
Logrhythm axon render #70


Merged
merged 13 commits into from
Feb 28, 2024
5 changes: 5 additions & 0 deletions translator/app/translator/core/models/parser_output.py
Expand Up @@ -5,6 +5,7 @@

from app.translator.core.custom_types.meta_info import SeverityType
from app.translator.core.mapping import DEFAULT_MAPPING_NAME
from app.translator.core.models.field import Field
from app.translator.core.models.functions.base import ParsedFunctions


Expand All @@ -17,6 +18,7 @@ def __init__(
description: Optional[str] = None,
author: Optional[str] = None,
date: Optional[str] = None,
fields: Optional[list[Field]] = None,
license_: Optional[str] = None,
severity: Optional[str] = None,
references: Optional[list[str]] = None,
Expand All @@ -25,20 +27,23 @@ def __init__(
status: Optional[str] = None,
false_positives: Optional[list[str]] = None,
source_mapping_ids: Optional[list[str]] = None,
parsed_logsources: Optional[dict] = None
) -> None:
self.id = id_ or str(uuid.uuid4())
self.title = title or ""
self.description = description or ""
self.author = author or ""
self.date = date or datetime.now().date().strftime("%Y-%m-%d")
self.license = license_ or "DRL 1.1"
self.fields = fields or []
self.severity = severity or SeverityType.low
self.references = references or []
self.tags = tags or []
self.mitre_attack = mitre_attack or {}
self.status = status or "stable"
self.false_positives = false_positives or []
self.source_mapping_ids = source_mapping_ids or [DEFAULT_MAPPING_NAME]
self.parsed_logsources = parsed_logsources or {}


@dataclass
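Review bot: `parsed_logsources: Optional[dict] = None` leaves the key and value types unspecified, while every neighbouring collection parameter spells out its element type (`Optional[list[Field]]`, `Optional[list[str]]`), and it is the only parameter in the signature without a trailing comma. The rendered section does not show which of `fields` / `parsed_logsources` this commit introduces, so the remark applies to whichever is new; narrowing it to the concrete shape it is filled with (for example `Optional[dict[str, list[str]]]` if the values are lists of log-source names — verify against the parser that populates it) would let type checkers catch mismatched producers. The enclosing `__init__` and its class start outside the hunk and carry no docstring describing what `fields` and `parsed_logsources` hold; a short class docstring naming both attributes and their default values would help readers of the renders that consume them.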
@@ -0,0 +1,304 @@
platform: LogRhythm Axon
source: default
description: Text that describe current mapping

field_mapping:
EventID: vendor_information.id
Channel: general_information.log_source.type_name
ComputerName: origin.host.name
FileName: object.file.name
ProcessId: object.process.id
Image: object.process.name
AccountEmail: unattributed.account.email_address
ContextInfo: general_information.raw_message
CurrentDirectory: object.process.path
ParentProcessId: object.process.parent_process.id
ParentImage: object.process.parent_process.path
ParentCommandLine: object.process.parent_process.command_line
TargetFilename: object.file.name
SourceIp: origin.host.ip_address.value
SourceHostname: origin.host.name
SourcePort: origin.host.network_port.value
DestinationIp: target.host.ip_address.value
DestinationHostname:
- target.host.name
- target.host.domain
DestinationPort: target.host.network_port.value
DestinationPortName: action.network.protocol.name
ImageLoaded: object.file.path
SignatureStatus: object.process.signature.status
SourceProcessId: object.process.id
SourceImage: object.process.name
Device: object.process.path
Destination: object.process.name
QueryName: action.dns.query
QueryStatus: action.dns.result
CommandName: object.process.command_line
CommandPath: object.process.path
HostApplication: object.script.command_line
HostName: origin.host.name
ScriptName: object.script.name
ScriptBlockText: object.script.command_line
ScriptBlockId: object.script.id
Application: object.process.name
ClientAddress: origin.host.ip_address.value
ClientName: origin.host.domain.name
DestAddress: target.host.ip_address.value
DestPort: target.host.network_port.value
IpAddress: origin.host.ip_address.value
IpPort: origin.host.network_port.value
NewProcessId: object.process.id
NewProcessName: object.process.name
ParentProcessName: object.process.parent_process.name
ProcessName: object.process.name
SourceAddress: origin.host.ip_address.value
WorkstationName: origin.host.name
destination.port: target.host.network_port.value
dst: target.host.ip_address.value
dst_ip: target.host.ip_address.value
dst_port: target.host.network_port.value
network_application:
- action.network.protocol.name
- object.url.protocol
network_protocol: action.network.protocol.name
proto: action.network.protocol.name
src: origin.host.ip_address.value
src_ip: origin.host.ip_address.value
src_port: origin.host.network_port.value
action: action.command
mqtt_action: action.command
smb_action: action.command
tunnel_action: action.command
arg: object.process.command_args
ftp_arg: object.process.command_args
mysql_arg: object.process.command_args
pop3_arg: object.process.command_args
client: origin.host.ip_address.value
command: action.command
ftp_command: action.command
irc_command: action.command
pop3_command: action.command
duration: action.duration
from: origin.account.email_address
kerberos_from: origin.account.email_address
smtp_from: origin.account.email_address
method: action.network.http_method
http_method: action.network.http_method
sip_method: action.network.http_method
name: object.file.name
smb_files_name: object.file.name
software_name: object.file.name
weird_name: object.file.name
path: object.file.path
smb_mapping_path: object.file.path
smb_files_path: object.file.path
smtp_files_path: object.file.path
password: object.file.name
reply_to: target.account.email_address
response_body_len: action.network.byte_information.received
request_body_len: action.network.byte_information.sent
rtt: action.duration
status_code: action.result.code
known_certs_subject: object.certificate.subject
sip_subject: object.email_message.subject
smtp_subject: object.email_message.subject
ssl_subject: object.certificate.subject
username: origin.account.name
uri: object.url.path
user: origin.account.name
user_agent: action.user_agent
http_user_agent: action.user_agent
gquic_user_agent: action.user_agent
sip_user_agent: action.user_agent
smtp_user_agent: action.user_agent
version: object.file.version
gquic_version: object.file.version
http_version: object.file.version
ntp_version: object.file.version
socks_version: object.file.version
snmp_version: object.file.version
ssh_version: object.file.version
tls_version: object.file.version
answer: action.dns.result
question_length: action.network.byte_information.total
record_type: action.dns.record_type
parent_domain: target.host.domain
cs-bytes: action.network.byte_information.received
r-dns: target.host.domain
sc-bytes: action.network.byte_information.received
sc-status: action.result.code
c-uri: object.url.complete
c-uri-extension: object.url.type
c-uri-query: object.url.query
c-uri-stem: object.url.complete
c-useragent: action.user_agent
cs-host:
- target.host.name
- target.host.domain
cs-method: action.network.http_method
cs-version: object.file.version
uid: action.session.id
endpoint: origin.host.name
domain: target.host.domain
host_name: target.host.name
client_fqdn: origin.host.name
requested_addr: target.host.ip_address.value
server_addr: target.host.ip_address.value
qtype: action.dns.record_type
qtype_name: action.dns.record_type
query: action.dns.query
rcode_name: action.dns.result
md5: unattributed.hash.md5
sha1: unattributed.hash.sha1
sha256: unattributed.hash.sha256
sha512: unattributed.hash.sha512
filename: object.file.name
host:
- unattributed.host.name
- unattributed.host.ip_address.value
domainname: unattributed.host.name
hostname: unattributed.host.name
server_nb_computer_name: unattributed.host.name
server_tree_name: unattributed.host.name
server_dns_computer_name: unattributed.host.name
machine: unattributed.host.name
os: origin.host.os.platform
mac: unattributed.host.mac_address
result:
- action.result.message
- action.result.code
- action.result.reason
mailfrom: origin.account.email_address
rcptto: target.account.email_address
second_received: target.account.email_address
server_name: unattributed.host.name
c-ip: origin.host.ip_address.value
cs-uri: object.url.path
cs-uri-query: object.url.query
cs-uri-stem: object.url.complete
clientip: origin.host.ip_address.value
clientIP: origin.host.ip_address.value
dest_domain:
- target.host.name
- target.host.domain
dest_ip: target.host.ip_address.value
dest_port: target.host.network_port.value
agent.version: object.file.version
destination.hostname:
- target.host.name
- target.host.domain
DestinationAddress:
- target.host.name
- target.host.domain
- target.host.ip_address.value
DestinationIP: target.host.ip_address.value
dst-ip: target.host.ip_address.value
dstip: target.host.ip_address.value
dstport: target.host.ip_address.value
Host: target.host.name
HostVersion: object.file.version
http_host:
- target.host.name
- target.host.domain
- target.host.ip_address.value
http_uri: object.url.path
http_url: object.url.complete
http.request.url-query-params: object.url.query
HttpMethod: action.network.http_method
in_url: object.url.path
post_url_parameter: object.url.path
Request_Url: object.url.complete
request_url: object.url.complete
request_URL: object.url.complete
RequestUrl: object.url.complete
resource.url: object.url.path
resource.URL: object.url.path
sc_status: action.result.code
sender_domain:
- target.host.name
- target.host.domain
service.response_code: action.result.code
source:
- origin.host.name
- origin.host.domain.name
- origin.host.ip_address.value
SourceAddr: origin.host.ip_address.value
SourceIP: origin.host.ip_address.value
SourceNetworkAddress: origin.host.ip_address.value
srcip: origin.host.ip_address.value
Status: action.result.code
status: action.result.code
url: object.url.path
URL: object.url.path
url_query: object.url.query
url.query: object.url.query
uri_path: object.url.path
user_agent.name: action.user_agent
user-agent: action.user_agent
User-Agent: action.user_agent
useragent: action.user_agent
UserAgent: action.user_agent
User_Agent: action.user_agent
web_dest:
- target.host.name
- target.host.domain
- target.host.ip_address.value
- object.url.domain
web.dest:
- target.host.name
- target.host.domain
- target.host.ip_address.value
- object.url.domain
Web.dest:
- target.host.name
- target.host.domain
- target.host.ip_address.value
- object.url.domain
web.host:
- target.host.name
- target.host.domain
- target.host.ip_address.value
- object.url.domain
Web.host:
- target.host.name
- target.host.domain
- target.host.ip_address.value
- object.url.domain
web_method: action.network.http_method
Web_method: action.network.http_method
web.method: action.network.http_method
Web.method: action.network.http_method
web_src: origin.host.ip_address.value
web_status: action.result.code
Web_status: action.result.code
web.status: action.result.code
Web.status: action.result.code
web_uri: object.url.path
web_url: object.url.complete
destination.ip: target.host.ip_address.value
source.ip: origin.host.ip_address.value
source.port: origin.host.ip_address.value
Computer:
- target.host.name
- target.host.domain
- target.host.ip_address.value
OriginalFileName: object.file.name
User: origin.account.name
EventType: action.command
TargetObject:
- object.registry_object.key
- object.registry_object.path
- object.resource.name
CommandLine: object.process.command_line
type:
- action.command
- action.type
- action.session.type
a0:
- object.process.command_line
- object.process.command_args
- object.process.name
cs-user-agent: action.user_agent
blocked:
- action.message
- action.result.reason
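Review bot: `dstport: target.host.ip_address.value` and, further down, `source.port: origin.host.ip_address.value` map a port field onto an IP-address attribute, whereas the sibling entries `dst_port`, `src_port`, `destination.port` and `dstip` use `network_port.value` for ports and `ip_address.value` for addresses; a rule that filters on a port would presumably be rendered against the address field and never match, a silent detection gap rather than a visible error. Both lines should read `dstport: target.host.network_port.value` and `source.port: origin.host.network_port.value`. The `description: Text that describe current mapping` line still carries placeholder text from the template. `password: object.file.name` looks copied from the `name` entries rather than an intended mapping — worth confirming against the Axon schema before merge.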
4 changes: 4 additions & 0 deletions translator/app/translator/platforms/__init__.py
Expand Up @@ -24,6 +24,8 @@
from app.translator.platforms.graylog.renders.graylog import GraylogRender
from app.translator.platforms.graylog.renders.graylog_cti import GraylogCTI
from app.translator.platforms.logpoint.renders.logpoint_cti import LogpointCTI
from app.translator.platforms.logrhythm_axon.renders.logrhythm_axon_query import LogRhythmAxonQueryRender
from app.translator.platforms.logrhythm_axon.renders.logrhythm_axon_rule import LogRhythmAxonRuleRender
from app.translator.platforms.logscale.parsers.logscale import LogScaleParser
from app.translator.platforms.logscale.parsers.logscale_alert import LogScaleAlertParser
from app.translator.platforms.logscale.renders.logscale_cti import LogScaleCTI
Expand Down Expand Up @@ -71,6 +73,8 @@
ChronicleSecurityRuleRender(),
AthenaQueryRender(),
ElasticSearchQueryRender(),
LogRhythmAxonQueryRender(),
LogRhythmAxonRuleRender(),
LogScaleQueryRender(),
LogScaleAlertRender(),
ElasticSearchRuleRender(),
Empty file.