From 63960e4e2135264cedd0c2359af7a24a16546045 Mon Sep 17 00:00:00 2001
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com>
Date: Wed, 21 Aug 2024 15:54:51 +0300
Subject: [PATCH 1/5] gis-8503 add SplunkAlertYMLParser
---
 .../translator/platforms/splunk/__init__.py | 2 +-
 .../app/translator/platforms/splunk/const.py | 9 ++++++
 .../platforms/splunk/parsers/splunk_alert.py | 31 ++++++++++++++++++-
 3 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/uncoder-core/app/translator/platforms/splunk/__init__.py b/uncoder-core/app/translator/platforms/splunk/__init__.py
index 01b538f9..21b1049b 100644
--- a/uncoder-core/app/translator/platforms/splunk/__init__.py
+++ b/uncoder-core/app/translator/platforms/splunk/__init__.py
@@ -1,5 +1,5 @@
 from app.translator.platforms.splunk.parsers.splunk import SplunkQueryParser # noqa: F401
-from app.translator.platforms.splunk.parsers.splunk_alert import SplunkAlertParser # noqa: F401
+from app.translator.platforms.splunk.parsers.splunk_alert import SplunkAlertParser, SplunkAlertYMLParser # noqa: F401
 from app.translator.platforms.splunk.renders.splunk import SplunkQueryRender # noqa: F401
 from app.translator.platforms.splunk.renders.splunk_alert import SplunkAlertRender # noqa: F401
 from app.translator.platforms.splunk.renders.splunk_cti import SplunkCTI # noqa: F401
diff --git a/uncoder-core/app/translator/platforms/splunk/const.py b/uncoder-core/app/translator/platforms/splunk/const.py
index abbd3433..48733d58 100644
--- a/uncoder-core/app/translator/platforms/splunk/const.py
+++ b/uncoder-core/app/translator/platforms/splunk/const.py
@@ -42,5 +42,14 @@
 **PLATFORM_DETAILS,
 }
+SPLUNK_ALERT_YML_DETAILS = {
+ "platform_id": "splunk-alert-yml",
+ "name": "Splunk Alert YML",
+ "platform_name": "Alert (SPL)",
+ "first_choice": 0,
+ **PLATFORM_DETAILS,
+}
+
 splunk_query_details = PlatformDetails(**SPLUNK_QUERY_DETAILS)
 splunk_alert_details = PlatformDetails(**SPLUNK_ALERT_DETAILS)
+splunk_alert_yml_details = PlatformDetails(**SPLUNK_ALERT_YML_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py b/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py
index 944efcf7..5dc0229c 100644
--- a/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py
+++ b/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py
@@ -20,10 +20,11 @@
 from app.translator.core.custom_types.meta_info import SeverityType
 from app.translator.core.mitre import MitreConfig
+from app.translator.core.mixins.rule import YamlRuleMixin
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer, MitreInfoContainer, RawQueryContainer
 from app.translator.managers import parser_manager
-from app.translator.platforms.splunk.const import splunk_alert_details
+from app.translator.platforms.splunk.const import splunk_alert_details, splunk_alert_yml_details
 from app.translator.platforms.splunk.mapping import SplunkMappings, splunk_alert_mappings
 from app.translator.platforms.splunk.parsers.splunk import SplunkQueryParser
@@ -73,3 +74,31 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
 mitre_attack=mitre_attack_container,
 ),
 )
+
+
+@parser_manager.register
+class SplunkAlertYMLParser(SplunkQueryParser, YamlRuleMixin):
+ details: PlatformDetails = splunk_alert_yml_details
+ mappings: SplunkMappings = splunk_alert_mappings
+ mitre_config: MitreConfig = MitreConfig()
+
+ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
+ rule = self.load_rule(text)
+ mitre_attack_container = self.mitre_config.get_mitre_info(
+ techniques=rule.get("tags", {}).get("mitre_attack_id", [])
+ )
+ return RawQueryContainer(
+ query=rule.get("search"),
+ language=language,
+ meta_info=MetaInfoContainer(
+ id_=rule.get("id"),
+ title=rule.get("name"),
+ date=rule.get("date"),
+ author=rule.get("author").split(", "),
+ status=rule.get("status"),
+ description=rule.get("description"),
+ false_positives=rule.get("known_false_positives"),
+ references=rule.get("references"),
+ mitre_attack=mitre_attack_container,
+ ),
+ )
From f74705e00a6e8343bb9c1e59487c950670b812a6 Mon Sep 17 00:00:00 2001
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com>
Date: Wed, 21 Aug 2024 16:03:22 +0300
Subject: [PATCH 2/5] gis-8503 fix
---
 uncoder-core/app/translator/platforms/splunk/const.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/uncoder-core/app/translator/platforms/splunk/const.py b/uncoder-core/app/translator/platforms/splunk/const.py
index 48733d58..e340af0d 100644
--- a/uncoder-core/app/translator/platforms/splunk/const.py
+++ b/uncoder-core/app/translator/platforms/splunk/const.py
@@ -45,7 +45,7 @@
 SPLUNK_ALERT_YML_DETAILS = {
 "platform_id": "splunk-alert-yml",
 "name": "Splunk Alert YML",
- "platform_name": "Alert (SPL)",
+ "platform_name": "Alert (SPL) YML",
 "first_choice": 0,
 **PLATFORM_DETAILS,
 }
From 161d9c8de0b5eeb6cbf8f3502c244d8ee5c53c5d Mon Sep 17 00:00:00 2001
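Review bot: `author=rule.get("author").split(", ")` raises AttributeError the moment a rule omits `author` or sets it to null, so one malformed rule takes the whole parse down instead of producing an empty author list; `author=(rule.get("author") or "").split(", ")` keeps the current behaviour for well-formed rules. The same line is carried unchanged through the later hunks of this series (the `-96,9` hunk of patch 3 and the `-103,7` hunk of patch 5), so the fix belongs in the final version rather than here alone. `rule.get("tags", {})` has the same weakness: it only covers a missing `tags` key, while a present-but-null `tags:` makes `.get` fail on None, which `(rule.get("tags") or {})` avoids. `load_rule` comes from YamlRuleMixin and is not in this diff; because the rule text is caller-supplied it should be deserialised with `yaml.safe_load`, which is worth confirming in the mixin.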
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com>
Date: Thu, 22 Aug 2024 16:03:14 +0300
Subject: [PATCH 3/5] gis-8503 fix
---
 .../translator/platforms/splunk/parsers/splunk_alert.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py b/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py
index 5dc0229c..d7e45416 100644
--- a/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py
+++ b/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py
@@ -87,6 +87,12 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
 mitre_attack_container = self.mitre_config.get_mitre_info(
 techniques=rule.get("tags", {}).get("mitre_attack_id", [])
 )
+ description = rule.get("description", "")
+ if rule.get("how_to_implement", ""):
+ description = f'{description} {rule.get("how_to_implement", "")}'
+ tags = rule.get("tags", {}).get("analytic_story", [])
+ if rule.get("type"):
+ tags.append(rule.get("type"))
 return RawQueryContainer(
 query=rule.get("search"),
 language=language,
@@ -96,9 +102,10 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
 date=rule.get("date"),
 author=rule.get("author").split(", "),
 status=rule.get("status"),
- description=rule.get("description"),
+ description=description,
 false_positives=rule.get("known_false_positives"),
 references=rule.get("references"),
 mitre_attack=mitre_attack_container,
+ tags=tags,
 ),
 )
From 66d87d523663c10a97a766c57b395d81a219f7ef Mon Sep 17 00:00:00 2001
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com>
Date: Mon, 26 Aug 2024 12:32:36 +0300
Subject: [PATCH 4/5] gis-8503 change splunk platform_id
---
 uncoder-core/app/translator/platforms/splunk/const.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
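Review bot: In the `-87,6` hunk, `tags = rule.get("tags", {}).get("analytic_story", [])` followed by `tags.append(rule.get("type"))` appends into the list object that still belongs to the parsed `rule` dict, so the rule's own `analytic_story` is modified as a side effect (which matters if the loaded dict is reused), and it raises AttributeError when `analytic_story` is a single string rather than a list. Copying and normalising first avoids both: `story = rule.get("tags", {}).get("analytic_story") or []` then `tags = list(story) if isinstance(story, list) else [story]` before the `type` append. Likewise `rule.get("description", "")` still yields None when the key is present with a null value, and the f-string on the next line then renders the literal text "None"; `rule.get("description") or ""` is the default the code appears to intend. The enclosing `parse_raw_query` starts and ends outside this hunk.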
diff --git a/uncoder-core/app/translator/platforms/splunk/const.py b/uncoder-core/app/translator/platforms/splunk/const.py
index e340af0d..7d0bb15a 100644
--- a/uncoder-core/app/translator/platforms/splunk/const.py
+++ b/uncoder-core/app/translator/platforms/splunk/const.py
@@ -43,7 +43,7 @@
 }
 SPLUNK_ALERT_YML_DETAILS = {
- "platform_id": "splunk-alert-yml",
+ "platform_id": "splunk-spl-rule-yml",
 "name": "Splunk Alert YML",
 "platform_name": "Alert (SPL) YML",
 "first_choice": 0,
From 51cdf695c826989bbdc2ae621a44eff83b6364f5 Mon Sep 17 00:00:00 2001
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com>
Date: Wed, 28 Aug 2024 17:03:09 +0300
Subject: [PATCH 5/5] gis-8503 fix false_positive metainfo
---
 .../translator/platforms/splunk/parsers/splunk_alert.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py b/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py
index d7e45416..14656093 100644
--- a/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py
+++ b/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py
@@ -93,6 +93,13 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
 tags = rule.get("tags", {}).get("analytic_story", [])
 if rule.get("type"):
 tags.append(rule.get("type"))
+ false_positives = None
+ if rule.get("known_false_positives"):
+ false_positives = (
+ rule["known_false_positives"]
+ if isinstance(rule["known_false_positives"], list)
+ else [rule["known_false_positives"]]
+ )
 return RawQueryContainer(
 query=rule.get("search"),
 language=language,
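Review bot: The new `false_positives` block in the `-93,6` hunk looks up `rule["known_false_positives"]` three times after already testing it with `rule.get(...)`; binding it once reads more plainly and keeps the truthiness test and the isinstance branch on the same value: `fp = rule.get("known_false_positives")` and `false_positives = (fp if isinstance(fp, list) else [fp]) if fp else None`. The string-or-list normalisation this introduces is the right shape for YAML input, and `references=rule.get("references")` a few lines below (outside this hunk) is still passed through raw, so a scalar `references:` reaches MetaInfoContainer as a bare string; whether that container accepts it is not visible here, but a small shared `_as_list` helper would cover both fields. `parse_raw_query` starts and ends outside this hunk.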
@@ -103,7 +110,7 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
 author=rule.get("author").split(", "),
 status=rule.get("status"),
 description=description,
- false_positives=rule.get("known_false_positives"),
+ false_positives=false_positives,
 references=rule.get("references"),
 mitre_attack=mitre_attack_container,
 tags=tags,