
Commit 54d5c36

committed
Merge branch 'prod' into 'gis-9241'
# Conflicts:
#	app/translator/platforms/arcsight/renders/arcsight_cti.py
1 parent 9186e64 commit 54d5c36


98 files changed

+812
-323
lines changed


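--- a/uncoder-core/app/routers/ioc_translate.py
+++ b/uncoder-core/app/routers/ioc_translate.py
@@ -4,11 +4,10 @@
 
 from app.models.ioc_translation import CTIPlatform, OneTranslationCTIData
 from app.models.translation import InfoMessage
-from app.translator.cti_translator import CTITranslator
+from app.translator.cti_translator import cti_translator
 from app.translator.tools.const import HashType, IocParsingRule, IOCType
 
 iocs_router = APIRouter()
-cti_translator = CTITranslator()
 
 
 @iocs_router.post("/iocs/translate", description="Parse IOCs from text.")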

uncoder-core/app/translator/cti_translator.py

Lines changed: 3 additions & 0 deletions
@@ -86,3 +86,6 @@ def __get_iocs_chunk(
8686
@classmethod
8787
def get_renders(cls) -> list:
8888
return cls.render_manager.get_platforms_details
89+
90+
91+
cti_translator = CTITranslator()
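Review bot: The new `cti_translator = CTITranslator()` at line 91 turns the constructor into an import-time side effect of `app.translator.cti_translator`, so anything that imports this module only for the `CTITranslator` class (tests, other renders) now builds the instance too, and if `__init__` does real work its cost and any failure move to import time. I cannot see `__init__` or the class header from this hunk (the class that `get_renders` belongs to starts above it), so if construction is a plain attribute assignment this is harmless. If it is not, a lazily built accessor such as `@functools.lru_cache(maxsize=None)` on `def get_cti_translator() -> CTITranslator: return CTITranslator()` defers the work and stays patchable in tests. Either way the shared object should be labelled as process-wide: `# Process-wide shared instance; must hold no per-request state.`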
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
platform: Anomali
2+
source: windows_image_load
3+
4+
5+
log_source:
6+
product: [windows]
7+
category: [image_load]
8+
9+
default_log_source:
10+
product: windows
11+
category: image_load
12+
13+
field_mapping:
14+
Image: image
15+
#ImageLoaded: ImageLoaded
16+
#SignatureStatus: SignatureStatus
17+
OriginalFileName: original_file_name
18+
#Signed: Signed
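Review bot: The only active mappings are `Image` and `OriginalFileName`; `ImageLoaded` (line 15), the field nearly every Sigma image_load rule selects on, is commented out, so a rule such as `ImageLoaded|endswith: '\amsi.dll'` has no Anomali target in this mapping. I cannot tell from this file whether the translator falls back to the raw field name or rejects the rule when a field is unmapped, but either outcome is surprising for this category. If Anomali genuinely has no loaded-module field, record that next to the line, e.g. `#ImageLoaded: ImageLoaded  # TODO: no Anomali equivalent confirmed; rules keyed on it will not translate`, otherwise map it.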
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
platform: Anomali
2+
source: windows_network_connection
3+
4+
5+
log_source:
6+
product: [windows]
7+
category: [network_connection]
8+
9+
default_log_source:
10+
product: windows
11+
category: network_connection
12+
13+
field_mapping:
14+
Image: image
15+
DestinationHostname: dest
16+
DestinationIp: dest_ip
17+
DestinationPort: dest_port
18+
SourceIp: src_ip
19+
SourcePort: src_port
20+
#Initiated: Initiated
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
platform: Anomali
2+
source: windows_pipe_created
3+
4+
5+
log_source:
6+
product: [windows]
7+
category: [pipe_created]
8+
9+
default_log_source:
10+
product: windows
11+
category: pipe_created
12+
13+
field_mapping:
14+
EventID: event_id
15+
#PipeName: PipeName
16+
Image: image
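Review bot: `PipeName` (line 15) is commented out, leaving only `EventID` and `Image` mapped; Sysmon EID 17/18 detections (Cobalt Strike, PsExec and similar named-pipe indicators) are keyed almost entirely on `PipeName`, so they either degrade to "any pipe event from this image" or fail, depending on how the translator treats unmapped fields, which this file does not show. Please either map it or annotate why it is disabled: `#PipeName: PipeName  # TODO: confirm Anomali field; without it EID 17/18 rules lose their main selector`.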
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
2+
platform: Anomali
3+
source: windows_process_access
4+
5+
6+
log_source:
7+
product: [windows]
8+
category: [process_access]
9+
10+
default_log_source:
11+
product: windows
12+
category: process_access
13+
14+
field_mapping:
15+
#SourceProcessGUID: SourceProcessGUID
16+
#SourceProcessId: SourceProcessId
17+
#SourceThreadId: SourceThreadId
18+
#ourceImage: SourceImage
19+
#TargetProcessGUID: TargetProcessGUID
20+
#TargerProcessId: TargerProcessId
21+
#TargetImage: TargetImage
22+
#GrantedAccess: GrantedAccess
23+
#CallTrace: CallTrace
24+
User: user
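Review bot: Every process_access field except `User` is commented out (lines 15–23), so the standard LSASS-access rules (`TargetImage|endswith: '\lsass.exe'` combined with `GrantedAccess`) have no selector left to translate; if the translator errors on unmapped fields they fail outright, and if it passes raw names through they silently query fields Anomali may not have. Two of the disabled keys are also misspelled, `#ourceImage: SourceImage` (line 18) and `#TargerProcessId: TargerProcessId` (line 20), which will bite the moment someone uncomments them, so correct them now to `#SourceImage: SourceImage` and `#TargetProcessId: TargetProcessId`. The file also opens with a stray blank line (line 1) that none of its sibling mappings have.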
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
platform: Anomali
2+
source: windows_process_creation
3+
4+
5+
log_source:
6+
product: [windows]
7+
category: [process_creation]
8+
9+
default_log_source:
10+
product: windows
11+
category: process_creation
12+
13+
field_mapping:
14+
CommandLine: command_line
15+
#CurrentDirectory: CurrentDirectory
16+
Hashes: file_hash
17+
Image: image
18+
#IntegrityLevel: IntegrityLevel
19+
ParentCommandLine: parent_command_line
20+
ParentImage: parent_image
21+
#ParentUser: ParentUser
22+
#Product: Product
23+
User: user
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
platform: Anomali
2+
source: windows_registry_event
3+
4+
log_source:
5+
product: [windows]
6+
category: [registry_event, registry_set, registry_delete, registry_add]
7+
8+
default_log_source:
9+
product: windows
10+
category: registry_event
11+
12+
field_mapping:
13+
TargetObject: reg_key
14+
Image: image
15+
Details: reg_value_data
16+
EventType: event_name
17+
CommandLine: command_line
18+
#LogonId: LogonId
19+
#Product: Product
20+
#Company: Company
21+
#IntegrityLevel: IntegrityLevel
22+
#CurrentDirectory: CurrentDirectory
23+
ProcessId: process_id
24+
ParentProcessId: parent_process_id
25+
ParentCommandLine: parent_command_line
26+
ParentImage: parent_image
27+
#ParentUser: ParentUser
28+
#ParentIntegrityLevel: ParentIntegrityLevel
29+
#ParentLogonId: ParentLogonId
30+
#ParentProduct: ParentProduct
31+
#ParentCompany: ParentCompany
Lines changed: 147 additions & 0 deletions
@@ -0,0 +1,147 @@
1+
platform: Anomali
2+
source: windows_security
3+
4+
5+
log_source:
6+
product: [windows]
7+
service: [security]
8+
9+
default_log_source:
10+
product: windows
11+
service: security
12+
13+
field_mapping:
14+
EventID: event_id
15+
ParentImage: parent_image
16+
#AccessMask: AccessMask
17+
AccountName: user
18+
#AllowedToDelegateTo: AllowedToDelegateTo
19+
#AttributeLDAPDisplayName: AttributeLDAPDisplayName
20+
#AuditPolicyChanges: AuditPolicyChanges
21+
#AuthenticationPackageName: AuthenticationPackageName
22+
#CallingProcessName: CallingProcessName
23+
#Channel: Channel
24+
#ComputerName: ComputerName
25+
#EventType: EventType
26+
#FailureReason: FailureReason
27+
#FileName: FileName
28+
#GrantedAccess: GrantedAccess
29+
#Hashes: Hashes
30+
#HiveName: HiveName
31+
#IpAddress: IpAddress
32+
#IpPort: IpPort
33+
#KeyLength: KeyLength
34+
#LogonProcessName: LogonProcessName
35+
#LogonType: LogonType
36+
#LinkName: LinkName
37+
#MemberName: MemberName
38+
#MemberSid: MemberSid
39+
#NewProcessName: NewProcessName
40+
#ObjectClass: ObjectClass
41+
#ObjectType: ObjectType
42+
#ObjectValueName: ObjectValueName
43+
#Path: Path
44+
#CommandLine: CommandLine
45+
#OldUacValue: OldUacValue
46+
#CertIssuerName: CertIssuerName
47+
#SubStatus: SubStatus
48+
#DisplayName: DisplayName
49+
#TaskContent: TaskContent
50+
#ServiceSid: ServiceSid
51+
#CertThumbprint: CertThumbprint
52+
#ObjectName: ObjectName
53+
#ClassName: ClassName
54+
#NotificationPackageName: NotificationPackageName
55+
#NewSd: NewSd
56+
#TestSigning: TestSigning
57+
#TargetInfo: TargetInfo
58+
#ParentProcessId: ParentProcessId
59+
#AccessList: AccessList
60+
#GroupMembership: GroupMembership
61+
#FilterName: FilterName
62+
#ChangeType: ChangeType
63+
#LayerName: LayerName
64+
#ServiceAccount: ServiceAccount
65+
#ClientProcessId: ClientProcessId
66+
#AttributeValue: AttributeValue
67+
#SessionName: SessionName
68+
#TaskName: TaskName
69+
#ObjectDN: ObjectDN
70+
#TemplateContent: TemplateContent
71+
#NewTemplateContent: NewTemplateContent
72+
#SourcePort: SourcePort
73+
#PasswordLastSet: PasswordLastSet
74+
#PrivilegeList: PrivilegeList
75+
#DeviceDescription: DeviceDescription
76+
#TargetServerName: TargetServerName
77+
#NewTargetUserName: NewTargetUserName
78+
#OperationType: OperationType
79+
#DestPort: DestPort
80+
#ServiceStartType: ServiceStartType
81+
#OldTargetUserName: OldTargetUserName
82+
#UserPrincipalName: UserPrincipalName
83+
#Accesses: Accesses
84+
#DnsHostName: DnsHostName
85+
#DisableIntegrityChecks: DisableIntegrityChecks
86+
#AuditSourceName: AuditSourceName
87+
#Workstation: Workstation
88+
#DestAddress: DestAddress
89+
#PreAuthType: PreAuthType
90+
#SecurityPackageName: SecurityPackageName
91+
#SubjectLogonId: SubjectLogonId
92+
#NewUacValue: NewUacValue
93+
#EnabledPrivilegeList: EnabledPrivilegeList
94+
#RelativeTargetName: RelativeTargetName
95+
#CertSerialNumber: CertSerialNumber
96+
#SidHistory: SidHistory
97+
#TargetLogonId: TargetLogonId
98+
#KernelDebug: KernelDebug
99+
#CallerProcessName: CallerProcessName
100+
#Properties: Properties
101+
#UserAccountControl: UserAccountControl
102+
#RegistryValue: RegistryValue
103+
#SecurityID: SecurityID
104+
#ServiceFileName: ServiceFileName
105+
#SecurityDescriptor: SecurityDescriptor
106+
#ServiceName: ServiceName
107+
#ShareName: ShareName
108+
#NewValue: NewValue
109+
#Source: Source
110+
#Status: Status
111+
#SubjectDomainName: SubjectDomainName
112+
#SubjectUserName: SubjectUserName
113+
#SubjectUserSid: SubjectUserSid
114+
#SourceAddr: SourceAddr
115+
#SourceAddress: SourceAddress
116+
#TargetName: TargetName
117+
#ServicePrincipalNames: ServicePrincipalNames
118+
#TargetDomainName: TargetDomainName
119+
#TargetSid: TargetSid
120+
#TargetUserName: TargetUserName
121+
#ObjectServer: ObjectServer
122+
#TargetUserSid: TargetUserSid
123+
#TicketEncryptionType: TicketEncryptionType
124+
#TicketOptions: TicketOptions
125+
#WorkstationName: WorkstationName
126+
#TransmittedServices: TransmittedServices
127+
#AuthenticationAlgorithm: AuthenticationAlgorithm
128+
#LayerRTID: LayerRTID
129+
#BSSID: BSSID
130+
#BSSType: BSSType
131+
#CipherAlgorithm: CipherAlgorithm
132+
#ConnectionId: ConnectionId
133+
#ConnectionMode: ConnectionMode
134+
#InterfaceDescription: InterfaceDescription
135+
#InterfaceGuid: InterfaceGuid
136+
#OnexEnabled: OnexEnabled
137+
#PHYType: PHYType
138+
#ProfileName: ProfileName
139+
#SSID: SSID
140+
#Domain: Domain
141+
#ServiceType: ServiceType
142+
#SourceName: SourceName
143+
#StartType: StartType
144+
#UserID: UserID
145+
#ParentProcessName: ParentProcessName
146+
#Service: Service
147+
#ProcessName: ProcessName
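Review bot: `ParentImage: parent_image` (line 15) is a Sysmon field name rather than one carried by Security-channel events; the 4688 equivalent is `ParentProcessName`, which is commented out at line 145, so a Sigma rule written for `service: security` would not use the key that is mapped here. Meanwhile the fields most Security-log rules actually select on, `SubjectUserName`, `TargetUserName`, `LogonType` and `IpAddress` (lines 112, 120, 35, 31), are all disabled, while `AccountName`, which only a subset of event IDs carry, is the sole user field mapped. Please confirm which name Anomali exposes for the 4688 parent and map `ParentProcessName` to it, and either map the logon fields or mark them `# TODO: no Anomali field confirmed` so the gap is visible to rule authors.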
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,63 @@
1+
platform: Anomali
2+
source: windows_sysmon
3+
4+
5+
log_source:
6+
product: [windows]
7+
service: [sysmon]
8+
9+
default_log_source:
10+
product: windows
11+
service: sysmon
12+
13+
field_mapping:
14+
CommandLine: command_line
15+
Image: image
16+
ParentImage: parent_image
17+
EventID: event_id
18+
#CallTrace: CallTrace
19+
#Company: Company
20+
#CurrentDirectory: CurrentDirectory
21+
#Description: Description
22+
DestinationHostname: dest
23+
DestinationIp: dest_ip
24+
#DestinationIsIpv6: DestinationIsIpv6
25+
DestinationPort: dest_port
26+
#DestinationPortName: DestinationPortName
27+
Hashes: file_hash
28+
#Initiated: Initiated
29+
#IntegrityLevel: IntegrityLevel
30+
ParentCommandLine: parent_command_line
31+
#Product: Product
32+
#Protocol: Protocol
33+
#RuleName: RuleName
34+
SourceHostname: src
35+
SourceIp: src_ip
36+
#SourceIsIpv6: SourceIsIpv6
37+
SourcePort: src_port
38+
#SourcePortName: SourcePortName
39+
TargetFilename: file_name
40+
User: user
41+
OriginalFileName: original_file_name
42+
#Signed: Signed
43+
#Signature: Signature
44+
#SignatureStatus: SignatureStatus
45+
TargetObject: reg_key
46+
Details: reg_value_data
47+
QueryName: query
48+
QueryResults: record_type
49+
#QueryStatus: QueryStatus
50+
#IsExecutable: IsExecutable
51+
#PipeName: PipeName
52+
#ImageLoaded: ImageLoaded
53+
#ImagePath: ImagePath
54+
#Imphash: Imphash
55+
#SourceImage: SourceImage
56+
#StartModule: StartModule
57+
#TargetImage: TargetImage
58+
Device: dvc_name
59+
ProcessID: process_id
60+
#FileVersion: FileVersion
61+
#StartAddress: StartAddress
62+
#StartFunction: StartFunction
63+
EventType: event_name
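Review bot: `ProcessID: process_id` (line 59) uses a capital D, but the Sysmon field, and the key Sigma rules use, is `ProcessId`, which is also how the sibling registry mapping spells it (`ProcessId: process_id`); if the mapping lookup is case-sensitive, which I cannot confirm from this file, this entry never matches and should read `ProcessId: process_id`. `QueryResults: record_type` (line 48) also looks mismatched: Sysmon EID 22 `QueryResults` holds the resolved answers (IPs and CNAMEs, prefixed with a `type:` marker), so a rule like `QueryResults|contains: '1.2.3.4'` would be pointed at a record-type field. Please confirm Anomali's DNS answer field and map `QueryResults` there, or disable the entry with `# TODO: Anomali DNS answer field?` until it is known.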
