|
20 | 20 |
|
21 | 21 | from app.translator.core.custom_types.meta_info import SeverityType
|
22 | 22 | from app.translator.core.mitre import MitreConfig
|
| 23 | +from app.translator.core.mixins.rule import YamlRuleMixin |
23 | 24 | from app.translator.core.models.platform_details import PlatformDetails
|
24 | 25 | from app.translator.core.models.query_container import MetaInfoContainer, MitreInfoContainer, RawQueryContainer
|
25 | 26 | from app.translator.managers import parser_manager
|
26 |
| -from app.translator.platforms.splunk.const import splunk_alert_details |
| 27 | +from app.translator.platforms.splunk.const import splunk_alert_details, splunk_alert_yml_details |
27 | 28 | from app.translator.platforms.splunk.mapping import SplunkMappings, splunk_alert_mappings
|
28 | 29 | from app.translator.platforms.splunk.parsers.splunk import SplunkQueryParser
|
29 | 30 |
|
@@ -73,3 +74,45 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
|
73 | 74 | mitre_attack=mitre_attack_container,
|
74 | 75 | ),
|
75 | 76 | )
|
| 77 | + |
| 78 | + |
| 79 | +@parser_manager.register |
| 80 | +class SplunkAlertYMLParser(SplunkQueryParser, YamlRuleMixin): |
| 81 | + details: PlatformDetails = splunk_alert_yml_details |
| 82 | + mappings: SplunkMappings = splunk_alert_mappings |
| 83 | + mitre_config: MitreConfig = MitreConfig() |
| 84 | + |
| 85 | + def parse_raw_query(self, text: str, language: str) -> RawQueryContainer: |
| 86 | + rule = self.load_rule(text) |
| 87 | + mitre_attack_container = self.mitre_config.get_mitre_info( |
| 88 | + techniques=rule.get("tags", {}).get("mitre_attack_id", []) |
| 89 | + ) |
| 90 | + description = rule.get("description", "") |
| 91 | + if rule.get("how_to_implement", ""): |
| 92 | + description = f'{description} {rule.get("how_to_implement", "")}' |
| 93 | + tags = rule.get("tags", {}).get("analytic_story", []) |
| 94 | + if rule.get("type"): |
| 95 | + tags.append(rule.get("type")) |
| 96 | + false_positives = None |
| 97 | + if rule.get("known_false_positives"): |
| 98 | + false_positives = ( |
| 99 | + rule["known_false_positives"] |
| 100 | + if isinstance(rule["known_false_positives"], list) |
| 101 | + else [rule["known_false_positives"]] |
| 102 | + ) |
| 103 | + return RawQueryContainer( |
| 104 | + query=rule.get("search"), |
| 105 | + language=language, |
| 106 | + meta_info=MetaInfoContainer( |
| 107 | + id_=rule.get("id"), |
| 108 | + title=rule.get("name"), |
| 109 | + date=rule.get("date"), |
| 110 | + author=rule.get("author").split(", "), |
| 111 | + status=rule.get("status"), |
| 112 | + description=description, |
| 113 | + false_positives=false_positives, |
| 114 | + references=rule.get("references"), |
| 115 | + mitre_attack=mitre_attack_container, |
| 116 | + tags=tags, |
| 117 | + ), |
| 118 | + ) |
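Review bot: `author=rule.get("author").split(", ")` raises AttributeError when the YAML has no `author` key, while every other field in this constructor tolerates absence via `.get`; guard it the same way, e.g. `author=rule["author"].split(", ") if isinstance(rule.get("author"), str) else None` (using whatever default `MetaInfoContainer.author` expects). The `rule.get("tags", {}).get(...)` chains have the same weakness for a `tags:` key that is present but empty, since YAML parses that to `None`, and `tags.append(rule.get("type"))` mutates the list inside the parsed document in place, so `tags = list(...)` is safer if the mixin retains the loaded rule. This text is operator-supplied rule content, and `self.load_rule` is defined in `YamlRuleMixin` outside this hunk, so it should be confirmed to use `yaml.safe_load` rather than `yaml.load` with an unrestricted loader; a `# rule text is untrusted input: load_rule must parse with yaml.safe_load` comment at the call site would make that requirement visible to the next maintainer.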