NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commit7bd8d38

authored

Merge pull request#22 from UncoderIO/improve-rule-description-generating

improve rule description

2 parents81d771a +2d521fc commit7bd8d38Copy full SHA for 7bd8d38

File tree

7 files changed

+84

-37

lines changed

siem-converter/app/converter
- platforms
  - elasticsearch/renders
  - logscale/renders
    - logscale_alert.py
  - microsoft/renders
    - microsoft_sentinel_rule.py
  - splunk/renders
    - splunk_alert.py
- tools
  - utils.py

7 files changed

+84

-37

lines changed

`‎siem-converter/app/converter/platforms/elasticsearch/renders/elast_alert.py‎`

Lines changed: 9 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@`
`23`	`23`	`fromapp.converter.core.mappingimportSourceMapping`
`24`	`24`	`fromapp.converter.core.models.platform_detailsimportPlatformDetails`
`25`	`25`	`fromapp.converter.core.models.parser_outputimportMetaInfoContainer`
`26`		`-fromapp.converter.tools.utilsimportget_author_str,concatenate_str,get_mitre_attack_str,get_licence_str`
	`26`	`+fromapp.converter.tools.utilsimportget_rule_description_str`
`27`	`27`
`28`	`28`
`29`	`29`	`SEVERITIES_MAP= {"informational":"5","low":"4","medium":"3","high":"2","critical":"1"}`
`@@ -48,11 +48,14 @@ def finalize_query(self, prefix: str, query: str, functions: str, meta_info: Met`
`48`	`48`	`source_mapping:SourceMapping=None,not_supported_functions:list=None):`
`49`	`49`	`query=super().finalize_query(prefix=prefix,query=query,functions=functions,meta_info=meta_info)`
`50`	`50`	`rule=ELASTICSEARCH_ALERT.replace("<query_placeholder>",query)`
`51`		`-description=concatenate_str(meta_info.description,get_author_str(meta_info.author))`
`52`		`-description=concatenate_str(description,get_licence_str(meta_info.license))`
`53`		`-description=concatenate_str(description,get_mitre_attack_str(meta_info.mitre_attack))`
`54`		`-`
`55`		`-rule=rule.replace("<description_place_holder>",description)`
	`51`	`+rule=rule.replace(`
	`52`	`+"<description_place_holder>",`
	`53`	`+get_rule_description_str(`
	`54`	`+description=meta_info.description,`
	`55`	`+license=meta_info.license,`
	`56`	`+mitre_attack=meta_info.mitre_attack`
	`57`	`+ )`
	`58`	`+ )`
`56`	`59`	`rule=rule.replace("<title_place_holder>",meta_info.title)`
`57`	`60`	`rule=rule.replace("<priority_place_holder>",SEVERITIES_MAP[meta_info.severity])`
`58`	`61`	`ifnot_supported_functions:`

`‎siem-converter/app/converter/platforms/elasticsearch/renders/kibana.py‎`

Lines changed: 9 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,8 +26,7 @@`
`26`	`26`	`fromapp.converter.core.mappingimportSourceMapping`
`27`	`27`	`fromapp.converter.core.models.platform_detailsimportPlatformDetails`
`28`	`28`	`fromapp.converter.core.models.parser_outputimportMetaInfoContainer`
`29`		`-fromapp.converter.tools.utilsimportconcatenate_str,get_author_str,get_licence_str,get_mitre_attack_str, \`
`30`		`-get_rule_id_str,get_references_str`
	`29`	`+fromapp.converter.tools.utilsimportget_rule_description_str`
`31`	`30`
`32`	`31`
`33`	`32`	`classKibanaFieldValue(ElasticSearchFieldValue):`
`@@ -49,12 +48,14 @@ def finalize_query(self, prefix: str, query: str, functions: str, meta_info: Met`
`49`	`48`	`rule=copy.deepcopy(KIBANA_RULE)`
`50`	`49`	`rule["_source"]["kibanaSavedObjectMeta"]["searchSourceJSON"]=dumped_rule`
`51`	`50`	`rule["_source"]["title"]=meta_info.title`
`52`		`-description=meta_info.descriptionorrule["_source"]["description"]`
`53`		`-description=concatenate_str(description,get_author_str(meta_info.author))`
`54`		`-description=concatenate_str(description,get_rule_id_str(meta_info.id))`
`55`		`-description=concatenate_str(description,get_licence_str(meta_info.license))`
`56`		`-description=concatenate_str(description,get_references_str(meta_info.references))`
`57`		`-rule["_source"]["description"]=concatenate_str(description,get_mitre_attack_str(meta_info.mitre_attack))`
	`51`	`+rule["_source"]["description"]=get_rule_description_str(`
	`52`	`+description=meta_info.descriptionorrule["_source"]["description"],`
	`53`	`+author=meta_info.author,`
	`54`	`+rule_id=meta_info.id,`
	`55`	`+license=meta_info.license,`
	`56`	`+references=meta_info.references,`
	`57`	`+mitre_attack=meta_info.mitre_attack`
	`58`	`+ )`
`58`	`59`	`rule_str=json.dumps(rule,indent=4,sort_keys=False)`
`59`	`60`	`ifnot_supported_functions:`
`60`	`61`	`rendered_not_supported=self.render_not_supported_functions(not_supported_functions)`

`‎siem-converter/app/converter/platforms/elasticsearch/renders/xpack_watcher.py‎`

Lines changed: 7 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@`
`26`	`26`	`fromapp.converter.core.mappingimportSourceMapping`
`27`	`27`	`fromapp.converter.core.models.platform_detailsimportPlatformDetails`
`28`	`28`	`fromapp.converter.core.models.parser_outputimportMetaInfoContainer`
`29`		`-fromapp.converter.tools.utilsimportconcatenate_str,get_author_str,get_licence_str,get_mitre_attack_str`
	`29`	`+fromapp.converter.tools.utilsimportget_rule_description_str`
`30`	`30`
`31`	`31`
`32`	`32`	`classXpackWatcherRuleFieldValue(ElasticSearchFieldValue):`
`@@ -43,13 +43,15 @@ def finalize_query(self, prefix: str, query: str, functions: str, meta_info: Met`
`43`	`43`	`source_mapping:SourceMapping=None,not_supported_functions:list=None):`
`44`	`44`	`query=super().finalize_query(prefix=prefix,query=query,functions=functions,meta_info=meta_info)`
`45`	`45`	`rule=copy.deepcopy(XPACK_WATCHER_RULE)`
`46`		`-description=concatenate_str(meta_info.description,get_author_str(meta_info.author))`
`47`		`-description=concatenate_str(description,get_licence_str(meta_info.license))`
`48`		`-description=concatenate_str(description,get_mitre_attack_str(meta_info.mitre_attack))`
`49`	`46`	`rule["metadata"].update({`
`50`	`47`	`"query":query,`
`51`	`48`	`"title":meta_info.title,`
`52`		`-"description":description,`
	`49`	`+"description":get_rule_description_str(`
	`50`	`+description=meta_info.description,`
	`51`	`+author=meta_info.author,`
	`52`	`+license=meta_info.license,`
	`53`	`+mitre_attack=meta_info.mitre_attack`
	`54`	`+ ),`
`53`	`55`	`"tags":meta_info.mitre_attack`
`54`	`56`	`})`
`55`	`57`	`rule["input"]["search"]["request"]["body"]["query"]["bool"]["must"][0]["query_string"]["query"]=query`

`‎siem-converter/app/converter/platforms/logscale/renders/logscale_alert.py‎`

Lines changed: 7 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@`
`25`	`25`	`fromapp.converter.core.mappingimportSourceMapping`
`26`	`26`	`fromapp.converter.core.models.platform_detailsimportPlatformDetails`
`27`	`27`	`fromapp.converter.core.models.parser_outputimportMetaInfoContainer`
	`28`	`+fromapp.converter.tools.utilsimportget_rule_description_str`
`28`	`29`
`29`	`30`
`30`	`31`	`_AUTOGENERATED_TITLE="Autogenerated Falcon LogScale Alert"`
`@@ -44,10 +45,12 @@ def finalize_query(self, prefix: str, query: str, functions: str, meta_info: Met`
`44`	`45`	`rule=copy.deepcopy(DEFAULT_LOGSCALE_ALERT)`
`45`	`46`	`rule['query']['queryString']=query`
`46`	`47`	`rule['name']=meta_info.titleor_AUTOGENERATED_TITLE`
`47`		`-description=f"{meta_info.description}. Author:{meta_info.author}. License:{meta_info.license}."`
`48`		`-ifmeta_info.mitre_attack:`
`49`		`-description+=f" MITRE ATT&CK:{', '.join(meta_info.mitre_attack)}"`
`50`		`-rule['description']=description`
	`48`	`+rule['description']=get_rule_description_str(`
	`49`	`+description=meta_info.description,`
	`50`	`+license=meta_info.license,`
	`51`	`+mitre_attack=meta_info.mitre_attack,`
	`52`	`+author=meta_info.author`
	`53`	`+ )`
`51`	`54`
`52`	`55`	`json_query=json.dumps(rule,indent=4,sort_keys=False)`
`53`	`56`	`ifnot_supported_functions:`

`‎siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel_rule.py‎`

Lines changed: 6 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@`
`28`	`28`	`fromapp.converter.core.mappingimportSourceMapping`
`29`	`29`	`fromapp.converter.core.models.platform_detailsimportPlatformDetails`
`30`	`30`	`fromapp.converter.core.models.parser_outputimportMetaInfoContainer`
`31`		`-fromapp.converter.tools.utilsimportconcatenate_str,get_author_str,get_licence_str`
	`31`	`+fromapp.converter.tools.utilsimportget_rule_description_str`
`32`	`32`
`33`	`33`
`34`	`34`	`classMicrosoftSentinelRuleFieldValue(MicrosoftSentinelFieldValue):`
`@@ -46,10 +46,11 @@ def finalize_query(self, prefix: str, query: str, functions: str, meta_info: Met`
`46`	`46`	`rule=copy.deepcopy(DEFAULT_MICROSOFT_SENTINEL_RULE)`
`47`	`47`	`rule["query"]=query`
`48`	`48`	`rule["displayName"]=meta_info.title`
`49`		`-description=meta_info.descriptionorrule["description"]`
`50`		`-description=concatenate_str(description,get_author_str(meta_info.author))`
`51`		`-description=concatenate_str(description,get_licence_str(meta_info.license))`
`52`		`-rule["description"]=description`
	`49`	`+rule["description"]=get_rule_description_str(`
	`50`	`+description=meta_info.descriptionorrule["description"],`
	`51`	`+author=meta_info.author,`
	`52`	`+license=meta_info.license`
	`53`	`+ )`
`53`	`54`	`rule["severity"]=meta_info.severity`
`54`	`55`	`rule["techniques"]= [el.upper()forelinmeta_info.mitre_attack]`
`55`	`56`	`json_rule=json.dumps(rule,indent=4,sort_keys=False)`

`‎siem-converter/app/converter/platforms/splunk/renders/splunk_alert.py‎`

Lines changed: 7 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@`
`22`	`22`	`fromapp.converter.core.mappingimportSourceMapping`
`23`	`23`	`fromapp.converter.core.models.platform_detailsimportPlatformDetails`
`24`	`24`	`fromapp.converter.core.models.parser_outputimportMetaInfoContainer`
	`25`	`+fromapp.converter.tools.utilsimportget_rule_description_str`
`25`	`26`
`26`	`27`
`27`	`28`	`_AUTOGENERATED_TITLE="Autogenerated Splunk Alert"`
`@@ -43,11 +44,13 @@ def finalize_query(self, prefix: str, query: str, functions: str, meta_info: Met`
`43`	`44`	`rule=DEFAULT_SPLUNK_ALERT.replace("<query_place_holder>",query)`
`44`	`45`	`rule=rule.replace("<title_place_holder>",meta_info.titleor_AUTOGENERATED_TITLE)`
`45`	`46`	`rule=rule.replace("<severity_place_holder>",severity_map.get(meta_info.severity,"1"))`
	`47`	`+rule_description=get_rule_description_str(`
	`48`	`+description=meta_info.descriptionor'Autogenerated Splunk Alert.',`
	`49`	`+license=meta_info.license,`
	`50`	`+mitre_attack=meta_info.mitre_attack`
	`51`	`+ )`
	`52`	`+rule=rule.replace("<description_place_holder>",rule_description)`
`46`	`53`
`47`		`-description=f"{meta_info.descriptionor'Autogenerated Splunk Alert'}. License:{meta_info.license}."`
`48`		`-ifmeta_info.mitre_attack:`
`49`		`-description+=f" MITRE ATT&CK:{', '.join(meta_info.mitre_attack)}"`
`50`		`-rule=rule.replace("<description_place_holder>",description)`
`51`	`54`	`ifnot_supported_functions:`
`52`	`55`	`rendered_not_supported=self.render_not_supported_functions(not_supported_functions)`
`53`	`56`	`returnrule+rendered_not_supported`

`‎siem-converter/app/converter/tools/utils.py‎`

Lines changed: 39 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,20 +14,54 @@ def concatenate_str(str1: str, str2: str) -> str:`
`14`	`14`
`15`	`15`
`16`	`16`	`defget_mitre_attack_str(mitre_attack:List[str])->str:`
`17`		`-returnf"MITRE ATT&CK:{', '.join(mitre_attack).upper()}."ifmitre_attackelse""`
	`17`	`+returnf"MITRE ATT&CK:{', '.join(mitre_attack).upper()}."`
`18`	`18`
`19`	`19`
`20`	`20`	`defget_author_str(author:str)->str:`
`21`		`-returnf"Author:{author}."ifauthorelse""`
	`21`	`+returnf"Author:{author}."`
`22`	`22`
`23`	`23`
`24`		`-defget_licence_str(licence:str)->str:`
`25`		`-returnf"Licence:{licence}."`
	`24`	`+defget_license_str(license:str)->str:`
	`25`	`+license_str=f"License:{license}"`
	`26`	`+ifnotlicense_str.endswith('.'):`
	`27`	`+license_str+='.'`
	`28`	`+returnlicense_str`
`26`	`29`
	`30`	`+defget_description_str(description:str)->str:`
	`31`	`+ifnotdescription.endswith('.'):`
	`32`	`+description+='.'`
	`33`	`+returndescription`
`27`	`34`
`28`	`35`	`defget_rule_id_str(rule_id:str)->str:`
`29`	`36`	`returnf"Rule ID:{rule_id}."`
`30`	`37`
`31`	`38`
`32`	`39`	`defget_references_str(references:List[str])->str:`
`33`		`-returnf"References:{', '.join(references)}."ifreferenceselse""`
	`40`	`+returnf"References:{', '.join(references)}."`
	`41`	`+`
	`42`	`+defget_rule_description_str(`
	`43`	`+description:str,`
	`44`	`+author:str=None,`
	`45`	`+rule_id:str=None,`
	`46`	`+license:str=None,`
	`47`	`+mitre_attack:str=None,`
	`48`	`+references:str=None`
	`49`	`+)->str:`
	`50`	`+description_str=get_description_str(description)`
	`51`	`+author_str=get_author_str(author)ifauthorelseNone`
	`52`	`+rule_id=get_rule_id_str(rule_id)ifrule_idelseNone`
	`53`	`+license_str=get_license_str(license)iflicenseelseNone`
	`54`	`+mitre_attack=get_mitre_attack_str(mitre_attack)ifmitre_attackelseNone`
	`55`	`+references=get_references_str(references)ifreferenceselseNone`
	`56`	`+rule_description=description_str`
	`57`	`+ifauthor_str:`
	`58`	`+rule_description=concatenate_str(rule_description,author_str)`
	`59`	`+ifrule_id:`
	`60`	`+rule_description=concatenate_str(rule_description,rule_id)`
	`61`	`+iflicense_str:`
	`62`	`+rule_description=concatenate_str(rule_description,license_str)`
	`63`	`+ifmitre_attack:`
	`64`	`+rule_description=concatenate_str(rule_description,mitre_attack)`
	`65`	`+ifreferences:`
	`66`	`+rule_description=concatenate_str(rule_description,references)`
	`67`	`+returnrule_description`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7bd8d38

File tree

7 files changed

7 files changed

`‎siem-converter/app/converter/platforms/elasticsearch/renders/elast_alert.py‎`

`‎siem-converter/app/converter/platforms/elasticsearch/renders/kibana.py‎`

`‎siem-converter/app/converter/platforms/elasticsearch/renders/xpack_watcher.py‎`

`‎siem-converter/app/converter/platforms/logscale/renders/logscale_alert.py‎`

`‎siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel_rule.py‎`

`‎siem-converter/app/converter/platforms/splunk/renders/splunk_alert.py‎`

`‎siem-converter/app/converter/tools/utils.py‎`

0 commit comments