UncoderIO
diff --git a/‎translator/app/translator/core/models/parser_output.py
Lines changed: 5 additions & 0 deletions b/‎translator/app/translator/core/models/parser_output.py
Lines changed: 5 additions & 0 deletions
diff --git a/‎translator/app/translator/mappings/platforms/logrhythm_axon/default.yml
Lines changed: 304 additions & 0 deletions b/‎translator/app/translator/mappings/platforms/logrhythm_axon/default.yml
Lines changed: 304 additions & 0 deletions
diff --git a/‎translator/app/translator/platforms/__init__.py
Lines changed: 4 additions & 0 deletions b/‎translator/app/translator/platforms/__init__.py
Lines changed: 4 additions & 0 deletions
diff --git a/‎translator/app/translator/platforms/logrhythm_axon/__init__.py b/‎translator/app/translator/platforms/logrhythm_axon/__init__.py
@@ -5,6 +5,7 @@
 
 from app.translator.core.custom_types.meta_info import SeverityType
 from app.translator.core.mapping import DEFAULT_MAPPING_NAME
+from app.translator.core.models.field import Field
 from app.translator.core.models.functions.base import ParsedFunctions
 
 
@@ -17,6 +18,7 @@ def __init__(
         description: Optional[str] = None,
         author: Optional[str] = None,
         date: Optional[str] = None,
+        fields: Optional[list[Field]] = None,
         license_: Optional[str] = None,
         severity: Optional[str] = None,
         references: Optional[list[str]] = None,
@@ -25,20 +27,23 @@ def __init__(
         status: Optional[str] = None,
         false_positives: Optional[list[str]] = None,
         source_mapping_ids: Optional[list[str]] = None,
+        parsed_logsources: Optional[dict] = None
     ) -> None:
         self.id = id_ or str(uuid.uuid4())
         self.title = title or ""
         self.description = description or ""
         self.author = author or ""
         self.date = date or datetime.now().date().strftime("%Y-%m-%d")
         self.license = license_ or "DRL 1.1"
+        self.fields = fields or []
         self.severity = severity or SeverityType.low
         self.references = references or []
         self.tags = tags or []
         self.mitre_attack = mitre_attack or {}
         self.status = status or "stable"
         self.false_positives = false_positives or []
         self.source_mapping_ids = source_mapping_ids or [DEFAULT_MAPPING_NAME]
+        self.parsed_logsources = parsed_logsources or {}
 
 
 @dataclass
 
@@ -0,0 +1,304 @@
+platform: LogRhythm Axon
+source: default
+description: Text that describe current mapping
+
+field_mapping:
+  EventID: vendor_information.id
+  Channel: general_information.log_source.type_name
+  ComputerName: origin.host.name
+  FileName: object.file.name
+  ProcessId: object.process.id
+  Image: object.process.name
+  AccountEmail: unattributed.account.email_address
+  ContextInfo: general_information.raw_message
+  CurrentDirectory: object.process.path
+  ParentProcessId: object.process.parent_process.id
+  ParentImage: object.process.parent_process.path
+  ParentCommandLine: object.process.parent_process.command_line
+  TargetFilename: object.file.name
+  SourceIp: origin.host.ip_address.value
+  SourceHostname: origin.host.name
+  SourcePort: origin.host.network_port.value
+  DestinationIp: target.host.ip_address.value
+  DestinationHostname:
+    - target.host.name
+    - target.host.domain
+  DestinationPort: target.host.network_port.value
+  DestinationPortName: action.network.protocol.name
+  ImageLoaded: object.file.path
+  SignatureStatus: object.process.signature.status
+  SourceProcessId: object.process.id
+  SourceImage: object.process.name
+  Device: object.process.path
+  Destination: object.process.name
+  QueryName: action.dns.query
+  QueryStatus: action.dns.result
+  CommandName: object.process.command_line
+  CommandPath: object.process.path
+  HostApplication: object.script.command_line
+  HostName: origin.host.name
+  ScriptName: object.script.name
+  ScriptBlockText: object.script.command_line
+  ScriptBlockId: object.script.id
+  Application: object.process.name
+  ClientAddress: origin.host.ip_address.value
+  ClientName: origin.host.domain.name
+  DestAddress: target.host.ip_address.value
+  DestPort: target.host.network_port.value
+  IpAddress: origin.host.ip_address.value
+  IpPort: origin.host.network_port.value
+  NewProcessId: object.process.id
+  NewProcessName: object.process.name
+  ParentProcessName: object.process.parent_process.name
+  ProcessName: object.process.name
+  SourceAddress: origin.host.ip_address.value
+  WorkstationName: origin.host.name
+  destination.port: target.host.network_port.value
+  dst: target.host.ip_address.value
+  dst_ip: target.host.ip_address.value
+  dst_port: target.host.network_port.value
+  network_application:
+    - action.network.protocol.name
+    - object.url.protocol
+  network_protocol: action.network.protocol.name
+  proto: action.network.protocol.name
+  src: origin.host.ip_address.value
+  src_ip: origin.host.ip_address.value
+  src_port: origin.host.network_port.value
+  action: action.command
+  mqtt_action: action.command
+  smb_action: action.command
+  tunnel_action: action.command
+  arg: object.process.command_args
+  ftp_arg: object.process.command_args
+  mysql_arg: object.process.command_args
+  pop3_arg: object.process.command_args
+  client: origin.host.ip_address.value
+  command: action.command
+  ftp_command: action.command
+  irc_command: action.command
+  pop3_command: action.command
+  duration: action.duration
+  from: origin.account.email_address
+  kerberos_from: origin.account.email_address
+  smtp_from: origin.account.email_address
+  method: action.network.http_method
+  http_method: action.network.http_method
+  sip_method: action.network.http_method
+  name: object.file.name
+  smb_files_name: object.file.name
+  software_name: object.file.name
+  weird_name: object.file.name
+  path: object.file.path
+  smb_mapping_path: object.file.path
+  smb_files_path: object.file.path
+  smtp_files_path: object.file.path
+  password: object.file.name
+  reply_to: target.account.email_address
+  response_body_len: action.network.byte_information.received
+  request_body_len: action.network.byte_information.sent
+  rtt: action.duration
+  status_code: action.result.code
+  known_certs_subject: object.certificate.subject
+  sip_subject: object.email_message.subject
+  smtp_subject: object.email_message.subject
+  ssl_subject: object.certificate.subject
+  username: origin.account.name
+  uri: object.url.path
+  user: origin.account.name
+  user_agent: action.user_agent
+  http_user_agent: action.user_agent
+  gquic_user_agent: action.user_agent
+  sip_user_agent: action.user_agent
+  smtp_user_agent: action.user_agent
+  version: object.file.version
+  gquic_version: object.file.version
+  http_version: object.file.version
+  ntp_version: object.file.version
+  socks_version: object.file.version
+  snmp_version: object.file.version
+  ssh_version: object.file.version
+  tls_version: object.file.version
+  answer: action.dns.result
+  question_length: action.network.byte_information.total
+  record_type: action.dns.record_type
+  parent_domain: target.host.domain
+  cs-bytes: action.network.byte_information.received
+  r-dns: target.host.domain
+  sc-bytes: action.network.byte_information.received
+  sc-status: action.result.code
+  c-uri: object.url.complete
+  c-uri-extension: object.url.type
+  c-uri-query: object.url.query
+  c-uri-stem: object.url.complete
+  c-useragent: action.user_agent
+  cs-host:
+    - target.host.name
+    - target.host.domain
+  cs-method: action.network.http_method
+  cs-version: object.file.version
+  uid: action.session.id
+  endpoint: origin.host.name
+  domain: target.host.domain
+  host_name: target.host.name
+  client_fqdn: origin.host.name
+  requested_addr: target.host.ip_address.value
+  server_addr: target.host.ip_address.value
+  qtype: action.dns.record_type
+  qtype_name: action.dns.record_type
+  query: action.dns.query
+  rcode_name: action.dns.result
+  md5: unattributed.hash.md5
+  sha1: unattributed.hash.sha1
+  sha256: unattributed.hash.sha256
+  sha512: unattributed.hash.sha512
+  filename: object.file.name
+  host:
+    - unattributed.host.name
+    - unattributed.host.ip_address.value
+  domainname: unattributed.host.name
+  hostname: unattributed.host.name
+  server_nb_computer_name: unattributed.host.name
+  server_tree_name: unattributed.host.name
+  server_dns_computer_name: unattributed.host.name
+  machine: unattributed.host.name
+  os: origin.host.os.platform
+  mac: unattributed.host.mac_address
+  result:
+    - action.result.message
+    - action.result.code
+    - action.result.reason
+  mailfrom: origin.account.email_address
+  rcptto: target.account.email_address
+  second_received: target.account.email_address
+  server_name: unattributed.host.name
+  c-ip: origin.host.ip_address.value
+  cs-uri: object.url.path
+  cs-uri-query: object.url.query
+  cs-uri-stem: object.url.complete
+  clientip: origin.host.ip_address.value
+  clientIP: origin.host.ip_address.value
+  dest_domain:
+    - target.host.name
+    - target.host.domain
+  dest_ip: target.host.ip_address.value
+  dest_port: target.host.network_port.value
+  agent.version: object.file.version
+  destination.hostname:
+    - target.host.name
+    - target.host.domain
+  DestinationAddress:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+  DestinationIP: target.host.ip_address.value
+  dst-ip: target.host.ip_address.value
+  dstip: target.host.ip_address.value
+  dstport: target.host.ip_address.value
+  Host: target.host.name
+  HostVersion: object.file.version
+  http_host:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+  http_uri: object.url.path
+  http_url: object.url.complete
+  http.request.url-query-params: object.url.query
+  HttpMethod: action.network.http_method
+  in_url: object.url.path
+  post_url_parameter: object.url.path
+  Request_Url: object.url.complete
+  request_url: object.url.complete
+  request_URL: object.url.complete
+  RequestUrl: object.url.complete
+  resource.url: object.url.path
+  resource.URL: object.url.path
+  sc_status: action.result.code
+  sender_domain:
+    - target.host.name
+    - target.host.domain
+  service.response_code: action.result.code
+  source:
+    - origin.host.name
+    - origin.host.domain.name
+    - origin.host.ip_address.value
+  SourceAddr: origin.host.ip_address.value
+  SourceIP: origin.host.ip_address.value
+  SourceNetworkAddress: origin.host.ip_address.value
+  srcip: origin.host.ip_address.value
+  Status: action.result.code
+  status: action.result.code
+  url: object.url.path
+  URL: object.url.path
+  url_query: object.url.query
+  url.query: object.url.query
+  uri_path: object.url.path
+  user_agent.name: action.user_agent
+  user-agent: action.user_agent
+  User-Agent: action.user_agent
+  useragent: action.user_agent
+  UserAgent: action.user_agent
+  User_Agent: action.user_agent
+  web_dest:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+    - object.url.domain
+  web.dest:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+    - object.url.domain
+  Web.dest:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+    - object.url.domain
+  web.host:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+    - object.url.domain
+  Web.host:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+    - object.url.domain
+  web_method: action.network.http_method
+  Web_method: action.network.http_method
+  web.method: action.network.http_method
+  Web.method: action.network.http_method
+  web_src: origin.host.ip_address.value
+  web_status: action.result.code
+  Web_status: action.result.code
+  web.status: action.result.code
+  Web.status: action.result.code
+  web_uri: object.url.path
+  web_url: object.url.complete
+  destination.ip: target.host.ip_address.value
+  source.ip: origin.host.ip_address.value
+  source.port: origin.host.ip_address.value
+  Computer:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+  OriginalFileName: object.file.name
+  User: origin.account.name
+  EventType: action.command
+  TargetObject:
+    - object.registry_object.key
+    - object.registry_object.path
+    - object.resource.name
+  CommandLine: object.process.command_line
+  type:
+    - action.command
+    - action.type
+    - action.session.type
+  a0:
+    - object.process.command_line
+    - object.process.command_args
+    - object.process.name
+  cs-user-agent: action.user_agent
+  blocked:
+    - action.message
+    - action.result.reason
@@ -24,6 +24,8 @@
 from app.translator.platforms.graylog.renders.graylog import GraylogRender
 from app.translator.platforms.graylog.renders.graylog_cti import GraylogCTI
 from app.translator.platforms.logpoint.renders.logpoint_cti import LogpointCTI
+from app.translator.platforms.logrhythm_axon.renders.logrhythm_axon_query import LogRhythmAxonQueryRender
+from app.translator.platforms.logrhythm_axon.renders.logrhythm_axon_rule import LogRhythmAxonRuleRender
 from app.translator.platforms.logscale.parsers.logscale import LogScaleParser
 from app.translator.platforms.logscale.parsers.logscale_alert import LogScaleAlertParser
 from app.translator.platforms.logscale.renders.logscale_cti import LogScaleCTI
@@ -71,6 +73,8 @@
     ChronicleSecurityRuleRender(),
     AthenaQueryRender(),
     ElasticSearchQueryRender(),
+    LogRhythmAxonQueryRender(),
+    LogRhythmAxonRuleRender(),
     LogScaleQueryRender(),
     LogScaleAlertRender(),
     ElasticSearchRuleRender(),