Merge branch 'main' into gis-8639

nazargesyk · nazargesyk · commit 2703d8aea1c6 · 2024-10-16T10:34:36.000+03:00
diff --git a/uncoder-core/app/translator/mappings/platforms/elasticsearch_esql/aws_cloudtrail.yml b/uncoder-core/app/translator/mappings/platforms/elasticsearch_esql/aws_cloudtrail.yml
@@ -0,0 +1,41 @@
+platform: ElasticSearch ES|QL
+source: aws_cloudtrail
+log_source:
+  index: [logs-*]
+default_log_source:
+  index: logs-*
+field_mapping:
+  additionalEventdata: aws.cloudtrail.additional_eventdata
+  apiVersion: aws.cloudtrail.api_version
+  awsRegion: cloud.region
+  errorCode: aws.cloudtrail.error_code
+  errorMessage: aws.cloudtrail.error_message
+  eventID: event.id
+  eventName: event.action
+  eventSource: event.provider
+  eventTime: '@timestamp'
+  eventType: aws.cloudtrail.event_type
+  eventVersion: aws.cloudtrail.event_version
+  managementEvent: aws.cloudtrail.management_event
+  readOnly: aws.cloudtrail.read_only
+  requestID: aws.cloudtrail.request_id
+  requestParameters: aws.cloudtrail.request_parameters
+  resources.accountId: aws.cloudtrail.resources.account_id
+  resources.ARN: aws.cloudtrail.resources.arn
+  resources.type: aws.cloudtrail.resources.type
+  responseElements: aws.cloudtrail.response_elements
+  serviceEventDetails: aws.cloudtrail.service_event_details
+  sharedEventId: aws.cloudtrail.shared_event_id
+  sourceIPAddress: source.address
+  userAgent: user_agent
+  userIdentity.accessKeyId: aws.cloudtrail.user_identity.access_key_id
+  userIdentity.accountId: cloud.account.id
+  userIdentity.arn: aws.cloudtrail.user_identity.arn
+  userIdentity.invokedBy: aws.cloudtrail.user_identity.invoked_by
+  userIdentity.principalId: user.id
+  userIdentity.sessionContext.attributes.creationDate: aws.cloudtrail.user_identity.session_context.creation_date
+  userIdentity.sessionContext.attributes.mfaAuthenticated: aws.cloudtrail.user_identity.session_context.mfa_authenticated
+  userIdentity.sessionContext.sessionIssuer.userName: role.name
+  userIdentity.type: aws.cloudtrail.user_identity.type
+  userIdentity.userName: user.name
+  vpcEndpointId: aws.cloudtrail.vpc_endpoint_id
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -14,6 +14,8 @@ field_mapping:
     - DstPort
     - DestinationPort
     - remoteport
+  dst-hostname: DstHost
+  src-hostname: SrcHost
   src-port:
     - SourcePort
     - localport
@@ -94,11 +96,11 @@ field_mapping:
   Action: Action
   Workstation: Machine Identifier
   GroupMembership: Role Name
-  FileName: 
+  FileName:
     - Filename
     - File Name
     - Encoded Filename
-  RegistryKey: 
+  RegistryKey:
     - Registry Key
     - Target Object
   RegistryValue: RegistryValue
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml
@@ -24,7 +24,7 @@ field_mapping:
     - ProcessName
   IntegrityLevel: IntegrityLevel
   ParentCommandLine: Parent Command
-  ParentImage: 
+  ParentImage:
     - Parent Process Path
     - ParentProcessName
   ParentUser: ParentUser
diff --git a/uncoder-core/app/translator/platforms/base/lucene/tokenizer.py b/uncoder-core/app/translator/platforms/base/lucene/tokenizer.py
@@ -38,6 +38,7 @@ class LuceneTokenizer(QueryTokenizer, ANDLogicOperatorMixin):
         ":>": OperatorType.GT,
         ":<": OperatorType.LT,
         ":": OperatorType.EQ,
+        "==": OperatorType.EQ,
     }
     multi_value_operators_map: ClassVar[dict[str, str]] = {":": OperatorType.EQ}
 
@@ -61,7 +62,7 @@ class LuceneTokenizer(QueryTokenizer, ANDLogicOperatorMixin):
 
     multi_value_pattern = rf"""\((?P<{ValueType.multi_value}>[:a-zA-Z\"\*0-9=+%#№;\-_\/\\'\,.$&^@!\(\[\]\s|]+)\)"""
     multi_value_check_pattern = r"___field___\s*___operator___\s*\("
-    multi_value_delimiter_pattern = r"\s+OR\s+"
+    multi_value_delimiter_pattern = r"\s+(?:OR|or)\s+"
 
     escape_manager = lucene_escape_manager
 
@@ -77,7 +78,9 @@ def create_field_value(field_name: str, operator: Identifier, value: Union[str,
 
     @staticmethod
     def clean_multi_value(value: str) -> str:
-        return value.strip('"') if value.startswith('"') and value.endswith('"') else value
+        value = value.replace("\n", "").replace("  ", "")
+        value = value.strip('"') if value.startswith('"') and value.endswith('"') else value
+        return value.strip()
 
     def get_operator_and_value(  # noqa: PLR0911
         self, match: re.Match, mapped_operator: str = OperatorType.EQ, operator: Optional[str] = None
diff --git a/uncoder-core/app/translator/platforms/base/spl/parsers/spl.py b/uncoder-core/app/translator/platforms/base/spl/parsers/spl.py
@@ -29,6 +29,7 @@
 
 class SplQueryParser(PlatformQueryParser):
     log_source_pattern = r"^___source_type___\s*=\s*(?:\"(?P<d_q_value>[%a-zA-Z_*:0-9\-/]+)\"|(?P<value>[%a-zA-Z_*:0-9\-/]+))(?:\s+(?:and|or)\s+|\s+)?"  # noqa: E501
+    rule_name_pattern = r"`(?P<name>(?:[:a-zA-Z*0-9=+%#\-_/,;`?~‘\'.<>$&^@!\]\[()\s])*)`"
     log_source_key_types = ("index", "source", "sourcetype", "sourcecategory")
 
     platform_functions: SplFunctions = None
@@ -53,6 +54,9 @@ def _parse_log_sources(self, query: str) -> tuple[dict[str, list[str]], str]:
         return log_sources, query
 
     def _parse_query(self, query: str) -> tuple[str, dict[str, list[str]], ParsedFunctions]:
+        if re.match(self.rule_name_pattern, query):
+            search = re.search(self.rule_name_pattern, query, flags=re.IGNORECASE)
+            query = query[:search.start()] + query[search.end():]
         query = query.strip()
         log_sources, query = self._parse_log_sources(query)
         query, functions = self.platform_functions.parse(query)
