Merge pull request #163 from UncoderIO/gis-case-insensitive-sigma-mapping

tarnopolskyi · web-flow · commit 5a155522f6c6 · 2024-06-27T13:23:27.000+02:00
Gis case insensitive sigma mapping
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml
@@ -11,4 +11,4 @@ field_mapping:
   dns_query_name: xdm.network.dns.dns_question.name
   QueryName: xdm.network.dns.dns_question.name
   query: xdm.network.dns.dns_question.name
-  dns-record-type: xdm.network.dns.dns_question.type
+  dns-record-type: xdm.network.dns.dns_question.type
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -75,4 +75,4 @@ field_mapping:
   EventSeverity: EventSeverity
   Source: 
     - Source
-    - source
+    - source
diff --git a/uncoder-core/app/translator/platforms/sigma/mapping.py b/uncoder-core/app/translator/platforms/sigma/mapping.py
@@ -19,9 +19,9 @@ def __init__(
     def is_suitable(
         self, service: Optional[list[str]], product: Optional[list[str]], category: Optional[list[str]]
     ) -> bool:
-        product_match = set(product or []).issubset(self.products) if product else False
-        category_match = set(category or []).issubset(self.categories) if category else False
-        service_match = set(service or []).issubset(self.services) if service else False
+        product_match = set(product_.lower() for product_ in product or []).issubset(self.products) if product else False
+        category_match = set(category_.lower() for category_ in category or []).issubset(self.categories) if category else False
+        service_match = set(service_.lower() for service_ in service or [] or []).issubset(self.services) if service else False
         if not product and not service:
             return category_match
         return product_match and service_match or product_match and category_match

-Original file line number
+Diff line change
   EventSeverity: EventSeverity
   Source:
     - Source
 -    - source
 +    - source