Second Attempt Pull request

README.md

@@ -71,6 +71,7 @@ Uncoder IO can be run on-prem without a need for an internet connection, thus su
 - FortiSIEM Rule - `fortisiem-rule`
 - LogRhythm Axon Rule - `axon-ads-rule`
 - LogRhythm Axon Query - `axon-ads-query`
+- LogRhythm SIEM Query - `siem-json-query`
 
 
 IOC-based queries can be generated in the following formats:

uncoder-core/app/translator/mappings/platforms/logrhythm_siem/default.yml

@@ -0,0 +1,309 @@
+platform: LogRhythm SIEM
+source: default
+
+
+field_mapping:
+  EventID: vendor_information.id
+  Channel: general_information.log_source.type_name
+  ComputerName: origin.host.name
+  FileName: object.file.name
+  ProcessId: object.process.id
+  Image: object.process.name
+  AccountEmail: unattributed.account.email_address
+  ContextInfo: general_information.raw_message
+  CurrentDirectory: object.process.path
+  ParentProcessId: object.process.parent_process.id
+  ParentImage: object.process.parent_process.path
+  ParentCommandLine: object.process.parent_process.command_line
+  TargetFilename: object.file.name
+  SourceIp: origin.host.ip_address.value
+  SourceHostname: origin.host.name
+  SourcePort: origin.host.network_port.value
+  DestinationIp: target.host.ip_address.value
+  DestinationHostname:
+    - target.host.name
+    - target.host.domain
+  DestinationPort: target.host.network_port.value
+  DestinationPortName: action.network.protocol.name
+  ImageLoaded: object.file.path
+  SignatureStatus: object.process.signature.status
+  SourceProcessId: object.process.id
+  SourceImage: object.process.name
+  Device: object.process.path
+  Destination: object.process.name
+  QueryName: action.dns.query
+  QueryStatus: action.dns.result
+  CommandName: object.process.command_line
+  CommandPath: object.process.path
+  HostApplication: object.script.command_line
+  HostName: origin.host.name
+  ScriptName: object.script.name
+  ScriptBlockText: object.script.command_line
+  ScriptBlockId: object.script.id
+  Application: object.process.name
+  ClientAddress: origin.host.ip_address.value
+  ClientName: origin.host.domain.name
+  DestAddress: target.host.ip_address.value
+  DestPort: target.host.network_port.value
+  IpAddress: origin.host.ip_address.value
+  IpPort: origin.host.network_port.value
+  NewProcessId: object.process.id
+  NewProcessName: object.process.name
+  ParentProcessName: object.process.parent_process.name
+  ProcessName: object.process.name
+  SourceAddress: origin.host.ip_address.value
+  WorkstationName: origin.host.name
+  destination.port: target.host.network_port.value
+  dst: target.host.ip_address.value
+  dst_ip: target.host.ip_address.value
+  dst_port: target.host.network_port.value
+  network_application:
+    - action.network.protocol.name
+    - object.url.protocol
+  network_protocol: action.network.protocol.name
+  proto: action.network.protocol.name
+  src: origin.host.ip_address.value
+  src_ip: origin.host.ip_address.value
+  src_port: origin.host.network_port.value
+  action: action.command
+  mqtt_action: action.command
+  smb_action: action.command
+  tunnel_action: action.command
+  arg: object.process.command_args
+  ftp_arg: object.process.command_args
+  mysql_arg: object.process.command_args
+  pop3_arg: object.process.command_args
+  client: origin.host.ip_address.value
+  command: action.command
+  ftp_command: action.command
+  irc_command: action.command
+  pop3_command: action.command
+  duration: action.duration
+  from: origin.account.email_address
+  kerberos_from: origin.account.email_address
+  smtp_from: origin.account.email_address
+  method: action.network.http_method
+  http_method: action.network.http_method
+  sip_method: action.network.http_method
+  name: object.file.name
+  smb_files_name: object.file.name
+  software_name: object.file.name
+  weird_name: object.file.name
+  path: object.file.path
+  smb_mapping_path: object.file.path
+  smb_files_path: object.file.path
+  smtp_files_path: object.file.path
+  password: object.file.name
+  reply_to: target.account.email_address
+  response_body_len: action.network.byte_information.received
+  request_body_len: action.network.byte_information.sent
+  rtt: action.duration
+  status_code: action.result.code
+  known_certs_subject: object.certificate.subject
+  sip_subject: object.email_message.subject
+  smtp_subject: object.email_message.subject
+  ssl_subject: object.certificate.subject
+  username: origin.account.name
+  uri: object.url.path
+  user: origin.account.name
+  user_agent: action.user_agent
+  http_user_agent: action.user_agent
+  gquic_user_agent: action.user_agent
+  sip_user_agent: action.user_agent
+  smtp_user_agent: action.user_agent
+  version: object.file.version
+  gquic_version: object.file.version
+  http_version: object.file.version
+  ntp_version: object.file.version
+  socks_version: object.file.version
+  snmp_version: object.file.version
+  ssh_version: object.file.version
+  tls_version: object.file.version
+  answer: action.dns.result
+  question_length: action.network.byte_information.total
+  record_type: action.dns.record_type
+  parent_domain: target.host.domain
+  cs-bytes: action.network.byte_information.received
+  r-dns: target.host.domain
+  sc-bytes: action.network.byte_information.received
+  sc-status: action.result.code
+  c-uri: object.url.complete
+  c-uri-extension: object.url.type
+  c-uri-query: object.url.query
+  c-uri-stem: object.url.path
+  c-useragent: action.user_agent
+  cs-host:
+    - target.host.name
+    - target.host.domain
+  cs-method: action.network.http_method
+  cs-version: object.file.version
+  uid: action.session.id
+  endpoint: origin.host.name
+  domain: target.host.domain
+  host_name: target.host.name
+  client_fqdn: origin.host.name
+  requested_addr: target.host.ip_address.value
+  server_addr: target.host.ip_address.value
+  qtype: action.dns.record_type
+  qtype_name: action.dns.record_type
+  query: action.dns.query
+  rcode_name: action.dns.result
+  md5: unattributed.hash.md5
+  sha1: unattributed.hash.sha1
+  sha256: unattributed.hash.sha256
+  sha512: unattributed.hash.sha512
+  filename: object.file.name
+  host:
+    - unattributed.host.name
+    - unattributed.host.ip_address.value
+  domainname: unattributed.host.name
+  hostname: unattributed.host.name
+  server_nb_computer_name: unattributed.host.name
+  server_tree_name: unattributed.host.name
+  server_dns_computer_name: unattributed.host.name
+  machine: unattributed.host.name
+  os: origin.host.os.platform
+  mac: unattributed.host.mac_address
+  result:
+    - action.result.message
+    - action.result.code
+    - action.result.reason
+  mailfrom: origin.account.email_address
+  rcptto: target.account.email_address
+  second_received: target.account.email_address
+  server_name: unattributed.host.name
+  c-ip: origin.host.ip_address.value
+  cs-uri: object.url.path
+  cs-uri-query: object.url.query
+  cs-uri-stem: object.url.path
+  clientip: origin.host.ip_address.value
+  clientIP: origin.host.ip_address.value
+  dest_domain:
+    - target.host.name
+    - target.host.domain
+  dest_ip: target.host.ip_address.value
+  dest_port: target.host.network_port.value
+  agent.version: object.file.version
+  destination.hostname:
+    - target.host.name
+    - target.host.domain
+  DestinationAddress:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+  DestinationIP: target.host.ip_address.value
+  dst-ip: target.host.ip_address.value
+  dstip: target.host.ip_address.value
+  dstport: target.host.ip_address.value
+  Host: target.host.name
+  HostVersion: object.file.version
+  http_host:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+  http_uri: object.url.path
+  http_url: object.url.complete
+  http.request.url-query-params: object.url.query
+  HttpMethod: action.network.http_method
+  in_url: object.url.path
+  post_url_parameter: object.url.path
+  Request_Url: object.url.complete
+  request_url: object.url.complete
+  request_URL: object.url.complete
+  RequestUrl: object.url.complete
+  resource.url: object.url.path
+  resource.URL: object.url.path
+  sc_status: action.result.code
+  sender_domain:
+    - target.host.name
+    - target.host.domain
+  service.response_code: action.result.code
+  source:
+    - origin.host.name
+    - origin.host.domain.name
+    - origin.host.ip_address.value
+  SourceAddr: origin.host.ip_address.value
+  SourceIP: origin.host.ip_address.value
+  SourceNetworkAddress: origin.host.ip_address.value
+  srcip: origin.host.ip_address.value
+  Status: action.result.code
+  status: action.result.code
+  url: object.url.path
+  URL: object.url.path
+  url_query: object.url.query
+  url.query: object.url.query
+  uri_path: object.url.path
+  user_agent.name: action.user_agent
+  user-agent: action.user_agent
+  User-Agent: action.user_agent
+  useragent: action.user_agent
+  UserAgent: action.user_agent
+  User_Agent: action.user_agent
+  web_dest:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+    - object.url.domain
+  web.dest:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+    - object.url.domain
+  Web.dest:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+    - object.url.domain
+  web.host:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+    - object.url.domain
+  Web.host:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+    - object.url.domain
+  web_method: action.network.http_method
+  Web_method: action.network.http_method
+  web.method: action.network.http_method
+  Web.method: action.network.http_method
+  web_src: origin.host.ip_address.value
+  web_status: action.result.code
+  Web_status: action.result.code
+  web.status: action.result.code
+  Web.status: action.result.code
+  web_uri: object.url.path
+  web_url: object.url.complete
+  destination.ip: target.host.ip_address.value
+  source.ip: origin.host.ip_address.value
+  source.port: origin.host.ip_address.value
+  Computer:
+    - target.host.name
+    - target.host.domain
+    - target.host.ip_address.value
+  OriginalFileName: object.file.name
+  User: origin.account.name
+  EventType: action.command
+  TargetObject:
+    - object.registry_object.key
+    - object.registry_object.path
+    - object.resource.name
+  CommandLine: object.process.command_line
+  type:
+    - action.command
+    - action.type
+    - action.session.type
+  a0:
+    - object.process.command_line
+    - object.process.command_args
+    - object.process.name
+  cs-user-agent: action.user_agent
+  blocked:
+    - action.message
+    - action.result.reason
+  cs-ip: origin.host.ip_address.value
+  SubjectLogonId: action.session.id
+  SubjectUserName: origin.account.name
+  SubjectUserSid: origin.account.id
+  SubjectDomainName: origin.account.domain

uncoder-core/app/translator/platforms/logrhythm_siem/__init__.py

@@ -0,0 +1,2 @@
+# from app.translator.platforms.logrhythm_siem.renders.logrhythm_siem_query import LogRhythmSiemQueryRender  # noqa: F401
+from app.translator.platforms.logrhythm_siem.renders.logrhythm_siem_rule import LogRhythmSiemRuleRender  # noqa: F401