Skip to content

Gis 9137 Create IOCs sigma render #222

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Dec 17, 2024
Merged

Gis 9137 Create IOCs sigma render #222

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
a033392
gis-9137 add sigma cti render
nazargesyk Nov 14, 2024
6a98de3
Merge branch 'prod' into 'gis-9137'
nazargesyk Dec 3, 2024
fc418e0
Merge branch 'main' into gis-9137
nazargesyk Dec 17, 2024
e220ae4
Merge branch 'main' into gis-9137
nazargesyk Dec 17, 2024
6c0a565
merge
nazargesyk Dec 17, 2024
aa56c12
Merge branch 'main' into gis-9137
nazargesyk Dec 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions uncoder-core/app/routers/ioc_translate.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,10 @@

from app.models.ioc_translation import CTIPlatform, OneTranslationCTIData
from app.models.translation import InfoMessage
from app.translator.cti_translator import CTITranslator
from app.translator.cti_translator import cti_translator
from app.translator.tools.const import HashType, IocParsingRule, IOCType

iocs_router = APIRouter()
cti_translator = CTITranslator()


@iocs_router.post("/iocs/translate", description="Parse IOCs from text.")
Expand Down
3 changes: 3 additions & 0 deletions uncoder-core/app/translator/cti_translator.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,3 +86,6 @@ def __get_iocs_chunk(
@classmethod
def get_renders(cls) -> list:
return cls.render_manager.get_platforms_details


cti_translator = CTITranslator()
14 changes: 14 additions & 0 deletions uncoder-core/app/translator/platforms/arcsight/const.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,18 @@
"alt_platform_name": "CEF",
}


DEFAULT_ARCSIGHT_CTI_MAPPING = {
"SourceIP": "sourceAddress",
"DestinationIP": "destinationAddress",
"Domain": "destinationDnsDomain",
"URL": "requestUrl",
"HashMd5": "fileHash",
"HashSha1": "fileHash",
"HashSha256": "fileHash",
"HashSha512": "fileHash",
"Emails": "sender-address",
"Files": "winlog.event_data.TargetFilename",
}

arcsight_query_details = PlatformDetails(**ARCSIGHT_QUERY_DETAILS)
Empty file removed uncoder-core/app/translator/platforms/arcsight/mappings/__init__.py
View file
Open in desktop
Empty file.
12 changes: 0 additions & 12 deletions uncoder-core/app/translator/platforms/arcsight/mappings/arcsight_cti.py
View file
Open in desktop

This file was deleted.

5 changes: 2 additions & 3 deletions uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,14 @@
from app.translator.core.models.platform_details import PlatformDetails
from app.translator.core.render_cti import RenderCTI
from app.translator.managers import render_cti_manager
from app.translator.platforms.arcsight.const import arcsight_query_details
from app.translator.platforms.arcsight.mappings.arcsight_cti import DEFAULT_ARCSIGHT_MAPPING
from app.translator.platforms.arcsight.const import arcsight_query_details, DEFAULT_ARCSIGHT_CTI_MAPPING


@render_cti_manager.register
class ArcsightKeyword(RenderCTI):
details: PlatformDetails = arcsight_query_details

default_mapping = DEFAULT_ARCSIGHT_MAPPING
default_mapping = DEFAULT_ARCSIGHT_CTI_MAPPING
field_value_template: str = "{key} = {value}"
or_operator: str = " OR "
group_or_operator: str = " OR "
Expand Down
14 changes: 14 additions & 0 deletions uncoder-core/app/translator/platforms/athena/const.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,18 @@
"alt_platform_name": "OCSF",
}

DEFAULT_ATHENA_CTI_MAPPING = {
"SourceIP": "src_endpoint",
"DestinationIP": "dst_endpoint",
"Domain": "dst_endpoint",
"URL": "http_request",
"HashMd5": "unmapped.file.hash.md5",
"HashSha1": "unmapped.file.hash.sha1",
"HashSha256": "unmapped.file.hash.sha256",
"HashSha512": "unmapped.file.hash.sha512",
"Email": "email",
"FileName": "file.name",
}


athena_query_details = PlatformDetails(**ATHENA_QUERY_DETAILS)
Empty file removed uncoder-core/app/translator/platforms/athena/mappings/__init__.py
View file
Open in desktop
Empty file.
12 changes: 0 additions & 12 deletions uncoder-core/app/translator/platforms/athena/mappings/athena_cti.py
View file
Open in desktop

This file was deleted.

5 changes: 2 additions & 3 deletions uncoder-core/app/translator/platforms/athena/renders/athena_cti.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,7 @@
from app.translator.core.models.platform_details import PlatformDetails
from app.translator.core.render_cti import RenderCTI
from app.translator.managers import render_cti_manager
from app.translator.platforms.athena.const import athena_query_details
from app.translator.platforms.athena.mappings.athena_cti import DEFAULT_ATHENA_MAPPING
from app.translator.platforms.athena.const import DEFAULT_ATHENA_CTI_MAPPING, athena_query_details


@render_cti_manager.register
Expand All @@ -35,4 +34,4 @@ class AthenaCTI(RenderCTI):
result_join: str = ""
final_result_for_many: str = "SELECT * from eventlog where {result}\n"
final_result_for_one: str = "SELECT * from eventlog where {result}\n"
default_mapping = DEFAULT_ATHENA_MAPPING
default_mapping = DEFAULT_ATHENA_CTI_MAPPING
12 changes: 12 additions & 0 deletions uncoder-core/app/translator/platforms/chronicle/const.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,5 +37,17 @@
**PLATFORM_DETAILS,
}

DEFAULT_CHRONICLE_CTI_MAPPING = {
"DestinationIP": "target.ip",
"SourceIP": "principal.ip",
"HashSha256": "target.file.sha256",
"HashMd5": "target.file.md5",
"Emails": "network.email.from",
"Domain": "target.hostname",
"HashSha1": "target.file.sha1",
"Files": "target.file.full_path",
"URL": "target.url",
}

chronicle_query_details = PlatformDetails(**CHRONICLE_QUERY_DETAILS)
chronicle_rule_details = PlatformDetails(**CHRONICLE_RULE_DETAILS)
Empty file removed uncoder-core/app/translator/platforms/chronicle/mappings/__init__.py
View file
Open in desktop
Empty file.
11 changes: 0 additions & 11 deletions uncoder-core/app/translator/platforms/chronicle/mappings/chronicle_cti.py
View file
Open in desktop

This file was deleted.

5 changes: 2 additions & 3 deletions uncoder-core/app/translator/platforms/chronicle/renders/chronicle_cti.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,7 @@
from app.translator.core.models.platform_details import PlatformDetails
from app.translator.core.render_cti import RenderCTI
from app.translator.managers import render_cti_manager
from app.translator.platforms.chronicle.const import chronicle_query_details
from app.translator.platforms.chronicle.mappings.chronicle_cti import DEFAULT_CHRONICLE_MAPPING
from app.translator.platforms.chronicle.const import DEFAULT_CHRONICLE_CTI_MAPPING, chronicle_query_details


@render_cti_manager.register
Expand All @@ -35,4 +34,4 @@ class ChronicleQueryCTI(RenderCTI):
result_join: str = ""
final_result_for_many: str = "{result}\n"
final_result_for_one: str = "{result}\n"
default_mapping = DEFAULT_CHRONICLE_MAPPING
default_mapping = DEFAULT_CHRONICLE_CTI_MAPPING
13 changes: 13 additions & 0 deletions uncoder-core/app/translator/platforms/crowdstrike/const.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,17 @@
"group_name": "CrowdStrike Endpoint Security",
}

DEFAULT_CROWDSTRIKE_CTI_MAPPING = {
"DestinationIP": "RemoteAddressIP4",
"SourceIP": "LocalAddressIP4",
"HashSha256": "SHA256HashData",
"HashMd5": "MD5HashData",
"Emails": "emails",
"Domain": "DomainName",
"HashSha1": "SHA1HashData",
"Files": "TargetFileName",
"URL": "HttpUrl",
}


crowdstrike_query_details = PlatformDetails(**CROWDSTRIKE_QUERY_DETAILS)
Empty file removed uncoder-core/app/translator/platforms/crowdstrike/mappings/__init__.py
View file
Open in desktop
Empty file.
11 changes: 0 additions & 11 deletions uncoder-core/app/translator/platforms/crowdstrike/mappings/crowdstrike_cti.py
View file
Open in desktop

This file was deleted.

5 changes: 2 additions & 3 deletions uncoder-core/app/translator/platforms/crowdstrike/renders/crowdstrike_cti.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,7 @@
from app.translator.core.models.platform_details import PlatformDetails
from app.translator.core.render_cti import RenderCTI
from app.translator.managers import render_cti_manager
from app.translator.platforms.crowdstrike.const import crowdstrike_query_details
from app.translator.platforms.crowdstrike.mappings.crowdstrike_cti import DEFAULT_CROWDSTRIKE_MAPPING
from app.translator.platforms.crowdstrike.const import DEFAULT_CROWDSTRIKE_CTI_MAPPING, crowdstrike_query_details


@render_cti_manager.register
Expand All @@ -35,4 +34,4 @@ class CrowdStrikeCTI(RenderCTI):
result_join: str = ""
final_result_for_many: str = "({result})\n"
final_result_for_one: str = "{result}\n"
default_mapping = DEFAULT_CROWDSTRIKE_MAPPING
default_mapping = DEFAULT_CROWDSTRIKE_CTI_MAPPING
13 changes: 13 additions & 0 deletions uncoder-core/app/translator/platforms/elasticsearch/const.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -240,3 +240,16 @@
"query": "",
"actions": [],
}

DEFAULT_ELASTICSEARCH_CTI_MAPPING = {
"DestinationIP": "destination.ip",
"SourceIP": "source.ip",
"HashSha512": "file.hash.sha512",
"HashSha256": "file.hash.sha256",
"HashMd5": "file.hash.md5",
"Emails": "email.from.address",
"Domain": "destination.domain",
"HashSha1": "file.hash.sha1",
"Files": "file.name",
"URL": "url.original",
}
Empty file removed uncoder-core/app/translator/platforms/elasticsearch/mappings/__init__.py
View file
Open in desktop
Empty file.
12 changes: 0 additions & 12 deletions uncoder-core/app/translator/platforms/elasticsearch/mappings/elasticsearch_cti_cti.py
View file
Open in desktop

This file was deleted.

8 changes: 5 additions & 3 deletions uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_cti.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,10 @@
from app.translator.core.models.platform_details import PlatformDetails
from app.translator.core.render_cti import RenderCTI
from app.translator.managers import render_cti_manager
from app.translator.platforms.elasticsearch.const import elasticsearch_lucene_query_details
from app.translator.platforms.elasticsearch.mappings.elasticsearch_cti_cti import DEFAULT_ELASTICSEARCH_MAPPING
from app.translator.platforms.elasticsearch.const import (
DEFAULT_ELASTICSEARCH_CTI_MAPPING,
elasticsearch_lucene_query_details,
)


@render_cti_manager.register
Expand All @@ -35,4 +37,4 @@ class ElasticsearchCTI(RenderCTI):
result_join: str = ""
final_result_for_many: str = "({result})\n"
final_result_for_one: str = "{result}\n"
default_mapping = DEFAULT_ELASTICSEARCH_MAPPING
default_mapping = DEFAULT_ELASTICSEARCH_CTI_MAPPING
1 change: 0 additions & 1 deletion uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_eql.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,6 @@ def is_not_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: # noqa: AR


@render_manager.register

class ElasticSearchEQLQueryRender(ExtraConditionMixin, PlatformQueryRender):
details: PlatformDetails = elastic_eql_query_details
mappings: LuceneMappings = elastic_eql_query_mappings
Expand Down
13 changes: 13 additions & 0 deletions uncoder-core/app/translator/platforms/fireeye_helix/const.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,16 @@
"group_id": "fireeye",
"platform_name": "Query",
}

DEFAULT_FIREEYE_HELIX_CTI_MAPPING = {
"SourceIP": "~srcipv4",
"DestinationIP": "~dstipv4",
"Domain": "domain",
"URL": "url",
"HashMd5": "~hash",
"HashSha1": "~hash",
"HashSha256": "~hash",
"HashSha512": "~hash",
"Emails": "emails",
"Files": "filepath",
}
Empty file removed uncoder-core/app/translator/platforms/fireeye_helix/mappings/__init__.py
View file
Open in desktop
Empty file.
12 changes: 0 additions & 12 deletions uncoder-core/app/translator/platforms/fireeye_helix/mappings/fireeye_helix.py
View file
Open in desktop

This file was deleted.

5 changes: 2 additions & 3 deletions uncoder-core/app/translator/platforms/fireeye_helix/renders/fireeye_helix_cti.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,7 @@
from app.translator.core.models.platform_details import PlatformDetails
from app.translator.core.render_cti import RenderCTI
from app.translator.managers import render_cti_manager
from app.translator.platforms.fireeye_helix.const import FIREEYE_HELIX_QUERY_DETAILS
from app.translator.platforms.fireeye_helix.mappings.fireeye_helix import DEFAULT_FIREEYE_HELIX_MAPPING
from app.translator.platforms.fireeye_helix.const import DEFAULT_FIREEYE_HELIX_CTI_MAPPING, FIREEYE_HELIX_QUERY_DETAILS


@render_cti_manager.register
Expand All @@ -35,4 +34,4 @@ class FireeyeHelixCTI(RenderCTI):
result_join: str = ""
final_result_for_many: str = "({result})\n"
final_result_for_one: str = "{result}\n"
default_mapping = DEFAULT_FIREEYE_HELIX_MAPPING
default_mapping = DEFAULT_FIREEYE_HELIX_CTI_MAPPING
13 changes: 13 additions & 0 deletions uncoder-core/app/translator/platforms/graylog/const.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,5 +8,18 @@
"group_id": "graylog",
}

DEFAULT_GRAYLOG_CTI_MAPPING = {
"SourceIP": "source.ip",
"DestinationIP": "destination.ip",
"Domain": "destination.domain",
"URL": "url.original",
"HashMd5": "file.hash.md5",
"HashSha1": "file.hash.sha1",
"HashSha256": "file.hash.sha256",
"HashSha512": "file.hash.sha512",
"Emails": "emails",
"Files": "filePath",
}


graylog_query_details = PlatformDetails(**GRAYLOG_QUERY_DETAILS)
Empty file removed uncoder-core/app/translator/platforms/graylog/mappings/__init__.py
View file
Open in desktop
Empty file.
12 changes: 0 additions & 12 deletions uncoder-core/app/translator/platforms/graylog/mappings/graylog_cti.py
View file
Open in desktop

This file was deleted.

5 changes: 2 additions & 3 deletions uncoder-core/app/translator/platforms/graylog/renders/graylog_cti.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,7 @@
from app.translator.core.models.platform_details import PlatformDetails
from app.translator.core.render_cti import RenderCTI
from app.translator.managers import render_cti_manager
from app.translator.platforms.graylog.const import GRAYLOG_QUERY_DETAILS
from app.translator.platforms.graylog.mappings.graylog_cti import DEFAULT_GRAYLOG_MAPPING
from app.translator.platforms.graylog.const import DEFAULT_GRAYLOG_CTI_MAPPING, GRAYLOG_QUERY_DETAILS


@render_cti_manager.register
Expand All @@ -35,4 +34,4 @@ class GraylogCTI(RenderCTI):
result_join: str = ""
final_result_for_many: str = "({result})\n"
final_result_for_one: str = "{result}\n"
default_mapping = DEFAULT_GRAYLOG_MAPPING
default_mapping = DEFAULT_GRAYLOG_CTI_MAPPING
13 changes: 13 additions & 0 deletions uncoder-core/app/translator/platforms/logpoint/const.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,16 @@
"platform_name": "Query",
"group_id": "logpoint",
}

DEFAULT_LOGPOINT_CTI_MAPPING = {
"DestinationIP": "dst_ip",
"SourceIP": "src_ip",
"HashSha512": "hash",
"HashSha256": "hash",
"HashMd5": "hash",
"Emails": "emails",
"Domain": "host",
"HashSha1": "hash",
"Files": "files",
"URL": "url",
}
Empty file removed uncoder-core/app/translator/platforms/logpoint/mappings/__init__.py
View file
Open in desktop
Empty file.
12 changes: 0 additions & 12 deletions uncoder-core/app/translator/platforms/logpoint/mappings/logpoint_cti.py
View file
Open in desktop

This file was deleted.

Loading
Loading
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy