Update sshd pipeline and map OCSF attributes

ssh_check/assets/logs/sshd.yaml

@@ -1,4 +1,4 @@
 # bypass-global-missing-date-remapper-checks
 id: sshd
 metric_id: ssh
 backend_only: false
@@ -38,6 +38,8 @@
         matchRules: |
           sshd.logins.pwd %{regex("Accepted|Failed"):system.action} %{regex("password"):system.type} for %{_auth} from %{_client_ip} port %{_client_port} ssh2
 
+          sshd.logins.invalid.pwd %{regex("Accepted|Failed"):system.action} %{regex("password"):system.type} for invalid user %{_auth} from %{_client_ip} port %{_client_port} ssh2 
+
           sshd.logins.key.success %{regex("Accepted"):system.action} %{regex("publickey"):system.type} for %{_auth} from %{_client_ip} port %{_client_port} ssh2(: %{notSpace:system.algorithm} %{notSpace:system.key})?
 
           sshd.disconnect (error: )?Received %{regex("disconnect"):system.action} from %{_client_ip}: %{greedyData:system.type}
@@ -61,3 +63,114 @@
         - 'pam_unix(sshd:session): session closed for user marc.szalkiewicz'
         - 'Accepted publickey for toptop from 172.22.179.72 port 58599 ssh2: RSA 01:fa:c1:75:ee:fbxxxx:xxxxx'
         - 'Received disconnect from 172.22.179.72: 11: disconnected by user'
+    - type: pipeline
+      name: OCSF pipeline for SSH Authentication [3002]
+      enabled: true
+      ocsf:
+        isOcsf: true
+      filter:
+        query: "@system.user:*"
+      processors:
+        - type: string-builder-processor
+          name: Add ocsf.metadata.product.name
+          enabled: true
+          template: "OpenSSH"
+          target: ocsf.metadata.product.name
+          replaceMissing: false
+        - type: string-builder-processor
+          name: Add ocsf.metadata.product.vendor_name
+          enabled: true
+          template: "OpenBSD"
+          replaceMissing: false
+          target: ocsf.metadata.product.vendor_name
+        - type: schema-processor
+          name: Apply OCSF schema for 3002
+          enabled: true
+          mappers:
+            - type: schema-remapper
+              name: Map `ocsf.metadata` to `ocsf.metadata`
+              sources:
+                - ocsf.metadata
+              target: ocsf.metadata
+              preserveSource: true
+              overrideOnConflict: true
+            - type: schema-category-mapper
+              name: ocsf.activity_id
+              categories:
+                - filter:
+                    query: "@system.action:Accepted"
+                    name: Logon
+                    id: 1
+                - filter:
+                    query: "@system.action:\"session closed\""
+                    name: Logoff
+                    id: 2
+              targets:
+                name: ocsf.activity_name
+                id: ocsf.activity_id
+            - type: schema-category-mapper
+              name: ocsf.type_name
+              id: ocsf.type_uid
+              categories:
+                - filter:
+                    query: "@system.action:Accepted"
+                  name: "Authentication: Logon"
+                  id: 300201
+                - filter:
+                    query: "@system.action:\"session closed\""
+                  name: "Authentication: Logoff"
+                  id: 300202
+              targets:
+                name: ocsf.type_uid
+            - type: schema-category-mapper
+              name: ocsf.severity_id
+              categories:
+                - filter:
+                    query: "@system.action:*"
+                  name: Informational
+                  id: 1
+              targets:
+                name: ocsf.severity
+                id: ocsf.severity_id
+            - type: schema-remapper
+              name: Map `@system.user` to `ocsf.user.name`
+              sources:
+                - '@system.user'
+              target: ocsf.user.name
+              preserveSource: true
+              overrideOnConflict: true
+            - type: schema-remapper
+              name: Map `network.client.ip` to `ocsf.src_endpoint.ip`
+              sources:
+                - network.client.ip
+              target: ocsf.src_endpoint.ip
+              preserveSource: true
+              overrideOnConflict: true
+            - type: schema-remapper
+              name: Map `timestamp` to `ocsf.time`
+              sources:
+                - 'timestamp'
+              target: ocsf.time
+              preserveSource: true
+              overrideOnConflict: true
+            - type: schema-category-mapper
+              name: ocsf.status_id
+              categories:
+                - filter:
+                    query: "@system.action:Accepted"
+                  name: Success
+                  id: 1
+                - filter:
+                    query: "@system.action:Failed"
+                  name: Failure
+                  id: 2
+              targets:
+                name: ocsf.status
+                id: ocsf.status_id
+          schema:
+            schemaType: ocsf
+            version: 1.5.0
+            className: Authentication Activity
+            classUid: 3002
+            extensions: []
+            profiles: []

ssh_check/assets/logs/sshd_tests.yaml

@@ -40,4 +40,32 @@ tests:
     message: "Received disconnect from 172.22.179.72: 11: disconnected by user"
     tags:
      - "source:LOGS_SOURCE"
+ -
+  sample: "Failed password for invalid user admin from 192.168.1.100 port 22334 ssh2"
+  result:
+    custom:
+      network:
+        client:
+          ip: "192.168.1.100"
+          port: "22334"
+      ocsf:
+        metadata:
+          product:
+            name: "OpenSSH"
+            vendor_name: "OpenBSD"
+        severity: "Informational"
+        severity_id: 1
+        src_endpoint:
+          ip: "192.168.1.100"
+        status: "Failure"
+        status_id: 2
+        user:
+          name: "admin"
+      system:
+        action: "Failed"
+        type: "password"
+        user: "admin"
+    message: "Failed password for invalid user admin from 192.168.1.100 port 22334 ssh2"
+    tags:
+     - "source:LOGS_SOURCE"