From 8ef36aa5f74b0bb0a06749fbf87dd001babf2cf9 Mon Sep 17 00:00:00 2001
From: Oleksandr Volha <alexandervolha@gmail.com>
Date: Wed, 25 Sep 2024 12:26:13 +0300
Subject: [PATCH 1/3] fix qradar logsource parsing

---
 uncoder-core/app/translator/platforms/base/aql/parsers/aql.py | 4 ++--
 uncoder-core/app/translator/platforms/sigma/parsers/sigma.py  | 1 -
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/uncoder-core/app/translator/platforms/base/aql/parsers/aql.py b/uncoder-core/app/translator/platforms/base/aql/parsers/aql.py
index 8d6fc601..5b3a7041 100644
--- a/uncoder-core/app/translator/platforms/base/aql/parsers/aql.py
+++ b/uncoder-core/app/translator/platforms/base/aql/parsers/aql.py
@@ -37,13 +37,13 @@ class AQLQueryParser(PlatformQueryParser):
     log_source_functions = ("LOGSOURCENAME", "LOGSOURCEGROUPNAME")
     log_source_function_pattern = r"\(?(?P<key>___func_name___\([a-zA-Z]+\))(?:\s+like\s+|\s+ilike\s+|\s*=\s*)'(?P<value>[%a-zA-Z\s]+)'\s*\)?\s+(?:and|or)?\s"  # noqa: E501
 
-    log_source_key_types = ("devicetype", "category", "qid", "qideventcategory", *LOG_SOURCE_FUNCTIONS_MAP.keys())
+    log_source_key_types = ("devicetype", "qideventcategory", "category", "qid", *LOG_SOURCE_FUNCTIONS_MAP.keys())
     log_source_pattern = rf"___source_type___(?:\s+like\s+|\s+ilike\s+|\s*=\s*)(?:{SINGLE_QUOTES_VALUE_PATTERN}|{NUM_VALUE_PATTERN})(?:\s+(?:and|or)\s+|\s+)?"  # noqa: E501
     num_value_pattern = r"[0-9]+"
     multi_num_log_source_pattern = (
         rf"___source_type___\s+in\s+\((?P<value>(?:{num_value_pattern}(?:\s*,\s*)?)+)\)(?:\s+(?:and|or)\s+|\s+)?"
     )
-    str_value_pattern = r"""(?:')(?P<s_q_value>(?:[:a-zA-Z\*0-9=+%#\-\/\\,_".$&^@!\(\)\{\}\s]|'')+)(?:')"""
+    str_value_pattern = r"""'(?P<s_q_value>(?:[:a-zA-Z\*0-9=+%#\-\/\\,_".$&^@!\(\)\{\}\s]|'')+)'"""
     multi_str_log_source_pattern = (
         rf"""___source_type___\s+in\s+\((?P<value>(?:{str_value_pattern}(?:\s*,\s*)?)+)\)(?:\s+(?:and|or)\s+|\s+)?"""
     )
diff --git a/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py b/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py
index d4a2d83c..384b7a30 100644
--- a/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py
+++ b/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py
@@ -18,7 +18,6 @@
 """
 
 from datetime import timedelta
-from re import I
 from typing import Optional, Union
 
 from app.translator.core.exceptions.core import SigmaRuleValidationException

From ae3e840d5372a3356d7fba7dd74dac62928219f6 Mon Sep 17 00:00:00 2001
From: Oleksandr Volha <alexandervolha@gmail.com>
Date: Wed, 25 Sep 2024 13:19:44 +0300
Subject: [PATCH 2/3] fix

---
 .../app/translator/platforms/base/aql/mapping.py         | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/uncoder-core/app/translator/platforms/base/aql/mapping.py b/uncoder-core/app/translator/platforms/base/aql/mapping.py
index 984b85f2..55222a0a 100644
--- a/uncoder-core/app/translator/platforms/base/aql/mapping.py
+++ b/uncoder-core/app/translator/platforms/base/aql/mapping.py
@@ -39,7 +39,12 @@ def __str__(self) -> str:
     @property
     def extra_condition(self) -> str:
         default_source = self._default_source
-        return " AND ".join((f"{key}={value}" for key, value in default_source.items() if key != "table" and value))
+        extra = []
+        for key, value in default_source.items():
+            if key != "table" and value:
+                _condition = f"{key}={value}" if isinstance(value, int) else f"{key}='{value}'"
+                extra.append(_condition)
+        return " AND ".join(extra)
 
 
 class AQLMappings(BasePlatformMappings):
@@ -48,7 +53,7 @@ class AQLMappings(BasePlatformMappings):
 
     def prepare_log_source_signature(self, mapping: dict) -> AQLLogSourceSignature:
         log_source = mapping.get("log_source", {})
-        default_log_source = mapping.get("default_log_source")
+        default_log_source = mapping["default_log_source"]
         return AQLLogSourceSignature(
             device_types=log_source.get("devicetype"),
             categories=log_source.get("category"),

From e142d2f1ed00aac560a38d5b9bc35ce020b3e771 Mon Sep 17 00:00:00 2001
From: Oleksandr Volha <alexandervolha@gmail.com>
Date: Wed, 25 Sep 2024 14:49:37 +0300
Subject: [PATCH 3/3] fix qradar mapping

---
 .../mappings/platforms/qradar/linux_network_connection.yml      | 2 +-
 .../mappings/platforms/qradar/macos_network_connection.yml      | 2 +-
 .../mappings/platforms/qradar/windows_network_connection.yml    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/linux_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/qradar/linux_network_connection.yml
index 273926e7..7b1725ea 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/linux_network_connection.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/linux_network_connection.yml
@@ -8,7 +8,7 @@ log_source:
 
 default_log_source:
   devicetype: 11
-  category: [4012]
+  category: 4012
 
 field_mapping:
   CommandLine: Command
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/macos_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/qradar/macos_network_connection.yml
index 6d92be11..5fb908cd 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/macos_network_connection.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/macos_network_connection.yml
@@ -8,7 +8,7 @@ log_source:
 
 default_log_source:
   devicetype: 102
-  category: [4012]
+  category: 4012
 
 field_mapping:
   CommandLine: Command
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_network_connection.yml
index 3be44b3d..b65b7571 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_network_connection.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_network_connection.yml
@@ -9,7 +9,7 @@ log_source:
 
 default_log_source:
   devicetype: 12
-  category: [4012]
+  category: 4012
   qideventcategory: Microsoft-Windows-Sysmon/Operational
 
 field_mapping:

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/UncoderIO/Uncoder_IO/pull/197.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/UncoderIO/Uncoder_IO/pull/197.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/UncoderIO/Uncoder_IO/pull/197.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/UncoderIO/Uncoder_IO/pull/197.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>