NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commit532bf3d

committed

gis-9099 add microsoft sentinel to one vendor flow

1 parent3e2c071 commit532bf3dCopy full SHA for 532bf3d

File tree

2 files changed

+33

-6

lines changed

uncoder-core/app/translator
- platforms/microsoft
  - const.py
- translator.py

2 files changed

+33

-6

lines changed

`‎uncoder-core/app/translator/platforms/microsoft/const.py‎`

Lines changed: 7 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,15 +19,18 @@`
`19`	`19`
`20`	`20`	`PLATFORM_DETAILS= {"group_id":"sentinel","group_name":"Microsoft Sentinel"}`
`21`	`21`
	`22`	`+_SENTINEL_KQL_QUERY="sentinel-kql-query"`
	`23`	`+_SENTINEL_KQL_RULE="sentinel-kql-rule"`
	`24`	`+`
`22`	`25`	`MICROSOFT_SENTINEL_QUERY_DETAILS= {`
`23`		`-"platform_id":"sentinel-kql-query",`
	`26`	`+"platform_id":_SENTINEL_KQL_QUERY,`
`24`	`27`	`"name":"Microsoft Sentinel Query",`
`25`	`28`	`"platform_name":"Query (Kusto)",`
`26`	`29`	`**PLATFORM_DETAILS,`
`27`	`30`	`}`
`28`	`31`
`29`	`32`	`MICROSOFT_SENTINEL_RULE_DETAILS= {`
`30`		`-"platform_id":"sentinel-kql-rule",`
	`33`	`+"platform_id":_SENTINEL_KQL_RULE,`
`31`	`34`	`"name":"Microsoft Sentinel Rule",`
`32`	`35`	`"platform_name":"Rule (Kusto)",`
`33`	`36`	`"first_choice":0,`
`@@ -50,6 +53,8 @@`
`50`	`53`	`"group_id":"microsoft-defender",`
`51`	`54`	`}`
`52`	`55`
	`56`	`+MICROSOFT_QUERY_TYPES= {_SENTINEL_KQL_QUERY,_SENTINEL_KQL_RULE}`
	`57`	`+`
`53`	`58`	`microsoft_defender_query_details=PlatformDetails(**MICROSOFT_DEFENDER_DETAILS)`
`54`	`59`	`microsoft_sentinel_query_details=PlatformDetails(**MICROSOFT_SENTINEL_QUERY_DETAILS)`
`55`	`60`	`microsoft_sentinel_rule_details=PlatformDetails(**MICROSOFT_SENTINEL_RULE_DETAILS)`

`‎uncoder-core/app/translator/translator.py‎`

Lines changed: 26 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,12 +1,16 @@`
`1`	`1`	`importlogging`
`2`		`-fromtypingimportOptional`
	`2`	`+fromcollectionsimportCounter`
	`3`	`+fromtypingimportOptional,Union`
`3`	`4`
`4`	`5`	`fromapp.translator.core.exceptions.coreimportUnsupportedPlatform`
`5`	`6`	`fromapp.translator.core.models.query_containerimportRawQueryContainer,TokenizedQueryContainer`
`6`		`-fromapp.translator.core.parserimportQueryParser`
	`7`	`+fromapp.translator.core.parserimportPlatformQueryParser,QueryParser`
`7`	`8`	`fromapp.translator.core.renderimportQueryRender`
`8`	`9`	`fromapp.translator.managersimportParserManager,RenderManager,parser_manager,render_manager`
`9`	`10`	`fromapp.translator.platforms.elasticsearch.constimportELASTIC_QUERY_TYPES`
	`11`	`+fromapp.translator.platforms.microsoft.constimportMICROSOFT_QUERY_TYPES`
	`12`	`+fromapp.translator.platforms.roota.parsers.rootaimportRootAParser`
	`13`	`+fromapp.translator.platforms.sigma.mappingimportsigma_rule_mappings`
`10`	`14`	`fromapp.translator.tools.decoratorsimporthandle_translation_exceptions`
`11`	`15`
`12`	`16`
`@@ -32,18 +36,36 @@ def __get_render(self, target: str) -> QueryRender:`
`32`	`36`
`33`	`37`	`@staticmethod`
`34`	`38`	`def__is_one_vendor_translation(source:str,target:str)->bool:`
`35`		`-vendors_query_types= [ELASTIC_QUERY_TYPES]`
	`39`	`+vendors_query_types= [ELASTIC_QUERY_TYPES,MICROSOFT_QUERY_TYPES]`
`36`	`40`	`forvendor_query_typesinvendors_query_types:`
`37`	`41`	`ifsourceinvendor_query_typesandtargetinvendor_query_types:`
`38`	`42`	`returnTrue`
`39`	`43`
`40`	`44`	`returnFalse`
`41`	`45`
`42`		`-defparse_raw_query(self,text:str,source:str)->tuple[QueryParser,RawQueryContainer]:`
	`46`	`+defparse_raw_query(`
	`47`	`+self,text:str,source:str`
	`48`	`+ )->tuple[Union[PlatformQueryParser,RootAParser],RawQueryContainer]:`
`43`	`49`	`parser=self.__get_parser(source)`
`44`	`50`	`text=parser.remove_comments(text)`
`45`	`51`	`returnparser,parser.parse_raw_query(text,language=source)`
`46`	`52`
	`53`	`+defparse_meta_info(self,text:str,source:str)->Union[dict,RawQueryContainer]:`
	`54`	`+parser,raw_query_container=self.parse_raw_query(text=text,source=source)`
	`55`	`+source_mappings=parser.get_source_mapping_ids_by_logsources(raw_query_container.query)`
	`56`	`+log_sources= {"product":Counter(),"service":Counter(),"category":Counter()}`
	`57`	`+sigma_source_mappings=sigma_rule_mappings.get_source_mappings_by_ids(`
	`58`	`+ [source_mapping.source_idforsource_mappinginsource_mappings],return_default=False`
	`59`	`+ )`
	`60`	`+forsigma_source_mappinginsigma_source_mappings:`
	`61`	`+ifproduct:=sigma_source_mapping.log_source_signature.log_sources.get("product"):`
	`62`	`+log_sources["product"][product]+=1`
	`63`	`+ifservice:=sigma_source_mapping.log_source_signature.log_sources.get("service"):`
	`64`	`+log_sources["service"][service]+=1`
	`65`	`+ifcategory:=sigma_source_mapping.log_source_signature.log_sources.get("category"):`
	`66`	`+log_sources["category"][category]+=1`
	`67`	`+returnlog_sources,raw_query_container`
	`68`	`+`
`47`	`69`	`@handle_translation_exceptions`
`48`	`70`	`def__parse_incoming_data(`
`49`	`71`	`self,text:str,source:str,target:Optional[str]=None`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit532bf3d

File tree

2 files changed

2 files changed

`‎uncoder-core/app/translator/platforms/microsoft/const.py‎`

`‎uncoder-core/app/translator/translator.py‎`

0 commit comments