gis-8397 add CarbonBlack render

nazargesyk · nazargesyk · commit ed9b5c61eea7 · 2024-12-17T15:47:17.000+02:00
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/default.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/default.yml
@@ -0,0 +1,2 @@
+platform: CarbonBlack
+source: default
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/linux_dns_query.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/linux_dns_query.yml
@@ -0,0 +1,8 @@
+platform: CarbonBlack
+source: linux_dns_query
+
+
+field_mapping:
+  User:
+    - childproc_username
+    - process_username
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/linux_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/linux_network_connection.yml
@@ -0,0 +1,9 @@
+platform: CarbonBlack
+source: linux_network_connection
+
+
+field_mapping:
+  DestinationHostname:
+    - netconn_domain
+    - netconn_proxy_domain
+  DestinationPort: netconn_port
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/macos_dns_query.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/macos_dns_query.yml
@@ -0,0 +1,8 @@
+platform: CarbonBlack
+source: macos_dns_query
+
+
+field_mapping:
+  User:
+    - childproc_username
+    - process_username
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/macos_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/macos_network_connection.yml
@@ -0,0 +1,9 @@
+platform: CarbonBlack
+source: macos_network_connection
+
+
+field_mapping:
+  DestinationHostname:
+    - netconn_domain
+    - netconn_proxy_domain
+  DestinationPort: netconn_port
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_create_remote_thread.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_create_remote_thread.yml
@@ -0,0 +1,7 @@
+platform: CarbonBlack
+source: windows_create_remote_thread
+
+
+field_mapping:
+  SourceImage: parent_name
+  StartModule: modload_name
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_dns_query.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_dns_query.yml
@@ -0,0 +1,8 @@
+platform: CarbonBlack
+source: windows_dns_query
+
+
+field_mapping:
+  User:
+    - childproc_username
+    - process_username
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_file_event.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_file_event.yml
@@ -0,0 +1,8 @@
+platform: CarbonBlack
+source: windows_file_event
+
+
+field_mapping:
+  User:
+    - childproc_username
+    - process_username
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_image_load.yml
@@ -0,0 +1,6 @@
+platform: CarbonBlack
+source: windows_image_load
+
+
+field_mapping:
+  OriginalFileName: process_original_filename
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_network_connection.yml
@@ -0,0 +1,9 @@
+platform: CarbonBlack
+source: windows_network_connection
+
+
+field_mapping:
+  DestinationHostname:
+    - netconn_domain
+    - netconn_proxy_domain
+  DestinationPort: netconn_port
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_process_creation.yml
@@ -0,0 +1,14 @@
+platform: CarbonBlack
+source: windows_process_creation
+
+
+field_mapping:
+  Hashes:
+    - md5
+    - filewrite_md5
+    - childproc_md5
+    - parent_md5
+  User:
+    - childproc_username
+    - process_username
+  OriginalFileName: process_original_filename
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_registry_event.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_registry_event.yml
@@ -0,0 +1,9 @@
+platform: CarbonBlack
+source: windows_registry_event
+
+
+field_mapping:
+  TargetObject: regmod_name
+  User:
+    - childproc_username
+    - process_username
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_security.yml
@@ -0,0 +1,17 @@
+platform: CarbonBlack
+source: windows_security
+
+
+field_mapping:
+  AccountName:
+    - process_username
+    - childproc_username
+  ComputerName: device_name
+  NewProcessName: process_name
+  DeviceDescription:
+    - process_product_name
+    - process_product_version
+    - process_publisher
+    - process_file_description
+  DestPort: netconn_port
+  UserID: parent_name
diff --git a/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_sysmon.yml b/uncoder-core/app/translator/mappings/platforms/carbonblack/windows_sysmon.yml
@@ -0,0 +1,51 @@
+platform: CarbonBlack
+source: windows_sysmon
+
+
+
+field_mapping:
+  CommandLine: process_cmdline
+  Image: process_name
+  ParentImage: parent_name
+  Company: process_publisher
+  Description:
+    - process_product_name
+    - process_product_version
+    - process_publisher
+    - process_file_description
+  DestinationHostname:
+    - netconn_domain
+    - netconn_proxy_domain
+  DestinationIp:
+    - netconn_ipv4
+    - netconn_ipv6
+  DestinationIsIpv6: ipaddr
+  Hashes:
+    - md5
+    - filewrite_md5
+    - childproc_md5
+    - parent_md5
+  IntegrityLevel: process_integrity_level
+  ParentCommandLine: parent_cmdline
+  Product:
+    - process_product_name
+    - process_file_description
+  SourceIp:
+    - netconn_ipv4
+    - netconn_ipv6
+    - netconn_local_ipv4
+    - netconn_local_ipv6
+  SourcePort: netconn_port
+  TargetFilename: filemod_name
+  User: childproc_username;process_username
+  OriginalFileName: process_original_filename
+  Signature:
+    - childproc_publisher
+    - filemod_publisher
+    - modload_publisher
+    - parent_publisher
+    - process_publisher
+  ImageLoaded: modload_name
+  StartModule: modload_name
+  TargetImage: filemod_name
+  FileVersion: process_product_version
diff --git a/uncoder-core/app/translator/platforms/carbonblack/__init__.py b/uncoder-core/app/translator/platforms/carbonblack/__init__.py
@@ -1 +1,2 @@
+from app.translator.platforms.carbonblack.renders.carbonblack import CarbonBlackQueryRender  # noqa: F401
 from app.translator.platforms.carbonblack.renders.carbonblack_cti import CarbonBlackCTI  # noqa: F401
diff --git a/uncoder-core/app/translator/platforms/carbonblack/const.py b/uncoder-core/app/translator/platforms/carbonblack/const.py
@@ -1,7 +1,23 @@
+from app.translator.core.models.platform_details import PlatformDetails
+
 CARBON_BLACK_QUERY_DETAILS = {
     "platform_id": "carbonblack",
     "name": "Carbon Black Cloud",
     "group_name": "VMware Carbon Black",
     "group_id": "carbonblack-pack",
     "platform_name": "Query (Cloud)",
 }
+
+DEFAULT_CARBONBLACK_CTI_MAPPING = {
+    "SourceIP": "netconn_local_ipv4",
+    "DestinationIP": "netconn_ipv4",
+    "Domain": "netconn_domain",
+    "URL": "netconn_domain",
+    "HashMd5": "hash",
+    "HashSha256": "hash",
+    "Files": "filemod_name",
+    "Emails": "process_username",
+}
+
+
+carbonblack_query_details = PlatformDetails(**CARBON_BLACK_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/carbonblack/escape_manager.py b/uncoder-core/app/translator/platforms/carbonblack/escape_manager.py
@@ -0,0 +1,20 @@
+from typing import ClassVar
+
+from app.translator.core.custom_types.values import ValueType
+from app.translator.core.escape_manager import EscapeManager
+from app.translator.core.models.escape_details import EscapeDetails
+
+
+class CarbonBlackEscapeManager(EscapeManager):
+    escape_map: ClassVar[dict[str, list[EscapeDetails]]] = {
+        ValueType.value: [
+            EscapeDetails(
+                pattern='([\s+\\-=&?!|(){}.\\[\\]^"~:/]|(?<!\\\\)\\\\(?![*?\\\\])|\\\\u|&&|\\|\\|)',
+                escape_symbols="\\\\\g<1>",
+            )
+        ],
+        ValueType.regex_value: [EscapeDetails(pattern=r"([$^*+()\[\]{}|.?\-\\])", escape_symbols=r"\\\1")],
+    }
+
+
+carbon_black_escape_manager = CarbonBlackEscapeManager()
diff --git a/uncoder-core/app/translator/platforms/carbonblack/mapping.py b/uncoder-core/app/translator/platforms/carbonblack/mapping.py
@@ -0,0 +1,18 @@
+from app.translator.core.mapping import BaseStrictLogSourcesPlatformMappings, LogSourceSignature
+from app.translator.platforms.carbonblack.const import carbonblack_query_details
+
+
+class CarbonBlackLogSourceSignature(LogSourceSignature):
+    def is_suitable(self) -> bool:
+        return True
+
+    def __str__(self) -> str:
+        return ""
+
+
+class CarbonBlackMappings(BaseStrictLogSourcesPlatformMappings):
+    def prepare_log_source_signature(self, mapping: dict) -> CarbonBlackLogSourceSignature:
+        ...
+
+
+carbonblack_query_mappings = CarbonBlackMappings(platform_dir="carbonblack", platform_details=carbonblack_query_details)
diff --git a/uncoder-core/app/translator/platforms/carbonblack/mappings/__init__.py b/uncoder-core/app/translator/platforms/carbonblack/mappings/__init__.py
diff --git a/uncoder-core/app/translator/platforms/carbonblack/mappings/carbonblack_cti.py b/uncoder-core/app/translator/platforms/carbonblack/mappings/carbonblack_cti.py
diff --git a/uncoder-core/app/translator/platforms/carbonblack/renders/carbonblack.py b/uncoder-core/app/translator/platforms/carbonblack/renders/carbonblack.py
@@ -0,0 +1,103 @@
+from app.translator.const import DEFAULT_VALUE_TYPE
+from app.translator.core.custom_types.values import ValueType
+from app.translator.core.models.platform_details import PlatformDetails
+from app.translator.core.render import BaseFieldValueRender, PlatformQueryRender
+from app.translator.managers import render_manager
+from app.translator.platforms.carbonblack.const import carbonblack_query_details
+from app.translator.platforms.carbonblack.mapping import CarbonBlackMappings, carbonblack_query_mappings
+from app.translator.platforms.carbonblack.str_value_manager import (
+    CarbonBlackStrValueManager,
+    carbon_black_str_value_manager,
+)
+
+
+class CarbonBlackFieldValueRender(BaseFieldValueRender):
+    details: PlatformDetails = carbonblack_query_details
+    str_value_manager: CarbonBlackStrValueManager = carbon_black_str_value_manager
+
+    @staticmethod
+    def _wrap_str_value(value: str) -> str:
+        return f'"{value}"'
+
+    @staticmethod
+    def _wrap_int_value(value: int) -> str:
+        return f'"{value}"'
+
+    def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            return f"({self.or_token.join(self.equal_modifier(field=field, value=v) for v in value)})"
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+        return f"{field}:{value}"
+
+    def not_equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            values = [
+                self._pre_process_value(field, val, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+                for val in value
+            ]
+            return f"(NOT {field}:({self.or_token.join(values)})"
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+        return f"(NOT {field}:{self.apply_value(value)})"
+
+    def contains_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            values = self.or_token.join(
+                [f"*{self._pre_process_value(field, val, value_type=ValueType.value)}*" for val in value]
+            )
+            return f"{field}:({values})"
+        value = self._pre_process_value(field, value, value_type=ValueType.value)
+        return f"{field}:*{value}*"
+
+    def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            values = self.or_token.join(
+                [f"*{self._pre_process_value(field, val, value_type=ValueType.value)}" for val in value]
+            )
+            return f"{field}:({values})"
+        value = self._pre_process_value(field, value, value_type=ValueType.value)
+        return f"{field}:*{value}"
+
+    def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            values = self.or_token.join(
+                [f"{self._pre_process_value(field, val, value_type=ValueType.value)}*" for val in value]
+            )
+            return f"{field}:({values}"
+        value = self._pre_process_value(field, value, value_type=ValueType.value)
+        return f"{field}:{value}*"
+
+    def regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            return f"({self.or_token.join(self.regex_modifier(field=field, value=v) for v in value)})"
+        value = self._pre_process_value(field, value, value_type=ValueType.regex_value)
+        return f"{field}:/{value}/"
+
+    def keywords(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            return f"({self.or_token.join(self.keywords(field=field, value=v) for v in value)})"
+        value = self._pre_process_value(field, value, value_type=ValueType.value)
+        return f"(*{value}*)"
+
+    def is_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            return f"({self.or_token.join(self.is_none(field=field, value=v) for v in value)})"
+        return f"NOT _exists_:{field}"
+
+    def is_not_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            return f"({self.or_token.join(self.is_not_none(field=field, value=v) for v in value)})"
+        return f"_exists_:{field}"
+
+
+@render_manager.register
+class CarbonBlackQueryRender(PlatformQueryRender):
+    details: PlatformDetails = carbonblack_query_details
+    mappings: CarbonBlackMappings = carbonblack_query_mappings
+
+    or_token = "OR"
+    and_token = "AND"
+    not_token = "NOT"
+
+    comment_symbol = "//"
+
+    field_value_render = CarbonBlackFieldValueRender(or_token=or_token)
diff --git a/uncoder-core/app/translator/platforms/carbonblack/renders/carbonblack_cti.py b/uncoder-core/app/translator/platforms/carbonblack/renders/carbonblack_cti.py
@@ -20,13 +20,12 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.carbonblack.const import CARBON_BLACK_QUERY_DETAILS
-from app.translator.platforms.carbonblack.mappings.carbonblack_cti import DEFAULT_CARBONBLACK_MAPPING
+from app.translator.platforms.carbonblack.const import DEFAULT_CARBONBLACK_CTI_MAPPING, carbonblack_query_details
 
 
 @render_cti_manager.register
 class CarbonBlackCTI(RenderCTI):
-    details: PlatformDetails = PlatformDetails(**CARBON_BLACK_QUERY_DETAILS)
+    details: PlatformDetails = carbonblack_query_details
 
     field_value_template: str = "{key}:{value}"
     or_operator: str = " OR "
@@ -35,4 +34,4 @@ class CarbonBlackCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_CARBONBLACK_MAPPING
+    default_mapping = DEFAULT_CARBONBLACK_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/carbonblack/str_value_manager.py b/uncoder-core/app/translator/platforms/carbonblack/str_value_manager.py

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+platform: CarbonBlack`
	`2`	`+source: default`