Commit682f473

authored
Merge pull request#193 from UncoderIO/gis-8601
anomali render
2 parents4adffd5 +002430c commit682f473


15 files changed

+320
-76
lines changed


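--- a/uncoder-core/app/translator/const.py
+++ b/uncoder-core/app/translator/const.py
@@ -9,4 +9,4 @@
 
 CTI_IOCS_PER_QUERY_LIMIT = 25
 
-DEFAULT_VALUE_TYPE = Union[int, str, StrValue, list[Union[int, str, StrValue]]]
+DEFAULT_VALUE_TYPE = Union[bool, int, str, StrValue, list[Union[int, str, StrValue]]]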
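Review bot: The widened alias adds `bool` only to the scalar branch; the list branch `list[Union[int, str, StrValue]]` on the same line still excludes it, so a list of booleans for one field is not covered by the annotation even though the new Anomali renderer in this commit iterates list values element-wise. If that is intended, a one-line comment saying so would help; otherwise widen both sides: `DEFAULT_VALUE_TYPE = Union[bool, int, str, StrValue, list[Union[bool, int, str, StrValue]]]`. Note also that `bool` is a subclass of `int` at runtime, so any downstream `isinstance(value, int)` already matches `True`/`False` — this change affects static typing only, not dispatch.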

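--- a/uncoder-core/app/translator/core/render.py
+++ b/uncoder-core/app/translator/core/render.py
@@ -90,7 +90,7 @@ def _map_bool_value(value: bool) -> str:
     def _pre_process_value(
         self,
         field: str,
-        value: Union[int, str, StrValue],
+        value: Union[bool, int, str, StrValue],
         value_type: str = ValueType.value,
         wrap_str: bool = False,
         wrap_int: bool = False,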

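--- a/uncoder-core/app/translator/core/str_value_manager.py
+++ b/uncoder-core/app/translator/core/str_value_manager.py
@@ -130,6 +130,25 @@ def has_spec_symbols(self) -> bool:
         return any(isinstance(el, BaseSpecSymbol) for el in self.split_value)
 
 
+RE_STR_SPEC_SYMBOLS_MAP = {
+    "?": ReZeroOrOneQuantifier,
+    "*": ReZeroOrMoreQuantifier,
+    "+": ReOneOrMoreQuantifier,
+    "^": ReCaretSymbol,
+    "$": ReEndOfStrSymbol,
+    ".": ReAnySymbol,
+    "[": ReLeftSquareBracket,
+    "]": ReRightSquareBracket,
+    "(": ReLeftParenthesis,
+    ")": ReRightParenthesis,
+    "{": ReLeftCurlyBracket,
+    "}": ReRightCurlyBracket,
+    "|": ReOrOperator,
+    ",": ReCommaSymbol,
+    "-": ReHyphenSymbol,
+}
+
+
 CONTAINER_SPEC_SYMBOLS_MAP = {
     SingleSymbolWildCard: "?",
     UnboundLenWildCard: "*",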
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
platform:Anomali
2+
description:Common field mapping
3+
4+
field_mapping:
5+
c-uri-query:url
6+
c-useragent:user_agent
7+
CommandLine:command_line
8+
DestinationHostname:dest
9+
DestinationIp:dest_ip
10+
DestinationPort:dest_port
11+
Details:reg_value_data
12+
dst_ip:dest_ip
13+
dst_port:dest_port
14+
EventID:event_id
15+
EventName:event_name
16+
FileName:file_name
17+
FilePath:file_path
18+
Image:image
19+
NewProcessName:image
20+
OriginalFileName:original_file_name
21+
ParentCommandLine:parent_command_line
22+
ParentImage:parent_image
23+
ParentProcessID:parent_process_id
24+
Platform:platform
25+
ProcessCommandLine:command_line
26+
ProcessID:process_id
27+
SourceImage:parent_image
28+
SourcePort:src_port
29+
TargetFilename:file_name
30+
TargetObject:reg_key
31+
UserAgent:user_agent
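Review bot: `SourceImage: parent_image` looks semantically off — in Sysmon events 8 and 10 `SourceImage` is the process performing the injection or access, which need not be the parent of `TargetImage`, so rules keyed on it would be evaluated against the wrong Anomali field; this is inferred from the usual Sysmon meaning and should be checked against the Anomali schema. `c-uri-query: url` similarly maps a query-string-only field onto a full URL, and `TargetFilename: file_name` maps a full path onto what reads like a bare filename, which would keep `contains`/`endswith` rules working but make `equal` rules on a full path never match. Replacing the generic `description: Common field mapping` with a line that records which source schema (Sysmon, Windows Security, proxy) each key family comes from would make these choices reviewable.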
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
platform:Anomali
2+
source:default
3+
4+
5+
default_log_source:{}
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
fromapp.translator.platforms.anomali.renders.anomaliimportAnomaliQueryRender# noqa: F401
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
fromapp.translator.core.models.platform_detailsimportPlatformDetails
2+
3+
ANOMALI_QUERY_DETAILS= {
4+
"platform_id":"anomali-aql-query",
5+
"name":"Anomali Security Analytics Query",
6+
"group_name":"Anomali Security Analytics",
7+
"platform_name":"Query",
8+
"group_id":"anomali",
9+
}
10+
11+
anomali_query_details=PlatformDetails(**ANOMALI_QUERY_DETAILS)
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
fromapp.translator.core.mappingimportBaseCommonPlatformMappings,LogSourceSignature
2+
fromapp.translator.platforms.anomali.constimportanomali_query_details
3+
4+
5+
classAnomaliLogSourceSignature(LogSourceSignature):
6+
defis_suitable(self)->bool:
7+
returnTrue
8+
9+
def__str__(self)->str:
10+
return""
11+
12+
13+
classAnomaliMappings(BaseCommonPlatformMappings):
14+
defprepare_log_source_signature(self,mapping:dict)->AnomaliLogSourceSignature:# noqa: ARG002
15+
returnAnomaliLogSourceSignature()
16+
17+
18+
anomali_query_mappings=AnomaliMappings(platform_dir="anomali",platform_details=anomali_query_details)
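Review bot: `AnomaliLogSourceSignature.is_suitable` returns `True` unconditionally and `__str__` returns an empty string, but nothing explains why — presumably because Anomali has a single default log source (`default_log_source: {}` elsewhere in this commit) and no source-selection syntax. A class docstring would keep a later maintainer from "fixing" it, e.g. `"""Anomali has no log-source selector: every mapping is suitable and contributes no query prefix."""`, and the `# noqa: ARG002` on `prepare_log_source_signature` deserves the same one-line reason for ignoring `mapping`.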

‎uncoder-core/app/translator/platforms/anomali/renders/__init__.py‎

Whitespace-only changes.
Lines changed: 100 additions & 0 deletions
@@ -0,0 +1,100 @@
1+
"""
2+
Uncoder IO Community Edition License
3+
-----------------------------------------------------------------
4+
Copyright (c) 2024 SOC Prime, Inc.
5+
6+
Licensed under the Apache License, Version 2.0 (the "License");
7+
you may not use this file except in compliance with the License.
8+
You may obtain a copy of the License at
9+
10+
http://www.apache.org/licenses/LICENSE-2.0
11+
12+
Unless required by applicable law or agreed to in writing, software
13+
distributed under the License is distributed on an "AS IS" BASIS,
14+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15+
See the License for the specific language governing permissions and
16+
limitations under the License.
17+
-----------------------------------------------------------------
18+
"""
19+
fromapp.translator.constimportDEFAULT_VALUE_TYPE
20+
fromapp.translator.core.custom_types.valuesimportValueType
21+
fromapp.translator.core.models.platform_detailsimportPlatformDetails
22+
fromapp.translator.core.renderimportBaseFieldValueRender,PlatformQueryRender
23+
fromapp.translator.managersimportrender_manager
24+
fromapp.translator.platforms.anomali.constimportanomali_query_details
25+
fromapp.translator.platforms.anomali.mappingimportAnomaliMappings,anomali_query_mappings
26+
fromapp.translator.platforms.base.sql.str_value_managerimportsql_str_value_manager
27+
28+
29+
classAnomaliFieldValueRender(BaseFieldValueRender):
30+
details:PlatformDetails=anomali_query_details
31+
str_value_manager=sql_str_value_manager
32+
33+
@staticmethod
34+
def_wrap_str_value(value:str)->str:
35+
returnf"'{value}'"
36+
37+
defequal_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:
38+
ifisinstance(value,list):
39+
returnf"({self.or_token.join([self.equal_modifier(field=field,value=v)forvinvalue])})"
40+
returnf"{field} ={self._pre_process_value(field,value,wrap_str=True)}"
41+
42+
defnot_equal_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:
43+
ifisinstance(value,list):
44+
returnf"({self.or_token.join([self.not_equal_modifier(field=field,value=v)forvinvalue])})"
45+
returnf"{field} !={self._pre_process_value(field,value,wrap_str=True)}"
46+
47+
defless_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:
48+
returnf"{field} <{self._pre_process_value(field,value,wrap_str=True)}"
49+
50+
defless_or_equal_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:
51+
returnf"{field} <={self._pre_process_value(field,value,wrap_str=True)}"
52+
53+
defgreater_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:
54+
returnf"{field} >{self._pre_process_value(field,value,wrap_str=True)}"
55+
56+
defgreater_or_equal_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:
57+
returnf"{field} >={self._pre_process_value(field,value,wrap_str=True)}"
58+
59+
defcontains_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:
60+
ifisinstance(value,list):
61+
returnf"({self.or_token.join(self.contains_modifier(field=field,value=v)forvinvalue)})"
62+
returnf"{field} like '%{self._pre_process_value(field,value)}%'"
63+
64+
defendswith_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:
65+
ifisinstance(value,list):
66+
returnf"({self.or_token.join(self.endswith_modifier(field=field,value=v)forvinvalue)})"
67+
returnf"{field} like '%{self._pre_process_value(field,value)}'"
68+
69+
defstartswith_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:
70+
ifisinstance(value,list):
71+
returnf"({self.or_token.join(self.startswith_modifier(field=field,value=v)forvinvalue)})"
72+
returnf"{field} like '{self._pre_process_value(field,value)}%'"
73+
74+
defregex_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:
75+
ifisinstance(value,list):
76+
returnf"({self.or_token.join(self.regex_modifier(field=field,value=v)forvinvalue)})"
77+
regex_str=self._pre_process_value(field,value,value_type=ValueType.regex_value,wrap_str=True)
78+
returnf"regexp_like({field},{regex_str})"
79+
80+
defkeywords(self,field:str,value:DEFAULT_VALUE_TYPE)->str:
81+
returnf'message contains "{self._pre_process_value(field,value)}"'
82+
83+
84+
@render_manager.register
85+
classAnomaliQueryRender(PlatformQueryRender):
86+
details:PlatformDetails=anomali_query_details
87+
mappings:AnomaliMappings=anomali_query_mappings
88+
89+
or_token="OR"
90+
and_token="AND"
91+
not_token="NOT"
92+
93+
comment_symbol="--"
94+
is_single_line_comment=True
95+
96+
field_value_render=AnomaliFieldValueRender(or_token=or_token)
97+
98+
@staticmethod
99+
def_finalize_search_query(query:str)->str:
100+
returnf"| where{query}"ifqueryelse""
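Review bot: `keywords` wraps the value in double quotes (`message contains "..."`) while every other string literal in this renderer goes through `_wrap_str_value`, which uses single quotes; whatever escaping `sql_str_value_manager` applies is presumably aimed at single-quoted literals (not verifiable here), so a `"` inside a keyword would terminate the literal and leave the rest of the value to be parsed as query syntax. The `like '%...%'` branches in `contains_modifier`, `startswith_modifier` and `endswith_modifier` have the related problem that a literal `%` or `_` in the rule value is a LIKE wildcard and nothing in this file escapes it, so such rules silently match more than intended. If Anomali accepts single-quoted literals for `contains`, the simplest fix is `return f"message contains {self._pre_process_value(field, value, wrap_str=True)}"`; otherwise `"` must be escaped before interpolation, and the LIKE values need `%`/`_` escaped (with an `escape` clause if the dialect supports one). A module docstring stating which characters `sql_str_value_manager` escapes would make these contracts checkable.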
