
Commit 532bf3d

committed
gis-9099 add microsoft sentinel to one vendor flow
1 parent 3e2c071 commit 532bf3d


2 files changed

+33
-6
lines changed


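--- a/uncoder-core/app/translator/platforms/microsoft/const.py
+++ b/uncoder-core/app/translator/platforms/microsoft/const.py
@@ -19,15 +19,18 @@
 
 PLATFORM_DETAILS = {"group_id": "sentinel", "group_name": "Microsoft Sentinel"}
 
+_SENTINEL_KQL_QUERY = "sentinel-kql-query"
+_SENTINEL_KQL_RULE = "sentinel-kql-rule"
+
 MICROSOFT_SENTINEL_QUERY_DETAILS = {
-    "platform_id": "sentinel-kql-query",
+    "platform_id": _SENTINEL_KQL_QUERY,
     "name": "Microsoft Sentinel Query",
     "platform_name": "Query (Kusto)",
     **PLATFORM_DETAILS,
 }
 
 MICROSOFT_SENTINEL_RULE_DETAILS = {
-    "platform_id": "sentinel-kql-rule",
+    "platform_id": _SENTINEL_KQL_RULE,
     "name": "Microsoft Sentinel Rule",
     "platform_name": "Rule (Kusto)",
     "first_choice": 0,
@@ -50,6 +53,8 @@
     "group_id": "microsoft-defender",
 }
 
+MICROSOFT_QUERY_TYPES = {_SENTINEL_KQL_QUERY, _SENTINEL_KQL_RULE}
+
 microsoft_defender_query_details = PlatformDetails(**MICROSOFT_DEFENDER_DETAILS)
 microsoft_sentinel_query_details = PlatformDetails(**MICROSOFT_SENTINEL_QUERY_DETAILS)
 microsoft_sentinel_rule_details = PlatformDetails(**MICROSOFT_SENTINEL_RULE_DETAILS)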
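--- a/uncoder-core/app/translator/translator.py
+++ b/uncoder-core/app/translator/translator.py
@@ -1,12 +1,16 @@
 import logging
-from typing import Optional
+from collections import Counter
+from typing import Optional, Union
 
 from app.translator.core.exceptions.core import UnsupportedPlatform
 from app.translator.core.models.query_container import RawQueryContainer, TokenizedQueryContainer
-from app.translator.core.parser import QueryParser
+from app.translator.core.parser import PlatformQueryParser, QueryParser
 from app.translator.core.render import QueryRender
 from app.translator.managers import ParserManager, RenderManager, parser_manager, render_manager
 from app.translator.platforms.elasticsearch.const import ELASTIC_QUERY_TYPES
+from app.translator.platforms.microsoft.const import MICROSOFT_QUERY_TYPES
+from app.translator.platforms.roota.parsers.roota import RootAParser
+from app.translator.platforms.sigma.mapping import sigma_rule_mappings
 from app.translator.tools.decorators import handle_translation_exceptions
 
 
@@ -32,18 +36,36 @@ def __get_render(self, target: str) -> QueryRender:
 
     @staticmethod
     def __is_one_vendor_translation(source: str, target: str) -> bool:
-        vendors_query_types = [ELASTIC_QUERY_TYPES]
+        vendors_query_types = [ELASTIC_QUERY_TYPES, MICROSOFT_QUERY_TYPES]
         for vendor_query_types in vendors_query_types:
             if source in vendor_query_types and target in vendor_query_types:
                 return True
 
         return False
 
-    def parse_raw_query(self, text: str, source: str) -> tuple[QueryParser, RawQueryContainer]:
+    def parse_raw_query(
+        self, text: str, source: str
+    ) -> tuple[Union[PlatformQueryParser, RootAParser], RawQueryContainer]:
         parser = self.__get_parser(source)
         text = parser.remove_comments(text)
         return parser, parser.parse_raw_query(text, language=source)
 
+    def parse_meta_info(self, text: str, source: str) -> Union[dict, RawQueryContainer]:
+        parser, raw_query_container = self.parse_raw_query(text=text, source=source)
+        source_mappings = parser.get_source_mapping_ids_by_logsources(raw_query_container.query)
+        log_sources = {"product": Counter(), "service": Counter(), "category": Counter()}
+        sigma_source_mappings = sigma_rule_mappings.get_source_mappings_by_ids(
+            [source_mapping.source_id for source_mapping in source_mappings], return_default=False
+        )
+        for sigma_source_mapping in sigma_source_mappings:
+            if product := sigma_source_mapping.log_source_signature.log_sources.get("product"):
+                log_sources["product"][product] += 1
+            if service := sigma_source_mapping.log_source_signature.log_sources.get("service"):
+                log_sources["service"][service] += 1
+            if category := sigma_source_mapping.log_source_signature.log_sources.get("category"):
+                log_sources["category"][category] += 1
+        return log_sources, raw_query_container
+
     @handle_translation_exceptions
     def __parse_incoming_data(
         self, text: str, source: str, target: Optional[str] = None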