Commit 0a35b16

Add Exabeam New-Scale platform support
Implements comprehensive Exabeam New-Scale platform integration with:
- EQL query generation with proper syntax and string quoting
- Analytics rule export with JSON formatting for New-Scale import
- Correlation rule export with MITRE ATT&CK technique mapping
- CTI support for IOC-based threat hunting queries
- CIM2 field mapping for Windows process and network events

Features:
- Three output types: EQL Search Query, Analytics Rule, Correlation Rule
- Full CIM2 schema field mapping from Sigma to Exabeam fields
- Proper EQL syntax using AND/OR/NOT operators and RGX() for regex
- JSON export format compatible with New-Scale rule import
- Dynamic MITRE technique extraction and rule family classification
- IOC translation support for IPs, hashes, domains, URLs, and files

Technical implementation follows Uncoder architecture patterns with proper class inheritance, YAML-based field mappings, and platform registration through decorator system.
1 parent ea12f97 commit 0a35b16

11 files changed, +1091 -0 lines changed


uncoder-core/app/translator/core/models/platform_details.py

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -12,3 +12,4 @@ class PlatformDetails:
1212
alt_platform_name:Optional[str]="Default"
1313
alt_platform:Optional[str]="regular"
1414
first_choice:Optional[int]=1
15+
file_extension:Optional[str]="txt"
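Review bot: `file_extension` is added to `PlatformDetails` with a default of `"txt"`, so every existing platform now silently reports `.txt`; that is fine as a fallback, but a short comment on the field saying which exporter consumes it would help, since only the three Exabeam details dicts in this commit set it explicitly (`"file_extension": "json"` for the two rule formats).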
Lines changed: 118 additions & 0 deletions
@@ -0,0 +1,118 @@
1+
platform:Exabeam
2+
source:default
3+
4+
default_log_source:
5+
table:events
6+
7+
log_source:
8+
table:events
9+
10+
field_mapping:
11+
# Sigma standard field names to Exabeam CIM2
12+
CommandLine:process_command_line
13+
Image:process_path
14+
ParentImage:parent_process_path
15+
ParentCommandLine:parent_process_command_line
16+
ProcessId:process_id
17+
ParentProcessId:parent_process_id
18+
OriginalFileName:process_original_file_name
19+
User:user
20+
Computer:src_host
21+
EventID:event_id
22+
23+
# File event fields
24+
TargetFilename:file_path
25+
TargetFileName:file_path
26+
FileName:file_name
27+
FilePath:file_path
28+
29+
# Registry fields
30+
TargetObject:registry_path
31+
Details:registry_value_data
32+
RegistryKey:registry_key
33+
RegistryValue:registry_value_name
34+
35+
# Network connection fields
36+
DestinationIp:dest_ip
37+
DestinationPort:dest_port
38+
SourceIp:src_ip
39+
SourcePort:src_port
40+
Initiated:network_initiated
41+
DestinationHostname:dest_host
42+
RemoteAddress:dest_ip
43+
RemotePort:dest_port
44+
45+
# PowerShell fields
46+
ScriptBlockText:powershell_script_content
47+
48+
# Additional process fields
49+
Company:process_company
50+
Product:process_product
51+
FileDescription:process_description
52+
ProductVersion:process_product_version
53+
54+
# Service fields
55+
ServiceName:service_name
56+
ServiceFileName:service_path
57+
58+
# Authentication fields
59+
SubjectUserName:user
60+
TargetUserName:dest_user
61+
WorkstationName:src_host
62+
IpAddress:src_ip
63+
64+
# Universal CIM2 fields
65+
time:timestamp
66+
vendor:vendor
67+
product:product
68+
activity_type:activity_type
69+
outcome:outcome
70+
subject:user
71+
host:src_host
72+
73+
# Process creation
74+
process.name:process_name
75+
process.pid:process_id
76+
process.command_line:process_command_line
77+
process.parent.name:parent_process_name
78+
process.parent.pid:parent_process_id
79+
process.parent.command_line:parent_process_command_line
80+
81+
# User/Authentication
82+
user.name:user
83+
user.domain:user_domain
84+
source.user.name:src_user
85+
target.user.name:dest_user
86+
87+
# Network
88+
source.ip:src_ip
89+
destination.ip:dest_ip
90+
source.port:src_port
91+
destination.port:dest_port
92+
network.protocol:protocol
93+
source.domain:src_host
94+
destination.domain:dest_host
95+
url.original:url
96+
97+
# File
98+
file.name:file_name
99+
file.path:file_path
100+
file.directory:file_directory
101+
file.hash.md5:file_hash
102+
file.hash.sha1:file_hash
103+
file.hash.sha256:file_hash
104+
file.hash.sha512:file_hash
105+
106+
# Registry (Windows)
107+
registry.key:registry_key
108+
registry.value:registry_value_name
109+
registry.data:registry_value_data
110+
111+
# Event ID mapping
112+
event.code:event_id
113+
event.action:activity
114+
115+
# Service/System
116+
service.name:service_name
117+
winlog.channel:log_name
118+
winlog.event_id:event_id
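Review bot: the four hash fields (`file.hash.md5`, `file.hash.sha1`, `file.hash.sha256`, `file.hash.sha512`) all collapse onto `file_hash`, so a Sigma rule that matches one hash type translates into a query that also fires on any other hash stored in that field; if the target schema has per-algorithm fields, map each one separately, otherwise document the loss of precision. The same collapsing happens for `User`, `SubjectUserName`, `subject` and `user.name` (all to `user`) and for `Computer` and `host` (both to `src_host`).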
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
platform:Exabeam
2+
source:windows_network_connection
3+
4+
conditions:
5+
event.category:'network'
6+
7+
log_source:
8+
table:[events, network_events]
9+
10+
default_log_source:
11+
table:events
12+
13+
field_mapping:
14+
# Sigma network field names to Exabeam CIM2
15+
SourceIp:src_ip
16+
DestinationIp:dest_ip
17+
SourcePort:src_port
18+
DestinationPort:dest_port
19+
SourceAddress:src_ip
20+
DestinationAddress:dest_ip
21+
RemoteAddress:dest_ip
22+
RemotePort:dest_port
23+
Protocol:protocol
24+
Initiated:network_initiated
25+
Image:process_path
26+
User:user
27+
ProcessId:process_id
28+
29+
# Network connection fields
30+
source.ip:src_ip
31+
destination.ip:dest_ip
32+
source.port:src_port
33+
destination.port:dest_port
34+
network.protocol:protocol
35+
network.direction:direction
36+
37+
# Process context
38+
process.name:process_name
39+
process.pid:process_id
40+
process.executable:process_path
41+
42+
# User context
43+
user.name:user
44+
user.domain:user_domain
45+
46+
# Host context
47+
host.name:src_host
48+
destination.domain:dest_host
49+
50+
# Event context
51+
winlog.event_id:event_id
52+
"@timestamp":timestamp
53+
time:timestamp
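Review bot: `host.name` is mapped to `src_host` unconditionally, which is only correct for outbound connections; for an inbound connection (`Initiated` false, or `network.direction` inbound) the local host is on the destination side, so a rule written against `host.name` for inbound traffic translates to the wrong end of the flow. Map `host.name` to a host-level field if the schema has one, or at least document the assumption. Also, `log_source` lists `[events, network_events]` while `default_log_source` lists only `events`; confirm the renderer handles the list form.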
Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,58 @@
1+
platform:Exabeam
2+
source:windows_process_creation
3+
4+
conditions:
5+
event.category:'process'
6+
7+
log_source:
8+
activity_type:process-create
9+
10+
default_log_source:
11+
activity_type:process-create
12+
13+
field_mapping:
14+
# Sigma field mappings to Exabeam CIM2 fields
15+
CommandLine:process_command_line
16+
Image:process_path
17+
ParentImage:parent_process_path
18+
ParentCommandLine:parent_process_command_line
19+
ProcessId:process_id
20+
ParentProcessId:parent_process_id
21+
ProcessGuid:process_guid
22+
ParentProcessGuid:parent_process_guid
23+
UtcTime:timestamp
24+
CreationUtcTime:timestamp
25+
User:user
26+
ParentUser:parent_process_user
27+
IntegrityLevel:process_integrity_level
28+
CurrentDirectory:process_working_directory
29+
LogonId:logon_id
30+
LogonGuid:logon_guid
31+
TerminalSessionId:terminal_session_id
32+
OriginalFileName:process_original_file_name
33+
Company:process_company
34+
Product:process_product
35+
Description:process_description
36+
FileVersion:process_file_version
37+
Hashes:process_hash
38+
md5:process_hash
39+
sha1:process_hash
40+
sha256:process_hash
41+
IMPHASH:process_imphash
42+
RuleName:rule_name
43+
44+
# File and registry fields
45+
TargetFilename:file_path
46+
TargetObject:registry_path
47+
48+
# System fields
49+
EventID:event_id
50+
Computer:src_host
51+
SubjectUserName:user
52+
TargetUserName:dest_user
53+
54+
# Network fields
55+
SourceIp:src_ip
56+
DestinationIp:dest_ip
57+
DestinationPort:dest_port
58+
SourcePort:src_port
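Review bot: `Hashes` in Sigma (Sysmon) is a compound value of the form `MD5=...,SHA256=...`, so mapping it straight to `process_hash` yields an equality match on the whole string unless the renderer splits it; `md5`, `sha1` and `sha256` also all map to `process_hash`, whereas the default mapping in this same commit maps the `file.hash.*` fields to `file_hash`, so the same indicator lands in a different Exabeam field depending on which mapping is selected. Pick one target (or per-algorithm fields) and use it consistently. Note also that this mapping's `log_source` uses `activity_type` while the other two use `table`; make sure the log-source rendering accepts both keys.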
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
fromapp.translator.platforms.exabeam.renders.exabeamimportExabeamEQLQueryRender# noqa: F401
2+
fromapp.translator.platforms.exabeam.renders.exabeamimportExabeamAnalyticsRuleRender# noqa: F401
3+
fromapp.translator.platforms.exabeam.renders.exabeamimportExabeamCorrelationRuleRender# noqa: F401
4+
fromapp.translator.platforms.exabeam.renders.exabeam_ctiimportExabeamCTI# noqa: F401
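Review bot: these four imports exist only for their side effect of registering the render classes through the decorator, and the `# noqa: F401` markers are the only hint of that; a one-line module comment saying so would stop the next reader from "cleaning up" unused imports. The three `from ...renders.exabeam import` lines for the same module could also be collapsed into one import statement.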
Lines changed: 118 additions & 0 deletions
@@ -0,0 +1,118 @@
1+
"""
2+
Uncoder IO Community Edition License
3+
-----------------------------------------------------------------
4+
Copyright (c) 2024 SOC Prime, Inc.
5+
6+
Licensed under the Apache License, Version 2.0 (the "License");
7+
you may not use this file except in compliance with the License.
8+
You may obtain a copy of the License at
9+
10+
http://www.apache.org/licenses/LICENSE-2.0
11+
12+
Unless required by applicable law or agreed to in writing, software
13+
distributed under the License is distributed on an "AS IS" BASIS,
14+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15+
See the License for the specific language governing permissions and
16+
limitations under the License.
17+
-----------------------------------------------------------------
18+
"""
19+
20+
fromapp.translator.core.custom_types.meta_infoimportSeverityType
21+
fromapp.translator.core.models.platform_detailsimportPlatformDetails
22+
23+
PLATFORM_DETAILS= {"group_id":"exabeam","group_name":"Exabeam New-Scale","alt_platform_name":"Default"}
24+
25+
_EXABEAM_EQL_QUERY="exabeam-eql-query"
26+
_EXABEAM_ANALYTICS_RULE="exabeam-analytics-rule"
27+
_EXABEAM_CORRELATION_RULE="exabeam-correlation-rule"
28+
29+
EXABEAM_QUERY_TYPES= {
30+
_EXABEAM_EQL_QUERY,
31+
_EXABEAM_ANALYTICS_RULE,
32+
_EXABEAM_CORRELATION_RULE,
33+
}
34+
35+
EXABEAM_EQL_QUERY_DETAILS= {
36+
"platform_id":_EXABEAM_EQL_QUERY,
37+
"name":"Exabeam EQL Query",
38+
"platform_name":"Search Query (EQL)",
39+
"file_extension":"txt",
40+
**PLATFORM_DETAILS,
41+
}
42+
43+
EXABEAM_ANALYTICS_RULE_DETAILS= {
44+
"platform_id":_EXABEAM_ANALYTICS_RULE,
45+
"name":"Exabeam Analytics Rule",
46+
"platform_name":"Analytics Rule (JSON)",
47+
"file_extension":"json",
48+
**PLATFORM_DETAILS,
49+
}
50+
51+
EXABEAM_CORRELATION_RULE_DETAILS= {
52+
"platform_id":_EXABEAM_CORRELATION_RULE,
53+
"name":"Exabeam Correlation Rule",
54+
"platform_name":"Correlation Rule (JSON)",
55+
"file_extension":"json",
56+
**PLATFORM_DETAILS,
57+
}
58+
59+
exabeam_eql_query_details=PlatformDetails(**EXABEAM_EQL_QUERY_DETAILS)
60+
exabeam_analytics_rule_details=PlatformDetails(**EXABEAM_ANALYTICS_RULE_DETAILS)
61+
exabeam_correlation_rule_details=PlatformDetails(**EXABEAM_CORRELATION_RULE_DETAILS)
62+
63+
EXABEAM_ANALYTICS_RULE_TEMPLATE= {
64+
"version":"1",
65+
"ruleDefinitions": [{
66+
"templateId":"",
67+
"name":"",
68+
"description":"",
69+
"applicableEvents": [{"activity_type":""}],
70+
"detectionReason":"",
71+
"type":"factFeature",
72+
"mitre": [],
73+
"useCases": [],
74+
"value":"true",
75+
"actOnCondition":"",
76+
"suppressThreshold":"10 minutes",
77+
"trainOnCondition":"true",
78+
"suppressScope":"JoinIfExists(EntityId('type: User && direction: Source'), EntityId('type: Device && direction: Source'))",
79+
"familyId":"",
80+
"ruleGroupId":"",
81+
"severity":"Medium"
82+
}]
83+
}
84+
85+
EXABEAM_CORRELATION_RULE_TEMPLATE= {
86+
"version":"1",
87+
"ruleDefinitions": [{
88+
"name":"",
89+
"description":"",
90+
"useCase":"",
91+
"mitre": [],
92+
"sequencesExecution":"CREATION_ORDER",
93+
"severity":"medium",
94+
"sequencesConfig": {
95+
"sequences": [{
96+
"name":"",
97+
"query":"",
98+
"condition": {"triggerOnAnyMatch":True},
99+
"id":""
100+
}],
101+
"commonProperties":None,
102+
"outcomes":None
103+
}
104+
}]
105+
}
106+
107+
DEFAULT_EXABEAM_CTI_MAPPING= {
108+
"DestinationIP":"dest_ip",
109+
"SourceIP":"src_ip",
110+
"HashSha512":"file_hash",
111+
"HashSha256":"file_hash",
112+
"HashMd5":"file_hash",
113+
"Emails":"user",
114+
"Domain":"dest_host",
115+
"HashSha1":"file_hash",
116+
"Files":"file_name",
117+
"URL":"url",
118+
}
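Review bot: `EXABEAM_ANALYTICS_RULE_TEMPLATE` and `EXABEAM_CORRELATION_RULE_TEMPLATE` are module-level mutable dicts containing nested lists and dicts; if the render fills them in place (`name`, `description`, `mitre`, the first entry of `sequences`), values from one translation leak into the next, so the render should `copy.deepcopy` the template before populating it, or the templates should be produced by a function. Smaller points: `severity` is `"Medium"` in the analytics template but `"medium"` in the correlation template, so confirm which casing the New-Scale import accepts; `SeverityType` is imported at the top of the file but not used anywhere in it; and `"Emails": "user"` in `DEFAULT_EXABEAM_CTI_MAPPING` only produces matchable queries if the `user` field actually carries e-mail-style identities.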
