
Commit 532bf3d

committed
gis-9099 add microsoft sentinel to one vendor flow
1 parent 3e2c071 commit 532bf3d


2 files changed

+33
-6
lines changed


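--- a/uncoder-core/app/translator/platforms/microsoft/const.py
+++ b/uncoder-core/app/translator/platforms/microsoft/const.py
@@ -19,15 +19,18 @@
 
 PLATFORM_DETAILS = {"group_id": "sentinel", "group_name": "Microsoft Sentinel"}
 
+_SENTINEL_KQL_QUERY = "sentinel-kql-query"
+_SENTINEL_KQL_RULE = "sentinel-kql-rule"
+
 MICROSOFT_SENTINEL_QUERY_DETAILS = {
-"platform_id": "sentinel-kql-query",
+"platform_id": _SENTINEL_KQL_QUERY,
 "name": "Microsoft Sentinel Query",
 "platform_name": "Query (Kusto)",
 **PLATFORM_DETAILS,
 }
 
 MICROSOFT_SENTINEL_RULE_DETAILS = {
-"platform_id": "sentinel-kql-rule",
+"platform_id": _SENTINEL_KQL_RULE,
 "name": "Microsoft Sentinel Rule",
 "platform_name": "Rule (Kusto)",
 "first_choice": 0,
@@ -50,6 +53,8 @@
 "group_id": "microsoft-defender",
 }
 
+MICROSOFT_QUERY_TYPES = {_SENTINEL_KQL_QUERY, _SENTINEL_KQL_RULE}
+
 microsoft_defender_query_details = PlatformDetails(**MICROSOFT_DEFENDER_DETAILS)
 microsoft_sentinel_query_details = PlatformDetails(**MICROSOFT_SENTINEL_QUERY_DETAILS)
 microsoft_sentinel_rule_details = PlatformDetails(**MICROSOFT_SENTINEL_RULE_DETAILS)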
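Review bot: The new `MICROSOFT_QUERY_TYPES` set (new line 56) contains only the two Sentinel platform ids, while `MICROSOFT_DEFENDER_DETAILS` with `"group_id": "microsoft-defender"` sits directly above it and is left out, so the name overstates what the set covers. Since this set decides which source/target pairs take the one-vendor path in `translator.py`, the omission changes routing, and a reader will assume Defender↔Sentinel also takes the direct path. If excluding Defender is intentional, say so at the definition: `# One-vendor flow ids: Sentinel KQL query/rule only; Defender KQL is a separate group and is deliberately excluded.` Otherwise add the Defender platform id (defined above this hunk) to the set.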

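--- a/uncoder-core/app/translator/translator.py
+++ b/uncoder-core/app/translator/translator.py
@@ -1,12 +1,16 @@
 import logging
-from typing import Optional
+from collections import Counter
+from typing import Optional, Union
 
 from app.translator.core.exceptions.core import UnsupportedPlatform
 from app.translator.core.models.query_container import RawQueryContainer, TokenizedQueryContainer
-from app.translator.core.parser import QueryParser
+from app.translator.core.parser import PlatformQueryParser, QueryParser
 from app.translator.core.render import QueryRender
 from app.translator.managers import ParserManager, RenderManager, parser_manager, render_manager
 from app.translator.platforms.elasticsearch.const import ELASTIC_QUERY_TYPES
+from app.translator.platforms.microsoft.const import MICROSOFT_QUERY_TYPES
+from app.translator.platforms.roota.parsers.roota import RootAParser
+from app.translator.platforms.sigma.mapping import sigma_rule_mappings
 from app.translator.tools.decorators import handle_translation_exceptions
 
 
@@ -32,18 +36,36 @@ def __get_render(self, target: str) -> QueryRender:
 
 @staticmethod
 def __is_one_vendor_translation(source: str, target: str) -> bool:
-vendors_query_types = [ELASTIC_QUERY_TYPES]
+vendors_query_types = [ELASTIC_QUERY_TYPES, MICROSOFT_QUERY_TYPES]
 for vendor_query_types in vendors_query_types:
 if source in vendor_query_types and target in vendor_query_types:
 return True
 
 return False
 
-def parse_raw_query(self, text: str, source: str) -> tuple[QueryParser, RawQueryContainer]:
+def parse_raw_query(
+self, text: str, source: str
+) -> tuple[Union[PlatformQueryParser, RootAParser], RawQueryContainer]:
 parser = self.__get_parser(source)
 text = parser.remove_comments(text)
 return parser, parser.parse_raw_query(text, language=source)
 
+def parse_meta_info(self, text: str, source: str) -> Union[dict, RawQueryContainer]:
+parser, raw_query_container = self.parse_raw_query(text=text, source=source)
+source_mappings = parser.get_source_mapping_ids_by_logsources(raw_query_container.query)
+log_sources = {"product": Counter(), "service": Counter(), "category": Counter()}
+sigma_source_mappings = sigma_rule_mappings.get_source_mappings_by_ids(
+[source_mapping.source_id for source_mapping in source_mappings], return_default=False
+)
+for sigma_source_mapping in sigma_source_mappings:
+if product := sigma_source_mapping.log_source_signature.log_sources.get("product"):
+log_sources["product"][product] += 1
+if service := sigma_source_mapping.log_source_signature.log_sources.get("service"):
+log_sources["service"][service] += 1
+if category := sigma_source_mapping.log_source_signature.log_sources.get("category"):
+log_sources["category"][category] += 1
+return log_sources, raw_query_container
+
 @handle_translation_exceptions
 def __parse_incoming_data(
 self, text: str, source: str, target: Optional[str] = None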
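Review bot: The return annotation on the new `parse_meta_info` (new line 53) is wrong: the method returns the 2-tuple `log_sources, raw_query_container` (line 67), not a `Union[dict, RawQueryContainer]`, so the signature should read `def parse_meta_info(self, text: str, source: str) -> tuple[dict[str, Counter], RawQueryContainer]:`. The three near-identical walrus `if` blocks could be a single loop over `("product", "service", "category")` indexing into `log_sources`, which keeps the Counter keys and the lookups from drifting apart. A docstring is also missing; one sentence such as "Parse the raw query and count the Sigma product/service/category log sources its source mappings resolve to" would cover it. Unlike the neighbouring `__parse_incoming_data`, this public method is not wrapped in `@handle_translation_exceptions`, so a parser error propagates raw to the caller; whether that is intended cannot be told from the hunk, and the enclosing class header lies outside it.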
