gis-9099 add microsoft sentinel to one vendor flow

Author: nazargesyk

uncoder-core/app/translator/core/models/query_container.py

@@ -65,6 +65,8 @@ def __init__(
         date: Optional[str] = None,
         output_table_fields: Optional[list[Field]] = None,
         query_fields: Optional[list[Field]] = None,
+        function_fields: Optional[list[Field]] = None,
+        function_fields_map: Optional[dict[str, list[Field]]] = None,
         license_: Optional[str] = None,
         severity: Optional[str] = None,
         references: Optional[list[str]] = None,
@@ -76,7 +78,7 @@ def __init__(
         parsed_logsources: Optional[dict] = None,
         timeframe: Optional[timedelta] = None,
         query_period: Optional[timedelta] = None,
-        mitre_attack: MitreInfoContainer = MitreInfoContainer(),
+        mitre_attack: Optional[MitreInfoContainer] = None,
         raw_metainfo_container: Optional[RawMetaInfoContainer] = None,
     ) -> None:
         self.id = id_ or str(uuid.uuid4())
@@ -86,23 +88,25 @@ def __init__(
         self.risk_score = risk_score
         self.type_ = type_ or ""
         self.description = description or ""
-        self.author = [v.strip() for v in author] if author else []
+        self.author = [v.strip() for v in author] if author and author != [None] else []
         self.date = date or datetime.now().date().strftime("%Y-%m-%d")
         self.output_table_fields = output_table_fields or []
         self.query_fields = query_fields or []
+        self.function_fields = function_fields or []
+        self.function_fields_map = function_fields_map or {}
         self.license = license_ or "DRL 1.1"
         self.severity = severity or SeverityType.low
         self.references = references or []
         self.tags = tags or []
-        self.mitre_attack = mitre_attack or None
+        self.mitre_attack = mitre_attack or MitreInfoContainer()
         self.raw_mitre_attack = raw_mitre_attack or []
         self.status = status or "stable"
         self.false_positives = false_positives or []
         self._source_mapping_ids = source_mapping_ids or [DEFAULT_MAPPING_NAME]
         self.parsed_logsources = parsed_logsources or {}
         self.timeframe = timeframe
         self.query_period = query_period
-        self.raw_metainfo_container = raw_metainfo_container
+        self.raw_metainfo_container = raw_metainfo_container or RawMetaInfoContainer()
 
     @property
     def author_str(self) -> str:

uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel.py

@@ -22,6 +22,7 @@
 from app.translator.const import DEFAULT_VALUE_TYPE
 from app.translator.core.mapping import LogSourceSignature
 from app.translator.core.models.platform_details import PlatformDetails
+from app.translator.core.models.query_container import RawQueryContainer
 from app.translator.core.render import BaseFieldValueRender, PlatformQueryRender
 from app.translator.managers import render_manager
 from app.translator.platforms.microsoft.const import microsoft_sentinel_query_details
@@ -144,3 +145,6 @@ def generate_prefix(self, log_source_signature: LogSourceSignature, functions_pr
     @staticmethod
     def _finalize_search_query(query: str) -> str:
         return f"| where {query}" if query else ""
+
+    def generate_from_raw_query_container(self, query_container: RawQueryContainer) -> str:
+        return query_container.query

uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_rule.py

@@ -26,7 +26,7 @@
 from app.translator.core.custom_types.meta_info import SeverityType
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
-from app.translator.core.models.query_container import MetaInfoContainer, MitreInfoContainer
+from app.translator.core.models.query_container import MetaInfoContainer, MitreInfoContainer, RawQueryContainer
 from app.translator.managers import render_manager
 from app.translator.platforms.microsoft.const import DEFAULT_MICROSOFT_SENTINEL_RULE, microsoft_sentinel_rule_details
 from app.translator.platforms.microsoft.mapping import MicrosoftSentinelMappings, microsoft_sentinel_rule_mappings
@@ -107,7 +107,8 @@ def finalize_query(
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
-        query = super().finalize_query(prefix=prefix, query=query, functions=functions)
+        if not kwargs.get("raw_query", False):
+            query = super().finalize_query(prefix=prefix, query=query, functions=functions)
         rule = copy.deepcopy(DEFAULT_MICROSOFT_SENTINEL_RULE)
         rule["query"] = query
         rule["displayName"] = meta_info.title or _AUTOGENERATED_TEMPLATE
@@ -130,3 +131,8 @@ def finalize_query(
         json_rule = json.dumps(rule, indent=4, sort_keys=False)
         json_rule = self.wrap_with_unmapped_fields(json_rule, unmapped_fields)
         return self.wrap_with_not_supported_functions(json_rule, not_supported_functions)
+
+    def generate_from_raw_query_container(self, query_container: RawQueryContainer) -> str:
+        return self.finalize_query(
+            prefix="", query=query_container.query, functions="", meta_info=query_container.meta_info, raw_query=True
+        )