Merge pull request #191 from UncoderIO/gis-8503

Gis 8503

Author: nazargesyk

uncoder-core/app/translator/platforms/splunk/__init__.py

@@ -1,5 +1,5 @@
 from app.translator.platforms.splunk.parsers.splunk import SplunkQueryParser  # noqa: F401
-from app.translator.platforms.splunk.parsers.splunk_alert import SplunkAlertParser  # noqa: F401
+from app.translator.platforms.splunk.parsers.splunk_alert import SplunkAlertParser, SplunkAlertYMLParser  # noqa: F401
 from app.translator.platforms.splunk.renders.splunk import SplunkQueryRender  # noqa: F401
 from app.translator.platforms.splunk.renders.splunk_alert import SplunkAlertRender  # noqa: F401
 from app.translator.platforms.splunk.renders.splunk_cti import SplunkCTI  # noqa: F401

uncoder-core/app/translator/platforms/splunk/const.py

@@ -42,5 +42,14 @@
     **PLATFORM_DETAILS,
 }
 
+SPLUNK_ALERT_YML_DETAILS = {
+    "platform_id": "splunk-spl-rule-yml",
+    "name": "Splunk Alert YML",
+    "platform_name": "Alert (SPL) YML",
+    "first_choice": 0,
+    **PLATFORM_DETAILS,
+}
+
 splunk_query_details = PlatformDetails(**SPLUNK_QUERY_DETAILS)
 splunk_alert_details = PlatformDetails(**SPLUNK_ALERT_DETAILS)
+splunk_alert_yml_details = PlatformDetails(**SPLUNK_ALERT_YML_DETAILS)

uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py

@@ -20,10 +20,11 @@
 
 from app.translator.core.custom_types.meta_info import SeverityType
 from app.translator.core.mitre import MitreConfig
+from app.translator.core.mixins.rule import YamlRuleMixin
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer, MitreInfoContainer, RawQueryContainer
 from app.translator.managers import parser_manager
-from app.translator.platforms.splunk.const import splunk_alert_details
+from app.translator.platforms.splunk.const import splunk_alert_details, splunk_alert_yml_details
 from app.translator.platforms.splunk.mapping import SplunkMappings, splunk_alert_mappings
 from app.translator.platforms.splunk.parsers.splunk import SplunkQueryParser
 
@@ -73,3 +74,45 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
                 mitre_attack=mitre_attack_container,
             ),
         )
+
+
+@parser_manager.register
+class SplunkAlertYMLParser(SplunkQueryParser, YamlRuleMixin):
+    details: PlatformDetails = splunk_alert_yml_details
+    mappings: SplunkMappings = splunk_alert_mappings
+    mitre_config: MitreConfig = MitreConfig()
+
+    def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
+        rule = self.load_rule(text)
+        mitre_attack_container = self.mitre_config.get_mitre_info(
+            techniques=rule.get("tags", {}).get("mitre_attack_id", [])
+        )
+        description = rule.get("description", "")
+        if rule.get("how_to_implement", ""):
+            description = f'{description} {rule.get("how_to_implement", "")}'
+        tags = rule.get("tags", {}).get("analytic_story", [])
+        if rule.get("type"):
+            tags.append(rule.get("type"))
+        false_positives = None
+        if rule.get("known_false_positives"):
+            false_positives = (
+                rule["known_false_positives"]
+                if isinstance(rule["known_false_positives"], list)
+                else [rule["known_false_positives"]]
+            )
+        return RawQueryContainer(
+            query=rule.get("search"),
+            language=language,
+            meta_info=MetaInfoContainer(
+                id_=rule.get("id"),
+                title=rule.get("name"),
+                date=rule.get("date"),
+                author=rule.get("author").split(", "),
+                status=rule.get("status"),
+                description=description,
+                false_positives=false_positives,
+                references=rule.get("references"),
+                mitre_attack=mitre_attack_container,
+                tags=tags,
+            ),
+        )