diff --git a/siem-converter/app/converter/backends/__init__.py b/siem-converter/app/converter/backends/__init__.py
deleted file mode 100644
index 3d3a35cf..00000000
--- a/siem-converter/app/converter/backends/__init__.py
+++ /dev/null
@@ -1,122 +0,0 @@
-from app.converter.backends.athena.parsers.athena import AthenaParser
-from app.converter.backends.athena.renders.athena import AthenaQueryRender
-from app.converter.backends.athena.renders.athena_cti import AthenaCTI
-from app.converter.backends.carbonblack.renders.carbonblack_cti import CarbonBlackCTI
-from app.converter.backends.chronicle.parsers.chronicle import ChronicleParser
-from app.converter.backends.chronicle.parsers.chronicle_rule import ChronicleRuleParser
-from app.converter.backends.chronicle.renders.chronicle import ChronicleQueryRender
-from app.converter.backends.chronicle.renders.chronicle_cti import ChronicleQueryCTI
-from app.converter.backends.chronicle.renders.chronicle_rule import ChronicleSecurityRuleRender
-from app.converter.backends.crowdstrike.parsers.crowdstrike import CrowdStrikeParser
-from app.converter.backends.crowdstrike.renders.crowdstrike import CrowdStrikeQueryRender
-from app.converter.backends.crowdstrike.renders.crowdstrike_cti import CrowdStrikeCTI
-from app.converter.backends.elasticsearch.parsers.detection_rule import ElasticSearchRuleParser
-from app.converter.backends.elasticsearch.parsers.elasticsearch import ElasticSearchParser
-from app.converter.backends.elasticsearch.renders.detection_rule import ElasticSearchRuleRender
-from app.converter.backends.elasticsearch.renders.elast_alert import ElastAlertRuleRender
-from app.converter.backends.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender
-from app.converter.backends.elasticsearch.renders.elasticsearch_cti import ElasticsearchCTI
-from app.converter.backends.elasticsearch.renders.kibana import KibanaRuleRender
-from app.converter.backends.elasticsearch.renders.xpack_watcher import XPackWatcherRuleRender
-from app.converter.backends.fireeye_helix.renders.fireeye_helix_cti import FireeyeHelixCTI
-from app.converter.backends.graylog.renders.graylog_cti import GraylogCTI
-from app.converter.backends.logpoint.renders.logpoint_cti import LogpointCTI
-from app.converter.backends.logscale.parsers.logscale import LogScaleParser
-from app.converter.backends.logscale.parsers.logscale_alert import LogScaleAlertParser
-from app.converter.backends.logscale.renders.logscale_cti import LogScaleCTI
-from app.converter.backends.logscale.renders.logscale import LogScaleQueryRender
-from app.converter.backends.logscale.renders.logscale_alert import LogScaleAlertRender
-from app.converter.backends.microsoft.parsers.microsoft_defender import MicrosoftDefenderQueryParser
-from app.converter.backends.microsoft.parsers.microsoft_sentinel import MicrosoftParser
-from app.converter.backends.microsoft.parsers.microsoft_sentinel_rule import MicrosoftRuleParser
-from app.converter.backends.microsoft.renders.microsoft_defender import MicrosoftDefenderQueryRender
-from app.converter.backends.microsoft.renders.microsoft_defender_cti import MicrosoftDefenderCTI
-from app.converter.backends.microsoft.renders.microsoft_sentinel import MicrosoftSentinelQueryRender
-from app.converter.backends.microsoft.renders.microsoft_sentinel_cti import MicrosoftSentinelCTI
-from app.converter.backends.microsoft.renders.microsoft_sentinel_rule import MicrosoftSentinelRuleRender
-from app.converter.backends.opensearch.parsers.opensearch import OpenSearchParser
-from app.converter.backends.opensearch.renders.opensearch import OpenSearchQueryRender
-from app.converter.backends.opensearch.renders.opensearch_cti import OpenSearchCTI
-from app.converter.backends.opensearch.renders.opensearch_rule import OpenSearchRuleRender
-from app.converter.backends.qradar.parsers.qradar import QradarParser
-from app.converter.backends.qradar.renders.qradar import QradarQueryRender
-from app.converter.backends.qradar.renders.qradar_cti import QRadarCTI
-from app.converter.backends.qualys.renders.qualys_cti import QualysCTI
-from app.converter.backends.rsa_netwitness.renders.rsa_netwitness_cti import RSANetwitnessCTI
-from app.converter.backends.securonix.renders.securonix_cti import SecuronixCTI
-from app.converter.backends.sentinel_one.renders.s1_cti import S1EventsCTI
-from app.converter.backends.sigma.parsers.sigma import SigmaParser
-from app.converter.backends.sigma.renders.sigma import SigmaRender
-from app.converter.backends.snowflake.renders.snowflake_cti import SnowflakeCTI
-from app.converter.backends.splunk.parsers.splunk import SplunkParser
-from app.converter.backends.splunk.parsers.splunk_alert import SplunkAlertParser
-from app.converter.backends.splunk.renders.splunk import SplunkQueryRender
-from app.converter.backends.splunk.renders.splunk_alert import SplunkAlertRender
-from app.converter.backends.splunk.renders.splunk_cti import SplunkCTI
-from app.converter.backends.sumo_logic.renders.sumologic_cti import SumologicCTI
-
-__ALL_RENDERS = (
- SigmaRender(),
- MicrosoftSentinelQueryRender(),
- MicrosoftSentinelRuleRender(),
- MicrosoftDefenderQueryRender(),
- QradarQueryRender(),
- CrowdStrikeQueryRender(),
- SplunkQueryRender(),
- SplunkAlertRender(),
- ChronicleQueryRender(),
- ChronicleSecurityRuleRender(),
- AthenaQueryRender(),
- ElasticSearchQueryRender(),
- LogScaleQueryRender(),
- LogScaleAlertRender(),
- ElasticSearchRuleRender(),
- ElastAlertRuleRender(),
- KibanaRuleRender(),
- XPackWatcherRuleRender(),
- OpenSearchQueryRender(),
- OpenSearchRuleRender()
-)
-
-__ALL_PARSERS = (
- AthenaParser(),
- ChronicleParser(),
- ChronicleRuleParser(),
- SplunkParser(),
- SplunkAlertParser(),
- SigmaParser(),
- QradarParser(),
- MicrosoftParser(),
- MicrosoftRuleParser(),
- MicrosoftDefenderQueryParser(),
- CrowdStrikeParser(),
- LogScaleParser(),
- LogScaleAlertParser(),
- ElasticSearchParser(),
- ElasticSearchRuleParser(),
- OpenSearchParser()
-)
-
-
-__ALL_RENDERS_CTI = (
- MicrosoftSentinelCTI(),
- MicrosoftDefenderCTI(),
- QRadarCTI(),
- SplunkCTI(),
- ChronicleQueryCTI(),
- CrowdStrikeCTI(),
- SumologicCTI(),
- ElasticsearchCTI(),
- LogScaleCTI(),
- OpenSearchCTI(),
- FireeyeHelixCTI(),
- CarbonBlackCTI(),
- GraylogCTI(),
- LogpointCTI(),
- QualysCTI(),
- RSANetwitnessCTI(),
- S1EventsCTI(),
- SecuronixCTI(),
- SnowflakeCTI(),
- AthenaCTI()
-)
diff --git a/siem-converter/app/converter/backends/elasticsearch/parsers/elasticsearch.py b/siem-converter/app/converter/backends/elasticsearch/parsers/elasticsearch.py
deleted file mode 100644
index 72dbb438..00000000
--- a/siem-converter/app/converter/backends/elasticsearch/parsers/elasticsearch.py
+++ /dev/null
@@ -1,65 +0,0 @@ -""" -Uncoder IO Commercial Edition License ------------------------------------------------------------------ -Copyright (c) 2023 SOC Prime, Inc. - -This file is part of the Uncoder IO Commercial Edition ("CE") and is -licensed under the Uncoder IO Non-Commercial License (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - https://github.com/UncoderIO/UncoderIO/blob/main/LICENSE - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ------------------------------------------------------------------ -""" - -import re -from typing import List, Tuple, Dict - -from app.converter.backends.elasticsearch.const import elasticsearch_lucene_query_details -from app.converter.backends.elasticsearch.mapping import ElasticSearchMappings, elasticsearch_mappings -from app.converter.backends.elasticsearch.tokenizer import ElasticSearchTokenizer -from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.parser import Parser -from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer - - -class ElasticSearchParser(Parser): - details: PlatformDetails = elasticsearch_lucene_query_details - mappings: ElasticSearchMappings = elasticsearch_mappings - tokenizer = ElasticSearchTokenizer() - - log_source_pattern = r"___source_type___\s*(?:[:=])\s*(?:\"?(?P[%a-zA-Z_*:0-9\-/]+)\"|(?P[%a-zA-Z_*:0-9\-/]+))(?:\s+(?:and|or)\s+|\s+)?" 
- log_source_key_types = ("index", "event\.category") - - def _parse_log_sources(self, query: str) -> Tuple[str, Dict[str, List[str]]]: - log_sources = {} - for source_type in self.log_source_key_types: - pattern = self.log_source_pattern.replace('___source_type___', source_type) - while search := re.search(pattern, query, flags=re.IGNORECASE): - group_dict = search.groupdict() - value = group_dict.get("d_q_value") or group_dict.get("value") - log_sources.setdefault(source_type, []).append(value) - pos_start = search.start() - pos_end = search.end() - query = query[:pos_start] + query[pos_end:] - - return query, log_sources - - @staticmethod - def _get_meta_info(source_mapping_ids: List[str], meta_info: dict) -> MetaInfoContainer: - return MetaInfoContainer(source_mapping_ids=source_mapping_ids) - - def _parse_query(self, query: str) -> Tuple[str, Dict[str, List[str]]]: - return self._parse_log_sources(query) - - def parse(self, text: str) -> SiemContainer: - query, log_sources = self._parse_query(text) - tokens, source_mappings = self.get_tokens_and_source_mappings(query, log_sources) - return SiemContainer( - query=tokens, - meta_info=self._get_meta_info([source_mapping.source_id for source_mapping in source_mappings], {}), - ) diff --git a/siem-converter/app/converter/backends/elasticsearch/tokenizer.py b/siem-converter/app/converter/backends/elasticsearch/tokenizer.py deleted file mode 100644 index 069491ab..00000000 --- a/siem-converter/app/converter/backends/elasticsearch/tokenizer.py +++ /dev/null 
@@ -1,109 +0,0 @@ -""" -Uncoder IO Commercial Edition License ------------------------------------------------------------------ -Copyright (c) 2023 SOC Prime, Inc. - -This file is part of the Uncoder IO Commercial Edition ("CE") and is -licensed under the Uncoder IO Non-Commercial License (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - https://github.com/UncoderIO/UncoderIO/blob/main/LICENSE - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ------------------------------------------------------------------ -""" - -import re -from typing import Tuple, Union, List, Any - -from app.converter.core.exceptions.parser import TokenizerGeneralException -from app.converter.core.models.field import Keyword, Field -from app.converter.core.models.identifier import Identifier -from app.converter.core.tokenizer import QueryTokenizer -from app.converter.core.operator_types.tokens import OperatorType -from app.converter.tools.utils import get_match_group - - -class ElasticSearchTokenizer(QueryTokenizer): - field_pattern = r"(?P[a-zA-Z\.\-_]+)" - match_operator_pattern = r"(?:___field___\s*(?P:))\s*" - - num_value_pattern = r"(?P\d+(?:\.\d+)*)\s*" - double_quotes_value_pattern = r'"(?P(?:[:a-zA-Z\*0-9=+%#\-_/,\'\.$&^@!\(\)\{\}\s]|\\\"|\\)*)"\s*' - no_quotes_value_pattern = r"(?P(?:[a-zA-Z\*0-9=%#_/,\'\.$@]|\\\"|\\\\)+)\s*" - re_value_pattern = r"/(?P[:a-zA-Z\*0-9=+%#\\\-_\,\"\'\.$&^@!\(\)\{\}\[\]\s?]+)/\s*" - _value_pattern = fr"{num_value_pattern}|{re_value_pattern}|{no_quotes_value_pattern}|{double_quotes_value_pattern}" - keyword_pattern = r"(?P(?:[a-zA-Z\*0-9=%#_/,\'\.$@]|\\\"|\\\(|\\\)|\\\[|\\\]|\\\{|\\\}|\\\:|\\)+)(?:\s+|\)|$)" - - multi_value_pattern = r"""\((?P[:a-zA-Z\"\*0-9=+%#\-_\/\\'\,.&^@!\(\[\]\s]+)\)""" - 
multi_value_check_pattern = r"___field___\s*___operator___\s*\(" - - wildcard_symbol = "*" - - operators_map = { - ":": OperatorType.EQ, - } - - def __init__(self): - super().__init__() - self.operators_map.update(super().operators_map) - - @staticmethod - def create_field(field_name: str, operator: Identifier, value: Union[str, List]) -> Field: - field_name = field_name.replace(".text", "") - field_name = field_name.replace(".keyword", "") - return Field(operator=operator, value=value, source_name=field_name) - - @staticmethod - def clean_quotes(value: Union[str, int]): - if isinstance(value, str): - return value.strip('"') - return value - - def get_operator_and_value(self, match: re.Match, operator: str = OperatorType.EQ) -> Tuple[str, Any]: - if (num_value := get_match_group(match, group_name='num_value')) is not None: - return operator, num_value - - elif (re_value := get_match_group(match, group_name='re_value')) is not None: - return OperatorType.REGEX, re_value - - elif (n_q_value := get_match_group(match, group_name='n_q_value')) is not None: - return operator, n_q_value - - elif (d_q_value := get_match_group(match, group_name='d_q_value')) is not None: - return operator, d_q_value - - return super().get_operator_and_value(match) - - def search_value(self, query: str, operator: str, field_name: str) -> Tuple[str, str, Union[str, List[str]]]: - check_pattern = self.multi_value_check_pattern - check_regex = check_pattern.replace('___field___', field_name).replace('___operator___', operator) - if re.match(check_regex, query): - value_pattern = self.multi_value_pattern - is_multi = True - else: - value_pattern = self.value_pattern - is_multi = False - - field_value_pattern = self.get_field_value_pattern(operator, field_name) - field_value_pattern = field_value_pattern.replace("___value___", value_pattern) - field_value_regex = re.compile(field_value_pattern, re.IGNORECASE) - field_value_search = re.search(field_value_regex, query) - if field_value_search is 
None: - raise TokenizerGeneralException(error=f"Value couldn't be found in query part: {query}") - - operator, value = self.get_operator_and_value(field_value_search) - value = [self.clean_quotes(v) for v in re.split(r"\s+OR\s+", value)] if is_multi else value - pos = field_value_search.end() - return query[pos:], operator, value - - def search_keyword(self, query: str) -> Tuple[Keyword, str]: - keyword_search = re.search(self.keyword_pattern, query) - _, value = self.get_operator_and_value(keyword_search) - value = value.strip(self.wildcard_symbol) - keyword = Keyword(value=value) - pos = keyword_search.end() - 1 - return keyword, query[pos:] diff --git a/siem-converter/app/converter/backends/opensearch/mapping.py b/siem-converter/app/converter/backends/opensearch/mapping.py deleted file mode 100644 index 7aa6bece..00000000 --- a/siem-converter/app/converter/backends/opensearch/mapping.py +++ /dev/null 
@@ -1,44 +0,0 @@ -from typing import List, Optional - -from app.converter.core.mapping import BasePlatformMappings, LogSourceSignature, SourceMapping, DEFAULT_MAPPING_NAME - - -class OpenSearchLogSourceSignature(LogSourceSignature): - def __init__(self, indices: Optional[List[str]], default_source: dict): - self.indices = set(indices or []) - self._default_source = default_source or {} - - def is_suitable(self, index: List[str]) -> bool: - return set(index).issubset(self.indices) - - def __str__(self) -> str: - return self._default_source.get("index", "") - - -class OpenSearchMappings(BasePlatformMappings): - def prepare_log_source_signature(self, mapping: dict) -> OpenSearchLogSourceSignature: - indices = mapping.get("log_source", {}).get("index") - default_log_source = mapping["default_log_source"] - return OpenSearchLogSourceSignature(indices=indices, default_source=default_log_source) - - def get_suitable_source_mappings(self, field_names: List[str], index: Optional[str]) -> List[SourceMapping]: - suitable_source_mappings = [] - for source_mapping in self._source_mappings.values(): - if source_mapping.source_id == DEFAULT_MAPPING_NAME: - continue - - log_source_signature: OpenSearchLogSourceSignature = source_mapping.log_source_signature - if index and log_source_signature.is_suitable(index=index): - if source_mapping.fields_mapping.is_suitable(field_names): - suitable_source_mappings.append(source_mapping) - else: - if source_mapping.fields_mapping.is_suitable(field_names): - suitable_source_mappings.append(source_mapping) - - if not suitable_source_mappings: - suitable_source_mappings = [self._source_mappings[DEFAULT_MAPPING_NAME]] - - return suitable_source_mappings - - -opensearch_mappings = OpenSearchMappings(platform_dir="opensearch") diff --git a/siem-converter/app/converter/converter.py b/siem-converter/app/converter/converter.py index eb4204d3..87652d46 100644 --- a/siem-converter/app/converter/converter.py 
+++ b/siem-converter/app/converter/converter.py @@ -1,6 +1,6 @@ import logging -from app.converter.backends.roota.parsers.roota import RootAParser +from app.converter.platforms.roota.parsers.roota import RootAParser from app.converter.core.exceptions.core import UnsupportedPlatform from app.converter.core.operator_types.output import SiemContainer from app.converter.managers import RenderManager, ParserManager, render_manager, parser_manager diff --git a/siem-converter/app/converter/core/render.py b/siem-converter/app/converter/core/render.py index e5e2dae9..cf2c97ba 100644 --- a/siem-converter/app/converter/core/render.py +++ b/siem-converter/app/converter/core/render.py @@ -99,7 +99,7 @@ def generate_prefix(self, log_source_signature: LogSourceSignature) -> str: return f"{str(log_source_signature)} {self.and_token}" return "" - def generate_functions(self, functions: list): + def generate_functions(self, functions: list) -> str: return "" def map_field(self, field: Field, source_mapping: SourceMapping) -> List[str]: @@ -147,7 +147,7 @@ def finalize_query(self, meta_info: MetaInfoContainer, source_mapping: SourceMapping = None, not_supported_functions: list = None) -> str: - query = self.query_pattern.format(prefix=prefix, query=query, functions=functions) + query = self.query_pattern.format(prefix=prefix, query=query, functions=functions).strip() if not_supported_functions: rendered_not_supported = self.render_not_supported_functions(not_supported_functions) return query + rendered_not_supported diff --git a/siem-converter/app/converter/managers.py b/siem-converter/app/converter/managers.py index cd5129c0..62bdd435 100644 --- a/siem-converter/app/converter/managers.py +++ b/siem-converter/app/converter/managers.py 
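Review bot: The new `.strip()` in finalize_query runs before `rendered_not_supported` is appended on the `return query + rendered_not_supported` line, so any trailing newline or space that `query_pattern` previously left between the query and the not-supported block is now gone; unless render_not_supported_functions emits its own leading separator (not visible here), the two strings run together. Either strip after the concatenation or record the intent next to the line with `# .strip(): query_pattern presumably leaves stray whitespace when prefix/functions are empty`. In the first hunk, `generate_functions` gains a `-> str` but still no docstring; a one-liner such as `"""Render platform-specific functions; the base render has none and returns ''."""` would explain why the empty string is the default. finalize_query's signature starts and its body continues outside the hunk.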
@@ -1,8 +1,8 @@ from abc import ABC -from app.converter.backends import __ALL_PARSERS as PARSERS -from app.converter.backends import __ALL_RENDERS as RENDERS -from app.converter.backends import __ALL_RENDERS_CTI as RENDERS_CTI +from app.converter.platforms import __ALL_PARSERS as PARSERS +from app.converter.platforms import __ALL_RENDERS as RENDERS +from app.converter.platforms import __ALL_RENDERS_CTI as RENDERS_CTI from app.converter.core.exceptions.core import UnsupportedRootAParser from app.models.translation import ConvertorPlatform diff --git a/siem-converter/app/converter/platforms/__init__.py b/siem-converter/app/converter/platforms/__init__.py new file mode 100644 index 00000000..ea79cde2 --- /dev/null +++ b/siem-converter/app/converter/platforms/__init__.py 
@@ -0,0 +1,122 @@
+from app.converter.platforms.athena.parsers.athena import AthenaParser
+from app.converter.platforms.athena.renders.athena import AthenaQueryRender
+from app.converter.platforms.athena.renders.athena_cti import AthenaCTI
+from app.converter.platforms.carbonblack.renders.carbonblack_cti import CarbonBlackCTI
+from app.converter.platforms.chronicle.parsers.chronicle import ChronicleParser
+from app.converter.platforms.chronicle.parsers.chronicle_rule import ChronicleRuleParser
+from app.converter.platforms.chronicle.renders.chronicle import ChronicleQueryRender
+from app.converter.platforms.chronicle.renders.chronicle_cti import ChronicleQueryCTI
+from app.converter.platforms.chronicle.renders.chronicle_rule import ChronicleSecurityRuleRender
+from app.converter.platforms.crowdstrike.parsers.crowdstrike import CrowdStrikeParser
+from app.converter.platforms.crowdstrike.renders.crowdstrike import CrowdStrikeQueryRender
+from app.converter.platforms.crowdstrike.renders.crowdstrike_cti import CrowdStrikeCTI
+from app.converter.platforms.elasticsearch.parsers.detection_rule import ElasticSearchRuleParser
+from app.converter.platforms.elasticsearch.parsers.elasticsearch import ElasticSearchParser
+from app.converter.platforms.elasticsearch.renders.detection_rule import ElasticSearchRuleRender
+from app.converter.platforms.elasticsearch.renders.elast_alert import ElastAlertRuleRender
+from app.converter.platforms.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender
+from app.converter.platforms.elasticsearch.renders.elasticsearch_cti import ElasticsearchCTI
+from app.converter.platforms.elasticsearch.renders.kibana import KibanaRuleRender
+from app.converter.platforms.elasticsearch.renders.xpack_watcher import XPackWatcherRuleRender
+from app.converter.platforms.fireeye_helix.renders.fireeye_helix_cti import FireeyeHelixCTI
+from app.converter.platforms.graylog.renders.graylog_cti import GraylogCTI
+from app.converter.platforms.logpoint.renders.logpoint_cti import LogpointCTI
+from app.converter.platforms.logscale.parsers.logscale import LogScaleParser
+from app.converter.platforms.logscale.parsers.logscale_alert import LogScaleAlertParser
+from app.converter.platforms.logscale.renders.logscale_cti import LogScaleCTI
+from app.converter.platforms.logscale.renders.logscale import LogScaleQueryRender
+from app.converter.platforms.logscale.renders.logscale_alert import LogScaleAlertRender
+from app.converter.platforms.microsoft.parsers.microsoft_defender import MicrosoftDefenderQueryParser
+from app.converter.platforms.microsoft.parsers.microsoft_sentinel import MicrosoftParser
+from app.converter.platforms.microsoft.parsers.microsoft_sentinel_rule import MicrosoftRuleParser
+from app.converter.platforms.microsoft.renders.microsoft_defender import MicrosoftDefenderQueryRender
+from app.converter.platforms.microsoft.renders.microsoft_defender_cti import MicrosoftDefenderCTI
+from app.converter.platforms.microsoft.renders.microsoft_sentinel import MicrosoftSentinelQueryRender
+from app.converter.platforms.microsoft.renders.microsoft_sentinel_cti import MicrosoftSentinelCTI
+from app.converter.platforms.microsoft.renders.microsoft_sentinel_rule import MicrosoftSentinelRuleRender
+from app.converter.platforms.opensearch.parsers.opensearch import OpenSearchParser
+from app.converter.platforms.opensearch.renders.opensearch import OpenSearchQueryRender
+from app.converter.platforms.opensearch.renders.opensearch_cti import OpenSearchCTI
+from app.converter.platforms.opensearch.renders.opensearch_rule import OpenSearchRuleRender
+from app.converter.platforms.qradar.parsers.qradar import QradarParser
+from app.converter.platforms.qradar.renders.qradar import QradarQueryRender
+from app.converter.platforms.qradar.renders.qradar_cti import QRadarCTI
+from app.converter.platforms.qualys.renders.qualys_cti import QualysCTI
+from app.converter.platforms.rsa_netwitness.renders.rsa_netwitness_cti import RSANetwitnessCTI
+from app.converter.platforms.securonix.renders.securonix_cti import SecuronixCTI
+from app.converter.platforms.sentinel_one.renders.s1_cti import S1EventsCTI
+from app.converter.platforms.sigma.parsers.sigma import SigmaParser
+from app.converter.platforms.sigma.renders.sigma import SigmaRender
+from app.converter.platforms.snowflake.renders.snowflake_cti import SnowflakeCTI
+from app.converter.platforms.splunk.parsers.splunk import SplunkParser
+from app.converter.platforms.splunk.parsers.splunk_alert import SplunkAlertParser
+from app.converter.platforms.splunk.renders.splunk import SplunkQueryRender
+from app.converter.platforms.splunk.renders.splunk_alert import SplunkAlertRender
+from app.converter.platforms.splunk.renders.splunk_cti import SplunkCTI
+from app.converter.platforms.sumo_logic.renders.sumologic_cti import SumologicCTI
+
+__ALL_RENDERS = (
+ SigmaRender(),
+ MicrosoftSentinelQueryRender(),
+ MicrosoftSentinelRuleRender(),
+ MicrosoftDefenderQueryRender(),
+ QradarQueryRender(),
+ CrowdStrikeQueryRender(),
+ SplunkQueryRender(),
+ SplunkAlertRender(),
+ ChronicleQueryRender(),
+ ChronicleSecurityRuleRender(),
+ AthenaQueryRender(),
+ ElasticSearchQueryRender(),
+ LogScaleQueryRender(),
+ LogScaleAlertRender(),
+ ElasticSearchRuleRender(),
+ ElastAlertRuleRender(),
+ KibanaRuleRender(),
+ XPackWatcherRuleRender(),
+ OpenSearchQueryRender(),
+ OpenSearchRuleRender()
+)
+
+__ALL_PARSERS = (
+ AthenaParser(),
+ ChronicleParser(),
+ ChronicleRuleParser(),
+ SplunkParser(),
+ SplunkAlertParser(),
+ SigmaParser(),
+ QradarParser(),
+ MicrosoftParser(),
+ MicrosoftRuleParser(),
+ MicrosoftDefenderQueryParser(),
+ CrowdStrikeParser(),
+ LogScaleParser(),
+ LogScaleAlertParser(),
+ ElasticSearchParser(),
+ ElasticSearchRuleParser(),
+ OpenSearchParser()
+)
+
+
+__ALL_RENDERS_CTI = (
+ MicrosoftSentinelCTI(),
+ MicrosoftDefenderCTI(),
+ QRadarCTI(),
+ SplunkCTI(),
+ ChronicleQueryCTI(),
+ CrowdStrikeCTI(),
+ SumologicCTI(),
+ ElasticsearchCTI(),
+ LogScaleCTI(),
+ OpenSearchCTI(),
+ FireeyeHelixCTI(),
+ CarbonBlackCTI(),
+ GraylogCTI(),
+ LogpointCTI(),
+ QualysCTI(),
+ RSANetwitnessCTI(),
+ S1EventsCTI(),
+ SecuronixCTI(),
+ SnowflakeCTI(),
+ AthenaCTI()
+)
diff --git a/siem-converter/app/converter/backends/athena/__init__.py b/siem-converter/app/converter/platforms/athena/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/athena/__init__.py
rename to siem-converter/app/converter/platforms/athena/__init__.py
diff --git a/siem-converter/app/converter/backends/athena/const.py b/siem-converter/app/converter/platforms/athena/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/athena/const.py
rename to siem-converter/app/converter/platforms/athena/const.py
diff --git a/siem-converter/app/converter/backends/athena/mapping.py b/siem-converter/app/converter/platforms/athena/mapping.py
similarity index 100%
rename from siem-converter/app/converter/backends/athena/mapping.py
rename to siem-converter/app/converter/platforms/athena/mapping.py
diff --git a/siem-converter/app/converter/backends/athena/mappings/__init__.py b/siem-converter/app/converter/platforms/athena/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/athena/mappings/__init__.py
rename to siem-converter/app/converter/platforms/athena/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/athena/mappings/athena_cti.py b/siem-converter/app/converter/platforms/athena/mappings/athena_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/athena/mappings/athena_cti.py
rename to siem-converter/app/converter/platforms/athena/mappings/athena_cti.py
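Review bot: The new `app/converter/platforms/__init__.py` has no module docstring, and it instantiates every parser and render at import time, so a single platform whose import or constructor fails takes the whole package down with it — and, via the `__ALL_PARSERS`/`__ALL_RENDERS`/`__ALL_RENDERS_CTI` imports in managers.py, every conversion. A docstring such as `"""Registry of parser/render singletons consumed by app.converter.managers; instances are created at import time and shared across all requests."""` would record both facts for the next maintainer. Whether any of these classes keep per-instance mutable state that makes sharing across requests unsafe cannot be seen from this hunk.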
diff --git a/siem-converter/app/converter/backends/athena/parsers/__init__.py b/siem-converter/app/converter/platforms/athena/parsers/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/athena/parsers/__init__.py rename to siem-converter/app/converter/platforms/athena/parsers/__init__.py diff --git a/siem-converter/app/converter/backends/athena/parsers/athena.py b/siem-converter/app/converter/platforms/athena/parsers/athena.py similarity index 91% rename from siem-converter/app/converter/backends/athena/parsers/athena.py rename to siem-converter/app/converter/platforms/athena/parsers/athena.py index c95061c5..f1cc04cf 100644 --- a/siem-converter/app/converter/backends/athena/parsers/athena.py +++ b/siem-converter/app/converter/platforms/athena/parsers/athena.py @@ -19,9 +19,9 @@ import re from typing import List, Tuple, Dict, Optional -from app.converter.backends.athena.const import athena_details -from app.converter.backends.athena.mapping import athena_mappings, AthenaMappings -from app.converter.backends.athena.tokenizer import AthenaTokenizer +from app.converter.platforms.athena.const import athena_details +from app.converter.platforms.athena.mapping import athena_mappings, AthenaMappings +from app.converter.platforms.athena.tokenizer import AthenaTokenizer from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.parser import Parser from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer diff --git a/siem-converter/app/converter/backends/athena/renders/__init__.py b/siem-converter/app/converter/platforms/athena/renders/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/athena/renders/__init__.py rename to siem-converter/app/converter/platforms/athena/renders/__init__.py 
diff --git a/siem-converter/app/converter/backends/athena/renders/athena.py b/siem-converter/app/converter/platforms/athena/renders/athena.py similarity index 95% rename from siem-converter/app/converter/backends/athena/renders/athena.py rename to siem-converter/app/converter/platforms/athena/renders/athena.py index 44ebba13..cf9b3dc3 100644 --- a/siem-converter/app/converter/backends/athena/renders/athena.py +++ b/siem-converter/app/converter/platforms/athena/renders/athena.py @@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.athena.const import athena_details -from app.converter.backends.athena.mapping import AthenaMappings, athena_mappings +from app.converter.platforms.athena.const import athena_details +from app.converter.platforms.athena.mapping import AthenaMappings, athena_mappings from app.converter.core.exceptions.render import UnsupportedRenderMethod from app.converter.core.mapping import LogSourceSignature from app.converter.core.models.platform_details import PlatformDetails diff --git a/siem-converter/app/converter/backends/athena/renders/athena_cti.py b/siem-converter/app/converter/platforms/athena/renders/athena_cti.py similarity index 89% rename from siem-converter/app/converter/backends/athena/renders/athena_cti.py rename to siem-converter/app/converter/platforms/athena/renders/athena_cti.py index 45683c2d..f1da0734 100644 --- a/siem-converter/app/converter/backends/athena/renders/athena_cti.py +++ b/siem-converter/app/converter/platforms/athena/renders/athena_cti.py 
@@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.athena.const import athena_details -from app.converter.backends.athena.mappings.athena_cti import DEFAULT_ATHENA_MAPPING +from app.converter.platforms.athena.const import athena_details +from app.converter.platforms.athena.mappings.athena_cti import DEFAULT_ATHENA_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI diff --git a/siem-converter/app/converter/backends/athena/tokenizer.py b/siem-converter/app/converter/platforms/athena/tokenizer.py similarity index 100% rename from siem-converter/app/converter/backends/athena/tokenizer.py rename to siem-converter/app/converter/platforms/athena/tokenizer.py diff --git a/siem-converter/app/converter/backends/carbonblack/__init__.py b/siem-converter/app/converter/platforms/base/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/carbonblack/__init__.py rename to siem-converter/app/converter/platforms/base/__init__.py diff --git a/siem-converter/app/converter/backends/carbonblack/mappings/__init__.py b/siem-converter/app/converter/platforms/base/lucene/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/carbonblack/mappings/__init__.py rename to siem-converter/app/converter/platforms/base/lucene/__init__.py diff --git a/siem-converter/app/converter/backends/elasticsearch/mapping.py b/siem-converter/app/converter/platforms/base/lucene/mapping.py similarity index 75% rename from siem-converter/app/converter/backends/elasticsearch/mapping.py rename to siem-converter/app/converter/platforms/base/lucene/mapping.py index 463c119f..d44700fa 100644 --- a/siem-converter/app/converter/backends/elasticsearch/mapping.py +++ b/siem-converter/app/converter/platforms/base/lucene/mapping.py 
@@ -3,7 +3,7 @@
 from app.converter.core.mapping import BasePlatformMappings, LogSourceSignature, SourceMapping, DEFAULT_MAPPING_NAME
-class ElasticSearchLogSourceSignature(LogSourceSignature):
+class LuceneLogSourceSignature(LogSourceSignature):
 def __init__(self, indices: Optional[List[str]], default_source: dict):
 self.indices = set(indices or [])
 self._default_source = default_source or {}
@@ -15,11 +15,11 @@ def __str__(self) -> str:
 return self._default_source.get("index", "")
-class ElasticSearchMappings(BasePlatformMappings):
- def prepare_log_source_signature(self, mapping: dict) -> ElasticSearchLogSourceSignature:
+class LuceneMappings(BasePlatformMappings):
+ def prepare_log_source_signature(self, mapping: dict) -> LuceneLogSourceSignature:
 indices = mapping.get("log_source", {}).get("index")
 default_log_source = mapping["default_log_source"]
- return ElasticSearchLogSourceSignature(indices=indices, default_source=default_log_source)
+ return LuceneLogSourceSignature(indices=indices, default_source=default_log_source)
 def get_suitable_source_mappings(self, field_names: List[str], index: List[str] = None) -> List[SourceMapping]:
 suitable_source_mappings = []
@@ -27,7 +27,7 @@ def get_suitable_source_mappings(self, field_names: List[str], index: List[str]
 if source_mapping.source_id == DEFAULT_MAPPING_NAME:
 continue
- log_source_signature: ElasticSearchLogSourceSignature = source_mapping.log_source_signature
+ log_source_signature: LuceneLogSourceSignature = source_mapping.log_source_signature
 if index and log_source_signature.is_suitable(index=index):
 if source_mapping.fields_mapping.is_suitable(field_names):
 suitable_source_mappings.append(source_mapping)
@@ -39,6 +39,3 @@ def get_suitable_source_mappings(self, field_names: List[str], index: List[str]
 suitable_source_mappings = [self._source_mappings[DEFAULT_MAPPING_NAME]]
 return suitable_source_mappings
-
-
-elasticsearch_mappings = ElasticSearchMappings(platform_dir="elasticsearch")
diff --git a/siem-converter/app/converter/backends/carbonblack/renders/__init__.py b/siem-converter/app/converter/platforms/base/lucene/parsers/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/carbonblack/renders/__init__.py
rename to siem-converter/app/converter/platforms/base/lucene/parsers/__init__.py
diff --git a/siem-converter/app/converter/backends/opensearch/parsers/opensearch.py b/siem-converter/app/converter/platforms/base/lucene/parsers/lucene.py
similarity index 83%
rename from siem-converter/app/converter/backends/opensearch/parsers/opensearch.py
rename to siem-converter/app/converter/platforms/base/lucene/parsers/lucene.py
index 1293176f..52ea134e 100644
--- a/siem-converter/app/converter/backends/opensearch/parsers/opensearch.py
+++ b/siem-converter/app/converter/platforms/base/lucene/parsers/lucene.py
@@ -19,18 +19,13 @@
 import re
 from typing import List, Tuple, Dict
-from app.converter.backends.opensearch.const import opensearch_query_details
-from app.converter.backends.opensearch.mapping import OpenSearchMappings, opensearch_mappings
-from app.converter.backends.opensearch.tokenizer import OpenSearchTokenizer
-from app.converter.core.models.platform_details import PlatformDetails
+from app.converter.platforms.base.lucene.tokenizer import LuceneTokenizer
 from app.converter.core.parser import Parser
 from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer
-class OpenSearchParser(Parser):
- details: PlatformDetails = opensearch_query_details
- mappings: OpenSearchMappings = opensearch_mappings
- tokenizer = OpenSearchTokenizer()
+class LuceneParser(Parser):
+ tokenizer = LuceneTokenizer()
 log_source_pattern = r"___source_type___\s*(?:[:=])\s*(?:\"?(?P[%a-zA-Z_*:0-9\-/]+)\"|(?P[%a-zA-Z_*:0-9\-/]+))(?:\s+(?:and|or)\s+|\s+)?"
 log_source_key_types = ("index", "event\.category")
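Review bot: `LuceneParser` drops the `details` and `mappings` class attributes yet stays a concrete `Parser` subclass, so a platform subclass that forgets to set them, or code that instantiates the base directly, fails with an `AttributeError` at first use instead of a clear message. A class docstring stating the contract would make the intent visible, e.g. `"""Shared Lucene-syntax parser; platform subclasses must define `details` and `mappings`."""`, or the attributes could be kept as bare annotations (`details: PlatformDetails`) so the requirement is in the code. The same gap appears in `LuceneFieldValue`/`LuceneQueryRender` in `base/lucene/renders/lucene.py` and in `SplParser`, `SplFieldValue` and `SplQueryRender` in `base/spl/...`, where `regex_modifier` still reads `self.details.name` on a class that no longer declares `details`. The `LuceneParser` class body continues outside the hunk.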
diff --git a/siem-converter/app/converter/backends/chronicle/__init__.py b/siem-converter/app/converter/platforms/base/lucene/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/chronicle/__init__.py
rename to siem-converter/app/converter/platforms/base/lucene/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/elasticsearch/renders/elasticsearch.py b/siem-converter/app/converter/platforms/base/lucene/renders/lucene.py
similarity index 74%
rename from siem-converter/app/converter/backends/elasticsearch/renders/elasticsearch.py
rename to siem-converter/app/converter/platforms/base/lucene/renders/lucene.py
index d91aa991..3f73d180 100644
--- a/siem-converter/app/converter/backends/elasticsearch/renders/elasticsearch.py
+++ b/siem-converter/app/converter/platforms/base/lucene/renders/lucene.py
@@ -18,20 +18,13 @@
 """
 from typing import Union
-from app.converter.backends.elasticsearch.const import elasticsearch_lucene_query_details
-from app.converter.backends.elasticsearch.mapping import ElasticSearchMappings, elasticsearch_mappings
-from app.converter.core.models.platform_details import PlatformDetails
-from app.converter.core.render import BaseQueryRender, BaseQueryFieldValue
+from app.converter.core.render import BaseQueryRender
+from app.converter.core.render import BaseQueryFieldValue
-class ElasticSearchFieldValue(BaseQueryFieldValue):
- details: PlatformDetails = elasticsearch_lucene_query_details
+class LuceneFieldValue(BaseQueryFieldValue):
 def apply_value(self, value: Union[str, int]):
- if isinstance(value, int):
- return value
- if " " in value:
- return f'"{value}"'.replace(" ", r"\ ")
 return value
 def equal_modifier(self, field, value):
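Review bot: `LuceneFieldValue.apply_value` no longer quotes or escapes values that contain spaces, so a value such as `foo bar` is rendered as two bare terms and the resulting Lucene query matches on either token rather than the phrase; for a detection rule that silently widens what it matches. If the phrase handling is meant to move into a platform-specific subclass, that subclass is not in this diff; otherwise the base should keep it, e.g. `if isinstance(value, str) and " " in value: return f'"{value}"'.replace(" ", r"\ ")` ahead of the final `return value`. Either way `apply_value` now deserves a docstring stating whether the caller is expected to hand over an already-escaped value.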
@@ -72,22 +65,17 @@ def keywords(self, field, value):
 return self.apply_value(f"*{value}*")
-class ElasticSearchQueryRender(BaseQueryRender):
- details: PlatformDetails = elasticsearch_lucene_query_details
- mappings: ElasticSearchMappings = elasticsearch_mappings
+class LuceneQueryRender(BaseQueryRender):
 or_token = "OR"
 and_token = "AND"
 not_token = "NOT"
- field_value_map = ElasticSearchFieldValue(or_token=or_token)
 query_pattern = "{query} {functions}"
+ comment_symbol = "//"
 is_multi_line_comment = True
 def generate_prefix(self, logsource: dict) -> str:
 return ""
- def generate_functions(self, functions: list) -> str:
- return ""
-
diff --git a/siem-converter/app/converter/backends/opensearch/tokenizer.py b/siem-converter/app/converter/platforms/base/lucene/tokenizer.py
similarity index 97%
rename from siem-converter/app/converter/backends/opensearch/tokenizer.py
rename to siem-converter/app/converter/platforms/base/lucene/tokenizer.py
index a9f0d795..3afd2316 100644
--- a/siem-converter/app/converter/backends/opensearch/tokenizer.py
+++ b/siem-converter/app/converter/platforms/base/lucene/tokenizer.py
@@ -15,8 +15,8 @@
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 -----------------------------------------------------------------
 """
-
 import re
+
 from typing import Tuple, Union, List, Any
 from app.converter.core.exceptions.parser import TokenizerGeneralException
@@ -27,7 +27,7 @@
 from app.converter.tools.utils import get_match_group
-class OpenSearchTokenizer(QueryTokenizer):
+class LuceneTokenizer(QueryTokenizer):
 field_pattern = r"(?P[a-zA-Z\.\-_]+)"
 match_operator_pattern = r"(?:___field___\s*(?P:))\s*"
@@ -60,7 +60,7 @@ def create_field(field_name: str, operator: Identifier, value: Union[str, List])
 @staticmethod
 def clean_quotes(value: Union[str, int]):
 if isinstance(value, str):
- return value.strip('"')
+ return value.strip('"') if value.startswith('"') and value.endswith('"') else value
 return value
 def get_operator_and_value(self, match: re.Match, operator: str = OperatorType.EQ) -> Tuple[str, Any]:
diff --git a/siem-converter/app/converter/backends/chronicle/mappings/__init__.py b/siem-converter/app/converter/platforms/base/spl/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/chronicle/mappings/__init__.py
rename to siem-converter/app/converter/platforms/base/spl/__init__.py
diff --git a/siem-converter/app/converter/backends/chronicle/parsers/__init__.py b/siem-converter/app/converter/platforms/base/spl/parsers/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/chronicle/parsers/__init__.py
rename to siem-converter/app/converter/platforms/base/spl/parsers/__init__.py
diff --git a/siem-converter/app/converter/backends/splunk/parsers/splunk.py b/siem-converter/app/converter/platforms/base/spl/parsers/spl.py
similarity index 85%
rename from siem-converter/app/converter/backends/splunk/parsers/splunk.py
rename to siem-converter/app/converter/platforms/base/spl/parsers/spl.py
index f1cd16ad..6d5afc62 100644
--- a/siem-converter/app/converter/backends/splunk/parsers/splunk.py
+++ b/siem-converter/app/converter/platforms/base/spl/parsers/spl.py
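Review bot: The new `clean_quotes` guard still falls through to `strip('"')`, which removes every leading and trailing quote character, so a value like `""x""` becomes `x` and a lone `"` (which passes both `startswith` and `endswith`) becomes an empty string. If the intent is to remove exactly one surrounding pair, `return value[1:-1] if len(value) >= 2 and value.startswith('"') and value.endswith('"') else value` does that and leaves doubled or dangling quotes for the caller to reject. A one-line docstring, `"""Strip one pair of surrounding double quotes from a string token; non-strings pass through."""`, would pin the contract. `clean_quotes` fits inside the hunk; `get_operator_and_value` continues outside it.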
@@ -19,25 +19,19 @@
 import re
 from typing import Tuple, List, Dict, Optional
-from app.converter.backends.splunk.const import splunk_query_details
-from app.converter.backends.splunk.mapping import SplunkMappings, splunk_mappings
-from app.converter.backends.splunk.siem_functions import SplunkFunctions
-from app.converter.backends.splunk.tokenizer import SplunkTokenizer
+from app.converter.platforms.base.spl.tokenizer import SplTokenizer
 from app.converter.core.models.functions.types import ParsedFunctions
-from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.parser import Parser
 from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer
-class SplunkParser(Parser):
- details: PlatformDetails = splunk_query_details
- siem_functions = SplunkFunctions()
+class SplParser(Parser):
+ siem_functions = None
 log_source_pattern = r"___source_type___\s*=\s*(?:\"(?P[%a-zA-Z_*:0-9\-/]+)\"|(?P[%a-zA-Z_*:0-9\-/]+))(?:\s+(?:and|or)\s+|\s+)?"
 log_source_key_types = ("index", "source", "sourcetype", "sourcecategory")
- mappings: SplunkMappings = splunk_mappings
- tokenizer = SplunkTokenizer()
+ tokenizer = SplTokenizer()
 def _parse_log_sources(self, query: str) -> Tuple[Dict[str, List[str]], str]:
 log_sources = {}
diff --git a/siem-converter/app/converter/backends/chronicle/renders/__init__.py b/siem-converter/app/converter/platforms/base/spl/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/chronicle/renders/__init__.py
rename to siem-converter/app/converter/platforms/base/spl/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/splunk/renders/splunk.py b/siem-converter/app/converter/platforms/base/spl/renders/spl.py
similarity index 80%
rename from siem-converter/app/converter/backends/splunk/renders/splunk.py
rename to siem-converter/app/converter/platforms/base/spl/renders/spl.py
index ae3414f5..b9dafb54 100644
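Review bot: `siem_functions = None` replaces the former `SplunkFunctions()` instance with a placeholder, so any path in `SplParser` that calls through `self.siem_functions` (the retained `ParsedFunctions` import suggests one exists beyond this hunk) will raise `AttributeError` on `NoneType` for a subclass that does not override it, and `CrowdStrikeParser` in this same diff does not. Either document the attribute as a subclass obligation, `siem_functions = None  # platform subclasses must provide their functions parser`, or guard the call site with `if self.siem_functions is not None`. The class body continues outside the hunk.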
--- a/siem-converter/app/converter/backends/splunk/renders/splunk.py
+++ b/siem-converter/app/converter/platforms/base/spl/renders/spl.py
@@ -17,15 +17,11 @@
 -----------------------------------------------------------------
 """
-from app.converter.backends.splunk.const import splunk_query_details
-from app.converter.backends.splunk.mapping import SplunkMappings, splunk_mappings
 from app.converter.core.exceptions.render import UnsupportedRenderMethod
-from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.render import BaseQueryRender, BaseQueryFieldValue
-class SplunkFieldValue(BaseQueryFieldValue):
- details: PlatformDetails = splunk_query_details
+class SplFieldValue(BaseQueryFieldValue):
 def equal_modifier(self, field, value):
 if isinstance(value, list):
@@ -56,20 +52,14 @@ def regex_modifier(self, field, value):
 raise UnsupportedRenderMethod(platform_name=self.details.name, method="Regex Expression")
-class SplunkQueryRender(BaseQueryRender):
- details: PlatformDetails = splunk_query_details
+class SplQueryRender(BaseQueryRender):
 or_token = "OR"
 and_token = "AND"
 not_token = "NOT"
- field_value_map = SplunkFieldValue(or_token=or_token)
 query_pattern = "{prefix} {query} {functions}"
 comment_symbol = '```'
- mappings: SplunkMappings = splunk_mappings
-
- def generate_functions(self, functions: list):
- return ""
 def wrap_with_comment(self, value: str) -> str:
 return f"{self.comment_symbol} {value} {self.comment_symbol}"
diff --git a/siem-converter/app/converter/backends/splunk/tokenizer.py b/siem-converter/app/converter/platforms/base/spl/tokenizer.py
similarity index 98%
rename from siem-converter/app/converter/backends/splunk/tokenizer.py
rename to siem-converter/app/converter/platforms/base/spl/tokenizer.py
index 82b07649..fc920181 100644
--- a/siem-converter/app/converter/backends/splunk/tokenizer.py
+++ b/siem-converter/app/converter/platforms/base/spl/tokenizer.py
@@ -24,7 +24,7 @@
 from app.converter.tools.utils import get_match_group
-class SplunkTokenizer(QueryTokenizer):
+class SplTokenizer(QueryTokenizer):
 field_pattern = r"(?P[a-zA-Z\.\-_\{\}]+)"
 num_value_pattern = r"(?P\d+(?:\.\d+)*)\s*"
 double_quotes_value_pattern = r'"(?P(?:[:a-zA-Z\*0-9=+%#\-_/,;\'\.$&^@!\(\)\{\}\s]|\\\"|\\)*)"\s*'
diff --git a/siem-converter/app/converter/backends/crowdstrike/__init__.py b/siem-converter/app/converter/platforms/carbonblack/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/crowdstrike/__init__.py
rename to siem-converter/app/converter/platforms/carbonblack/__init__.py
diff --git a/siem-converter/app/converter/backends/carbonblack/const.py b/siem-converter/app/converter/platforms/carbonblack/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/carbonblack/const.py
rename to siem-converter/app/converter/platforms/carbonblack/const.py
diff --git a/siem-converter/app/converter/backends/crowdstrike/mappings/__init__.py b/siem-converter/app/converter/platforms/carbonblack/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/crowdstrike/mappings/__init__.py
rename to siem-converter/app/converter/platforms/carbonblack/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/carbonblack/mappings/carbonblack_cti.py b/siem-converter/app/converter/platforms/carbonblack/mappings/carbonblack_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/carbonblack/mappings/carbonblack_cti.py
rename to siem-converter/app/converter/platforms/carbonblack/mappings/carbonblack_cti.py
diff --git a/siem-converter/app/converter/backends/crowdstrike/parsers/__init__.py b/siem-converter/app/converter/platforms/carbonblack/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/crowdstrike/parsers/__init__.py
rename to siem-converter/app/converter/platforms/carbonblack/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/carbonblack/renders/carbonblack_cti.py b/siem-converter/app/converter/platforms/carbonblack/renders/carbonblack_cti.py
similarity index 87%
rename from siem-converter/app/converter/backends/carbonblack/renders/carbonblack_cti.py
rename to siem-converter/app/converter/platforms/carbonblack/renders/carbonblack_cti.py
index 01781f78..97db6d54 100644
--- a/siem-converter/app/converter/backends/carbonblack/renders/carbonblack_cti.py
+++ b/siem-converter/app/converter/platforms/carbonblack/renders/carbonblack_cti.py
@@ -17,8 +17,8 @@
 -----------------------------------------------------------------
 """
-from app.converter.backends.carbonblack.const import CARBON_BLACK_QUERY_DETAILS
-from app.converter.backends.carbonblack.mappings.carbonblack_cti import DEFAULT_CARBONBLACK_MAPPING
+from app.converter.platforms.carbonblack.const import CARBON_BLACK_QUERY_DETAILS
+from app.converter.platforms.carbonblack.mappings.carbonblack_cti import DEFAULT_CARBONBLACK_MAPPING
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.render_cti import RenderCTI
diff --git a/siem-converter/app/converter/backends/crowdstrike/renders/__init__.py b/siem-converter/app/converter/platforms/chronicle/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/crowdstrike/renders/__init__.py
rename to siem-converter/app/converter/platforms/chronicle/__init__.py
diff --git a/siem-converter/app/converter/backends/chronicle/const.py b/siem-converter/app/converter/platforms/chronicle/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/chronicle/const.py
rename to siem-converter/app/converter/platforms/chronicle/const.py
diff --git a/siem-converter/app/converter/backends/chronicle/mapping.py b/siem-converter/app/converter/platforms/chronicle/mapping.py
similarity index 100%
rename from siem-converter/app/converter/backends/chronicle/mapping.py
rename to siem-converter/app/converter/platforms/chronicle/mapping.py
diff --git a/siem-converter/app/converter/backends/elasticsearch/__init__.py b/siem-converter/app/converter/platforms/chronicle/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/elasticsearch/__init__.py
rename to siem-converter/app/converter/platforms/chronicle/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/chronicle/mappings/chronicle_cti.py b/siem-converter/app/converter/platforms/chronicle/mappings/chronicle_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/chronicle/mappings/chronicle_cti.py
rename to siem-converter/app/converter/platforms/chronicle/mappings/chronicle_cti.py
diff --git a/siem-converter/app/converter/backends/elasticsearch/mappings/__init__.py b/siem-converter/app/converter/platforms/chronicle/parsers/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/elasticsearch/mappings/__init__.py
rename to siem-converter/app/converter/platforms/chronicle/parsers/__init__.py
diff --git a/siem-converter/app/converter/backends/chronicle/parsers/chronicle.py b/siem-converter/app/converter/platforms/chronicle/parsers/chronicle.py
similarity index 86%
rename from siem-converter/app/converter/backends/chronicle/parsers/chronicle.py
rename to siem-converter/app/converter/platforms/chronicle/parsers/chronicle.py
index c4c83cb4..97e0183a 100644
--- a/siem-converter/app/converter/backends/chronicle/parsers/chronicle.py
+++ b/siem-converter/app/converter/platforms/chronicle/parsers/chronicle.py
@@ -18,9 +18,9 @@
 from typing import List
-from app.converter.backends.chronicle.const import chronicle_query_details
-from app.converter.backends.chronicle.mapping import chronicle_mappings, ChronicleMappings
-from app.converter.backends.chronicle.tokenizer import ChronicleQueryTokenizer
+from app.converter.platforms.chronicle.const import chronicle_query_details
+from app.converter.platforms.chronicle.mapping import chronicle_mappings, ChronicleMappings
+from app.converter.platforms.chronicle.tokenizer import ChronicleQueryTokenizer
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.parser import Parser
 from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer
diff --git a/siem-converter/app/converter/backends/chronicle/parsers/chronicle_rule.py b/siem-converter/app/converter/platforms/chronicle/parsers/chronicle_rule.py
similarity index 94%
rename from siem-converter/app/converter/backends/chronicle/parsers/chronicle_rule.py
rename to siem-converter/app/converter/platforms/chronicle/parsers/chronicle_rule.py
index 9bc8ee1e..36c2fd38 100644
--- a/siem-converter/app/converter/backends/chronicle/parsers/chronicle_rule.py
+++ b/siem-converter/app/converter/platforms/chronicle/parsers/chronicle_rule.py
@@ -19,9 +19,9 @@
 import re
 from typing import List, Dict
-from app.converter.backends.chronicle.const import chronicle_rule_details
-from app.converter.backends.chronicle.mapping import ChronicleMappings, chronicle_mappings
-from app.converter.backends.chronicle.tokenizer import ChronicleRuleTokenizer
+from app.converter.platforms.chronicle.const import chronicle_rule_details
+from app.converter.platforms.chronicle.mapping import ChronicleMappings, chronicle_mappings
+from app.converter.platforms.chronicle.tokenizer import ChronicleRuleTokenizer
 from app.converter.core.exceptions.parser import TokenizerGeneralException
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.parser import Parser
diff --git a/siem-converter/app/converter/backends/elasticsearch/parsers/__init__.py b/siem-converter/app/converter/platforms/chronicle/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/elasticsearch/parsers/__init__.py
rename to siem-converter/app/converter/platforms/chronicle/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/chronicle/renders/chronicle.py b/siem-converter/app/converter/platforms/chronicle/renders/chronicle.py
similarity index 94%
rename from siem-converter/app/converter/backends/chronicle/renders/chronicle.py
rename to siem-converter/app/converter/platforms/chronicle/renders/chronicle.py
index d16127ce..d3c3b9dc 100644
--- a/siem-converter/app/converter/backends/chronicle/renders/chronicle.py
+++ b/siem-converter/app/converter/platforms/chronicle/renders/chronicle.py
@@ -17,8 +17,8 @@
 -----------------------------------------------------------------
 """
-from app.converter.backends.chronicle.const import chronicle_query_details
-from app.converter.backends.chronicle.mapping import ChronicleMappings, chronicle_mappings
+from app.converter.platforms.chronicle.const import chronicle_query_details
+from app.converter.platforms.chronicle.mapping import ChronicleMappings, chronicle_mappings
 from app.converter.core.exceptions.render import UnsupportedRenderMethod
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.render import BaseQueryRender, BaseQueryFieldValue
diff --git a/siem-converter/app/converter/backends/chronicle/renders/chronicle_cti.py b/siem-converter/app/converter/platforms/chronicle/renders/chronicle_cti.py
similarity index 88%
rename from siem-converter/app/converter/backends/chronicle/renders/chronicle_cti.py
rename to siem-converter/app/converter/platforms/chronicle/renders/chronicle_cti.py
index d61777d8..0a4ada79 100644
--- a/siem-converter/app/converter/backends/chronicle/renders/chronicle_cti.py
+++ b/siem-converter/app/converter/platforms/chronicle/renders/chronicle_cti.py
@@ -17,8 +17,8 @@
 -----------------------------------------------------------------
 """
-from app.converter.backends.chronicle.const import chronicle_query_details
-from app.converter.backends.chronicle.mappings.chronicle_cti import DEFAULT_CHRONICLE_MAPPING
+from app.converter.platforms.chronicle.const import chronicle_query_details
+from app.converter.platforms.chronicle.mappings.chronicle_cti import DEFAULT_CHRONICLE_MAPPING
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.render_cti import RenderCTI
diff --git a/siem-converter/app/converter/backends/chronicle/renders/chronicle_rule.py b/siem-converter/app/converter/platforms/chronicle/renders/chronicle_rule.py
similarity index 95%
rename from siem-converter/app/converter/backends/chronicle/renders/chronicle_rule.py
rename to siem-converter/app/converter/platforms/chronicle/renders/chronicle_rule.py
index b46cac1a..6a1c27b6 100644
--- a/siem-converter/app/converter/backends/chronicle/renders/chronicle_rule.py
+++ b/siem-converter/app/converter/platforms/chronicle/renders/chronicle_rule.py
@@ -19,8 +19,8 @@
 import re
-from app.converter.backends.chronicle.renders.chronicle import ChronicleFieldValue, ChronicleQueryRender
-from app.converter.backends.chronicle.const import DEFAULT_CHRONICLE_SECURITY_RULE, chronicle_rule_details
+from app.converter.platforms.chronicle.renders.chronicle import ChronicleFieldValue, ChronicleQueryRender
+from app.converter.platforms.chronicle.const import DEFAULT_CHRONICLE_SECURITY_RULE, chronicle_rule_details
 from app.converter.core.mapping import SourceMapping
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.operator_types.output import MetaInfoContainer
diff --git a/siem-converter/app/converter/backends/chronicle/tokenizer.py b/siem-converter/app/converter/platforms/chronicle/tokenizer.py
similarity index 100%
rename from siem-converter/app/converter/backends/chronicle/tokenizer.py
rename to siem-converter/app/converter/platforms/chronicle/tokenizer.py
diff --git a/siem-converter/app/converter/backends/elasticsearch/renders/__init__.py b/siem-converter/app/converter/platforms/crowdstrike/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/elasticsearch/renders/__init__.py
rename to siem-converter/app/converter/platforms/crowdstrike/__init__.py
diff --git a/siem-converter/app/converter/backends/crowdstrike/const.py b/siem-converter/app/converter/platforms/crowdstrike/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/crowdstrike/const.py
rename to siem-converter/app/converter/platforms/crowdstrike/const.py
diff --git a/siem-converter/app/converter/backends/crowdstrike/mapping.py b/siem-converter/app/converter/platforms/crowdstrike/mapping.py
similarity index 100%
rename from siem-converter/app/converter/backends/crowdstrike/mapping.py
rename to siem-converter/app/converter/platforms/crowdstrike/mapping.py
diff --git a/siem-converter/app/converter/backends/fireeye_helix/__init__.py b/siem-converter/app/converter/platforms/crowdstrike/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/fireeye_helix/__init__.py
rename to siem-converter/app/converter/platforms/crowdstrike/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/crowdstrike/mappings/crowdstrike_cti.py b/siem-converter/app/converter/platforms/crowdstrike/mappings/crowdstrike_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/crowdstrike/mappings/crowdstrike_cti.py
rename to siem-converter/app/converter/platforms/crowdstrike/mappings/crowdstrike_cti.py
diff --git a/siem-converter/app/converter/backends/fireeye_helix/mappings/__init__.py b/siem-converter/app/converter/platforms/crowdstrike/parsers/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/fireeye_helix/mappings/__init__.py
rename to siem-converter/app/converter/platforms/crowdstrike/parsers/__init__.py
diff --git a/siem-converter/app/converter/backends/crowdstrike/parsers/crowdstrike.py b/siem-converter/app/converter/platforms/crowdstrike/parsers/crowdstrike.py
similarity index 73%
rename from siem-converter/app/converter/backends/crowdstrike/parsers/crowdstrike.py
rename to siem-converter/app/converter/platforms/crowdstrike/parsers/crowdstrike.py
index e54a32bc..0c13b434 100644
--- a/siem-converter/app/converter/backends/crowdstrike/parsers/crowdstrike.py
+++ b/siem-converter/app/converter/platforms/crowdstrike/parsers/crowdstrike.py
@@ -15,19 +15,16 @@
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 -----------------------------------------------------------------
 """
-
-from app.converter.backends.crowdstrike.const import crowdstrike_query_details
-from app.converter.backends.crowdstrike.mapping import CrowdstrikeMappings, crowdstrike_mappings
-from app.converter.backends.crowdstrike.tokenizer import CrowdStrikeTokenizer
-from app.converter.backends.splunk.parsers.splunk import SplunkParser
+from app.converter.platforms.base.spl.parsers.spl import SplParser
+from app.converter.platforms.crowdstrike.const import crowdstrike_query_details
+from app.converter.platforms.crowdstrike.mapping import CrowdstrikeMappings, crowdstrike_mappings
 from app.converter.core.models.platform_details import PlatformDetails
-class CrowdStrikeParser(SplunkParser):
+class CrowdStrikeParser(SplParser):
 details: PlatformDetails = crowdstrike_query_details
 log_source_pattern = r"___source_type___\s*=\s*(?:\"(?P[%a-zA-Z_*:0-9\-/]+)\"|(?P[%a-zA-Z_*:0-9\-/]+))(?:\s+(?:and|or)\s+|\s+)?"
 log_source_key_types = ("event_simpleName",)
 mappings: CrowdstrikeMappings = crowdstrike_mappings
- tokenizer = CrowdStrikeTokenizer()
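Review bot: `CrowdStrikeParser` silently switches from its own `CrowdStrikeTokenizer` to the `SplTokenizer` inherited from `SplParser`, and the old tokenizer import is gone; if the removed tokenizer carried CrowdStrike-specific field or value patterns (not visible in this diff), queries that used to tokenize will now go through the generic SPL patterns and may be rejected or split differently. A one-line comment on the class, `# tokenizer: inherited SplTokenizer; CrowdStrike query syntax is treated as plain SPL`, would record that the change is deliberate so nobody re-adds the attribute by reflex. As far as this hunk shows the class also inherits `siem_functions = None` from `SplParser` without overriding it.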
diff --git a/siem-converter/app/converter/backends/fireeye_helix/renders/__init__.py b/siem-converter/app/converter/platforms/crowdstrike/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/fireeye_helix/renders/__init__.py
rename to siem-converter/app/converter/platforms/crowdstrike/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/crowdstrike/renders/crowdstrike.py b/siem-converter/app/converter/platforms/crowdstrike/renders/crowdstrike.py
similarity index 75%
rename from siem-converter/app/converter/backends/crowdstrike/renders/crowdstrike.py
rename to siem-converter/app/converter/platforms/crowdstrike/renders/crowdstrike.py
index 21eca7b8..67a342fe 100644
--- a/siem-converter/app/converter/backends/crowdstrike/renders/crowdstrike.py
+++ b/siem-converter/app/converter/platforms/crowdstrike/renders/crowdstrike.py
@@ -16,18 +16,17 @@
 limitations under the License.
 -----------------------------------------------------------------
 """
-
-from app.converter.backends.crowdstrike.const import crowdstrike_query_details
-from app.converter.backends.crowdstrike.mapping import CrowdstrikeMappings, crowdstrike_mappings
-from app.converter.backends.splunk.renders.splunk import SplunkQueryRender, SplunkFieldValue
+from app.converter.platforms.base.spl.renders.spl import SplFieldValue, SplQueryRender
+from app.converter.platforms.crowdstrike.const import crowdstrike_query_details
+from app.converter.platforms.crowdstrike.mapping import CrowdstrikeMappings, crowdstrike_mappings
 from app.converter.core.models.platform_details import PlatformDetails
-class CrowdStrikeFieldValue(SplunkFieldValue):
+class CrowdStrikeFieldValue(SplFieldValue):
 details = crowdstrike_query_details
-class CrowdStrikeQueryRender(SplunkQueryRender):
+class CrowdStrikeQueryRender(SplQueryRender):
 details: PlatformDetails = crowdstrike_query_details
 query_pattern = "{prefix} {query} {functions}"
 mappings: CrowdstrikeMappings = crowdstrike_mappings
diff --git a/siem-converter/app/converter/backends/crowdstrike/renders/crowdstrike_cti.py b/siem-converter/app/converter/platforms/crowdstrike/renders/crowdstrike_cti.py
similarity index 87%
rename from siem-converter/app/converter/backends/crowdstrike/renders/crowdstrike_cti.py
rename to siem-converter/app/converter/platforms/crowdstrike/renders/crowdstrike_cti.py
index c6eff99a..dc7f5f8d 100644
--- a/siem-converter/app/converter/backends/crowdstrike/renders/crowdstrike_cti.py
+++ b/siem-converter/app/converter/platforms/crowdstrike/renders/crowdstrike_cti.py
@@ -17,8 +17,8 @@
 -----------------------------------------------------------------
 """
-from app.converter.backends.crowdstrike.const import crowdstrike_query_details
-from app.converter.backends.crowdstrike.mappings.crowdstrike_cti import DEFAULT_CROWDSTRIKE_MAPPING
+from app.converter.platforms.crowdstrike.const import crowdstrike_query_details
+from app.converter.platforms.crowdstrike.mappings.crowdstrike_cti import DEFAULT_CROWDSTRIKE_MAPPING
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.render_cti import RenderCTI
diff --git a/siem-converter/app/converter/backends/graylog/__init__.py b/siem-converter/app/converter/platforms/elasticsearch/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/graylog/__init__.py
rename to siem-converter/app/converter/platforms/elasticsearch/__init__.py
diff --git a/siem-converter/app/converter/backends/elasticsearch/const.py b/siem-converter/app/converter/platforms/elasticsearch/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/elasticsearch/const.py
rename to siem-converter/app/converter/platforms/elasticsearch/const.py
diff --git a/siem-converter/app/converter/platforms/elasticsearch/mapping.py b/siem-converter/app/converter/platforms/elasticsearch/mapping.py
new file mode 100644
index 00000000..4ac3efd6
--- /dev/null
+++ b/siem-converter/app/converter/platforms/elasticsearch/mapping.py
@@ -0,0 +1,8 @@
+from app.converter.platforms.base.lucene.mapping import LuceneMappings
+
+
+class ElasticSearchMappings(LuceneMappings):
+ pass
+
+
+elasticsearch_mappings = ElasticSearchMappings(platform_dir="elasticsearch")
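Review bot: `ElasticSearchMappings` in the new mapping.py has a bare `pass` body and no docstring, so a reader cannot tell why a subclass exists instead of using `LuceneMappings` directly; replacing `pass` with a one-liner such as `"""Lucene field mappings for the elasticsearch platform directory."""` would record the intent. The same applies to `ElasticSearchTokenizer` in the new tokenizer.py later in this diff. The module-level `elasticsearch_mappings = ElasticSearchMappings(platform_dir="elasticsearch")` runs at import time; if `LuceneMappings.__init__` reads mapping files (not visible here), that cost and any file error surface on import of this module, which deserves a comment on that line.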
diff --git a/siem-converter/app/converter/backends/graylog/mappings/__init__.py b/siem-converter/app/converter/platforms/elasticsearch/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/graylog/mappings/__init__.py
rename to siem-converter/app/converter/platforms/elasticsearch/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/elasticsearch/mappings/elasticsearch_cti_cti.py b/siem-converter/app/converter/platforms/elasticsearch/mappings/elasticsearch_cti_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/elasticsearch/mappings/elasticsearch_cti_cti.py
rename to siem-converter/app/converter/platforms/elasticsearch/mappings/elasticsearch_cti_cti.py
diff --git a/siem-converter/app/converter/backends/graylog/renders/__init__.py b/siem-converter/app/converter/platforms/elasticsearch/parsers/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/graylog/renders/__init__.py
rename to siem-converter/app/converter/platforms/elasticsearch/parsers/__init__.py
diff --git a/siem-converter/app/converter/backends/elasticsearch/parsers/detection_rule.py b/siem-converter/app/converter/platforms/elasticsearch/parsers/detection_rule.py
similarity index 92%
rename from siem-converter/app/converter/backends/elasticsearch/parsers/detection_rule.py
rename to siem-converter/app/converter/platforms/elasticsearch/parsers/detection_rule.py
index 4c4ab867..57fdcb5d 100644
--- a/siem-converter/app/converter/backends/elasticsearch/parsers/detection_rule.py
+++ b/siem-converter/app/converter/platforms/elasticsearch/parsers/detection_rule.py
@@ -18,8 +18,8 @@
 from typing import List, Dict
-from app.converter.backends.elasticsearch.const import elasticsearch_rule_details
-from app.converter.backends.elasticsearch.parsers.elasticsearch import ElasticSearchParser
+from app.converter.platforms.elasticsearch.const import elasticsearch_rule_details
+from app.converter.platforms.elasticsearch.parsers.elasticsearch import ElasticSearchParser
 from app.converter.core.mixins.rule import JsonRuleMixin
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer
diff --git a/siem-converter/app/converter/platforms/elasticsearch/parsers/elasticsearch.py b/siem-converter/app/converter/platforms/elasticsearch/parsers/elasticsearch.py
new file mode 100644
index 00000000..9dfa84f6
--- /dev/null
+++ b/siem-converter/app/converter/platforms/elasticsearch/parsers/elasticsearch.py
@@ -0,0 +1,27 @@
+"""
+Uncoder IO Commercial Edition License
+-----------------------------------------------------------------
+Copyright (c) 2023 SOC Prime, Inc.
+
+This file is part of the Uncoder IO Commercial Edition ("CE") and is
+licensed under the Uncoder IO Non-Commercial License (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://github.com/UncoderIO/UncoderIO/blob/main/LICENSE
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-----------------------------------------------------------------
+"""
+
+from app.converter.platforms.base.lucene.parsers.lucene import LuceneParser
+from app.converter.platforms.elasticsearch.const import elasticsearch_lucene_query_details
+from app.converter.platforms.elasticsearch.mapping import ElasticSearchMappings, elasticsearch_mappings
+from app.converter.core.models.platform_details import PlatformDetails
+
+
+class ElasticSearchParser(LuceneParser):
+ details: PlatformDetails = elasticsearch_lucene_query_details
+ mappings: ElasticSearchMappings = elasticsearch_mappings
diff --git a/siem-converter/app/converter/backends/logpoint/__init__.py b/siem-converter/app/converter/platforms/elasticsearch/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/logpoint/__init__.py
rename to siem-converter/app/converter/platforms/elasticsearch/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/elasticsearch/renders/detection_rule.py b/siem-converter/app/converter/platforms/elasticsearch/renders/detection_rule.py
similarity index 89%
rename from siem-converter/app/converter/backends/elasticsearch/renders/detection_rule.py
rename to siem-converter/app/converter/platforms/elasticsearch/renders/detection_rule.py
index 0d7809e8..a38c7c44 100644
--- a/siem-converter/app/converter/backends/elasticsearch/renders/detection_rule.py
+++ b/siem-converter/app/converter/platforms/elasticsearch/renders/detection_rule.py
@@ -20,9 +20,9 @@
 import copy
 import json
-from app.converter.backends.elasticsearch.const import ELASTICSEARCH_DETECTION_RULE, elasticsearch_rule_details
-from app.converter.backends.elasticsearch.mapping import ElasticSearchMappings, elasticsearch_mappings
-from app.converter.backends.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender, ElasticSearchFieldValue
+from app.converter.platforms.elasticsearch.const import ELASTICSEARCH_DETECTION_RULE, elasticsearch_rule_details
+from app.converter.platforms.elasticsearch.mapping import ElasticSearchMappings, elasticsearch_mappings
+from app.converter.platforms.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender, ElasticSearchFieldValue
 from app.converter.core.mapping import SourceMapping
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.operator_types.output import MetaInfoContainer
diff --git a/siem-converter/app/converter/backends/elasticsearch/renders/elast_alert.py b/siem-converter/app/converter/platforms/elasticsearch/renders/elast_alert.py
similarity index 89%
rename from siem-converter/app/converter/backends/elasticsearch/renders/elast_alert.py
rename to siem-converter/app/converter/platforms/elasticsearch/renders/elast_alert.py
index 4ab3d02a..1e02c210 100644
--- a/siem-converter/app/converter/backends/elasticsearch/renders/elast_alert.py
+++ b/siem-converter/app/converter/platforms/elasticsearch/renders/elast_alert.py
@@ -17,9 +17,9 @@
 -----------------------------------------------------------------
 """
-from app.converter.backends.elasticsearch.const import ELASTICSEARCH_ALERT, elastalert_details
-from app.converter.backends.elasticsearch.mapping import ElasticSearchMappings, elasticsearch_mappings
-from app.converter.backends.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender, ElasticSearchFieldValue
+from app.converter.platforms.elasticsearch.const import ELASTICSEARCH_ALERT, elastalert_details
+from app.converter.platforms.elasticsearch.mapping import ElasticSearchMappings, elasticsearch_mappings
+from app.converter.platforms.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender, ElasticSearchFieldValue
 from app.converter.core.mapping import SourceMapping
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.operator_types.output import MetaInfoContainer
diff --git a/siem-converter/app/converter/platforms/elasticsearch/renders/elasticsearch.py b/siem-converter/app/converter/platforms/elasticsearch/renders/elasticsearch.py
new file mode 100644
index 00000000..0d21cc8c
--- /dev/null
+++ b/siem-converter/app/converter/platforms/elasticsearch/renders/elasticsearch.py
@@ -0,0 +1,43 @@
+"""
+Uncoder IO Community Edition License
+-----------------------------------------------------------------
+Copyright (c) 2023 SOC Prime, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-----------------------------------------------------------------
+"""
+from typing import Union
+
+from app.converter.platforms.base.lucene.renders.lucene import LuceneQueryRender, LuceneFieldValue
+from app.converter.platforms.elasticsearch.const import elasticsearch_lucene_query_details
+from app.converter.platforms.elasticsearch.mapping import ElasticSearchMappings, elasticsearch_mappings
+from app.converter.core.models.platform_details import PlatformDetails
+
+
+class ElasticSearchFieldValue(LuceneFieldValue):
+ details: PlatformDetails = elasticsearch_lucene_query_details
+
+ def apply_value(self, value: Union[str, int]):
+ if isinstance(value, int):
+ return value
+ if " " in value:
+ return f'"{value}"'.replace(" ", r"\ ")
+ return value
+
+
+class ElasticSearchQueryRender(LuceneQueryRender):
+ details: PlatformDetails = elasticsearch_lucene_query_details
+ mappings: ElasticSearchMappings = elasticsearch_mappings
+
+ or_token = "OR"
+ field_value_map = ElasticSearchFieldValue(or_token=or_token)
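Review bot: `apply_value` in the new `ElasticSearchFieldValue` never escapes a double quote or backslash that is already inside a string value, so a value containing `"` terminates the quoted phrase early and whatever follows is read by the Lucene query parser as syntax rather than matched literally — the rendered query no longer means what the source rule meant. The fix is to escape before quoting, as the first statement on the `str` path: `value = value.replace("\\", "\\\\").replace('"', '\\"')`. Separately, wrapping the value in `"…"` and also rewriting every space as `\ ` is doubly defensive (a space inside a quoted phrase needs no escape), so a short comment on that line saying which form the target actually relies on would help the next reader. Whether `LuceneFieldValue` already escapes Lucene's other reserved characters before this hook runs is not visible in the hunk; if it does not, they need the same treatment here.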
diff --git a/siem-converter/app/converter/backends/elasticsearch/renders/elasticsearch_cti.py b/siem-converter/app/converter/platforms/elasticsearch/renders/elasticsearch_cti.py
similarity index 86%
rename from siem-converter/app/converter/backends/elasticsearch/renders/elasticsearch_cti.py
rename to siem-converter/app/converter/platforms/elasticsearch/renders/elasticsearch_cti.py
index c2a49b5d..ddee131e 100644
--- a/siem-converter/app/converter/backends/elasticsearch/renders/elasticsearch_cti.py
+++ b/siem-converter/app/converter/platforms/elasticsearch/renders/elasticsearch_cti.py
@@ -17,8 +17,8 @@
 -----------------------------------------------------------------
 """
-from app.converter.backends.elasticsearch.const import elasticsearch_lucene_query_details
-from app.converter.backends.elasticsearch.mappings.elasticsearch_cti_cti import DEFAULT_ELASTICSEARCH_MAPPING
+from app.converter.platforms.elasticsearch.const import elasticsearch_lucene_query_details
+from app.converter.platforms.elasticsearch.mappings.elasticsearch_cti_cti import DEFAULT_ELASTICSEARCH_MAPPING
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.render_cti import RenderCTI
diff --git a/siem-converter/app/converter/backends/elasticsearch/renders/kibana.py b/siem-converter/app/converter/platforms/elasticsearch/renders/kibana.py
similarity index 89%
rename from siem-converter/app/converter/backends/elasticsearch/renders/kibana.py
rename to siem-converter/app/converter/platforms/elasticsearch/renders/kibana.py
index 1b4927ed..2150642b 100644
--- a/siem-converter/app/converter/backends/elasticsearch/renders/kibana.py
+++ b/siem-converter/app/converter/platforms/elasticsearch/renders/kibana.py
@@ -20,9 +20,9 @@
 import copy
 import json
-from app.converter.backends.elasticsearch.const import KIBANA_SEARCH_SOURCE_JSON, KIBANA_RULE, kibana_rule_details
-from app.converter.backends.elasticsearch.mapping import ElasticSearchMappings, elasticsearch_mappings
-from app.converter.backends.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender, ElasticSearchFieldValue
+from app.converter.platforms.elasticsearch.const import KIBANA_SEARCH_SOURCE_JSON, KIBANA_RULE, kibana_rule_details
+from app.converter.platforms.elasticsearch.mapping import ElasticSearchMappings, elasticsearch_mappings
+from app.converter.platforms.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender, ElasticSearchFieldValue
 from app.converter.core.mapping import SourceMapping
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.operator_types.output import MetaInfoContainer
diff --git a/siem-converter/app/converter/backends/elasticsearch/renders/xpack_watcher.py b/siem-converter/app/converter/platforms/elasticsearch/renders/xpack_watcher.py
similarity index 89%
rename from siem-converter/app/converter/backends/elasticsearch/renders/xpack_watcher.py
rename to siem-converter/app/converter/platforms/elasticsearch/renders/xpack_watcher.py
index 13f97e29..0272f471 100644
--- a/siem-converter/app/converter/backends/elasticsearch/renders/xpack_watcher.py
+++ b/siem-converter/app/converter/platforms/elasticsearch/renders/xpack_watcher.py
@@ -20,9 +20,9 @@
 import copy
 import json
-from app.converter.backends.elasticsearch.mapping import ElasticSearchMappings, elasticsearch_mappings
-from app.converter.backends.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender, ElasticSearchFieldValue
-from app.converter.backends.elasticsearch.const import XPACK_WATCHER_RULE, xpack_watcher_details
+from app.converter.platforms.elasticsearch.mapping import ElasticSearchMappings, elasticsearch_mappings
+from app.converter.platforms.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender, ElasticSearchFieldValue
+from app.converter.platforms.elasticsearch.const import XPACK_WATCHER_RULE, xpack_watcher_details
 from app.converter.core.mapping import SourceMapping
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.operator_types.output import MetaInfoContainer
diff --git a/siem-converter/app/converter/platforms/elasticsearch/tokenizer.py b/siem-converter/app/converter/platforms/elasticsearch/tokenizer.py
new file mode 100644
index 00000000..ca070eb4
--- /dev/null
+++ b/siem-converter/app/converter/platforms/elasticsearch/tokenizer.py
@@ -0,0 +1,22 @@
+"""
+Uncoder IO Commercial Edition License
+-----------------------------------------------------------------
+Copyright (c) 2023 SOC Prime, Inc.
+
+This file is part of the Uncoder IO Commercial Edition ("CE") and is
+licensed under the Uncoder IO Non-Commercial License (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://github.com/UncoderIO/UncoderIO/blob/main/LICENSE
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-----------------------------------------------------------------
+"""
+from app.converter.platforms.base.lucene.tokenizer import LuceneTokenizer
+
+
+class ElasticSearchTokenizer(LuceneTokenizer):
+ pass
diff --git a/siem-converter/app/converter/backends/logpoint/mappings/__init__.py b/siem-converter/app/converter/platforms/fireeye_helix/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/logpoint/mappings/__init__.py
rename to siem-converter/app/converter/platforms/fireeye_helix/__init__.py
diff --git a/siem-converter/app/converter/backends/fireeye_helix/const.py b/siem-converter/app/converter/platforms/fireeye_helix/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/fireeye_helix/const.py
rename to siem-converter/app/converter/platforms/fireeye_helix/const.py
diff --git a/siem-converter/app/converter/backends/logpoint/renders/__init__.py b/siem-converter/app/converter/platforms/fireeye_helix/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/logpoint/renders/__init__.py
rename to siem-converter/app/converter/platforms/fireeye_helix/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/fireeye_helix/mappings/fireeye_helix.py b/siem-converter/app/converter/platforms/fireeye_helix/mappings/fireeye_helix.py
similarity index 100%
rename from siem-converter/app/converter/backends/fireeye_helix/mappings/fireeye_helix.py
rename to siem-converter/app/converter/platforms/fireeye_helix/mappings/fireeye_helix.py
diff --git a/siem-converter/app/converter/backends/logscale/__init__.py b/siem-converter/app/converter/platforms/fireeye_helix/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/logscale/__init__.py
rename to siem-converter/app/converter/platforms/fireeye_helix/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/fireeye_helix/renders/fireeye_helix_cti.py b/siem-converter/app/converter/platforms/fireeye_helix/renders/fireeye_helix_cti.py
similarity index 87%
rename from siem-converter/app/converter/backends/fireeye_helix/renders/fireeye_helix_cti.py
rename to siem-converter/app/converter/platforms/fireeye_helix/renders/fireeye_helix_cti.py
index c2212266..79c1cfb1 100644
--- a/siem-converter/app/converter/backends/fireeye_helix/renders/fireeye_helix_cti.py
+++ b/siem-converter/app/converter/platforms/fireeye_helix/renders/fireeye_helix_cti.py
@@ -17,8 +17,8 @@
 -----------------------------------------------------------------
 """
-from app.converter.backends.fireeye_helix.const import FIREEYE_HELIX_QUERY_DETAILS
-from app.converter.backends.fireeye_helix.mappings.fireeye_helix import DEFAULT_FIREEYE_HELIX_MAPPING
+from app.converter.platforms.fireeye_helix.const import FIREEYE_HELIX_QUERY_DETAILS
+from app.converter.platforms.fireeye_helix.mappings.fireeye_helix import DEFAULT_FIREEYE_HELIX_MAPPING
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.render_cti import RenderCTI
diff --git a/siem-converter/app/converter/backends/logscale/mappings/__init__.py b/siem-converter/app/converter/platforms/graylog/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/logscale/mappings/__init__.py
rename to siem-converter/app/converter/platforms/graylog/__init__.py
diff --git a/siem-converter/app/converter/backends/graylog/const.py b/siem-converter/app/converter/platforms/graylog/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/graylog/const.py
rename to siem-converter/app/converter/platforms/graylog/const.py
diff --git a/siem-converter/app/converter/backends/logscale/parsers/__init__.py b/siem-converter/app/converter/platforms/graylog/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/logscale/parsers/__init__.py
rename to siem-converter/app/converter/platforms/graylog/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/graylog/mappings/graylog_cti.py b/siem-converter/app/converter/platforms/graylog/mappings/graylog_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/graylog/mappings/graylog_cti.py
rename to siem-converter/app/converter/platforms/graylog/mappings/graylog_cti.py
diff --git a/siem-converter/app/converter/backends/logscale/renders/__init__.py b/siem-converter/app/converter/platforms/graylog/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/logscale/renders/__init__.py
rename to siem-converter/app/converter/platforms/graylog/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/graylog/renders/graylog_cti.py b/siem-converter/app/converter/platforms/graylog/renders/graylog_cti.py
similarity index 88%
rename from siem-converter/app/converter/backends/graylog/renders/graylog_cti.py
rename to siem-converter/app/converter/platforms/graylog/renders/graylog_cti.py
index 870ace46..97100e9f 100644
--- a/siem-converter/app/converter/backends/graylog/renders/graylog_cti.py
+++ b/siem-converter/app/converter/platforms/graylog/renders/graylog_cti.py
@@ -17,8 +17,8 @@
 -----------------------------------------------------------------
 """
-from app.converter.backends.graylog.const import GRAYLOG_QUERY_DETAILS
-from app.converter.backends.graylog.mappings.graylog_cti import DEFAULT_GRAYLOG_MAPPING
+from app.converter.platforms.graylog.const import GRAYLOG_QUERY_DETAILS
+from app.converter.platforms.graylog.mappings.graylog_cti import DEFAULT_GRAYLOG_MAPPING
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.render_cti import RenderCTI
diff --git a/siem-converter/app/converter/backends/microsoft/__init__.py b/siem-converter/app/converter/platforms/logpoint/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/microsoft/__init__.py
rename to siem-converter/app/converter/platforms/logpoint/__init__.py
diff --git a/siem-converter/app/converter/backends/logpoint/const.py b/siem-converter/app/converter/platforms/logpoint/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/logpoint/const.py
rename to siem-converter/app/converter/platforms/logpoint/const.py
diff --git a/siem-converter/app/converter/backends/microsoft/mappings/__init__.py b/siem-converter/app/converter/platforms/logpoint/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/microsoft/mappings/__init__.py
rename to siem-converter/app/converter/platforms/logpoint/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/logpoint/mappings/logpoint_cti.py b/siem-converter/app/converter/platforms/logpoint/mappings/logpoint_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/logpoint/mappings/logpoint_cti.py
rename to siem-converter/app/converter/platforms/logpoint/mappings/logpoint_cti.py
diff --git a/siem-converter/app/converter/backends/microsoft/parsers/__init__.py b/siem-converter/app/converter/platforms/logpoint/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/microsoft/parsers/__init__.py
rename to siem-converter/app/converter/platforms/logpoint/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/logpoint/renders/logpoint_cti.py b/siem-converter/app/converter/platforms/logpoint/renders/logpoint_cti.py
similarity index 88%
rename from siem-converter/app/converter/backends/logpoint/renders/logpoint_cti.py
rename to siem-converter/app/converter/platforms/logpoint/renders/logpoint_cti.py
index cef1954b..389844fe 100644
--- a/siem-converter/app/converter/backends/logpoint/renders/logpoint_cti.py
+++ b/siem-converter/app/converter/platforms/logpoint/renders/logpoint_cti.py
@@ -17,8 +17,8 @@
 -----------------------------------------------------------------
 """
-from app.converter.backends.logpoint.const import LOGPOINT_QUERY_DETAILS
-from app.converter.backends.logpoint.mappings.logpoint_cti import DEFAULT_LOGPOINT_MAPPING
+from app.converter.platforms.logpoint.const import LOGPOINT_QUERY_DETAILS
+from app.converter.platforms.logpoint.mappings.logpoint_cti import DEFAULT_LOGPOINT_MAPPING
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.render_cti import RenderCTI
diff --git a/siem-converter/app/converter/backends/microsoft/renders/__init__.py b/siem-converter/app/converter/platforms/logscale/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/microsoft/renders/__init__.py
rename to siem-converter/app/converter/platforms/logscale/__init__.py
diff --git a/siem-converter/app/converter/backends/logscale/const.py b/siem-converter/app/converter/platforms/logscale/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/logscale/const.py
rename to siem-converter/app/converter/platforms/logscale/const.py
diff --git a/siem-converter/app/converter/backends/logscale/mapping.py b/siem-converter/app/converter/platforms/logscale/mapping.py
similarity index 100%
rename from siem-converter/app/converter/backends/logscale/mapping.py
rename to siem-converter/app/converter/platforms/logscale/mapping.py
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/__init__.py b/siem-converter/app/converter/platforms/logscale/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/microsoft/siem_functions/__init__.py
rename to siem-converter/app/converter/platforms/logscale/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/logscale/mappings/logscale_cti.py b/siem-converter/app/converter/platforms/logscale/mappings/logscale_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/logscale/mappings/logscale_cti.py
rename to siem-converter/app/converter/platforms/logscale/mappings/logscale_cti.py
diff --git a/siem-converter/app/converter/backends/opensearch/__init__.py b/siem-converter/app/converter/platforms/logscale/parsers/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/opensearch/__init__.py
rename to siem-converter/app/converter/platforms/logscale/parsers/__init__.py
diff --git a/siem-converter/app/converter/backends/logscale/parsers/logscale.py b/siem-converter/app/converter/platforms/logscale/parsers/logscale.py
similarity index 86%
rename from siem-converter/app/converter/backends/logscale/parsers/logscale.py
rename to siem-converter/app/converter/platforms/logscale/parsers/logscale.py
index 32d6ccae..13fa877f 100644
--- a/siem-converter/app/converter/backends/logscale/parsers/logscale.py
+++ b/siem-converter/app/converter/platforms/logscale/parsers/logscale.py
@@ -18,11 +18,11 @@
 from typing import Tuple, List
-from app.converter.backends.logscale.const import logscale_query_details
-from app.converter.backends.logscale.mapping import logscale_mappings, LogScaleMappings
-from app.converter.backends.logscale.siem_functions import LogScaleQueryFunctions
+from app.converter.platforms.logscale.const import logscale_query_details
+from app.converter.platforms.logscale.mapping import logscale_mappings, LogScaleMappings
+from app.converter.platforms.logscale.siem_functions import LogScaleQueryFunctions
 from app.converter.core.models.functions.types import ParsedFunctions
-from app.converter.backends.logscale.tokenizer import LogScaleTokenizer
+from app.converter.platforms.logscale.tokenizer import LogScaleTokenizer
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.parser import Parser
 from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer
diff --git a/siem-converter/app/converter/backends/logscale/parsers/logscale_alert.py b/siem-converter/app/converter/platforms/logscale/parsers/logscale_alert.py
similarity index 93%
rename from siem-converter/app/converter/backends/logscale/parsers/logscale_alert.py
rename to siem-converter/app/converter/platforms/logscale/parsers/logscale_alert.py
index 8577293c..7a6484c7 100644
--- a/siem-converter/app/converter/backends/logscale/parsers/logscale_alert.py
+++ b/siem-converter/app/converter/platforms/logscale/parsers/logscale_alert.py
@@ -18,8 +18,8 @@
 from typing import List
-from app.converter.backends.logscale.const import logscale_alert_details
-from app.converter.backends.logscale.parsers.logscale import LogScaleParser
+from app.converter.platforms.logscale.const import logscale_alert_details
+from app.converter.platforms.logscale.parsers.logscale import LogScaleParser
 from app.converter.core.mixins.rule import JsonRuleMixin
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer
diff --git a/siem-converter/app/converter/backends/opensearch/mappings/__init__.py b/siem-converter/app/converter/platforms/logscale/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/opensearch/mappings/__init__.py
rename to siem-converter/app/converter/platforms/logscale/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/logscale/renders/logscale.py b/siem-converter/app/converter/platforms/logscale/renders/logscale.py
similarity index 96%
rename from siem-converter/app/converter/backends/logscale/renders/logscale.py
rename to siem-converter/app/converter/platforms/logscale/renders/logscale.py
index 5ea7188b..da9dcf4b 100644
--- a/siem-converter/app/converter/backends/logscale/renders/logscale.py
+++ b/siem-converter/app/converter/platforms/logscale/renders/logscale.py
@@ -18,8 +18,8 @@
 """
 from typing import Union
-from app.converter.backends.logscale.const import logscale_query_details
-from app.converter.backends.logscale.mapping import LogScaleMappings, logscale_mappings
+from app.converter.platforms.logscale.const import logscale_query_details
+from app.converter.platforms.logscale.mapping import LogScaleMappings, logscale_mappings
 from app.converter.core.mapping import SourceMapping
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.operator_types.output import MetaInfoContainer
diff --git a/siem-converter/app/converter/backends/logscale/renders/logscale_alert.py b/siem-converter/app/converter/platforms/logscale/renders/logscale_alert.py
similarity index 92%
rename from siem-converter/app/converter/backends/logscale/renders/logscale_alert.py
rename to siem-converter/app/converter/platforms/logscale/renders/logscale_alert.py
index 5008327e..7e87c267 100644
--- a/siem-converter/app/converter/backends/logscale/renders/logscale_alert.py
+++ b/siem-converter/app/converter/platforms/logscale/renders/logscale_alert.py
@@ -20,8 +20,8 @@
 import copy
 import json
-from app.converter.backends.logscale.renders.logscale import LogScaleQueryRender, LogScaleFieldValue
-from app.converter.backends.logscale.const import DEFAULT_LOGSCALE_ALERT, logscale_alert_details
+from app.converter.platforms.logscale.renders.logscale import LogScaleQueryRender, LogScaleFieldValue
+from app.converter.platforms.logscale.const import DEFAULT_LOGSCALE_ALERT, logscale_alert_details
 from app.converter.core.mapping import SourceMapping
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.operator_types.output import MetaInfoContainer
diff --git a/siem-converter/app/converter/backends/logscale/renders/logscale_cti.py b/siem-converter/app/converter/platforms/logscale/renders/logscale_cti.py
similarity index 88%
rename from siem-converter/app/converter/backends/logscale/renders/logscale_cti.py
rename to siem-converter/app/converter/platforms/logscale/renders/logscale_cti.py
index 0122b353..50c300aa 100644
--- a/siem-converter/app/converter/backends/logscale/renders/logscale_cti.py
+++ b/siem-converter/app/converter/platforms/logscale/renders/logscale_cti.py
@@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.logscale.const import logscale_query_details -from app.converter.backends.logscale.mappings.logscale_cti import DEFAULT_LOGSCALE_MAPPING +from app.converter.platforms.logscale.const import logscale_query_details +from app.converter.platforms.logscale.mappings.logscale_cti import DEFAULT_LOGSCALE_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI diff --git a/siem-converter/app/converter/backends/logscale/siem_functions/__init__.py b/siem-converter/app/converter/platforms/logscale/siem_functions/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/logscale/siem_functions/__init__.py rename to siem-converter/app/converter/platforms/logscale/siem_functions/__init__.py diff --git a/siem-converter/app/converter/backends/logscale/tokenizer.py b/siem-converter/app/converter/platforms/logscale/tokenizer.py similarity index 100% rename from siem-converter/app/converter/backends/logscale/tokenizer.py rename to siem-converter/app/converter/platforms/logscale/tokenizer.py diff --git a/siem-converter/app/converter/backends/opensearch/parsers/__init__.py b/siem-converter/app/converter/platforms/microsoft/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/opensearch/parsers/__init__.py rename to siem-converter/app/converter/platforms/microsoft/__init__.py diff --git a/siem-converter/app/converter/backends/microsoft/const.py b/siem-converter/app/converter/platforms/microsoft/const.py similarity index 100% rename from siem-converter/app/converter/backends/microsoft/const.py rename to siem-converter/app/converter/platforms/microsoft/const.py 
diff --git a/siem-converter/app/converter/backends/microsoft/mapping.py b/siem-converter/app/converter/platforms/microsoft/mapping.py
similarity index 100%
rename from siem-converter/app/converter/backends/microsoft/mapping.py
rename to siem-converter/app/converter/platforms/microsoft/mapping.py
diff --git a/siem-converter/app/converter/backends/opensearch/renders/__init__.py b/siem-converter/app/converter/platforms/microsoft/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/opensearch/renders/__init__.py
rename to siem-converter/app/converter/platforms/microsoft/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/microsoft/mappings/mdatp_cti.py b/siem-converter/app/converter/platforms/microsoft/mappings/mdatp_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/microsoft/mappings/mdatp_cti.py
rename to siem-converter/app/converter/platforms/microsoft/mappings/mdatp_cti.py
diff --git a/siem-converter/app/converter/backends/microsoft/mappings/microsoft_sentinel_cti.py b/siem-converter/app/converter/platforms/microsoft/mappings/microsoft_sentinel_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/microsoft/mappings/microsoft_sentinel_cti.py
rename to siem-converter/app/converter/platforms/microsoft/mappings/microsoft_sentinel_cti.py
diff --git a/siem-converter/app/converter/backends/qradar/__init__.py b/siem-converter/app/converter/platforms/microsoft/parsers/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/qradar/__init__.py
rename to siem-converter/app/converter/platforms/microsoft/parsers/__init__.py
diff --git a/siem-converter/app/converter/backends/microsoft/parsers/microsoft_defender.py b/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_defender.py similarity index 78% rename from siem-converter/app/converter/backends/microsoft/parsers/microsoft_defender.py rename to siem-converter/app/converter/platforms/microsoft/parsers/microsoft_defender.py index f6fe1a17..bdce666d 100644 --- a/siem-converter/app/converter/backends/microsoft/parsers/microsoft_defender.py +++ b/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_defender.py @@ -16,9 +16,9 @@ ----------------------------------------------------------------- """ -from app.converter.backends.microsoft.const import microsoft_defender_details -from app.converter.backends.microsoft.parsers.microsoft_sentinel import MicrosoftParser -from app.converter.backends.microsoft.mapping import microsoft_defender_mappings, MicrosoftDefenderMappings +from app.converter.platforms.microsoft.const import microsoft_defender_details +from app.converter.platforms.microsoft.parsers.microsoft_sentinel import MicrosoftParser +from app.converter.platforms.microsoft.mapping import microsoft_defender_mappings, MicrosoftDefenderMappings from app.converter.core.models.platform_details import PlatformDetails diff --git a/siem-converter/app/converter/backends/microsoft/parsers/microsoft_sentinel.py b/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel.py similarity index 85% rename from siem-converter/app/converter/backends/microsoft/parsers/microsoft_sentinel.py rename to siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel.py index a3e311e2..32e210d4 100644 --- a/siem-converter/app/converter/backends/microsoft/parsers/microsoft_sentinel.py +++ b/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel.py 
@@ -18,10 +18,10 @@ from typing import Tuple, List, Dict -from app.converter.backends.microsoft.const import microsoft_sentinel_query_details -from app.converter.backends.microsoft.siem_functions.base import MicroSoftQueryFunctions -from app.converter.backends.microsoft.mapping import MicrosoftSentinelMappings, microsoft_sentinel_mappings -from app.converter.backends.microsoft.tokenizer import MicrosoftSentinelTokenizer +from app.converter.platforms.microsoft.const import microsoft_sentinel_query_details +from app.converter.platforms.microsoft.siem_functions.base import MicroSoftQueryFunctions +from app.converter.platforms.microsoft.mapping import MicrosoftSentinelMappings, microsoft_sentinel_mappings +from app.converter.platforms.microsoft.tokenizer import MicrosoftSentinelTokenizer from app.converter.core.models.functions.types import ParsedFunctions from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.parser import Parser diff --git a/siem-converter/app/converter/backends/microsoft/parsers/microsoft_sentinel_rule.py b/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel_rule.py similarity index 91% rename from siem-converter/app/converter/backends/microsoft/parsers/microsoft_sentinel_rule.py rename to siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel_rule.py index c3f438fa..156914ac 100644 --- a/siem-converter/app/converter/backends/microsoft/parsers/microsoft_sentinel_rule.py +++ b/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel_rule.py 
@@ -18,8 +18,8 @@ from typing import List -from app.converter.backends.microsoft.const import microsoft_sentinel_rule_details -from app.converter.backends.microsoft.parsers.microsoft_sentinel import MicrosoftParser +from app.converter.platforms.microsoft.const import microsoft_sentinel_rule_details +from app.converter.platforms.microsoft.parsers.microsoft_sentinel import MicrosoftParser from app.converter.core.mixins.rule import JsonRuleMixin from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer diff --git a/siem-converter/app/converter/backends/qradar/mappings/__init__.py b/siem-converter/app/converter/platforms/microsoft/renders/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/qradar/mappings/__init__.py rename to siem-converter/app/converter/platforms/microsoft/renders/__init__.py diff --git a/siem-converter/app/converter/backends/microsoft/renders/microsoft_defender.py b/siem-converter/app/converter/platforms/microsoft/renders/microsoft_defender.py similarity index 81% rename from siem-converter/app/converter/backends/microsoft/renders/microsoft_defender.py rename to siem-converter/app/converter/platforms/microsoft/renders/microsoft_defender.py index 944973a0..45030b4b 100644 --- a/siem-converter/app/converter/backends/microsoft/renders/microsoft_defender.py +++ b/siem-converter/app/converter/platforms/microsoft/renders/microsoft_defender.py 
@@ -17,9 +17,9 @@ ----------------------------------------------------------------- """ -from app.converter.backends.microsoft.const import microsoft_defender_details -from app.converter.backends.microsoft.mapping import MicrosoftDefenderMappings, microsoft_defender_mappings -from app.converter.backends.microsoft.renders.microsoft_sentinel import MicrosoftSentinelQueryRender, \ +from app.converter.platforms.microsoft.const import microsoft_defender_details +from app.converter.platforms.microsoft.mapping import MicrosoftDefenderMappings, microsoft_defender_mappings +from app.converter.platforms.microsoft.renders.microsoft_sentinel import MicrosoftSentinelQueryRender, \ MicrosoftSentinelFieldValue from app.converter.core.models.platform_details import PlatformDetails diff --git a/siem-converter/app/converter/backends/microsoft/renders/microsoft_defender_cti.py b/siem-converter/app/converter/platforms/microsoft/renders/microsoft_defender_cti.py similarity index 90% rename from siem-converter/app/converter/backends/microsoft/renders/microsoft_defender_cti.py rename to siem-converter/app/converter/platforms/microsoft/renders/microsoft_defender_cti.py index 3bcda64f..5463b716 100644 --- a/siem-converter/app/converter/backends/microsoft/renders/microsoft_defender_cti.py +++ b/siem-converter/app/converter/platforms/microsoft/renders/microsoft_defender_cti.py @@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.microsoft.const import microsoft_defender_details -from app.converter.backends.microsoft.mappings.mdatp_cti import DEFAULT_MICROSOFT_DEFENDER_MAPPING +from app.converter.platforms.microsoft.const import microsoft_defender_details +from app.converter.platforms.microsoft.mappings.mdatp_cti import DEFAULT_MICROSOFT_DEFENDER_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI 
diff --git a/siem-converter/app/converter/backends/microsoft/renders/microsoft_sentinel.py b/siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel.py similarity index 93% rename from siem-converter/app/converter/backends/microsoft/renders/microsoft_sentinel.py rename to siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel.py index b42f360f..47b4a27e 100644 --- a/siem-converter/app/converter/backends/microsoft/renders/microsoft_sentinel.py +++ b/siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel.py @@ -18,12 +18,12 @@ """ from typing import Union -from app.converter.backends.microsoft.const import microsoft_sentinel_query_details -from app.converter.backends.microsoft.mapping import MicrosoftSentinelMappings, microsoft_sentinel_mappings +from app.converter.platforms.microsoft.const import microsoft_sentinel_query_details +from app.converter.platforms.microsoft.mapping import MicrosoftSentinelMappings, microsoft_sentinel_mappings from app.converter.core.mapping import LogSourceSignature from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render import BaseQueryRender, BaseQueryFieldValue -from app.converter.backends.microsoft.siem_functions.base import MicroSoftQueryFunctions +from app.converter.platforms.microsoft.siem_functions.base import MicroSoftQueryFunctions class MicrosoftSentinelFieldValue(BaseQueryFieldValue): diff --git a/siem-converter/app/converter/backends/microsoft/renders/microsoft_sentinel_cti.py b/siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel_cti.py similarity index 86% rename from siem-converter/app/converter/backends/microsoft/renders/microsoft_sentinel_cti.py rename to siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel_cti.py index 86921eb4..d944a7a0 100644 --- a/siem-converter/app/converter/backends/microsoft/renders/microsoft_sentinel_cti.py 
+++ b/siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel_cti.py @@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.microsoft.const import microsoft_sentinel_query_details -from app.converter.backends.microsoft.mappings.microsoft_sentinel_cti import DEFAULT_MICROSOFT_SENTINEL_MAPPING +from app.converter.platforms.microsoft.const import microsoft_sentinel_query_details +from app.converter.platforms.microsoft.mappings.microsoft_sentinel_cti import DEFAULT_MICROSOFT_SENTINEL_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI diff --git a/siem-converter/app/converter/backends/microsoft/renders/microsoft_sentinel_rule.py b/siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel_rule.py similarity index 93% rename from siem-converter/app/converter/backends/microsoft/renders/microsoft_sentinel_rule.py rename to siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel_rule.py index 35185af4..78ad74c7 100644 --- a/siem-converter/app/converter/backends/microsoft/renders/microsoft_sentinel_rule.py +++ b/siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel_rule.py @@ -21,11 +21,11 @@ import json import re -from app.converter.backends.microsoft.renders.microsoft_sentinel import ( +from app.converter.platforms.microsoft.renders.microsoft_sentinel import ( MicrosoftSentinelQueryRender, MicrosoftSentinelFieldValue ) -from app.converter.backends.microsoft.const import DEFAULT_MICROSOFT_SENTINEL_RULE, microsoft_sentinel_rule_details +from app.converter.platforms.microsoft.const import DEFAULT_MICROSOFT_SENTINEL_RULE, microsoft_sentinel_rule_details from app.converter.core.mapping import SourceMapping from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.operator_types.output import MetaInfoContainer 
diff --git a/siem-converter/app/converter/backends/qradar/parsers/__init__.py b/siem-converter/app/converter/platforms/microsoft/siem_functions/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/qradar/parsers/__init__.py
rename to siem-converter/app/converter/platforms/microsoft/siem_functions/__init__.py
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/base.py b/siem-converter/app/converter/platforms/microsoft/siem_functions/base.py
similarity index 100%
rename from siem-converter/app/converter/backends/microsoft/siem_functions/base.py
rename to siem-converter/app/converter/platforms/microsoft/siem_functions/base.py
diff --git a/siem-converter/app/converter/backends/microsoft/tokenizer.py b/siem-converter/app/converter/platforms/microsoft/tokenizer.py
similarity index 100%
rename from siem-converter/app/converter/backends/microsoft/tokenizer.py
rename to siem-converter/app/converter/platforms/microsoft/tokenizer.py
diff --git a/siem-converter/app/converter/backends/qradar/renders/__init__.py b/siem-converter/app/converter/platforms/opensearch/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/qradar/renders/__init__.py
rename to siem-converter/app/converter/platforms/opensearch/__init__.py
diff --git a/siem-converter/app/converter/backends/opensearch/const.py b/siem-converter/app/converter/platforms/opensearch/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/opensearch/const.py
rename to siem-converter/app/converter/platforms/opensearch/const.py
diff --git a/siem-converter/app/converter/platforms/opensearch/mapping.py b/siem-converter/app/converter/platforms/opensearch/mapping.py
new file mode 100644
index 00000000..0c6b9e96
--- /dev/null
+++ b/siem-converter/app/converter/platforms/opensearch/mapping.py
@@ -0,0 +1,8 @@
+from app.converter.platforms.base.lucene.mapping import LuceneMappings
+
+
+class OpenSearchMappings(LuceneMappings):
+ pass
+
+
+opensearch_mappings = OpenSearchMappings(platform_dir="opensearch")
diff --git a/siem-converter/app/converter/backends/qualys/__init__.py b/siem-converter/app/converter/platforms/opensearch/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/qualys/__init__.py
rename to siem-converter/app/converter/platforms/opensearch/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/opensearch/mappings/opensearch_cti.py b/siem-converter/app/converter/platforms/opensearch/mappings/opensearch_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/opensearch/mappings/opensearch_cti.py
rename to siem-converter/app/converter/platforms/opensearch/mappings/opensearch_cti.py
diff --git a/siem-converter/app/converter/backends/qualys/mappings/__init__.py b/siem-converter/app/converter/platforms/opensearch/parsers/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/qualys/mappings/__init__.py
rename to siem-converter/app/converter/platforms/opensearch/parsers/__init__.py
diff --git a/siem-converter/app/converter/platforms/opensearch/parsers/opensearch.py b/siem-converter/app/converter/platforms/opensearch/parsers/opensearch.py
new file mode 100644
index 00000000..5114327f
--- /dev/null
+++ b/siem-converter/app/converter/platforms/opensearch/parsers/opensearch.py
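Review bot: The new module `platforms/opensearch/mapping.py` has no license header and no docstring, while the sibling file this commit adds, `platforms/opensearch/parsers/opensearch.py`, and the other modules of the package open with the Uncoder IO license block. Add the same header at the top of the file for consistency. A one-line class docstring would also help, e.g. `"""OpenSearch field mappings; all lookup behaviour is inherited from LuceneMappings, this class only fixes platform_dir."""`. The `platform_dir="opensearch"` argument presumably selects the mapping directory for this platform — if that is not obvious from `LuceneMappings`, a short comment naming what it points to would save the next reader a lookup.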
@@ -0,0 +1,27 @@
+"""
+Uncoder IO Commercial Edition License
+-----------------------------------------------------------------
+Copyright (c) 2023 SOC Prime, Inc.
+
+This file is part of the Uncoder IO Commercial Edition ("CE") and is
+licensed under the Uncoder IO Non-Commercial License (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://github.com/UncoderIO/UncoderIO/blob/main/LICENSE
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-----------------------------------------------------------------
+"""
+
+from app.converter.platforms.base.lucene.parsers.lucene import LuceneParser
+from app.converter.platforms.opensearch.const import opensearch_query_details
+from app.converter.platforms.opensearch.mapping import OpenSearchMappings, opensearch_mappings
+from app.converter.core.models.platform_details import PlatformDetails
+
+
+class OpenSearchParser(LuceneParser):
+ details: PlatformDetails = opensearch_query_details
+ mappings: OpenSearchMappings = opensearch_mappings
diff --git a/siem-converter/app/converter/backends/qualys/renders/__init__.py b/siem-converter/app/converter/platforms/opensearch/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/qualys/renders/__init__.py
rename to siem-converter/app/converter/platforms/opensearch/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/opensearch/renders/opensearch.py b/siem-converter/app/converter/platforms/opensearch/renders/opensearch.py
similarity index 78%
rename from siem-converter/app/converter/backends/opensearch/renders/opensearch.py
rename to siem-converter/app/converter/platforms/opensearch/renders/opensearch.py
index c0b30ca9..58d9951b 100644
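Review bot: `OpenSearchParser` carries no docstring, and since the module is otherwise just the license header and two class attributes, a reader has to open `LuceneParser` to learn what this class does. A one-liner such as `"""Parser for OpenSearch queries; tokenizing and parsing are inherited from LuceneParser, this class only binds the platform details and mappings."""` would make the intent explicit. Whether `LuceneParser` also expects a per-platform tokenizer to be set (an `OpenSearchTokenizer` is added elsewhere in this commit but is not referenced here) is not visible in this hunk and is worth confirming.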
--- a/siem-converter/app/converter/backends/opensearch/renders/opensearch.py +++ b/siem-converter/app/converter/platforms/opensearch/renders/opensearch.py @@ -16,14 +16,13 @@ limitations under the License. ----------------------------------------------------------------- """ - -from app.converter.backends.opensearch.const import opensearch_query_details -from app.converter.backends.opensearch.mapping import OpenSearchMappings, opensearch_mappings +from app.converter.platforms.base.lucene.renders.lucene import LuceneQueryRender, LuceneFieldValue +from app.converter.platforms.opensearch.const import opensearch_query_details +from app.converter.platforms.opensearch.mapping import OpenSearchMappings, opensearch_mappings from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.render import BaseQueryRender, BaseQueryFieldValue -class OpenSearchFieldValue(BaseQueryFieldValue): +class OpenSearchFieldValue(LuceneFieldValue): details: PlatformDetails = opensearch_query_details def equal_modifier(self, field, value): @@ -61,22 +60,9 @@ def keywords(self, field, value): return f'"*{value}*"' -class OpenSearchQueryRender(BaseQueryRender): +class OpenSearchQueryRender(LuceneQueryRender): details: PlatformDetails = opensearch_query_details mappings: OpenSearchMappings = opensearch_mappings or_token = "OR" - and_token = "AND" - not_token = "NOT" - field_value_map = OpenSearchFieldValue(or_token=or_token) - query_pattern = "{query} {functions}" - comment_symbol = "//" - is_multi_line_comment = True - - def generate_prefix(self, logsource: dict) -> str: - return "" - - def generate_functions(self, functions: list) -> str: - return "" - 
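Review bot: Dropping `field_value_map = OpenSearchFieldValue(or_token=or_token)` from `OpenSearchQueryRender` in the second hunk, while keeping the `OpenSearchFieldValue` class defined above it, means the render now uses whatever `field_value_map` `LuceneQueryRender` provides (presumably built on `LuceneFieldValue`), so the OpenSearch-specific `details` and the modifier overrides in `OpenSearchFieldValue` are likely no longer reached — either that class is now dead code or this is a silent behaviour change in the rendered queries. If the subclass is still wanted, keep `field_value_map = OpenSearchFieldValue(or_token=or_token)` in the new class body; if it is not, remove `OpenSearchFieldValue` as well. Retaining only `or_token = "OR"` while `and_token` and `not_token` move to the base class also looks inconsistent: if the base already sets the same value the line is redundant, and if it does not, the base's `field_value_map` was constructed with the base's token rather than this one. The first hunk of this file makes the matching base-class switch for `OpenSearchFieldValue(LuceneFieldValue)`; the body of `OpenSearchFieldValue` between the two hunks is outside them.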
diff --git a/siem-converter/app/converter/backends/opensearch/renders/opensearch_cti.py b/siem-converter/app/converter/platforms/opensearch/renders/opensearch_cti.py similarity index 87% rename from siem-converter/app/converter/backends/opensearch/renders/opensearch_cti.py rename to siem-converter/app/converter/platforms/opensearch/renders/opensearch_cti.py index 1c734fcc..9780f223 100644 --- a/siem-converter/app/converter/backends/opensearch/renders/opensearch_cti.py +++ b/siem-converter/app/converter/platforms/opensearch/renders/opensearch_cti.py @@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.opensearch.const import opensearch_query_details -from app.converter.backends.opensearch.mappings.opensearch_cti import DEFAULT_OPENSEARCH_MAPPING +from app.converter.platforms.opensearch.const import opensearch_query_details +from app.converter.platforms.opensearch.mappings.opensearch_cti import DEFAULT_OPENSEARCH_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI diff --git a/siem-converter/app/converter/backends/opensearch/renders/opensearch_rule.py b/siem-converter/app/converter/platforms/opensearch/renders/opensearch_rule.py similarity index 89% rename from siem-converter/app/converter/backends/opensearch/renders/opensearch_rule.py rename to siem-converter/app/converter/platforms/opensearch/renders/opensearch_rule.py index 916e6aff..7c24d0a8 100644 --- a/siem-converter/app/converter/backends/opensearch/renders/opensearch_rule.py +++ b/siem-converter/app/converter/platforms/opensearch/renders/opensearch_rule.py 
@@ -20,9 +20,9 @@ import copy import json -from app.converter.backends.opensearch.const import OPENSEARCH_RULE, opensearch_rule_details -from app.converter.backends.opensearch.mapping import OpenSearchMappings, opensearch_mappings -from app.converter.backends.opensearch.renders.opensearch import OpenSearchQueryRender, OpenSearchFieldValue +from app.converter.platforms.opensearch.const import OPENSEARCH_RULE, opensearch_rule_details +from app.converter.platforms.opensearch.mapping import OpenSearchMappings, opensearch_mappings +from app.converter.platforms.opensearch.renders.opensearch import OpenSearchQueryRender, OpenSearchFieldValue from app.converter.core.mapping import SourceMapping from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.operator_types.output import MetaInfoContainer diff --git a/siem-converter/app/converter/backends/crowdstrike/tokenizer.py b/siem-converter/app/converter/platforms/opensearch/tokenizer.py similarity index 86% rename from siem-converter/app/converter/backends/crowdstrike/tokenizer.py rename to siem-converter/app/converter/platforms/opensearch/tokenizer.py index 15e04aaf..ee8d4189 100644 --- a/siem-converter/app/converter/backends/crowdstrike/tokenizer.py +++ b/siem-converter/app/converter/platforms/opensearch/tokenizer.py @@ -15,9 +15,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ----------------------------------------------------------------- """ +from app.converter.platforms.base.lucene.tokenizer import LuceneTokenizer -from app.converter.backends.splunk.tokenizer import SplunkTokenizer - -class CrowdStrikeTokenizer(SplunkTokenizer): +class OpenSearchTokenizer(LuceneTokenizer): pass 
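Review bot: Git has paired the removal of `backends/crowdstrike/tokenizer.py` with the new `platforms/opensearch/tokenizer.py` (86% similarity), so the last hunk on this line deletes `CrowdStrikeTokenizer` and introduces `OpenSearchTokenizer`; unless `CrowdStrikeTokenizer` is recreated under `platforms/crowdstrike/` in a part of this commit not shown here, the CrowdStrike parser's import of it breaks. Please confirm the CrowdStrike tokenizer survives the move. `OpenSearchTokenizer` is an empty `pass` subclass, so a docstring such as `"""Tokenizer for OpenSearch queries; behaviour is inherited unchanged from LuceneTokenizer."""` would state why the class exists. As a style point, the new import is placed directly under the closing `"""` with no blank line, whereas the import it replaces kept one.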
diff --git a/siem-converter/app/converter/backends/roota/__init__.py b/siem-converter/app/converter/platforms/qradar/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/roota/__init__.py
rename to siem-converter/app/converter/platforms/qradar/__init__.py
diff --git a/siem-converter/app/converter/backends/qradar/const.py b/siem-converter/app/converter/platforms/qradar/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/qradar/const.py
rename to siem-converter/app/converter/platforms/qradar/const.py
diff --git a/siem-converter/app/converter/backends/qradar/mapping.py b/siem-converter/app/converter/platforms/qradar/mapping.py
similarity index 100%
rename from siem-converter/app/converter/backends/qradar/mapping.py
rename to siem-converter/app/converter/platforms/qradar/mapping.py
diff --git a/siem-converter/app/converter/backends/roota/parsers/__init__.py b/siem-converter/app/converter/platforms/qradar/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/roota/parsers/__init__.py
rename to siem-converter/app/converter/platforms/qradar/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/qradar/mappings/qradar_cti.py b/siem-converter/app/converter/platforms/qradar/mappings/qradar_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/qradar/mappings/qradar_cti.py
rename to siem-converter/app/converter/platforms/qradar/mappings/qradar_cti.py
diff --git a/siem-converter/app/converter/backends/rsa_netwitness/__init__.py b/siem-converter/app/converter/platforms/qradar/parsers/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/rsa_netwitness/__init__.py
rename to siem-converter/app/converter/platforms/qradar/parsers/__init__.py
diff --git a/siem-converter/app/converter/backends/qradar/parsers/qradar.py b/siem-converter/app/converter/platforms/qradar/parsers/qradar.py similarity index 95% rename from siem-converter/app/converter/backends/qradar/parsers/qradar.py rename to siem-converter/app/converter/platforms/qradar/parsers/qradar.py index 3b184503..e9135e61 100644 --- a/siem-converter/app/converter/backends/qradar/parsers/qradar.py +++ b/siem-converter/app/converter/platforms/qradar/parsers/qradar.py @@ -19,10 +19,10 @@ import re from typing import Tuple, List, Union, Dict -from app.converter.backends.qradar.const import SINGLE_QUOTES_VALUE_PATTERN, NUM_VALUE_PATTERN, \ +from app.converter.platforms.qradar.const import SINGLE_QUOTES_VALUE_PATTERN, NUM_VALUE_PATTERN, \ qradar_query_details -from app.converter.backends.qradar.mapping import QradarMappings, qradar_mappings -from app.converter.backends.qradar.tokenizer import QradarTokenizer +from app.converter.platforms.qradar.mapping import QradarMappings, qradar_mappings +from app.converter.platforms.qradar.tokenizer import QradarTokenizer from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.parser import Parser from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer diff --git a/siem-converter/app/converter/backends/rsa_netwitness/mappings/__init__.py b/siem-converter/app/converter/platforms/qradar/renders/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/rsa_netwitness/mappings/__init__.py rename to siem-converter/app/converter/platforms/qradar/renders/__init__.py diff --git a/siem-converter/app/converter/backends/qradar/renders/qradar.py b/siem-converter/app/converter/platforms/qradar/renders/qradar.py similarity index 94% rename from siem-converter/app/converter/backends/qradar/renders/qradar.py rename to siem-converter/app/converter/platforms/qradar/renders/qradar.py index 116cee47..4cacf1aa 100644 
--- a/siem-converter/app/converter/backends/qradar/renders/qradar.py +++ b/siem-converter/app/converter/platforms/qradar/renders/qradar.py @@ -19,8 +19,8 @@ from typing import Union, List -from app.converter.backends.qradar.const import qradar_query_details -from app.converter.backends.qradar.mapping import QradarLogSourceSignature, QradarMappings, qradar_mappings +from app.converter.platforms.qradar.const import qradar_query_details +from app.converter.platforms.qradar.mapping import QradarLogSourceSignature, QradarMappings, qradar_mappings from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render import BaseQueryRender, BaseQueryFieldValue diff --git a/siem-converter/app/converter/backends/qradar/renders/qradar_cti.py b/siem-converter/app/converter/platforms/qradar/renders/qradar_cti.py similarity index 89% rename from siem-converter/app/converter/backends/qradar/renders/qradar_cti.py rename to siem-converter/app/converter/platforms/qradar/renders/qradar_cti.py index 8f848a49..39ac6e67 100644 --- a/siem-converter/app/converter/backends/qradar/renders/qradar_cti.py +++ b/siem-converter/app/converter/platforms/qradar/renders/qradar_cti.py @@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.qradar.const import qradar_query_details -from app.converter.backends.qradar.mappings.qradar_cti import DEFAULT_QRADAR_MAPPING +from app.converter.platforms.qradar.const import qradar_query_details +from app.converter.platforms.qradar.mappings.qradar_cti import DEFAULT_QRADAR_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI 
diff --git a/siem-converter/app/converter/backends/qradar/tokenizer.py b/siem-converter/app/converter/platforms/qradar/tokenizer.py similarity index 97% rename from siem-converter/app/converter/backends/qradar/tokenizer.py rename to siem-converter/app/converter/platforms/qradar/tokenizer.py index f8494ea9..680d6a0b 100644 --- a/siem-converter/app/converter/backends/qradar/tokenizer.py +++ b/siem-converter/app/converter/platforms/qradar/tokenizer.py @@ -19,7 +19,7 @@ import re from typing import Tuple, Any -from app.converter.backends.qradar.const import UTF8_PAYLOAD_PATTERN, SINGLE_QUOTES_VALUE_PATTERN, NUM_VALUE_PATTERN +from app.converter.platforms.qradar.const import UTF8_PAYLOAD_PATTERN, SINGLE_QUOTES_VALUE_PATTERN, NUM_VALUE_PATTERN from app.converter.core.models.field import Keyword from app.converter.core.models.identifier import Identifier from app.converter.core.tokenizer import QueryTokenizer diff --git a/siem-converter/app/converter/backends/rsa_netwitness/renders/__init__.py b/siem-converter/app/converter/platforms/qualys/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/rsa_netwitness/renders/__init__.py rename to siem-converter/app/converter/platforms/qualys/__init__.py diff --git a/siem-converter/app/converter/backends/qualys/const.py b/siem-converter/app/converter/platforms/qualys/const.py similarity index 100% rename from siem-converter/app/converter/backends/qualys/const.py rename to siem-converter/app/converter/platforms/qualys/const.py diff --git a/siem-converter/app/converter/backends/securonix/__init__.py b/siem-converter/app/converter/platforms/qualys/mappings/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/securonix/__init__.py rename to siem-converter/app/converter/platforms/qualys/mappings/__init__.py 
diff --git a/siem-converter/app/converter/backends/qualys/mappings/qualys_cti.py b/siem-converter/app/converter/platforms/qualys/mappings/qualys_cti.py similarity index 100% rename from siem-converter/app/converter/backends/qualys/mappings/qualys_cti.py rename to siem-converter/app/converter/platforms/qualys/mappings/qualys_cti.py diff --git a/siem-converter/app/converter/backends/securonix/mappings/__init__.py b/siem-converter/app/converter/platforms/qualys/renders/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/securonix/mappings/__init__.py rename to siem-converter/app/converter/platforms/qualys/renders/__init__.py diff --git a/siem-converter/app/converter/backends/qualys/renders/qualys_cti.py b/siem-converter/app/converter/platforms/qualys/renders/qualys_cti.py similarity index 89% rename from siem-converter/app/converter/backends/qualys/renders/qualys_cti.py rename to siem-converter/app/converter/platforms/qualys/renders/qualys_cti.py index b3e0d79a..aec31146 100644 --- a/siem-converter/app/converter/backends/qualys/renders/qualys_cti.py +++ b/siem-converter/app/converter/platforms/qualys/renders/qualys_cti.py @@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.qualys.const import QUALYS_QUERY_DETAILS -from app.converter.backends.qualys.mappings.qualys_cti import DEFAULT_QUALYS_MAPPING +from app.converter.platforms.qualys.const import QUALYS_QUERY_DETAILS +from app.converter.platforms.qualys.mappings.qualys_cti import DEFAULT_QUALYS_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI 
diff --git a/siem-converter/app/converter/backends/securonix/renders/__init__.py b/siem-converter/app/converter/platforms/roota/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/securonix/renders/__init__.py
rename to siem-converter/app/converter/platforms/roota/__init__.py
diff --git a/siem-converter/app/converter/backends/roota/mapping.py b/siem-converter/app/converter/platforms/roota/mapping.py
similarity index 100%
rename from siem-converter/app/converter/backends/roota/mapping.py
rename to siem-converter/app/converter/platforms/roota/mapping.py
diff --git a/siem-converter/app/converter/backends/sentinel_one/__init__.py b/siem-converter/app/converter/platforms/roota/parsers/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/sentinel_one/__init__.py
rename to siem-converter/app/converter/platforms/roota/parsers/__init__.py
diff --git a/siem-converter/app/converter/backends/roota/parsers/roota.py b/siem-converter/app/converter/platforms/roota/parsers/roota.py
similarity index 100%
rename from siem-converter/app/converter/backends/roota/parsers/roota.py
rename to siem-converter/app/converter/platforms/roota/parsers/roota.py
diff --git a/siem-converter/app/converter/backends/sentinel_one/mappings/__init__.py b/siem-converter/app/converter/platforms/rsa_netwitness/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/sentinel_one/mappings/__init__.py
rename to siem-converter/app/converter/platforms/rsa_netwitness/__init__.py
diff --git a/siem-converter/app/converter/backends/rsa_netwitness/const.py b/siem-converter/app/converter/platforms/rsa_netwitness/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/rsa_netwitness/const.py
rename to siem-converter/app/converter/platforms/rsa_netwitness/const.py
diff --git a/siem-converter/app/converter/backends/sentinel_one/renders/__init__.py b/siem-converter/app/converter/platforms/rsa_netwitness/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/sentinel_one/renders/__init__.py
rename to siem-converter/app/converter/platforms/rsa_netwitness/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/rsa_netwitness/mappings/rsa_netwitness_cti.py b/siem-converter/app/converter/platforms/rsa_netwitness/mappings/rsa_netwitness_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/rsa_netwitness/mappings/rsa_netwitness_cti.py
rename to siem-converter/app/converter/platforms/rsa_netwitness/mappings/rsa_netwitness_cti.py
diff --git a/siem-converter/app/converter/backends/sigma/__init__.py b/siem-converter/app/converter/platforms/rsa_netwitness/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/sigma/__init__.py
rename to siem-converter/app/converter/platforms/rsa_netwitness/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/rsa_netwitness/renders/rsa_netwitness_cti.py b/siem-converter/app/converter/platforms/rsa_netwitness/renders/rsa_netwitness_cti.py
similarity index 86%
rename from siem-converter/app/converter/backends/rsa_netwitness/renders/rsa_netwitness_cti.py
rename to siem-converter/app/converter/platforms/rsa_netwitness/renders/rsa_netwitness_cti.py
index e20a08f6..da389b09 100644
--- a/siem-converter/app/converter/backends/rsa_netwitness/renders/rsa_netwitness_cti.py
+++ b/siem-converter/app/converter/platforms/rsa_netwitness/renders/rsa_netwitness_cti.py
@@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.rsa_netwitness.const import RSA_NETWITNESS_QUERY_DETAILS -from app.converter.backends.rsa_netwitness.mappings.rsa_netwitness_cti import DEFAULT_RSA_NETWITNESS_MAPPING +from app.converter.platforms.rsa_netwitness.const import RSA_NETWITNESS_QUERY_DETAILS +from app.converter.platforms.rsa_netwitness.mappings.rsa_netwitness_cti import DEFAULT_RSA_NETWITNESS_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI diff --git a/siem-converter/app/converter/backends/sigma/models/__init__.py b/siem-converter/app/converter/platforms/securonix/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/sigma/models/__init__.py rename to siem-converter/app/converter/platforms/securonix/__init__.py diff --git a/siem-converter/app/converter/backends/securonix/const.py b/siem-converter/app/converter/platforms/securonix/const.py similarity index 100% rename from siem-converter/app/converter/backends/securonix/const.py rename to siem-converter/app/converter/platforms/securonix/const.py diff --git a/siem-converter/app/converter/backends/sigma/parsers/__init__.py b/siem-converter/app/converter/platforms/securonix/mappings/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/sigma/parsers/__init__.py rename to siem-converter/app/converter/platforms/securonix/mappings/__init__.py diff --git a/siem-converter/app/converter/backends/securonix/mappings/securonix_cti.py b/siem-converter/app/converter/platforms/securonix/mappings/securonix_cti.py similarity index 100% rename from siem-converter/app/converter/backends/securonix/mappings/securonix_cti.py rename to siem-converter/app/converter/platforms/securonix/mappings/securonix_cti.py 
diff --git a/siem-converter/app/converter/backends/sigma/renders/__init__.py b/siem-converter/app/converter/platforms/securonix/renders/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/sigma/renders/__init__.py rename to siem-converter/app/converter/platforms/securonix/renders/__init__.py diff --git a/siem-converter/app/converter/backends/securonix/renders/securonix_cti.py b/siem-converter/app/converter/platforms/securonix/renders/securonix_cti.py similarity index 88% rename from siem-converter/app/converter/backends/securonix/renders/securonix_cti.py rename to siem-converter/app/converter/platforms/securonix/renders/securonix_cti.py index e1ab571c..ea631912 100644 --- a/siem-converter/app/converter/backends/securonix/renders/securonix_cti.py +++ b/siem-converter/app/converter/platforms/securonix/renders/securonix_cti.py @@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.securonix.const import SECURONIX_QUERY_DETAILS -from app.converter.backends.securonix.mappings.securonix_cti import DEFAULT_SECURONIX_MAPPING +from app.converter.platforms.securonix.const import SECURONIX_QUERY_DETAILS +from app.converter.platforms.securonix.mappings.securonix_cti import DEFAULT_SECURONIX_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI diff --git a/siem-converter/app/converter/backends/snowflake/__init__.py b/siem-converter/app/converter/platforms/sentinel_one/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/snowflake/__init__.py rename to siem-converter/app/converter/platforms/sentinel_one/__init__.py 
diff --git a/siem-converter/app/converter/backends/sentinel_one/const.py b/siem-converter/app/converter/platforms/sentinel_one/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/sentinel_one/const.py
rename to siem-converter/app/converter/platforms/sentinel_one/const.py
diff --git a/siem-converter/app/converter/backends/snowflake/mappings/__init__.py b/siem-converter/app/converter/platforms/sentinel_one/mappings/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/snowflake/mappings/__init__.py
rename to siem-converter/app/converter/platforms/sentinel_one/mappings/__init__.py
diff --git a/siem-converter/app/converter/backends/sentinel_one/mappings/s1_cti.py b/siem-converter/app/converter/platforms/sentinel_one/mappings/s1_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/sentinel_one/mappings/s1_cti.py
rename to siem-converter/app/converter/platforms/sentinel_one/mappings/s1_cti.py
diff --git a/siem-converter/app/converter/backends/snowflake/renders/__init__.py b/siem-converter/app/converter/platforms/sentinel_one/renders/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/snowflake/renders/__init__.py
rename to siem-converter/app/converter/platforms/sentinel_one/renders/__init__.py
diff --git a/siem-converter/app/converter/backends/sentinel_one/renders/s1_cti.py b/siem-converter/app/converter/platforms/sentinel_one/renders/s1_cti.py
similarity index 87%
rename from siem-converter/app/converter/backends/sentinel_one/renders/s1_cti.py
rename to siem-converter/app/converter/platforms/sentinel_one/renders/s1_cti.py
index 8d6c07e1..63390496 100644
--- a/siem-converter/app/converter/backends/sentinel_one/renders/s1_cti.py
+++ b/siem-converter/app/converter/platforms/sentinel_one/renders/s1_cti.py
@@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.sentinel_one.const import SENTINEL_ONE_EVENTS_QUERY_DETAILS -from app.converter.backends.sentinel_one.mappings.s1_cti import DEFAULT_S1EVENTS_MAPPING +from app.converter.platforms.sentinel_one.const import SENTINEL_ONE_EVENTS_QUERY_DETAILS +from app.converter.platforms.sentinel_one.mappings.s1_cti import DEFAULT_S1EVENTS_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI diff --git a/siem-converter/app/converter/backends/splunk/__init__.py b/siem-converter/app/converter/platforms/sigma/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/splunk/__init__.py rename to siem-converter/app/converter/platforms/sigma/__init__.py diff --git a/siem-converter/app/converter/backends/sigma/const.py b/siem-converter/app/converter/platforms/sigma/const.py similarity index 100% rename from siem-converter/app/converter/backends/sigma/const.py rename to siem-converter/app/converter/platforms/sigma/const.py diff --git a/siem-converter/app/converter/backends/sigma/mapping.py b/siem-converter/app/converter/platforms/sigma/mapping.py similarity index 100% rename from siem-converter/app/converter/backends/sigma/mapping.py rename to siem-converter/app/converter/platforms/sigma/mapping.py diff --git a/siem-converter/app/converter/backends/splunk/mappings/__init__.py b/siem-converter/app/converter/platforms/sigma/models/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/splunk/mappings/__init__.py rename to siem-converter/app/converter/platforms/sigma/models/__init__.py 
diff --git a/siem-converter/app/converter/backends/sigma/models/modifiers.py b/siem-converter/app/converter/platforms/sigma/models/modifiers.py similarity index 100% rename from siem-converter/app/converter/backends/sigma/models/modifiers.py rename to siem-converter/app/converter/platforms/sigma/models/modifiers.py diff --git a/siem-converter/app/converter/backends/splunk/parsers/__init__.py b/siem-converter/app/converter/platforms/sigma/parsers/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/splunk/parsers/__init__.py rename to siem-converter/app/converter/platforms/sigma/parsers/__init__.py diff --git a/siem-converter/app/converter/backends/sigma/parsers/sigma.py b/siem-converter/app/converter/platforms/sigma/parsers/sigma.py similarity index 93% rename from siem-converter/app/converter/backends/sigma/parsers/sigma.py rename to siem-converter/app/converter/platforms/sigma/parsers/sigma.py index a098c716..a9635a38 100644 --- a/siem-converter/app/converter/backends/sigma/parsers/sigma.py +++ b/siem-converter/app/converter/platforms/sigma/parsers/sigma.py @@ -21,9 +21,9 @@ import re from typing import List -from app.converter.backends.sigma.const import SIGMA_RULE_DETAILS -from app.converter.backends.sigma.mapping import SigmaMappings, sigma_mappings -from app.converter.backends.sigma.tokenizer import SigmaTokenizer, SigmaConditionTokenizer +from app.converter.platforms.sigma.const import SIGMA_RULE_DETAILS +from app.converter.platforms.sigma.mapping import SigmaMappings, sigma_mappings +from app.converter.platforms.sigma.tokenizer import SigmaTokenizer, SigmaConditionTokenizer from app.converter.core.exceptions.core import SigmaRuleValidationException from app.converter.core.mixins.rule import YamlRuleMixin from app.converter.core.models.field import Field 
diff --git a/siem-converter/app/converter/backends/splunk/renders/__init__.py b/siem-converter/app/converter/platforms/sigma/renders/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/splunk/renders/__init__.py rename to siem-converter/app/converter/platforms/sigma/renders/__init__.py diff --git a/siem-converter/app/converter/backends/sigma/renders/sigma.py b/siem-converter/app/converter/platforms/sigma/renders/sigma.py similarity index 98% rename from siem-converter/app/converter/backends/sigma/renders/sigma.py rename to siem-converter/app/converter/platforms/sigma/renders/sigma.py index 651a0437..2ade383d 100644 --- a/siem-converter/app/converter/backends/sigma/renders/sigma.py +++ b/siem-converter/app/converter/platforms/sigma/renders/sigma.py @@ -21,8 +21,8 @@ import yaml -from app.converter.backends.sigma.const import SIGMA_RULE_DETAILS -from app.converter.backends.sigma.mapping import SigmaMappings, sigma_mappings, SigmaLogSourceSignature +from app.converter.platforms.sigma.const import SIGMA_RULE_DETAILS +from app.converter.platforms.sigma.mapping import SigmaMappings, sigma_mappings, SigmaLogSourceSignature from app.converter.core.compiler import DataStructureCompiler from app.converter.core.exceptions.core import StrictPlatformFieldException from app.converter.core.mapping import SourceMapping, DEFAULT_MAPPING_NAME diff --git a/siem-converter/app/converter/backends/sigma/tokenizer.py b/siem-converter/app/converter/platforms/sigma/tokenizer.py similarity index 99% rename from siem-converter/app/converter/backends/sigma/tokenizer.py rename to siem-converter/app/converter/platforms/sigma/tokenizer.py index 689e1ef9..9d16da6c 100644 --- a/siem-converter/app/converter/backends/sigma/tokenizer.py +++ b/siem-converter/app/converter/platforms/sigma/tokenizer.py 
@@ -19,7 +19,7 @@ import re from typing import Union, List -from app.converter.backends.sigma.models.modifiers import ModifierManager +from app.converter.platforms.sigma.models.modifiers import ModifierManager from app.converter.core.exceptions.parser import TokenizerGeneralException from app.converter.core.models.field import Field, Keyword from app.converter.core.models.identifier import Identifier diff --git a/siem-converter/app/converter/backends/sumo_logic/__init__.py b/siem-converter/app/converter/platforms/snowflake/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/sumo_logic/__init__.py rename to siem-converter/app/converter/platforms/snowflake/__init__.py diff --git a/siem-converter/app/converter/backends/snowflake/const.py b/siem-converter/app/converter/platforms/snowflake/const.py similarity index 100% rename from siem-converter/app/converter/backends/snowflake/const.py rename to siem-converter/app/converter/platforms/snowflake/const.py diff --git a/siem-converter/app/converter/backends/sumo_logic/mappings/__init__.py b/siem-converter/app/converter/platforms/snowflake/mappings/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/sumo_logic/mappings/__init__.py rename to siem-converter/app/converter/platforms/snowflake/mappings/__init__.py diff --git a/siem-converter/app/converter/backends/snowflake/mappings/snowflake_cti.py b/siem-converter/app/converter/platforms/snowflake/mappings/snowflake_cti.py similarity index 100% rename from siem-converter/app/converter/backends/snowflake/mappings/snowflake_cti.py rename to siem-converter/app/converter/platforms/snowflake/mappings/snowflake_cti.py 
diff --git a/siem-converter/app/converter/backends/sumo_logic/renders/__init__.py b/siem-converter/app/converter/platforms/snowflake/renders/__init__.py similarity index 100% rename from siem-converter/app/converter/backends/sumo_logic/renders/__init__.py rename to siem-converter/app/converter/platforms/snowflake/renders/__init__.py diff --git a/siem-converter/app/converter/backends/snowflake/renders/snowflake_cti.py b/siem-converter/app/converter/platforms/snowflake/renders/snowflake_cti.py similarity index 88% rename from siem-converter/app/converter/backends/snowflake/renders/snowflake_cti.py rename to siem-converter/app/converter/platforms/snowflake/renders/snowflake_cti.py index 4cff7b82..666a034c 100644 --- a/siem-converter/app/converter/backends/snowflake/renders/snowflake_cti.py +++ b/siem-converter/app/converter/platforms/snowflake/renders/snowflake_cti.py @@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.snowflake.const import SNOWFLAKE_QUERY_DETAILS -from app.converter.backends.snowflake.mappings.snowflake_cti import DEFAULT_SNOWFLAKE_MAPPING +from app.converter.platforms.snowflake.const import SNOWFLAKE_QUERY_DETAILS +from app.converter.platforms.snowflake.mappings.snowflake_cti import DEFAULT_SNOWFLAKE_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI diff --git a/siem-converter/app/converter/platforms/splunk/__init__.py b/siem-converter/app/converter/platforms/splunk/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/siem-converter/app/converter/backends/splunk/const.py b/siem-converter/app/converter/platforms/splunk/const.py similarity index 100% rename from siem-converter/app/converter/backends/splunk/const.py rename to siem-converter/app/converter/platforms/splunk/const.py 
diff --git a/siem-converter/app/converter/backends/splunk/mapping.py b/siem-converter/app/converter/platforms/splunk/mapping.py
similarity index 100%
rename from siem-converter/app/converter/backends/splunk/mapping.py
rename to siem-converter/app/converter/platforms/splunk/mapping.py
diff --git a/siem-converter/app/converter/platforms/splunk/mappings/__init__.py b/siem-converter/app/converter/platforms/splunk/mappings/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/siem-converter/app/converter/backends/splunk/mappings/splunk_cti.py b/siem-converter/app/converter/platforms/splunk/mappings/splunk_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/splunk/mappings/splunk_cti.py
rename to siem-converter/app/converter/platforms/splunk/mappings/splunk_cti.py
diff --git a/siem-converter/app/converter/platforms/splunk/parsers/__init__.py b/siem-converter/app/converter/platforms/splunk/parsers/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/siem-converter/app/converter/platforms/splunk/parsers/splunk.py b/siem-converter/app/converter/platforms/splunk/parsers/splunk.py
new file mode 100644
index 00000000..79a24f58
--- /dev/null
+++ b/siem-converter/app/converter/platforms/splunk/parsers/splunk.py
@@ -0,0 +1,33 @@
+"""
+Uncoder IO Commercial Edition License
+-----------------------------------------------------------------
+Copyright (c) 2023 SOC Prime, Inc.
+
+This file is part of the Uncoder IO Commercial Edition ("CE") and is
+licensed under the Uncoder IO Non-Commercial License (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://github.com/UncoderIO/UncoderIO/blob/main/LICENSE
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-----------------------------------------------------------------
+"""
+
+from app.converter.platforms.base.spl.parsers.spl import SplParser
+from app.converter.platforms.splunk.const import splunk_query_details
+from app.converter.platforms.splunk.mapping import SplunkMappings, splunk_mappings
+from app.converter.platforms.splunk.siem_functions import SplunkFunctions
+from app.converter.core.models.platform_details import PlatformDetails
+
+
+class SplunkParser(SplParser):
+ details: PlatformDetails = splunk_query_details
+ siem_functions = SplunkFunctions()
+
+ log_source_pattern = r"___source_type___\s*=\s*(?:\"(?P[%a-zA-Z_*:0-9\-/]+)\"|(?P[%a-zA-Z_*:0-9\-/]+))(?:\s+(?:and|or)\s+|\s+)?"
+ log_source_key_types = ("index", "source", "sourcetype", "sourcecategory")
+
+ mappings: SplunkMappings = splunk_mappings
diff --git a/siem-converter/app/converter/backends/splunk/parsers/splunk_alert.py b/siem-converter/app/converter/platforms/splunk/parsers/splunk_alert.py
similarity index 92%
rename from siem-converter/app/converter/backends/splunk/parsers/splunk_alert.py
rename to siem-converter/app/converter/platforms/splunk/parsers/splunk_alert.py
index 7a341697..3763720a 100644
--- a/siem-converter/app/converter/backends/splunk/parsers/splunk_alert.py
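Review bot: Both named groups in `log_source_pattern` print as `(?P[…])` with no group name; if the file really reads that way rather than having the angle-bracketed name stripped by this page's rendering, `re.compile` raises `re.error` on first use, so confirm the pattern is `(?P<GROUP_NAME>…)` with two distinct names for the quoted and unquoted alternatives. This file arrives as a new file even though the removed import in the next hunk (`from app.converter.backends.splunk.parsers.splunk import SplunkParser`) shows a predecessor under `backends/`, so git detected no rename and the parser may have changed materially — worth diffing against the deleted file, which is not shown here. The header says "Uncoder IO Commercial Edition License" while `renders/splunk.py` added in the same commit carries the Community Edition / Apache 2.0 header; confirm which one applies to this module. `siem_functions = SplunkFunctions()` is built at import time and shared by every `SplunkParser` instance, which is only safe if it holds no per-parse state — this hunk cannot show that. A class docstring would also help, e.g. `"""Splunk SPL query parser: Splunk platform details, SIEM functions, log-source pattern/key types and field mappings layered on SplParser."""`.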
+++ b/siem-converter/app/converter/platforms/splunk/parsers/splunk_alert.py @@ -19,8 +19,8 @@ import re from typing import List, Optional -from app.converter.backends.splunk.const import splunk_alert_details -from app.converter.backends.splunk.parsers.splunk import SplunkParser +from app.converter.platforms.splunk.const import splunk_alert_details +from app.converter.platforms.splunk.parsers.splunk import SplunkParser from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer diff --git a/siem-converter/app/converter/platforms/splunk/renders/__init__.py b/siem-converter/app/converter/platforms/splunk/renders/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/siem-converter/app/converter/platforms/splunk/renders/splunk.py b/siem-converter/app/converter/platforms/splunk/renders/splunk.py new file mode 100644 index 00000000..ebca22c0 --- /dev/null +++ b/siem-converter/app/converter/platforms/splunk/renders/splunk.py 
@@ -0,0 +1,35 @@
+"""
+Uncoder IO Community Edition License
+-----------------------------------------------------------------
+Copyright (c) 2023 SOC Prime, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-----------------------------------------------------------------
+"""
+from app.converter.platforms.base.spl.renders.spl import SplFieldValue, SplQueryRender
+from app.converter.platforms.splunk.const import splunk_query_details
+from app.converter.platforms.splunk.mapping import SplunkMappings, splunk_mappings
+from app.converter.core.models.platform_details import PlatformDetails
+
+
+class SplunkFieldValue(SplFieldValue):
+ details: PlatformDetails = splunk_query_details
+
+
+class SplunkQueryRender(SplQueryRender):
+ details: PlatformDetails = splunk_query_details
+
+ or_token = "OR"
+
+ field_value_map = SplunkFieldValue(or_token=or_token)
+ mappings: SplunkMappings = splunk_mappings
diff --git a/siem-converter/app/converter/backends/splunk/renders/splunk_alert.py b/siem-converter/app/converter/platforms/splunk/renders/splunk_alert.py
similarity index 92%
rename from siem-converter/app/converter/backends/splunk/renders/splunk_alert.py
rename to siem-converter/app/converter/platforms/splunk/renders/splunk_alert.py
index 9ac8f679..f16b9efd 100644
--- a/siem-converter/app/converter/backends/splunk/renders/splunk_alert.py
+++ b/siem-converter/app/converter/platforms/splunk/renders/splunk_alert.py
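Review bot: `SplunkFieldValue` and `SplunkQueryRender` override only `details`, `or_token`, `field_value_map` and `mappings`, so every quoting and escaping decision in the rendered SPL is inherited from `SplFieldValue`/`SplQueryRender` in `platforms/base/spl`, outside this hunk; confirm that the base escaping matches Splunk's own quoting rules, since nothing Splunk-specific is adjusted here. `field_value_map = SplunkFieldValue(or_token=or_token)` is instantiated once at class definition and shared across all renders, which is fine only if the field-value object is stateless — not visible from this hunk. Neither class has a docstring; suggested for the render class: `"""Render queries as Splunk SPL: binds the Splunk platform details, "OR" as the disjunction token and the Splunk field mappings onto the generic SPL renderer."""`, plus a one-line docstring on `SplunkFieldValue` naming it as the Splunk-bound field/value formatter.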
@@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.splunk.renders.splunk import SplunkQueryRender, SplunkFieldValue -from app.converter.backends.splunk.const import DEFAULT_SPLUNK_ALERT, splunk_alert_details +from app.converter.platforms.splunk.renders.splunk import SplunkQueryRender, SplunkFieldValue +from app.converter.platforms.splunk.const import DEFAULT_SPLUNK_ALERT, splunk_alert_details from app.converter.core.mapping import SourceMapping from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.operator_types.output import MetaInfoContainer diff --git a/siem-converter/app/converter/backends/splunk/renders/splunk_cti.py b/siem-converter/app/converter/platforms/splunk/renders/splunk_cti.py similarity index 88% rename from siem-converter/app/converter/backends/splunk/renders/splunk_cti.py rename to siem-converter/app/converter/platforms/splunk/renders/splunk_cti.py index 7b6ebd89..1211e706 100644 --- a/siem-converter/app/converter/backends/splunk/renders/splunk_cti.py +++ b/siem-converter/app/converter/platforms/splunk/renders/splunk_cti.py @@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.splunk.const import splunk_query_details -from app.converter.backends.splunk.mappings.splunk_cti import DEFAULT_SPLUNK_MAPPING +from app.converter.platforms.splunk.const import splunk_query_details +from app.converter.platforms.splunk.mappings.splunk_cti import DEFAULT_SPLUNK_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI 
diff --git a/siem-converter/app/converter/backends/splunk/siem_functions/__init__.py b/siem-converter/app/converter/platforms/splunk/siem_functions/__init__.py
similarity index 100%
rename from siem-converter/app/converter/backends/splunk/siem_functions/__init__.py
rename to siem-converter/app/converter/platforms/splunk/siem_functions/__init__.py
diff --git a/siem-converter/app/converter/platforms/sumo_logic/__init__.py b/siem-converter/app/converter/platforms/sumo_logic/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/siem-converter/app/converter/backends/sumo_logic/const.py b/siem-converter/app/converter/platforms/sumo_logic/const.py
similarity index 100%
rename from siem-converter/app/converter/backends/sumo_logic/const.py
rename to siem-converter/app/converter/platforms/sumo_logic/const.py
diff --git a/siem-converter/app/converter/platforms/sumo_logic/mappings/__init__.py b/siem-converter/app/converter/platforms/sumo_logic/mappings/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/siem-converter/app/converter/backends/sumo_logic/mappings/sumologic_cti.py b/siem-converter/app/converter/platforms/sumo_logic/mappings/sumologic_cti.py
similarity index 100%
rename from siem-converter/app/converter/backends/sumo_logic/mappings/sumologic_cti.py
rename to siem-converter/app/converter/platforms/sumo_logic/mappings/sumologic_cti.py
diff --git a/siem-converter/app/converter/platforms/sumo_logic/renders/__init__.py b/siem-converter/app/converter/platforms/sumo_logic/renders/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/siem-converter/app/converter/backends/sumo_logic/renders/sumologic_cti.py b/siem-converter/app/converter/platforms/sumo_logic/renders/sumologic_cti.py
similarity index 88%
rename from siem-converter/app/converter/backends/sumo_logic/renders/sumologic_cti.py
rename to siem-converter/app/converter/platforms/sumo_logic/renders/sumologic_cti.py
index 66a76bc4..33773088 100644
--- a/siem-converter/app/converter/backends/sumo_logic/renders/sumologic_cti.py +++ b/siem-converter/app/converter/platforms/sumo_logic/renders/sumologic_cti.py @@ -17,8 +17,8 @@ ----------------------------------------------------------------- """ -from app.converter.backends.sumo_logic.const import SUMO_LOGIC_QUERY_DETAILS -from app.converter.backends.sumo_logic.mappings.sumologic_cti import DEFAULT_SUMOLOGIC_MAPPING +from app.converter.platforms.sumo_logic.const import SUMO_LOGIC_QUERY_DETAILS +from app.converter.platforms.sumo_logic.mappings.sumologic_cti import DEFAULT_SUMOLOGIC_MAPPING from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.render_cti import RenderCTI diff --git a/siem-converter/app/routers/translate.py b/siem-converter/app/routers/translate.py index 7b2bb179..0fd21f6f 100644 --- a/siem-converter/app/routers/translate.py +++ b/siem-converter/app/routers/translate.py @@ -76,7 +76,7 @@ def generate_all_translations( @st_router.get( "/platforms", tags=["siem_translate"], - description="Get converter backends", + description="Get converter platforms", ) @st_router.get("/platforms/", include_in_schema=False) def get_convertor_platforms() -> ConvertorPlatforms: @@ -86,7 +86,7 @@ def get_convertor_platforms() -> ConvertorPlatforms: @st_router.get( "/all_platforms", - description="Get Sigma, RootA and iocs backends", + description="Get Sigma, RootA and iocs platforms", ) @st_router.get("/all_platforms/", include_in_schema=False) def get_all_platforms() -> list: