Merge pull request #222 from UncoderIO/gis-9137

Gis 9137 Create  IOCs sigma render

uncoder-core/app/routers/ioc_translate.py

@@ -4,11 +4,10 @@
 
 from app.models.ioc_translation import CTIPlatform, OneTranslationCTIData
 from app.models.translation import InfoMessage
-from app.translator.cti_translator import CTITranslator
+from app.translator.cti_translator import cti_translator
 from app.translator.tools.const import HashType, IocParsingRule, IOCType
 
 iocs_router = APIRouter()
-cti_translator = CTITranslator()
 
 
 @iocs_router.post("/iocs/translate", description="Parse IOCs from text.")

uncoder-core/app/translator/cti_translator.py

@@ -86,3 +86,6 @@ def __get_iocs_chunk(
     @classmethod
     def get_renders(cls) -> list:
         return cls.render_manager.get_platforms_details
+
+
+cti_translator = CTITranslator()

uncoder-core/app/translator/platforms/arcsight/const.py

@@ -9,4 +9,18 @@
     "alt_platform_name": "CEF",
 }
 
+
+DEFAULT_ARCSIGHT_CTI_MAPPING = {
+    "SourceIP": "sourceAddress",
+    "DestinationIP": "destinationAddress",
+    "Domain": "destinationDnsDomain",
+    "URL": "requestUrl",
+    "HashMd5": "fileHash",
+    "HashSha1": "fileHash",
+    "HashSha256": "fileHash",
+    "HashSha512": "fileHash",
+    "Emails": "sender-address",
+    "Files": "winlog.event_data.TargetFilename",
+}
+
 arcsight_query_details = PlatformDetails(**ARCSIGHT_QUERY_DETAILS)

uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py

@@ -1,15 +1,14 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.arcsight.const import arcsight_query_details
-from app.translator.platforms.arcsight.mappings.arcsight_cti import DEFAULT_ARCSIGHT_MAPPING
+from app.translator.platforms.arcsight.const import arcsight_query_details, DEFAULT_ARCSIGHT_CTI_MAPPING
 
 
 @render_cti_manager.register
 class ArcsightKeyword(RenderCTI):
     details: PlatformDetails = arcsight_query_details
 
-    default_mapping = DEFAULT_ARCSIGHT_MAPPING
+    default_mapping = DEFAULT_ARCSIGHT_CTI_MAPPING
     field_value_template: str = "{key} = {value}"
     or_operator: str = " OR "
     group_or_operator: str = " OR "

uncoder-core/app/translator/platforms/athena/const.py

@@ -9,4 +9,18 @@
     "alt_platform_name": "OCSF",
 }
 
+DEFAULT_ATHENA_CTI_MAPPING = {
+    "SourceIP": "src_endpoint",
+    "DestinationIP": "dst_endpoint",
+    "Domain": "dst_endpoint",
+    "URL": "http_request",
+    "HashMd5": "unmapped.file.hash.md5",
+    "HashSha1": "unmapped.file.hash.sha1",
+    "HashSha256": "unmapped.file.hash.sha256",
+    "HashSha512": "unmapped.file.hash.sha512",
+    "Email": "email",
+    "FileName": "file.name",
+}
+
+
 athena_query_details = PlatformDetails(**ATHENA_QUERY_DETAILS)

uncoder-core/app/translator/platforms/athena/renders/athena_cti.py

@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.athena.const import athena_query_details
-from app.translator.platforms.athena.mappings.athena_cti import DEFAULT_ATHENA_MAPPING
+from app.translator.platforms.athena.const import DEFAULT_ATHENA_CTI_MAPPING, athena_query_details
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class AthenaCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "SELECT * from eventlog where {result}\n"
     final_result_for_one: str = "SELECT * from eventlog where {result}\n"
-    default_mapping = DEFAULT_ATHENA_MAPPING
+    default_mapping = DEFAULT_ATHENA_CTI_MAPPING

uncoder-core/app/translator/platforms/chronicle/const.py

@@ -37,5 +37,17 @@
     **PLATFORM_DETAILS,
 }
 
+DEFAULT_CHRONICLE_CTI_MAPPING = {
+    "DestinationIP": "target.ip",
+    "SourceIP": "principal.ip",
+    "HashSha256": "target.file.sha256",
+    "HashMd5": "target.file.md5",
+    "Emails": "network.email.from",
+    "Domain": "target.hostname",
+    "HashSha1": "target.file.sha1",
+    "Files": "target.file.full_path",
+    "URL": "target.url",
+}
+
 chronicle_query_details = PlatformDetails(**CHRONICLE_QUERY_DETAILS)
 chronicle_rule_details = PlatformDetails(**CHRONICLE_RULE_DETAILS)

uncoder-core/app/translator/platforms/chronicle/renders/chronicle_cti.py

@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.chronicle.const import chronicle_query_details
-from app.translator.platforms.chronicle.mappings.chronicle_cti import DEFAULT_CHRONICLE_MAPPING
+from app.translator.platforms.chronicle.const import DEFAULT_CHRONICLE_CTI_MAPPING, chronicle_query_details
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class ChronicleQueryCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "{result}\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_CHRONICLE_MAPPING
+    default_mapping = DEFAULT_CHRONICLE_CTI_MAPPING

uncoder-core/app/translator/platforms/crowdstrike/const.py

@@ -8,4 +8,17 @@
     "group_name": "CrowdStrike Endpoint Security",
 }
 
+DEFAULT_CROWDSTRIKE_CTI_MAPPING = {
+    "DestinationIP": "RemoteAddressIP4",
+    "SourceIP": "LocalAddressIP4",
+    "HashSha256": "SHA256HashData",
+    "HashMd5": "MD5HashData",
+    "Emails": "emails",
+    "Domain": "DomainName",
+    "HashSha1": "SHA1HashData",
+    "Files": "TargetFileName",
+    "URL": "HttpUrl",
+}
+
+
 crowdstrike_query_details = PlatformDetails(**CROWDSTRIKE_QUERY_DETAILS)

uncoder-core/app/translator/platforms/crowdstrike/renders/crowdstrike_cti.py

@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.crowdstrike.const import crowdstrike_query_details
-from app.translator.platforms.crowdstrike.mappings.crowdstrike_cti import DEFAULT_CROWDSTRIKE_MAPPING
+from app.translator.platforms.crowdstrike.const import DEFAULT_CROWDSTRIKE_CTI_MAPPING, crowdstrike_query_details
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class CrowdStrikeCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_CROWDSTRIKE_MAPPING
+    default_mapping = DEFAULT_CROWDSTRIKE_CTI_MAPPING

uncoder-core/app/translator/platforms/elasticsearch/const.py

@@ -240,3 +240,16 @@
     "query": "",
     "actions": [],
 }
+
+DEFAULT_ELASTICSEARCH_CTI_MAPPING = {
+    "DestinationIP": "destination.ip",
+    "SourceIP": "source.ip",
+    "HashSha512": "file.hash.sha512",
+    "HashSha256": "file.hash.sha256",
+    "HashMd5": "file.hash.md5",
+    "Emails": "email.from.address",
+    "Domain": "destination.domain",
+    "HashSha1": "file.hash.sha1",
+    "Files": "file.name",
+    "URL": "url.original",
+}

uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_cti.py

@@ -20,8 +20,10 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.elasticsearch.const import elasticsearch_lucene_query_details
-from app.translator.platforms.elasticsearch.mappings.elasticsearch_cti_cti import DEFAULT_ELASTICSEARCH_MAPPING
+from app.translator.platforms.elasticsearch.const import (
+    DEFAULT_ELASTICSEARCH_CTI_MAPPING,
+    elasticsearch_lucene_query_details,
+)
 
 
 @render_cti_manager.register
@@ -35,4 +37,4 @@ class ElasticsearchCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_ELASTICSEARCH_MAPPING
+    default_mapping = DEFAULT_ELASTICSEARCH_CTI_MAPPING

uncoder-core/app/translator/platforms/elasticsearch/renders/elasticsearch_eql.py

@@ -119,7 +119,6 @@ def is_not_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:  # noqa: AR
 
 
 @render_manager.register
-
 class ElasticSearchEQLQueryRender(ExtraConditionMixin, PlatformQueryRender):
     details: PlatformDetails = elastic_eql_query_details
     mappings: LuceneMappings = elastic_eql_query_mappings

uncoder-core/app/translator/platforms/fireeye_helix/const.py

@@ -5,3 +5,16 @@
     "group_id": "fireeye",
     "platform_name": "Query",
 }
+
+DEFAULT_FIREEYE_HELIX_CTI_MAPPING = {
+    "SourceIP": "~srcipv4",
+    "DestinationIP": "~dstipv4",
+    "Domain": "domain",
+    "URL": "url",
+    "HashMd5": "~hash",
+    "HashSha1": "~hash",
+    "HashSha256": "~hash",
+    "HashSha512": "~hash",
+    "Emails": "emails",
+    "Files": "filepath",
+}

uncoder-core/app/translator/platforms/fireeye_helix/renders/fireeye_helix_cti.py

@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.fireeye_helix.const import FIREEYE_HELIX_QUERY_DETAILS
-from app.translator.platforms.fireeye_helix.mappings.fireeye_helix import DEFAULT_FIREEYE_HELIX_MAPPING
+from app.translator.platforms.fireeye_helix.const import DEFAULT_FIREEYE_HELIX_CTI_MAPPING, FIREEYE_HELIX_QUERY_DETAILS
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class FireeyeHelixCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_FIREEYE_HELIX_MAPPING
+    default_mapping = DEFAULT_FIREEYE_HELIX_CTI_MAPPING

uncoder-core/app/translator/platforms/graylog/const.py

@@ -8,5 +8,18 @@
     "group_id": "graylog",
 }
 
+DEFAULT_GRAYLOG_CTI_MAPPING = {
+    "SourceIP": "source.ip",
+    "DestinationIP": "destination.ip",
+    "Domain": "destination.domain",
+    "URL": "url.original",
+    "HashMd5": "file.hash.md5",
+    "HashSha1": "file.hash.sha1",
+    "HashSha256": "file.hash.sha256",
+    "HashSha512": "file.hash.sha512",
+    "Emails": "emails",
+    "Files": "filePath",
+}
+
 
 graylog_query_details = PlatformDetails(**GRAYLOG_QUERY_DETAILS)

uncoder-core/app/translator/platforms/graylog/renders/graylog_cti.py

@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.graylog.const import GRAYLOG_QUERY_DETAILS
-from app.translator.platforms.graylog.mappings.graylog_cti import DEFAULT_GRAYLOG_MAPPING
+from app.translator.platforms.graylog.const import DEFAULT_GRAYLOG_CTI_MAPPING, GRAYLOG_QUERY_DETAILS
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class GraylogCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "({result})\n"
     final_result_for_one: str = "{result}\n"
-    default_mapping = DEFAULT_GRAYLOG_MAPPING
+    default_mapping = DEFAULT_GRAYLOG_CTI_MAPPING

uncoder-core/app/translator/platforms/logpoint/const.py

@@ -5,3 +5,16 @@
     "platform_name": "Query",
     "group_id": "logpoint",
 }
+
+DEFAULT_LOGPOINT_CTI_MAPPING = {
+    "DestinationIP": "dst_ip",
+    "SourceIP": "src_ip",
+    "HashSha512": "hash",
+    "HashSha256": "hash",
+    "HashMd5": "hash",
+    "Emails": "emails",
+    "Domain": "host",
+    "HashSha1": "hash",
+    "Files": "files",
+    "URL": "url",
+}