NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commitd5639ce

authored

Merge pull request#205 from UncoderIO/gis-8825

Gis 8825 added sentinel one power query render

2 parents1a50cff +ba9ee98 commitd5639ceCopy full SHA for d5639ce

File tree

21 files changed

+306

-5

lines changed

uncoder-core/app/translator
- mappings/platforms/sentinel_one
- platforms
  - carbonblack
    - const.py
    - renders
      - carbonblack_cti.py
  - elasticsearch/renders
    - elasticsearch_eql.py
  - microsoft/parsers
    - microsoft_sentinel.py
  - sentinel_one
    - __init__.py
    - const.py
    - custom_types
      - __init__.py
      - values.py
    - escape_manager.py
    - mapping.py
    - renders
      - s1_cti.py
      - sentinel_one_power_query.py
    - str_value_manager.py

21 files changed

+306

-5

lines changed

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/default.yml‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+platform:Sentinel One Power Query`
	`2`	`+source:default`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/dns.yml‎`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,12 @@`
	`1`	`+platform:Sentinel One Power Query`
	`2`	`+source:dns`
	`3`	`+`
	`4`	`+field_mapping:`
	`5`	`+Image:src.process.image.path`
	`6`	`+CommandLine:src.process.cmdline`
	`7`	`+ParentImage:src.process.parent.image.path`
	`8`	`+ParentCommandLine:src.process.parent.cmdline`
	`9`	`+query:event.dns.request`
	`10`	`+answer:event.dns.response`
	`11`	`+QueryName:event.dns.request`
	`12`	`+record_type:event.dns.response`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/linux_file_event.yml‎`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,11 @@`
	`1`	`+platform:Sentinel One Power Query`
	`2`	`+source:linux_file_event`
	`3`	`+`
	`4`	`+field_mapping:`
	`5`	`+Image:src.process.image.path`
	`6`	`+CommandLine:src.process.cmdline`
	`7`	`+ParentImage:src.process.parent.image.path`
	`8`	`+ParentCommandLine:src.process.parent.cmdline`
	`9`	`+TargetFilename:tgt.file.path`
	`10`	`+SourceFilename:tgt.file.oldPath`
	`11`	`+User:src.process.use`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_image_load.yml‎`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,9 @@`
	`1`	`+platform:Sentinel One Power Query`
	`2`	`+source:windows_image_load`
	`3`	`+`
	`4`	`+field_mapping:`
	`5`	`+Image:Image`
	`6`	`+ImageLoaded:ImageLoaded`
	`7`	`+SignatureStatus:SignatureStatus`
	`8`	`+OriginalFileName:OriginalFileName`
	`9`	`+Signed:Signed`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_network_connection.yml‎`

Lines changed: 21 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,21 @@`
	`1`	`+platform:Sentinel One Power Query`
	`2`	`+source:windows_network_connection`
	`3`	`+`
	`4`	`+field_mapping:`
	`5`	`+Image:src.process.image.path`
	`6`	`+CommandLine:src.process.cmdline`
	`7`	`+ParentImage:src.process.parent.image.path`
	`8`	`+ParentCommandLine:src.process.parent.cmdline`
	`9`	`+DestinationHostname:`
	`10`	`+ -url.address`
	`11`	`+ -event.dns.request`
	`12`	`+DestinationPort:dst.port.number`
	`13`	`+DestinationIp:dst.ip.address`
	`14`	`+User:src.process.user`
	`15`	`+SourceIp:src.ip.address`
	`16`	`+SourcePort:src.port.number`
	`17`	`+Protocol:NetProtocolName`
	`18`	`+dst_ip:dst.ip.address`
	`19`	`+src_ip:src.ip.address`
	`20`	`+dst_port:dst.port.number`
	`21`	`+src_port:src.port.number`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_pipe_created.yml‎`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,9 @@`
	`1`	`+platform:Sentinel One Power Query`
	`2`	`+source:windows_pipe_created`
	`3`	`+`
	`4`	`+field_mapping:`
	`5`	`+PipeName:namedPipe.name`
	`6`	`+Image:src.process.image.path`
	`7`	`+CommandLine:src.process.cmdline`
	`8`	`+ParentImage:src.process.parent.image.path`
	`9`	`+ParentCommandLine:src.process.parent.cmdline`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_process_creation.yml‎`

Lines changed: 21 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,21 @@`
	`1`	`+platform:Sentinel One Power Query`
	`2`	`+source:windows_process_creation`
	`3`	`+`
	`4`	`+field_mapping:`
	`5`	`+ProcessId:tgt.process.pid`
	`6`	`+Image:tgt.process.image.path`
	`7`	`+Description:tgt.process.displayName`
	`8`	`+Publisher:tgt.process.publisher`
	`9`	`+Product:tgt.process.displayName`
	`10`	`+Company:tgt.process.publisher`
	`11`	`+CommandLine:tgt.process.cmdline`
	`12`	`+CurrentDirectory:tgt.process.image.path`
	`13`	`+User:tgt.process.user`
	`14`	`+TerminalSessionId:tgt.process.sessionid`
	`15`	`+IntegrityLevel:tgt.process.integrityLevel`
	`16`	`+md5:tgt.process.image.md5`
	`17`	`+sha1:tgt.process.image.sha1`
	`18`	`+sha256:tgt.process.image.sha256`
	`19`	`+ParentProcessId:src.process.pid`
	`20`	`+ParentImage:src.process.image.path`
	`21`	`+ParentCommandLine:src.process.cmdline`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_registry_event.yml‎`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,10 @@`
	`1`	`+platform:Sentinel One Power Query`
	`2`	`+source:windows_registry_event`
	`3`	`+`
	`4`	`+field_mapping:`
	`5`	`+Image:src.process.image.path`
	`6`	`+CommandLine:src.process.cmdline`
	`7`	`+ParentImage:src.process.parent.image.path`
	`8`	`+ParentCommandLine:src.process.parent.cmdline`
	`9`	`+TargetObject:registry.keyPath`
	`10`	`+Details:registry.value`

`‎uncoder-core/app/translator/platforms/carbonblack/const.py‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@`
`8`	`8`	`"platform_name":"Query (Cloud)",`
`9`	`9`	`}`
`10`	`10`
	`11`	`+`
`11`	`12`	`DEFAULT_CARBONBLACK_CTI_MAPPING= {`
`12`	`13`	`"SourceIP":"netconn_local_ipv4",`
`13`	`14`	`"DestinationIP":"netconn_ipv4",`

`‎uncoder-core/app/translator/platforms/carbonblack/renders/carbonblack_cti.py‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@`
`23`	`23`	`fromapp.translator.platforms.carbonblack.constimportDEFAULT_CARBONBLACK_CTI_MAPPING,carbonblack_query_details`
`24`	`24`
`25`	`25`
	`26`	`+`
`26`	`27`	`@render_cti_manager.register`
`27`	`28`	`classCarbonBlackCTI(RenderCTI):`
`28`	`29`	`details:PlatformDetails=carbonblack_query_details`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitd5639ce

File tree

21 files changed

21 files changed

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/default.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/dns.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/linux_file_event.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_image_load.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_network_connection.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_pipe_created.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_process_creation.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_registry_event.yml‎`

`‎uncoder-core/app/translator/platforms/carbonblack/const.py‎`

`‎uncoder-core/app/translator/platforms/carbonblack/renders/carbonblack_cti.py‎`

0 commit comments