UncoderIO
diff --git a/‎.gitignore‎
Lines changed: 7 additions & 0 deletions b/‎.gitignore‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎docker-compose.yml‎
Lines changed: 21 additions & 0 deletions b/‎docker-compose.yml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎siem-converter/.gitignore‎
Lines changed: 203 additions & 0 deletions b/‎siem-converter/.gitignore‎
Lines changed: 203 additions & 0 deletions
diff --git a/‎siem-converter/Dockerfile‎
Lines changed: 9 additions & 0 deletions b/‎siem-converter/Dockerfile‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎siem-converter/app/__init__.py‎ b/‎siem-converter/app/__init__.py‎
diff --git a/‎siem-converter/app/converter/__init__.py‎ b/‎siem-converter/app/converter/__init__.py‎
diff --git a/‎siem-converter/app/converter/backends/__init__.py‎
Lines changed: 122 additions & 0 deletions b/‎siem-converter/app/converter/backends/__init__.py‎
Lines changed: 122 additions & 0 deletions
diff --git a/‎siem-converter/app/converter/backends/athena/__init__.py‎ b/‎siem-converter/app/converter/backends/athena/__init__.py‎
diff --git a/‎siem-converter/app/converter/backends/athena/const.py‎
Lines changed: 12 additions & 0 deletions b/‎siem-converter/app/converter/backends/athena/const.py‎
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,7 @@
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
+# misc
+.DS_Store
+*.pem
+
+/.idea
@@ -0,0 +1,21 @@
+version: '3'
+services:
+  uncoder-os:
+    build:
+      context: './uncoder-os/'
+    container_name: uncoder-os
+    restart: always
+    environment:
+      - HOST=0.0.0.0
+    ports:
+      - '4010:4010'
+  siem-converter:
+    build:
+      context: './siem-converter/'
+    container_name: siem-converter
+    restart: always
+    environment:
+      - HOST=0.0.0.0
+      - PORT=8000
+    ports:
+      - '8000:8000'
@@ -0,0 +1,203 @@
+# OS generated files
+.DS_Store?
+ehthumbs.db
+Icon?
+Thumbs.db
+*.DS_Store
+.DS_Store
+.gitmodules
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+# Python venv
+venv/
+
+# Pycharm IDE
+.idea/
+
+# Python compile files
+__pycache__/
+*.pyc
+
+# Config files
+*.ini
+
+*.env
+
+# Logs
+*.log
+
+# Temp dirs or files
+sigma_git/
+!tmp/.gitkeep
+
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Visual Studio Code Environment
+.vscode/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# Temp file (deploy_key gitlab)
+deploy_key
+keys/
+
+# temp test files
+test_data
+
+# backup_logs
+.backup_logs
+
+# sigmac tests stuff
+tactics.json
+techniques.json
@@ -0,0 +1,9 @@
+FROM python:3.9-alpine
+RUN apk add --update --no-cache linux-headers build-base python3-dev libffi-dev
+WORKDIR /siem_converter
+COPY . .
+RUN pip install --upgrade pip && \
+    python -m pip install --upgrade setuptools && \
+    pip install --trusted-host=pypi.python.org --trusted-host=pypi.org --trusted-host=files.pythonhosted.org --no-cache-dir -Ur requirements.txt
+EXPOSE 8000
+CMD ["python", "server.py"]
@@ -0,0 +1,122 @@
+from app.converter.backends.athena.parsers.athena import AthenaParser
+from app.converter.backends.athena.renders.athena import AthenaQueryRender
+from app.converter.backends.athena.renders.athena_cti import AthenaCTI
+from app.converter.backends.carbonblack.renders.carbonblack_cti import CarbonBlackCTI
+from app.converter.backends.chronicle.parsers.chronicle import ChronicleParser
+from app.converter.backends.chronicle.parsers.chronicle_rule import ChronicleRuleParser
+from app.converter.backends.chronicle.renders.chronicle import ChronicleQueryRender
+from app.converter.backends.chronicle.renders.chronicle_cti import ChronicleQueryCTI
+from app.converter.backends.chronicle.renders.chronicle_rule import ChronicleSecurityRuleRender
+from app.converter.backends.crowdstrike.parsers.crowdstrike import CrowdStrikeParser
+from app.converter.backends.crowdstrike.renders.crowdstrike import CrowdStrikeQueryRender
+from app.converter.backends.crowdstrike.renders.crowdstrike_cti import CrowdStrikeCTI
+from app.converter.backends.elasticsearch.parsers.detection_rule import ElasticSearchRuleParser
+from app.converter.backends.elasticsearch.parsers.elasticsearch import ElasticSearchParser
+from app.converter.backends.elasticsearch.renders.detection_rule import ElasticSearchRuleRender
+from app.converter.backends.elasticsearch.renders.elast_alert import ElastAlertRuleRender
+from app.converter.backends.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender
+from app.converter.backends.elasticsearch.renders.elasticsearch_cti import ElasticsearchCTI
+from app.converter.backends.elasticsearch.renders.kibana import KibanaRuleRender
+from app.converter.backends.elasticsearch.renders.xpack_watcher import XPackWatcherRuleRender
+from app.converter.backends.fireeye_helix.renders.fireeye_helix_cti import FireeyeHelixCTI
+from app.converter.backends.graylog.renders.graylog_cti import GraylogCTI
+from app.converter.backends.logpoint.renders.logpoint_cti import LogpointCTI
+from app.converter.backends.logscale.parsers.logscale import LogScaleParser
+from app.converter.backends.logscale.parsers.logscale_alert import LogScaleAlertParser
+from app.converter.backends.logscale.renders.logscale_cti import LogScaleCTI
+from app.converter.backends.logscale.renders.logscale import LogScaleQueryRender
+from app.converter.backends.logscale.renders.logscale_alert import LogScaleAlertRender
+from app.converter.backends.microsoft.parsers.microsoft_defender import MicrosoftDefenderQueryParser
+from app.converter.backends.microsoft.parsers.microsoft_sentinel import MicrosoftParser
+from app.converter.backends.microsoft.parsers.microsoft_sentinel_rule import MicrosoftRuleParser
+from app.converter.backends.microsoft.renders.microsoft_defender import MicrosoftDefenderQueryRender
+from app.converter.backends.microsoft.renders.microsoft_defender_cti import MicrosoftDefenderCTI
+from app.converter.backends.microsoft.renders.microsoft_sentinel import MicrosoftSentinelQueryRender
+from app.converter.backends.microsoft.renders.microsoft_sentinel_cti import MicrosoftSentinelCTI
+from app.converter.backends.microsoft.renders.microsoft_sentinel_rule import MicrosoftSentinelRuleRender
+from app.converter.backends.opensearch.parsers.opensearch import OpenSearchParser
+from app.converter.backends.opensearch.renders.opensearch import OpenSearchQueryRender
+from app.converter.backends.opensearch.renders.opensearch_cti import OpenSearchCTI
+from app.converter.backends.opensearch.renders.opensearch_rule import OpenSearchRuleRender
+from app.converter.backends.qradar.parsers.qradar import QradarParser
+from app.converter.backends.qradar.renders.qradar import QradarQueryRender
+from app.converter.backends.qradar.renders.qradar_cti import QRadarCTI
+from app.converter.backends.qualys.renders.qualys_cti import QualysCTI
+from app.converter.backends.rsa_netwitness.renders.rsa_netwitness_cti import RSANetwitnessCTI
+from app.converter.backends.securonix.renders.securonix_cti import SecuronixCTI
+from app.converter.backends.sentinel_one.renders.s1_cti import S1EventsCTI
+from app.converter.backends.sigma.parsers.sigma import SigmaParser
+from app.converter.backends.sigma.renders.sigma import SigmaRender
+from app.converter.backends.snowflake.renders.snowflake_cti import SnowflakeCTI
+from app.converter.backends.splunk.parsers.splunk import SplunkParser
+from app.converter.backends.splunk.parsers.splunk_alert import SplunkAlertParser
+from app.converter.backends.splunk.renders.splunk import SplunkQueryRender
+from app.converter.backends.splunk.renders.splunk_alert import SplunkAlertRender
+from app.converter.backends.splunk.renders.splunk_cti import SplunkCTI
+from app.converter.backends.sumo_logic.renders.sumologic_cti import SumologicCTI
+
+__ALL_RENDERS = (
+    SigmaRender(),
+    MicrosoftSentinelQueryRender(),
+    MicrosoftSentinelRuleRender(),
+    MicrosoftDefenderQueryRender(),
+    QradarQueryRender(),
+    CrowdStrikeQueryRender(),
+    SplunkQueryRender(),
+    SplunkAlertRender(),
+    ChronicleQueryRender(),
+    ChronicleSecurityRuleRender(),
+    AthenaQueryRender(),
+    ElasticSearchQueryRender(),
+    LogScaleQueryRender(),
+    LogScaleAlertRender(),
+    ElasticSearchRuleRender(),
+    ElastAlertRuleRender(),
+    KibanaRuleRender(),
+    XPackWatcherRuleRender(),
+    OpenSearchQueryRender(),
+    OpenSearchRuleRender()
+)
+
+__ALL_PARSERS = (
+    AthenaParser(),
+    ChronicleParser(),
+    ChronicleRuleParser(),
+    SplunkParser(),
+    SplunkAlertParser(),
+    SigmaParser(),
+    QradarParser(),
+    MicrosoftParser(),
+    MicrosoftRuleParser(),
+    MicrosoftDefenderQueryParser(),
+    CrowdStrikeParser(),
+    LogScaleParser(),
+    LogScaleAlertParser(),
+    ElasticSearchParser(),
+    ElasticSearchRuleParser(),
+    OpenSearchParser()
+)
+
+
+__ALL_RENDERS_CTI = (
+        MicrosoftSentinelCTI(),
+        MicrosoftDefenderCTI(),
+        QRadarCTI(),
+        SplunkCTI(),
+        ChronicleQueryCTI(),
+        CrowdStrikeCTI(),
+        SumologicCTI(),
+        ElasticsearchCTI(),
+        LogScaleCTI(),
+        OpenSearchCTI(),
+        FireeyeHelixCTI(),
+        CarbonBlackCTI(),
+        GraylogCTI(),
+        LogpointCTI(),
+        QualysCTI(),
+        RSANetwitnessCTI(),
+        S1EventsCTI(),
+        SecuronixCTI(),
+        SnowflakeCTI(),
+        AthenaCTI()
+)
@@ -0,0 +1,12 @@
+from app.converter.core.models.platform_details import PlatformDetails
+
+ATHENA_QUERY_DETAILS = {
+    "siem_type": "athena-sql-query",
+    "name": "AWS Athena Query",
+    "group_name": "AWS Athena",
+    "platform_name": "Query",
+    "group_id": "athena",
+    "alt_platform_name": "OCSF"
+}
+
+athena_details = PlatformDetails(**ATHENA_QUERY_DETAILS)
-Original file line number
+Diff line change
@@ @@ -0,0 +1,7 @@ @@
 +# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
++
 +# misc
 +.DS_Store
 +*.pem
++
 +/.idea