Merge pull request #222 from UncoderIO/gis-9137

Gis 9137 Create  IOCs sigma render

Author: nazargesyk

uncoder-core/app/routers/ioc_translate.py

@@ -4,11 +4,10 @@
 
 from app.models.ioc_translation import CTIPlatform, OneTranslationCTIData
 from app.models.translation import InfoMessage
-from app.translator.cti_translator import CTITranslator
+from app.translator.cti_translator import cti_translator
 from app.translator.tools.const import HashType, IocParsingRule, IOCType
 
 iocs_router = APIRouter()
-cti_translator = CTITranslator()
 
 
 @iocs_router.post("/iocs/translate", description="Parse IOCs from text.")

uncoder-core/app/translator/cti_translator.py

@@ -86,3 +86,6 @@ def __get_iocs_chunk(
     @classmethod
     def get_renders(cls) -> list:
         return cls.render_manager.get_platforms_details
+
+
+cti_translator = CTITranslator()

uncoder-core/app/translator/platforms/arcsight/const.py

@@ -9,4 +9,18 @@
     "alt_platform_name": "CEF",
 }
 
+
+DEFAULT_ARCSIGHT_CTI_MAPPING = {
+    "SourceIP": "sourceAddress",
+    "DestinationIP": "destinationAddress",
+    "Domain": "destinationDnsDomain",
+    "URL": "requestUrl",
+    "HashMd5": "fileHash",
+    "HashSha1": "fileHash",
+    "HashSha256": "fileHash",
+    "HashSha512": "fileHash",
+    "Emails": "sender-address",
+    "Files": "winlog.event_data.TargetFilename",
+}
+
 arcsight_query_details = PlatformDetails(**ARCSIGHT_QUERY_DETAILS)

uncoder-core/app/translator/platforms/arcsight/mappings/__init__.py

@@ -1,15 +1,14 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.arcsight.const import arcsight_query_details
-from app.translator.platforms.arcsight.mappings.arcsight_cti import DEFAULT_ARCSIGHT_MAPPING
+from app.translator.platforms.arcsight.const import arcsight_query_details, DEFAULT_ARCSIGHT_CTI_MAPPING
 
 
 @render_cti_manager.register
 class ArcsightKeyword(RenderCTI):
     details: PlatformDetails = arcsight_query_details
 
-    default_mapping = DEFAULT_ARCSIGHT_MAPPING
+    default_mapping = DEFAULT_ARCSIGHT_CTI_MAPPING
     field_value_template: str = "{key} = {value}"
     or_operator: str = " OR "
     group_or_operator: str = " OR "

uncoder-core/app/translator/platforms/arcsight/mappings/arcsight_cti.py

@@ -9,4 +9,18 @@
     "alt_platform_name": "OCSF",
 }
 
+DEFAULT_ATHENA_CTI_MAPPING = {
+    "SourceIP": "src_endpoint",
+    "DestinationIP": "dst_endpoint",
+    "Domain": "dst_endpoint",
+    "URL": "http_request",
+    "HashMd5": "unmapped.file.hash.md5",
+    "HashSha1": "unmapped.file.hash.sha1",
+    "HashSha256": "unmapped.file.hash.sha256",
+    "HashSha512": "unmapped.file.hash.sha512",
+    "Email": "email",
+    "FileName": "file.name",
+}
+
+
 athena_query_details = PlatformDetails(**ATHENA_QUERY_DETAILS)

uncoder-core/app/translator/platforms/arcsight/renders/arcsight_cti.py

@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.athena.const import athena_query_details
-from app.translator.platforms.athena.mappings.athena_cti import DEFAULT_ATHENA_MAPPING
+from app.translator.platforms.athena.const import DEFAULT_ATHENA_CTI_MAPPING, athena_query_details
 
 
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class AthenaCTI(RenderCTI):
     result_join: str = ""
     final_result_for_many: str = "SELECT * from eventlog where {result}\n"
     final_result_for_one: str = "SELECT * from eventlog where {result}\n"
-    default_mapping = DEFAULT_ATHENA_MAPPING
+    default_mapping = DEFAULT_ATHENA_CTI_MAPPING