Add Exabeam New-Scale platform support

README.md

@@ -71,6 +71,9 @@ Uncoder IO can be run on-prem without a need for an internet connection, thus su
 - FortiSIEM Rule - `fortisiem-rule`
 - LogRhythm Axon Rule - `axon-ads-rule`
 - LogRhythm Axon Query - `axon-ads-query`
+- Exabeam New-Scale EQL Query - `exabeam-eql-query`
+- Exabeam New-Scale Analytics Rule - `exabeam-analytics-rule`
+- Exabeam New-Scale Correlation Rule - `exabeam-correlation-rule`
 
 
 IOC-based queries can be generated in the following formats:
@@ -95,6 +98,7 @@ IOC-based queries can be generated in the following formats:
 - Snowflake Query - `snowflake`
 - Sumo Logic Query - `sumologic`
 - VMware Carbon Black Query (Cloud) - `carbonblack`
+- Exabeam New-Scale EQL Query - `exabeam-eql-query`
 
 The following types of IOCs are supported:  
 - Hash  
@@ -113,7 +117,7 @@ TODO list of languages we will support shortly:
 - Databricks
 - Cribl
 - ~FortiSIEM~ :white_check_mark:
-- Exabeam
+- ~Exabeam~ :white_check_mark:
 - Palo Alto Cortex XSOAR
 - ~ElastAlert~ :white_check_mark: 
 - FireEye OpenIOC

uncoder-core/app/translator/core/models/platform_details.py

@@ -12,3 +12,4 @@ class PlatformDetails:
     alt_platform_name: Optional[str] = "Default"
     alt_platform: Optional[str] = "regular"
     first_choice: Optional[int] = 1
+    file_extension: Optional[str] = "txt"

uncoder-core/app/translator/mappings/platforms/exabeam/default.yml

@@ -0,0 +1,118 @@
+platform: Exabeam
+source: default
+
+default_log_source:
+  table: events
+
+log_source:
+  table: events
+
+field_mapping:
+  # Sigma standard field names to Exabeam CIM2
+  CommandLine: process_command_line
+  Image: process_path
+  ParentImage: parent_process_path
+  ParentCommandLine: parent_process_command_line
+  ProcessId: process_id
+  ParentProcessId: parent_process_id
+  OriginalFileName: process_original_file_name
+  User: user
+  Computer: src_host
+  EventID: event_id
+
+  # File event fields
+  TargetFilename: file_path
+  TargetFileName: file_path
+  FileName: file_name
+  FilePath: file_path
+
+  # Registry fields  
+  TargetObject: registry_path
+  Details: registry_value_data
+  RegistryKey: registry_key
+  RegistryValue: registry_value_name
+
+  # Network connection fields
+  DestinationIp: dest_ip
+  DestinationPort: dest_port
+  SourceIp: src_ip
+  SourcePort: src_port
+  Initiated: network_initiated
+  DestinationHostname: dest_host
+  RemoteAddress: dest_ip
+  RemotePort: dest_port
+
+  # PowerShell fields
+  ScriptBlockText: powershell_script_content
+
+  # Additional process fields
+  Company: process_company
+  Product: process_product
+  FileDescription: process_description
+  ProductVersion: process_product_version
+
+  # Service fields
+  ServiceName: service_name
+  ServiceFileName: service_path
+
+  # Authentication fields
+  SubjectUserName: user
+  TargetUserName: dest_user
+  WorkstationName: src_host
+  IpAddress: src_ip
+
+  # Universal CIM2 fields
+  time: timestamp
+  vendor: vendor
+  product: product
+  activity_type: activity_type
+  outcome: outcome
+  subject: user
+  host: src_host
+
+  # Process creation
+  process.name: process_name
+  process.pid: process_id
+  process.command_line: process_command_line
+  process.parent.name: parent_process_name
+  process.parent.pid: parent_process_id
+  process.parent.command_line: parent_process_command_line
+
+  # User/Authentication  
+  user.name: user
+  user.domain: user_domain
+  source.user.name: src_user
+  target.user.name: dest_user
+
+  # Network
+  source.ip: src_ip
+  destination.ip: dest_ip
+  source.port: src_port
+  destination.port: dest_port
+  network.protocol: protocol
+  source.domain: src_host
+  destination.domain: dest_host
+  url.original: url
+
+  # File
+  file.name: file_name
+  file.path: file_path
+  file.directory: file_directory
+  file.hash.md5: file_hash
+  file.hash.sha1: file_hash
+  file.hash.sha256: file_hash
+  file.hash.sha512: file_hash
+
+  # Registry (Windows)
+  registry.key: registry_key
+  registry.value: registry_value_name
+  registry.data: registry_value_data
+
+  # Event ID mapping
+  event.code: event_id
+  event.action: activity
+
+  # Service/System
+  service.name: service_name
+  winlog.channel: log_name
+  winlog.event_id: event_id

uncoder-core/app/translator/mappings/platforms/exabeam/windows_network_connection.yml

@@ -0,0 +1,53 @@
+platform: Exabeam
+source: windows_network_connection
+
+conditions:
+  event.category: 'network'
+
+log_source:
+  table: [events, network_events]
+
+default_log_source:
+  table: events
+
+field_mapping:
+  # Sigma network field names to Exabeam CIM2
+  SourceIp: src_ip
+  DestinationIp: dest_ip
+  SourcePort: src_port
+  DestinationPort: dest_port
+  SourceAddress: src_ip
+  DestinationAddress: dest_ip
+  RemoteAddress: dest_ip
+  RemotePort: dest_port
+  Protocol: protocol
+  Initiated: network_initiated
+  Image: process_path
+  User: user
+  ProcessId: process_id
+
+  # Network connection fields
+  source.ip: src_ip
+  destination.ip: dest_ip
+  source.port: src_port
+  destination.port: dest_port
+  network.protocol: protocol
+  network.direction: direction
+
+  # Process context
+  process.name: process_name
+  process.pid: process_id
+  process.executable: process_path
+
+  # User context
+  user.name: user
+  user.domain: user_domain
+
+  # Host context
+  host.name: src_host
+  destination.domain: dest_host
+
+  # Event context
+  winlog.event_id: event_id
+  "@timestamp": timestamp
+  time: timestamp

uncoder-core/app/translator/mappings/platforms/exabeam/windows_process_creation.yml

@@ -0,0 +1,58 @@
+platform: Exabeam
+source: windows_process_creation
+
+conditions:
+  event.category: 'process'
+
+log_source:
+  activity_type: process-create
+
+default_log_source:
+  activity_type: process-create
+
+field_mapping:
+  # Sigma field mappings to Exabeam CIM2 fields
+  CommandLine: process_command_line
+  Image: process_path
+  ParentImage: parent_process_path
+  ParentCommandLine: parent_process_command_line
+  ProcessId: process_id
+  ParentProcessId: parent_process_id
+  ProcessGuid: process_guid
+  ParentProcessGuid: parent_process_guid
+  UtcTime: timestamp
+  CreationUtcTime: timestamp
+  User: user
+  ParentUser: parent_process_user
+  IntegrityLevel: process_integrity_level
+  CurrentDirectory: process_working_directory
+  LogonId: logon_id
+  LogonGuid: logon_guid
+  TerminalSessionId: terminal_session_id
+  OriginalFileName: process_original_file_name
+  Company: process_company
+  Product: process_product
+  Description: process_description
+  FileVersion: process_file_version
+  Hashes: process_hash
+  md5: process_hash
+  sha1: process_hash
+  sha256: process_hash
+  IMPHASH: process_imphash
+  RuleName: rule_name
+
+  # File and registry fields
+  TargetFilename: file_path
+  TargetObject: registry_path
+
+  # System fields
+  EventID: event_id
+  Computer: src_host
+  SubjectUserName: user
+  TargetUserName: dest_user
+
+  # Network fields
+  SourceIp: src_ip
+  DestinationIp: dest_ip
+  DestinationPort: dest_port
+  SourcePort: src_port

uncoder-core/app/translator/platforms/exabeam/__init__.py

@@ -0,0 +1,4 @@
+from app.translator.platforms.exabeam.renders.exabeam import ExabeamEQLQueryRender  # noqa: F401
+from app.translator.platforms.exabeam.renders.exabeam import ExabeamAnalyticsRuleRender  # noqa: F401
+from app.translator.platforms.exabeam.renders.exabeam import ExabeamCorrelationRuleRender  # noqa: F401
+from app.translator.platforms.exabeam.renders.exabeam_cti import ExabeamCTI  # noqa: F401

uncoder-core/app/translator/platforms/exabeam/const.py

@@ -0,0 +1,118 @@
+"""
+Uncoder IO Community Edition License
+-----------------------------------------------------------------
+Copyright (c) 2024 SOC Prime, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-----------------------------------------------------------------
+"""
+
+from app.translator.core.custom_types.meta_info import SeverityType
+from app.translator.core.models.platform_details import PlatformDetails
+
+PLATFORM_DETAILS = {"group_id": "exabeam", "group_name": "Exabeam New-Scale", "alt_platform_name": "Default"}
+
+_EXABEAM_EQL_QUERY = "exabeam-eql-query"
+_EXABEAM_ANALYTICS_RULE = "exabeam-analytics-rule"
+_EXABEAM_CORRELATION_RULE = "exabeam-correlation-rule"
+
+EXABEAM_QUERY_TYPES = {
+    _EXABEAM_EQL_QUERY,
+    _EXABEAM_ANALYTICS_RULE,
+    _EXABEAM_CORRELATION_RULE,
+}
+
+EXABEAM_EQL_QUERY_DETAILS = {
+    "platform_id": _EXABEAM_EQL_QUERY,
+    "name": "Exabeam EQL Query",
+    "platform_name": "Search Query (EQL)",
+    "file_extension": "txt",
+    **PLATFORM_DETAILS,
+}
+
+EXABEAM_ANALYTICS_RULE_DETAILS = {
+    "platform_id": _EXABEAM_ANALYTICS_RULE,
+    "name": "Exabeam Analytics Rule",
+    "platform_name": "Analytics Rule (JSON)",
+    "file_extension": "json",
+    **PLATFORM_DETAILS,
+}
+
+EXABEAM_CORRELATION_RULE_DETAILS = {
+    "platform_id": _EXABEAM_CORRELATION_RULE,
+    "name": "Exabeam Correlation Rule",
+    "platform_name": "Correlation Rule (JSON)",
+    "file_extension": "json",
+    **PLATFORM_DETAILS,
+}
+
+exabeam_eql_query_details = PlatformDetails(**EXABEAM_EQL_QUERY_DETAILS)
+exabeam_analytics_rule_details = PlatformDetails(**EXABEAM_ANALYTICS_RULE_DETAILS)
+exabeam_correlation_rule_details = PlatformDetails(**EXABEAM_CORRELATION_RULE_DETAILS)
+
+EXABEAM_ANALYTICS_RULE_TEMPLATE = {
+    "version": "1",
+    "ruleDefinitions": [{
+        "templateId": "",
+        "name": "",
+        "description": "",
+        "applicableEvents": [{"activity_type": ""}],
+        "detectionReason": "",
+        "type": "factFeature",
+        "mitre": [],
+        "useCases": [],
+        "value": "true",
+        "actOnCondition": "",
+        "suppressThreshold": "10 minutes",
+        "trainOnCondition": "true",
+        "suppressScope": "JoinIfExists(EntityId('type: User && direction: Source'), EntityId('type: Device && direction: Source'))",
+        "familyId": "",
+        "ruleGroupId": "",
+        "severity": "Medium"
+    }]
+}
+
+EXABEAM_CORRELATION_RULE_TEMPLATE = {
+    "version": "1",
+    "ruleDefinitions": [{
+        "name": "",
+        "description": "",
+        "useCase": "",
+        "mitre": [],
+        "sequencesExecution": "CREATION_ORDER",
+        "severity": "medium",
+        "sequencesConfig": {
+            "sequences": [{
+                "name": "",
+                "query": "",
+                "condition": {"triggerOnAnyMatch": True},
+                "id": ""
+            }],
+            "commonProperties": None,
+            "outcomes": None
+        }
+    }]
+}
+
+DEFAULT_EXABEAM_CTI_MAPPING = {
+    "DestinationIP": "dest_ip",
+    "SourceIP": "src_ip", 
+    "HashSha512": "file_hash",
+    "HashSha256": "file_hash",
+    "HashMd5": "file_hash",
+    "Emails": "user",
+    "Domain": "dest_host",
+    "HashSha1": "file_hash",
+    "Files": "file_name",
+    "URL": "url",
+}