Commitebc3e81

author
oleksandr.volha
committed
resolve conflicts
2 parentsa426828 +416f5ca commitebc3e81


11 files changed

+173
-8
lines changed

Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
platform:ElasticSearch ES|QL
2+
source:aws_cloudtrail
3+
log_source:
4+
index:[logs-*]
5+
default_log_source:
6+
index:logs-*
7+
field_mapping:
8+
additionalEventdata:aws.cloudtrail.additional_eventdata
9+
apiVersion:aws.cloudtrail.api_version
10+
awsRegion:cloud.region
11+
errorCode:aws.cloudtrail.error_code
12+
errorMessage:aws.cloudtrail.error_message
13+
eventID:event.id
14+
eventName:event.action
15+
eventSource:event.provider
16+
eventTime:'@timestamp'
17+
eventType:aws.cloudtrail.event_type
18+
eventVersion:aws.cloudtrail.event_version
19+
managementEvent:aws.cloudtrail.management_event
20+
readOnly:aws.cloudtrail.read_only
21+
requestID:aws.cloudtrail.request_id
22+
requestParameters:aws.cloudtrail.request_parameters
23+
resources.accountId:aws.cloudtrail.resources.account_id
24+
resources.ARN:aws.cloudtrail.resources.arn
25+
resources.type:aws.cloudtrail.resources.type
26+
responseElements:aws.cloudtrail.response_elements
27+
serviceEventDetails:aws.cloudtrail.service_event_details
28+
sharedEventId:aws.cloudtrail.shared_event_id
29+
sourceIPAddress:source.address
30+
userAgent:user_agent
31+
userIdentity.accessKeyId:aws.cloudtrail.user_identity.access_key_id
32+
userIdentity.accountId:cloud.account.id
33+
userIdentity.arn:aws.cloudtrail.user_identity.arn
34+
userIdentity.invokedBy:aws.cloudtrail.user_identity.invoked_by
35+
userIdentity.principalId:user.id
36+
userIdentity.sessionContext.attributes.creationDate:aws.cloudtrail.user_identity.session_context.creation_date
37+
userIdentity.sessionContext.attributes.mfaAuthenticated:aws.cloudtrail.user_identity.session_context.mfa_authenticated
38+
userIdentity.sessionContext.sessionIssuer.userName:role.name
39+
userIdentity.type:aws.cloudtrail.user_identity.type
40+
userIdentity.userName:user.name
41+
vpcEndpointId:aws.cloudtrail.vpc_endpoint_id

‎uncoder-core/app/translator/mappings/platforms/qradar/default.yml‎

Lines changed: 4 additions & 2 deletions
@@ -14,6 +14,8 @@ field_mapping:
1414
-DstPort
1515
-DestinationPort
1616
-remoteport
17+
dst-hostname:DstHost
18+
src-hostname:SrcHost
1719
src-port:
1820
-SourcePort
1921
-localport
@@ -94,11 +96,11 @@ field_mapping:
9496
Action:Action
9597
Workstation:Machine Identifier
9698
GroupMembership:Role Name
97-
FileName:
99+
FileName:
98100
-Filename
99101
-File Name
100102
-Encoded Filename
101-
RegistryKey:
103+
RegistryKey:
102104
-Registry Key
103105
-Target Object
104106
RegistryValue:RegistryValue

‎uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml‎

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@ field_mapping:
2424
-ProcessName
2525
IntegrityLevel:IntegrityLevel
2626
ParentCommandLine:Parent Command
27-
ParentImage:
27+
ParentImage:
2828
-Parent Process Path
2929
-ParentProcessName
3030
ParentUser:ParentUser

‎uncoder-core/app/translator/platforms/base/lucene/tokenizer.py‎

Lines changed: 5 additions & 2 deletions
@@ -38,6 +38,7 @@ class LuceneTokenizer(QueryTokenizer, ANDLogicOperatorMixin):
3838
":>":OperatorType.GT,
3939
":<":OperatorType.LT,
4040
":":OperatorType.EQ,
41+
"==":OperatorType.EQ,
4142
}
4243
multi_value_operators_map:ClassVar[dict[str,str]]= {":":OperatorType.EQ}
4344

@@ -61,7 +62,7 @@ class LuceneTokenizer(QueryTokenizer, ANDLogicOperatorMixin):
6162

6263
multi_value_pattern=rf"""\((?P<{ValueType.multi_value}>[:a-zA-Z\"\*0-9=+%#№;\-_\/\\'\,.$&^@!\(\[\]\s|]+)\)"""
6364
multi_value_check_pattern=r"___field___\s*___operator___\s*\("
64-
multi_value_delimiter_pattern=r"\s+OR\s+"
65+
multi_value_delimiter_pattern=r"\s+(?:OR|or)\s+"
6566

6667
escape_manager=lucene_escape_manager
6768

@@ -77,7 +78,9 @@ def create_field_value(field_name: str, operator: Identifier, value: Union[str,
7778

7879
@staticmethod
7980
defclean_multi_value(value:str)->str:
80-
returnvalue.strip('"')ifvalue.startswith('"')andvalue.endswith('"')elsevalue
81+
value=value.replace("\n","").replace(" ","")
82+
value=value.strip('"')ifvalue.startswith('"')andvalue.endswith('"')elsevalue
83+
returnvalue.strip()
8184

8285
defget_operator_and_value(# noqa: PLR0911
8386
self,match:re.Match,mapped_operator:str=OperatorType.EQ,operator:Optional[str]=None
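Review bot: In the new `clean_multi_value` (new-side lines 81-83) `value.replace("\n", "").replace(" ", "")` deletes every space inside the value, not only the whitespace around it, so a quoted element such as `"Program Files"` is rewritten to `ProgramFiles` and the translated rule silently stops matching the data it was written for. If the intent is to drop the newlines and padding left around each element by the delimiter split, `value = value.strip()` on that line is sufficient, and the final `return value.strip()` becomes a harmless no-op. The new delimiter pattern `\s+(?:OR|or)\s+` at line 65 accepts `OR` and `or` but still rejects `Or`; applying the pattern with `re.IGNORECASE` at the split site would cover every spelling, though that call is outside this hunk. `get_operator_and_value` begins at the end of the hunk and continues outside it.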

‎uncoder-core/app/translator/platforms/base/spl/parsers/spl.py‎

Lines changed: 4 additions & 0 deletions
@@ -29,6 +29,7 @@
2929

3030
classSplQueryParser(PlatformQueryParser):
3131
log_source_pattern=r"^___source_type___\s*=\s*(?:\"(?P<d_q_value>[%a-zA-Z_*:0-9\-/]+)\"|(?P<value>[%a-zA-Z_*:0-9\-/]+))(?:\s+(?:and|or)\s+|\s+)?"# noqa: E501
32+
rule_name_pattern=r"`(?P<name>(?:[:a-zA-Z*0-9=+%#\-_/,;`?~‘\'.<>$&^@!\]\[()\s])*)`"
3233
log_source_key_types= ("index","source","sourcetype","sourcecategory")
3334

3435
platform_functions:SplFunctions=None
@@ -53,6 +54,9 @@ def _parse_log_sources(self, query: str) -> tuple[dict[str, list[str]], str]:
5354
returnlog_sources,query
5455

5556
def_parse_query(self,query:str)->tuple[str,dict[str,list[str]],ParsedFunctions]:
57+
ifre.match(self.rule_name_pattern,query):
58+
search=re.search(self.rule_name_pattern,query,flags=re.IGNORECASE)
59+
query=query[:search.start()]+query[search.end():]
5660
query=query.strip()
5761
log_sources,query=self._parse_log_sources(query)
5862
query,functions=self.platform_functions.parse(query)
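Review bot: The character class in the new `rule_name_pattern` (line 32) includes the backtick that also delimits the name and the group is greedy, so on a query that additionally uses backtick-wrapped SPL macros the match runs from the leading backtick to the last backtick in the query, and `_parse_query` (lines 57-59) then removes everything in between, silently dropping search conditions from the translated rule. Removing the backtick from the class, or making the group non-greedy with `(?:[...])*?`, confines the match to the rule name. The two regex calls are also inconsistent: `re.match` runs without `re.IGNORECASE` while `re.search` uses it, and since `re.match` already anchors at the start the pair can collapse to `if match := re.match(self.rule_name_pattern, query, flags=re.IGNORECASE): query = query[match.end():]`. `_parse_query` continues outside the hunk.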

‎uncoder-core/app/translator/platforms/elasticsearch/__init__.py‎

Lines changed: 1 addition & 0 deletions
@@ -3,6 +3,7 @@
33
ElasticSearchRuleTOMLParser,# noqa: F401
44
)
55
fromapp.translator.platforms.elasticsearch.parsers.elasticsearchimportElasticSearchQueryParser# noqa: F401
6+
fromapp.translator.platforms.elasticsearch.parsers.elasticsearch_eqlimportElasticSearchEQLQueryParser# noqa: F401
67
fromapp.translator.platforms.elasticsearch.renders.detection_ruleimportElasticSearchRuleRender# noqa: F401
78
fromapp.translator.platforms.elasticsearch.renders.elast_alertimportElastAlertRuleRender# noqa: F401
89
fromapp.translator.platforms.elasticsearch.renders.elasticsearchimportElasticSearchQueryRender# noqa: F401

‎uncoder-core/app/translator/platforms/elasticsearch/const.py‎

Lines changed: 9 additions & 0 deletions
@@ -11,6 +11,7 @@
1111
_ELASTIC_WATCHER_RULE="elastic-watcher-rule"
1212
_ELASTIC_ESQL_QUERY="elastic-esql-query"
1313
_ELASTIC_ESQL_RULE="elastic-esql-rule"
14+
_ELASTIC_EQL_QUERY="elastic-eql-query"
1415

1516
ELASTIC_QUERY_TYPES= {
1617
_ELASTIC_LUCENE_QUERY,
@@ -83,6 +84,13 @@
8384
**PLATFORM_DETAILS,
8485
}
8586

87+
ELASTICSEARCH_EQL_QUERY_DETAILS= {
88+
"platform_id":_ELASTIC_EQL_QUERY,
89+
"name":"Elasticsearch EQL Query",
90+
"platform_name":"Query (EQL)",
91+
**PLATFORM_DETAILS,
92+
}
93+
8694
elasticsearch_lucene_query_details=PlatformDetails(**ELASTICSEARCH_LUCENE_QUERY_DETAILS)
8795
elasticsearch_esql_query_details=PlatformDetails(**ELASTICSEARCH_ESQL_QUERY_DETAILS)
8896
elasticsearch_esql_rule_details=PlatformDetails(**ELASTICSEARCH_ESQL_RULE_DETAILS)
@@ -91,6 +99,7 @@
9199
elastalert_details=PlatformDetails(**ELASTALERT_DETAILS)
92100
kibana_rule_details=PlatformDetails(**KIBANA_DETAILS)
93101
xpack_watcher_details=PlatformDetails(**XPACK_WATCHER_DETAILS)
102+
elastic_eql_query_details=PlatformDetails(**ELASTICSEARCH_EQL_QUERY_DETAILS)
94103

95104
ELASTICSEARCH_DETECTION_RULE= {
96105
"description":"Autogenerated ElasticSearch Detection Rule.",

‎uncoder-core/app/translator/platforms/elasticsearch/mapping.py‎

Lines changed: 2 additions & 0 deletions
@@ -2,6 +2,7 @@
22
fromapp.translator.platforms.elasticsearch.constimport (
33
elastalert_details,
44
elasticsearch_esql_query_details,
5+
elastic_eql_query_details,
56
elasticsearch_lucene_query_details,
67
elasticsearch_rule_details,
78
kibana_rule_details,
@@ -17,6 +18,7 @@
1718
elastalert_mappings=LuceneMappings(platform_dir="elasticsearch",platform_details=elastalert_details)
1819
kibana_rule_mappings=LuceneMappings(platform_dir="elasticsearch",platform_details=kibana_rule_details)
1920
xpack_watcher_mappings=LuceneMappings(platform_dir="elasticsearch",platform_details=xpack_watcher_details)
21+
elastic_eql_query_mappings=LuceneMappings(platform_dir="elasticsearch",platform_details=elastic_eql_query_details)
2022

2123

2224
classElasticESQLMappings(LuceneMappings):
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
importre
2+
3+
fromapp.translator.core.models.platform_detailsimportPlatformDetails
4+
fromapp.translator.core.models.query_containerimportRawQueryContainer,TokenizedQueryContainer
5+
fromapp.translator.core.parserimportPlatformQueryParser
6+
fromapp.translator.managersimportparser_manager
7+
fromapp.translator.platforms.base.lucene.mappingimportLuceneMappings
8+
fromapp.translator.platforms.elasticsearch.constimportelastic_eql_query_details
9+
fromapp.translator.platforms.elasticsearch.mappingimportelastic_eql_query_mappings
10+
fromapp.translator.platforms.elasticsearch.tokenizerimportElasticSearchEQLTokenizer
11+
12+
13+
@parser_manager.register_supported_by_roota
14+
classElasticSearchEQLQueryParser(PlatformQueryParser):
15+
details:PlatformDetails=elastic_eql_query_details
16+
tokenizer=ElasticSearchEQLTokenizer()
17+
mappings:LuceneMappings=elastic_eql_query_mappings
18+
query_delimiter_pattern=r"\swhere\s"
19+
20+
def_parse_query(self,query:str)->tuple[str,dict[str,list[str]]]:
21+
log_source= {"category": []}
22+
ifre.search(self.query_delimiter_pattern,query,flags=re.IGNORECASE):
23+
sp_query=re.split(self.query_delimiter_pattern,query,flags=re.IGNORECASE)
24+
ifsp_query[0].lower()!="all":
25+
log_source["category"].append(sp_query[0])
26+
returnsp_query[1],log_source
27+
returnquery,log_source
28+
29+
defparse(self,raw_query_container:RawQueryContainer)->TokenizedQueryContainer:
30+
query,log_sources=self._parse_query(raw_query_container.query)
31+
query_tokens=self.get_query_tokens(query)
32+
field_tokens=self.get_field_tokens(query_tokens)
33+
source_mappings=self.get_source_mappings(field_tokens,log_sources)
34+
meta_info=raw_query_container.meta_info
35+
meta_info.query_fields=field_tokens
36+
meta_info.source_mapping_ids= [source_mapping.source_idforsource_mappinginsource_mappings]
37+
returnTokenizedQueryContainer(tokens=query_tokens,meta_info=meta_info)
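Review bot: `_parse_query` (lines 20-27) calls `re.split` without `maxsplit`, so a query in which the delimiter ` where ` occurs more than once (for example inside a quoted string value or a later clause) is split at every occurrence and `sp_query[1]` keeps only the segment up to the second one; the rest of the query is silently dropped from the translated rule and no error is raised. Passing `maxsplit=1` keeps the remainder intact, `sp_query = re.split(self.query_delimiter_pattern, query, maxsplit=1, flags=re.IGNORECASE)`, and the preceding `re.search` then becomes redundant because `len(sp_query) == 2` carries the same information. The category in `sp_query[0]` is appended unstripped, so whitespace before `process where ...` would end up in the category name; `category = sp_query[0].strip()` before the `all` comparison avoids that. The class has no docstring; a one-liner such as `"""Parse an Elasticsearch EQL query: split the leading event category off the where clause, then tokenize the rest."""` would help.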

‎uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py‎

Lines changed: 3 additions & 3 deletions
@@ -28,14 +28,14 @@
2828
fromapp.translator.platforms.elasticsearch.constimportelasticsearch_esql_query_details
2929
fromapp.translator.platforms.elasticsearch.mappingimportElasticESQLMappings,esql_query_mappings
3030
fromapp.translator.platforms.elasticsearch.str_value_managerimport (
31-
ESQLQueryStrValueManager,
32-
esql_query_str_value_manager
31+
ESQLStrValueManager,
32+
esql_str_value_manager
3333
)
3434

3535

3636
classESQLFieldValueRender(BaseFieldValueRender):
3737
details:PlatformDetails=elasticsearch_esql_query_details
38-
str_value_manager:ESQLQueryStrValueManager=esql_query_str_value_manager
38+
str_value_manager:ESQLStrValueManager=esql_str_value_manager
3939

4040
@staticmethod
4141
def_make_case_insensitive(value:str)->str:
