
Commit 4f8ab8f

Merge branch 'main' into gis-8825
2 parents 1ca0bb3 + 0e5e0ca commit 4f8ab8f

82 files changed

+781
-236
lines changed


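--- a/uncoder-core/app/translator/core/functions.py
+++ b/uncoder-core/app/translator/core/functions.py
@@ -164,6 +164,10 @@ def order_to_render(self) -> dict[str, int]:
 
 return {}
 
+@property
+def supported_render_names(self) -> set[str]:
+return set(self._renders_map)
+
 
 class PlatformFunctions:
 dir_path: str = None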
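Review bot: `supported_render_names` has no docstring, and nothing in the hunk says what `_renders_map` is keyed by; if it is a dict of render name → render, state that so callers don't read more into the set: `"""Return the render names this function collection knows about (the keys of ``_renders_map``)."""`. The enclosing class starts above the hunk, so the type of `_renders_map` cannot be confirmed from here. A fresh set is built on every access, which is fine for membership checks but callers should not expect mutations of the returned set to affect the mapping.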

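--- a/uncoder-core/app/translator/core/models/query_container.py
+++ b/uncoder-core/app/translator/core/models/query_container.py
@@ -88,7 +88,7 @@ def __init__(
 self.risk_score = risk_score
 self.type_ = type_ or ""
 self.description = description or ""
-self.author = [v.strip() for v in author] if author else []
+self.author = [v.strip() for v in author] if author and author != [None] else []
 self.date = date or datetime.now().date().strftime("%Y-%m-%d")
 self.output_table_fields = output_table_fields or []
 self.query_fields = query_fields or []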
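Review bot: The new guard only special-cases the exact list `[None]`; a list with a `None` among real names, more than one `None`, or any non-string entry still reaches `v.strip()` and raises `AttributeError`, so one malformed `author` field in a rule file aborts the whole translation. Filtering per element is simpler and covers all of those: `self.author = [v.strip() for v in author if isinstance(v, str)] if author else []`. Where `author` comes from is outside this hunk (presumably parsed rule metadata), so the input shape is inferred rather than confirmed. `__init__` starts above the hunk and continues below it.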

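--- a/uncoder-core/app/translator/core/str_value_manager.py
+++ b/uncoder-core/app/translator/core/str_value_manager.py
@@ -182,7 +182,11 @@ class StrValueManager:
 container_spec_symbols_map: ClassVar[dict[type[BaseSpecSymbol], str]] = CONTAINER_SPEC_SYMBOLS_MAP
 
 @staticmethod
-def from_str_to_container(value: str) -> StrValue:
+def from_str_to_container(
+value: str,
+value_type: str = ValueType.value, # noqa: ARG004
+escape_symbol: Optional[str] = None, # noqa: ARG004
+) -> StrValue:
 return StrValue(value=value, split_value=[value])
 
 def from_re_str_to_container(self, value: str) -> StrValue: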
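Review bot: The base `from_str_to_container` now accepts `value_type` and `escape_symbol` but deliberately ignores both (hence the `ARG004` suppressions), and nothing says so; a reader will assume the default honours `escape_symbol`. Suggest a docstring along the lines of `"""Wrap ``value`` in a StrValue without parsing. ``value_type`` and ``escape_symbol`` are accepted only for signature compatibility with platform-specific overrides, which are expected to honour them."""`. Because no escaping happens here, any platform that falls back to this implementation passes the raw value through unchanged — presumably intended, but worth stating explicitly. `ValueType` and `Optional` must already be imported in this module; the import block is outside the hunk.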

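--- a/uncoder-core/app/translator/core/tokenizer.py
+++ b/uncoder-core/app/translator/core/tokenizer.py
@@ -162,8 +162,7 @@ def search_multi_value(
 
 def _get_field_value_match(self, query: str, operator: str, field_name: str, value_pattern: str) -> re.Match:
 field_value_pattern = self.get_field_value_pattern(operator, field_name, value_pattern)
-field_value_regex = re.compile(field_value_pattern, re.IGNORECASE)
-field_value_match = re.match(field_value_regex, query)
+field_value_match = re.match(field_value_pattern, query, re.IGNORECASE)
 if field_value_match is None:
 raise TokenizerGeneralException(error=f"Value couldn't be found in query part: {query}")
 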
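Review bot: `field_value_pattern` is assembled from `operator`, `field_name` and `value_pattern` and then handed to `re.match`, so if `get_field_value_pattern` interpolates `field_name` or `operator` without `re.escape`, a field name containing regex metacharacters taken from a rule file changes the pattern (and pathological input can make matching very slow); that helper is not in the hunk, so this is inferred. If the helper expects a literal field name and does not escape it, the cheap fix is at this call site: `field_value_pattern = self.get_field_value_pattern(operator, re.escape(field_name), value_pattern)`. The change itself is behaviour-preserving — `re.match(pattern, s, flags)` goes through the same module-level compile cache the old `re.compile` did. The method's body may continue below the hunk.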

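--- a/uncoder-core/app/translator/mappings/platforms/anomali/common.yml
+++ b/uncoder-core/app/translator/mappings/platforms/anomali/proxy.yml
@@ -1,9 +1,19 @@
 platform: Anomali
-description: Common field mapping
+source: proxy
 
 field_mapping:
 c-uri-query: url
 c-useragent: user_agent
+c-uri: url
+cs-method: http_method
+cs-bytes: bytes_out
+cs-referrer: http_referrer
+sc-status: return_code
+
+dns-query: query
+dns-answer: answer
+dns-record: record_type
+
 CommandLine: command_line
 DestinationHostname: dest
 DestinationIp: dest_ip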
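Review bot: The kept `c-uri-query: url` and the new `c-uri: url` both land on the same Anomali field, so a rule that matches only the query string is translated into a match against the whole URL, which widens or changes the condition; if Anomali exposes a separate query-string field, `c-uri-query` should use it, otherwise the collapse deserves a `# c-uri-query has no dedicated field; matched against full url` comment. The file is now declared `source: proxy`, yet it still carries the `dns-*` entries and the Sysmon-style process/registry fields below (`CommandLine`, `TargetObject`, …), which do not belong to a proxy log source and will be applied to proxy rules silently. The `field_mapping` block continues past the hunk, so the full list is not visible here.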
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
platform: Anomali
2+
source: webserver
3+
4+
field_mapping:
5+
c-uri-query: url
6+
c-useragent: user_agent
7+
c-uri: url
8+
cs-method: http_method
9+
cs-bytes: bytes_out
10+
cs-referrer: http_referrer
11+
sc-status: return_code
12+
13+
dns-query: query
14+
dns-answer: answer
15+
dns-record: record_type
16+
17+
CommandLine: command_line
18+
DestinationHostname: dest
19+
DestinationIp: dest_ip
20+
DestinationPort: dest_port
21+
Details: reg_value_data
22+
dst_ip: dest_ip
23+
dst_port: dest_port
24+
EventID: event_id
25+
EventName: event_name
26+
FileName: file_name
27+
FilePath: file_path
28+
Image: image
29+
NewProcessName: image
30+
OriginalFileName: original_file_name
31+
ParentCommandLine: parent_command_line
32+
ParentImage: parent_image
33+
ParentProcessID: parent_process_id
34+
Platform: platform
35+
ProcessCommandLine: command_line
36+
ProcessID: process_id
37+
SourceImage: parent_image
38+
SourcePort: src_port
39+
TargetFilename: file_name
40+
TargetObject: reg_key
41+
UserAgent: user_agent
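Review bot: This `webserver` mapping is a verbatim copy of the proxy mapping — same `c-uri-query: url` / `c-uri: url` collapse, same `dns-*` and Sysmon process/registry fields — so every future correction has to be made twice and the two files will drift; if the platform loader supports a shared base file, keep the common entries there and leave only webserver-specific fields here. As in the proxy file, mapping both `c-uri` and `c-uri-query` onto `url` changes what a query-string-only rule matches. The file path is hidden on this page, so the intended location is inferred from `platform`/`source`.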
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
platform: ElasticSearch ES|QL
2+
source: aws_cloudtrail
3+
log_source:
4+
index: [logs-*]
5+
default_log_source:
6+
index: logs-*
7+
field_mapping:
8+
additionalEventdata: aws.cloudtrail.additional_eventdata
9+
apiVersion: aws.cloudtrail.api_version
10+
awsRegion: cloud.region
11+
errorCode: aws.cloudtrail.error_code
12+
errorMessage: aws.cloudtrail.error_message
13+
eventID: event.id
14+
eventName: event.action
15+
eventSource: event.provider
16+
eventTime: '@timestamp'
17+
eventType: aws.cloudtrail.event_type
18+
eventVersion: aws.cloudtrail.event_version
19+
managementEvent: aws.cloudtrail.management_event
20+
readOnly: aws.cloudtrail.read_only
21+
requestID: aws.cloudtrail.request_id
22+
requestParameters: aws.cloudtrail.request_parameters
23+
resources.accountId: aws.cloudtrail.resources.account_id
24+
resources.ARN: aws.cloudtrail.resources.arn
25+
resources.type: aws.cloudtrail.resources.type
26+
responseElements: aws.cloudtrail.response_elements
27+
serviceEventDetails: aws.cloudtrail.service_event_details
28+
sharedEventId: aws.cloudtrail.shared_event_id
29+
sourceIPAddress: source.address
30+
userAgent: user_agent
31+
userIdentity.accessKeyId: aws.cloudtrail.user_identity.access_key_id
32+
userIdentity.accountId: cloud.account.id
33+
userIdentity.arn: aws.cloudtrail.user_identity.arn
34+
userIdentity.invokedBy: aws.cloudtrail.user_identity.invoked_by
35+
userIdentity.principalId: user.id
36+
userIdentity.sessionContext.attributes.creationDate: aws.cloudtrail.user_identity.session_context.creation_date
37+
userIdentity.sessionContext.attributes.mfaAuthenticated: aws.cloudtrail.user_identity.session_context.mfa_authenticated
38+
userIdentity.sessionContext.sessionIssuer.userName: role.name
39+
userIdentity.type: aws.cloudtrail.user_identity.type
40+
userIdentity.userName: user.name
41+
vpcEndpointId: aws.cloudtrail.vpc_endpoint_id
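Review bot: `userAgent: user_agent` targets an ECS object rather than a string field — in ECS the user-agent string is `user_agent.original`, which is what the Elastic AWS CloudTrail integration populates — so an ES|QL comparison against `user_agent` will not match; the line should read `userAgent: user_agent.original`. The `log_source`/`default_log_source` index `logs-*` also spans every data stream; if these mappings target the integration's stream, `logs-aws.cloudtrail-*` avoids false hits from other sources that use the same ECS names and is cheaper to query. Whether the remaining ECS targets (e.g. `user.id` for `principalId`, `role.name` for `sessionIssuer.userName`) match the deployed integration version cannot be verified from the file alone.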
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
platform: Falco
2+
source: aws_cloudtrail
3+
4+
field_mapping:
5+
eventSource: ct.src
6+
eventName: ct.name
7+
errorCode: ct.error
8+
RequestParameters: json.value[/requestParameters]
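Review bot: `RequestParameters: json.value[/requestParameters]` capitalizes the key, while CloudTrail and the other keys in this file (`eventSource`, `eventName`, `errorCode`) use lower-camel `requestParameters`; if mapping lookup is case-sensitive, rules that reference `requestParameters` will not be translated, so the line should be `requestParameters: json.value[/requestParameters]`. Nested keys such as `requestParameters.bucketName` are common in CloudTrail rules and have no entry here either; if the loader does not derive them from the parent key, they need explicit mappings (e.g. `json.value[/requestParameters/bucketName]`). Whether lookup is case-sensitive is not visible in this hunk.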
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
platform: Falco
2+
source: default
3+
4+
5+
field_mapping:
6+
{}
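Review bot: An empty `field_mapping: {}` for `source: default` gives the reader no hint whether unmapped fields fall through verbatim or fail translation, and Falco's own field names differ from Sigma's, so a one-line comment would stop someone "fixing" it later: `# Intentionally empty: Falco has no generic log source; per-source files (e.g. aws_cloudtrail.yml) hold the real mappings.`. The loader behaviour is not visible here, so adjust the wording to what it actually does with an empty map.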

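--- a/uncoder-core/app/translator/mappings/platforms/microsoft_sentinel/windows_security.yml
+++ b/uncoder-core/app/translator/mappings/platforms/microsoft_sentinel/windows_security.yml
@@ -14,16 +14,16 @@ field_mapping:
 AccessMask: AccessMask
 AccountName: AccountName
 AllowedToDelegateTo: AllowedToDelegateTo
-AttributeLDAPDisplayName:
+AttributeLDAPDisplayName: AttributeLDAPDisplayName
 AuditPolicyChanges: AuditPolicyChanges
 AuthenticationPackageName: AuthenticationPackageName
 CallingProcessName: CallingProcessName
 Channel: Channel
 ComputerName: Computer
 EventType: EventType
 FailureReason: FailureReason
-FileName: FilePath
-GrantedAccess:
+FileName: FileName
+GrantedAccess: GrantedAccess
 Hashes: FileHash
 HiveName: HiveName
 IpAddress: IpAddress
@@ -48,83 +48,83 @@ field_mapping:
 TaskContent: TaskContent
 ServiceSid: ServiceSid
 CertThumbprint: CertThumbprint
-ClassName: duplicate
-NotificationPackageName: ClassName
+ClassName: ClassName
+NotificationPackageName: NotificationPackageName
 NewSd: NewSd
 TestSigning: TestSigning
 TargetInfo: TargetInfo
-ClientProcessId: TargetInfo
+ClientProcessId: ClientProcessId
 ParentProcessId: ParentProcessId
 AccessList: AccessList
 GroupMembership: GroupMembership
 FilterName: FilterName
 ChangeType: ChangeType
 LayerName: LayerName
 ServiceAccount: ServiceAccount
-AttributeValue: ServiceAccount
+AttributeValue: AttributeValue
 SessionName: SessionName
 TaskName: TaskName
-ObjectDN: SessionName
+ObjectDN: ObjectDN
 TemplateContent: TemplateContent
 NewTemplateContent: NewTemplateContent
-SourcePort: TemplateContent
+SourcePort: SourcePort
 PasswordLastSet: PasswordLastSet
 PrivilegeList: PrivilegeList
-DeviceDescription: PasswordLastSet
-TargetServerName: PrivilegeList
-NewTargetUserName: DeviceDescription
-OperationType: TargetServerName
+DeviceDescription: DeviceDescription
+TargetServerName: TargetServerName
+NewTargetUserName: NewTargetUserName
+OperationType: OperationType
 DestPort: DestPort
-ServiceStartType: OperationType
+ServiceStartType: ServiceStartType
 OldTargetUserName: OldTargetUserName
-UserPrincipalName: ServiceStartType
+UserPrincipalName: UserPrincipalName
 Accesses: Accesses
-DnsHostName: UserPrincipalName
-DisableIntegrityChecks: AccessList
+DnsHostName: DnsHostName
+DisableIntegrityChecks: DisableIntegrityChecks
 AuditSourceName: AuditSourceName
 Workstation: Workstation
 DestAddress: DestAddress
-PreAuthType: Workstation
+PreAuthType: PreAuthType
 SecurityPackageName: SecurityPackageName
 SubjectLogonId: SubjectLogonId
 NewUacValue: NewUacValue
-EnabledPrivilegeList: SubjectLogonId
-RelativeTargetName: NewUacValue
+EnabledPrivilegeList: EnabledPrivilegeList
+RelativeTargetName: RelativeTargetName
 CertSerialNumber: CertSerialNumber
-SidHistory: RelativeTargetName
+SidHistory: SidHistory
 TargetLogonId: TargetLogonId
-KernelDebug: SidHistory
-CallerProcessName: TargetLogonId
+KernelDebug: KernelDebug
+CallerProcessName: CallerProcessName
 ProcessName: ProcessName
-Properties: CallerProcessName
-UserAccountControl: ProcessName
-RegistryValue: Properties
-SecurityID: UserAccountControl
+Properties: Properties
+UserAccountControl: UserAccountControl
+RegistryValue: RegistryValue
+SecurityID: SecurityID
 ServiceFileName: ServiceFileName
-SecurityDescriptor: SecurityID
-ServiceName: ServiceFileName
-ShareName: SecurityDescriptor
-NewValue: ServiceName
-Source: ShareName
-Status: NewValue
+SecurityDescriptor: SecurityDescriptor
+ServiceName: ServiceName
+ShareName: ShareName
+NewValue: NewValue
+Source: Source
+Status: Status
 SubjectDomainName: SubjectDomainName
-SubjectUserName: Status
-SubjectUserSid: SubjectDomainName
-SourceAddr: SubjectUserName
-SourceAddress: SubjectUserSid
+SubjectUserName: SubjectUserName
+SubjectUserSid: SubjectUserSid
+SourceAddr: SourceAddr
+SourceAddress: SourceAddress
 TargetName: TargetName
 ServicePrincipalNames: ServicePrincipalNames
-TargetDomainName: TargetName
+TargetDomainName: TargetDomainName
 TargetSid: TargetSid
-TargetUserName: TargetDomainName
-ObjectServer: TargetSid
-TargetUserSid: TargetUserName
-TicketEncryptionType: ObjectServer
-TicketOptions: TargetUserSid
+TargetUserName: TargetUserName
+ObjectServer: ObjectServer
+TargetUserSid: TargetUserSid
+TicketEncryptionType: TicketEncryptionType
+TicketOptions: TicketOptions
 WorkstationName: WorkstationName
 TransmittedServices: TransmittedServices
-AuthenticationAlgorithm: WorkstationName
-LayerRTID: TransmittedServices
+AuthenticationAlgorithm: AuthenticationAlgorithm
+LayerRTID: LayerRTID
 BSSID: BSSID
 BSSType: BSSType
 CipherAlgorithm: CipherAlgorithm
@@ -139,7 +139,7 @@ field_mapping:
 Domain: Domain
 ServiceType: ServiceType
 SourceName: SourceName
-StartType: ServiceType
+StartType: StartType
 UserID: UserID
 ParentProcessName: ParentProcessName
 Service: Service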
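Review bot: Before this fix almost every entry from `ClassName` onward pointed at the previous key's target (`SubjectUserName: Status`, `TargetUserSid: TargetUserName`, …), two keys had no value at all (`AttributeLDAPDisplayName:`, `GrantedAccess:`) and one carried the placeholder `duplicate`, so translated Sentinel queries filtered on the wrong SecurityEvent column and detections failed silently instead of erroring. Since the repair is a 46-line hand edit, a test that loads every `mappings/platforms/**/*.yml` and asserts each value is a non-empty string and not `duplicate`, plus an allow-list check of targets against known SecurityEvent columns for this file, would have caught this shift and will catch the next one. `FileName` moved from `FilePath` to `FileName`, while `ComputerName: Computer` and `Hashes: FileHash` stay as intentional non-identity mappings; those are worth confirming against the SecurityEvent schema rather than assuming. Only the three hunks shown are visible; the rest of the mapping is outside this page.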
