
Commit 8c4e32a

authored
Merge pull request #222 from UncoderIO/gis-9137
Gis 9137 Create IOCs sigma render
2 parents 94eaf48 + aa56c12 commit 8c4e32a


80 files changed

+359
-286
lines changed



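--- a/uncoder-core/app/routers/ioc_translate.py
+++ b/uncoder-core/app/routers/ioc_translate.py
@@ -4,11 +4,10 @@
 
 from app.models.ioc_translation import CTIPlatform, OneTranslationCTIData
 from app.models.translation import InfoMessage
-from app.translator.cti_translator import CTITranslator
+from app.translator.cti_translator import cti_translator
 from app.translator.tools.const import HashType, IocParsingRule, IOCType
 
 iocs_router = APIRouter()
-cti_translator = CTITranslator()
 
 
 @iocs_router.post("/iocs/translate", description="Parse IOCs from text.")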
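Review bot: The router now imports the `cti_translator` instance that app/translator/cti_translator.py creates at import time (its hunk adds `cti_translator = CTITranslator()` at module level), so a single object is shared by every request this router handles, where previously the router owned its own instance. If CTITranslator keeps any per-call state on `self`, concurrent requests would now interleave on it; the class body lies outside both hunks, so this cannot be confirmed from here. A one-line comment at the definition site, `# Import-time singleton shared by the IOC router; keep it free of per-request state.`, would record that assumption for the next reader. Note also that any exception raised in `CTITranslator.__init__` now surfaces as an import error of this router module rather than at first use.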

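--- a/uncoder-core/app/translator/cti_translator.py
+++ b/uncoder-core/app/translator/cti_translator.py
@@ -86,3 +86,6 @@ def __get_iocs_chunk(
     @classmethod
     def get_renders(cls) -> list:
         return cls.render_manager.get_platforms_details
+
+
+cti_translator = CTITranslator()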

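--- a/uncoder-core/app/translator/platforms/arcsight/const.py
+++ b/uncoder-core/app/translator/platforms/arcsight/const.py
@@ -9,4 +9,18 @@
     "alt_platform_name": "CEF",
 }
 
+
+DEFAULT_ARCSIGHT_CTI_MAPPING = {
+    "SourceIP": "sourceAddress",
+    "DestinationIP": "destinationAddress",
+    "Domain": "destinationDnsDomain",
+    "URL": "requestUrl",
+    "HashMd5": "fileHash",
+    "HashSha1": "fileHash",
+    "HashSha256": "fileHash",
+    "HashSha512": "fileHash",
+    "Emails": "sender-address",
+    "Files": "winlog.event_data.TargetFilename",
+}
+
 arcsight_query_details = PlatformDetails(**ARCSIGHT_QUERY_DETAILS)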
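Review bot: The IOC-type keys of this mapping disagree with the ones added in athena/const.py in the same commit: this table uses `"Emails"` and `"Files"`, the Athena table uses `"Email"` and `"FileName"`. Whatever spelling the CTI render looks up, the other platform's entry will never match and that IOC type will silently produce no query terms, so the two tables should agree on one key set; the consumer is not in this commit, so which spelling is correct cannot be confirmed here. Separately, the `"Files"` value `winlog.event_data.TargetFilename` reads as a Winlogbeat/ECS path rather than a CEF field name like the other values in this table, which is worth confirming against the intended ArcSight schema. A short comment above the dict naming what the keys are (the IOC type labels the CTI render expects) would make the contract visible to whoever adds the next platform.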

uncoder-core/app/translator/platforms/arcsight/mappings/__init__.py

Whitespace-only changes.

uncoder-core/app/translator/platforms/arcsight/mappings/arcsight_cti.py

Lines changed: 0 additions & 12 deletions
This file was deleted.

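--- a/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py
+++ b/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py
@@ -1,15 +1,14 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.arcsight.const import arcsight_query_details
-from app.translator.platforms.arcsight.mappings.arcsight_cti import DEFAULT_ARCSIGHT_MAPPING
+from app.translator.platforms.arcsight.const import arcsight_query_details, DEFAULT_ARCSIGHT_CTI_MAPPING
 
 
 @render_cti_manager.register
 class ArcsightKeyword(RenderCTI):
     details: PlatformDetails = arcsight_query_details
 
-    default_mapping = DEFAULT_ARCSIGHT_MAPPING
+    default_mapping = DEFAULT_ARCSIGHT_CTI_MAPPING
     field_value_template: str = "{key} = {value}"
     or_operator: str = " OR "
     group_or_operator: str = " OR "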
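Review bot: The merged import line orders its names differently from the equivalent line this commit adds in athena/renders/athena_cti.py (`DEFAULT_ATHENA_CTI_MAPPING, athena_query_details`), which puts the upper-case constant first as isort-style sorting would. For consistency across the two renders, `from app.translator.platforms.arcsight.const import DEFAULT_ARCSIGHT_CTI_MAPPING, arcsight_query_details`. Purely a style point; behaviour is unaffected.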

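--- a/uncoder-core/app/translator/platforms/athena/const.py
+++ b/uncoder-core/app/translator/platforms/athena/const.py
@@ -9,4 +9,18 @@
     "alt_platform_name": "OCSF",
 }
 
+DEFAULT_ATHENA_CTI_MAPPING = {
+    "SourceIP": "src_endpoint",
+    "DestinationIP": "dst_endpoint",
+    "Domain": "dst_endpoint",
+    "URL": "http_request",
+    "HashMd5": "unmapped.file.hash.md5",
+    "HashSha1": "unmapped.file.hash.sha1",
+    "HashSha256": "unmapped.file.hash.sha256",
+    "HashSha512": "unmapped.file.hash.sha512",
+    "Email": "email",
+    "FileName": "file.name",
+}
+
+
 athena_query_details = PlatformDetails(**ATHENA_QUERY_DETAILS)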
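Review bot: `"DestinationIP"` and `"Domain"` both map to the bare `dst_endpoint`, and `"SourceIP"`/`"URL"` likewise map to the bare `src_endpoint`/`http_request`, while the hash entries use dotted leaf paths. If the Athena render emits a scalar comparison per entry the way the ArcSight render's `{key} = {value}` template does, these whole-object names would compare a struct column to a string literal, and an IP IOC and a domain IOC would generate the same predicate on the same field; the Athena render's own template is outside this commit's hunks, so this is an inference worth confirming. If the leaf fields are intended, the entries would read along the lines of `"DestinationIP": "dst_endpoint.ip"` and `"Domain": "dst_endpoint.domain"`, matching the style of the hash entries. The key-name mismatch with the ArcSight table (`"Email"`/`"FileName"` here versus `"Emails"`/`"Files"` there) is noted on the arcsight/const.py section.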

uncoder-core/app/translator/platforms/athena/mappings/__init__.py

Whitespace-only changes.

uncoder-core/app/translator/platforms/athena/mappings/athena_cti.py

Lines changed: 0 additions & 12 deletions
This file was deleted.

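--- a/uncoder-core/app/translator/platforms/athena/renders/athena_cti.py
+++ b/uncoder-core/app/translator/platforms/athena/renders/athena_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.athena.const import athena_query_details
-from app.translator.platforms.athena.mappings.athena_cti import DEFAULT_ATHENA_MAPPING
+from app.translator.platforms.athena.const import DEFAULT_ATHENA_CTI_MAPPING, athena_query_details
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class AthenaCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "SELECT * from eventlog where {result}\n"
     final_result_for_one: str = "SELECT * from eventlog where {result}\n"
-    default_mapping = DEFAULT_ATHENA_MAPPING
+    default_mapping = DEFAULT_ATHENA_CTI_MAPPING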
