NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commitc34e622

committed

parser, tokenizer, render fixes

1 parentc026f1d commitc34e622Copy full SHA for c34e622

File tree

19 files changed

+71

-63

lines changed

siem-converter/app/converter
- backends
  - athena
    - renders
      - athena.py
    - tokenizer.py
  - chronicle
    - tokenizer.py
  - elasticsearch
    - renders
      - elasticsearch.py
    - tokenizer.py
  - logscale
    - tokenizer.py
  - microsoft
    - renders
      - microsoft_sentinel.py
    - tokenizer.py
  - opensearch
    - renders
      - opensearch.py
    - tokenizer.py
  - qradar
    - const.py
    - renders
      - qradar.py
    - tokenizer.py
  - splunk
    - renders
      - splunk.py
      - splunk_alert.py
    - tokenizer.py
- core
  - models
    - field.py
  - render.py
- tools
  - decorators.py

19 files changed

+71

-63

lines changed

`‎siem-converter/app/converter/backends/athena/renders/athena.py‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,8 @@ class AthenaQueryRender(BaseQueryRender):`
`67`	`67`
`68`	`68`	`field_value_map=AthenaFieldValue(or_token=or_token)`
`69`	`69`	`query_pattern="{prefix} WHERE {query} {functions}"`
	`70`	`+comment_symbol="--"`
	`71`	`+is_multi_line_comment=True`
`70`	`72`
`71`	`73`	`defgenerate_prefix(self,log_source_signature:LogSourceSignature)->str:`
`72`	`74`	`table=str(log_source_signature)ifstr(log_source_signature)else"eventlog"`

`‎siem-converter/app/converter/backends/athena/tokenizer.py‎`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ class AthenaTokenizer(QueryTokenizer):`
`30`	`30`	`match_operator_pattern=r"""(?:___field___\s?(?P<match_operator>like\|in\|=\|>\|<\|>=\|<=\|<>\|!=))\s?"""`
`31`	`31`	`num_value_pattern=r"(?P<num_value>\d+(?:\.\d+))\s"`
`32`	`32`	`bool_value_pattern=r"(?P<bool_value>true\|false)\s*"`
`33`		`-single_quotes_value_pattern=r"""'(?P<s_q_value>(?:[:a-zA-Z\*0-9=+%#\-\/\\,_".$&^@!\{\}\s]\|'')+)'"""`
	`33`	`+single_quotes_value_pattern=r"""'(?P<s_q_value>(?:[:a-zA-Z\0-9=+%#\-\/\\,_".$&^@!\{\}\s]\|''))'"""`
`34`	`34`	`_value_pattern=fr"{num_value_pattern}\|{bool_value_pattern}\|{single_quotes_value_pattern}"`
`35`	`35`	`multi_value_pattern=r"""$(?P<value>\d+(?:,\s\d+)\|'(?:[:a-zA-Z\0-9=+%#\-\/\\,_".$&^@!\($\{\}\s]\|'')'(?:,\s'(?:[:a-zA-Z\0-9=+%#\-\/\\,_".$&^@!\{\}\s]\|'')'))\)"""`
`36`	`36`
`@@ -49,13 +49,13 @@ def should_process_value_wildcard_symbols(operator: str) -> bool:`
`49`	`49`	`returnoperator.lower()in ("like",)`
`50`	`50`
`51`	`51`	`defget_operator_and_value(self,match:re.Match,operator:str=OperatorType.EQ)->Tuple[str,Any]:`
`52`		`-ifnum_value:=get_match_group(match,group_name='num_value'):`
	`52`	`+if(num_value:=get_match_group(match,group_name='num_value'))isnotNone:`
`53`	`53`	`returnoperator,num_value`
`54`	`54`
`55`		`-elifbool_value:=get_match_group(match,group_name='bool_value'):`
	`55`	`+elif(bool_value:=get_match_group(match,group_name='bool_value'))isnotNone:`
`56`	`56`	`returnoperator,bool_value`
`57`	`57`
`58`		`-elifs_q_value:=get_match_group(match,group_name='s_q_value'):`
	`58`	`+elif(s_q_value:=get_match_group(match,group_name='s_q_value'))isnotNone:`
`59`	`59`	`returnoperator,s_q_value`
`60`	`60`
`61`	`61`	`returnsuper().get_operator_and_value(match,operator)`

`‎siem-converter/app/converter/backends/chronicle/tokenizer.py‎`

Lines changed: 7 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,22 +31,22 @@ class ChronicleQueryTokenizer(QueryTokenizer):`
`31`	`31`	`num_value_pattern=r"(?P<num_value>\d+(?:\.\d+))\s"`
`32`	`32`	`bool_value_pattern=r"(?P<bool_value>true\|false)\s*"`
`33`	`33`	`double_quotes_value_pattern=r'"(?P<d_q_value>(?:[:a-zA-Z\0-9=+%#\-_/,\'\.$&^@!\{\}\s]\|\\\"\|\\\\))"\s*(?:nocase)?'`
`34`		`-re_value_pattern=r"/(?P<re_value>[:a-zA-Z\0-9=+%#\\\-_\,\"\'\.$&^@!\{\}\s?])/\s*(?:nocase)?"`
	`34`	`+re_value_pattern=r"/(?P<re_value>(?:\\\/\|[:a-zA-Z\0-9=+%#\\\-_\,\"\'\.$&^@!\{\}\s?])+)/\s(?:nocase)?"`
`35`	`35`	`_value_pattern=fr"{num_value_pattern}\|{bool_value_pattern}\|{double_quotes_value_pattern}\|{re_value_pattern}"`
`36`	`36`
`37`	`37`	`wildcard_symbol=".*"`
`38`	`38`
`39`	`39`	`defget_operator_and_value(self,match:re.Match,operator:str=OperatorType.EQ)->Tuple[str,Any]:`
`40`		`-ifnum_value:=get_match_group(match,group_name='num_value'):`
	`40`	`+if(num_value:=get_match_group(match,group_name='num_value'))isnotNone:`
`41`	`41`	`returnoperator,num_value`
`42`	`42`
`43`		`-elifbool_value:=get_match_group(match,group_name='bool_value'):`
	`43`	`+elif(bool_value:=get_match_group(match,group_name='bool_value'))isnotNone:`
`44`	`44`	`returnoperator,bool_value`
`45`	`45`
`46`		`-elifd_q_value:=get_match_group(match,group_name='d_q_value'):`
	`46`	`+elif(d_q_value:=get_match_group(match,group_name='d_q_value'))isnotNone:`
`47`	`47`	`returnoperator,d_q_value`
`48`	`48`
`49`		`-elifre_value:=get_match_group(match,group_name='re_value'):`
	`49`	`+elif(re_value:=get_match_group(match,group_name='re_value'))isnotNone:`
`50`	`50`	`returnOperatorType.REGEX,re_value`
`51`	`51`
`52`	`52`	`returnsuper().get_operator_and_value(match,operator)`
`@@ -94,10 +94,10 @@ def search_field_value(self, query):`
`94`	`94`	`returnsuper().search_field_value(query=query)`
`95`	`95`
`96`	`96`	`defget_operator_and_value(self,match:re.Match,operator:str=OperatorType.EQ)->Tuple[str,Any]:`
`97`		`-ifd_q_value:=get_match_group(match,group_name='d_q_value'):`
	`97`	`+if(d_q_value:=get_match_group(match,group_name='d_q_value'))isnotNone:`
`98`	`98`	`returnoperator,d_q_value`
`99`	`99`
`100`		`-elifb_q_value:=get_match_group(match,group_name='b_q_value'):`
	`100`	`+elif(b_q_value:=get_match_group(match,group_name='b_q_value'))isnotNone:`
`101`	`101`	`returnoperator,b_q_value`
`102`	`102`
`103`	`103`	`returnsuper().get_operator_and_value(match,operator)`

`‎siem-converter/app/converter/backends/elasticsearch/renders/elasticsearch.py‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,8 @@ class ElasticSearchQueryRender(BaseQueryRender):`
`82`	`82`
`83`	`83`	`field_value_map=ElasticSearchFieldValue(or_token=or_token)`
`84`	`84`	`query_pattern="{query} {functions}"`
	`85`	`+comment_symbol="//"`
	`86`	`+is_multi_line_comment=True`
`85`	`87`
`86`	`88`	`defgenerate_prefix(self,logsource:dict)->str:`
`87`	`89`	`return""`

`‎siem-converter/app/converter/backends/elasticsearch/tokenizer.py‎`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -64,16 +64,16 @@ def clean_quotes(value: Union[str, int]):`
`64`	`64`	`returnvalue`
`65`	`65`
`66`	`66`	`defget_operator_and_value(self,match:re.Match,operator:str=OperatorType.EQ)->Tuple[str,Any]:`
`67`		`-ifnum_value:=get_match_group(match,group_name='num_value'):`
	`67`	`+if(num_value:=get_match_group(match,group_name='num_value'))isnotNone:`
`68`	`68`	`returnoperator,num_value`
`69`	`69`
`70`		`-elifre_value:=get_match_group(match,group_name='re_value'):`
	`70`	`+elif(re_value:=get_match_group(match,group_name='re_value'))isnotNone:`
`71`	`71`	`returnOperatorType.REGEX,re_value`
`72`	`72`
`73`		`-elifn_q_value:=get_match_group(match,group_name='n_q_value'):`
	`73`	`+elif(n_q_value:=get_match_group(match,group_name='n_q_value'))isnotNone:`
`74`	`74`	`returnoperator,n_q_value`
`75`	`75`
`76`		`-elifd_q_value:=get_match_group(match,group_name='d_q_value'):`
	`76`	`+elif(d_q_value:=get_match_group(match,group_name='d_q_value'))isnotNone:`
`77`	`77`	`returnoperator,d_q_value`
`78`	`78`
`79`	`79`	`returnsuper().get_operator_and_value(match)`

`‎siem-converter/app/converter/backends/logscale/tokenizer.py‎`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,20 +30,20 @@ class LogScaleTokenizer(QueryTokenizer):`
`30`	`30`	`match_operator_pattern=r"""(?:___field___\s?(?P<match_operator>=\|!=))\s?"""`
`31`	`31`	`num_value_pattern=r"(?P<num_value>\d+(?:\.\d+))\s"`
`32`	`32`	`double_quotes_value_pattern=r'"(?P<d_q_value>(?:[:a-zA-Z\0-9=+%#\-_/,\'\.$&^@!\{\}\s]\|\\\"\|\\))"\s*'`
`33`		`-re_value_pattern=r"/(?P<re_value>[:a-zA-Z\0-9=+%#\\\-_\,\"\'\.$&^@!\{\}\s?])/i?\s*"`
	`33`	`+re_value_pattern=r"/(?P<re_value>[:a-zA-Z\0-9=+%#\\\-_\,\"\'\.$&^@!\{\}\s?]+)/i?\s"`
`34`	`34`	`_value_pattern=fr"""{num_value_pattern}\|{re_value_pattern}\|{double_quotes_value_pattern}"""`
`35`	`35`	`keyword_pattern=double_quotes_value_pattern`
`36`	`36`
`37`	`37`	`wildcard_symbol="*"`
`38`	`38`
`39`	`39`	`defget_operator_and_value(self,match:re.Match,operator:str=OperatorType.EQ)->Tuple[str,Any]:`
`40`		`-ifnum_value:=get_match_group(match,group_name='num_value'):`
	`40`	`+if(num_value:=get_match_group(match,group_name='num_value'))isnotNone:`
`41`	`41`	`returnoperator,num_value`
`42`	`42`
`43`		`-elifd_q_value:=get_match_group(match,group_name='d_q_value'):`
	`43`	`+elif(d_q_value:=get_match_group(match,group_name='d_q_value'))isnotNone:`
`44`	`44`	`returnoperator,d_q_value`
`45`	`45`
`46`		`-elifre_value:=get_match_group(match,group_name='re_value'):`
	`46`	`+elif(re_value:=get_match_group(match,group_name='re_value'))isnotNone:`
`47`	`47`	`returnOperatorType.REGEX,re_value`
`48`	`48`
`49`	`49`	`returnsuper().get_operator_and_value(match,operator)`

`‎siem-converter/app/converter/backends/microsoft/renders/microsoft_sentinel.py‎`

Lines changed: 13 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`limitations under the License.`
`17`	`17`	`-----------------------------------------------------------------`
`18`	`18`	`"""`
	`19`	`+fromtypingimportUnion`
`19`	`20`
`20`	`21`	`fromapp.converter.backends.microsoft.constimportmicrosoft_sentinel_query_details`
`21`	`22`	`fromapp.converter.backends.microsoft.mappingimportMicrosoftSentinelMappings,microsoft_sentinel_mappings`
`@@ -28,32 +29,36 @@`
`28`	`29`	`classMicrosoftSentinelFieldValue(BaseQueryFieldValue):`
`29`	`30`	`details:PlatformDetails=microsoft_sentinel_query_details`
`30`	`31`
	`32`	`+@staticmethod`
	`33`	`+def__escape_value(value:Union[int,str])->Union[int,str]:`
	`34`	`+returnvalue.replace("'","''")ifisinstance(value,str)elsevalue`
	`35`	`+`
`31`	`36`	`defequal_modifier(self,field,value):`
`32`	`37`	`ifisinstance(value,str):`
`33`		`-returnf"{field} =~ @'{value}'"`
	`38`	`+returnf"{field} =~ @'{self.__escape_value(value)}'"`
`34`	`39`	`elifisinstance(value,list):`
`35`		`-prepared_values=", ".join(f"@'{v}'"forvinvalue)`
	`40`	`+prepared_values=", ".join(f"@'{self.__escape_value(v)}'"forvinvalue)`
`36`	`41`	`operator="in~"ifall(isinstance(v,str)forvinvalue)else"in"`
`37`	`42`	`returnf'{field}{operator} ({prepared_values})'`
`38`	`43`	`returnf'{field} =={value}'`
`39`	`44`
`40`	`45`	`defcontains_modifier(self,field,value):`
`41`	`46`	`ifisinstance(value,list):`
`42`	`47`	`returnf"({self.or_token.join(self.contains_modifier(field=field,value=v)forvinvalue)})"`
`43`		`-returnf"{field} contains @'{value}'"`
	`48`	`+returnf"{field} contains @'{self.__escape_value(value)}'"`
`44`	`49`
`45`	`50`	`defendswith_modifier(self,field,value):`
`46`	`51`	`ifisinstance(value,list):`
`47`	`52`	`returnf"({self.or_token.join(self.endswith_modifier(field=field,value=v)forvinvalue)})"`
`48`		`-returnf"{field} endswith @'{value}'"`
	`53`	`+returnf"{field} endswith @'{self.__escape_value(value)}'"`
`49`	`54`
`50`	`55`	`defstartswith_modifier(self,field,value):`
`51`	`56`	`ifisinstance(value,list):`
`52`	`57`	`returnf"({self.or_token.join(self.startswith_modifier(field=field,value=v)forvinvalue)})"`
`53`		`-returnf"{field} startswith @'{value}'"`
	`58`	`+returnf"{field} startswith @'{self.__escape_value(value)}'"`
`54`	`59`
`55`	`60`	`def__regex_modifier(self,field,value):`
`56`		`-returnf"{field} matches regex @'(?i){value}'"`
	`61`	`+returnf"{field} matches regex @'(?i){self.__escape_value(value)}'"`
`57`	`62`
`58`	`63`	`defregex_modifier(self,field,value):`
`59`	`64`	`ifisinstance(value,list):`
`@@ -63,7 +68,7 @@ def regex_modifier(self, field, value):`
`63`	`68`	`defkeywords(self,field,value):`
`64`	`69`	`ifisinstance(value,list):`
`65`	`70`	`returnf"({self.or_token.join(self.keywords(field=field,value=v)forvinvalue)})"`
`66`		`-returnf"* contains @'{value}'"`
	`71`	`+returnf"* contains @'{self.__escape_value(value)}'"`
`67`	`72`
`68`	`73`
`69`	`74`	`classMicrosoftSentinelQueryRender(BaseQueryRender):`
`@@ -78,14 +83,11 @@ class MicrosoftSentinelQueryRender(BaseQueryRender):`
`78`	`83`
`79`	`84`	`mappings:MicrosoftSentinelMappings=microsoft_sentinel_mappings`
`80`	`85`	`comment_symbol="//"`
	`86`	`+is_multi_line_comment=True`
`81`	`87`
`82`	`88`	`defgenerate_prefix(self,log_source_signature:LogSourceSignature)->str:`
`83`	`89`	`returnstr(log_source_signature)`
`84`	`90`
`85`		`-defrender_not_supported_functions(self,not_supported_functions:list)->str:`
`86`		`-render_not_suported="\n".join([f'//{i}'foriinnot_supported_functions])`
`87`		`-return"\n\n"+f"//{self.unsupported_functions_text}"+render_not_suported`
`88`		`-`
`89`	`91`	`defgenerate_functions(self,functions:list)->str:`
`90`	`92`	`ifnotfunctions:`
`91`	`93`	`return""`

`‎siem-converter/app/converter/backends/microsoft/tokenizer.py‎`

Lines changed: 5 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ class MicrosoftSentinelTokenizer(QueryTokenizer, OperatorBasedMixin):`
`34`	`34`	`single_quotes_value_pattern=r"@?'(?P<s_q_value>(?:[:a-zA-Z\0-9=+%#\-_/,\"\.$&^@!\{\}\s]\|\\\'\|\\\\))'\s*"`
`35`	`35`	`str_value_pattern=fr"""{double_quotes_value_pattern}\|{single_quotes_value_pattern}"""`
`36`	`36`	`_value_pattern=fr"""{bool_value_pattern}\|{num_value_pattern}\|{str_value_pattern}"""`
`37`		`-multi_value_pattern=r"""$(?P<value>[:a-zA-Z\"\0-9=+%#\-_\/\\'\,.&^@!\(\s])$"""`
	`37`	`+multi_value_pattern=r"""$(?P<value>[:a-zA-Z\"\*0-9=+%#\-_\/\\'\,.&^@!\(\s]+)$"""`
`38`	`38`	`keyword_pattern=fr"\*\s+contains\s+(?:{str_value_pattern})"`
`39`	`39`
`40`	`40`	`multi_value_operators= ("in","in~")`
`@@ -50,16 +50,16 @@ def __init__(self, args, *kwargs):`
`50`	`50`	`self.operators_map.update(super().operators_map)`
`51`	`51`
`52`	`52`	`defget_operator_and_value(self,match:re.Match,operator:str=OperatorType.EQ)->Tuple[str,Any]:`
`53`		`-ifnum_value:=get_match_group(match,group_name='num_value'):`
	`53`	`+if(num_value:=get_match_group(match,group_name='num_value'))isnotNone:`
`54`	`54`	`returnoperator,num_value`
`55`	`55`
`56`		`-elifbool_value:=get_match_group(match,group_name='bool_value'):`
	`56`	`+elif(bool_value:=get_match_group(match,group_name='bool_value'))isnotNone:`
`57`	`57`	`returnoperator,bool_value`
`58`	`58`
`59`		`-elifd_q_value:=get_match_group(match,group_name='d_q_value'):`
	`59`	`+elif(d_q_value:=get_match_group(match,group_name='d_q_value'))isnotNone:`
`60`	`60`	`returnoperator,d_q_value`
`61`	`61`
`62`		`-elifs_q_value:=get_match_group(match,group_name='s_q_value'):`
	`62`	`+elif(s_q_value:=get_match_group(match,group_name='s_q_value'))isnotNone:`
`63`	`63`	`returnoperator,s_q_value`
`64`	`64`
`65`	`65`	`returnsuper().get_operator_and_value(match,operator)`

`‎siem-converter/app/converter/backends/opensearch/renders/opensearch.py‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,8 @@ class OpenSearchQueryRender(BaseQueryRender):`
`71`	`71`
`72`	`72`	`field_value_map=OpenSearchFieldValue(or_token=or_token)`
`73`	`73`	`query_pattern="{query} {functions}"`
	`74`	`+comment_symbol="//"`
	`75`	`+is_multi_line_comment=True`
`74`	`76`
`75`	`77`	`defgenerate_prefix(self,logsource:dict)->str:`
`76`	`78`	`return""`

`‎siem-converter/app/converter/backends/opensearch/tokenizer.py‎`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -64,16 +64,16 @@ def clean_quotes(value: Union[str, int]):`
`64`	`64`	`returnvalue`
`65`	`65`
`66`	`66`	`defget_operator_and_value(self,match:re.Match,operator:str=OperatorType.EQ)->Tuple[str,Any]:`
`67`		`-ifnum_value:=get_match_group(match,group_name='num_value'):`
	`67`	`+if(num_value:=get_match_group(match,group_name='num_value'))isnotNone:`
`68`	`68`	`returnoperator,num_value`
`69`	`69`
`70`		`-elifre_value:=get_match_group(match,group_name='re_value'):`
	`70`	`+elif(re_value:=get_match_group(match,group_name='re_value'))isnotNone:`
`71`	`71`	`returnOperatorType.REGEX,re_value`
`72`	`72`
`73`		`-elifn_q_value:=get_match_group(match,group_name='n_q_value'):`
	`73`	`+elif(n_q_value:=get_match_group(match,group_name='n_q_value'))isnotNone:`
`74`	`74`	`returnoperator,n_q_value`
`75`	`75`
`76`		`-elifd_q_value:=get_match_group(match,group_name='d_q_value'):`
	`76`	`+elif(d_q_value:=get_match_group(match,group_name='d_q_value'))isnotNone:`
`77`	`77`	`returnoperator,d_q_value`
`78`	`78`
`79`	`79`	`returnsuper().get_operator_and_value(match)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitc34e622

File tree

19 files changed

19 files changed

`‎siem-converter/app/converter/backends/athena/renders/athena.py‎`

`‎siem-converter/app/converter/backends/athena/tokenizer.py‎`

`‎siem-converter/app/converter/backends/chronicle/tokenizer.py‎`

`‎siem-converter/app/converter/backends/elasticsearch/renders/elasticsearch.py‎`

`‎siem-converter/app/converter/backends/elasticsearch/tokenizer.py‎`

`‎siem-converter/app/converter/backends/logscale/tokenizer.py‎`

`‎siem-converter/app/converter/backends/microsoft/renders/microsoft_sentinel.py‎`

`‎siem-converter/app/converter/backends/microsoft/tokenizer.py‎`

`‎siem-converter/app/converter/backends/opensearch/renders/opensearch.py‎`

`‎siem-converter/app/converter/backends/opensearch/tokenizer.py‎`

0 commit comments