Gis 8397 Add CarbonBlack render #224


Merged
nazargesyk merged 2 commits into main from gis-8397_ref
Dec 17, 2024
Merged
88 changes: 0 additions & 88 deletionsuncoder-core/app/routers/meta_info.py

This file was deleted.

@@ -0,0 +1,2 @@
platform: CarbonBlack
source: default
@@ -0,0 +1,8 @@
platform: CarbonBlack
source: linux_dns_query


field_mapping:
User:
- childproc_username
- process_username
@@ -0,0 +1,9 @@
platform: CarbonBlack
source: linux_network_connection


field_mapping:
DestinationHostname:
- netconn_domain
- netconn_proxy_domain
DestinationPort: netconn_port
@@ -0,0 +1,8 @@
platform: CarbonBlack
source: macos_dns_query


field_mapping:
User:
- childproc_username
- process_username
@@ -0,0 +1,9 @@
platform: CarbonBlack
source: macos_network_connection


field_mapping:
DestinationHostname:
- netconn_domain
- netconn_proxy_domain
DestinationPort: netconn_port
@@ -0,0 +1,7 @@
platform: CarbonBlack
source: windows_create_remote_thread


field_mapping:
SourceImage: parent_name
StartModule: modload_name
@@ -0,0 +1,8 @@
platform: CarbonBlack
source: windows_dns_query


field_mapping:
User:
- childproc_username
- process_username
@@ -0,0 +1,8 @@
platform: CarbonBlack
source: windows_file_event


field_mapping:
User:
- childproc_username
- process_username
@@ -0,0 +1,6 @@
platform: CarbonBlack
source: windows_image_load


field_mapping:
OriginalFileName: process_original_filename
@@ -0,0 +1,9 @@
platform: CarbonBlack
source: windows_network_connection


field_mapping:
DestinationHostname:
- netconn_domain
- netconn_proxy_domain
DestinationPort: netconn_port
@@ -0,0 +1,14 @@
platform: CarbonBlack
source: windows_process_creation


field_mapping:
Hashes:
- md5
- filewrite_md5
- childproc_md5
- parent_md5
User:
- childproc_username
- process_username
OriginalFileName: process_original_filename
@@ -0,0 +1,9 @@
platform: CarbonBlack
source: windows_registry_event


field_mapping:
TargetObject: regmod_name
User:
- childproc_username
- process_username
@@ -0,0 +1,17 @@
platform: CarbonBlack
source: windows_security


field_mapping:
AccountName:
- process_username
- childproc_username
ComputerName: device_name
NewProcessName: process_name
DeviceDescription:
- process_product_name
- process_product_version
- process_publisher
- process_file_description
DestPort: netconn_port
UserID: parent_name
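Review bot: `UserID: parent_name` at the end of this hunk maps a user-identifier field onto the parent process name, which does not look like an equivalent field; a rule that filters on `UserID` would be translated into a match on process names instead. Either map it to a user field (the `process_username`/`childproc_username` pair already used for `AccountName` above) or drop the key until the correct Carbon Black field is confirmed. `DeviceDescription` mapped to product name, version, publisher and file description is similarly broad and appears inferred rather than verified; a `# TODO: confirm against the CBC schema` comment on both keys would flag them for the next reviewer.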
@@ -0,0 +1,51 @@
platform: CarbonBlack
source: windows_sysmon



field_mapping:
CommandLine: process_cmdline
Image: process_name
ParentImage: parent_name
Company: process_publisher
Description:
- process_product_name
- process_product_version
- process_publisher
- process_file_description
DestinationHostname:
- netconn_domain
- netconn_proxy_domain
DestinationIp:
- netconn_ipv4
- netconn_ipv6
DestinationIsIpv6: ipaddr
Hashes:
- md5
- filewrite_md5
- childproc_md5
- parent_md5
IntegrityLevel: process_integrity_level
ParentCommandLine: parent_cmdline
Product:
- process_product_name
- process_file_description
SourceIp:
- netconn_ipv4
- netconn_ipv6
- netconn_local_ipv4
- netconn_local_ipv6
SourcePort: netconn_port
TargetFilename: filemod_name
User: childproc_username;process_username
OriginalFileName: process_original_filename
Signature:
- childproc_publisher
- filemod_publisher
- modload_publisher
- parent_publisher
- process_publisher
ImageLoaded: modload_name
StartModule: modload_name
TargetImage: filemod_name
FileVersion: process_product_version
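Review bot: `User: childproc_username;process_username` in this hunk is a single semicolon-joined string, while the other new mappings in this PR (windows_process_creation, windows_registry_event, the dns_query and file_event files) express the same alternative as a two-item YAML list; unless the loader splits on `;`, which is not visible here, this will be emitted as one literal field name. Change it to `User:` followed by `- childproc_username` and `- process_username` to match the sibling files. `SourcePort: netconn_port` also conflicts with the other files, which map `DestinationPort` to `netconn_port`, and `SourceIp` mixes remote (`netconn_ipv4`) and local (`netconn_local_ipv4`) addresses, so a rule on a source address would likely also match the destination side — worth confirming against the Carbon Black schema. `TargetImage: filemod_name` and `DestinationIsIpv6: ipaddr` look like placeholders rather than equivalents of the Sysmon fields and deserve either a verified mapping or a `# TODO` comment.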
@@ -1 +1,2 @@
from app.translator.platforms.carbonblack.renders.carbonblack import CarbonBlackQueryRender # noqa: F401
from app.translator.platforms.carbonblack.renders.carbonblack_cti import CarbonBlackCTI # noqa: F401
16 changes: 16 additions & 0 deletionsuncoder-core/app/translator/platforms/carbonblack/const.py
@@ -1,7 +1,23 @@
from app.translator.core.models.platform_details import PlatformDetails

CARBON_BLACK_QUERY_DETAILS = {
"platform_id": "carbonblack",
"name": "Carbon Black Cloud",
"group_name": "VMware Carbon Black",
"group_id": "carbonblack-pack",
"platform_name": "Query (Cloud)",
}

DEFAULT_CARBONBLACK_CTI_MAPPING = {
"SourceIP": "netconn_local_ipv4",
"DestinationIP": "netconn_ipv4",
"Domain": "netconn_domain",
"URL": "netconn_domain",
"HashMd5": "hash",
"HashSha256": "hash",
"Files": "filemod_name",
"Emails": "process_username",
}


carbonblack_query_details = PlatformDetails(**CARBON_BLACK_QUERY_DETAILS)
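Review bot: In `DEFAULT_CARBONBLACK_CTI_MAPPING`, `"URL": "netconn_domain"` and `"Emails": "process_username"` map indicator types onto fields of a different kind, so a full URL or an e-mail address searched through this mapping is unlikely to match unless the caller first reduces the value to a host name or a user name; nothing in this hunk does that, so either the mapping or the renderer should document the expected normalization. `"HashMd5"` and `"HashSha256"` both resolve to the same `hash` field, which may be intended but deserves a one-line comment such as `# CBC "hash" is searched for both MD5 and SHA-256 values` if so. The dict itself carries no comment explaining that its keys are the IoC categories consumed by the CTI render (inferred from the `__init__` hunk that imports `CarbonBlackCTI`); a short comment above it would make the contract visible.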
@@ -0,0 +1,20 @@
from typing import ClassVar

from app.translator.core.custom_types.values import ValueType
from app.translator.core.escape_manager import EscapeManager
from app.translator.core.models.escape_details import EscapeDetails


class CarbonBlackEscapeManager(EscapeManager):
escape_map: ClassVar[dict[str, list[EscapeDetails]]] = {
ValueType.value: [
EscapeDetails(
pattern='([\s+\\-=&?!|(){}.\\[\\]^"~:/]|(?<!\\\\)\\\\(?![*?\\\\])|\\\\u|&&|\\|\\|)',
escape_symbols="\\\\\g<1>",
)
],
ValueType.regex_value: [EscapeDetails(pattern=r"([$^*+()\[\]{}|.?\-\\])", escape_symbols=r"\\\1")],
}


carbon_black_escape_manager = CarbonBlackEscapeManager()
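Review bot: `pattern='([\s+...` and `escape_symbols="\\\\\g<1>"` in the `ValueType.value` entry are ordinary (non-raw) string literals containing `\s` and `\g`, invalid escape sequences that CPython 3.12 reports as SyntaxWarning and that are easy to mis-edit, while the `ValueType.regex_value` entry directly below uses raw strings, so the two entries are inconsistent. The equivalent raw forms are `pattern=r'([\s+\-=&?!|(){}.\[\]^"~:/]|(?<!\\)\\(?![*?\\])|\\u|&&|\|\|)'` and `escape_symbols=r"\\\g<1>"`. Since this map is what keeps a rule value from altering the syntax of the generated query, a comment stating that `*` and `?` are deliberately left unescaped because they remain wildcards would make that intent reviewable.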
18 changes: 18 additions & 0 deletionsuncoder-core/app/translator/platforms/carbonblack/mapping.py
@@ -0,0 +1,18 @@
from app.translator.core.mapping import BaseStrictLogSourcesPlatformMappings, LogSourceSignature
from app.translator.platforms.carbonblack.const import carbonblack_query_details


class CarbonBlackLogSourceSignature(LogSourceSignature):
def is_suitable(self) -> bool:
return True

def __str__(self) -> str:
return ""


class CarbonBlackMappings(BaseStrictLogSourcesPlatformMappings):
def prepare_log_source_signature(self, mapping: dict) -> CarbonBlackLogSourceSignature:
...


carbonblack_query_mappings = CarbonBlackMappings(platform_dir="carbonblack", platform_details=carbonblack_query_details)
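Review bot: `prepare_log_source_signature` ends with a bare `...`, so despite its `-> CarbonBlackLogSourceSignature` annotation it returns the `Ellipsis` object; any caller in the base mappings that then invokes `.is_suitable()` on the result will fail with AttributeError. Return an actual `CarbonBlackLogSourceSignature` instance here (its constructor arguments are not visible in this hunk), or raise `NotImplementedError` if the strict mappings never consult a signature for this platform. `CarbonBlackLogSourceSignature.is_suitable` returning `True` unconditionally and `__str__` returning `""` also deserve a class docstring stating that Carbon Black has no log-source selector, so the behaviour reads as intentional rather than unfinished.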
Empty file.

This file was deleted.
