UncoderIO
diff --git a/‎translator/.gitignore
Lines changed: 0 additions & 4 deletions b/‎translator/.gitignore
Lines changed: 0 additions & 4 deletions
diff --git a/‎siem-converter/app/dictionaries/tactics.json renamed to ‎translator/app/dictionaries/tactics.json b/‎siem-converter/app/dictionaries/tactics.json renamed to ‎translator/app/dictionaries/tactics.json
diff --git a/‎siem-converter/app/dictionaries/techniques.json renamed to ‎translator/app/dictionaries/techniques.json b/‎siem-converter/app/dictionaries/techniques.json renamed to ‎translator/app/dictionaries/techniques.json
diff --git a/‎translator/app/translator/core/mitre.py
Lines changed: 1 addition & 0 deletions b/‎translator/app/translator/core/mitre.py
Lines changed: 1 addition & 0 deletions
diff --git a/‎translator/app/translator/core/render.py
Lines changed: 12 additions & 5 deletions b/‎translator/app/translator/core/render.py
Lines changed: 12 additions & 5 deletions
diff --git a/‎translator/app/translator/platforms/logscale/renders/logscale.py
Lines changed: 19 additions & 12 deletions b/‎translator/app/translator/platforms/logscale/renders/logscale.py
Lines changed: 19 additions & 12 deletions
diff --git a/‎translator/app/translator/platforms/microsoft/siem_functions/__init__.py b/‎translator/app/translator/platforms/microsoft/siem_functions/__init__.py
diff --git a/‎translator/app/translator/platforms/microsoft/siem_functions/base.py
Lines changed: 0 additions & 20 deletions b/‎translator/app/translator/platforms/microsoft/siem_functions/base.py
Lines changed: 0 additions & 20 deletions
@@ -197,7 +197,3 @@ test_data
 
 # backup_logs
 .backup_logs
-
-# sigmac tests stuff
-tactics.json
-techniques.json
@@ -30,6 +30,7 @@ def __get_mitre_json(self) -> dict:
                 return json.loads(cti_json.read().decode())
         except HTTPError:
             return {}
+
     def update_mitre_config(self) -> None:
         if not (mitre_json := self.__get_mitre_json()):
             self.__load_mitre_configs_from_files()
 
@@ -194,14 +194,21 @@ def render_not_supported_functions(self, not_supported_functions: list) -> str:
     def wrap_with_comment(self, value: str) -> str:
         return f"{self.comment_symbol} {value}"
 
+    @staticmethod
+    def unique_queries(queries_map: Dict[str, str]) -> Dict[str, List[str]]:
+        unique_queries = {}
+        for source_id, query in queries_map.items():
+            unique_queries.setdefault(query, []).append(source_id)
+
+        return unique_queries
+
     def finalize(self, queries_map: Dict[str, str]) -> str:
-        unique_queries = set(queries_map.values())
         if len(set(queries_map.values())) == 1:
-            return next(iter(unique_queries))
-
+            return next(iter(queries_map.values()))
+        unique_queries = self.unique_queries(queries_map=queries_map)
         result = ""
-        for source_id, query in queries_map.items():
-            result = result + self.wrap_with_comment(source_id) + f"\n{query}\n\n"
+        for query, source_ids in unique_queries.items():
+            result = result + self.wrap_with_comment(", ".join(source_ids)) + f"\n{query}\n\n"
 
         return result
 
 
@@ -33,55 +33,62 @@ class LogScaleFieldValue(BaseQueryFieldValue):
 
     def apply_value(self, value: Union[str, int]) -> str:
         if isinstance(value, str) and '"' in value:
-            value = value.translate(str.maketrans({'"':  r'\"'}))
+            value = re.sub(r'(?<!\\)"', r'\"', value)
+        if isinstance(value, str) and '/' in value:
+            value = re.sub(r'(?<!\\)/', r'\/', value)
         return value
 
+    def apply_field_name(self, field_name: str) -> str:
+        if not field_name.isalpha():
+            return f'"{field_name}"'
+        return field_name
+
     def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
             return f"({self.or_token.join(self.equal_modifier(field=field, value=v) for v in value)})"
-        return f'{field}="{self.apply_value(value)}"'
+        return f'{self.apply_field_name(field_name=field)}=/{self.apply_value(value)}/i'
 
     def less_modifier(self, field: str, value: Union[int, str]) -> str:
-        return f'{field}<"{self.apply_value(value)}"'
+        return f'{self.apply_field_name(field_name=field)}<"{self.apply_value(value)}"'
 
     def less_or_equal_modifier(self, field: str, value: Union[int, str]) -> str:
-        return f'{field}<="{self.apply_value(value)}"'
+        return f'{self.apply_field_name(field_name=field)}<="{self.apply_value(value)}"'
 
     def greater_modifier(self, field: str, value: Union[int, str]) -> str:
-        return f'{field}>"{self.apply_value(value)}"'
+        return f'{self.apply_field_name(field_name=field)}>"{self.apply_value(value)}"'
 
     def greater_or_equal_modifier(self, field: str, value: Union[int, str]) -> str:
-        return f'{field}>="{self.apply_value(value)}"'
+        return f'{self.apply_field_name(field_name=field)}>="{self.apply_value(value)}"'
 
     def not_equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
             return f"({self.or_token.join([self.not_equal_modifier(field=field, value=v) for v in value])})"
-        return f'{field}!="{self.apply_value(value)}"'
+        return f'{self.apply_field_name(field_name=field)}!=/{self.apply_value(value)}/i'
 
     def contains_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
             return f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})"
-        return f'{field}="*{self.apply_value(value)}*"'
+        return f'{self.apply_field_name(field_name=field)}=/{self.apply_value(value)}/i'
 
     def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
             return f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})"
-        return f'{field}="*{self.apply_value(value)}"'
+        return f'{self.apply_field_name(field_name=field)}=/{self.apply_value(value)}$/i'
 
     def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
             return f"({self.or_token.join(self.startswith_modifier(field=field, value=v) for v in value)})"
-        return f'{field}="{self.apply_value(value)}*"'
+        return f'{self.apply_field_name(field_name=field)}=/^{self.apply_value(value)}/i'
 
     def regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
             return f"({self.or_token.join(self.regex_modifier(field=field, value=v) for v in value)})"
-        return f'{field}="/{self.apply_value(value)}/"'
+        return f'{self.apply_field_name(field_name=field)}=/{self.apply_value(value)}/'
 
     def keywords(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
             return f"({self.or_token.join(self.keywords(field=field, value=v) for v in value)})"
-        return f'"{self.apply_value(value)}"'
+        return f'/{self.apply_value(value)}/i'
 
 
 class LogScaleQueryRender(BaseQueryRender):