NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commita749460

authored

Merge pull request#220 from UncoderIO/gis-9071

GIS 9071 Added new platform Falco

2 parents4c4f244 +cca40d9 commita749460Copy full SHA for a749460

File tree

9 files changed

+249

-0

lines changed

uncoder-core/app/translator
- mappings/platforms/falco
  - aws_cloudtrail.yml
  - default.yml
- platforms/falco

9 files changed

+249

-0

lines changed

`‎uncoder-core/app/translator/mappings/platforms/falco/aws_cloudtrail.yml‎`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,8 @@`
	`1`	`+platform:Falco`
	`2`	`+source:aws_cloudtrail`
	`3`	`+`
	`4`	`+field_mapping:`
	`5`	`+eventSource:ct.src`
	`6`	`+eventName:ct.name`
	`7`	`+errorCode:ct.error`
	`8`	`+RequestParameters:json.value[/requestParameters]`

`‎uncoder-core/app/translator/mappings/platforms/falco/default.yml‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,6 @@`
	`1`	`+platform:Falco`
	`2`	`+source:default`
	`3`	`+`
	`4`	`+`
	`5`	`+field_mapping:`
	`6`	`+{}`

`‎uncoder-core/app/translator/platforms/falco/init.py‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+fromapp.translator.platforms.falco.renders.falcoimportFalcoRuleRender# noqa: F401`

`‎uncoder-core/app/translator/platforms/falco/const.py‎`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,11 @@`
	`1`	`+fromapp.translator.core.models.platform_detailsimportPlatformDetails`
	`2`	`+`
	`3`	`+FALCO_RULE_DETAILS= {`
	`4`	`+"platform_id":"falco-yaml-rule",`
	`5`	`+"name":"Falco YAML Rule",`
	`6`	`+"platform_name":"Rule (YAML)",`
	`7`	`+"group_id":"falco",`
	`8`	`+"group_name":"Falco",`
	`9`	`+}`
	`10`	`+`
	`11`	`+falco_rule_details=PlatformDetails(**FALCO_RULE_DETAILS)`

`‎uncoder-core/app/translator/platforms/falco/escape_manager.py‎`

Lines changed: 17 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,17 @@`
	`1`	`+fromtypingimportClassVar`
	`2`	`+`
	`3`	`+fromapp.translator.core.custom_types.valuesimportValueType`
	`4`	`+fromapp.translator.core.escape_managerimportEscapeManager`
	`5`	`+fromapp.translator.core.models.escape_detailsimportEscapeDetails`
	`6`	`+`
	`7`	`+`
	`8`	`+classFalcoRuleEscapeManager(EscapeManager):`
	`9`	`+escape_map:ClassVar[dict[str,list[EscapeDetails]]]= {`
	`10`	`+ValueType.regex_value: [`
	`11`	`+EscapeDetails(pattern=r"([$^*+()\[\]{}\|.?\-\\])",escape_symbols=r"\\\1"),`
	`12`	`+EscapeDetails(pattern=r"(')",escape_symbols=r"'\1"),`
	`13`	`+ ]`
	`14`	`+ }`
	`15`	`+`
	`16`	`+`
	`17`	`+falco_rule_escape_manager=FalcoRuleEscapeManager()`

`‎uncoder-core/app/translator/platforms/falco/mapping.py‎`

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,18 @@`
	`1`	`+fromapp.translator.core.mappingimportBaseStrictLogSourcesPlatformMappings,LogSourceSignature`
	`2`	`+fromapp.translator.platforms.falco.constimportfalco_rule_details`
	`3`	`+`
	`4`	`+`
	`5`	`+classFalcoRuleLogSourceSignature(LogSourceSignature):`
	`6`	`+def__str__(self)->str:`
	`7`	`+return""`
	`8`	`+`
	`9`	`+defis_suitable(self)->bool:`
	`10`	`+returnTrue`
	`11`	`+`
	`12`	`+`
	`13`	`+classFalcoRuleMappings(BaseStrictLogSourcesPlatformMappings):`
	`14`	`+defprepare_log_source_signature(self,mapping:dict)->FalcoRuleLogSourceSignature:# noqa: ARG002`
	`15`	`+returnFalcoRuleLogSourceSignature()`
	`16`	`+`
	`17`	`+`
	`18`	`+falco_rule_mappings=FalcoRuleMappings(platform_dir="falco",platform_details=falco_rule_details)`

`‎uncoder-core/app/translator/platforms/falco/renders/init.py‎`

Whitespace-only changes.

`‎uncoder-core/app/translator/platforms/falco/renders/falco.py‎`

Lines changed: 161 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,161 @@`
	`1`	`+"""`
	`2`	`+Uncoder IO Community Edition License`
	`3`	`+-----------------------------------------------------------------`
	`4`	`+Copyright (c) 2024 SOC Prime, Inc.`
	`5`	`+`
	`6`	`+Licensed under the Apache License, Version 2.0 (the "License");`
	`7`	`+you may not use this file except in compliance with the License.`
	`8`	`+You may obtain a copy of the License at`
	`9`	`+`
	`10`	`+ http://www.apache.org/licenses/LICENSE-2.0`
	`11`	`+`
	`12`	`+Unless required by applicable law or agreed to in writing, software`
	`13`	`+distributed under the License is distributed on an "AS IS" BASIS,`
	`14`	`+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
	`15`	`+See the License for the specific language governing permissions and`
	`16`	`+limitations under the License.`
	`17`	`+-----------------------------------------------------------------`
	`18`	`+"""`
	`19`	`+fromtypingimportClassVar,Optional`
	`20`	`+`
	`21`	`+importyaml`
	`22`	`+`
	`23`	`+fromapp.translator.constimportDEFAULT_VALUE_TYPE`
	`24`	`+fromapp.translator.core.custom_types.valuesimportValueType`
	`25`	`+fromapp.translator.core.mappingimportLogSourceSignature,SourceMapping`
	`26`	`+fromapp.translator.core.models.platform_detailsimportPlatformDetails`
	`27`	`+fromapp.translator.core.models.query_containerimportMetaInfoContainer`
	`28`	`+fromapp.translator.core.models.query_tokens.fieldimportField`
	`29`	`+fromapp.translator.core.renderimportBaseFieldValueRender,PlatformQueryRender`
	`30`	`+fromapp.translator.core.str_value_managerimportStrValueManager`
	`31`	`+fromapp.translator.managersimportrender_manager`
	`32`	`+fromapp.translator.platforms.falco.constimportfalco_rule_details`
	`33`	`+fromapp.translator.platforms.falco.mappingimportFalcoRuleMappings,falco_rule_mappings`
	`34`	`+fromapp.translator.platforms.falco.str_value_managerimportfalco_rule_str_value_manager`
	`35`	`+`
	`36`	`+`
	`37`	`+classFalcoRuleFieldValueRender(BaseFieldValueRender):`
	`38`	`+details=falco_rule_details`
	`39`	`+str_value_manager:StrValueManager=falco_rule_str_value_manager`
	`40`	`+`
	`41`	`+@staticmethod`
	`42`	`+def_wrap_str_value(value:str)->str:`
	`43`	`+returnf'"{value}"'`
	`44`	`+`
	`45`	`+@staticmethod`
	`46`	`+def_wrap_int_value(value:str)->str:`
	`47`	`+returnf'"{value}"'`
	`48`	`+`
	`49`	`+defequal_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`50`	`+ifisinstance(value,list):`
	`51`	`+returnf"({self.or_token.join([self.equal_modifier(field=field,value=v)forvinvalue])})"`
	`52`	`+returnf"{field} ={self._pre_process_value(field,value,wrap_str=True)}"`
	`53`	`+`
	`54`	`+defnot_equal_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`55`	`+ifisinstance(value,list):`
	`56`	`+returnf"({self.or_token.join([self.not_equal_modifier(field=field,value=v)forvinvalue])})"`
	`57`	`+returnf"{field} !={self._pre_process_value(field,value,wrap_str=True)}"`
	`58`	`+`
	`59`	`+defless_modifier(self,field:str,value:int)->str:`
	`60`	`+returnf"{field} <{self._pre_process_value(field,value)}"`
	`61`	`+`
	`62`	`+defless_or_equal_modifier(self,field:str,value:int)->str:`
	`63`	`+returnf"{field} <={self._pre_process_value(field,value)}"`
	`64`	`+`
	`65`	`+defgreater_modifier(self,field:str,value:int)->str:`
	`66`	`+returnf"{field} >{self._pre_process_value(field,value)}"`
	`67`	`+`
	`68`	`+defgreater_or_equal_modifier(self,field:str,value:int)->str:`
	`69`	`+returnf"{field} >={self._pre_process_value(field,value)}"`
	`70`	`+`
	`71`	`+defcontains_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`72`	`+ifisinstance(value,list):`
	`73`	`+returnf"({self.or_token.join([self.contains_modifier(field=field,value=v)forvinvalue])})"`
	`74`	`+value=self._pre_process_value(field,value,wrap_str=True,wrap_int=True)`
	`75`	`+returnf"{field} contains{value}"`
	`76`	`+`
	`77`	`+defendswith_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`78`	`+ifisinstance(value,list):`
	`79`	`+returnf"({self.or_token.join([self.endswith_modifier(field=field,value=v)forvinvalue])})"`
	`80`	`+value=self._pre_process_value(field,value,wrap_str=True,wrap_int=True)`
	`81`	`+returnf"{field} endswith{value}"`
	`82`	`+`
	`83`	`+defstartswith_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`84`	`+ifisinstance(value,list):`
	`85`	`+returnf"({self.or_token.join([self.startswith_modifier(field=field,value=v)forvinvalue])})"`
	`86`	`+value=self._pre_process_value(field,value,wrap_str=True,wrap_int=True)`
	`87`	`+returnf"{field} startswith{value}"`
	`88`	`+`
	`89`	`+defregex_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`90`	`+ifisinstance(value,list):`
	`91`	`+returnf"({self.or_token.join(self.regex_modifier(field=field,value=v)forvinvalue)})"`
	`92`	`+regex_str=self._pre_process_value(field,value,value_type=ValueType.regex_value)`
	`93`	`+returnf"{field} regex '{regex_str}'"`
	`94`	`+`
	`95`	`+defis_none(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`96`	`+ifisinstance(value,list):`
	`97`	`+returnf"({self.or_token.join(self.is_none(field=field,value=v)forvinvalue)})"`
	`98`	`+returnf"{field} exists"`
	`99`	`+`
	`100`	`+`
	`101`	`+@render_manager.register`
	`102`	`+classFalcoRuleRender(PlatformQueryRender):`
	`103`	`+details:PlatformDetails=falco_rule_details`
	`104`	`+mappings:FalcoRuleMappings=falco_rule_mappings`
	`105`	`+`
	`106`	`+or_token="or"`
	`107`	`+and_token="and"`
	`108`	`+not_token="not"`
	`109`	`+`
	`110`	`+comment_symbol="//"`
	`111`	`+`
	`112`	`+field_value_render=FalcoRuleFieldValueRender(or_token=or_token)`
	`113`	`+`
	`114`	`+priority_map:ClassVar[dict[str,str]]= {`
	`115`	`+"unspecified":"NOTICE",`
	`116`	`+"info":"INFORMATIONAL",`
	`117`	`+"low":"WARNING",`
	`118`	`+"medium":"ERROR",`
	`119`	`+"high":"ERROR",`
	`120`	`+"critical":"CRITICAL",`
	`121`	`+ }`
	`122`	`+`
	`123`	`+defgenerate_prefix(self,log_source_signature:Optional[LogSourceSignature],functions_prefix:str="")->str:# noqa: ARG002`
	`124`	`+return""`
	`125`	`+`
	`126`	`+defgenerate_output(self,fields:list[Field],unmapped_fields:list[str],source_mapping:SourceMapping)->str:`
	`127`	`+extra_fields= []`
	`128`	`+forfieldinfields:`
	`129`	`+iffield.source_nameinunmapped_fields:`
	`130`	`+extra_fields.append(field.source_name)`
	`131`	`+elifgeneric_field_name:=field.get_generic_field_name(source_mapping.source_id):`
	`132`	`+extra_field=source_mapping.fields_mapping.get_platform_field_name(generic_field_name)`
	`133`	`+ifextra_field:`
	`134`	`+extra_fields.append(extra_field)`
	`135`	`+extra_fields= [f"{field.replace('.','_')}=%{field}"forfieldinextra_fields]`
	`136`	`+returnf"shell in a container (container_name=%container.name{' '.join(extra_fields)})"`
	`137`	`+`
	`138`	`+deffinalize_query(`
	`139`	`+self,`
	`140`	`+prefix:str,`
	`141`	`+query:str,`
	`142`	`+functions:str,`
	`143`	`+meta_info:Optional[MetaInfoContainer]=None,`
	`144`	`+source_mapping:Optional[SourceMapping]=None,`
	`145`	`+not_supported_functions:Optional[list]=None,`
	`146`	`+unmapped_fields:Optional[list[str]]=None,`
	`147`	`+*args,# noqa: ARG002`
	`148`	`+**kwargs,# noqa: ARG002`
	`149`	`+ )->str:`
	`150`	`+query=self._join_query_parts(prefix,query,functions)`
	`151`	`+rule= {`
	`152`	`+"rule":meta_info.titleor"Falco Rule",`
	`153`	`+"condition":query,`
	`154`	`+"desc":meta_info.descriptionor"Falco Rule",`
	`155`	`+"output":self.generate_output(meta_info.query_fields,unmapped_fieldsor [],source_mapping),`
	`156`	`+"priority":self.priority_map.get(meta_info.severityor"medium"),`
	`157`	`+ }`
	`158`	`+rule_str=yaml.dump(rule,default_flow_style=False,sort_keys=False)`
	`159`	`+rule_str=self.wrap_with_meta_info(rule_str,meta_info)`
	`160`	`+rule_str=self.wrap_with_unmapped_fields(rule_str,unmapped_fields)`
	`161`	`+returnself.wrap_with_not_supported_functions(rule_str,not_supported_functions)`

`‎uncoder-core/app/translator/platforms/falco/str_value_manager.py‎`

Lines changed: 27 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,27 @@`
	`1`	`+"""`
	`2`	`+Uncoder IO Community Edition License`
	`3`	`+-----------------------------------------------------------------`
	`4`	`+Copyright (c) 2024 SOC Prime, Inc.`
	`5`	`+`
	`6`	`+Licensed under the Apache License, Version 2.0 (the "License");`
	`7`	`+you may not use this file except in compliance with the License.`
	`8`	`+You may obtain a copy of the License at`
	`9`	`+`
	`10`	`+ http://www.apache.org/licenses/LICENSE-2.0`
	`11`	`+`
	`12`	`+Unless required by applicable law or agreed to in writing, software`
	`13`	`+distributed under the License is distributed on an "AS IS" BASIS,`
	`14`	`+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
	`15`	`+See the License for the specific language governing permissions and`
	`16`	`+limitations under the License.`
	`17`	`+-----------------------------------------------------------------`
	`18`	`+"""`
	`19`	`+fromapp.translator.core.str_value_managerimportStrValueManager`
	`20`	`+fromapp.translator.platforms.falco.escape_managerimportFalcoRuleEscapeManager,falco_rule_escape_manager`
	`21`	`+`
	`22`	`+`
	`23`	`+classFalcoRuleStrValueManager(StrValueManager):`
	`24`	`+escape_manager:FalcoRuleEscapeManager=falco_rule_escape_manager`
	`25`	`+`
	`26`	`+`
	`27`	`+falco_rule_str_value_manager=FalcoRuleStrValueManager()`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita749460

File tree

9 files changed

9 files changed

`‎uncoder-core/app/translator/mappings/platforms/falco/aws_cloudtrail.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/falco/default.yml‎`

`‎uncoder-core/app/translator/platforms/falco/init.py‎`

`‎uncoder-core/app/translator/platforms/falco/const.py‎`

`‎uncoder-core/app/translator/platforms/falco/escape_manager.py‎`

`‎uncoder-core/app/translator/platforms/falco/mapping.py‎`

`‎uncoder-core/app/translator/platforms/falco/renders/init.py‎`

`‎uncoder-core/app/translator/platforms/falco/renders/falco.py‎`

`‎uncoder-core/app/translator/platforms/falco/str_value_manager.py‎`

0 commit comments