NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commitd9e767d

committed

Merge branch 'main' into gis-8557

# Conflicts:#uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py

2 parents0395030 +bf008fe commitd9e767dCopy full SHA for d9e767d

File tree

22 files changed

+387

-121

lines changed

uncoder-core
- app/translator
  - const.py
  - core
    - str_value_manager.py
  - mappings/platforms/anomali
    - common.yml
    - default.yml
  - platforms
    - anomali
      - __init__.py
      - const.py
      - mapping.py
      - renders
        __init__.py
        anomali.py
    - base
      - aql
        str_value_manager.py
      - sql
        escape_manager.py
        str_value_manager.py
    - elasticsearch/renders
      - esql.py
    - palo_alto/functions
    - sigma
      - str_value_manager.py
  - translator.py
- requirements.txt
uncoder-os
- Dockerfile
- package.json
- src/pages/UncoderEditor
  - UncoderEditor.sass

22 files changed

+387

-121

lines changed

`‎uncoder-core/app/translator/const.py‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -9,4 +9,4 @@`
`9`	`9`
`10`	`10`	`CTI_IOCS_PER_QUERY_LIMIT=25`
`11`	`11`
`12`		`-DEFAULT_VALUE_TYPE=Union[int,str,StrValue,list[Union[int,str,StrValue]]]`
	`12`	`+DEFAULT_VALUE_TYPE=Union[bool,int,str,StrValue,list[Union[int,str,StrValue]]]`

`‎uncoder-core/app/translator/core/str_value_manager.py‎`

Lines changed: 19 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,25 @@ def has_spec_symbols(self) -> bool:`
`130`	`130`	`returnany(isinstance(el,BaseSpecSymbol)forelinself.split_value)`
`131`	`131`
`132`	`132`
	`133`	`+RE_STR_SPEC_SYMBOLS_MAP= {`
	`134`	`+"?":ReZeroOrOneQuantifier,`
	`135`	`+"*":ReZeroOrMoreQuantifier,`
	`136`	`+"+":ReOneOrMoreQuantifier,`
	`137`	`+"^":ReCaretSymbol,`
	`138`	`+"$":ReEndOfStrSymbol,`
	`139`	`+".":ReAnySymbol,`
	`140`	`+"[":ReLeftSquareBracket,`
	`141`	`+"]":ReRightSquareBracket,`
	`142`	`+"(":ReLeftParenthesis,`
	`143`	`+")":ReRightParenthesis,`
	`144`	`+"{":ReLeftCurlyBracket,`
	`145`	`+"}":ReRightCurlyBracket,`
	`146`	`+"\|":ReOrOperator,`
	`147`	`+",":ReCommaSymbol,`
	`148`	`+"-":ReHyphenSymbol,`
	`149`	`+}`
	`150`	`+`
	`151`	`+`
`133`	`152`	`CONTAINER_SPEC_SYMBOLS_MAP= {`
`134`	`153`	`SingleSymbolWildCard:"?",`
`135`	`154`	`UnboundLenWildCard:"*",`

`‎uncoder-core/app/translator/mappings/platforms/anomali/common.yml‎`

Lines changed: 31 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,31 @@`
	`1`	`+platform:Anomali`
	`2`	`+description:Common field mapping`
	`3`	`+`
	`4`	`+field_mapping:`
	`5`	`+c-uri-query:url`
	`6`	`+c-useragent:user_agent`
	`7`	`+CommandLine:command_line`
	`8`	`+DestinationHostname:dest`
	`9`	`+DestinationIp:dest_ip`
	`10`	`+DestinationPort:dest_port`
	`11`	`+Details:reg_value_data`
	`12`	`+dst_ip:dest_ip`
	`13`	`+dst_port:dest_port`
	`14`	`+EventID:event_id`
	`15`	`+EventName:event_name`
	`16`	`+FileName:file_name`
	`17`	`+FilePath:file_path`
	`18`	`+Image:image`
	`19`	`+NewProcessName:image`
	`20`	`+OriginalFileName:original_file_name`
	`21`	`+ParentCommandLine:parent_command_line`
	`22`	`+ParentImage:parent_image`
	`23`	`+ParentProcessID:parent_process_id`
	`24`	`+Platform:platform`
	`25`	`+ProcessCommandLine:command_line`
	`26`	`+ProcessID:process_id`
	`27`	`+SourceImage:parent_image`
	`28`	`+SourcePort:src_port`
	`29`	`+TargetFilename:file_name`
	`30`	`+TargetObject:reg_key`
	`31`	`+UserAgent:user_agent`

`‎uncoder-core/app/translator/mappings/platforms/anomali/default.yml‎`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,5 @@`
	`1`	`+platform:Anomali`
	`2`	`+source:default`
	`3`	`+`
	`4`	`+`
	`5`	`+default_log_source:{}`

`‎uncoder-core/app/translator/platforms/anomali/init.py‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+fromapp.translator.platforms.anomali.renders.anomaliimportAnomaliQueryRender# noqa: F401`

`‎uncoder-core/app/translator/platforms/anomali/const.py‎`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,11 @@`
	`1`	`+fromapp.translator.core.models.platform_detailsimportPlatformDetails`
	`2`	`+`
	`3`	`+ANOMALI_QUERY_DETAILS= {`
	`4`	`+"platform_id":"anomali-aql-query",`
	`5`	`+"name":"Anomali Security Analytics Query",`
	`6`	`+"group_name":"Anomali Security Analytics",`
	`7`	`+"platform_name":"Query",`
	`8`	`+"group_id":"anomali",`
	`9`	`+}`
	`10`	`+`
	`11`	`+anomali_query_details=PlatformDetails(**ANOMALI_QUERY_DETAILS)`

`‎uncoder-core/app/translator/platforms/anomali/mapping.py‎`

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,18 @@`
	`1`	`+fromapp.translator.core.mappingimportBaseCommonPlatformMappings,LogSourceSignature`
	`2`	`+fromapp.translator.platforms.anomali.constimportanomali_query_details`
	`3`	`+`
	`4`	`+`
	`5`	`+classAnomaliLogSourceSignature(LogSourceSignature):`
	`6`	`+defis_suitable(self)->bool:`
	`7`	`+returnTrue`
	`8`	`+`
	`9`	`+def__str__(self)->str:`
	`10`	`+return""`
	`11`	`+`
	`12`	`+`
	`13`	`+classAnomaliMappings(BaseCommonPlatformMappings):`
	`14`	`+defprepare_log_source_signature(self,mapping:dict)->AnomaliLogSourceSignature:# noqa: ARG002`
	`15`	`+returnAnomaliLogSourceSignature()`
	`16`	`+`
	`17`	`+`
	`18`	`+anomali_query_mappings=AnomaliMappings(platform_dir="anomali",platform_details=anomali_query_details)`

`‎uncoder-core/app/translator/platforms/anomali/renders/init.py‎`

Whitespace-only changes.

`‎uncoder-core/app/translator/platforms/anomali/renders/anomali.py‎`

Lines changed: 100 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,100 @@`
	`1`	`+"""`
	`2`	`+Uncoder IO Community Edition License`
	`3`	`+-----------------------------------------------------------------`
	`4`	`+Copyright (c) 2024 SOC Prime, Inc.`
	`5`	`+`
	`6`	`+Licensed under the Apache License, Version 2.0 (the "License");`
	`7`	`+you may not use this file except in compliance with the License.`
	`8`	`+You may obtain a copy of the License at`
	`9`	`+`
	`10`	`+ http://www.apache.org/licenses/LICENSE-2.0`
	`11`	`+`
	`12`	`+Unless required by applicable law or agreed to in writing, software`
	`13`	`+distributed under the License is distributed on an "AS IS" BASIS,`
	`14`	`+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
	`15`	`+See the License for the specific language governing permissions and`
	`16`	`+limitations under the License.`
	`17`	`+-----------------------------------------------------------------`
	`18`	`+"""`
	`19`	`+fromapp.translator.constimportDEFAULT_VALUE_TYPE`
	`20`	`+fromapp.translator.core.custom_types.valuesimportValueType`
	`21`	`+fromapp.translator.core.models.platform_detailsimportPlatformDetails`
	`22`	`+fromapp.translator.core.renderimportBaseFieldValueRender,PlatformQueryRender`
	`23`	`+fromapp.translator.managersimportrender_manager`
	`24`	`+fromapp.translator.platforms.anomali.constimportanomali_query_details`
	`25`	`+fromapp.translator.platforms.anomali.mappingimportAnomaliMappings,anomali_query_mappings`
	`26`	`+fromapp.translator.platforms.base.sql.str_value_managerimportsql_str_value_manager`
	`27`	`+`
	`28`	`+`
	`29`	`+classAnomaliFieldValueRender(BaseFieldValueRender):`
	`30`	`+details:PlatformDetails=anomali_query_details`
	`31`	`+str_value_manager=sql_str_value_manager`
	`32`	`+`
	`33`	`+@staticmethod`
	`34`	`+def_wrap_str_value(value:str)->str:`
	`35`	`+returnf"'{value}'"`
	`36`	`+`
	`37`	`+defequal_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`38`	`+ifisinstance(value,list):`
	`39`	`+returnf"({self.or_token.join([self.equal_modifier(field=field,value=v)forvinvalue])})"`
	`40`	`+returnf"{field} ={self._pre_process_value(field,value,wrap_str=True)}"`
	`41`	`+`
	`42`	`+defnot_equal_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`43`	`+ifisinstance(value,list):`
	`44`	`+returnf"({self.or_token.join([self.not_equal_modifier(field=field,value=v)forvinvalue])})"`
	`45`	`+returnf"{field} !={self._pre_process_value(field,value,wrap_str=True)}"`
	`46`	`+`
	`47`	`+defless_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`48`	`+returnf"{field} <{self._pre_process_value(field,value,wrap_str=True)}"`
	`49`	`+`
	`50`	`+defless_or_equal_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`51`	`+returnf"{field} <={self._pre_process_value(field,value,wrap_str=True)}"`
	`52`	`+`
	`53`	`+defgreater_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`54`	`+returnf"{field} >{self._pre_process_value(field,value,wrap_str=True)}"`
	`55`	`+`
	`56`	`+defgreater_or_equal_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`57`	`+returnf"{field} >={self._pre_process_value(field,value,wrap_str=True)}"`
	`58`	`+`
	`59`	`+defcontains_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`60`	`+ifisinstance(value,list):`
	`61`	`+returnf"({self.or_token.join(self.contains_modifier(field=field,value=v)forvinvalue)})"`
	`62`	`+returnf"{field} like '%{self._pre_process_value(field,value)}%'"`
	`63`	`+`
	`64`	`+defendswith_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`65`	`+ifisinstance(value,list):`
	`66`	`+returnf"({self.or_token.join(self.endswith_modifier(field=field,value=v)forvinvalue)})"`
	`67`	`+returnf"{field} like '%{self._pre_process_value(field,value)}'"`
	`68`	`+`
	`69`	`+defstartswith_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`70`	`+ifisinstance(value,list):`
	`71`	`+returnf"({self.or_token.join(self.startswith_modifier(field=field,value=v)forvinvalue)})"`
	`72`	`+returnf"{field} like '{self._pre_process_value(field,value)}%'"`
	`73`	`+`
	`74`	`+defregex_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`75`	`+ifisinstance(value,list):`
	`76`	`+returnf"({self.or_token.join(self.regex_modifier(field=field,value=v)forvinvalue)})"`
	`77`	`+regex_str=self._pre_process_value(field,value,value_type=ValueType.regex_value,wrap_str=True)`
	`78`	`+returnf"regexp_like({field},{regex_str})"`
	`79`	`+`
	`80`	`+defkeywords(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
	`81`	`+returnf'message contains "{self._pre_process_value(field,value)}"'`
	`82`	`+`
	`83`	`+`
	`84`	`+@render_manager.register`
	`85`	`+classAnomaliQueryRender(PlatformQueryRender):`
	`86`	`+details:PlatformDetails=anomali_query_details`
	`87`	`+mappings:AnomaliMappings=anomali_query_mappings`
	`88`	`+`
	`89`	`+or_token="OR"`
	`90`	`+and_token="AND"`
	`91`	`+not_token="NOT"`
	`92`	`+`
	`93`	`+comment_symbol="--"`
	`94`	`+is_single_line_comment=True`
	`95`	`+`
	`96`	`+field_value_render=AnomaliFieldValueRender(or_token=or_token)`
	`97`	`+`
	`98`	`+@staticmethod`
	`99`	`+def_finalize_search_query(query:str)->str:`
	`100`	`+returnf"\| where{query}"ifqueryelse""`

`‎uncoder-core/app/translator/platforms/base/aql/str_value_manager.py‎`

Lines changed: 1 addition & 32 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,50 +23,19 @@`
`23`	`23`	`fromapp.translator.core.custom_types.valuesimportValueType`
`24`	`24`	`fromapp.translator.core.str_value_managerimport (`
`25`	`25`	`CONTAINER_SPEC_SYMBOLS_MAP,`
	`26`	`+RE_STR_SPEC_SYMBOLS_MAP,`
`26`	`27`	`BaseSpecSymbol,`
`27`		`-ReAnySymbol,`
`28`		`-ReCaretSymbol,`
`29`		`-ReCommaSymbol,`
`30`	`28`	`ReDigitalSymbol,`
`31`		`-ReEndOfStrSymbol,`
`32`		`-ReHyphenSymbol,`
`33`		`-ReLeftCurlyBracket,`
`34`		`-ReLeftParenthesis,`
`35`		`-ReLeftSquareBracket,`
`36`		`-ReOneOrMoreQuantifier,`
`37`		`-ReOrOperator,`
`38`		`-ReRightCurlyBracket,`
`39`		`-ReRightParenthesis,`
`40`		`-ReRightSquareBracket,`
`41`	`29`	`ReWhiteSpaceSymbol,`
`42`	`30`	`ReWordBoundarySymbol,`
`43`	`31`	`ReWordSymbol,`
`44`		`-ReZeroOrMoreQuantifier,`
`45`		`-ReZeroOrOneQuantifier,`
`46`	`32`	`SingleSymbolWildCard,`
`47`	`33`	`StrValue,`
`48`	`34`	`StrValueManager,`
`49`	`35`	`UnboundLenWildCard,`
`50`	`36`	`)`
`51`	`37`	`fromapp.translator.platforms.base.aql.escape_managerimportaql_escape_manager`
`52`	`38`
`53`		`-RE_STR_SPEC_SYMBOLS_MAP= {`
`54`		`-"?":ReZeroOrOneQuantifier,`
`55`		`-"*":ReZeroOrMoreQuantifier,`
`56`		`-"+":ReOneOrMoreQuantifier,`
`57`		`-"^":ReCaretSymbol,`
`58`		`-"$":ReEndOfStrSymbol,`
`59`		`-".":ReAnySymbol,`
`60`		`-"[":ReLeftSquareBracket,`
`61`		`-"]":ReRightSquareBracket,`
`62`		`-"(":ReLeftParenthesis,`
`63`		`-")":ReRightParenthesis,`
`64`		`-"{":ReLeftCurlyBracket,`
`65`		`-"}":ReRightCurlyBracket,`
`66`		`-"\|":ReOrOperator,`
`67`		`-",":ReCommaSymbol,`
`68`		`-"-":ReHyphenSymbol,`
`69`		`-}`
`70`	`39`	`AQL_CONTAINER_SPEC_SYMBOLS_MAP=copy.copy(CONTAINER_SPEC_SYMBOLS_MAP)`
`71`	`40`	`AQL_CONTAINER_SPEC_SYMBOLS_MAP.update({SingleSymbolWildCard:"_",UnboundLenWildCard:"%"})`
`72`	`41`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitd9e767d

File tree

22 files changed

22 files changed

`‎uncoder-core/app/translator/const.py‎`

`‎uncoder-core/app/translator/core/str_value_manager.py‎`

`‎uncoder-core/app/translator/mappings/platforms/anomali/common.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/anomali/default.yml‎`

`‎uncoder-core/app/translator/platforms/anomali/init.py‎`

`‎uncoder-core/app/translator/platforms/anomali/const.py‎`

`‎uncoder-core/app/translator/platforms/anomali/mapping.py‎`

`‎uncoder-core/app/translator/platforms/anomali/renders/init.py‎`

`‎uncoder-core/app/translator/platforms/anomali/renders/anomali.py‎`

`‎uncoder-core/app/translator/platforms/base/aql/str_value_manager.py‎`

0 commit comments