gis-8825 added sentinel one power query render

nazargesyk · nazargesyk · commit d87ec7621602 · 2024-10-17T15:03:02.000+03:00
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/__init__.py b/uncoder-core/app/translator/platforms/sentinel_one/__init__.py
@@ -1 +1,4 @@
 from app.translator.platforms.sentinel_one.renders.s1_cti import S1EventsCTI  # noqa: F401
+from app.translator.platforms.sentinel_one.renders.sentinel_one_power_query import (
+    SentinelOnePowerQueryRender,  # noqa: F401
+)
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/const.py b/uncoder-core/app/translator/platforms/sentinel_one/const.py
@@ -1,6 +1,5 @@
 from app.translator.core.models.platform_details import PlatformDetails
 
-
 PLATFORM_DETAILS = {"group_id": "sentinel-one", "group_name": "SentinelOne"}
 
 SENTINEL_ONE_EVENTS_QUERY_DETAILS = {
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/escape_manager.py b/uncoder-core/app/translator/platforms/sentinel_one/escape_manager.py
@@ -0,0 +1,15 @@
+from typing import ClassVar
+
+from app.translator.core.custom_types.values import ValueType
+from app.translator.core.escape_manager import EscapeManager
+from app.translator.core.models.escape_details import EscapeDetails
+
+
+class SentinelOnePowerQueryEscapeManager(EscapeManager):
+    escape_map: ClassVar[dict[str, list[EscapeDetails]]] = {
+        ValueType.value: [EscapeDetails(pattern=r"\\", escape_symbols=r"\\\\")],
+        ValueType.regex_value: [EscapeDetails(pattern=r"\\", escape_symbols=r"\\\\")],
+    }
+
+
+sentinel_one_power_query_escape_manager = SentinelOnePowerQueryEscapeManager()
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/mapping.py b/uncoder-core/app/translator/platforms/sentinel_one/mapping.py
@@ -0,0 +1,20 @@
+from app.translator.core.mapping import BasePlatformMappings, LogSourceSignature
+from app.translator.platforms.sentinel_one.const import sentinel_one_power_query_details
+
+
+class SentinelOnePowerQueryLogSourceSignature(LogSourceSignature):
+    def is_suitable(self) -> bool:
+        return True
+
+    def __str__(self) -> str:
+        return ""
+
+
+class SentinelOnePowerQueryMappings(BasePlatformMappings):
+    def prepare_log_source_signature(self, mapping: dict) -> SentinelOnePowerQueryLogSourceSignature:
+        ...
+
+
+sentinel_one_power_query_query_mappings = SentinelOnePowerQueryMappings(
+    platform_dir="sentinel_one", platform_details=sentinel_one_power_query_details
+)
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/renders/sentinel_one_power_query.py b/uncoder-core/app/translator/platforms/sentinel_one/renders/sentinel_one_power_query.py
@@ -0,0 +1,110 @@
+from typing import Union, Optional
+
+from app.translator.const import DEFAULT_VALUE_TYPE
+from app.translator.core.custom_types.values import ValueType
+from app.translator.core.mapping import LogSourceSignature
+from app.translator.core.models.platform_details import PlatformDetails
+from app.translator.core.render import BaseFieldValueRender, PlatformQueryRender
+from app.translator.core.str_value_manager import StrValueManager
+from app.translator.managers import render_manager
+from app.translator.platforms.sentinel_one.const import sentinel_one_power_query_details
+from app.translator.platforms.sentinel_one.mapping import (
+    SentinelOnePowerQueryMappings,
+    sentinel_one_power_query_query_mappings,
+)
+from app.translator.platforms.sentinel_one.str_value_manager import sentinel_one_power_query_str_value_manager
+
+
+class SentinelOnePowerQueryFieldValue(BaseFieldValueRender):
+    details: PlatformDetails = sentinel_one_power_query_details
+    str_value_manager: StrValueManager = sentinel_one_power_query_str_value_manager
+    list_token = ", "
+
+    @staticmethod
+    def _wrap_str_value(value: str) -> str:
+        return f'"{value}"'
+
+    def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            values = self.list_token.join(
+                self._pre_process_value(field, v, value_type=ValueType.value, wrap_str=True) for v in value
+            )
+            return f"{field} in ({values})"
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)
+        return f"{field} = {value}"
+
+    def less_modifier(self, field: str, value: Union[int, str]) -> str:
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+        return f"{field} < {value}"
+
+    def less_or_equal_modifier(self, field: str, value: Union[int, str]) -> str:
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+        return f"{field} <= {value}"
+
+    def greater_modifier(self, field: str, value: Union[int, str]) -> str:
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+        return f"{field} > {value}"
+
+    def greater_or_equal_modifier(self, field: str, value: Union[int, str]) -> str:
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+        return f"{field} >= {value}"
+
+    def not_equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            values = self.list_token.join(
+                self._pre_process_value(field, v, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+                for v in value
+            )
+            return f"{field} != ({values})"
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+        return f"{field} != {value}"
+
+    def contains_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            values = self.list_token.join(
+                self._pre_process_value(field, v, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+                for v in value
+            )
+            return f"{field} contains ({values})"
+        value = self._pre_process_value(field, value, value_type=ValueType.value)
+        return f"{field} contains {value}"
+
+    def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        return self.contains_modifier(field, value)
+
+    def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        return self.contains_modifier(field, value)
+
+    def regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            values = self.list_token.join(
+                self.str_value_manager.escape_manager.escape(
+                    self._pre_process_value(field, v, value_type=ValueType.regex_value, wrap_str=True, wrap_int=True),
+                    ValueType.regex_value,
+                )
+                for v in value
+            )
+            return f"{field} matches ({values})"
+        value = self._pre_process_value(field, value, value_type=ValueType.regex_value, wrap_str=True, wrap_int=True)
+        value = self.str_value_manager.escape_manager.escape(value, ValueType.regex_value)
+        return f"{field} matches {value}"
+
+    def is_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:  # noqa: ARG002
+        return f'not ({field} matches "\\.*")'
+
+    def is_not_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:  # noqa: ARG002
+        return f'{field} matches "\\.*"'
+
+
+@render_manager.register
+class SentinelOnePowerQueryRender(PlatformQueryRender):
+    details: PlatformDetails = sentinel_one_power_query_details
+    mappings: SentinelOnePowerQueryMappings = sentinel_one_power_query_query_mappings
+    or_token = "or"
+    and_token = "and"
+    not_token = "not"
+    comment_symbol = "//"
+    field_value_render = SentinelOnePowerQueryFieldValue(or_token=or_token)
+
+    def generate_prefix(self, log_source_signature: Optional[LogSourceSignature], functions_prefix: str = "") -> str:
+        return "| columns "
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/str_value_manager.py b/uncoder-core/app/translator/platforms/sentinel_one/str_value_manager.py
@@ -0,0 +1,31 @@
+"""
+Uncoder IO Community Edition License
+-----------------------------------------------------------------
+Copyright (c) 2024 SOC Prime, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-----------------------------------------------------------------
+"""
+
+from app.translator.core.str_value_manager import StrValueManager
+from app.translator.platforms.sentinel_one.escape_manager import (
+    SentinelOnePowerQueryEscapeManager,
+    sentinel_one_power_query_escape_manager,
+)
+
+
+class SentinelOnePowerQueryStrValueManager(StrValueManager):
+    escape_manager: SentinelOnePowerQueryEscapeManager = sentinel_one_power_query_escape_manager
+
+
+sentinel_one_power_query_str_value_manager = SentinelOnePowerQueryStrValueManager()
