    /**
+     * Send multiple events in batch
+     */
+    async sendEvents(events) {
+        if (events.length === 0) {
+            return {
+                success: true,
+                totalEvents: 0,
+                successCount: 0,
+                failureCount: 0,
+            };
+        }
+        try {
+            const payloads = events.map((event) => formatForDatadog(event, {
+                service: this.config.options?.service,
+                env: this.config.options?.env,
+                tags: this.config.options?.tags,
+            }));
+            const response = await fetch(`${this.endpoint}/api/v2/logs`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "DD-API-KEY": this.config.token,
+                },
+                body: JSON.stringify(payloads),
+                signal: AbortSignal.timeout(60000),
+            });
+            if (response.ok || response.status === 202) {
+                logger.info("siem.datadog.batch_sent", {
+                    eventCount: events.length,
+                });
+                return {
+                    success: true,
+                    totalEvents: events.length,
+                    successCount: events.length,
+                    failureCount: 0,
+                };
+            }
+            const errorText = await response.text();
+            logger.warn("siem.datadog.batch_failed", {
+                status: response.status,
+                error: errorText,
+                eventCount: events.length,
+            });
+            return {
+                success: false,
+                totalEvents: events.length,
+                successCount: 0,
+                failureCount: events.length,
+                errors: [{ index: 0, error: `HTTP ${response.status}: ${errorText}` }],
+            };
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            logger.error("siem.datadog.batch_error", { error: errorMessage });
+            return {
+                success: false,
+                totalEvents: events.length,
+                successCount: 0,
+                failureCount: events.length,
+                errors: [{ index: 0, error: errorMessage }],
+            };
+        }
+    }
+    /**
+     * Close connection
+     */
+    async close() {
+        // No persistent connection to close for Datadog API
+    }
+}
+/**
+ * Create a Datadog client from configuration
+ */
+export function createDatadogClient(config) {
+    const site = config.site || "datadoghq.com";
+    return new DatadogClient({
+        provider: "datadog",
+        enabled: true,
+        endpoint: DATADOG_ENDPOINTS[site] || DATADOG_ENDPOINTS["datadoghq.com"],
+        token: config.apiKey,
+        options: {
+            site,
+            service: config.service || "vaspera-hardening",
+            env: config.env,
+            tags: config.tags,
+        },
+    });
+}
+//# sourceMappingURL=datadog.js.map

package/dist/integrations/siem/datadog.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"datadog.js","sourceRoot":"","sources":["../../../src/integrations/siem/datadog.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AACzC,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAU/C;;GAEG;AACH,MAAM,iBAAiB,GAA2B;IAChD,eAAe,EAAE,wCAAwC;IACzD,mBAAmB,EAAE,4CAA4C;IACjE,mBAAmB,EAAE,4CAA4C;IACjE,cAAc,EAAE,uCAAuC;IACvD,mBAAmB,EAAE,4CAA4C;IACjE,cAAc,EAAE,uCAAuC;CACxD,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,aAAa;IACf,QAAQ,GAAG,SAAkB,CAAC;IAC/B,MAAM,CAAgB;IACtB,QAAQ,CAAS;IAEzB,YAAY,MAAqB;QAC/B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,eAAe,CAAC;QACrD,IAAI,CAAC,QAAQ,GAAG,iBAAiB,CAAC,IAAI,CAAC,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAChF,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc;QAClB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,iDAAiD;YACjD,MAAM,SAAS,GAAc;gBAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,SAAS,EAAE,cAAc;gBACzB,QAAQ,EAAE,eAAe;gBACzB,OAAO,EAAE,MAAM;gBACf,OAAO,EAAE,yBAAyB;gBAClC,MAAM,EAAE,SAAS;gBACjB,IAAI,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;aACrB,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YAE/C,OAAO;gBACL,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBACjC,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,OAAO,EAAE;oBACP,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,eAAe;oBAClD,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO;iBACtC;aACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBACjC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,KAAgB;QAC9B,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,EAAE;gBACtC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO;gBACrC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG;gBAC7B,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI;aAChC,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,QAAQ,cAAc,EAAE;gBAC3D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;iBAChC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC;gBAC/B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;aACnC,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC3C,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE;oBACtC,SAAS,EAAE,KAAK,CAAC,SAAS;iBAC3B,CAAC,CAAC;gBAEH,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,SAAS;iBACV,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE;gBACtC,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,KAAK,EAAE,SAAS;aACjB,CAAC,CAAC;YAEH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,SAAS;gBACT,KAAK,EAAE,QAAQ,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE;aAC/C,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC5E,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;YAEjE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,SAAS;gBACT,KAAK,EAAE,YAAY;aACpB,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CAAC,MAAmB;QAClC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,WAAW,EAAE,CAAC;gBACd,YAAY,EAAE,CAAC;gBACf,YAAY,EAAE,CAAC;aAChB,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CACpC,gBAAgB,CAAC,KAAK,EAAE;gBACtB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO;gBACrC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG;gBAC7B,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI;aAChC,CAAC,CACH,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,QAAQ,cAAc,EAAE;gBAC3D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;iBAChC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;gBAC9B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;aACnC,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC3C,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE;oBACrC,UAAU,EAAE,MAAM,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,WAAW,EAAE,MAAM,CAAC,MAAM;oBAC1B,YAAY,EAAE,MAAM,CAAC,MAAM;oBAC3B,YAAY,EAAE,CAAC;iBAChB,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE;gBACvC,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,KAAK,EAAE,SAAS;gBAChB,UAAU,EAAE,MAAM,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,WAAW,EAAE,MAAM,CAAC,MAAM;gBAC1B,YAAY,EAAE,CAAC;gBACf,YAAY,EAAE,MAAM,CAAC,MAAM;gBAC3B,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,QAAQ,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,EAAE,CAAC;aACvE,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC5E,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;YAElE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,WAAW,EAAE,MAAM,CAAC,MAAM;gBAC1B,YAAY,EAAE,CAAC;gBACf,YAAY,EAAE,MAAM,CAAC,MAAM;gBAC3B,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;aAC5C,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK;QACT,oDAAoD;IACtD,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAMnC;IACC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,eAAe,CAAC;IAE5C,OAAO,IAAI,aAAa,CAAC;QACvB,QAAQ,EAAE,SAAS;QACnB,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,iBAAiB,CAAC,IAAI,CAAC,IAAI,iBAAiB,CAAC,eAAe,CAAC;QACvE,KAAK,EAAE,MAAM,CAAC,MAAM;QACpB,OAAO,EAAE;YACP,IAAI;YACJ,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,mBAAmB;YAC9C,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB;KACF,CAAC,CAAC;AACL,CAAC"}

package/dist/integrations/siem/format.d.ts

@@ -0,0 +1,59 @@
+/**
+ * SIEM Event Formatting
+ *
+ * Converts Vaspera events to SIEM-compatible formats (CEF, JSON).
+ *
+ * @module integrations/siem/format
+ */
+import type { Severity } from "../../certification/types.js";
+import type { SIEMEvent, SIEMSeverity, FindingEventData, ScanEventData, CertificationEventData } from "./types.js";
+/**
+ * Map Vaspera severity to SIEM severity
+ */
+export declare function mapSeverity(severity: Severity): SIEMSeverity;
+/**
+ * Map SIEM severity to CEF numeric severity (0-10)
+ */
+export declare function severityToCEF(severity: SIEMSeverity): number;
+/**
+ * Format event as CEF string
+ */
+export declare function formatAsCEF(event: SIEMEvent): string;
+/**
+ * Format event as JSON for generic SIEM ingestion
+ */
+export declare function formatAsJSON(event: SIEMEvent): object;
+/**
+ * Format event for Splunk HEC
+ */
+export declare function formatForSplunk(event: SIEMEvent, options?: {
+    index?: string;
+    source?: string;
+    sourceType?: string;
+    host?: string;
+}): object;
+/**
+ * Format event for Microsoft Sentinel (Log Analytics)
+ */
+export declare function formatForSentinel(event: SIEMEvent): object;
+/**
+ * Format event for Datadog
+ */
+export declare function formatForDatadog(event: SIEMEvent, options?: {
+    service?: string;
+    env?: string;
+    tags?: string[];
+}): object;
+/**
+ * Create a finding event
+ */
+export declare function createFindingEvent(project: string, eventType: "finding.new" | "finding.fixed" | "finding.false_positive", finding: FindingEventData, certificationId?: string): SIEMEvent;
+/**
+ * Create a scan event
+ */
+export declare function createScanEvent(project: string, eventType: "scan.started" | "scan.completed" | "scan.failed", scan: ScanEventData, certificationId?: string): SIEMEvent;
+/**
+ * Create a certification event
+ */
+export declare function createCertificationEvent(project: string, eventType: "certification.started" | "certification.completed", certification: CertificationEventData): SIEMEvent;
+//# sourceMappingURL=format.d.ts.map

package/dist/integrations/siem/format.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"format.d.ts","sourceRoot":"","sources":["../../../src/integrations/siem/format.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAC7D,OAAO,KAAK,EACV,SAAS,EAET,YAAY,EAEZ,gBAAgB,EAChB,aAAa,EACb,sBAAsB,EACvB,MAAM,YAAY,CAAC;AAMpB;;GAEG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,QAAQ,GAAG,YAAY,CAe5D;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,YAAY,GAAG,MAAM,CAe5D;AAsDD;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAqEpD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAsBrD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,SAAS,EAChB,OAAO,GAAE;IACP,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;CACV,GACL,MAAM,CASR;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAa1D;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,SAAS,EAChB,OAAO,GAAE;IACP,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACZ,GACL,MAAM,CA0BR;AAmDD;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,aAAa,GAAG,eAAe,GAAG,wBAAwB,EACrE,OAAO,EAAE,gBAAgB,EACzB,eAAe,CAAC,EAAE,MAAM,GACvB,SAAS,CAaX;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,cAAc,GAAG,gBAAgB,GAAG,aAAa,EAC5D,IAAI,EAAE,aAAa,EACnB,eAAe,CAAC,EAAE,MAAM,GACvB,SAAS,CA4BX;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,uBAAuB,GAAG,yBAAyB,EAC9D,aAAa,EAAE,sBAAsB,GACpC,SAAS,CAqBX"}

package/dist/integrations/siem/format.js

@@ -0,0 +1,360 @@
+/**
+ * SIEM Event Formatting
+ *
+ * Converts Vaspera events to SIEM-compatible formats (CEF, JSON).
+ *
+ * @module integrations/siem/format
+ */
+const DEVICE_VENDOR = "Vaspera";
+const DEVICE_PRODUCT = "Hardening MCP";
+const DEVICE_VERSION = "2.11.0";
+/**
+ * Map Vaspera severity to SIEM severity
+ */
+export function mapSeverity(severity) {
+    switch (severity) {
+        case "critical":
+            return "critical";
+        case "high":
+            return "high";
+        case "medium":
+            return "medium";
+        case "low":
+            return "low";
+        case "info":
+            return "informational";
+        default:
+            return "informational";
+    }
+}
+/**
+ * Map SIEM severity to CEF numeric severity (0-10)
+ */
+export function severityToCEF(severity) {
+    switch (severity) {
+        case "critical":
+            return 10;
+        case "high":
+            return 8;
+        case "medium":
+            return 5;
+        case "low":
+            return 3;
+        case "informational":
+            return 1;
+        default:
+            return 0;
+    }
+}
+/**
+ * Map event type to signature ID
+ */
+function eventTypeToSignatureId(eventType) {
+    const mapping = {
+        "finding.new": "VASP-001",
+        "finding.fixed": "VASP-002",
+        "finding.false_positive": "VASP-003",
+        "scan.started": "VASP-010",
+        "scan.completed": "VASP-011",
+        "scan.failed": "VASP-012",
+        "certification.started": "VASP-020",
+        "certification.completed": "VASP-021",
+        "compliance.report": "VASP-030",
+        "autofix.applied": "VASP-040",
+        "autofix.pr_created": "VASP-041",
+    };
+    return mapping[eventType] || "VASP-999";
+}
+/**
+ * Map event type to human-readable name
+ */
+function eventTypeToName(eventType) {
+    const mapping = {
+        "finding.new": "New Security Finding",
+        "finding.fixed": "Security Finding Fixed",
+        "finding.false_positive": "Finding Marked False Positive",
+        "scan.started": "Security Scan Started",
+        "scan.completed": "Security Scan Completed",
+        "scan.failed": "Security Scan Failed",
+        "certification.started": "Certification Started",
+        "certification.completed": "Certification Completed",
+        "compliance.report": "Compliance Report Generated",
+        "autofix.applied": "Autofix Applied",
+        "autofix.pr_created": "Autofix Pull Request Created",
+    };
+    return mapping[eventType] || "Unknown Event";
+}
+/**
+ * Escape CEF special characters
+ */
+function escapeCEF(value) {
+    return value
+        .replace(/\\/g, "\\\\")
+        .replace(/=/g, "\\=")
+        .replace(/\|/g, "\\|")
+        .replace(/\n/g, "\\n")
+        .replace(/\r/g, "\\r");
+}
+/**
+ * Format event as CEF string
+ */
+export function formatAsCEF(event) {
+    const fields = {
+        version: 0,
+        deviceVendor: DEVICE_VENDOR,
+        deviceProduct: DEVICE_PRODUCT,
+        deviceVersion: DEVICE_VERSION,
+        signatureId: eventTypeToSignatureId(event.eventType),
+        name: eventTypeToName(event.eventType),
+        severity: severityToCEF(event.severity),
+        extension: {},
+    };
+    // Build extension fields
+    const ext = fields.extension;
+    ext["rt"] = new Date(event.timestamp).getTime();
+    ext["msg"] = escapeCEF(event.message);
+    ext["src"] = event.source;
+    ext["cs1"] = event.project;
+    ext["cs1Label"] = "project";
+    if (event.certificationId) {
+        ext["cs2"] = event.certificationId;
+        ext["cs2Label"] = "certificationId";
+    }
+    // Add finding-specific fields
+    const data = event.data;
+    if (data.findingId) {
+        ext["externalId"] = data.findingId;
+    }
+    if (data.file) {
+        ext["filePath"] = escapeCEF(data.file);
+    }
+    if (data.line) {
+        ext["fileId"] = data.line;
+    }
+    if (data.category) {
+        ext["cat"] = escapeCEF(data.category);
+    }
+    if (data.scanner) {
+        ext["deviceCustomString3"] = escapeCEF(data.scanner);
+        ext["deviceCustomString3Label"] = "scanner";
+    }
+    if (data.ruleId) {
+        ext["cs4"] = escapeCEF(data.ruleId);
+        ext["cs4Label"] = "ruleId";
+    }
+    if (data.cweIds && data.cweIds.length > 0) {
+        ext["cs5"] = data.cweIds.join(",");
+        ext["cs5Label"] = "cweIds";
+    }
+    // Format CEF header
+    const header = [
+        `CEF:${fields.version}`,
+        escapeCEF(fields.deviceVendor),
+        escapeCEF(fields.deviceProduct),
+        escapeCEF(fields.deviceVersion),
+        escapeCEF(fields.signatureId),
+        escapeCEF(fields.name),
+        fields.severity.toString(),
+    ].join("|");
+    // Format extension
+    const extension = Object.entries(ext)
+        .map(([key, value]) => `${key}=${value}`)
+        .join(" ");
+    return `${header}|${extension}`;
+}
+/**
+ * Format event as JSON for generic SIEM ingestion
+ */
+export function formatAsJSON(event) {
+    return {
+        "@timestamp": event.timestamp,
+        event: {
+            kind: "event",
+            category: ["security"],
+            type: [event.eventType.split(".")[0]],
+            action: event.eventType,
+            severity: severityToCEF(event.severity),
+            severity_name: event.severity,
+        },
+        message: event.message,
+        source: {
+            provider: event.source,
+            version: DEVICE_VERSION,
+        },
+        project: {
+            path: event.project,
+            certification_id: event.certificationId,
+        },
+        vaspera: event.data,
+    };
+}
+/**
+ * Format event for Splunk HEC
+ */
+export function formatForSplunk(event, options = {}) {
+    return {
+        time: Math.floor(new Date(event.timestamp).getTime() / 1000),
+        host: options.host || "vaspera",
+        source: options.source || "vaspera:hardening",
+        sourcetype: options.sourceType || "_json",
+        index: options.index,
+        event: formatAsJSON(event),
+    };
+}
+/**
+ * Format event for Microsoft Sentinel (Log Analytics)
+ */
+export function formatForSentinel(event) {
+    const json = formatAsJSON(event);
+    return {
+        TimeGenerated: event.timestamp,
+        EventType_s: event.eventType,
+        Severity_s: event.severity,
+        Project_s: event.project,
+        CertificationId_g: event.certificationId || "",
+        Message_s: event.message,
+        Source_s: event.source,
+        RawEvent_s: JSON.stringify(event.data),
+        ...flattenData(event.data, "_"),
+    };
+}
+/**
+ * Format event for Datadog
+ */
+export function formatForDatadog(event, options = {}) {
+    const tags = [
+        `project:${event.project}`,
+        `event_type:${event.eventType}`,
+        `severity:${event.severity}`,
+        ...(event.certificationId ? [`certification_id:${event.certificationId}`] : []),
+        ...(options.tags || []),
+    ];
+    if (options.env) {
+        tags.push(`env:${options.env}`);
+    }
+    return {
+        ddsource: "vaspera",
+        ddtags: tags.join(","),
+        hostname: "vaspera-mcp",
+        service: options.service || "vaspera-hardening",
+        status: mapSeverityToDatadogStatus(event.severity),
+        message: event.message,
+        "@timestamp": event.timestamp,
+        event_type: event.eventType,
+        project: event.project,
+        certification_id: event.certificationId,
+        data: event.data,
+    };
+}
+/**
+ * Map SIEM severity to Datadog status
+ */
+function mapSeverityToDatadogStatus(severity) {
+    switch (severity) {
+        case "critical":
+            return "emergency";
+        case "high":
+            return "error";
+        case "medium":
+            return "warning";
+        case "low":
+            return "info";
+        case "informational":
+            return "debug";
+        default:
+            return "info";
+    }
+}
+/**
+ * Flatten nested data object for Sentinel
+ */
+function flattenData(data, suffix, prefix = "") {
+    const result = {};
+    for (const [key, value] of Object.entries(data)) {
+        const newKey = prefix ? `${prefix}_${key}${suffix}` : `${key}${suffix}`;
+        if (value === null || value === undefined) {
+            continue;
+        }
+        if (typeof value === "object" && !Array.isArray(value)) {
+            Object.assign(result, flattenData(value, suffix, key));
+        }
+        else if (Array.isArray(value)) {
+            result[newKey] = value.join(",");
+        }
+        else if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+            result[newKey] = value;
+        }
+    }
+    return result;
+}
+/**
+ * Create a finding event
+ */
+export function createFindingEvent(project, eventType, finding, certificationId) {
+    const actionVerb = eventType === "finding.new" ? "detected" : eventType === "finding.fixed" ? "fixed" : "marked as false positive";
+    return {
+        timestamp: new Date().toISOString(),
+        eventType,
+        severity: mapSeverity(finding.severity),
+        project,
+        certificationId,
+        message: `Security finding ${actionVerb}: ${finding.category} in ${finding.file || "unknown"}${finding.line ? `:${finding.line}` : ""}`,
+        source: "vaspera",
+        data: finding,
+    };
+}
+/**
+ * Create a scan event
+ */
+export function createScanEvent(project, eventType, scan, certificationId) {
+    let severity = "informational";
+    let message;
+    switch (eventType) {
+        case "scan.started":
+            message = `Security scan started with scanners: ${scan.scanners.join(", ")}`;
+            break;
+        case "scan.completed":
+            severity = scan.bySeverity.critical > 0 ? "critical" : scan.bySeverity.high > 0 ? "high" : "informational";
+            message = `Security scan completed: ${scan.findingsCount} findings (${scan.bySeverity.critical} critical, ${scan.bySeverity.high} high)`;
+            break;
+        case "scan.failed":
+            severity = "high";
+            message = `Security scan failed: ${scan.error || "Unknown error"}`;
+            break;
+    }
+    return {
+        timestamp: new Date().toISOString(),
+        eventType,
+        severity,
+        project,
+        certificationId,
+        message,
+        source: "vaspera",
+        data: scan,
+    };
+}
+/**
+ * Create a certification event
+ */
+export function createCertificationEvent(project, eventType, certification) {
+    let severity = "informational";
+    let message;
+    if (eventType === "certification.started") {
+        message = `Certification started: ${certification.certificationId}`;
+    }
+    else {
+        severity = certification.score && certification.score >= 80 ? "informational" : "medium";
+        message = `Certification completed: ${certification.level || "unknown"} (score: ${certification.score || 0})`;
+    }
+    return {
+        timestamp: new Date().toISOString(),
+        eventType,
+        severity,
+        project,
+        certificationId: certification.certificationId,
+        message,
+        source: "vaspera",
+        data: certification,
+    };
+}
+//# sourceMappingURL=format.js.map