From 9186e6448a3643e7023430824fc2624a00b159cf Mon Sep 17 00:00:00 2001
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com>
Date: Tue, 10 Dec 2024 15:25:11 +0200
Subject: [PATCH 1/2] gis-9241 fix ArcsightKeyword cti
---
 .../translator/platforms/arcsight/renders/arcsight_cti.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py b/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py
index 778ef04e..924a3c9e 100644
--- a/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py
+++ b/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py
@@ -1,16 +1,16 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.arcsight.const import ARCSIGHT_QUERY_DETAILS
+from app.translator.platforms.arcsight.const import arcsight_query_details
 from app.translator.platforms.arcsight.mappings.arcsight_cti import DEFAULT_ARCSIGHT_MAPPING
 @render_cti_manager.register
 class ArcsightKeyword(RenderCTI):
-    details: PlatformDetails = PlatformDetails(**ARCSIGHT_QUERY_DETAILS)
+    details: PlatformDetails = arcsight_query_details
     default_mapping = DEFAULT_ARCSIGHT_MAPPING
-    field_value_template: str = "{key} = {value}"
+    field_value_template: str = '{key} = "{value}"'
     or_operator: str = " OR "
     group_or_operator: str = " OR "
     or_group: str = "{or_group}"
From 54d5c3602812140256662a5ef49809506961aab3 Mon Sep 17 00:00:00 2001
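Review bot: The new `field_value_template: str = '{key} = "{value}"'` wraps the IoC value in double quotes, but nothing in this hunk escapes the value first, so an indicator that itself contains `"` (or a backslash, depending on what ArcSight treats as an escape) closes the literal early and the remainder of the value is emitted as query syntax; these values come from the `/iocs/translate` endpoint, which parses IoCs out of free text. Unless `RenderCTI` already escapes values before substituting them into the template — the base class is not in view — escape `"` and `\` in the value wherever this render formats `field_value_template`, and put a comment on the template line stating which escaping the ArcSight query syntax expects, so the next template change does not reintroduce the gap. Separately, `default_mapping` is the only class attribute without an annotation; `default_mapping: dict = DEFAULT_ARCSIGHT_MAPPING` would match its neighbours.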
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com> Date: Mon, 23 Dec 2024 15:59:50 +0200 Subject: [PATCH 2/2] Merge branch 'prod' into 'gis-9241' # Conflicts: # app/translator/platforms/arcsight/renders/arcsight_cti.py --- uncoder-core/app/routers/ioc_translate.py | 3 +- uncoder-core/app/translator/cti_translator.py | 3 + .../platforms/anomali/windows_image_load.yml | 18 +++ .../anomali/windows_network_connection.yml | 20 +++ .../anomali/windows_pipe_created.yml | 16 ++ .../anomali/windows_process_access.yml | 24 +++ .../anomali/windows_process_creation.yml | 23 +++ .../anomali/windows_registry_event.yml | 31 ++++ .../platforms/anomali/windows_security.yml | 147 ++++++++++++++++++ .../platforms/anomali/windows_sysmon.yml | 63 ++++++++ .../platforms/anomali/windows_system.yml | 27 ++++ .../platforms/anomali/windows_wmi_event.yml | 15 ++ .../platforms/sigma/windows_pipe_created.yml | 2 +- .../translator/platforms/arcsight/const.py | 20 ++- .../platforms/arcsight/mappings/__init__.py | 0 .../arcsight/mappings/arcsight_cti.py | 12 -- .../arcsight/renders/arcsight_cti.py | 5 +- .../app/translator/platforms/athena/const.py | 14 ++ .../platforms/athena/mappings/__init__.py | 0 .../platforms/athena/mappings/athena_cti.py | 12 -- .../platforms/athena/renders/athena_cti.py | 5 +- .../translator/platforms/carbonblack/const.py | 16 ++ .../carbonblack/mappings/__init__.py | 0 .../carbonblack/mappings/carbonblack_cti.py | 10 -- .../carbonblack/renders/carbonblack_cti.py | 7 +- .../translator/platforms/chronicle/const.py | 18 ++- .../platforms/chronicle/mappings/__init__.py | 0 .../chronicle/mappings/chronicle_cti.py | 11 -- .../chronicle/renders/chronicle_cti.py | 5 +- .../translator/platforms/crowdstrike/const.py | 13 ++ .../crowdstrike/mappings/__init__.py | 0 .../crowdstrike/mappings/crowdstrike_cti.py | 11 -- .../crowdstrike/renders/crowdstrike_cti.py | 5 +- .../platforms/elasticsearch/const.py | 13 ++ .../elasticsearch/mappings/__init__.py | 0 
.../mappings/elasticsearch_cti_cti.py | 12 -- .../renders/elasticsearch_cti.py | 8 +- .../platforms/fireeye_helix/const.py | 13 ++ .../fireeye_helix/mappings/__init__.py | 0 .../fireeye_helix/mappings/fireeye_helix.py | 12 -- .../renders/fireeye_helix_cti.py | 5 +- .../app/translator/platforms/graylog/const.py | 13 ++ .../platforms/graylog/mappings/__init__.py | 0 .../platforms/graylog/mappings/graylog_cti.py | 12 -- .../platforms/graylog/renders/graylog_cti.py | 5 +- .../translator/platforms/logpoint/const.py | 13 ++ .../platforms/logpoint/mappings/__init__.py | 0 .../logpoint/mappings/logpoint_cti.py | 12 -- .../logpoint/renders/logpoint_cti.py | 5 +- .../translator/platforms/logscale/const.py | 13 ++ .../platforms/logscale/mappings/__init__.py | 0 .../logscale/mappings/logscale_cti.py | 12 -- .../logscale/renders/logscale_cti.py | 5 +- .../translator/platforms/microsoft/const.py | 36 ++++- .../platforms/microsoft/mappings/__init__.py | 0 .../platforms/microsoft/mappings/mdatp_cti.py | 11 -- .../mappings/microsoft_sentinel_cti.py | 12 -- .../renders/microsoft_defender_cti.py | 8 +- .../renders/microsoft_sentinel_cti.py | 8 +- .../translator/platforms/opensearch/const.py | 13 ++ .../platforms/opensearch/mappings/__init__.py | 0 .../opensearch/mappings/opensearch_cti.py | 12 -- .../opensearch/renders/opensearch_cti.py | 5 +- .../app/translator/platforms/qradar/const.py | 14 ++ .../platforms/qradar/mappings/__init__.py | 0 .../platforms/qradar/mappings/qradar_cti.py | 12 -- .../platforms/qradar/renders/qradar_cti.py | 5 +- .../app/translator/platforms/qualys/const.py | 13 ++ .../platforms/qualys/mappings/__init__.py | 0 .../platforms/qualys/mappings/qualys_cti.py | 12 -- .../platforms/qualys/renders/qualys_cti.py | 5 +- .../platforms/rsa_netwitness/const.py | 13 ++ .../rsa_netwitness/mappings/__init__.py | 0 .../mappings/rsa_netwitness_cti.py | 12 -- .../renders/rsa_netwitness_cti.py | 8 +- .../translator/platforms/securonix/const.py | 13 ++ 
.../platforms/securonix/mappings/__init__.py | 0 .../securonix/mappings/securonix_cti.py | 12 -- .../securonix/renders/securonix_cti.py | 5 +- .../platforms/sentinel_one/const.py | 31 +++- .../sentinel_one/mappings/__init__.py | 0 .../platforms/sentinel_one/mappings/s1_cti.py | 12 -- .../platforms/sentinel_one/renders/s1_cti.py | 7 +- .../translator/platforms/sigma/__init__.py | 1 + .../app/translator/platforms/sigma/const.py | 12 ++ .../platforms/sigma/renders/sigma_cti.py | 43 +++++ .../translator/platforms/snowflake/const.py | 13 ++ .../platforms/snowflake/mappings/__init__.py | 0 .../snowflake/mappings/snowflake_cti.py | 12 -- .../snowflake/renders/snowflake_cti.py | 5 +- .../app/translator/platforms/splunk/const.py | 14 ++ .../platforms/splunk/mappings/__init__.py | 0 .../platforms/splunk/mappings/splunk_cti.py | 12 -- .../platforms/splunk/renders/splunk_cti.py | 5 +- .../translator/platforms/sumo_logic/const.py | 13 ++ .../platforms/sumo_logic/mappings/__init__.py | 0 .../sumo_logic/mappings/sumologic_cti.py | 12 -- .../sumo_logic/renders/sumologic_cti.py | 5 +- 98 files changed, 812 insertions(+), 323 deletions(-) create mode 100644 uncoder-core/app/translator/mappings/platforms/anomali/windows_image_load.yml create mode 100644 uncoder-core/app/translator/mappings/platforms/anomali/windows_network_connection.yml create mode 100644 uncoder-core/app/translator/mappings/platforms/anomali/windows_pipe_created.yml create mode 100644 uncoder-core/app/translator/mappings/platforms/anomali/windows_process_access.yml create mode 100644 uncoder-core/app/translator/mappings/platforms/anomali/windows_process_creation.yml create mode 100644 uncoder-core/app/translator/mappings/platforms/anomali/windows_registry_event.yml create mode 100644 uncoder-core/app/translator/mappings/platforms/anomali/windows_security.yml create mode 100644 uncoder-core/app/translator/mappings/platforms/anomali/windows_sysmon.yml create mode 100644 
uncoder-core/app/translator/mappings/platforms/anomali/windows_system.yml create mode 100644 uncoder-core/app/translator/mappings/platforms/anomali/windows_wmi_event.yml delete mode 100644 uncoder-core/app/translator/platforms/arcsight/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/arcsight/mappings/arcsight_cti.py delete mode 100644 uncoder-core/app/translator/platforms/athena/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/athena/mappings/athena_cti.py delete mode 100644 uncoder-core/app/translator/platforms/carbonblack/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/carbonblack/mappings/carbonblack_cti.py delete mode 100644 uncoder-core/app/translator/platforms/chronicle/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/chronicle/mappings/chronicle_cti.py delete mode 100644 uncoder-core/app/translator/platforms/crowdstrike/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/crowdstrike/mappings/crowdstrike_cti.py delete mode 100644 uncoder-core/app/translator/platforms/elasticsearch/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/elasticsearch/mappings/elasticsearch_cti_cti.py delete mode 100644 uncoder-core/app/translator/platforms/fireeye_helix/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/fireeye_helix/mappings/fireeye_helix.py delete mode 100644 uncoder-core/app/translator/platforms/graylog/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/graylog/mappings/graylog_cti.py delete mode 100644 uncoder-core/app/translator/platforms/logpoint/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/logpoint/mappings/logpoint_cti.py delete mode 100644 uncoder-core/app/translator/platforms/logscale/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/logscale/mappings/logscale_cti.py delete 
mode 100644 uncoder-core/app/translator/platforms/microsoft/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/microsoft/mappings/mdatp_cti.py delete mode 100644 uncoder-core/app/translator/platforms/microsoft/mappings/microsoft_sentinel_cti.py delete mode 100644 uncoder-core/app/translator/platforms/opensearch/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/opensearch/mappings/opensearch_cti.py delete mode 100644 uncoder-core/app/translator/platforms/qradar/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/qradar/mappings/qradar_cti.py delete mode 100644 uncoder-core/app/translator/platforms/qualys/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/qualys/mappings/qualys_cti.py delete mode 100644 uncoder-core/app/translator/platforms/rsa_netwitness/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/rsa_netwitness/mappings/rsa_netwitness_cti.py delete mode 100644 uncoder-core/app/translator/platforms/securonix/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/securonix/mappings/securonix_cti.py delete mode 100644 uncoder-core/app/translator/platforms/sentinel_one/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/sentinel_one/mappings/s1_cti.py create mode 100644 uncoder-core/app/translator/platforms/sigma/renders/sigma_cti.py delete mode 100644 uncoder-core/app/translator/platforms/snowflake/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/snowflake/mappings/snowflake_cti.py delete mode 100644 uncoder-core/app/translator/platforms/splunk/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/splunk/mappings/splunk_cti.py delete mode 100644 uncoder-core/app/translator/platforms/sumo_logic/mappings/__init__.py delete mode 100644 uncoder-core/app/translator/platforms/sumo_logic/mappings/sumologic_cti.py 
diff --git a/uncoder-core/app/routers/ioc_translate.py b/uncoder-core/app/routers/ioc_translate.py
index 7eb702ed..3e78125d 100644
--- a/uncoder-core/app/routers/ioc_translate.py
+++ b/uncoder-core/app/routers/ioc_translate.py
@@ -4,11 +4,10 @@
 from app.models.ioc_translation import CTIPlatform, OneTranslationCTIData
 from app.models.translation import InfoMessage
-from app.translator.cti_translator import CTITranslator
+from app.translator.cti_translator import cti_translator
 from app.translator.tools.const import HashType, IocParsingRule, IOCType
 iocs_router = APIRouter()
-cti_translator = CTITranslator()
 @iocs_router.post("/iocs/translate", description="Parse IOCs from text.")
diff --git a/uncoder-core/app/translator/cti_translator.py b/uncoder-core/app/translator/cti_translator.py
index 79b25fc4..740839cc 100644
--- a/uncoder-core/app/translator/cti_translator.py
+++ b/uncoder-core/app/translator/cti_translator.py
@@ -86,3 +86,6 @@ def __get_iocs_chunk(
     @classmethod
     def get_renders(cls) -> list:
         return cls.render_manager.get_platforms_details
+
+
+cti_translator = CTITranslator()
diff --git a/uncoder-core/app/translator/mappings/platforms/anomali/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/anomali/windows_image_load.yml
new file mode 100644
index 00000000..d3aa7544
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/anomali/windows_image_load.yml
@@ -0,0 +1,18 @@
+platform: Anomali
+source: windows_image_load
+
+
+log_source:
+  product: [windows]
+  category: [image_load]
+
+default_log_source:
+  product: windows
+  category: image_load
+
+field_mapping:
+  Image: image
+  #ImageLoaded: ImageLoaded
+  #SignatureStatus: SignatureStatus
+  OriginalFileName: original_file_name
+  #Signed: Signed
\ No newline at end of file
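Review bot: `cti_translator = CTITranslator()` now executes at import time of `app.translator.cti_translator` (the second hunk on this line), so whatever `CTITranslator.__init__` does — registry lookups, mapping loads — runs for every importer of the module, including tests or tooling that only want the class, whereas the router-level instance ran only when the router was loaded. If the constructor is cheap and the instance holds no per-request state this is fine, but neither is visible here; a one-line comment above the assignment, `# Module-level singleton shared by all routers; must stay stateless across requests`, would record the assumption for the next reader. The exported name also equals the module's own name (`from app.translator.cti_translator import cti_translator`), which reads ambiguously at the call site; a `get_cti_translator()` accessor or a re-export from the package `__init__` would avoid that.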
diff --git a/uncoder-core/app/translator/mappings/platforms/anomali/windows_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/anomali/windows_network_connection.yml new file mode 100644 index 00000000..c18cc5c3 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/anomali/windows_network_connection.yml @@ -0,0 +1,20 @@ +platform: Anomali +source: windows_network_connection + + +log_source: + product: [windows] + category: [network_connection] + +default_log_source: + product: windows + category: network_connection + +field_mapping: + Image: image + DestinationHostname: dest + DestinationIp: dest_ip + DestinationPort: dest_port + SourceIp: src_ip + SourcePort: src_port + #Initiated: Initiated \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/anomali/windows_pipe_created.yml b/uncoder-core/app/translator/mappings/platforms/anomali/windows_pipe_created.yml new file mode 100644 index 00000000..9144d683 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/anomali/windows_pipe_created.yml @@ -0,0 +1,16 @@ +platform: Anomali +source: windows_pipe_created + + +log_source: + product: [windows] + category: [pipe_created] + +default_log_source: + product: windows + category: pipe_created + +field_mapping: + EventID: event_id + #PipeName: PipeName + Image: image \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/anomali/windows_process_access.yml b/uncoder-core/app/translator/mappings/platforms/anomali/windows_process_access.yml new file mode 100644 index 00000000..5f105eb0 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/anomali/windows_process_access.yml 
@@ -0,0 +1,24 @@ + +platform: Anomali +source: windows_process_access + + +log_source: + product: [windows] + category: [process_access] + +default_log_source: + product: windows + category: process_access + +field_mapping: + #SourceProcessGUID: SourceProcessGUID + #SourceProcessId: SourceProcessId + #SourceThreadId: SourceThreadId + #ourceImage: SourceImage + #TargetProcessGUID: TargetProcessGUID + #TargerProcessId: TargerProcessId + #TargetImage: TargetImage + #GrantedAccess: GrantedAccess + #CallTrace: CallTrace + User: user \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/anomali/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/anomali/windows_process_creation.yml new file mode 100644 index 00000000..8af5bdbe --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/anomali/windows_process_creation.yml @@ -0,0 +1,23 @@ +platform: Anomali +source: windows_process_creation + + +log_source: + product: [windows] + category: [process_creation] + +default_log_source: + product: windows + category: process_creation + +field_mapping: + CommandLine: command_line + #CurrentDirectory: CurrentDirectory + Hashes: file_hash + Image: image + #IntegrityLevel: IntegrityLevel + ParentCommandLine: parent_command_line + ParentImage: parent_image + #ParentUser: ParentUser + #Product: Product + User: user \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/anomali/windows_registry_event.yml b/uncoder-core/app/translator/mappings/platforms/anomali/windows_registry_event.yml new file mode 100644 index 00000000..aa91e179 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/anomali/windows_registry_event.yml 
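Review bot: Two of the commented-out entries in `windows_process_access.yml` carry typos — `#ourceImage: SourceImage` and `#TargerProcessId: TargerProcessId` — so whoever uncomments them later inherits wrong keys (`SourceImage`, `TargetProcessId`); fixing them while they are inert costs nothing. The file also opens with an empty line before `platform: Anomali`, unlike the sibling mappings in this commit, and like them it ends without a trailing newline. With only `User: user` active, every other process_access field is dropped on translation; if that is deliberate pending Anomali field names, a comment at the top of `field_mapping` saying so would stop it being read as an oversight.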
@@ -0,0 +1,31 @@ +platform: Anomali +source: windows_registry_event + +log_source: + product: [windows] + category: [registry_event, registry_set, registry_delete, registry_add] + +default_log_source: + product: windows + category: registry_event + +field_mapping: + TargetObject: reg_key + Image: image + Details: reg_value_data + EventType: event_name + CommandLine: command_line + #LogonId: LogonId + #Product: Product + #Company: Company + #IntegrityLevel: IntegrityLevel + #CurrentDirectory: CurrentDirectory + ProcessId: process_id + ParentProcessId: parent_process_id + ParentCommandLine: parent_command_line + ParentImage: parent_image + #ParentUser: ParentUser + #ParentIntegrityLevel: ParentIntegrityLevel + #ParentLogonId: ParentLogonId + #ParentProduct: ParentProduct + #ParentCompany: ParentCompany \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/anomali/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/anomali/windows_security.yml new file mode 100644 index 00000000..6809de3c --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/anomali/windows_security.yml 
@@ -0,0 +1,147 @@ +platform: Anomali +source: windows_security + + +log_source: + product: [windows] + service: [security] + +default_log_source: + product: windows + service: security + +field_mapping: + EventID: event_id + ParentImage: parent_image + #AccessMask: AccessMask + AccountName: user + #AllowedToDelegateTo: AllowedToDelegateTo + #AttributeLDAPDisplayName: AttributeLDAPDisplayName + #AuditPolicyChanges: AuditPolicyChanges + #AuthenticationPackageName: AuthenticationPackageName + #CallingProcessName: CallingProcessName + #Channel: Channel + #ComputerName: ComputerName + #EventType: EventType + #FailureReason: FailureReason + #FileName: FileName + #GrantedAccess: GrantedAccess + #Hashes: Hashes + #HiveName: HiveName + #IpAddress: IpAddress + #IpPort: IpPort + #KeyLength: KeyLength + #LogonProcessName: LogonProcessName + #LogonType: LogonType + #LinkName: LinkName + #MemberName: MemberName + #MemberSid: MemberSid + #NewProcessName: NewProcessName + #ObjectClass: ObjectClass + #ObjectType: ObjectType + #ObjectValueName: ObjectValueName + #Path: Path + #CommandLine: CommandLine + #OldUacValue: OldUacValue + #CertIssuerName: CertIssuerName + #SubStatus: SubStatus + #DisplayName: DisplayName + #TaskContent: TaskContent + #ServiceSid: ServiceSid + #CertThumbprint: CertThumbprint + #ObjectName: ObjectName + #ClassName: ClassName + #NotificationPackageName: NotificationPackageName + #NewSd: NewSd + #TestSigning: TestSigning + #TargetInfo: TargetInfo + #ParentProcessId: ParentProcessId + #AccessList: AccessList + #GroupMembership: GroupMembership + #FilterName: FilterName + #ChangeType: ChangeType + #LayerName: LayerName + #ServiceAccount: ServiceAccount + #ClientProcessId: ClientProcessId + #AttributeValue: AttributeValue + #SessionName: SessionName + #TaskName: TaskName + #ObjectDN: ObjectDN + #TemplateContent: TemplateContent + #NewTemplateContent: NewTemplateContent + #SourcePort: SourcePort + #PasswordLastSet: PasswordLastSet + #PrivilegeList: PrivilegeList + 
#DeviceDescription: DeviceDescription + #TargetServerName: TargetServerName + #NewTargetUserName: NewTargetUserName + #OperationType: OperationType + #DestPort: DestPort + #ServiceStartType: ServiceStartType + #OldTargetUserName: OldTargetUserName + #UserPrincipalName: UserPrincipalName + #Accesses: Accesses + #DnsHostName: DnsHostName + #DisableIntegrityChecks: DisableIntegrityChecks + #AuditSourceName: AuditSourceName + #Workstation: Workstation + #DestAddress: DestAddress + #PreAuthType: PreAuthType + #SecurityPackageName: SecurityPackageName + #SubjectLogonId: SubjectLogonId + #NewUacValue: NewUacValue + #EnabledPrivilegeList: EnabledPrivilegeList + #RelativeTargetName: RelativeTargetName + #CertSerialNumber: CertSerialNumber + #SidHistory: SidHistory + #TargetLogonId: TargetLogonId + #KernelDebug: KernelDebug + #CallerProcessName: CallerProcessName + #Properties: Properties + #UserAccountControl: UserAccountControl + #RegistryValue: RegistryValue + #SecurityID: SecurityID + #ServiceFileName: ServiceFileName + #SecurityDescriptor: SecurityDescriptor + #ServiceName: ServiceName + #ShareName: ShareName + #NewValue: NewValue + #Source: Source + #Status: Status + #SubjectDomainName: SubjectDomainName + #SubjectUserName: SubjectUserName + #SubjectUserSid: SubjectUserSid + #SourceAddr: SourceAddr + #SourceAddress: SourceAddress + #TargetName: TargetName + #ServicePrincipalNames: ServicePrincipalNames + #TargetDomainName: TargetDomainName + #TargetSid: TargetSid + #TargetUserName: TargetUserName + #ObjectServer: ObjectServer + #TargetUserSid: TargetUserSid + #TicketEncryptionType: TicketEncryptionType + #TicketOptions: TicketOptions + #WorkstationName: WorkstationName + #TransmittedServices: TransmittedServices + #AuthenticationAlgorithm: AuthenticationAlgorithm + #LayerRTID: LayerRTID + #BSSID: BSSID + #BSSType: BSSType + #CipherAlgorithm: CipherAlgorithm + #ConnectionId: ConnectionId + #ConnectionMode: ConnectionMode + #InterfaceDescription: InterfaceDescription + 
#InterfaceGuid: InterfaceGuid + #OnexEnabled: OnexEnabled + #PHYType: PHYType + #ProfileName: ProfileName + #SSID: SSID + #Domain: Domain + #ServiceType: ServiceType + #SourceName: SourceName + #StartType: StartType + #UserID: UserID + #ParentProcessName: ParentProcessName + #Service: Service + #ProcessName: ProcessName \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/anomali/windows_sysmon.yml b/uncoder-core/app/translator/mappings/platforms/anomali/windows_sysmon.yml new file mode 100644 index 00000000..284c2685 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/anomali/windows_sysmon.yml 
@@ -0,0 +1,63 @@ +platform: Anomali +source: windows_sysmon + + +log_source: + product: [windows] + service: [sysmon] + +default_log_source: + product: windows + service: sysmon + +field_mapping: + CommandLine: command_line + Image: image + ParentImage: parent_image + EventID: event_id + #CallTrace: CallTrace + #Company: Company + #CurrentDirectory: CurrentDirectory + #Description: Description + DestinationHostname: dest + DestinationIp: dest_ip + #DestinationIsIpv6: DestinationIsIpv6 + DestinationPort: dest_port + #DestinationPortName: DestinationPortName + Hashes: file_hash + #Initiated: Initiated + #IntegrityLevel: IntegrityLevel + ParentCommandLine: parent_command_line + #Product: Product + #Protocol: Protocol + #RuleName: RuleName + SourceHostname: src + SourceIp: src_ip + #SourceIsIpv6: SourceIsIpv6 + SourcePort: src_port + #SourcePortName: SourcePortName + TargetFilename: file_name + User: user + OriginalFileName: original_file_name + #Signed: Signed + #Signature: Signature + #SignatureStatus: SignatureStatus + TargetObject: reg_key + Details: reg_value_data + QueryName: query + QueryResults: record_type + #QueryStatus: QueryStatus + #IsExecutable: IsExecutable + #PipeName: PipeName + #ImageLoaded: ImageLoaded + #ImagePath: ImagePath + #Imphash: Imphash + #SourceImage: SourceImage + #StartModule: StartModule + #TargetImage: TargetImage + Device: dvc_name + ProcessID: process_id + #FileVersion: FileVersion + #StartAddress: StartAddress + #StartFunction: StartFunction + EventType: event_name \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/anomali/windows_system.yml b/uncoder-core/app/translator/mappings/platforms/anomali/windows_system.yml new file mode 100644 index 00000000..d64ced48 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/anomali/windows_system.yml 
@@ -0,0 +1,27 @@ +platform: Anomali +source: windows_system + + +log_source: + product: [windows] + service: [system] + +default_log_source: + product: windows + service: system + +field_mapping: + EventID: event_id + #AccountName: AccountName + #ImagePath: ImagePath + #ServiceName: ServiceName + #ServiceType: ServiceType + #StartType: StartType + #Provider_Name: Provider_Name + #Origin: Origin + #HiveName: HiveName + #Caption: Caption + #param1: param1 + #param2: param2 + #Channel: Channel + #DeviceName: DeviceName \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/anomali/windows_wmi_event.yml b/uncoder-core/app/translator/mappings/platforms/anomali/windows_wmi_event.yml new file mode 100644 index 00000000..58cbcb9e --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/anomali/windows_wmi_event.yml @@ -0,0 +1,15 @@ +platform: Anomali +source: windows_wmi_event + + +log_source: + product: [windows] + category: [wmi_event] + +default_log_source: + product: windows + category: wmi_event + +field_mapping: +# Destination: Destination + EventID: event_id diff --git a/uncoder-core/app/translator/mappings/platforms/sigma/windows_pipe_created.yml b/uncoder-core/app/translator/mappings/platforms/sigma/windows_pipe_created.yml index eb6cc32c..7934d1e2 100644 --- a/uncoder-core/app/translator/mappings/platforms/sigma/windows_pipe_created.yml +++ b/uncoder-core/app/translator/mappings/platforms/sigma/windows_pipe_created.yml @@ -11,6 +11,6 @@ default_log_source: category: pipe_created field_mapping: - EventID: action_evtlog_event_id + EventID: EventID PipeName: PipeName Image: Image \ No newline at end of file diff --git a/uncoder-core/app/translator/platforms/arcsight/const.py b/uncoder-core/app/translator/platforms/arcsight/const.py index 0bd27667..0f431d87 100644 --- a/uncoder-core/app/translator/platforms/arcsight/const.py +++ b/uncoder-core/app/translator/platforms/arcsight/const.py 
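Review bot: Changing `EventID: action_evtlog_event_id` to the identity mapping `EventID: EventID` in the sigma `windows_pipe_created.yml` alters what existing Sigma pipe-creation rules translate to, and the diffstat shows this as the only sigma mapping touched; if the other sigma `windows_*` mappings still map `EventID` to `action_evtlog_event_id`, this file is now the odd one out, and if they never did, the old value was the bug. A short YAML comment on the line, `# EventID is a native Sigma field; no platform rename`, would record which of the two it is.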
@@ -1,8 +1,26 @@
+from app.translator.core.models.platform_details import PlatformDetails
+
 ARCSIGHT_QUERY_DETAILS = {
-    "platform_id": "arcsight",
+    "platform_id": "arcsight-query",
     "name": "ArcSight Query",
     "group_name": "ArcSight",
     "group_id": "arcsight",
     "platform_name": "Query",
     "alt_platform_name": "CEF",
 }
+
+
+DEFAULT_ARCSIGHT_CTI_MAPPING = {
+    "SourceIP": "sourceAddress",
+    "DestinationIP": "destinationAddress",
+    "Domain": "destinationDnsDomain",
+    "URL": "requestUrl",
+    "HashMd5": "fileHash",
+    "HashSha1": "fileHash",
+    "HashSha256": "fileHash",
+    "HashSha512": "fileHash",
+    "Emails": "sender-address",
+    "Files": "winlog.event_data.TargetFilename",
+}
+
+arcsight_query_details = PlatformDetails(**ARCSIGHT_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/arcsight/mappings/__init__.py b/uncoder-core/app/translator/platforms/arcsight/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/arcsight/mappings/arcsight_cti.py b/uncoder-core/app/translator/platforms/arcsight/mappings/arcsight_cti.py
deleted file mode 100644
index 4a01074d..00000000
--- a/uncoder-core/app/translator/platforms/arcsight/mappings/arcsight_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_ARCSIGHT_MAPPING = {
-    "SourceIP": "sourceAddress",
-    "DestinationIP": "destinationAddress",
-    "Domain": "destinationDnsDomain",
-    "URL": "requestUrl",
-    "HashMd5": "fileHash",
-    "HashSha1": "fileHash",
-    "HashSha256": "fileHash",
-    "HashSha512": "fileHash",
-    "Emails": "sender-address",
-    "Files": "winlog.event_data.TargetFilename",
-}
diff --git a/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py b/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py
index 924a3c9e..63fe8f90 100644
--- a/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py
+++ b/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py
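Review bot: `"platform_id"` changes from `"arcsight"` to `"arcsight-query"` while `group_id` stays `"arcsight"`; since `platform_id` is the value API callers pass to select a render (the router hunk takes a `CTIPlatform` model), any stored client configuration, fixture or documentation that requests `arcsight` stops resolving, and neither commit message mentions the rename. Confirm it is deliberate and consistent with the `platform_id` convention of the other platforms before merging, or keep the old id. `DEFAULT_ARCSIGHT_CTI_MAPPING` is moved verbatim from the deleted `mappings/arcsight_cti.py`, including `"Files": "winlog.event_data.TargetFilename"`, which looks like a winlogbeat/ECS field rather than an ArcSight CEF one, and `"Emails": "sender-address"`; now that `const.py` is the authoritative copy, a `# TODO: verify field names against the ArcSight schema` comment above the dict would flag this for whoever owns the mapping.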
@@ -1,16 +1,15 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.arcsight.const import arcsight_query_details
-from app.translator.platforms.arcsight.mappings.arcsight_cti import DEFAULT_ARCSIGHT_MAPPING
+from app.translator.platforms.arcsight.const import arcsight_query_details, DEFAULT_ARCSIGHT_CTI_MAPPING
 @render_cti_manager.register
 class ArcsightKeyword(RenderCTI):
     details: PlatformDetails = arcsight_query_details
-    default_mapping = DEFAULT_ARCSIGHT_MAPPING
     field_value_template: str = '{key} = "{value}"'
+    default_mapping = DEFAULT_ARCSIGHT_CTI_MAPPING
     or_operator: str = " OR "
     group_or_operator: str = " OR "
     or_group: str = "{or_group}"
diff --git a/uncoder-core/app/translator/platforms/athena/const.py b/uncoder-core/app/translator/platforms/athena/const.py
index db261b69..ea10735d 100644
--- a/uncoder-core/app/translator/platforms/athena/const.py
+++ b/uncoder-core/app/translator/platforms/athena/const.py
@@ -9,4 +9,18 @@
     "alt_platform_name": "OCSF",
 }
+DEFAULT_ATHENA_CTI_MAPPING = {
+    "SourceIP": "src_endpoint",
+    "DestinationIP": "dst_endpoint",
+    "Domain": "dst_endpoint",
+    "URL": "http_request",
+    "HashMd5": "unmapped.file.hash.md5",
+    "HashSha1": "unmapped.file.hash.sha1",
+    "HashSha256": "unmapped.file.hash.sha256",
+    "HashSha512": "unmapped.file.hash.sha512",
+    "Email": "email",
+    "FileName": "file.name",
+}
+
+
 athena_query_details = PlatformDetails(**ATHENA_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/athena/mappings/__init__.py b/uncoder-core/app/translator/platforms/athena/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/athena/mappings/athena_cti.py b/uncoder-core/app/translator/platforms/athena/mappings/athena_cti.py
deleted file mode 100644
index c41aeb77..00000000
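Review bot: The merged import `from app.translator.platforms.arcsight.const import arcsight_query_details, DEFAULT_ARCSIGHT_CTI_MAPPING` orders the names differently from the sibling renders in this same commit (`DEFAULT_ATHENA_CTI_MAPPING, athena_query_details`, `DEFAULT_CARBONBLACK_CTI_MAPPING, carbonblack_query_details`), which follow isort's case-sensitive order; `from app.translator.platforms.arcsight.const import DEFAULT_ARCSIGHT_CTI_MAPPING, arcsight_query_details` keeps the three consistent and the linter quiet. Moving `default_mapping` below `field_value_template` is harmless but unexplained; leaving the attribute where it was would make this hunk a pure rename, which is easier to review against the first patch in the series.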
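Review bot: `DEFAULT_ATHENA_CTI_MAPPING` keys its e-mail and file entries as `"Email"` and `"FileName"`, whereas the ArcSight and Carbon Black mappings in this commit use `"Emails"` and `"Files"`; whichever spelling the IoC parser actually emits, the other set of entries is dead and those IoC types render with no field. The keys were already like this in the deleted `mappings/athena_cti.py`, but consolidating every mapping into `const.py` is the moment to align them — ideally by deriving the keys from `IOCType` (imported in the router hunk) rather than repeating string literals per platform. Failing that, a comment above the dict naming the source of the key names would prevent the next drift.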
--- a/uncoder-core/app/translator/platforms/athena/mappings/athena_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_ATHENA_MAPPING = {
-    "SourceIP": "src_endpoint",
-    "DestinationIP": "dst_endpoint",
-    "Domain": "dst_endpoint",
-    "URL": "http_request",
-    "HashMd5": "unmapped.file.hash.md5",
-    "HashSha1": "unmapped.file.hash.sha1",
-    "HashSha256": "unmapped.file.hash.sha256",
-    "HashSha512": "unmapped.file.hash.sha512",
-    "Email": "email",
-    "FileName": "file.name",
-}
diff --git a/uncoder-core/app/translator/platforms/athena/renders/athena_cti.py b/uncoder-core/app/translator/platforms/athena/renders/athena_cti.py
index c46290e8..285b3e2e 100644
--- a/uncoder-core/app/translator/platforms/athena/renders/athena_cti.py
+++ b/uncoder-core/app/translator/platforms/athena/renders/athena_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.athena.const import athena_query_details
-from app.translator.platforms.athena.mappings.athena_cti import DEFAULT_ATHENA_MAPPING
+from app.translator.platforms.athena.const import DEFAULT_ATHENA_CTI_MAPPING, athena_query_details
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class AthenaCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "SELECT * from eventlog where {result}\n"
     final_result_for_one: str = "SELECT * from eventlog where {result}\n"
-    default_mapping = DEFAULT_ATHENA_MAPPING
+    default_mapping = DEFAULT_ATHENA_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/carbonblack/const.py b/uncoder-core/app/translator/platforms/carbonblack/const.py
index 8f1d8958..e1c2fdf1 100644
--- a/uncoder-core/app/translator/platforms/carbonblack/const.py
+++ b/uncoder-core/app/translator/platforms/carbonblack/const.py
@@ -1,3 +1,5 @@
+from app.translator.core.models.platform_details import PlatformDetails
+
 CARBON_BLACK_QUERY_DETAILS = {
     "platform_id": "carbonblack",
     "name": "Carbon Black Cloud",
@@ -5,3 +7,17 @@
     "group_id": "carbonblack-pack",
     "platform_name": "Query (Cloud)",
 }
+
+DEFAULT_CARBONBLACK_CTI_MAPPING = {
+    "SourceIP": "netconn_local_ipv4",
+    "DestinationIP": "netconn_ipv4",
+    "Domain": "netconn_domain",
+    "URL": "netconn_domain",
+    "HashMd5": "hash",
+    "HashSha256": "hash",
+    "Files": "filemod_name",
+    "Emails": "process_username",
+}
+
+
+carbonblack_query_details = PlatformDetails(**CARBON_BLACK_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/carbonblack/mappings/__init__.py b/uncoder-core/app/translator/platforms/carbonblack/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/carbonblack/mappings/carbonblack_cti.py b/uncoder-core/app/translator/platforms/carbonblack/mappings/carbonblack_cti.py
deleted file mode 100644
index 50497e61..00000000
--- a/uncoder-core/app/translator/platforms/carbonblack/mappings/carbonblack_cti.py
+++ /dev/null
@@ -1,10 +0,0 @@
-DEFAULT_CARBONBLACK_MAPPING = {
-    "SourceIP": "netconn_local_ipv4",
-    "DestinationIP": "netconn_ipv4",
-    "Domain": "netconn_domain",
-    "URL": "netconn_domain",
-    "HashMd5": "hash",
-    "HashSha256": "hash",
-    "Files": "filemod_name",
-    "Emails": "process_username",
-}
diff --git a/uncoder-core/app/translator/platforms/carbonblack/renders/carbonblack_cti.py b/uncoder-core/app/translator/platforms/carbonblack/renders/carbonblack_cti.py
index 489a1288..154ee0b5 100644
--- a/uncoder-core/app/translator/platforms/carbonblack/renders/carbonblack_cti.py
+++ b/uncoder-core/app/translator/platforms/carbonblack/renders/carbonblack_cti.py
@@ -20,13 +20,12 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.carbonblack.const import CARBON_BLACK_QUERY_DETAILS
-from app.translator.platforms.carbonblack.mappings.carbonblack_cti import DEFAULT_CARBONBLACK_MAPPING
+from app.translator.platforms.carbonblack.const import DEFAULT_CARBONBLACK_CTI_MAPPING, carbonblack_query_details
 @render_cti_manager.register
 class CarbonBlackCTI(RenderCTI):
-    details: PlatformDetails = PlatformDetails(**CARBON_BLACK_QUERY_DETAILS)
+    details: PlatformDetails = carbonblack_query_details
     field_value_template: str = "{key}:{value}"
     or_operator: str = " OR "
@@ -35,4 +34,4 @@ class CarbonBlackCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_CARBONBLACK_MAPPING
+    default_mapping = DEFAULT_CARBONBLACK_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/chronicle/const.py b/uncoder-core/app/translator/platforms/chronicle/const.py
index d788860a..5bb4363c 100644
--- a/uncoder-core/app/translator/platforms/chronicle/const.py
+++ b/uncoder-core/app/translator/platforms/chronicle/const.py
@@ -20,22 +20,34 @@
 $e
 }"""
-PLATFORM_DETAILS = {"group_id": "chronicle-pack", "group_name": "Chronicle Security", "alt_platform_name": "UDM"}
+PLATFORM_DETAILS = {"group_id": "chronicle-pack", "group_name": "Google SecOps", "alt_platform_name": "UDM"}
 CHRONICLE_QUERY_DETAILS = {
     "platform_id": "chronicle-yaral-query",
-    "name": "Chronicle Security Query",
+    "name": "Google SecOps Query",
     "platform_name": "Query (UDM)",
     **PLATFORM_DETAILS,
 }
 CHRONICLE_RULE_DETAILS = {
     "platform_id": "chronicle-yaral-rule",
-    "name": "Chronicle Security Rule",
+    "name": "Google SecOps Rule",
     "platform_name": "Rule (YARA-L)",
     "first_choice": 0,
     **PLATFORM_DETAILS,
 }
+DEFAULT_CHRONICLE_CTI_MAPPING = {
+    "DestinationIP": "target.ip",
+    "SourceIP": "principal.ip",
+    "HashSha256": "target.file.sha256",
+    "HashMd5": "target.file.md5",
+    "Emails": "network.email.from",
+    "Domain": "target.hostname",
+    "HashSha1": "target.file.sha1",
+    "Files": "target.file.full_path",
+    "URL": "target.url",
+}
+
 chronicle_query_details = PlatformDetails(**CHRONICLE_QUERY_DETAILS)
 chronicle_rule_details = PlatformDetails(**CHRONICLE_RULE_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/chronicle/mappings/__init__.py b/uncoder-core/app/translator/platforms/chronicle/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/chronicle/mappings/chronicle_cti.py b/uncoder-core/app/translator/platforms/chronicle/mappings/chronicle_cti.py
deleted file mode 100644
index 84c71608..00000000
--- a/uncoder-core/app/translator/platforms/chronicle/mappings/chronicle_cti.py
+++ /dev/null
@@ -1,11 +0,0 @@
-DEFAULT_CHRONICLE_MAPPING = {
-    "DestinationIP": "target.ip",
-    "SourceIP": "principal.ip",
-    "HashSha256": "target.file.sha256",
-    "HashMd5": "target.file.md5",
-    "Emails": "network.email.from",
-    "Domain": "target.hostname",
-    "HashSha1": "target.file.sha1",
-    "Files": "target.file.full_path",
-    "URL": "target.url",
-}
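Review bot: The `group_name` and `name` strings in `PLATFORM_DETAILS`, `CHRONICLE_QUERY_DETAILS` and `CHRONICLE_RULE_DETAILS` change from "Chronicle Security" to "Google SecOps" while `group_id` and the `platform_id` values stay `chronicle-pack` / `chronicle-yaral-*`; anything that selects a platform by display name rather than by id (tests, fixtures, a front-end filter — none visible here) would stop matching. It is worth confirming that only ids are used as lookup keys and saying so in the commit message, since this rename is bundled into a merge commit whose title does not mention it.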
diff --git a/uncoder-core/app/translator/platforms/chronicle/renders/chronicle_cti.py b/uncoder-core/app/translator/platforms/chronicle/renders/chronicle_cti.py
index ca68950d..3d5d15ea 100644
--- a/uncoder-core/app/translator/platforms/chronicle/renders/chronicle_cti.py
+++ b/uncoder-core/app/translator/platforms/chronicle/renders/chronicle_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.chronicle.const import chronicle_query_details
-from app.translator.platforms.chronicle.mappings.chronicle_cti import DEFAULT_CHRONICLE_MAPPING
+from app.translator.platforms.chronicle.const import DEFAULT_CHRONICLE_CTI_MAPPING, chronicle_query_details
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class ChronicleQueryCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "{result}\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_CHRONICLE_MAPPING
+    default_mapping = DEFAULT_CHRONICLE_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/crowdstrike/const.py b/uncoder-core/app/translator/platforms/crowdstrike/const.py
index 11dd01c5..7a76084d 100644
--- a/uncoder-core/app/translator/platforms/crowdstrike/const.py
+++ b/uncoder-core/app/translator/platforms/crowdstrike/const.py
@@ -8,4 +8,17 @@
     "group_name": "CrowdStrike Endpoint Security",
 }
+DEFAULT_CROWDSTRIKE_CTI_MAPPING = {
+    "DestinationIP": "RemoteAddressIP4",
+    "SourceIP": "LocalAddressIP4",
+    "HashSha256": "SHA256HashData",
+    "HashMd5": "MD5HashData",
+    "Emails": "emails",
+    "Domain": "DomainName",
+    "HashSha1": "SHA1HashData",
+    "Files": "TargetFileName",
+    "URL": "HttpUrl",
+}
+
+
 crowdstrike_query_details = PlatformDetails(**CROWDSTRIKE_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/crowdstrike/mappings/__init__.py b/uncoder-core/app/translator/platforms/crowdstrike/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/crowdstrike/mappings/crowdstrike_cti.py b/uncoder-core/app/translator/platforms/crowdstrike/mappings/crowdstrike_cti.py
deleted file mode 100644
index 7e4010c2..00000000
--- a/uncoder-core/app/translator/platforms/crowdstrike/mappings/crowdstrike_cti.py
+++ /dev/null
@@ -1,11 +0,0 @@
-DEFAULT_CROWDSTRIKE_MAPPING = {
-    "DestinationIP": "RemoteAddressIP4",
-    "SourceIP": "LocalAddressIP4",
-    "HashSha256": "SHA256HashData",
-    "HashMd5": "MD5HashData",
-    "Emails": "emails",
-    "Domain": "DomainName",
-    "HashSha1": "SHA1HashData",
-    "Files": "TargetFileName",
-    "URL": "HttpUrl",
-}
diff --git a/uncoder-core/app/translator/platforms/crowdstrike/renders/crowdstrike_cti.py b/uncoder-core/app/translator/platforms/crowdstrike/renders/crowdstrike_cti.py
index cb04502f..baabea37 100644
--- a/uncoder-core/app/translator/platforms/crowdstrike/renders/crowdstrike_cti.py
+++ b/uncoder-core/app/translator/platforms/crowdstrike/renders/crowdstrike_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.crowdstrike.const import crowdstrike_query_details
-from app.translator.platforms.crowdstrike.mappings.crowdstrike_cti import DEFAULT_CROWDSTRIKE_MAPPING
+from app.translator.platforms.crowdstrike.const import DEFAULT_CROWDSTRIKE_CTI_MAPPING, crowdstrike_query_details
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class CrowdStrikeCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_CROWDSTRIKE_MAPPING
+    default_mapping = DEFAULT_CROWDSTRIKE_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/const.py b/uncoder-core/app/translator/platforms/elasticsearch/const.py
index 59a50ac3..51402819 100644
--- a/uncoder-core/app/translator/platforms/elasticsearch/const.py
+++ b/uncoder-core/app/translator/platforms/elasticsearch/const.py
@@ -240,3 +240,16 @@
     "query": "",
     "actions": [],
 }
+
+DEFAULT_ELASTICSEARCH_CTI_MAPPING = {
+    "DestinationIP": "destination.ip",
+    "SourceIP": "source.ip",
+    "HashSha512": "file.hash.sha512",
+    "HashSha256": "file.hash.sha256",
+    "HashMd5": "file.hash.md5",
+    "Emails": "email.from.address",
+    "Domain": "destination.domain",
+    "HashSha1": "file.hash.sha1",
+    "Files": "file.name",
+    "URL": "url.original",
+}
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/mappings/__init__.py b/uncoder-core/app/translator/platforms/elasticsearch/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/mappings/elasticsearch_cti_cti.py b/uncoder-core/app/translator/platforms/elasticsearch/mappings/elasticsearch_cti_cti.py
deleted file mode 100644
index e4b0564f..00000000
--- a/uncoder-core/app/translator/platforms/elasticsearch/mappings/elasticsearch_cti_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_ELASTICSEARCH_MAPPING = {
-    "DestinationIP": "destination.ip",
-    "SourceIP": "source.ip",
-    "HashSha512": "file.hash.sha512",
-    "HashSha256": "file.hash.sha256",
-    "HashMd5": "file.hash.md5",
-    "Emails": "email.from.address",
-    "Domain": "destination.domain",
-    "HashSha1": "file.hash.sha1",
-    "Files": "file.name",
-    "URL": "url.original",
-}
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_cti.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_cti.py
index 34f2514e..820b6d54 100644
--- a/uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_cti.py
+++ b/uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_cti.py
@@ -20,8 +20,10 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.elasticsearch.const import elasticsearch_lucene_query_details
-from app.translator.platforms.elasticsearch.mappings.elasticsearch_cti_cti import DEFAULT_ELASTICSEARCH_MAPPING
+from app.translator.platforms.elasticsearch.const import (
+    DEFAULT_ELASTICSEARCH_CTI_MAPPING,
+    elasticsearch_lucene_query_details,
+)
 @render_cti_manager.register
@@ -35,4 +37,4 @@ class ElasticsearchCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_ELASTICSEARCH_MAPPING
+    default_mapping = DEFAULT_ELASTICSEARCH_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/fireeye_helix/const.py b/uncoder-core/app/translator/platforms/fireeye_helix/const.py
index 72160a2e..b06e4d50 100644
--- a/uncoder-core/app/translator/platforms/fireeye_helix/const.py
+++ b/uncoder-core/app/translator/platforms/fireeye_helix/const.py
@@ -5,3 +5,16 @@
     "group_id": "fireeye",
     "platform_name": "Query",
 }
+
+DEFAULT_FIREEYE_HELIX_CTI_MAPPING = {
+    "SourceIP": "~srcipv4",
+    "DestinationIP": "~dstipv4",
+    "Domain": "domain",
+    "URL": "url",
+    "HashMd5": "~hash",
+    "HashSha1": "~hash",
+    "HashSha256": "~hash",
+    "HashSha512": "~hash",
+    "Emails": "emails",
+    "Files": "filepath",
+}
diff --git a/uncoder-core/app/translator/platforms/fireeye_helix/mappings/__init__.py b/uncoder-core/app/translator/platforms/fireeye_helix/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/fireeye_helix/mappings/fireeye_helix.py b/uncoder-core/app/translator/platforms/fireeye_helix/mappings/fireeye_helix.py
deleted file mode 100644
index 5a040ab6..00000000
--- a/uncoder-core/app/translator/platforms/fireeye_helix/mappings/fireeye_helix.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_FIREEYE_HELIX_MAPPING = {
-    "SourceIP": "~srcipv4",
-    "DestinationIP": "~dstipv4",
-    "Domain": "domain",
-    "URL": "url",
-    "HashMd5": "~hash",
-    "HashSha1": "~hash",
-    "HashSha256": "~hash",
-    "HashSha512": "~hash",
-    "Emails": "emails",
-    "Files": "filepath",
-}
diff --git a/uncoder-core/app/translator/platforms/fireeye_helix/renders/fireeye_helix_cti.py b/uncoder-core/app/translator/platforms/fireeye_helix/renders/fireeye_helix_cti.py
index 8aaf0f0c..51dba4e5 100644
--- a/uncoder-core/app/translator/platforms/fireeye_helix/renders/fireeye_helix_cti.py
+++ b/uncoder-core/app/translator/platforms/fireeye_helix/renders/fireeye_helix_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.fireeye_helix.const import FIREEYE_HELIX_QUERY_DETAILS
-from app.translator.platforms.fireeye_helix.mappings.fireeye_helix import DEFAULT_FIREEYE_HELIX_MAPPING
+from app.translator.platforms.fireeye_helix.const import DEFAULT_FIREEYE_HELIX_CTI_MAPPING, FIREEYE_HELIX_QUERY_DETAILS
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class FireeyeHelixCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_FIREEYE_HELIX_MAPPING
+    default_mapping = DEFAULT_FIREEYE_HELIX_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/graylog/const.py b/uncoder-core/app/translator/platforms/graylog/const.py
index f13757f5..90270013 100644
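Review bot: The rewritten import in the fireeye_helix render still pulls the raw `FIREEYE_HELIX_QUERY_DETAILS` dict, so the class presumably keeps building `PlatformDetails(**...)` itself below the hunk, whereas the carbonblack render in this same commit was switched to the pre-built `carbonblack_query_details` instance; the graylog and logpoint renders have the same leftover and their const hunks likewise add only the mapping. For consistency, `fireeye_helix/const.py` could end with `fireeye_helix_query_details = PlatformDetails(**FIREEYE_HELIX_QUERY_DETAILS)` and the render import `DEFAULT_FIREEYE_HELIX_CTI_MAPPING, fireeye_helix_query_details`, matching the other platforms. The `FireeyeHelixCTI` class body lies outside the hunk.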
--- a/uncoder-core/app/translator/platforms/graylog/const.py
+++ b/uncoder-core/app/translator/platforms/graylog/const.py
@@ -8,5 +8,18 @@
     "group_id": "graylog",
 }
+DEFAULT_GRAYLOG_CTI_MAPPING = {
+    "SourceIP": "source.ip",
+    "DestinationIP": "destination.ip",
+    "Domain": "destination.domain",
+    "URL": "url.original",
+    "HashMd5": "file.hash.md5",
+    "HashSha1": "file.hash.sha1",
+    "HashSha256": "file.hash.sha256",
+    "HashSha512": "file.hash.sha512",
+    "Emails": "emails",
+    "Files": "filePath",
+}
+
 graylog_query_details = PlatformDetails(**GRAYLOG_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/graylog/mappings/__init__.py b/uncoder-core/app/translator/platforms/graylog/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/graylog/mappings/graylog_cti.py b/uncoder-core/app/translator/platforms/graylog/mappings/graylog_cti.py
deleted file mode 100644
index bacf4936..00000000
--- a/uncoder-core/app/translator/platforms/graylog/mappings/graylog_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_GRAYLOG_MAPPING = {
-    "SourceIP": "source.ip",
-    "DestinationIP": "destination.ip",
-    "Domain": "destination.domain",
-    "URL": "url.original",
-    "HashMd5": "file.hash.md5",
-    "HashSha1": "file.hash.sha1",
-    "HashSha256": "file.hash.sha256",
-    "HashSha512": "file.hash.sha512",
-    "Emails": "emails",
-    "Files": "filePath",
-}
diff --git a/uncoder-core/app/translator/platforms/graylog/renders/graylog_cti.py b/uncoder-core/app/translator/platforms/graylog/renders/graylog_cti.py
index b607b8d4..ae8ee06a 100644
--- a/uncoder-core/app/translator/platforms/graylog/renders/graylog_cti.py
+++ b/uncoder-core/app/translator/platforms/graylog/renders/graylog_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.graylog.const import GRAYLOG_QUERY_DETAILS
-from app.translator.platforms.graylog.mappings.graylog_cti import DEFAULT_GRAYLOG_MAPPING
+from app.translator.platforms.graylog.const import DEFAULT_GRAYLOG_CTI_MAPPING, GRAYLOG_QUERY_DETAILS
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class GraylogCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_GRAYLOG_MAPPING
+    default_mapping = DEFAULT_GRAYLOG_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/logpoint/const.py b/uncoder-core/app/translator/platforms/logpoint/const.py
index 76346910..68685661 100644
--- a/uncoder-core/app/translator/platforms/logpoint/const.py
+++ b/uncoder-core/app/translator/platforms/logpoint/const.py
@@ -5,3 +5,16 @@
     "platform_name": "Query",
     "group_id": "logpoint",
 }
+
+DEFAULT_LOGPOINT_CTI_MAPPING = {
+    "DestinationIP": "dst_ip",
+    "SourceIP": "src_ip",
+    "HashSha512": "hash",
+    "HashSha256": "hash",
+    "HashMd5": "hash",
+    "Emails": "emails",
+    "Domain": "host",
+    "HashSha1": "hash",
+    "Files": "files",
+    "URL": "url",
+}
diff --git a/uncoder-core/app/translator/platforms/logpoint/mappings/__init__.py b/uncoder-core/app/translator/platforms/logpoint/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/logpoint/mappings/logpoint_cti.py b/uncoder-core/app/translator/platforms/logpoint/mappings/logpoint_cti.py
deleted file mode 100644
index c296afa8..00000000
--- a/uncoder-core/app/translator/platforms/logpoint/mappings/logpoint_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_LOGPOINT_MAPPING = {
-    "DestinationIP": "dst_ip",
-    "SourceIP": "src_ip",
-    "HashSha512": "hash",
-    "HashSha256": "hash",
-    "HashMd5": "hash",
-    "Emails": "emails",
-    "Domain": "host",
-    "HashSha1": "hash",
-    "Files": "files",
-    "URL": "url",
-}
diff --git a/uncoder-core/app/translator/platforms/logpoint/renders/logpoint_cti.py b/uncoder-core/app/translator/platforms/logpoint/renders/logpoint_cti.py
index f4799a81..1bf42fd5 100644
--- a/uncoder-core/app/translator/platforms/logpoint/renders/logpoint_cti.py
+++ b/uncoder-core/app/translator/platforms/logpoint/renders/logpoint_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.logpoint.const import LOGPOINT_QUERY_DETAILS
-from app.translator.platforms.logpoint.mappings.logpoint_cti import DEFAULT_LOGPOINT_MAPPING
+from app.translator.platforms.logpoint.const import DEFAULT_LOGPOINT_CTI_MAPPING, LOGPOINT_QUERY_DETAILS
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class LogpointCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_LOGPOINT_MAPPING
+    default_mapping = DEFAULT_LOGPOINT_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/logscale/const.py b/uncoder-core/app/translator/platforms/logscale/const.py
index 3a52d181..efc05c46 100644
--- a/uncoder-core/app/translator/platforms/logscale/const.py
+++ b/uncoder-core/app/translator/platforms/logscale/const.py
@@ -25,6 +25,19 @@
     **PLATFORM_DETAILS,
 }
+DEFAULT_LOGSCALE_CTI_MAPPING = {
+    "DestinationIP": "dst_ip",
+    "SourceIP": "src_ip",
+    "HashSha512": "file.hash.sha512",
+    "HashSha256": "file.hash.sha256",
+    "HashMd5": "file.hash.md5",
+    "Emails": "email",
+    "Domain": "host",
+    "HashSha1": "file.hash.sha1",
+    "Files": "winlog.event_data.TargetFilename",
+    "URL": "url",
+}
+
 logscale_query_details = PlatformDetails(**LOGSCALE_QUERY_DETAILS)
 logscale_alert_details = PlatformDetails(**LOGSCALE_ALERT_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/logscale/mappings/__init__.py b/uncoder-core/app/translator/platforms/logscale/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/logscale/mappings/logscale_cti.py b/uncoder-core/app/translator/platforms/logscale/mappings/logscale_cti.py
deleted file mode 100644
index 54103fc7..00000000
--- a/uncoder-core/app/translator/platforms/logscale/mappings/logscale_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_LOGSCALE_MAPPING = {
-    "DestinationIP": "dst_ip",
-    "SourceIP": "src_ip",
-    "HashSha512": "file.hash.sha512",
-    "HashSha256": "file.hash.sha256",
-    "HashMd5": "file.hash.md5",
-    "Emails": "email",
-    "Domain": "host",
-    "HashSha1": "file.hash.sha1",
-    "Files": "winlog.event_data.TargetFilename",
-    "URL": "url",
-}
diff --git a/uncoder-core/app/translator/platforms/logscale/renders/logscale_cti.py b/uncoder-core/app/translator/platforms/logscale/renders/logscale_cti.py
index 3dc73d1a..cf2e45ad 100644
--- a/uncoder-core/app/translator/platforms/logscale/renders/logscale_cti.py
+++ b/uncoder-core/app/translator/platforms/logscale/renders/logscale_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.logscale.const import logscale_query_details
-from app.translator.platforms.logscale.mappings.logscale_cti import DEFAULT_LOGSCALE_MAPPING
+from app.translator.platforms.logscale.const import DEFAULT_LOGSCALE_CTI_MAPPING, logscale_query_details
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class LogScaleCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = '@stream="http" {result}\n'
     final_result_for_one: str = '@stream="http" {result}\n'
-    default_mapping = DEFAULT_LOGSCALE_MAPPING
+    default_mapping = DEFAULT_LOGSCALE_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/microsoft/const.py b/uncoder-core/app/translator/platforms/microsoft/const.py
index 5a877d8a..9450f423 100644
--- a/uncoder-core/app/translator/platforms/microsoft/const.py
+++ b/uncoder-core/app/translator/platforms/microsoft/const.py
@@ -19,15 +19,18 @@
 PLATFORM_DETAILS = {"group_id": "sentinel", "group_name": "Microsoft Sentinel"}
+_SENTINEL_KQL_QUERY = "sentinel-kql-query"
+_SENTINEL_KQL_RULE = "sentinel-kql-rule"
+
 MICROSOFT_SENTINEL_QUERY_DETAILS = {
-    "platform_id": "sentinel-kql-query",
+    "platform_id": _SENTINEL_KQL_QUERY,
     "name": "Microsoft Sentinel Query",
     "platform_name": "Query (Kusto)",
     **PLATFORM_DETAILS,
 }
 MICROSOFT_SENTINEL_RULE_DETAILS = {
-    "platform_id": "sentinel-kql-rule",
+    "platform_id": _SENTINEL_KQL_RULE,
     "name": "Microsoft Sentinel Rule",
     "platform_name": "Rule (Kusto)",
     "first_choice": 0,
@@ -50,6 +53,35 @@
     "group_id": "microsoft-defender",
 }
+
+DEFAULT_MICROSOFT_DEFENDER_CTI_MAPPING = {
+    "DestinationIP": "RemoteIP",
+    "SourceIP": "LocalIP",
+    "HashSha256": "InitiatingProcessSHA256",
+    "HashMd5": "InitiatingProcessMD5",
+    "Emails": "SenderFromAddress",
+    "Domain": "RemoteUrl",
+    "HashSha1": "InitiatingProcessSHA1",
+    "Files": "FileName",
+    "URL": "RemoteUrl",
+}
+
+DEFAULT_MICROSOFT_SENTINEL_CTI_MAPPING = {
+    "DestinationIP": "DestinationIp",
+    "SourceIP": "SourceIp",
+    "HashSha512": "FileHashSha512",
+    "HashSha256": "FileHashSha256",
+    "HashMd5": "FileHashMd5",
+    "Emails": "SenderFromAddress",
+    "Domain": "DestinationHostname",
+    "HashSha1": "FileHashSha1",
+    "Files": "TargetFileName",
+    "URL": "URL",
+}
+
+MICROSOFT_SENTINEL_QUERY_TYPES = {_SENTINEL_KQL_QUERY, _SENTINEL_KQL_RULE}
+
+
 microsoft_defender_query_details = PlatformDetails(**MICROSOFT_DEFENDER_DETAILS)
 microsoft_sentinel_query_details = PlatformDetails(**MICROSOFT_SENTINEL_QUERY_DETAILS)
 microsoft_sentinel_rule_details = PlatformDetails(**MICROSOFT_SENTINEL_RULE_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/microsoft/mappings/__init__.py b/uncoder-core/app/translator/platforms/microsoft/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/microsoft/mappings/mdatp_cti.py b/uncoder-core/app/translator/platforms/microsoft/mappings/mdatp_cti.py
deleted file mode 100644
index 96150ec1..00000000
--- a/uncoder-core/app/translator/platforms/microsoft/mappings/mdatp_cti.py
+++ /dev/null
@@ -1,11 +0,0 @@
-DEFAULT_MICROSOFT_DEFENDER_MAPPING = {
-    "DestinationIP": "RemoteIP",
-    "SourceIP": "LocalIP",
-    "HashSha256": "InitiatingProcessSHA256",
-    "HashMd5": "InitiatingProcessMD5",
-    "Emails": "SenderFromAddress",
-    "Domain": "RemoteUrl",
-    "HashSha1": "InitiatingProcessSHA1",
-    "Files": "FileName",
-    "URL": "RemoteUrl",
-}
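Review bot: `MICROSOFT_SENTINEL_QUERY_TYPES` is a plain mutable `set` exposed as a module-level constant; since it is a fixed enumeration of the two Sentinel platform ids, `MICROSOFT_SENTINEL_QUERY_TYPES = frozenset({_SENTINEL_KQL_QUERY, _SENTINEL_KQL_RULE})` states that intent and rules out an accidental `.add()`/`.discard()` from an importer. Its consumer is not in this chunk, so this is a style point only; a one-line comment naming what it is matched against (presumably a request's platform id) would also help, since the two ids it holds are private-prefixed and hard to discover from outside the module.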
diff --git a/uncoder-core/app/translator/platforms/microsoft/mappings/microsoft_sentinel_cti.py b/uncoder-core/app/translator/platforms/microsoft/mappings/microsoft_sentinel_cti.py
deleted file mode 100644
index 33a9d0da..00000000
--- a/uncoder-core/app/translator/platforms/microsoft/mappings/microsoft_sentinel_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_MICROSOFT_SENTINEL_MAPPING = {
-    "DestinationIP": "DestinationIp",
-    "SourceIP": "SourceIp",
-    "HashSha512": "FileHashSha512",
-    "HashSha256": "FileHashSha256",
-    "HashMd5": "FileHashMd5",
-    "Emails": "SenderFromAddress",
-    "Domain": "DestinationHostname",
-    "HashSha1": "FileHashSha1",
-    "Files": "TargetFileName",
-    "URL": "URL",
-}
diff --git a/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_defender_cti.py b/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_defender_cti.py
index 72521800..40726e4c 100644
--- a/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_defender_cti.py
+++ b/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_defender_cti.py
@@ -22,8 +22,10 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.microsoft.const import microsoft_defender_query_details
-from app.translator.platforms.microsoft.mappings.mdatp_cti import DEFAULT_MICROSOFT_DEFENDER_MAPPING
+from app.translator.platforms.microsoft.const import (
+    DEFAULT_MICROSOFT_DEFENDER_CTI_MAPPING,
+    microsoft_defender_query_details,
+)
 @render_cti_manager.register
@@ -40,7 +42,7 @@ class MicrosoftDefenderCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "union * | where ({result})\n"
     final_result_for_one: str = "union * | where {result}\n"
-    default_mapping = DEFAULT_MICROSOFT_DEFENDER_MAPPING
+    default_mapping = DEFAULT_MICROSOFT_DEFENDER_CTI_MAPPING
     def create_field_value(self, field: str, value: str, generic_field: str) -> str:
         if field_value_template := self.field_value_templates_map.get(generic_field):
diff --git a/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_cti.py b/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_cti.py
index 018c0934..9ac314e8 100644
--- a/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_cti.py
+++ b/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_cti.py
@@ -20,8 +20,10 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.microsoft.const import microsoft_sentinel_query_details
-from app.translator.platforms.microsoft.mappings.microsoft_sentinel_cti import DEFAULT_MICROSOFT_SENTINEL_MAPPING
+from app.translator.platforms.microsoft.const import (
+    DEFAULT_MICROSOFT_SENTINEL_CTI_MAPPING,
+    microsoft_sentinel_query_details,
+)
 @render_cti_manager.register
@@ -35,4 +37,4 @@ class MicrosoftSentinelCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "search ({result})\n"
     final_result_for_one: str = "search {result}\n"
-    default_mapping = DEFAULT_MICROSOFT_SENTINEL_MAPPING
+    default_mapping = DEFAULT_MICROSOFT_SENTINEL_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/opensearch/const.py b/uncoder-core/app/translator/platforms/opensearch/const.py
index 913e2255..6522143c 100644
--- a/uncoder-core/app/translator/platforms/opensearch/const.py
+++ b/uncoder-core/app/translator/platforms/opensearch/const.py
@@ -54,3 +54,16 @@
         }
     ],
 }
+
+DEFAULT_OPENSEARCH_CTI_MAPPING = {
+    "DestinationIP": "destination.ip",
+    "SourceIP": "source.ip",
+    "HashSha512": "file.hash.sha512",
+    "HashSha256": "file.hash.sha256",
+    "HashMd5": "file.hash.md5",
+    "Emails": "email.from.address",
+    "Domain": "destination.domain",
+    "HashSha1": "file.hash.sha1",
+    "Files": "file.name",
+    "URL": "url.original",
+}
diff --git a/uncoder-core/app/translator/platforms/opensearch/mappings/__init__.py b/uncoder-core/app/translator/platforms/opensearch/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/opensearch/mappings/opensearch_cti.py b/uncoder-core/app/translator/platforms/opensearch/mappings/opensearch_cti.py
deleted file mode 100644
index 1b4b6fd1..00000000
--- a/uncoder-core/app/translator/platforms/opensearch/mappings/opensearch_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_OPENSEARCH_MAPPING = {
-    "DestinationIP": "destination.ip",
-    "SourceIP": "source.ip",
-    "HashSha512": "file.hash.sha512",
-    "HashSha256": "file.hash.sha256",
-    "HashMd5": "file.hash.md5",
-    "Emails": "email.from.address",
-    "Domain": "destination.domain",
-    "HashSha1": "file.hash.sha1",
-    "Files": "file.name",
-    "URL": "url.original",
-}
diff --git a/uncoder-core/app/translator/platforms/opensearch/renders/opensearch_cti.py b/uncoder-core/app/translator/platforms/opensearch/renders/opensearch_cti.py
index 40931c08..5991b487 100644
--- a/uncoder-core/app/translator/platforms/opensearch/renders/opensearch_cti.py
+++ b/uncoder-core/app/translator/platforms/opensearch/renders/opensearch_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.opensearch.const import opensearch_query_details
-from app.translator.platforms.opensearch.mappings.opensearch_cti import DEFAULT_OPENSEARCH_MAPPING
+from app.translator.platforms.opensearch.const import DEFAULT_OPENSEARCH_CTI_MAPPING, opensearch_query_details
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class OpenSearchCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_OPENSEARCH_MAPPING
+    default_mapping = DEFAULT_OPENSEARCH_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/qradar/const.py b/uncoder-core/app/translator/platforms/qradar/const.py
index 5143509a..ec16bd42 100644
--- a/uncoder-core/app/translator/platforms/qradar/const.py
+++ b/uncoder-core/app/translator/platforms/qradar/const.py
@@ -8,4 +8,18 @@
     "group_name": "QRadar",
 }
+DEFAULT_QRADAR_CTI_MAPPING = {
+    "DestinationIP": "destinationip",
+    "SourceIP": "sourceip",
+    "HashSha512": "File Hash",
+    "HashSha256": "File Hash",
+    "HashMd5": "File Hash",
+    "Emails": "emails",
+    "Domain": "Hostname",
+    "HashSha1": "File Hash",
+    "Files": "Filename",
+    "URL": "URL",
+}
+
+
 qradar_query_details = PlatformDetails(**QRADAR_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/qradar/mappings/__init__.py b/uncoder-core/app/translator/platforms/qradar/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/qradar/mappings/qradar_cti.py b/uncoder-core/app/translator/platforms/qradar/mappings/qradar_cti.py
deleted file mode 100644
index d0cf36a0..00000000
--- a/uncoder-core/app/translator/platforms/qradar/mappings/qradar_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_QRADAR_MAPPING = {
- "DestinationIP": "destinationip",
- "SourceIP": "sourceip",
- "HashSha512": "File Hash",
- "HashSha256": "File Hash",
- "HashMd5": "File Hash",
- "Emails": "emails",
- "Domain": "Hostname",
- "HashSha1": "File Hash",
- "Files": "Filename",
- "URL": "URL",
-}
diff --git a/uncoder-core/app/translator/platforms/qradar/renders/qradar_cti.py b/uncoder-core/app/translator/platforms/qradar/renders/qradar_cti.py
index 529b9620..6159ba86 100644
--- a/uncoder-core/app/translator/platforms/qradar/renders/qradar_cti.py
+++ b/uncoder-core/app/translator/platforms/qradar/renders/qradar_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.qradar.const import qradar_query_details
-from app.translator.platforms.qradar.mappings.qradar_cti import DEFAULT_QRADAR_MAPPING
+from app.translator.platforms.qradar.const import DEFAULT_QRADAR_CTI_MAPPING, qradar_query_details
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class QRadarCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "SELECT UTF8(payload) from events where {result}\n"
 final_result_for_one: str = "SELECT UTF8(payload) from events where {result}\n"
- default_mapping = DEFAULT_QRADAR_MAPPING
+ default_mapping = DEFAULT_QRADAR_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/qualys/const.py b/uncoder-core/app/translator/platforms/qualys/const.py
index 5abc3ff4..f7632710 100644
--- a/uncoder-core/app/translator/platforms/qualys/const.py
+++ b/uncoder-core/app/translator/platforms/qualys/const.py
@@ -5,3 +5,16 @@
 "group_name": "Qualys",
 "group_id": "qualys",
 }
+
+DEFAULT_QUALYS_CTI_MAPPING = {
+ "DestinationIP": "network.remote.address.ip",
+ "SourceIP": "network.local.address.ip",
+ "HashSha512": "file.hash.sha512",
+ "HashSha256": "file.hash.sha256",
+ "HashMd5": "file.hash.md5",
+ "Emails": "emails",
+ "Domain": "domain",
+ "HashSha1": "file.hash.sha1",
+ "Files": "file.name",
+ "URL": "url",
+}
diff --git a/uncoder-core/app/translator/platforms/qualys/mappings/__init__.py b/uncoder-core/app/translator/platforms/qualys/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/qualys/mappings/qualys_cti.py b/uncoder-core/app/translator/platforms/qualys/mappings/qualys_cti.py
deleted file mode 100644
index 2b1c125d..00000000
--- a/uncoder-core/app/translator/platforms/qualys/mappings/qualys_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_QUALYS_MAPPING = {
- "DestinationIP": "network.remote.address.ip",
- "SourceIP": "network.local.address.ip",
- "HashSha512": "file.hash.sha512",
- "HashSha256": "file.hash.sha256",
- "HashMd5": "file.hash.md5",
- "Emails": "emails",
- "Domain": "domain",
- "HashSha1": "file.hash.sha1",
- "Files": "file.name",
- "URL": "url",
-}
diff --git a/uncoder-core/app/translator/platforms/qualys/renders/qualys_cti.py b/uncoder-core/app/translator/platforms/qualys/renders/qualys_cti.py
index 149d8975..3ccce6ba 100644
--- a/uncoder-core/app/translator/platforms/qualys/renders/qualys_cti.py
+++ b/uncoder-core/app/translator/platforms/qualys/renders/qualys_cti.py
@@ -17,8 +17,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.qualys.const import QUALYS_QUERY_DETAILS
-from app.translator.platforms.qualys.mappings.qualys_cti import DEFAULT_QUALYS_MAPPING
+from app.translator.platforms.qualys.const import DEFAULT_QUALYS_CTI_MAPPING, QUALYS_QUERY_DETAILS
 @render_cti_manager.register
@@ -32,4 +31,4 @@ class QualysCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "({result})\n"
 final_result_for_one: str = "{result}\n"
- default_mapping = DEFAULT_QUALYS_MAPPING
+ default_mapping = DEFAULT_QUALYS_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/rsa_netwitness/const.py b/uncoder-core/app/translator/platforms/rsa_netwitness/const.py
index 2b62ca82..fd3f95ad 100644
--- a/uncoder-core/app/translator/platforms/rsa_netwitness/const.py
+++ b/uncoder-core/app/translator/platforms/rsa_netwitness/const.py
@@ -5,3 +5,16 @@
 "platform_name": "Query",
 "group_id": "rsa_netwitness",
 }
+
+DEFAULT_RSA_NETWITNESS_CTI_MAPPING = {
+ "DestinationIP": "ip.dst",
+ "SourceIP": "ip.src",
+ "HashSha512": "hash",
+ "HashSha256": "hash",
+ "HashMd5": "hash",
+ "Emails": "emails",
+ "Domain": "domain",
+ "HashSha1": "hash",
+ "Files": "files",
+ "URL": "web.page",
+}
diff --git a/uncoder-core/app/translator/platforms/rsa_netwitness/mappings/__init__.py b/uncoder-core/app/translator/platforms/rsa_netwitness/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/rsa_netwitness/mappings/rsa_netwitness_cti.py b/uncoder-core/app/translator/platforms/rsa_netwitness/mappings/rsa_netwitness_cti.py
deleted file mode 100644
index 238fa6fa..00000000
--- a/uncoder-core/app/translator/platforms/rsa_netwitness/mappings/rsa_netwitness_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_RSA_NETWITNESS_MAPPING = {
- "DestinationIP": "ip.dst",
- "SourceIP": "ip.src",
- "HashSha512": "hash",
- "HashSha256": "hash",
- "HashMd5": "hash",
- "Emails": "emails",
- "Domain": "domain",
- "HashSha1": "hash",
- "Files": "files",
- "URL": "web.page",
-}
diff --git a/uncoder-core/app/translator/platforms/rsa_netwitness/renders/rsa_netwitness_cti.py b/uncoder-core/app/translator/platforms/rsa_netwitness/renders/rsa_netwitness_cti.py
index 808c0879..fe40bb8c 100644
--- a/uncoder-core/app/translator/platforms/rsa_netwitness/renders/rsa_netwitness_cti.py
+++ b/uncoder-core/app/translator/platforms/rsa_netwitness/renders/rsa_netwitness_cti.py
@@ -20,8 +20,10 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.rsa_netwitness.const import RSA_NETWITNESS_QUERY_DETAILS
-from app.translator.platforms.rsa_netwitness.mappings.rsa_netwitness_cti import DEFAULT_RSA_NETWITNESS_MAPPING
+from app.translator.platforms.rsa_netwitness.const import (
+ DEFAULT_RSA_NETWITNESS_CTI_MAPPING,
+ RSA_NETWITNESS_QUERY_DETAILS,
+)
 @render_cti_manager.register
@@ -35,4 +37,4 @@ class RSANetwitnessCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "({result})\n"
 final_result_for_one: str = "{result}\n"
- default_mapping = DEFAULT_RSA_NETWITNESS_MAPPING
+ default_mapping = DEFAULT_RSA_NETWITNESS_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/securonix/const.py b/uncoder-core/app/translator/platforms/securonix/const.py
index 01a7d4a9..9e301819 100644
--- a/uncoder-core/app/translator/platforms/securonix/const.py
+++ b/uncoder-core/app/translator/platforms/securonix/const.py
@@ -5,3 +5,16 @@
 "group_name": "Securonix",
 "group_id": "securonix",
 }
+
+DEFAULT_SECURONIX_CTI_MAPPING = {
+ "DestinationIP": "@destinationaddress",
+ "SourceIP": "@sourceaddress",
+ "HashSha512": "@filehash",
+ "HashSha256": "@filehash",
+ "HashMd5": "@filehash",
+ "Emails": "emails",
+ "Domain": "@destinationhostname",
+ "HashSha1": "@filehash",
+ "Files": "@filename",
+ "URL": "@requesturl",
+}
diff --git a/uncoder-core/app/translator/platforms/securonix/mappings/__init__.py b/uncoder-core/app/translator/platforms/securonix/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/securonix/mappings/securonix_cti.py b/uncoder-core/app/translator/platforms/securonix/mappings/securonix_cti.py
deleted file mode 100644
index 8c717f62..00000000
--- a/uncoder-core/app/translator/platforms/securonix/mappings/securonix_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_SECURONIX_MAPPING = {
- "DestinationIP": "@destinationaddress",
- "SourceIP": "@sourceaddress",
- "HashSha512": "@filehash",
- "HashSha256": "@filehash",
- "HashMd5": "@filehash",
- "Emails": "emails",
- "Domain": "@destinationhostname",
- "HashSha1": "@filehash",
- "Files": "@filename",
- "URL": "@requesturl",
-}
diff --git a/uncoder-core/app/translator/platforms/securonix/renders/securonix_cti.py b/uncoder-core/app/translator/platforms/securonix/renders/securonix_cti.py
index aff9736a..28445d27 100644
--- a/uncoder-core/app/translator/platforms/securonix/renders/securonix_cti.py
+++ b/uncoder-core/app/translator/platforms/securonix/renders/securonix_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.securonix.const import SECURONIX_QUERY_DETAILS
-from app.translator.platforms.securonix.mappings.securonix_cti import DEFAULT_SECURONIX_MAPPING
+from app.translator.platforms.securonix.const import DEFAULT_SECURONIX_CTI_MAPPING, SECURONIX_QUERY_DETAILS
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class SecuronixCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "index = archive AND {result}\n"
 final_result_for_one: str = "index = archive AND {result}\n"
- default_mapping = DEFAULT_SECURONIX_MAPPING
+ default_mapping = DEFAULT_SECURONIX_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/const.py b/uncoder-core/app/translator/platforms/sentinel_one/const.py
index b9dc9dbe..09dd07fe 100644
--- a/uncoder-core/app/translator/platforms/sentinel_one/const.py
+++ b/uncoder-core/app/translator/platforms/sentinel_one/const.py
@@ -1,7 +1,34 @@
+from app.translator.core.models.platform_details import PlatformDetails
+
+PLATFORM_DETAILS = {"group_id": "sentinel-one", "group_name": "SentinelOne"}
+
 SENTINEL_ONE_EVENTS_QUERY_DETAILS = {
 "platform_id": "s1-events",
 "name": "SentinelOne Events Query",
- "group_name": "SentinelOne",
- "group_id": "sentinel-one",
 "platform_name": "Query (Events)",
+ **PLATFORM_DETAILS,
 }
+
+SENTINEL_ONE_POWER_QUERY_DETAILS = {
+ "platform_id": "sentinel-one-power-query",
+ "name": "SentinelOne Power Query",
+ "platform_name": "Power Query",
+ **PLATFORM_DETAILS,
+}
+
+DEFAULT_S1EVENTS_CTI_MAPPING = {
+ "SourceIP": "SrcIP",
+ "DestinationIP": "DstIP",
+ "Domain": "DNS",
+ "URL": "Url",
+ "HashMd5": "Md5",
+ "HashSha1": "Sha1",
+ "HashSha256": "Sha256",
+ "HashSha512": "Sha512",
+ "Emails": "emails",
+ "Files": "TgtFilePath",
+}
+
+
+sentinel_one_events_query_details = PlatformDetails(**SENTINEL_ONE_EVENTS_QUERY_DETAILS)
+sentinel_one_power_query_details = PlatformDetails(**SENTINEL_ONE_POWER_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/mappings/__init__.py b/uncoder-core/app/translator/platforms/sentinel_one/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/mappings/s1_cti.py b/uncoder-core/app/translator/platforms/sentinel_one/mappings/s1_cti.py
deleted file mode 100644
index 5af2678d..00000000
--- a/uncoder-core/app/translator/platforms/sentinel_one/mappings/s1_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_S1EVENTS_MAPPING = {
- "SourceIP": "SrcIP",
- "DestinationIP": "DstIP",
- "Domain": "DNS",
- "URL": "Url",
- "HashMd5": "Md5",
- "HashSha1": "Sha1",
- "HashSha256": "Sha256",
- "HashSha512": "Sha512",
- "Emails": "emails",
- "Files": "TgtFilePath",
-}
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/renders/s1_cti.py b/uncoder-core/app/translator/platforms/sentinel_one/renders/s1_cti.py
index 917ec84c..a83702d9 100644
--- a/uncoder-core/app/translator/platforms/sentinel_one/renders/s1_cti.py
+++ b/uncoder-core/app/translator/platforms/sentinel_one/renders/s1_cti.py
@@ -20,13 +20,12 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.sentinel_one.const import SENTINEL_ONE_EVENTS_QUERY_DETAILS
-from app.translator.platforms.sentinel_one.mappings.s1_cti import DEFAULT_S1EVENTS_MAPPING
+from app.translator.platforms.sentinel_one.const import DEFAULT_S1EVENTS_CTI_MAPPING, sentinel_one_events_query_details
 @render_cti_manager.register
 class S1EventsCTI(RenderCTI):
- details: PlatformDetails = PlatformDetails(**SENTINEL_ONE_EVENTS_QUERY_DETAILS)
+ details: PlatformDetails = sentinel_one_events_query_details
 field_value_template: str = '"{value}"'
 or_operator: str = ", "
@@ -35,4 +34,4 @@ class S1EventsCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "({result})\n"
 final_result_for_one: str = "{result}\n"
- default_mapping = DEFAULT_S1EVENTS_MAPPING
+ default_mapping = DEFAULT_S1EVENTS_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/sigma/__init__.py b/uncoder-core/app/translator/platforms/sigma/__init__.py
index 488692b8..b4c8f9cd 100644
--- a/uncoder-core/app/translator/platforms/sigma/__init__.py
+++ b/uncoder-core/app/translator/platforms/sigma/__init__.py
@@ -1,2 +1,3 @@
 from app.translator.platforms.sigma.parsers.sigma import SigmaParser # noqa: F401
 from app.translator.platforms.sigma.renders.sigma import SigmaRender # noqa: F401
+from app.translator.platforms.sigma.renders.sigma_cti import SigmaRenderCTI # noqa: F401
diff --git a/uncoder-core/app/translator/platforms/sigma/const.py b/uncoder-core/app/translator/platforms/sigma/const.py
index aaedda41..02dc8ce1 100644
--- a/uncoder-core/app/translator/platforms/sigma/const.py
+++ b/uncoder-core/app/translator/platforms/sigma/const.py
@@ -8,4 +8,16 @@
 "group_id": "sigma",
 }
+DEFAULT_SIGMA_CTI_MAPPING = {
+ "SourceIP": "dst_ip",
+ "DestinationIP": "dst_ip",
+ "Domain": "dest_domain",
+ "URL": "url",
+ "HashMd5": "Hashes",
+ "HashSha1": "Hashes",
+ "HashSha256": "Hashes",
+ "HashSha512": "Hashes",
+}
+
+
 sigma_rule_details = PlatformDetails(**SIGMA_RULE_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/sigma/renders/sigma_cti.py b/uncoder-core/app/translator/platforms/sigma/renders/sigma_cti.py
new file mode 100644
index 00000000..680965f1
--- /dev/null
+++ b/uncoder-core/app/translator/platforms/sigma/renders/sigma_cti.py
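Review bot: `"SourceIP": "dst_ip"` in DEFAULT_SIGMA_CTI_MAPPING maps source-address IOCs onto the same field as `"DestinationIP"`, so a generated rule matches a source indicator against the destination field and the two IOC types become indistinguishable in the `selection` block; if a separate field was intended this should read `"SourceIP": "src_ip",`. This mapping also omits the `Emails` and `Files` keys that every other `DEFAULT_*_CTI_MAPPING` in this change carries, so what happens to those IOC types for Sigma depends on how the base renderer treats unmapped keys, which is not visible in this diff and is worth a one-line comment on the dict either way.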
@@ -0,0 +1,43 @@
+import uuid
+import yaml
+
+from app.translator.core.custom_types.meta_info import SeverityType
+from app.translator.core.models.iocs import IocsChunkValue
+from app.translator.core.models.platform_details import PlatformDetails
+from app.translator.core.render_cti import RenderCTI
+from app.translator.managers import render_cti_manager
+from app.translator.platforms.sigma.const import sigma_rule_details, DEFAULT_SIGMA_CTI_MAPPING
+
+
+@render_cti_manager.register
+class SigmaRenderCTI(RenderCTI):
+ details: PlatformDetails = sigma_rule_details
+ default_mapping = DEFAULT_SIGMA_CTI_MAPPING
+
+ def render(self, data: list[list[IocsChunkValue]]) -> list[str]:
+ final_result = []
+ for iocs_chunk in data:
+ data_values = self.collect_sigma_data_values(iocs_chunk)
+ rule = {
+ "title": "Sigma automatically generated based on IOCs",
+ "id": uuid.uuid4().__str__(),
+ "description": "Detects suspicious activity based on IOCs.",
+ "status": "experimental",
+ "author": "SOC Prime",
+ "logsource": {"product": "windows"},
+ "fields": list(data_values.keys()),
+ "detection": {"selection": data_values, "condition": "selection"},
+ "level": SeverityType.low,
+ "falsepositives": "",
+ }
+ final_result.append(yaml.dump(rule, default_flow_style=False, sort_keys=False))
+ return final_result
+
+ def collect_sigma_data_values(self, chunk: list[IocsChunkValue]) -> dict:
+ raw_data_values = {}
+ for value in chunk:
+ if value.platform_field in raw_data_values.keys():
+ raw_data_values[value.platform_field].append(value.value)
+ else:
+ raw_data_values[value.platform_field] = [value.value]
+ return raw_data_values
diff --git a/uncoder-core/app/translator/platforms/snowflake/const.py b/uncoder-core/app/translator/platforms/snowflake/const.py
index 0bcdea5d..4f9e390b 100644
--- a/uncoder-core/app/translator/platforms/snowflake/const.py
+++ b/uncoder-core/app/translator/platforms/snowflake/const.py
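Review bot: `"falsepositives": ""` in SigmaRenderCTI.render writes a scalar where the Sigma rule format expects a list of strings, and `"level": SeverityType.low` hands an enum member to `yaml.dump` — if SeverityType is a plain `Enum` rather than a `str` subclass the output carries a `!!python/object` tag instead of `low`; suggest `"falsepositives": [],` and `"level": SeverityType.low.value,` (or confirm the enum is str-based). IOC values go into the `selection` map verbatim, and Sigma treats `*` and `?` inside values as wildcards, so a URL IOC with a query string would match more broadly than intended unless the base renderer escapes them before this point; that deserves either an escape step or a `# NOTE: Sigma wildcard characters in IOC values are not escaped here` comment on the `detection` line. Style: `uuid.uuid4().__str__()` is `str(uuid.uuid4())`, and the `if`/`else` in collect_sigma_data_values collapses to `raw_data_values.setdefault(value.platform_field, []).append(value.value)`. `import yaml` is third-party and belongs in its own group after `import uuid`, and the names in the `sigma.const` import are unsorted (`sigma_rule_details, DEFAULT_SIGMA_CTI_MAPPING`), as are those in the sumologic_cti.py import later in this change, while every other render here lists them alphabetically.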
@@ -5,3 +5,16 @@
 "group_id": "snowflake-pack",
 "platform_name": "Query (SQL)",
 }
+
+DEFAULT_SNOWFLAKE_CTI_MAPPING = {
+ "SourceIP": "source.ip",
+ "DestinationIP": "destination.ip",
+ "Domain": "destination.domain",
+ "URL": "url.original",
+ "HashMd5": "file.hash.md5",
+ "HashSha1": "file.hash.sha1",
+ "HashSha256": "file.hash.sha256",
+ "HashSha512": "file.hash.sha512",
+ "Files": "file.path",
+ "Emails": "user.name",
+}
diff --git a/uncoder-core/app/translator/platforms/snowflake/mappings/__init__.py b/uncoder-core/app/translator/platforms/snowflake/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/snowflake/mappings/snowflake_cti.py b/uncoder-core/app/translator/platforms/snowflake/mappings/snowflake_cti.py
deleted file mode 100644
index 9fe8848b..00000000
--- a/uncoder-core/app/translator/platforms/snowflake/mappings/snowflake_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_SNOWFLAKE_MAPPING = {
- "SourceIP": "source.ip",
- "DestinationIP": "destination.ip",
- "Domain": "destination.domain",
- "URL": "url.original",
- "HashMd5": "file.hash.md5",
- "HashSha1": "file.hash.sha1",
- "HashSha256": "file.hash.sha256",
- "HashSha512": "file.hash.sha512",
- "Files": "file.path",
- "Emails": "user.name",
-}
diff --git a/uncoder-core/app/translator/platforms/snowflake/renders/snowflake_cti.py b/uncoder-core/app/translator/platforms/snowflake/renders/snowflake_cti.py
index 3507a50a..125a7c8a 100644
--- a/uncoder-core/app/translator/platforms/snowflake/renders/snowflake_cti.py
+++ b/uncoder-core/app/translator/platforms/snowflake/renders/snowflake_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.snowflake.const import SNOWFLAKE_QUERY_DETAILS
-from app.translator.platforms.snowflake.mappings.snowflake_cti import DEFAULT_SNOWFLAKE_MAPPING
+from app.translator.platforms.snowflake.const import DEFAULT_SNOWFLAKE_CTI_MAPPING, SNOWFLAKE_QUERY_DETAILS
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class SnowflakeCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "SELECT * FROM table WHERE {result}\n"
 final_result_for_one: str = "SELECT * FROM table WHERE {result}\n"
- default_mapping = DEFAULT_SNOWFLAKE_MAPPING
+ default_mapping = DEFAULT_SNOWFLAKE_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/splunk/const.py b/uncoder-core/app/translator/platforms/splunk/const.py
index 7d0bb15a..a81a2bb8 100644
--- a/uncoder-core/app/translator/platforms/splunk/const.py
+++ b/uncoder-core/app/translator/platforms/splunk/const.py
@@ -50,6 +50,20 @@
 **PLATFORM_DETAILS,
 }
+DEFAULT_SPLUNK_CTI_MAPPING = {
+ "DestinationIP": "dest_ip",
+ "SourceIP": "src_ip",
+ "HashSha512": "file_hash",
+ "HashSha256": "file_hash",
+ "HashMd5": "file_hash",
+ "Emails": "All_Email.src_user",
+ "Domain": "dest_host",
+ "HashSha1": "file_hash",
+ "Files": "file_path",
+ "URL": "url",
+}
+
+
 splunk_query_details = PlatformDetails(**SPLUNK_QUERY_DETAILS)
 splunk_alert_details = PlatformDetails(**SPLUNK_ALERT_DETAILS)
 splunk_alert_yml_details = PlatformDetails(**SPLUNK_ALERT_YML_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/splunk/mappings/__init__.py b/uncoder-core/app/translator/platforms/splunk/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/splunk/mappings/splunk_cti.py b/uncoder-core/app/translator/platforms/splunk/mappings/splunk_cti.py
deleted file mode 100644
index 37ce29a7..00000000
--- a/uncoder-core/app/translator/platforms/splunk/mappings/splunk_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_SPLUNK_MAPPING = {
- "DestinationIP": "dest_ip",
- "SourceIP": "src_ip",
- "HashSha512": "file_hash",
- "HashSha256": "file_hash",
- "HashMd5": "file_hash",
- "Emails": "All_Email.src_user",
- "Domain": "dest_host",
- "HashSha1": "file_hash",
- "Files": "file_path",
- "URL": "url",
-}
diff --git a/uncoder-core/app/translator/platforms/splunk/renders/splunk_cti.py b/uncoder-core/app/translator/platforms/splunk/renders/splunk_cti.py
index 92bcb056..60d26cea 100644
--- a/uncoder-core/app/translator/platforms/splunk/renders/splunk_cti.py
+++ b/uncoder-core/app/translator/platforms/splunk/renders/splunk_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.splunk.const import splunk_query_details
-from app.translator.platforms.splunk.mappings.splunk_cti import DEFAULT_SPLUNK_MAPPING
+from app.translator.platforms.splunk.const import DEFAULT_SPLUNK_CTI_MAPPING, splunk_query_details
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class SplunkCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "({result})\n"
 final_result_for_one: str = "{result}\n"
- default_mapping = DEFAULT_SPLUNK_MAPPING
+ default_mapping = DEFAULT_SPLUNK_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/sumo_logic/const.py b/uncoder-core/app/translator/platforms/sumo_logic/const.py
index f15ef435..2fa1019e 100644
--- a/uncoder-core/app/translator/platforms/sumo_logic/const.py
+++ b/uncoder-core/app/translator/platforms/sumo_logic/const.py
@@ -6,3 +6,16 @@
 "first_choice": 0,
 "group_id": "sumologic",
 }
+
+DEFAULT_SUMOLOGIC_CTI_MAPPING = {
+ "SourceIP": "src_ip",
+ "DestinationIP": "dst_ip",
+ "Domain": "host",
+ "URL": "url",
+ "HashMd5": "fileHash",
+ "HashSha1": "fileHash",
+ "HashSha256": "fileHash",
+ "HashSha512": "fileHash",
+ "Emails": "flattened_destinations",
+ "Files": "files",
+}
diff --git a/uncoder-core/app/translator/platforms/sumo_logic/mappings/__init__.py b/uncoder-core/app/translator/platforms/sumo_logic/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/sumo_logic/mappings/sumologic_cti.py b/uncoder-core/app/translator/platforms/sumo_logic/mappings/sumologic_cti.py
deleted file mode 100644
index e6856f42..00000000
--- a/uncoder-core/app/translator/platforms/sumo_logic/mappings/sumologic_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_SUMOLOGIC_MAPPING = {
- "SourceIP": "src_ip",
- "DestinationIP": "dst_ip",
- "Domain": "host",
- "URL": "url",
- "HashMd5": "fileHash",
- "HashSha1": "fileHash",
- "HashSha256": "fileHash",
- "HashSha512": "fileHash",
- "Emails": "flattened_destinations",
- "Files": "files",
-}
diff --git a/uncoder-core/app/translator/platforms/sumo_logic/renders/sumologic_cti.py b/uncoder-core/app/translator/platforms/sumo_logic/renders/sumologic_cti.py
index 804d664e..f268265e 100644
--- a/uncoder-core/app/translator/platforms/sumo_logic/renders/sumologic_cti.py
+++ b/uncoder-core/app/translator/platforms/sumo_logic/renders/sumologic_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.sumo_logic.const import SUMO_LOGIC_QUERY_DETAILS
-from app.translator.platforms.sumo_logic.mappings.sumologic_cti import DEFAULT_SUMOLOGIC_MAPPING
+from app.translator.platforms.sumo_logic.const import SUMO_LOGIC_QUERY_DETAILS, DEFAULT_SUMOLOGIC_CTI_MAPPING
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class SumologicCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "({result})\n"
 final_result_for_one: str = "{result}\n"
- default_mapping = DEFAULT_SUMOLOGIC_MAPPING
+ default_mapping = DEFAULT_SUMOLOGIC_CTI_MAPPING