NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commit9e0c582

authored

Merge branch 'main' into gis-add-anomali-mappings1612

2 parents044119e +8c4e32a commit9e0c582Copy full SHA for 9e0c582

File tree

83 files changed

+1590

-83

lines changed

uncoder-core/app/translator
- core
  - mapping.py
  - mixins
    - rule.py
    - tokens.py
  - models
    - query_container.py
  - render.py
- mappings/platforms
- platforms
  - anomali
    - mapping.py
  - arcsight
  - carbonblack
  - chronicle/parsers
    - chronicle_rule.py
  - elasticsearch
  - falco
  - microsoft
    - const.py
    - parsers
      - microsoft_sentinel.py
    - renders
      - microsoft_sentinel.py
      - microsoft_sentinel_rule.py
  - sentinel_one
  - splunk/parsers
    - splunk_alert.py
- translator.py

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

83 files changed

+1590

-83

lines changed

`‎uncoder-core/app/translator/core/mapping.py‎`

Lines changed: 21 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,12 @@ class LogSourceSignature(ABC):`
`22`	`22`	`defis_suitable(self,**kwargs)->bool:`
`23`	`23`	`raiseNotImplementedError("Abstract method")`
`24`	`24`
	`25`	`+defis_probably_suitable(self,**kwargs)->bool:`
	`26`	`+"""`
	`27`	`+ Performs check with more options, but the result is less accurate than the "is_suitable" method`
	`28`	`+ """`
	`29`	`+raiseNotImplementedError("Abstract method")`
	`30`	`+`
`25`	`31`	`@staticmethod`
`26`	`32`	`def_check_conditions(conditions:list[Union[bool,None]])->bool:`
`27`	`33`	`conditions= [conditionforconditioninconditionsifconditionisnotNone]`
`@@ -88,11 +94,13 @@ def __init__(`
`88`	`94`	`log_source_signature:_LogSourceSignatureType=None,`
`89`	`95`	`fields_mapping:Optional[FieldsMapping]=None,`
`90`	`96`	`raw_log_fields:Optional[dict]=None,`
	`97`	`+conditions:Optional[dict]=None,`
`91`	`98`	`):`
`92`	`99`	`self.source_id=source_id`
`93`	`100`	`self.log_source_signature=log_source_signature`
`94`	`101`	`self.fields_mapping=fields_mappingorFieldsMapping([])`
`95`	`102`	`self.raw_log_fields=raw_log_fields`
	`103`	`+self.conditions=conditions`
`96`	`104`
`97`	`105`
`98`	`106`	`classBasePlatformMappings:`
`@@ -123,6 +131,7 @@ def prepare_mapping(self) -> dict[str, SourceMapping]:`
`123`	`131`
`124`	`132`	`field_mappings_dict=mapping_dict.get("field_mapping", {})`
`125`	`133`	`raw_log_fields=mapping_dict.get("raw_log_fields", {})`
	`134`	`+conditions=mapping_dict.get("conditions", {})`
`126`	`135`	`field_mappings_dict.update({field:fieldforfieldinraw_log_fields})`
`127`	`136`	`fields_mapping=self.prepare_fields_mapping(field_mapping=field_mappings_dict)`
`128`	`137`	`self.update_default_source_mapping(default_mapping=default_mapping,fields_mapping=fields_mapping)`
`@@ -131,6 +140,7 @@ def prepare_mapping(self) -> dict[str, SourceMapping]:`
`131`	`140`	`log_source_signature=log_source_signature,`
`132`	`141`	`fields_mapping=fields_mapping,`
`133`	`142`	`raw_log_fields=raw_log_fields,`
	`143`	`+conditions=conditions,`
`134`	`144`	`)`
`135`	`145`
`136`	`146`	`ifself.skip_load_default_mappings:`
`@@ -170,19 +180,26 @@ def get_source_mappings_by_fields_and_log_sources(`
`170`	`180`
`171`	`181`	`returnby_log_sources_and_fieldsorby_fieldsor [self._source_mappings[DEFAULT_MAPPING_NAME]]`
`172`	`182`
`173`		`-defget_source_mappings_by_ids(self,source_mapping_ids:list[str])->list[SourceMapping]:`
	`183`	`+defget_source_mapping(self,source_id:str)->Optional[SourceMapping]:`
	`184`	`+returnself._source_mappings.get(source_id)`
	`185`	`+`
	`186`	`+defget_source_mappings_by_ids(`
	`187`	`+self,source_mapping_ids:list[str],return_default:bool=True`
	`188`	`+ )->list[SourceMapping]:`
`174`	`189`	`source_mappings= []`
`175`	`190`	`forsource_mapping_idinsource_mapping_ids:`
	`191`	`+ifsource_mapping_id==DEFAULT_MAPPING_NAME:`
	`192`	`+continue`
`176`	`193`	`ifsource_mapping:=self.get_source_mapping(source_mapping_id):`
`177`	`194`	`source_mappings.append(source_mapping)`
`178`	`195`
`179`		`-ifnotsource_mappings:`
	`196`	`+ifnotsource_mappingsandreturn_default:`
`180`	`197`	`source_mappings= [self.get_source_mapping(DEFAULT_MAPPING_NAME)]`
`181`	`198`
`182`	`199`	`returnsource_mappings`
`183`	`200`
`184`		`-defget_source_mapping(self,source_id:str)->Optional[SourceMapping]:`
`185`		`-returnself._source_mappings.get(source_id)`
	`201`	`+defget_source_mappings_by_log_sources(self,log_sources:dict)->Optional[list[str]]:`
	`202`	`+raiseNotImplementedError("Abstract method")`
`186`	`203`
`187`	`204`	`@property`
`188`	`205`	`defdefault_mapping(self)->SourceMapping:`

`‎uncoder-core/app/translator/core/mixins/rule.py‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ def parse_mitre_attack(self, tags: list[str]) -> MitreInfoContainer:`
`42`	`42`	`tag=tag.lower()`
`43`	`43`	`iftag.startswith("attack."):`
`44`	`44`	`tag=tag[7::]`
`45`		`-iftag.startswith("t"):`
	`45`	`+iftag[-1].isdigit():`
`46`	`46`	`parsed_techniques.append(tag)`
`47`	`47`	`else:`
`48`	`48`	`parsed_tactics.append(tag)`

`‎uncoder-core/app/translator/core/mixins/tokens.py‎`

Lines changed: 20 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,20 @@`
	`1`	`+fromtypingimportUnion`
	`2`	`+`
	`3`	`+fromapp.translator.core.constimportQUERY_TOKEN_TYPE`
	`4`	`+fromapp.translator.core.custom_types.tokensimportLogicalOperatorType,OperatorType`
	`5`	`+fromapp.translator.core.mappingimportSourceMapping`
	`6`	`+fromapp.translator.core.models.query_tokens.field_valueimportFieldValue`
	`7`	`+fromapp.translator.core.models.query_tokens.identifierimportIdentifier`
	`8`	`+`
	`9`	`+`
	`10`	`+classExtraConditionMixin:`
	`11`	`+defgenerate_extra_conditions(self,source_mapping:SourceMapping)->list[QUERY_TOKEN_TYPE]:`
	`12`	`+extra_tokens= []`
	`13`	`+forfield,valueinsource_mapping.conditions.items():`
	`14`	`+extra_tokens.extend(`
	`15`	`+ [`
	`16`	`+FieldValue(source_name=field,operator=Identifier(token_type=OperatorType.EQ),value=value),`
	`17`	`+Identifier(token_type=LogicalOperatorType.AND),`
	`18`	`+ ]`
	`19`	`+ )`
	`20`	`+returnextra_tokens`

`‎uncoder-core/app/translator/core/models/query_container.py‎`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ def __init__(`
`78`	`78`	`parsed_logsources:Optional[dict]=None,`
`79`	`79`	`timeframe:Optional[timedelta]=None,`
`80`	`80`	`query_period:Optional[timedelta]=None,`
`81`		`-mitre_attack:MitreInfoContainer=MitreInfoContainer(),`
	`81`	`+mitre_attack:Optional[MitreInfoContainer]=None,`
`82`	`82`	`raw_metainfo_container:Optional[RawMetaInfoContainer]=None,`
`83`	`83`	`)->None:`
`84`	`84`	`self.id=id_orstr(uuid.uuid4())`
`@@ -88,7 +88,7 @@ def __init__(`
`88`	`88`	`self.risk_score=risk_score`
`89`	`89`	`self.type_=type_or""`
`90`	`90`	`self.description=descriptionor""`
`91`		`-self.author= [v.strip()forvinauthor]ifauthorelse []`
	`91`	`+self.author= [v.strip()forvinauthor]ifauthorandauthor!= [None]else []`
`92`	`92`	`self.date=dateordatetime.now().date().strftime("%Y-%m-%d")`
`93`	`93`	`self.output_table_fields=output_table_fieldsor []`
`94`	`94`	`self.query_fields=query_fieldsor []`
`@@ -98,15 +98,15 @@ def __init__(`
`98`	`98`	`self.severity=severityorSeverityType.low`
`99`	`99`	`self.references=referencesor []`
`100`	`100`	`self.tags=tagsor []`
`101`		`-self.mitre_attack=mitre_attackorNone`
	`101`	`+self.mitre_attack=mitre_attackorMitreInfoContainer()`
`102`	`102`	`self.raw_mitre_attack=raw_mitre_attackor []`
`103`	`103`	`self.status=statusor"stable"`
`104`	`104`	`self.false_positives=false_positivesor []`
`105`	`105`	`self._source_mapping_ids=source_mapping_idsor [DEFAULT_MAPPING_NAME]`
`106`	`106`	`self.parsed_logsources=parsed_logsourcesor {}`
`107`	`107`	`self.timeframe=timeframe`
`108`	`108`	`self.query_period=query_period`
`109`		`-self.raw_metainfo_container=raw_metainfo_container`
	`109`	`+self.raw_metainfo_container=raw_metainfo_containerorRawMetaInfoContainer()`
`110`	`110`
`111`	`111`	`@property`
`112`	`112`	`defauthor_str(self)->str:`

`‎uncoder-core/app/translator/core/render.py‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -403,6 +403,9 @@ def process_raw_log_field_prefix(self, field: str, source_mapping: SourceMapping`
`403`	`403`	`ifraw_log_field_type:=source_mapping.raw_log_fields.get(field):`
`404`	`404`	`return [self.process_raw_log_field(field=field,field_type=raw_log_field_type)]`
`405`	`405`
	`406`	`+defgenerate_extra_conditions(self,source_mapping:SourceMapping)->list[QUERY_TOKEN_TYPE]:# noqa: ARG002`
	`407`	`+return []`
	`408`	`+`
`406`	`409`	`defgenerate_raw_log_fields(self,fields:list[Field],source_mapping:SourceMapping)->str:`
`407`	`410`	`ifnotself.raw_log_field_patterns_map:`
`408`	`411`	`return""`
`@@ -442,6 +445,9 @@ def _generate_from_tokenized_query_container_by_source_mapping(`
`442`	`445`	`source_mapping=source_mapping,`
`443`	`446`	`)`
`444`	`447`	`prefix+=f"\n{defined_raw_log_fields}"`
	`448`	`+ifsource_mapping.conditions:`
	`449`	`+extra_tokens=self.generate_extra_conditions(source_mapping=source_mapping)`
	`450`	`+query_container.tokens= [extra_tokens,query_container.tokens]`
`445`	`451`	`query=self.generate_query(tokens=query_container.tokens,source_mapping=source_mapping)`
`446`	`452`	`not_supported_functions=query_container.functions.not_supported+rendered_functions.not_supported`
`447`	`453`	`returnself.finalize_query(`

`‎uncoder-core/app/translator/mappings/platforms/anomali/common.yml‎renamed to ‎uncoder-core/app/translator/mappings/platforms/anomali/proxy.yml‎`

Lines changed: 11 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,19 @@`
`1`	`1`	`platform:Anomali`
`2`		`-description:Common field mapping`
	`2`	`+source:proxy`
`3`	`3`
`4`	`4`	`field_mapping:`
`5`	`5`	`c-uri-query:url`
`6`	`6`	`c-useragent:user_agent`
	`7`	`+c-uri:url`
	`8`	`+cs-method:http_method`
	`9`	`+cs-bytes:bytes_out`
	`10`	`+cs-referrer:http_referrer`
	`11`	`+sc-status:return_code`
	`12`	`+`
	`13`	`+dns-query:query`
	`14`	`+dns-answer:answer`
	`15`	`+dns-record:record_type`
	`16`	`+`
`7`	`17`	`CommandLine:command_line`
`8`	`18`	`DestinationHostname:dest`
`9`	`19`	`DestinationIp:dest_ip`

`‎uncoder-core/app/translator/mappings/platforms/anomali/webserver.yml‎`

Lines changed: 41 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,41 @@`
	`1`	`+platform:Anomali`
	`2`	`+source:webserver`
	`3`	`+`
	`4`	`+field_mapping:`
	`5`	`+c-uri-query:url`
	`6`	`+c-useragent:user_agent`
	`7`	`+c-uri:url`
	`8`	`+cs-method:http_method`
	`9`	`+cs-bytes:bytes_out`
	`10`	`+cs-referrer:http_referrer`
	`11`	`+sc-status:return_code`
	`12`	`+`
	`13`	`+dns-query:query`
	`14`	`+dns-answer:answer`
	`15`	`+dns-record:record_type`
	`16`	`+`
	`17`	`+CommandLine:command_line`
	`18`	`+DestinationHostname:dest`
	`19`	`+DestinationIp:dest_ip`
	`20`	`+DestinationPort:dest_port`
	`21`	`+Details:reg_value_data`
	`22`	`+dst_ip:dest_ip`
	`23`	`+dst_port:dest_port`
	`24`	`+EventID:event_id`
	`25`	`+EventName:event_name`
	`26`	`+FileName:file_name`
	`27`	`+FilePath:file_path`
	`28`	`+Image:image`
	`29`	`+NewProcessName:image`
	`30`	`+OriginalFileName:original_file_name`
	`31`	`+ParentCommandLine:parent_command_line`
	`32`	`+ParentImage:parent_image`
	`33`	`+ParentProcessID:parent_process_id`
	`34`	`+Platform:platform`
	`35`	`+ProcessCommandLine:command_line`
	`36`	`+ProcessID:process_id`
	`37`	`+SourceImage:parent_image`
	`38`	`+SourcePort:src_port`
	`39`	`+TargetFilename:file_name`
	`40`	`+TargetObject:reg_key`
	`41`	`+UserAgent:user_agent`

`‎uncoder-core/app/translator/mappings/platforms/arcsight/default.yml‎`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,5 @@`
	`1`	`+platform:ArcSight`
	`2`	`+source:default`
	`3`	`+`
	`4`	`+`
	`5`	`+default_log_source:{}`

`‎uncoder-core/app/translator/mappings/platforms/arcsight/linux_network_connection.yml‎`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,9 @@`
	`1`	`+platform:ArcSight`
	`2`	`+source:linux_network_connection`
	`3`	`+`
	`4`	`+`
	`5`	`+default_log_source:{}`
	`6`	`+`
	`7`	`+`
	`8`	`+field_mapping:`
	`9`	`+SourceHostname:sourceHostName`

`‎uncoder-core/app/translator/mappings/platforms/arcsight/macos_network_connection.yml‎`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,9 @@`
	`1`	`+platform:ArcSight`
	`2`	`+source:macos_network_connection`
	`3`	`+`
	`4`	`+`
	`5`	`+default_log_source:{}`
	`6`	`+`
	`7`	`+`
	`8`	`+field_mapping:`
	`9`	`+SourceHostname:sourceHostName`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9e0c582

File tree

83 files changed

Some content is hidden

83 files changed

`‎uncoder-core/app/translator/core/mapping.py‎`

`‎uncoder-core/app/translator/core/mixins/rule.py‎`

`‎uncoder-core/app/translator/core/mixins/tokens.py‎`

`‎uncoder-core/app/translator/core/models/query_container.py‎`

`‎uncoder-core/app/translator/core/render.py‎`

`‎uncoder-core/app/translator/mappings/platforms/anomali/common.yml‎renamed to ‎uncoder-core/app/translator/mappings/platforms/anomali/proxy.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/anomali/webserver.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/arcsight/default.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/arcsight/linux_network_connection.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/arcsight/macos_network_connection.yml‎`

0 commit comments