NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commit0e5e0ca

authored

Merge pull request#217 from UncoderIO/gis-9099

Gis 9099 add microsoft sentinel to one vendor flow

2 parentsa749460 +e25af9b commit0e5e0caCopy full SHA for 0e5e0ca

File tree

5 files changed

+49

-12

lines changed

uncoder-core/app/translator
- core/models
  - query_container.py
- platforms/microsoft
  - const.py
  - renders
    - microsoft_sentinel.py
    - microsoft_sentinel_rule.py
- translator.py

5 files changed

+49

-12

lines changed

`‎uncoder-core/app/translator/core/models/query_container.py‎`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ def __init__(`
`78`	`78`	`parsed_logsources:Optional[dict]=None,`
`79`	`79`	`timeframe:Optional[timedelta]=None,`
`80`	`80`	`query_period:Optional[timedelta]=None,`
`81`		`-mitre_attack:MitreInfoContainer=MitreInfoContainer(),`
	`81`	`+mitre_attack:Optional[MitreInfoContainer]=None,`
`82`	`82`	`raw_metainfo_container:Optional[RawMetaInfoContainer]=None,`
`83`	`83`	`)->None:`
`84`	`84`	`self.id=id_orstr(uuid.uuid4())`
`@@ -88,7 +88,7 @@ def __init__(`
`88`	`88`	`self.risk_score=risk_score`
`89`	`89`	`self.type_=type_or""`
`90`	`90`	`self.description=descriptionor""`
`91`		`-self.author= [v.strip()forvinauthor]ifauthorelse []`
	`91`	`+self.author= [v.strip()forvinauthor]ifauthorandauthor!= [None]else []`
`92`	`92`	`self.date=dateordatetime.now().date().strftime("%Y-%m-%d")`
`93`	`93`	`self.output_table_fields=output_table_fieldsor []`
`94`	`94`	`self.query_fields=query_fieldsor []`
`@@ -98,15 +98,15 @@ def __init__(`
`98`	`98`	`self.severity=severityorSeverityType.low`
`99`	`99`	`self.references=referencesor []`
`100`	`100`	`self.tags=tagsor []`
`101`		`-self.mitre_attack=mitre_attackorNone`
	`101`	`+self.mitre_attack=mitre_attackorMitreInfoContainer()`
`102`	`102`	`self.raw_mitre_attack=raw_mitre_attackor []`
`103`	`103`	`self.status=statusor"stable"`
`104`	`104`	`self.false_positives=false_positivesor []`
`105`	`105`	`self._source_mapping_ids=source_mapping_idsor [DEFAULT_MAPPING_NAME]`
`106`	`106`	`self.parsed_logsources=parsed_logsourcesor {}`
`107`	`107`	`self.timeframe=timeframe`
`108`	`108`	`self.query_period=query_period`
`109`		`-self.raw_metainfo_container=raw_metainfo_container`
	`109`	`+self.raw_metainfo_container=raw_metainfo_containerorRawMetaInfoContainer()`
`110`	`110`
`111`	`111`	`@property`
`112`	`112`	`defauthor_str(self)->str:`

`‎uncoder-core/app/translator/platforms/microsoft/const.py‎`

Lines changed: 7 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,15 +19,18 @@`
`19`	`19`
`20`	`20`	`PLATFORM_DETAILS= {"group_id":"sentinel","group_name":"Microsoft Sentinel"}`
`21`	`21`
	`22`	`+_SENTINEL_KQL_QUERY="sentinel-kql-query"`
	`23`	`+_SENTINEL_KQL_RULE="sentinel-kql-rule"`
	`24`	`+`
`22`	`25`	`MICROSOFT_SENTINEL_QUERY_DETAILS= {`
`23`		`-"platform_id":"sentinel-kql-query",`
	`26`	`+"platform_id":_SENTINEL_KQL_QUERY,`
`24`	`27`	`"name":"Microsoft Sentinel Query",`
`25`	`28`	`"platform_name":"Query (Kusto)",`
`26`	`29`	`**PLATFORM_DETAILS,`
`27`	`30`	`}`
`28`	`31`
`29`	`32`	`MICROSOFT_SENTINEL_RULE_DETAILS= {`
`30`		`-"platform_id":"sentinel-kql-rule",`
	`33`	`+"platform_id":_SENTINEL_KQL_RULE,`
`31`	`34`	`"name":"Microsoft Sentinel Rule",`
`32`	`35`	`"platform_name":"Rule (Kusto)",`
`33`	`36`	`"first_choice":0,`
`@@ -50,6 +53,8 @@`
`50`	`53`	`"group_id":"microsoft-defender",`
`51`	`54`	`}`
`52`	`55`
	`56`	`+MICROSOFT_SENTINEL_QUERY_TYPES= {_SENTINEL_KQL_QUERY,_SENTINEL_KQL_RULE}`
	`57`	`+`
`53`	`58`	`microsoft_defender_query_details=PlatformDetails(**MICROSOFT_DEFENDER_DETAILS)`
`54`	`59`	`microsoft_sentinel_query_details=PlatformDetails(**MICROSOFT_SENTINEL_QUERY_DETAILS)`
`55`	`60`	`microsoft_sentinel_rule_details=PlatformDetails(**MICROSOFT_SENTINEL_RULE_DETAILS)`

`‎uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel.py‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@`
`22`	`22`	`fromapp.translator.constimportDEFAULT_VALUE_TYPE`
`23`	`23`	`fromapp.translator.core.mappingimportLogSourceSignature`
`24`	`24`	`fromapp.translator.core.models.platform_detailsimportPlatformDetails`
	`25`	`+fromapp.translator.core.models.query_containerimportRawQueryContainer`
`25`	`26`	`fromapp.translator.core.renderimportBaseFieldValueRender,PlatformQueryRender`
`26`	`27`	`fromapp.translator.managersimportrender_manager`
`27`	`28`	`fromapp.translator.platforms.microsoft.constimportmicrosoft_sentinel_query_details`
`@@ -144,3 +145,6 @@ def generate_prefix(self, log_source_signature: LogSourceSignature, functions_pr`
`144`	`145`	`@staticmethod`
`145`	`146`	`def_finalize_search_query(query:str)->str:`
`146`	`147`	`returnf"\| where{query}"ifqueryelse""`
	`148`	`+`
	`149`	`+defgenerate_from_raw_query_container(self,query_container:RawQueryContainer)->str:`
	`150`	`+returnquery_container.query`

`‎uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_rule.py‎`

Lines changed: 8 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@`
`26`	`26`	`fromapp.translator.core.custom_types.meta_infoimportSeverityType`
`27`	`27`	`fromapp.translator.core.mappingimportSourceMapping`
`28`	`28`	`fromapp.translator.core.models.platform_detailsimportPlatformDetails`
`29`		`-fromapp.translator.core.models.query_containerimportMetaInfoContainer,MitreInfoContainer`
	`29`	`+fromapp.translator.core.models.query_containerimportMetaInfoContainer,MitreInfoContainer,RawQueryContainer`
`30`	`30`	`fromapp.translator.managersimportrender_manager`
`31`	`31`	`fromapp.translator.platforms.microsoft.constimportDEFAULT_MICROSOFT_SENTINEL_RULE,microsoft_sentinel_rule_details`
`32`	`32`	`fromapp.translator.platforms.microsoft.mappingimportMicrosoftSentinelMappings,microsoft_sentinel_rule_mappings`
`@@ -107,7 +107,8 @@ def finalize_query(`
`107`	`107`	`*args,# noqa: ARG002`
`108`	`108`	`**kwargs,# noqa: ARG002`
`109`	`109`	`)->str:`
`110`		`-query=super().finalize_query(prefix=prefix,query=query,functions=functions)`
	`110`	`+ifnotkwargs.get("raw_query",False):`
	`111`	`+query=super().finalize_query(prefix=prefix,query=query,functions=functions)`
`111`	`112`	`rule=copy.deepcopy(DEFAULT_MICROSOFT_SENTINEL_RULE)`
`112`	`113`	`rule["query"]=query`
`113`	`114`	`rule["displayName"]=meta_info.titleor_AUTOGENERATED_TEMPLATE`
`@@ -130,3 +131,8 @@ def finalize_query(`
`130`	`131`	`json_rule=json.dumps(rule,indent=4,sort_keys=False)`
`131`	`132`	`json_rule=self.wrap_with_unmapped_fields(json_rule,unmapped_fields)`
`132`	`133`	`returnself.wrap_with_not_supported_functions(json_rule,not_supported_functions)`
	`134`	`+`
	`135`	`+defgenerate_from_raw_query_container(self,query_container:RawQueryContainer)->str:`
	`136`	`+returnself.finalize_query(`
	`137`	`+prefix="",query=query_container.query,functions="",meta_info=query_container.meta_info,raw_query=True`
	`138`	`+ )`

`‎uncoder-core/app/translator/translator.py‎`

Lines changed: 26 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,12 +1,16 @@`
`1`	`1`	`importlogging`
`2`		`-fromtypingimportOptional`
	`2`	`+fromcollectionsimportCounter`
	`3`	`+fromtypingimportOptional,Union`
`3`	`4`
`4`	`5`	`fromapp.translator.core.exceptions.coreimportUnsupportedPlatform`
`5`	`6`	`fromapp.translator.core.models.query_containerimportRawQueryContainer,TokenizedQueryContainer`
`6`		`-fromapp.translator.core.parserimportQueryParser`
	`7`	`+fromapp.translator.core.parserimportPlatformQueryParser,QueryParser`
`7`	`8`	`fromapp.translator.core.renderimportQueryRender`
`8`	`9`	`fromapp.translator.managersimportParserManager,RenderManager,parser_manager,render_manager`
`9`	`10`	`fromapp.translator.platforms.elasticsearch.constimportELASTIC_QUERY_TYPES`
	`11`	`+fromapp.translator.platforms.microsoft.constimportMICROSOFT_SENTINEL_QUERY_TYPES`
	`12`	`+fromapp.translator.platforms.roota.parsers.rootaimportRootAParser`
	`13`	`+fromapp.translator.platforms.sigma.mappingimportsigma_rule_mappings`
`10`	`14`	`fromapp.translator.tools.decoratorsimporthandle_translation_exceptions`
`11`	`15`
`12`	`16`
`@@ -32,18 +36,36 @@ def __get_render(self, target: str) -> QueryRender:`
`32`	`36`
`33`	`37`	`@staticmethod`
`34`	`38`	`def__is_one_vendor_translation(source:str,target:str)->bool:`
`35`		`-vendors_query_types= [ELASTIC_QUERY_TYPES]`
	`39`	`+vendors_query_types= [ELASTIC_QUERY_TYPES,MICROSOFT_SENTINEL_QUERY_TYPES]`
`36`	`40`	`forvendor_query_typesinvendors_query_types:`
`37`	`41`	`ifsourceinvendor_query_typesandtargetinvendor_query_types:`
`38`	`42`	`returnTrue`
`39`	`43`
`40`	`44`	`returnFalse`
`41`	`45`
`42`		`-defparse_raw_query(self,text:str,source:str)->tuple[QueryParser,RawQueryContainer]:`
	`46`	`+defparse_raw_query(`
	`47`	`+self,text:str,source:str`
	`48`	`+ )->tuple[Union[PlatformQueryParser,RootAParser],RawQueryContainer]:`
`43`	`49`	`parser=self.__get_parser(source)`
`44`	`50`	`text=parser.remove_comments(text)`
`45`	`51`	`returnparser,parser.parse_raw_query(text,language=source)`
`46`	`52`
	`53`	`+defparse_meta_info(self,text:str,source:str)->Union[dict,RawQueryContainer]:`
	`54`	`+parser,raw_query_container=self.parse_raw_query(text=text,source=source)`
	`55`	`+source_mappings=parser.get_source_mapping_ids_by_logsources(raw_query_container.query)`
	`56`	`+log_sources= {"product":Counter(),"service":Counter(),"category":Counter()}`
	`57`	`+sigma_source_mappings=sigma_rule_mappings.get_source_mappings_by_ids(`
	`58`	`+ [source_mapping.source_idforsource_mappinginsource_mappings],return_default=False`
	`59`	`+ )`
	`60`	`+forsigma_source_mappinginsigma_source_mappings:`
	`61`	`+ifproduct:=sigma_source_mapping.log_source_signature.log_sources.get("product"):`
	`62`	`+log_sources["product"][product]+=1`
	`63`	`+ifservice:=sigma_source_mapping.log_source_signature.log_sources.get("service"):`
	`64`	`+log_sources["service"][service]+=1`
	`65`	`+ifcategory:=sigma_source_mapping.log_source_signature.log_sources.get("category"):`
	`66`	`+log_sources["category"][category]+=1`
	`67`	`+returnlog_sources,raw_query_container`
	`68`	`+`
`47`	`69`	`@handle_translation_exceptions`
`48`	`70`	`def__parse_incoming_data(`
`49`	`71`	`self,text:str,source:str,target:Optional[str]=None`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0e5e0ca

File tree

5 files changed

5 files changed

`‎uncoder-core/app/translator/core/models/query_container.py‎`

`‎uncoder-core/app/translator/platforms/microsoft/const.py‎`

`‎uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel.py‎`

`‎uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_rule.py‎`

`‎uncoder-core/app/translator/translator.py‎`

0 commit comments