NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commit3f24987

authored

Merge pull request#191 from UncoderIO/gis-8503

Gis 8503

2 parents2c82341 +51cdf69 commit3f24987Copy full SHA for 3f24987

File tree

3 files changed

+54

-2

lines changed

uncoder-core/app/translator/platforms/splunk
- __init__.py
- const.py
- parsers
  - splunk_alert.py

3 files changed

+54

-2

lines changed

`‎uncoder-core/app/translator/platforms/splunk/init.py‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`fromapp.translator.platforms.splunk.parsers.splunkimportSplunkQueryParser# noqa: F401`
`2`		`-fromapp.translator.platforms.splunk.parsers.splunk_alertimportSplunkAlertParser# noqa: F401`
	`2`	`+fromapp.translator.platforms.splunk.parsers.splunk_alertimportSplunkAlertParser,SplunkAlertYMLParser# noqa: F401`
`3`	`3`	`fromapp.translator.platforms.splunk.renders.splunkimportSplunkQueryRender# noqa: F401`
`4`	`4`	`fromapp.translator.platforms.splunk.renders.splunk_alertimportSplunkAlertRender# noqa: F401`
`5`	`5`	`fromapp.translator.platforms.splunk.renders.splunk_ctiimportSplunkCTI# noqa: F401`

`‎uncoder-core/app/translator/platforms/splunk/const.py‎`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -42,5 +42,14 @@`
`42`	`42`	`**PLATFORM_DETAILS,`
`43`	`43`	`}`
`44`	`44`
	`45`	`+SPLUNK_ALERT_YML_DETAILS= {`
	`46`	`+"platform_id":"splunk-spl-rule-yml",`
	`47`	`+"name":"Splunk Alert YML",`
	`48`	`+"platform_name":"Alert (SPL) YML",`
	`49`	`+"first_choice":0,`
	`50`	`+**PLATFORM_DETAILS,`
	`51`	`+}`
	`52`	`+`
`45`	`53`	`splunk_query_details=PlatformDetails(**SPLUNK_QUERY_DETAILS)`
`46`	`54`	`splunk_alert_details=PlatformDetails(**SPLUNK_ALERT_DETAILS)`
	`55`	`+splunk_alert_yml_details=PlatformDetails(**SPLUNK_ALERT_YML_DETAILS)`

`‎uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py‎`

Lines changed: 44 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -20,10 +20,11 @@`
`20`	`20`
`21`	`21`	`fromapp.translator.core.custom_types.meta_infoimportSeverityType`
`22`	`22`	`fromapp.translator.core.mitreimportMitreConfig`
	`23`	`+fromapp.translator.core.mixins.ruleimportYamlRuleMixin`
`23`	`24`	`fromapp.translator.core.models.platform_detailsimportPlatformDetails`
`24`	`25`	`fromapp.translator.core.models.query_containerimportMetaInfoContainer,MitreInfoContainer,RawQueryContainer`
`25`	`26`	`fromapp.translator.managersimportparser_manager`
`26`		`-fromapp.translator.platforms.splunk.constimportsplunk_alert_details`
	`27`	`+fromapp.translator.platforms.splunk.constimportsplunk_alert_details,splunk_alert_yml_details`
`27`	`28`	`fromapp.translator.platforms.splunk.mappingimportSplunkMappings,splunk_alert_mappings`
`28`	`29`	`fromapp.translator.platforms.splunk.parsers.splunkimportSplunkQueryParser`
`29`	`30`
`@@ -73,3 +74,45 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:`
`73`	`74`	`mitre_attack=mitre_attack_container,`
`74`	`75`	`),`
`75`	`76`	`)`
	`77`	`+`
	`78`	`+`
	`79`	`+@parser_manager.register`
	`80`	`+classSplunkAlertYMLParser(SplunkQueryParser,YamlRuleMixin):`
	`81`	`+details:PlatformDetails=splunk_alert_yml_details`
	`82`	`+mappings:SplunkMappings=splunk_alert_mappings`
	`83`	`+mitre_config:MitreConfig=MitreConfig()`
	`84`	`+`
	`85`	`+defparse_raw_query(self,text:str,language:str)->RawQueryContainer:`
	`86`	`+rule=self.load_rule(text)`
	`87`	`+mitre_attack_container=self.mitre_config.get_mitre_info(`
	`88`	`+techniques=rule.get("tags", {}).get("mitre_attack_id", [])`
	`89`	`+ )`
	`90`	`+description=rule.get("description","")`
	`91`	`+ifrule.get("how_to_implement",""):`
	`92`	`+description=f'{description}{rule.get("how_to_implement","")}'`
	`93`	`+tags=rule.get("tags", {}).get("analytic_story", [])`
	`94`	`+ifrule.get("type"):`
	`95`	`+tags.append(rule.get("type"))`
	`96`	`+false_positives=None`
	`97`	`+ifrule.get("known_false_positives"):`
	`98`	`+false_positives= (`
	`99`	`+rule["known_false_positives"]`
	`100`	`+ifisinstance(rule["known_false_positives"],list)`
	`101`	`+else [rule["known_false_positives"]]`
	`102`	`+ )`
	`103`	`+returnRawQueryContainer(`
	`104`	`+query=rule.get("search"),`
	`105`	`+language=language,`
	`106`	`+meta_info=MetaInfoContainer(`
	`107`	`+id_=rule.get("id"),`
	`108`	`+title=rule.get("name"),`
	`109`	`+date=rule.get("date"),`
	`110`	`+author=rule.get("author").split(", "),`
	`111`	`+status=rule.get("status"),`
	`112`	`+description=description,`
	`113`	`+false_positives=false_positives,`
	`114`	`+references=rule.get("references"),`
	`115`	`+mitre_attack=mitre_attack_container,`
	`116`	`+tags=tags,`
	`117`	`+ ),`
	`118`	`+ )`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3f24987

File tree

3 files changed

3 files changed

`‎uncoder-core/app/translator/platforms/splunk/init.py‎`

`‎uncoder-core/app/translator/platforms/splunk/const.py‎`

`‎uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py‎`

0 commit comments

Movatterモバイル変換

File tree

3 files changed

3 files changed

‎uncoder-core/app/translator/platforms/splunk/__init__.py‎

‎uncoder-core/app/translator/platforms/splunk/const.py‎

‎uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py‎

0 commit comments

`‎uncoder-core/app/translator/platforms/splunk/init.py‎`

`‎uncoder-core/app/translator/platforms/splunk/const.py‎`

`‎uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py‎`