From 39e6cbd656db40fbc87304bb0b741df000a4f06a Mon Sep 17 00:00:00 2001
From: vh
Date: Thu, 9 Nov 2023 16:45:18 +0200
Subject: [PATCH] Clean Microsoft Sentinel functions
---
 .../microsoft/siem_functions/aggregation.py | 40 -------------
 .../backends/microsoft/siem_functions/base.py | 26 ---------
 .../microsoft/siem_functions/search.py | 56 -------------------
 .../backends/microsoft/siem_functions/sort.py | 17 ------
 .../microsoft/siem_functions/table.py | 24 --------
 .../microsoft/siem_functions/where.py | 8 ---
 6 files changed, 171 deletions(-)
 delete mode 100644 siem-converter/app/converter/backends/microsoft/siem_functions/aggregation.py
 delete mode 100644 siem-converter/app/converter/backends/microsoft/siem_functions/search.py
 delete mode 100644 siem-converter/app/converter/backends/microsoft/siem_functions/sort.py
 delete mode 100644 siem-converter/app/converter/backends/microsoft/siem_functions/table.py
 delete mode 100644 siem-converter/app/converter/backends/microsoft/siem_functions/where.py
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/aggregation.py b/siem-converter/app/converter/backends/microsoft/siem_functions/aggregation.py
deleted file mode 100644
index f8f9c82d..00000000
--- a/siem-converter/app/converter/backends/microsoft/siem_functions/aggregation.py
+++ /dev/null
@@ -1,40 +0,0 @@
-from app.converter.core.models.functions.aggregation import AggregationExpression
-from app.converter.core.models.functions.types import AggregationType
-
-
-class AlaAggregationFunctionRender:
-
- aggregation_type_map = {
- AggregationType.SUM: 'sum',
- AggregationType.MIN: 'min',
- AggregationType.MAX: 'max',
- AggregationType.AVG: 'avg'
- }
-
- def __init__(self, function: AggregationExpression):
- self.function = function
-
- def render(self):
- result = 'summarize '
- for field in self.function.fields:
- if field.operation_type == AggregationType.COUNT:
- query = field.fieldname
- else:
- query = f"{self.aggregation_type_map.get(field.operation_type)}({field.fieldname})"
- if field.render_as:
- if ' ' in field.render_as:
- render_as = f"['{field.render_as}']"
- else:
- render_as = field.render_as
- result += f'{render_as}={query}, '
- else:
- result += query
- result = result.rstrip(' ').rstrip(',')
- if self.function.group_by:
- result += ' by '
- for value in self.function.group_by:
- result += f'{value}, '
-
- result = result.rstrip(' ').rstrip(',')
-
- return result
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/base.py b/siem-converter/app/converter/backends/microsoft/siem_functions/base.py
index c05e7619..487effbc 100644
--- a/siem-converter/app/converter/backends/microsoft/siem_functions/base.py
+++ b/siem-converter/app/converter/backends/microsoft/siem_functions/base.py
@@ -1,35 +1,9 @@
-from app.converter.backends.microsoft.siem_functions.aggregation import AlaAggregationFunctionRender
-from app.converter.backends.microsoft.siem_functions.search import AlaSearchFunctionRender
-from app.converter.backends.microsoft.siem_functions.sort import AlaSortFunctionRender
-from app.converter.backends.microsoft.siem_functions.table import AlaTableFunctionRender
 from app.converter.core.functions import Functions
-from app.converter.core.models.functions.aggregation import AggregationExpression
-from app.converter.core.models.functions.search import SearchExpression
-from app.converter.core.models.functions.sort import SortExpression
-from app.converter.core.models.functions.table import TableExpression
 from app.converter.core.models.functions.types import ParsedFunctions, NotSupportedFunction
 class MicroSoftQueryFunctions(Functions):
- render_functions_map = {
- SortExpression: AlaSortFunctionRender,
- SearchExpression: AlaSearchFunctionRender,
- AggregationExpression: AlaAggregationFunctionRender,
- TableExpression: AlaTableFunctionRender,
- # WhereExpression: AlaWhereFunctionRender
- }
-
- def render(self, functions: list):
- query = "| "
- funcs = []
- for function in functions:
- if render_class := self.render_functions_map.get(type(function)):
- funcs.append(render_class(function).render())
- query += " | ".join(funcs)
- query = query.rstrip(" ")
- return query
-
 def parse(self, query: str):
 result = []
 functions = query.split(self.function_delimiter)
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/search.py b/siem-converter/app/converter/backends/microsoft/siem_functions/search.py
deleted file mode 100644
index 9f4d4d4a..00000000
--- a/siem-converter/app/converter/backends/microsoft/siem_functions/search.py
+++ /dev/null
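Review bot: MicroSoftQueryFunctions is left without a docstring after this hunk, and the removal of render() changes what the class offers: it still subclasses Functions but now only parses. If Functions declares render() (abstract or default) and the Sentinel backend still invokes it on this class, that call now lands on the base implementation rather than on Sentinel-specific code — worth confirming that no caller depends on the removed method or on the deleted Ala*FunctionRender modules. I would add a one-line class docstring, `"""Parse pipeline functions out of a Microsoft Sentinel query; rendering is no longer handled by this class."""`. The body of parse() continues past the end of the hunk.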
@@ -1,56 +0,0 @@
-from app.converter.core.models.functions.search import SearchExpression, SearchField, SearchValueType
-from app.converter.core.models.functions.types import ComparsionType
-from app.converter.core.operator_types.tokens import LogicalOperatorType
-
-
-class AlaSearchFunctionRender:
-
- search_expression_operator_map = {
- LogicalOperatorType.AND: ' and ',
- LogicalOperatorType.OR: ' or ',
- LogicalOperatorType.NOT: ' not '
- }
- search_operator_map = {
- ComparsionType.NOT_EQUAL: ' != ',
- ComparsionType.EQUAL: '==',
- ComparsionType.ILIKE: ':',
- ComparsionType.GT: ' > ',
- ComparsionType.LT: ' < '
- }
- sub_expression = "(%s)"
-
- def __init__(self, function: SearchExpression):
- self.function = function
-
- def generate_field(self, field: SearchField):
- if field.value == SearchValueType.ANY:
- return f'"{field.fieldname}"'
- else:
- if field.fieldname:
- operator = self.search_operator_map.get(field.operator)
- return f'{field.fieldname}{operator}"{field.value}"'
- else:
- return f'"{field.value}"'
-
- def generate_expression(self, expression: SearchExpression):
- res = []
- for field in expression.fields:
- if isinstance(field, SearchField):
- res.append(self.generate_field(field))
- elif isinstance(field, SearchExpression):
- res.append(self.generate_expression(field))
- operator = self.search_expression_operator_map.get(expression.operator)
- query = self.sub_expression % operator.join(res)
- if expression.operator == LogicalOperatorType.NOT:
- return f'not{query}'
- return query
-
- def render(self):
- res = []
- for field in self.function.fields:
- if isinstance(field, SearchField):
- res.append(self.generate_field(field))
- elif isinstance(field, SearchExpression):
- res.append(self.generate_expression(field))
- operator = self.search_expression_operator_map.get(self.function.operator)
- return f'search {operator.join(res)}'
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/sort.py b/siem-converter/app/converter/backends/microsoft/siem_functions/sort.py
deleted file mode 100644
index 502fc8c4..00000000
--- a/siem-converter/app/converter/backends/microsoft/siem_functions/sort.py
+++ /dev/null
@@ -1,17 +0,0 @@
-from app.converter.core.models.functions.sort import SortOrderType, SortExpression
-
-
-class AlaSortFunctionRender:
-
- sort_order_map = {SortOrderType.DESC: "desc", SortOrderType.ASC: "asc"}
-
- def __init__(self, function: SortExpression):
- self.function = function
-
- def render(self):
- result = "sort by "
- queries = []
- for field in self.function.fields:
- queries.append(f"{field.fieldname} {self.sort_order_map.get(field.order)}")
- result += ", ".join(queries)
- return result
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/table.py b/siem-converter/app/converter/backends/microsoft/siem_functions/table.py
deleted file mode 100644
index b04ffc2d..00000000
--- a/siem-converter/app/converter/backends/microsoft/siem_functions/table.py
+++ /dev/null
@@ -1,24 +0,0 @@
-from app.converter.backends.microsoft.const import MICROSOFT_SENTINEL_QUERY_DETAILS
-from app.converter.core.exceptions.render import FunctionRenderException
-from app.converter.core.models.functions.table import TableExpression
-from app.converter.core.models.platform_details import PlatformDetails
-from app.converter.core.operator_types.tokens import OperatorType
-
-
-class AlaTableFunctionRender:
- details: PlatformDetails = PlatformDetails(**MICROSOFT_SENTINEL_QUERY_DETAILS)
-
- def __init__(self, function: TableExpression):
- self.function = function
-
- def render(self):
- result = "project "
- queries = []
- for field in self.function.fields:
- if field.operator != OperatorType.EQ:
- raise FunctionRenderException(
- f'{self.details.name}: operator "project" not support modifier "{str(field.operator).split(".")[-1]}" in "{field.raw_fieldname}"'
- )
- queries.append(f"{field.fieldname}")
- result += ", ".join(queries)
- return result
\ No newline at end of file
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/where.py b/siem-converter/app/converter/backends/microsoft/siem_functions/where.py
deleted file mode 100644
index 86c01c60..00000000
--- a/siem-converter/app/converter/backends/microsoft/siem_functions/where.py
+++ /dev/null
@@ -1,8 +0,0 @@ - - class AlaWhereFunctionRender: - def __init__(self, function): - self.function = function - - def render(self): - a = 5 \ No newline at end of file pFad - Phonifier reborn
