From 6a5d631c79835ea050209da5a7e7408657086730 Mon Sep 17 00:00:00 2001
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com>
Date: Mon, 11 Nov 2024 09:41:09 +0200
Subject: [PATCH 1/2] gis-9121 fix sentinel one power query contains modifier

---
 .../renders/sentinel_one_power_query.py | 102 ++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 uncoder-core/app/translator/platforms/sentinel_one/renders/sentinel_one_power_query.py

diff --git a/uncoder-core/app/translator/platforms/sentinel_one/renders/sentinel_one_power_query.py b/uncoder-core/app/translator/platforms/sentinel_one/renders/sentinel_one_power_query.py
new file mode 100644
index 00000000..ac6aa574
--- /dev/null
+++ b/uncoder-core/app/translator/platforms/sentinel_one/renders/sentinel_one_power_query.py
@@ -0,0 +1,102 @@
+from typing import Union
+
+from app.translator.const import DEFAULT_VALUE_TYPE
+from app.translator.core.custom_types.values import ValueType
+from app.translator.core.models.platform_details import PlatformDetails
+from app.translator.core.render import BaseFieldValueRender, PlatformQueryRender
+from app.translator.core.str_value_manager import StrValueManager
+from app.translator.managers import render_manager
+from app.translator.platforms.sentinel_one.const import sentinel_one_power_query_details
+from app.translator.platforms.sentinel_one.mapping import (
+ SentinelOnePowerQueryMappings,
+ sentinel_one_power_query_query_mappings,
+)
+from app.translator.platforms.sentinel_one.str_value_manager import sentinel_one_power_query_str_value_manager
+
+
+class SentinelOnePowerQueryFieldValue(BaseFieldValueRender):
+ details: PlatformDetails = sentinel_one_power_query_details
+ str_value_manager: StrValueManager = sentinel_one_power_query_str_value_manager
+ list_token = ", "
+
+ @staticmethod
+ def _wrap_str_value(value: str) -> str:
+ return f'"{value}"'
+
+ def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ values = self.list_token.join(
+ self._pre_process_value(field, v, value_type=ValueType.value, wrap_str=True) for v in value
+ )
+ return f"{field} in ({values})"
+ value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)
+ return f"{field} = {value}"
+
+ def less_modifier(self, field: str, value: Union[int, str]) -> str:
+ value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)
+ return f"{field} < {value}"
+
+ def less_or_equal_modifier(self, field: str, value: Union[int, str]) -> str:
+ value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)
+ return f"{field} <= {value}"
+
+ def greater_modifier(self, field: str, value: Union[int, str]) -> str:
+ value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)
+ return f"{field} > {value}"
+
+ def greater_or_equal_modifier(self, field: str, value: Union[int, str]) -> str:
+ value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)
+ return f"{field} >= {value}"
+
+ def not_equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ values = self.list_token.join(
+ self._pre_process_value(field, v, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+ for v in value
+ )
+ return f"{field} != ({values})"
+ value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+ return f"{field} != {value}"
+
+ def contains_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ values = self.list_token.join(
+ self._pre_process_value(field, v, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+ for v in value
+ )
+ return f"{field} contains ({values})"
+ value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+ return f"{field} contains {value}"
+
+ def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ return self.contains_modifier(field, value)
+
+ def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ return self.contains_modifier(field, value)
+
+ def regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ values = self.list_token.join(
+ self._pre_process_value(field, v, value_type=ValueType.regex_value, wrap_str=True, wrap_int=True)
+ for v in value
+ )
+ return f"{field} matches ({values})"
+ value = self._pre_process_value(field, value, value_type=ValueType.regex_value, wrap_str=True, wrap_int=True)
+ return f"{field} matches {value}"
+
+ def is_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: # noqa: ARG002
+ return f'not ({field} matches "\\.*")'
+
+ def is_not_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: # noqa: ARG002
+ return f'{field} matches "\\.*"'
+
+
+@render_manager.register
+class SentinelOnePowerQueryRender(PlatformQueryRender):
+ details: PlatformDetails = sentinel_one_power_query_details
+ mappings: SentinelOnePowerQueryMappings = sentinel_one_power_query_query_mappings
+ or_token = "or"
+ and_token = "and"
+ not_token = "not"
+ comment_symbol = "//"
+ field_value_render = SentinelOnePowerQueryFieldValue(or_token=or_token)

From 24dcab79405a9483c15bcdb9c832f39420c50178 Mon Sep 17 00:00:00 2001
From: Nazar Gesyk
Date: Tue, 17 Dec 2024 17:02:00 +0200
Subject: [PATCH 2/2] gis-9123 SentineOne Power Query fixes

---
 .../app/translator/platforms/sentinel_one/const.py | 14 ++++++++++++++
 .../sentinel_one/custom_types/__init__.py | 0
 .../platforms/sentinel_one/custom_types/values.py | 5 -----
 .../platforms/sentinel_one/escape_manager.py | 2 --
 .../platforms/sentinel_one/mappings/__init__.py | 0
 .../platforms/sentinel_one/mappings/s1_cti.py | 12 ------------
 .../platforms/sentinel_one/renders/s1_cti.py | 5 ++---
 7 files changed, 16 insertions(+), 22 deletions(-)
 delete mode 100644 uncoder-core/app/translator/platforms/sentinel_one/custom_types/__init__.py
 delete mode 100644 uncoder-core/app/translator/platforms/sentinel_one/custom_types/values.py
 delete mode 100644 uncoder-core/app/translator/platforms/sentinel_one/mappings/__init__.py
 delete mode 100644 uncoder-core/app/translator/platforms/sentinel_one/mappings/s1_cti.py

diff --git a/uncoder-core/app/translator/platforms/sentinel_one/const.py b/uncoder-core/app/translator/platforms/sentinel_one/const.py
index 869aff36..09dd07fe 100644
--- a/uncoder-core/app/translator/platforms/sentinel_one/const.py
+++ b/uncoder-core/app/translator/platforms/sentinel_one/const.py
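Review bot: `_wrap_str_value` wraps the value in double quotes, but nothing in this renderer escapes a `"` inside the value, and the platform escape map in this series (escape_manager.py, `ValueType.value`) only rewrites backslashes, so a rule value containing a quote renders as `"a"b"` and terminates the string literal early — a malformed query at best, rule content changing query structure at worst. Unless `sentinel_one_power_query_str_value_manager` handles quotes elsewhere, add a quote rule beside the backslash one, e.g. `EscapeDetails(pattern=r'"', escape_symbols=r'\"')` under `ValueType.value` (confirm the platform accepts `\"` inside a string literal), and cover it with a test for a value such as `a"b`. A second point: `endswith_modifier` and `startswith_modifier` both delegate to `contains_modifier`, which turns a prefix/suffix match into a substring match and so widens every translated rule that used them; if Power Query has no native prefix/suffix operator, that loss of precision deserves a comment on both methods, and rendering through `matches` with an anchored `ValueType.regex_value` pattern would keep the original semantics. Lastly, the pattern rendered by `is_none`/`is_not_none` is `\.*` (zero or more literal dots), which matches every value only because an empty match counts; if "any character" was meant, `.*` says so directly — confirm how the platform unescapes `\.` inside a string literal before changing it.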
@@ -16,5 +16,19 @@
 **PLATFORM_DETAILS,
 }
+DEFAULT_S1EVENTS_CTI_MAPPING = {
+ "SourceIP": "SrcIP",
+ "DestinationIP": "DstIP",
+ "Domain": "DNS",
+ "URL": "Url",
+ "HashMd5": "Md5",
+ "HashSha1": "Sha1",
+ "HashSha256": "Sha256",
+ "HashSha512": "Sha512",
+ "Emails": "emails",
+ "Files": "TgtFilePath",
+}
+
+
 sentinel_one_events_query_details = PlatformDetails(**SENTINEL_ONE_EVENTS_QUERY_DETAILS)
 sentinel_one_power_query_details = PlatformDetails(**SENTINEL_ONE_POWER_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/custom_types/__init__.py b/uncoder-core/app/translator/platforms/sentinel_one/custom_types/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/custom_types/values.py b/uncoder-core/app/translator/platforms/sentinel_one/custom_types/values.py
deleted file mode 100644
index c009aa9a..00000000
--- a/uncoder-core/app/translator/platforms/sentinel_one/custom_types/values.py
+++ /dev/null
@@ -1,5 +0,0 @@
-from app.translator.core.custom_types.values import ValueType
-
-
-class SentinelOneValueType(ValueType):
- double_escape_regex_value = "d_e_re_value"
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/escape_manager.py b/uncoder-core/app/translator/platforms/sentinel_one/escape_manager.py
index 04193dce..dc1658e9 100644
--- a/uncoder-core/app/translator/platforms/sentinel_one/escape_manager.py
+++ b/uncoder-core/app/translator/platforms/sentinel_one/escape_manager.py
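Review bot: `"Emails": "emails"` is the only entry of `DEFAULT_S1EVENTS_CTI_MAPPING` whose target is not in the PascalCase style of the other SentinelOne field names (`SrcIP`, `Md5`, `TgtFilePath`); it is carried over verbatim from the deleted mappings/s1_cti.py, so if it is a typo it was already shipping, and this move is the moment to confirm it against the S1 events schema. A short comment above the dict saying what each side is — presumably the CTI indicator type on the left and the S1 events field it is queried against on the right — would help, since the constant name alone does not say which is which.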
@@ -3,14 +3,12 @@
 from app.translator.core.custom_types.values import ValueType
 from app.translator.core.escape_manager import EscapeManager
 from app.translator.core.models.escape_details import EscapeDetails
-from app.translator.platforms.sentinel_one.custom_types.values import SentinelOneValueType
 class SentinelOnePowerQueryEscapeManager(EscapeManager):
 escape_map: ClassVar[dict[str, list[EscapeDetails]]] = {
 ValueType.value: [EscapeDetails(pattern=r"\\", escape_symbols=r"\\\\")],
 ValueType.regex_value: [EscapeDetails(pattern=r"([$^*+()\[\]{}|.?\-\\])", escape_symbols=r"\\\1")],
- SentinelOneValueType.double_escape_regex_value: [EscapeDetails(pattern=r"\\", escape_symbols=r"\\\\")],
 }
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/mappings/__init__.py b/uncoder-core/app/translator/platforms/sentinel_one/mappings/__init__.py
deleted file mode 100644
index e69de29b..00000000
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/mappings/s1_cti.py b/uncoder-core/app/translator/platforms/sentinel_one/mappings/s1_cti.py
deleted file mode 100644
index 5af2678d..00000000
--- a/uncoder-core/app/translator/platforms/sentinel_one/mappings/s1_cti.py
+++ /dev/null
@@ -1,12 +0,0 @@
-DEFAULT_S1EVENTS_MAPPING = {
- "SourceIP": "SrcIP",
- "DestinationIP": "DstIP",
- "Domain": "DNS",
- "URL": "Url",
- "HashMd5": "Md5",
- "HashSha1": "Sha1",
- "HashSha256": "Sha256",
- "HashSha512": "Sha512",
- "Emails": "emails",
- "Files": "TgtFilePath",
-}
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/renders/s1_cti.py b/uncoder-core/app/translator/platforms/sentinel_one/renders/s1_cti.py
index 8c416a1d..a83702d9 100644
--- a/uncoder-core/app/translator/platforms/sentinel_one/renders/s1_cti.py
+++ b/uncoder-core/app/translator/platforms/sentinel_one/renders/s1_cti.py
@@ -20,8 +20,7 @@
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render_cti import RenderCTI
 from app.translator.managers import render_cti_manager
-from app.translator.platforms.sentinel_one.const import sentinel_one_events_query_details
-from app.translator.platforms.sentinel_one.mappings.s1_cti import DEFAULT_S1EVENTS_MAPPING
+from app.translator.platforms.sentinel_one.const import DEFAULT_S1EVENTS_CTI_MAPPING, sentinel_one_events_query_details
 @render_cti_manager.register
@@ -35,4 +34,4 @@ class S1EventsCTI(RenderCTI):
 result_join: str = ""
 final_result_for_many: str = "({result})\n"
 final_result_for_one: str = "{result}\n"
- default_mapping = DEFAULT_S1EVENTS_MAPPING
+ default_mapping = DEFAULT_S1EVENTS_CTI_MAPPING
pFad - Phonifier reborn
