diff --git a/uncoder-core/app/routers/ioc_translate.py b/uncoder-core/app/routers/ioc_translate.py
index 7eb702ed..3e78125d 100644
--- a/uncoder-core/app/routers/ioc_translate.py
+++ b/uncoder-core/app/routers/ioc_translate.py
@@ -4,11 +4,10 @@
 from app.models.ioc_translation import CTIPlatform, OneTranslationCTIData
 from app.models.translation import InfoMessage
-from app.translator.cti_translator import CTITranslator
+from app.translator.cti_translator import cti_translator
 from app.translator.tools.const import HashType, IocParsingRule, IOCType
 iocs_router = APIRouter()
-cti_translator = CTITranslator()
 @iocs_router.post("/iocs/translate", description="Parse IOCs from text.")
diff --git a/uncoder-core/app/translator/cti_translator.py b/uncoder-core/app/translator/cti_translator.py
index 79b25fc4..740839cc 100644
--- a/uncoder-core/app/translator/cti_translator.py
+++ b/uncoder-core/app/translator/cti_translator.py
@@ -86,3 +86,6 @@ def __get_iocs_chunk(
 @classmethod
 def get_renders(cls) -> list:
 return cls.render_manager.get_platforms_details
+
+
+cti_translator = CTITranslator()
diff --git a/uncoder-core/app/translator/platforms/arcsight/const.py b/uncoder-core/app/translator/platforms/arcsight/const.py
index f9af112e..0f431d87 100644
--- a/uncoder-core/app/translator/platforms/arcsight/const.py
+++ b/uncoder-core/app/translator/platforms/arcsight/const.py
@@ -9,4 +9,18 @@
 "alt_platform_name": "CEF",
 }
+
+DEFAULT_ARCSIGHT_CTI_MAPPING = {
+ "SourceIP": "sourceAddress",
+ "DestinationIP": "destinationAddress",
+ "Domain": "destinationDnsDomain",
+ "URL": "requestUrl",
+ "HashMd5": "fileHash",
+ "HashSha1": "fileHash",
+ "HashSha256": "fileHash",
+ "HashSha512": "fileHash",
+ "Emails": "sender-address",
+ "Files": "winlog.event_data.TargetFilename",
+}
+
 arcsight_query_details = PlatformDetails(**ARCSIGHT_QUERY_DETAILS)
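Review bot: The new module-level `cti_translator = CTITranslator()` at the end of cti_translator.py is undocumented, and because the router hunk in this same commit now imports it from here, the instance is created as a side effect of importing `app.translator.cti_translator` rather than next to its use. A one-line comment would make that intent explicit: `# Process-wide CTITranslator instance shared by the IOC routers (see app.routers.ioc_translate).`. If `CTITranslator.__init__` does non-trivial setup, an error there now surfaces as a failed import of this module; the constructor and the enclosing class are outside the hunk, so this needs confirming against them.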
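Review bot: `"Files": "winlog.event_data.TargetFilename"` in `DEFAULT_ARCSIGHT_CTI_MAPPING` reads like an Elastic/Winlogbeat field name rather than an ArcSight CEF key, unlike the rest of the dict (`sourceAddress`, `destinationDnsDomain`, `requestUrl`, `fileHash`), and `"Emails": "sender-address"` is likewise not in the CEF naming style. The commit moves both entries verbatim from the deleted mappings module, so they are carried over rather than introduced, but the consolidation is a good point to verify them against the CEF extension key list (`fileName` is the CEF-style counterpart for a file name — confirm). The dict also has no comment saying what its keys are; a header such as `# Generic IOC type name -> ArcSight CEF field; keys are the same set the other *_CTI_MAPPING dicts use` would help, with the lookup mechanism itself hedged because RenderCTI is outside this diff.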
diff --git a/uncoder-core/app/translator/platforms/arcsight/mappings/__init__.py b/uncoder-core/app/translator/platforms/arcsight/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/arcsight/mappings/arcsight_cti.py b/uncoder-core/app/translator/platforms/arcsight/mappings/arcsight_cti.py
deleted file mode 100644
index 4a01074d..00000000
--- a/uncoder-core/app/translator/platforms/arcsight/mappings/arcsight_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_ARCSIGHT_MAPPING = {
- "SourceIP": "sourceAddress",
- "DestinationIP": "destinationAddress",
- "Domain": "destinationDnsDomain",
- "URL": "requestUrl",
- "HashMd5": "fileHash",
- "HashSha1": "fileHash",
- "HashSha256": "fileHash",
- "HashSha512": "fileHash",
- "Emails": "sender-address",
- "Files": "winlog.event_data.TargetFilename",
-}
diff --git a/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py b/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py
index 8e41b677..22b135cc 100644
--- a/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py
+++ b/uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py
@@ -1,15 +1,14 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.arcsight.const import arcsight_query_details
-from app.translator.platforms.arcsight.mappings.arcsight_cti import DEFAULT_ARCSIGHT_MAPPING
+from app.translator.platforms.arcsight.const import arcsight_query_details, DEFAULT_ARCSIGHT_CTI_MAPPING
 @render_cti_manager.register
 class ArcsightKeyword(RenderCTI):
 details: PlatformDetails = arcsight_query_details
- default_mapping = DEFAULT_ARCSIGHT_MAPPING
+ default_mapping = DEFAULT_ARCSIGHT_CTI_MAPPING
 field_value_template: str = "{key} = {value}"
 or_operator: str = " OR "
 group_or_operator: str = " OR "
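Review bot: The rewritten import `from app.translator.platforms.arcsight.const import arcsight_query_details, DEFAULT_ARCSIGHT_CTI_MAPPING` orders the names differently from every other render touched in this commit (athena, chronicle, crowdstrike, graylog and the rest put the uppercase constant first, which is what case-sensitive isort/ruff ordering produces). Reordering it to `from app.translator.platforms.arcsight.const import DEFAULT_ARCSIGHT_CTI_MAPPING, arcsight_query_details` keeps the files consistent and avoids a later lint-only churn commit. This is purely a style point; the class body is unchanged apart from the renamed constant.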
diff --git a/uncoder-core/app/translator/platforms/athena/const.py b/uncoder-core/app/translator/platforms/athena/const.py
index db261b69..ea10735d 100644
--- a/uncoder-core/app/translator/platforms/athena/const.py
+++ b/uncoder-core/app/translator/platforms/athena/const.py
@@ -9,4 +9,18 @@
 "alt_platform_name": "OCSF",
 }
+DEFAULT_ATHENA_CTI_MAPPING = {
+ "SourceIP": "src_endpoint",
+ "DestinationIP": "dst_endpoint",
+ "Domain": "dst_endpoint",
+ "URL": "http_request",
+ "HashMd5": "unmapped.file.hash.md5",
+ "HashSha1": "unmapped.file.hash.sha1",
+ "HashSha256": "unmapped.file.hash.sha256",
+ "HashSha512": "unmapped.file.hash.sha512",
+ "Email": "email",
+ "FileName": "file.name",
+}
+
+
 athena_query_details = PlatformDetails(**ATHENA_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/athena/mappings/__init__.py b/uncoder-core/app/translator/platforms/athena/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/athena/mappings/athena_cti.py b/uncoder-core/app/translator/platforms/athena/mappings/athena_cti.py
deleted file mode 100644
index c41aeb77..00000000
--- a/uncoder-core/app/translator/platforms/athena/mappings/athena_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_ATHENA_MAPPING = {
- "SourceIP": "src_endpoint",
- "DestinationIP": "dst_endpoint",
- "Domain": "dst_endpoint",
- "URL": "http_request",
- "HashMd5": "unmapped.file.hash.md5",
- "HashSha1": "unmapped.file.hash.sha1",
- "HashSha256": "unmapped.file.hash.sha256",
- "HashSha512": "unmapped.file.hash.sha512",
- "Email": "email",
- "FileName": "file.name",
-}
diff --git a/uncoder-core/app/translator/platforms/athena/renders/athena_cti.py b/uncoder-core/app/translator/platforms/athena/renders/athena_cti.py
index c46290e8..285b3e2e 100644
--- a/uncoder-core/app/translator/platforms/athena/renders/athena_cti.py
+++ b/uncoder-core/app/translator/platforms/athena/renders/athena_cti.py
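Review bot: `DEFAULT_ATHENA_CTI_MAPPING` keys its e-mail and file entries `"Email"` and `"FileName"`, while every other `*_CTI_MAPPING` dict added in this commit uses `"Emails"` and `"Files"`; the Defender render later in the diff resolves templates by a `generic_field` name, which suggests these keys are looked up by one shared name, so the two Athena entries would presumably never match and e-mail/file IOCs would fall through for this platform. The entries are copied verbatim from the deleted `athena_cti.py`, so the mismatch predates the commit, but consolidating the mappings is the natural place to align them: `"Emails": "email",` and `"Files": "file.name",` if the shared names are indeed `Emails`/`Files` (confirm against RenderCTI, which is outside this diff).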
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.athena.const import athena_query_details
-from app.translator.platforms.athena.mappings.athena_cti import DEFAULT_ATHENA_MAPPING
+from app.translator.platforms.athena.const import DEFAULT_ATHENA_CTI_MAPPING, athena_query_details
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class AthenaCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "SELECT * from eventlog where {result}\n"
 final_result_for_one: str = "SELECT * from eventlog where {result}\n"
- default_mapping = DEFAULT_ATHENA_MAPPING
+ default_mapping = DEFAULT_ATHENA_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/chronicle/const.py b/uncoder-core/app/translator/platforms/chronicle/const.py
index 142eaae7..5bb4363c 100644
--- a/uncoder-core/app/translator/platforms/chronicle/const.py
+++ b/uncoder-core/app/translator/platforms/chronicle/const.py
@@ -37,5 +37,17 @@
 **PLATFORM_DETAILS,
 }
+DEFAULT_CHRONICLE_CTI_MAPPING = {
+ "DestinationIP": "target.ip",
+ "SourceIP": "principal.ip",
+ "HashSha256": "target.file.sha256",
+ "HashMd5": "target.file.md5",
+ "Emails": "network.email.from",
+ "Domain": "target.hostname",
+ "HashSha1": "target.file.sha1",
+ "Files": "target.file.full_path",
+ "URL": "target.url",
+}
+
 chronicle_query_details = PlatformDetails(**CHRONICLE_QUERY_DETAILS)
 chronicle_rule_details = PlatformDetails(**CHRONICLE_RULE_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/chronicle/mappings/__init__.py b/uncoder-core/app/translator/platforms/chronicle/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/chronicle/mappings/chronicle_cti.py b/uncoder-core/app/translator/platforms/chronicle/mappings/chronicle_cti.py
deleted file mode 100644
index 84c71608..00000000
--- a/uncoder-core/app/translator/platforms/chronicle/mappings/chronicle_cti.py
+++ /dev/null
@@ -1,11 +0,0 @@
-DEFAULT_CHRONICLE_MAPPING = {
- "DestinationIP": "target.ip",
- "SourceIP": "principal.ip",
- "HashSha256": "target.file.sha256",
- "HashMd5": "target.file.md5",
- "Emails": "network.email.from",
- "Domain": "target.hostname",
- "HashSha1": "target.file.sha1",
- "Files": "target.file.full_path",
- "URL": "target.url",
-}
diff --git a/uncoder-core/app/translator/platforms/chronicle/renders/chronicle_cti.py b/uncoder-core/app/translator/platforms/chronicle/renders/chronicle_cti.py
index ca68950d..3d5d15ea 100644
--- a/uncoder-core/app/translator/platforms/chronicle/renders/chronicle_cti.py
+++ b/uncoder-core/app/translator/platforms/chronicle/renders/chronicle_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.chronicle.const import chronicle_query_details
-from app.translator.platforms.chronicle.mappings.chronicle_cti import DEFAULT_CHRONICLE_MAPPING
+from app.translator.platforms.chronicle.const import DEFAULT_CHRONICLE_CTI_MAPPING, chronicle_query_details
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class ChronicleQueryCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "{result}\n"
 final_result_for_one: str = "{result}\n"
- default_mapping = DEFAULT_CHRONICLE_MAPPING
+ default_mapping = DEFAULT_CHRONICLE_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/crowdstrike/const.py b/uncoder-core/app/translator/platforms/crowdstrike/const.py
index 11dd01c5..7a76084d 100644
--- a/uncoder-core/app/translator/platforms/crowdstrike/const.py
+++ b/uncoder-core/app/translator/platforms/crowdstrike/const.py
@@ -8,4 +8,17 @@
 "group_name": "CrowdStrike Endpoint Security",
 }
+DEFAULT_CROWDSTRIKE_CTI_MAPPING = {
+ "DestinationIP": "RemoteAddressIP4",
+ "SourceIP": "LocalAddressIP4",
+ "HashSha256": "SHA256HashData",
+ "HashMd5": "MD5HashData",
+ "Emails": "emails",
+ "Domain": "DomainName",
+ "HashSha1": "SHA1HashData",
+ "Files": "TargetFileName",
+ "URL": "HttpUrl",
+}
+
+
 crowdstrike_query_details = PlatformDetails(**CROWDSTRIKE_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/crowdstrike/mappings/__init__.py b/uncoder-core/app/translator/platforms/crowdstrike/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/crowdstrike/mappings/crowdstrike_cti.py b/uncoder-core/app/translator/platforms/crowdstrike/mappings/crowdstrike_cti.py
deleted file mode 100644
index 7e4010c2..00000000
--- a/uncoder-core/app/translator/platforms/crowdstrike/mappings/crowdstrike_cti.py
+++ /dev/null
@@ -1,11 +0,0 @@
-DEFAULT_CROWDSTRIKE_MAPPING = {
- "DestinationIP": "RemoteAddressIP4",
- "SourceIP": "LocalAddressIP4",
- "HashSha256": "SHA256HashData",
- "HashMd5": "MD5HashData",
- "Emails": "emails",
- "Domain": "DomainName",
- "HashSha1": "SHA1HashData",
- "Files": "TargetFileName",
- "URL": "HttpUrl",
-}
diff --git a/uncoder-core/app/translator/platforms/crowdstrike/renders/crowdstrike_cti.py b/uncoder-core/app/translator/platforms/crowdstrike/renders/crowdstrike_cti.py
index cb04502f..baabea37 100644
--- a/uncoder-core/app/translator/platforms/crowdstrike/renders/crowdstrike_cti.py
+++ b/uncoder-core/app/translator/platforms/crowdstrike/renders/crowdstrike_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.crowdstrike.const import crowdstrike_query_details
-from app.translator.platforms.crowdstrike.mappings.crowdstrike_cti import DEFAULT_CROWDSTRIKE_MAPPING
+from app.translator.platforms.crowdstrike.const import DEFAULT_CROWDSTRIKE_CTI_MAPPING, crowdstrike_query_details
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class CrowdStrikeCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "({result})\n"
 final_result_for_one: str = "{result}\n"
- default_mapping = DEFAULT_CROWDSTRIKE_MAPPING
+ default_mapping = DEFAULT_CROWDSTRIKE_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/const.py b/uncoder-core/app/translator/platforms/elasticsearch/const.py
index 59a50ac3..51402819 100644
--- a/uncoder-core/app/translator/platforms/elasticsearch/const.py
+++ b/uncoder-core/app/translator/platforms/elasticsearch/const.py
@@ -240,3 +240,16 @@
 "query": "",
 "actions": [],
 }
+
+DEFAULT_ELASTICSEARCH_CTI_MAPPING = {
+ "DestinationIP": "destination.ip",
+ "SourceIP": "source.ip",
+ "HashSha512": "file.hash.sha512",
+ "HashSha256": "file.hash.sha256",
+ "HashMd5": "file.hash.md5",
+ "Emails": "email.from.address",
+ "Domain": "destination.domain",
+ "HashSha1": "file.hash.sha1",
+ "Files": "file.name",
+ "URL": "url.original",
+}
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/mappings/__init__.py b/uncoder-core/app/translator/platforms/elasticsearch/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/mappings/elasticsearch_cti_cti.py b/uncoder-core/app/translator/platforms/elasticsearch/mappings/elasticsearch_cti_cti.py
deleted file mode 100644
index e4b0564f..00000000
--- a/uncoder-core/app/translator/platforms/elasticsearch/mappings/elasticsearch_cti_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_ELASTICSEARCH_MAPPING = {
- "DestinationIP": "destination.ip",
- "SourceIP": "source.ip",
- "HashSha512": "file.hash.sha512",
- "HashSha256": "file.hash.sha256",
- "HashMd5": "file.hash.md5",
- "Emails": "email.from.address",
- "Domain": "destination.domain",
- "HashSha1": "file.hash.sha1",
- "Files": "file.name",
- "URL": "url.original",
-}
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_cti.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_cti.py
index 34f2514e..820b6d54 100644
--- a/uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_cti.py
+++ b/uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_cti.py
@@ -20,8 +20,10 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.elasticsearch.const import elasticsearch_lucene_query_details
-from app.translator.platforms.elasticsearch.mappings.elasticsearch_cti_cti import DEFAULT_ELASTICSEARCH_MAPPING
+from app.translator.platforms.elasticsearch.const import (
+ DEFAULT_ELASTICSEARCH_CTI_MAPPING,
+ elasticsearch_lucene_query_details,
+)
 @render_cti_manager.register
@@ -35,4 +37,4 @@ class ElasticsearchCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "({result})\n"
 final_result_for_one: str = "{result}\n"
- default_mapping = DEFAULT_ELASTICSEARCH_MAPPING
+ default_mapping = DEFAULT_ELASTICSEARCH_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_eql.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_eql.py
index 1bf657fc..530c404d 100644
--- a/uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_eql.py
+++ b/uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_eql.py
@@ -119,7 +119,6 @@ def is_not_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: # noqa: AR
 @render_manager.register
-
 class ElasticSearchEQLQueryRender(ExtraConditionMixin, PlatformQueryRender):
 details: PlatformDetails = elastic_eql_query_details
 mappings: LuceneMappings = elastic_eql_query_mappings
diff --git a/uncoder-core/app/translator/platforms/fireeye_helix/const.py b/uncoder-core/app/translator/platforms/fireeye_helix/const.py
index 72160a2e..b06e4d50 100644
--- a/uncoder-core/app/translator/platforms/fireeye_helix/const.py
+++ b/uncoder-core/app/translator/platforms/fireeye_helix/const.py
@@ -5,3 +5,16 @@
 "group_id": "fireeye",
 "platform_name": "Query",
 }
+
+DEFAULT_FIREEYE_HELIX_CTI_MAPPING = {
+ "SourceIP": "~srcipv4",
+ "DestinationIP": "~dstipv4",
+ "Domain": "domain",
+ "URL": "url",
+ "HashMd5": "~hash",
+ "HashSha1": "~hash",
+ "HashSha256": "~hash",
+ "HashSha512": "~hash",
+ "Emails": "emails",
+ "Files": "filepath",
+}
diff --git a/uncoder-core/app/translator/platforms/fireeye_helix/mappings/__init__.py b/uncoder-core/app/translator/platforms/fireeye_helix/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/fireeye_helix/mappings/fireeye_helix.py b/uncoder-core/app/translator/platforms/fireeye_helix/mappings/fireeye_helix.py
deleted file mode 100644
index 5a040ab6..00000000
--- a/uncoder-core/app/translator/platforms/fireeye_helix/mappings/fireeye_helix.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_FIREEYE_HELIX_MAPPING = {
- "SourceIP": "~srcipv4",
- "DestinationIP": "~dstipv4",
- "Domain": "domain",
- "URL": "url",
- "HashMd5": "~hash",
- "HashSha1": "~hash",
- "HashSha256": "~hash",
- "HashSha512": "~hash",
- "Emails": "emails",
- "Files": "filepath",
-}
diff --git a/uncoder-core/app/translator/platforms/fireeye_helix/renders/fireeye_helix_cti.py b/uncoder-core/app/translator/platforms/fireeye_helix/renders/fireeye_helix_cti.py
index 8aaf0f0c..51dba4e5 100644
--- a/uncoder-core/app/translator/platforms/fireeye_helix/renders/fireeye_helix_cti.py
+++ b/uncoder-core/app/translator/platforms/fireeye_helix/renders/fireeye_helix_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.fireeye_helix.const import FIREEYE_HELIX_QUERY_DETAILS
-from app.translator.platforms.fireeye_helix.mappings.fireeye_helix import DEFAULT_FIREEYE_HELIX_MAPPING
+from app.translator.platforms.fireeye_helix.const import DEFAULT_FIREEYE_HELIX_CTI_MAPPING, FIREEYE_HELIX_QUERY_DETAILS
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class FireeyeHelixCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "({result})\n"
 final_result_for_one: str = "{result}\n"
- default_mapping = DEFAULT_FIREEYE_HELIX_MAPPING
+ default_mapping = DEFAULT_FIREEYE_HELIX_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/graylog/const.py b/uncoder-core/app/translator/platforms/graylog/const.py
index f13757f5..90270013 100644
--- a/uncoder-core/app/translator/platforms/graylog/const.py
+++ b/uncoder-core/app/translator/platforms/graylog/const.py
@@ -8,5 +8,18 @@
 "group_id": "graylog",
 }
+DEFAULT_GRAYLOG_CTI_MAPPING = {
+ "SourceIP": "source.ip",
+ "DestinationIP": "destination.ip",
+ "Domain": "destination.domain",
+ "URL": "url.original",
+ "HashMd5": "file.hash.md5",
+ "HashSha1": "file.hash.sha1",
+ "HashSha256": "file.hash.sha256",
+ "HashSha512": "file.hash.sha512",
+ "Emails": "emails",
+ "Files": "filePath",
+}
+
 graylog_query_details = PlatformDetails(**GRAYLOG_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/graylog/mappings/__init__.py b/uncoder-core/app/translator/platforms/graylog/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/graylog/mappings/graylog_cti.py b/uncoder-core/app/translator/platforms/graylog/mappings/graylog_cti.py
deleted file mode 100644
index bacf4936..00000000
--- a/uncoder-core/app/translator/platforms/graylog/mappings/graylog_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_GRAYLOG_MAPPING = {
- "SourceIP": "source.ip",
- "DestinationIP": "destination.ip",
- "Domain": "destination.domain",
- "URL": "url.original",
- "HashMd5": "file.hash.md5",
- "HashSha1": "file.hash.sha1",
- "HashSha256": "file.hash.sha256",
- "HashSha512": "file.hash.sha512",
- "Emails": "emails",
- "Files": "filePath",
-}
diff --git a/uncoder-core/app/translator/platforms/graylog/renders/graylog_cti.py b/uncoder-core/app/translator/platforms/graylog/renders/graylog_cti.py
index b607b8d4..ae8ee06a 100644
--- a/uncoder-core/app/translator/platforms/graylog/renders/graylog_cti.py
+++ b/uncoder-core/app/translator/platforms/graylog/renders/graylog_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.graylog.const import GRAYLOG_QUERY_DETAILS
-from app.translator.platforms.graylog.mappings.graylog_cti import DEFAULT_GRAYLOG_MAPPING
+from app.translator.platforms.graylog.const import DEFAULT_GRAYLOG_CTI_MAPPING, GRAYLOG_QUERY_DETAILS
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class GraylogCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "({result})\n"
 final_result_for_one: str = "{result}\n"
- default_mapping = DEFAULT_GRAYLOG_MAPPING
+ default_mapping = DEFAULT_GRAYLOG_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/logpoint/const.py b/uncoder-core/app/translator/platforms/logpoint/const.py
index 76346910..68685661 100644
--- a/uncoder-core/app/translator/platforms/logpoint/const.py
+++ b/uncoder-core/app/translator/platforms/logpoint/const.py
@@ -5,3 +5,16 @@
 "platform_name": "Query",
 "group_id": "logpoint",
 }
+
+DEFAULT_LOGPOINT_CTI_MAPPING = {
+ "DestinationIP": "dst_ip",
+ "SourceIP": "src_ip",
+ "HashSha512": "hash",
+ "HashSha256": "hash",
+ "HashMd5": "hash",
+ "Emails": "emails",
+ "Domain": "host",
+ "HashSha1": "hash",
+ "Files": "files",
+ "URL": "url",
+}
diff --git a/uncoder-core/app/translator/platforms/logpoint/mappings/__init__.py b/uncoder-core/app/translator/platforms/logpoint/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/logpoint/mappings/logpoint_cti.py b/uncoder-core/app/translator/platforms/logpoint/mappings/logpoint_cti.py
deleted file mode 100644
index c296afa8..00000000
--- a/uncoder-core/app/translator/platforms/logpoint/mappings/logpoint_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_LOGPOINT_MAPPING = {
- "DestinationIP": "dst_ip",
- "SourceIP": "src_ip",
- "HashSha512": "hash",
- "HashSha256": "hash",
- "HashMd5": "hash",
- "Emails": "emails",
- "Domain": "host",
- "HashSha1": "hash",
- "Files": "files",
- "URL": "url",
-}
diff --git a/uncoder-core/app/translator/platforms/logpoint/renders/logpoint_cti.py b/uncoder-core/app/translator/platforms/logpoint/renders/logpoint_cti.py
index f4799a81..1bf42fd5 100644
--- a/uncoder-core/app/translator/platforms/logpoint/renders/logpoint_cti.py
+++ b/uncoder-core/app/translator/platforms/logpoint/renders/logpoint_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.logpoint.const import LOGPOINT_QUERY_DETAILS
-from app.translator.platforms.logpoint.mappings.logpoint_cti import DEFAULT_LOGPOINT_MAPPING
+from app.translator.platforms.logpoint.const import DEFAULT_LOGPOINT_CTI_MAPPING, LOGPOINT_QUERY_DETAILS
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class LogpointCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "({result})\n"
 final_result_for_one: str = "{result}\n"
- default_mapping = DEFAULT_LOGPOINT_MAPPING
+ default_mapping = DEFAULT_LOGPOINT_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/logscale/const.py b/uncoder-core/app/translator/platforms/logscale/const.py
index 3a52d181..efc05c46 100644
--- a/uncoder-core/app/translator/platforms/logscale/const.py
+++ b/uncoder-core/app/translator/platforms/logscale/const.py
@@ -25,6 +25,19 @@
 **PLATFORM_DETAILS,
 }
+DEFAULT_LOGSCALE_CTI_MAPPING = {
+ "DestinationIP": "dst_ip",
+ "SourceIP": "src_ip",
+ "HashSha512": "file.hash.sha512",
+ "HashSha256": "file.hash.sha256",
+ "HashMd5": "file.hash.md5",
+ "Emails": "email",
+ "Domain": "host",
+ "HashSha1": "file.hash.sha1",
+ "Files": "winlog.event_data.TargetFilename",
+ "URL": "url",
+}
+
 logscale_query_details = PlatformDetails(**LOGSCALE_QUERY_DETAILS)
 logscale_alert_details = PlatformDetails(**LOGSCALE_ALERT_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/logscale/mappings/__init__.py b/uncoder-core/app/translator/platforms/logscale/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/logscale/mappings/logscale_cti.py b/uncoder-core/app/translator/platforms/logscale/mappings/logscale_cti.py
deleted file mode 100644
index 54103fc7..00000000
--- a/uncoder-core/app/translator/platforms/logscale/mappings/logscale_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_LOGSCALE_MAPPING = {
- "DestinationIP": "dst_ip",
- "SourceIP": "src_ip",
- "HashSha512": "file.hash.sha512",
- "HashSha256": "file.hash.sha256",
- "HashMd5": "file.hash.md5",
- "Emails": "email",
- "Domain": "host",
- "HashSha1": "file.hash.sha1",
- "Files": "winlog.event_data.TargetFilename",
- "URL": "url",
-}
diff --git a/uncoder-core/app/translator/platforms/logscale/renders/logscale_cti.py b/uncoder-core/app/translator/platforms/logscale/renders/logscale_cti.py
index 3dc73d1a..cf2e45ad 100644
--- a/uncoder-core/app/translator/platforms/logscale/renders/logscale_cti.py
+++ b/uncoder-core/app/translator/platforms/logscale/renders/logscale_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.logscale.const import logscale_query_details
-from app.translator.platforms.logscale.mappings.logscale_cti import DEFAULT_LOGSCALE_MAPPING
+from app.translator.platforms.logscale.const import DEFAULT_LOGSCALE_CTI_MAPPING, logscale_query_details
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class LogScaleCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = '@stream="http" {result}\n'
 final_result_for_one: str = '@stream="http" {result}\n'
- default_mapping = DEFAULT_LOGSCALE_MAPPING
+ default_mapping = DEFAULT_LOGSCALE_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/microsoft/const.py b/uncoder-core/app/translator/platforms/microsoft/const.py
index a4797eb7..30d2be92 100644
--- a/uncoder-core/app/translator/platforms/microsoft/const.py
+++ b/uncoder-core/app/translator/platforms/microsoft/const.py
@@ -53,7 +53,31 @@
 "group_id": "microsoft-defender",
 }
-MICROSOFT_SENTINEL_QUERY_TYPES = {_SENTINEL_KQL_QUERY, _SENTINEL_KQL_RULE}
+
+DEFAULT_MICROSOFT_DEFENDER_CTI_MAPPING = {
+ "DestinationIP": "RemoteIP",
+ "SourceIP": "LocalIP",
+ "HashSha256": "InitiatingProcessSHA256",
+ "HashMd5": "InitiatingProcessMD5",
+ "Emails": "SenderFromAddress",
+ "Domain": "RemoteUrl",
+ "HashSha1": "InitiatingProcessSHA1",
+ "Files": "FileName",
+ "URL": "RemoteUrl",
+}
+
+DEFAULT_MICROSOFT_SENTINEL_CTI_MAPPING = {
+ "DestinationIP": "DestinationIp",
+ "SourceIP": "SourceIp",
+ "HashSha512": "FileHashSha512",
+ "HashSha256": "FileHashSha256",
+ "HashMd5": "FileHashMd5",
+ "Emails": "SenderFromAddress",
+ "Domain": "DestinationHostname",
+ "HashSha1": "FileHashSha1",
+ "Files": "TargetFileName",
+ "URL": "URL",
+}
 microsoft_defender_query_details = PlatformDetails(**MICROSOFT_DEFENDER_DETAILS)
 microsoft_sentinel_query_details = PlatformDetails(**MICROSOFT_SENTINEL_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/microsoft/mappings/__init__.py b/uncoder-core/app/translator/platforms/microsoft/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/microsoft/mappings/mdatp_cti.py b/uncoder-core/app/translator/platforms/microsoft/mappings/mdatp_cti.py
deleted file mode 100644
index 96150ec1..00000000
--- a/uncoder-core/app/translator/platforms/microsoft/mappings/mdatp_cti.py
+++ /dev/null
@@ -1,11 +0,0 @@
-DEFAULT_MICROSOFT_DEFENDER_MAPPING = {
- "DestinationIP": "RemoteIP",
- "SourceIP": "LocalIP",
- "HashSha256": "InitiatingProcessSHA256",
- "HashMd5": "InitiatingProcessMD5",
- "Emails": "SenderFromAddress",
- "Domain": "RemoteUrl",
- "HashSha1": "InitiatingProcessSHA1",
- "Files": "FileName",
- "URL": "RemoteUrl",
-}
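Review bot: The hunk removes `MICROSOFT_SENTINEL_QUERY_TYPES = {_SENTINEL_KQL_QUERY, _SENTINEL_KQL_RULE}` with no replacement anywhere in this diff, which is unrelated to the CTI-mapping consolidation the rest of the commit performs; if any module still imports that name, importing `app.translator.platforms.microsoft.const` will raise `ImportError` at application start. If the constant is genuinely dead the deletion should at least be called out in the commit message; otherwise the line should stay. Separately, `DEFAULT_MICROSOFT_DEFENDER_CTI_MAPPING` maps both `"Domain"` and `"URL"` to `RemoteUrl`, so a domain IOC is matched against the same column as a full URL; this is carried over from the deleted `mdatp_cti.py`, but a note such as `# NOTE: Domain and URL both resolve to RemoteUrl — confirm this is intended` would stop the next reader from treating it as a typo.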
diff --git a/uncoder-core/app/translator/platforms/microsoft/mappings/microsoft_sentinel_cti.py b/uncoder-core/app/translator/platforms/microsoft/mappings/microsoft_sentinel_cti.py
deleted file mode 100644
index 33a9d0da..00000000
--- a/uncoder-core/app/translator/platforms/microsoft/mappings/microsoft_sentinel_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_MICROSOFT_SENTINEL_MAPPING = {
- "DestinationIP": "DestinationIp",
- "SourceIP": "SourceIp",
- "HashSha512": "FileHashSha512",
- "HashSha256": "FileHashSha256",
- "HashMd5": "FileHashMd5",
- "Emails": "SenderFromAddress",
- "Domain": "DestinationHostname",
- "HashSha1": "FileHashSha1",
- "Files": "TargetFileName",
- "URL": "URL",
-}
diff --git a/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_defender_cti.py b/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_defender_cti.py
index 72521800..40726e4c 100644
--- a/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_defender_cti.py
+++ b/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_defender_cti.py
@@ -22,8 +22,10 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.microsoft.const import microsoft_defender_query_details
-from app.translator.platforms.microsoft.mappings.mdatp_cti import DEFAULT_MICROSOFT_DEFENDER_MAPPING
+from app.translator.platforms.microsoft.const import (
+ DEFAULT_MICROSOFT_DEFENDER_CTI_MAPPING,
+ microsoft_defender_query_details,
+)
 @render_cti_manager.register
@@ -40,7 +42,7 @@ class MicrosoftDefenderCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "union * | where ({result})\n"
 final_result_for_one: str = "union * | where {result}\n"
- default_mapping = DEFAULT_MICROSOFT_DEFENDER_MAPPING
+ default_mapping = DEFAULT_MICROSOFT_DEFENDER_CTI_MAPPING
 def create_field_value(self, field: str, value: str, generic_field: str) -> str:
 if field_value_template := self.field_value_templates_map.get(generic_field):
diff --git a/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_cti.py b/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_cti.py
index 018c0934..9ac314e8 100644
--- a/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_cti.py
+++ b/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_cti.py
@@ -20,8 +20,10 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.microsoft.const import microsoft_sentinel_query_details
-from app.translator.platforms.microsoft.mappings.microsoft_sentinel_cti import DEFAULT_MICROSOFT_SENTINEL_MAPPING
+from app.translator.platforms.microsoft.const import (
+ DEFAULT_MICROSOFT_SENTINEL_CTI_MAPPING,
+ microsoft_sentinel_query_details,
+)
 @render_cti_manager.register
@@ -35,4 +37,4 @@ class MicrosoftSentinelCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "search ({result})\n"
 final_result_for_one: str = "search {result}\n"
- default_mapping = DEFAULT_MICROSOFT_SENTINEL_MAPPING
+ default_mapping = DEFAULT_MICROSOFT_SENTINEL_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/opensearch/const.py b/uncoder-core/app/translator/platforms/opensearch/const.py
index 913e2255..6522143c 100644
--- a/uncoder-core/app/translator/platforms/opensearch/const.py
+++ b/uncoder-core/app/translator/platforms/opensearch/const.py
@@ -54,3 +54,16 @@
 }
 ],
 }
+
+DEFAULT_OPENSEARCH_CTI_MAPPING = {
+ "DestinationIP": "destination.ip",
+ "SourceIP": "source.ip",
+ "HashSha512": "file.hash.sha512",
+ "HashSha256": "file.hash.sha256",
+ "HashMd5": "file.hash.md5",
+ "Emails": "email.from.address",
+ "Domain": "destination.domain",
+ "HashSha1": "file.hash.sha1",
+ "Files": "file.name",
+ "URL": "url.original",
+}
diff --git a/uncoder-core/app/translator/platforms/opensearch/mappings/__init__.py b/uncoder-core/app/translator/platforms/opensearch/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/opensearch/mappings/opensearch_cti.py b/uncoder-core/app/translator/platforms/opensearch/mappings/opensearch_cti.py
deleted file mode 100644
index 1b4b6fd1..00000000
--- a/uncoder-core/app/translator/platforms/opensearch/mappings/opensearch_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_OPENSEARCH_MAPPING = {
- "DestinationIP": "destination.ip",
- "SourceIP": "source.ip",
- "HashSha512": "file.hash.sha512",
- "HashSha256": "file.hash.sha256",
- "HashMd5": "file.hash.md5",
- "Emails": "email.from.address",
- "Domain": "destination.domain",
- "HashSha1": "file.hash.sha1",
- "Files": "file.name",
- "URL": "url.original",
-}
diff --git a/uncoder-core/app/translator/platforms/opensearch/renders/opensearch_cti.py b/uncoder-core/app/translator/platforms/opensearch/renders/opensearch_cti.py
index 40931c08..5991b487 100644
--- a/uncoder-core/app/translator/platforms/opensearch/renders/opensearch_cti.py
+++ b/uncoder-core/app/translator/platforms/opensearch/renders/opensearch_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.opensearch.const import opensearch_query_details
-from app.translator.platforms.opensearch.mappings.opensearch_cti import DEFAULT_OPENSEARCH_MAPPING
+from app.translator.platforms.opensearch.const import DEFAULT_OPENSEARCH_CTI_MAPPING, opensearch_query_details
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class OpenSearchCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_OPENSEARCH_MAPPING
+    default_mapping = DEFAULT_OPENSEARCH_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/qradar/const.py b/uncoder-core/app/translator/platforms/qradar/const.py
index 5143509a..ec16bd42 100644
--- a/uncoder-core/app/translator/platforms/qradar/const.py
+++ b/uncoder-core/app/translator/platforms/qradar/const.py
@@ -8,4 +8,18 @@
     "group_name": "QRadar",
 }
 
+DEFAULT_QRADAR_CTI_MAPPING = {
+    "DestinationIP": "destinationip",
+    "SourceIP": "sourceip",
+    "HashSha512": "File Hash",
+    "HashSha256": "File Hash",
+    "HashMd5": "File Hash",
+    "Emails": "emails",
+    "Domain": "Hostname",
+    "HashSha1": "File Hash",
+    "Files": "Filename",
+    "URL": "URL",
+}
+
+
 qradar_query_details = PlatformDetails(**QRADAR_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/qradar/mappings/__init__.py b/uncoder-core/app/translator/platforms/qradar/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/qradar/mappings/qradar_cti.py b/uncoder-core/app/translator/platforms/qradar/mappings/qradar_cti.py
deleted file mode 100644
index d0cf36a0..00000000
--- a/uncoder-core/app/translator/platforms/qradar/mappings/qradar_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_QRADAR_MAPPING = {
-    "DestinationIP": "destinationip",
-    "SourceIP": "sourceip",
-    "HashSha512": "File Hash",
-    "HashSha256": "File Hash",
-    "HashMd5": "File Hash",
-    "Emails": "emails",
-    "Domain": "Hostname",
-    "HashSha1": "File Hash",
-    "Files": "Filename",
-    "URL": "URL",
-}
diff --git a/uncoder-core/app/translator/platforms/qradar/renders/qradar_cti.py b/uncoder-core/app/translator/platforms/qradar/renders/qradar_cti.py
index 529b9620..6159ba86 100644
--- a/uncoder-core/app/translator/platforms/qradar/renders/qradar_cti.py
+++ b/uncoder-core/app/translator/platforms/qradar/renders/qradar_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.qradar.const import qradar_query_details
-from app.translator.platforms.qradar.mappings.qradar_cti import DEFAULT_QRADAR_MAPPING
+from app.translator.platforms.qradar.const import DEFAULT_QRADAR_CTI_MAPPING, qradar_query_details
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class QRadarCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "SELECT UTF8(payload) from events where {result}\n"
     final_result_for_one: str = "SELECT UTF8(payload) from events where {result}\n"
-    default_mapping = DEFAULT_QRADAR_MAPPING
+    default_mapping = DEFAULT_QRADAR_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/qualys/const.py b/uncoder-core/app/translator/platforms/qualys/const.py
index 5abc3ff4..f7632710 100644
--- a/uncoder-core/app/translator/platforms/qualys/const.py
+++ b/uncoder-core/app/translator/platforms/qualys/const.py
@@ -5,3 +5,16 @@
     "group_name": "Qualys",
     "group_id": "qualys",
 }
+
+DEFAULT_QUALYS_CTI_MAPPING = {
+    "DestinationIP": "network.remote.address.ip",
+    "SourceIP": "network.local.address.ip",
+    "HashSha512": "file.hash.sha512",
+    "HashSha256": "file.hash.sha256",
+    "HashMd5": "file.hash.md5",
+    "Emails": "emails",
+    "Domain": "domain",
+    "HashSha1": "file.hash.sha1",
+    "Files": "file.name",
+    "URL": "url",
+}
diff --git a/uncoder-core/app/translator/platforms/qualys/mappings/__init__.py b/uncoder-core/app/translator/platforms/qualys/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/qualys/mappings/qualys_cti.py b/uncoder-core/app/translator/platforms/qualys/mappings/qualys_cti.py
deleted file mode 100644
index 2b1c125d..00000000
--- a/uncoder-core/app/translator/platforms/qualys/mappings/qualys_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_QUALYS_MAPPING = {
-    "DestinationIP": "network.remote.address.ip",
-    "SourceIP": "network.local.address.ip",
-    "HashSha512": "file.hash.sha512",
-    "HashSha256": "file.hash.sha256",
-    "HashMd5": "file.hash.md5",
-    "Emails": "emails",
-    "Domain": "domain",
-    "HashSha1": "file.hash.sha1",
-    "Files": "file.name",
-    "URL": "url",
-}
diff --git a/uncoder-core/app/translator/platforms/qualys/renders/qualys_cti.py b/uncoder-core/app/translator/platforms/qualys/renders/qualys_cti.py
index 149d8975..3ccce6ba 100644
--- a/uncoder-core/app/translator/platforms/qualys/renders/qualys_cti.py
+++ b/uncoder-core/app/translator/platforms/qualys/renders/qualys_cti.py
@@ -17,8 +17,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.qualys.const import QUALYS_QUERY_DETAILS
-from app.translator.platforms.qualys.mappings.qualys_cti import DEFAULT_QUALYS_MAPPING
+from app.translator.platforms.qualys.const import DEFAULT_QUALYS_CTI_MAPPING, QUALYS_QUERY_DETAILS
 
 
 @render_cti_manager.register
@@ -32,4 +31,4 @@ class QualysCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_QUALYS_MAPPING
+    default_mapping = DEFAULT_QUALYS_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/rsa_netwitness/const.py b/uncoder-core/app/translator/platforms/rsa_netwitness/const.py
index 2b62ca82..fd3f95ad 100644
--- a/uncoder-core/app/translator/platforms/rsa_netwitness/const.py
+++ b/uncoder-core/app/translator/platforms/rsa_netwitness/const.py
@@ -5,3 +5,16 @@
     "platform_name": "Query",
     "group_id": "rsa_netwitness",
 }
+
+DEFAULT_RSA_NETWITNESS_CTI_MAPPING = {
+    "DestinationIP": "ip.dst",
+    "SourceIP": "ip.src",
+    "HashSha512": "hash",
+    "HashSha256": "hash",
+    "HashMd5": "hash",
+    "Emails": "emails",
+    "Domain": "domain",
+    "HashSha1": "hash",
+    "Files": "files",
+    "URL": "web.page",
+}
diff --git a/uncoder-core/app/translator/platforms/rsa_netwitness/mappings/__init__.py b/uncoder-core/app/translator/platforms/rsa_netwitness/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/rsa_netwitness/mappings/rsa_netwitness_cti.py b/uncoder-core/app/translator/platforms/rsa_netwitness/mappings/rsa_netwitness_cti.py
deleted file mode 100644
index 238fa6fa..00000000
--- a/uncoder-core/app/translator/platforms/rsa_netwitness/mappings/rsa_netwitness_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_RSA_NETWITNESS_MAPPING = {
-    "DestinationIP": "ip.dst",
-    "SourceIP": "ip.src",
-    "HashSha512": "hash",
-    "HashSha256": "hash",
-    "HashMd5": "hash",
-    "Emails": "emails",
-    "Domain": "domain",
-    "HashSha1": "hash",
-    "Files": "files",
-    "URL": "web.page",
-}
diff --git a/uncoder-core/app/translator/platforms/rsa_netwitness/renders/rsa_netwitness_cti.py b/uncoder-core/app/translator/platforms/rsa_netwitness/renders/rsa_netwitness_cti.py
index 808c0879..fe40bb8c 100644
--- a/uncoder-core/app/translator/platforms/rsa_netwitness/renders/rsa_netwitness_cti.py
+++ b/uncoder-core/app/translator/platforms/rsa_netwitness/renders/rsa_netwitness_cti.py
@@ -20,8 +20,10 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.rsa_netwitness.const import RSA_NETWITNESS_QUERY_DETAILS
-from app.translator.platforms.rsa_netwitness.mappings.rsa_netwitness_cti import DEFAULT_RSA_NETWITNESS_MAPPING
+from app.translator.platforms.rsa_netwitness.const import (
+    DEFAULT_RSA_NETWITNESS_CTI_MAPPING,
+    RSA_NETWITNESS_QUERY_DETAILS,
+)
 
 
 @render_cti_manager.register
@@ -35,4 +37,4 @@ class RSANetwitnessCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_RSA_NETWITNESS_MAPPING
+    default_mapping = DEFAULT_RSA_NETWITNESS_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/securonix/const.py b/uncoder-core/app/translator/platforms/securonix/const.py
index 01a7d4a9..9e301819 100644
--- a/uncoder-core/app/translator/platforms/securonix/const.py
+++ b/uncoder-core/app/translator/platforms/securonix/const.py
@@ -5,3 +5,16 @@
     "group_name": "Securonix",
     "group_id": "securonix",
 }
+
+DEFAULT_SECURONIX_CTI_MAPPING = {
+    "DestinationIP": "@destinationaddress",
+    "SourceIP": "@sourceaddress",
+    "HashSha512": "@filehash",
+    "HashSha256": "@filehash",
+    "HashMd5": "@filehash",
+    "Emails": "emails",
+    "Domain": "@destinationhostname",
+    "HashSha1": "@filehash",
+    "Files": "@filename",
+    "URL": "@requesturl",
+}
diff --git a/uncoder-core/app/translator/platforms/securonix/mappings/__init__.py b/uncoder-core/app/translator/platforms/securonix/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/securonix/mappings/securonix_cti.py b/uncoder-core/app/translator/platforms/securonix/mappings/securonix_cti.py
deleted file mode 100644
index 8c717f62..00000000
--- a/uncoder-core/app/translator/platforms/securonix/mappings/securonix_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_SECURONIX_MAPPING = {
-    "DestinationIP": "@destinationaddress",
-    "SourceIP": "@sourceaddress",
-    "HashSha512": "@filehash",
-    "HashSha256": "@filehash",
-    "HashMd5": "@filehash",
-    "Emails": "emails",
-    "Domain": "@destinationhostname",
-    "HashSha1": "@filehash",
-    "Files": "@filename",
-    "URL": "@requesturl",
-}
diff --git a/uncoder-core/app/translator/platforms/securonix/renders/securonix_cti.py b/uncoder-core/app/translator/platforms/securonix/renders/securonix_cti.py
index aff9736a..28445d27 100644
--- a/uncoder-core/app/translator/platforms/securonix/renders/securonix_cti.py
+++ b/uncoder-core/app/translator/platforms/securonix/renders/securonix_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.securonix.const import SECURONIX_QUERY_DETAILS
-from app.translator.platforms.securonix.mappings.securonix_cti import DEFAULT_SECURONIX_MAPPING
+from app.translator.platforms.securonix.const import DEFAULT_SECURONIX_CTI_MAPPING, SECURONIX_QUERY_DETAILS
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class SecuronixCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "index = archive AND {result}\n"
     final_result_for_one: str = "index = archive AND {result}\n"
-    default_mapping = DEFAULT_SECURONIX_MAPPING
+    default_mapping = DEFAULT_SECURONIX_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/sigma/__init__.py b/uncoder-core/app/translator/platforms/sigma/__init__.py
index 488692b8..b4c8f9cd 100644
--- a/uncoder-core/app/translator/platforms/sigma/__init__.py
+++ b/uncoder-core/app/translator/platforms/sigma/__init__.py
@@ -1,2 +1,3 @@
 from app.translator.platforms.sigma.parsers.sigma import SigmaParser  # noqa: F401
 from app.translator.platforms.sigma.renders.sigma import SigmaRender  # noqa: F401
+from app.translator.platforms.sigma.renders.sigma_cti import SigmaRenderCTI  # noqa: F401
diff --git a/uncoder-core/app/translator/platforms/sigma/const.py b/uncoder-core/app/translator/platforms/sigma/const.py
index aaedda41..02dc8ce1 100644
--- a/uncoder-core/app/translator/platforms/sigma/const.py
+++ b/uncoder-core/app/translator/platforms/sigma/const.py
@@ -8,4 +8,16 @@
     "group_id": "sigma",
 }
 
+DEFAULT_SIGMA_CTI_MAPPING = {
+    "SourceIP": "dst_ip",
+    "DestinationIP": "dst_ip",
+    "Domain": "dest_domain",
+    "URL": "url",
+    "HashMd5": "Hashes",
+    "HashSha1": "Hashes",
+    "HashSha256": "Hashes",
+    "HashSha512": "Hashes",
+}
+
+
 sigma_rule_details = PlatformDetails(**SIGMA_RULE_DETAILS)
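Review bot: `"SourceIP": "dst_ip"` in DEFAULT_SIGMA_CTI_MAPPING sends source-address indicators to the destination-IP field, so a rule generated from them would never match a source address; the intended line is presumably `"SourceIP": "src_ip",`. Every other platform table in this change also maps `Files` and `Emails`, but the Sigma table omits them, and what RenderCTI does with an IOC type that has no mapping is not visible here — either add the two keys or add a comment stating that those IOC types are intentionally unsupported for Sigma. The field names also mix conventions (`dst_ip`/`dest_domain` next to the Sysmon-style `Hashes`), which a Sigma backend for `product: windows` may not resolve; worth confirming against the field names the project's Sigma renderer emits.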
diff --git a/uncoder-core/app/translator/platforms/sigma/renders/sigma_cti.py b/uncoder-core/app/translator/platforms/sigma/renders/sigma_cti.py
new file mode 100644
index 00000000..680965f1
--- /dev/null
+++ b/uncoder-core/app/translator/platforms/sigma/renders/sigma_cti.py
@@ -0,0 +1,43 @@
+import uuid
+import yaml
+
+from app.translator.core.custom_types.meta_info import SeverityType
+from app.translator.core.models.iocs import IocsChunkValue
+from app.translator.core.models.platform_details import PlatformDetails
+from app.translator.core.render_cti import RenderCTI
+from app.translator.managers import render_cti_manager
+from app.translator.platforms.sigma.const import sigma_rule_details, DEFAULT_SIGMA_CTI_MAPPING
+
+
+@render_cti_manager.register
+class SigmaRenderCTI(RenderCTI):
+    details: PlatformDetails = sigma_rule_details
+    default_mapping = DEFAULT_SIGMA_CTI_MAPPING
+
+    def render(self, data: list[list[IocsChunkValue]]) -> list[str]:
+        final_result = []
+        for iocs_chunk in data:
+            data_values = self.collect_sigma_data_values(iocs_chunk)
+            rule = {
+                "title": "Sigma automatically generated based on IOCs",
+                "id": uuid.uuid4().__str__(),
+                "description": "Detects suspicious activity based on IOCs.",
+                "status": "experimental",
+                "author": "SOC Prime",
+                "logsource": {"product": "windows"},
+                "fields": list(data_values.keys()),
+                "detection": {"selection": data_values, "condition": "selection"},
+                "level": SeverityType.low,
+                "falsepositives": "",
+            }
+            final_result.append(yaml.dump(rule, default_flow_style=False, sort_keys=False))
+        return final_result
+
+    def collect_sigma_data_values(self, chunk: list[IocsChunkValue]) -> dict:
+        raw_data_values = {}
+        for value in chunk:
+            if value.platform_field in raw_data_values.keys():
+                raw_data_values[value.platform_field].append(value.value)
+            else:
+                raw_data_values[value.platform_field] = [value.value]
+        return raw_data_values
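Review bot: `"level": SeverityType.low` reaches `yaml.dump` unconverted in SigmaRenderCTI.render; if SeverityType is a plain Enum rather than a str subclass (its definition is not visible here), PyYAML's default Dumper serializes it as a `!!python/object/apply` tag instead of `low`, yielding a rule Sigma tooling cannot load. Passing `.value` (assuming an Enum) and switching to `yaml.safe_dump` makes any non-YAML-native value fail loudly rather than be emitted as a Python tag, and `safe_dump` is the right default anyway given the indicator strings originate from user-submitted text. Two smaller schema points: `"falsepositives": ""` should be a list (the Sigma schema defines it as one), and `uuid.uuid4().__str__()` is just `str(uuid.uuid4())`; collect_sigma_data_values collapses to a `setdefault` loop. `"logsource": {"product": "windows"}` is hard-coded for every chunk, including ones holding only IP/domain/URL indicators, which deserves a comment stating that assumption.
```python
            rule = {
                "title": "Sigma automatically generated based on IOCs",
                "id": str(uuid.uuid4()),
                # … unchanged: description, status, author, logsource, fields, detection …
                "level": SeverityType.low.value,
                "falsepositives": ["Unknown"],
            }
            # safe_dump rejects non-YAML-native objects instead of emitting !!python tags
            final_result.append(yaml.safe_dump(rule, default_flow_style=False, sort_keys=False))

    def collect_sigma_data_values(self, chunk: list[IocsChunkValue]) -> dict:
        # Group IOC values by the Sigma field they were mapped to, preserving chunk order.
        raw_data_values: dict[str, list[str]] = {}
        for value in chunk:
            raw_data_values.setdefault(value.platform_field, []).append(value.value)
        return raw_data_values
```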
diff --git a/uncoder-core/app/translator/platforms/snowflake/const.py b/uncoder-core/app/translator/platforms/snowflake/const.py
index 0bcdea5d..4f9e390b 100644
--- a/uncoder-core/app/translator/platforms/snowflake/const.py
+++ b/uncoder-core/app/translator/platforms/snowflake/const.py
@@ -5,3 +5,16 @@
     "group_id": "snowflake-pack",
     "platform_name": "Query (SQL)",
 }
+
+DEFAULT_SNOWFLAKE_CTI_MAPPING = {
+    "SourceIP": "source.ip",
+    "DestinationIP": "destination.ip",
+    "Domain": "destination.domain",
+    "URL": "url.original",
+    "HashMd5": "file.hash.md5",
+    "HashSha1": "file.hash.sha1",
+    "HashSha256": "file.hash.sha256",
+    "HashSha512": "file.hash.sha512",
+    "Files": "file.path",
+    "Emails": "user.name",
+}
diff --git a/uncoder-core/app/translator/platforms/snowflake/mappings/__init__.py b/uncoder-core/app/translator/platforms/snowflake/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/snowflake/mappings/snowflake_cti.py b/uncoder-core/app/translator/platforms/snowflake/mappings/snowflake_cti.py
deleted file mode 100644
index 9fe8848b..00000000
--- a/uncoder-core/app/translator/platforms/snowflake/mappings/snowflake_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_SNOWFLAKE_MAPPING = {
-    "SourceIP": "source.ip",
-    "DestinationIP": "destination.ip",
-    "Domain": "destination.domain",
-    "URL": "url.original",
-    "HashMd5": "file.hash.md5",
-    "HashSha1": "file.hash.sha1",
-    "HashSha256": "file.hash.sha256",
-    "HashSha512": "file.hash.sha512",
-    "Files": "file.path",
-    "Emails": "user.name",
-}
diff --git a/uncoder-core/app/translator/platforms/snowflake/renders/snowflake_cti.py b/uncoder-core/app/translator/platforms/snowflake/renders/snowflake_cti.py
index 3507a50a..125a7c8a 100644
--- a/uncoder-core/app/translator/platforms/snowflake/renders/snowflake_cti.py
+++ b/uncoder-core/app/translator/platforms/snowflake/renders/snowflake_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.snowflake.const import SNOWFLAKE_QUERY_DETAILS
-from app.translator.platforms.snowflake.mappings.snowflake_cti import DEFAULT_SNOWFLAKE_MAPPING
+from app.translator.platforms.snowflake.const import DEFAULT_SNOWFLAKE_CTI_MAPPING, SNOWFLAKE_QUERY_DETAILS
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class SnowflakeCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "SELECT * FROM table WHERE {result}\n"
     final_result_for_one: str = "SELECT * FROM table WHERE {result}\n"
-    default_mapping = DEFAULT_SNOWFLAKE_MAPPING
+    default_mapping = DEFAULT_SNOWFLAKE_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/splunk/const.py b/uncoder-core/app/translator/platforms/splunk/const.py
index 7d0bb15a..a81a2bb8 100644
--- a/uncoder-core/app/translator/platforms/splunk/const.py
+++ b/uncoder-core/app/translator/platforms/splunk/const.py
@@ -50,6 +50,20 @@
     **PLATFORM_DETAILS,
 }
 
+DEFAULT_SPLUNK_CTI_MAPPING = {
+    "DestinationIP": "dest_ip",
+    "SourceIP": "src_ip",
+    "HashSha512": "file_hash",
+    "HashSha256": "file_hash",
+    "HashMd5": "file_hash",
+    "Emails": "All_Email.src_user",
+    "Domain": "dest_host",
+    "HashSha1": "file_hash",
+    "Files": "file_path",
+    "URL": "url",
+}
+
+
 splunk_query_details = PlatformDetails(**SPLUNK_QUERY_DETAILS)
 splunk_alert_details = PlatformDetails(**SPLUNK_ALERT_DETAILS)
 splunk_alert_yml_details = PlatformDetails(**SPLUNK_ALERT_YML_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/splunk/mappings/__init__.py b/uncoder-core/app/translator/platforms/splunk/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/splunk/mappings/splunk_cti.py b/uncoder-core/app/translator/platforms/splunk/mappings/splunk_cti.py
deleted file mode 100644
index 37ce29a7..00000000
--- a/uncoder-core/app/translator/platforms/splunk/mappings/splunk_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_SPLUNK_MAPPING = {
-    "DestinationIP": "dest_ip",
-    "SourceIP": "src_ip",
-    "HashSha512": "file_hash",
-    "HashSha256": "file_hash",
-    "HashMd5": "file_hash",
-    "Emails": "All_Email.src_user",
-    "Domain": "dest_host",
-    "HashSha1": "file_hash",
-    "Files": "file_path",
-    "URL": "url",
-}
diff --git a/uncoder-core/app/translator/platforms/splunk/renders/splunk_cti.py b/uncoder-core/app/translator/platforms/splunk/renders/splunk_cti.py
index 92bcb056..60d26cea 100644
--- a/uncoder-core/app/translator/platforms/splunk/renders/splunk_cti.py
+++ b/uncoder-core/app/translator/platforms/splunk/renders/splunk_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.splunk.const import splunk_query_details
-from app.translator.platforms.splunk.mappings.splunk_cti import DEFAULT_SPLUNK_MAPPING
+from app.translator.platforms.splunk.const import DEFAULT_SPLUNK_CTI_MAPPING, splunk_query_details
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class SplunkCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_SPLUNK_MAPPING
+    default_mapping = DEFAULT_SPLUNK_CTI_MAPPING
diff --git a/uncoder-core/app/translator/platforms/sumo_logic/const.py b/uncoder-core/app/translator/platforms/sumo_logic/const.py
index f15ef435..2fa1019e 100644
--- a/uncoder-core/app/translator/platforms/sumo_logic/const.py
+++ b/uncoder-core/app/translator/platforms/sumo_logic/const.py
@@ -6,3 +6,16 @@
     "first_choice": 0,
     "group_id": "sumologic",
 }
+
+DEFAULT_SUMOLOGIC_CTI_MAPPING = {
+    "SourceIP": "src_ip",
+    "DestinationIP": "dst_ip",
+    "Domain": "host",
+    "URL": "url",
+    "HashMd5": "fileHash",
+    "HashSha1": "fileHash",
+    "HashSha256": "fileHash",
+    "HashSha512": "fileHash",
+    "Emails": "flattened_destinations",
+    "Files": "files",
+}
diff --git a/uncoder-core/app/translator/platforms/sumo_logic/mappings/__init__.py b/uncoder-core/app/translator/platforms/sumo_logic/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/sumo_logic/mappings/sumologic_cti.py b/uncoder-core/app/translator/platforms/sumo_logic/mappings/sumologic_cti.py
deleted file mode 100644
index e6856f42..00000000
--- a/uncoder-core/app/translator/platforms/sumo_logic/mappings/sumologic_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_SUMOLOGIC_MAPPING = {
-    "SourceIP": "src_ip",
-    "DestinationIP": "dst_ip",
-    "Domain": "host",
-    "URL": "url",
-    "HashMd5": "fileHash",
-    "HashSha1": "fileHash",
-    "HashSha256": "fileHash",
-    "HashSha512": "fileHash",
-    "Emails": "flattened_destinations",
-    "Files": "files",
-}
diff --git a/uncoder-core/app/translator/platforms/sumo_logic/renders/sumologic_cti.py b/uncoder-core/app/translator/platforms/sumo_logic/renders/sumologic_cti.py
index 804d664e..f268265e 100644
--- a/uncoder-core/app/translator/platforms/sumo_logic/renders/sumologic_cti.py
+++ b/uncoder-core/app/translator/platforms/sumo_logic/renders/sumologic_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.sumo_logic.const import SUMO_LOGIC_QUERY_DETAILS
-from app.translator.platforms.sumo_logic.mappings.sumologic_cti import DEFAULT_SUMOLOGIC_MAPPING
+from app.translator.platforms.sumo_logic.const import SUMO_LOGIC_QUERY_DETAILS, DEFAULT_SUMOLOGIC_CTI_MAPPING
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class SumologicCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_SUMOLOGIC_MAPPING
+    default_mapping = DEFAULT_SUMOLOGIC_CTI_MAPPING
pFad - Phonifier reborn
