Merge remote-tracking branch 'origin' into gis-8678

Author: oleksandr.volha

uncoder-core/app/translator/const.py

@@ -9,4 +9,4 @@
 
 CTI_IOCS_PER_QUERY_LIMIT = 25
 
-DEFAULT_VALUE_TYPE = Union[int, str, StrValue, list[Union[int, str, StrValue]]]
+DEFAULT_VALUE_TYPE = Union[bool, int, str, StrValue, list[Union[int, str, StrValue]]]

uncoder-core/app/translator/core/str_value_manager.py

@@ -130,6 +130,25 @@ def has_spec_symbols(self) -> bool:
         return any(isinstance(el, BaseSpecSymbol) for el in self.split_value)
 
 
+RE_STR_SPEC_SYMBOLS_MAP = {
+    "?": ReZeroOrOneQuantifier,
+    "*": ReZeroOrMoreQuantifier,
+    "+": ReOneOrMoreQuantifier,
+    "^": ReCaretSymbol,
+    "$": ReEndOfStrSymbol,
+    ".": ReAnySymbol,
+    "[": ReLeftSquareBracket,
+    "]": ReRightSquareBracket,
+    "(": ReLeftParenthesis,
+    ")": ReRightParenthesis,
+    "{": ReLeftCurlyBracket,
+    "}": ReRightCurlyBracket,
+    "|": ReOrOperator,
+    ",": ReCommaSymbol,
+    "-": ReHyphenSymbol,
+}
+
+
 CONTAINER_SPEC_SYMBOLS_MAP = {
     SingleSymbolWildCard: "?",
     UnboundLenWildCard: "*",

uncoder-core/app/translator/mappings/platforms/anomali/common.yml

@@ -0,0 +1,31 @@
+platform: Anomali
+description: Common field mapping
+
+field_mapping:
+  c-uri-query: url
+  c-useragent: user_agent
+  CommandLine: command_line
+  DestinationHostname: dest
+  DestinationIp: dest_ip
+  DestinationPort: dest_port
+  Details: reg_value_data
+  dst_ip: dest_ip
+  dst_port: dest_port
+  EventID: event_id
+  EventName: event_name
+  FileName: file_name
+  FilePath: file_path
+  Image: image
+  NewProcessName: image
+  OriginalFileName: original_file_name
+  ParentCommandLine: parent_command_line
+  ParentImage: parent_image
+  ParentProcessID: parent_process_id
+  Platform: platform
+  ProcessCommandLine: command_line
+  ProcessID: process_id
+  SourceImage: parent_image
+  SourcePort: src_port
+  TargetFilename: file_name
+  TargetObject: reg_key
+  UserAgent: user_agent

uncoder-core/app/translator/mappings/platforms/anomali/default.yml

@@ -0,0 +1,5 @@
+platform: Anomali
+source: default
+
+
+default_log_source: {}

uncoder-core/app/translator/platforms/anomali/__init__.py

@@ -0,0 +1 @@
+from app.translator.platforms.anomali.renders.anomali import AnomaliQueryRender  # noqa: F401

uncoder-core/app/translator/platforms/anomali/const.py

@@ -0,0 +1,11 @@
+from app.translator.core.models.platform_details import PlatformDetails
+
+ANOMALI_QUERY_DETAILS = {
+    "platform_id": "anomali-aql-query",
+    "name": "Anomali Security Analytics Query",
+    "group_name": "Anomali Security Analytics",
+    "platform_name": "Query",
+    "group_id": "anomali",
+}
+
+anomali_query_details = PlatformDetails(**ANOMALI_QUERY_DETAILS)

uncoder-core/app/translator/platforms/anomali/mapping.py

@@ -0,0 +1,18 @@
+from app.translator.core.mapping import BaseCommonPlatformMappings, LogSourceSignature
+from app.translator.platforms.anomali.const import anomali_query_details
+
+
+class AnomaliLogSourceSignature(LogSourceSignature):
+    def is_suitable(self) -> bool:
+        return True
+
+    def __str__(self) -> str:
+        return ""
+
+
+class AnomaliMappings(BaseCommonPlatformMappings):
+    def prepare_log_source_signature(self, mapping: dict) -> AnomaliLogSourceSignature:  # noqa: ARG002
+        return AnomaliLogSourceSignature()
+
+
+anomali_query_mappings = AnomaliMappings(platform_dir="anomali", platform_details=anomali_query_details)

uncoder-core/app/translator/platforms/anomali/renders/__init__.py

@@ -0,0 +1,100 @@
+"""
+Uncoder IO Community Edition License
+-----------------------------------------------------------------
+Copyright (c) 2024 SOC Prime, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-----------------------------------------------------------------
+"""
+from app.translator.const import DEFAULT_VALUE_TYPE
+from app.translator.core.custom_types.values import ValueType
+from app.translator.core.models.platform_details import PlatformDetails
+from app.translator.core.render import BaseFieldValueRender, PlatformQueryRender
+from app.translator.managers import render_manager
+from app.translator.platforms.anomali.const import anomali_query_details
+from app.translator.platforms.anomali.mapping import AnomaliMappings, anomali_query_mappings
+from app.translator.platforms.base.sql.str_value_manager import sql_str_value_manager
+
+
+class AnomaliFieldValueRender(BaseFieldValueRender):
+    details: PlatformDetails = anomali_query_details
+    str_value_manager = sql_str_value_manager
+
+    @staticmethod
+    def _wrap_str_value(value: str) -> str:
+        return f"'{value}'"
+
+    def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            return f"({self.or_token.join([self.equal_modifier(field=field, value=v) for v in value])})"
+        return f"{field} = {self._pre_process_value(field, value, wrap_str=True)}"
+
+    def not_equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            return f"({self.or_token.join([self.not_equal_modifier(field=field, value=v) for v in value])})"
+        return f"{field} != {self._pre_process_value(field, value, wrap_str=True)}"
+
+    def less_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        return f"{field} < {self._pre_process_value(field, value, wrap_str=True)}"
+
+    def less_or_equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        return f"{field} <= {self._pre_process_value(field, value, wrap_str=True)}"
+
+    def greater_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        return f"{field} > {self._pre_process_value(field, value, wrap_str=True)}"
+
+    def greater_or_equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        return f"{field} >= {self._pre_process_value(field, value, wrap_str=True)}"
+
+    def contains_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            return f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})"
+        return f"{field} like '%{self._pre_process_value(field, value)}%'"
+
+    def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            return f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})"
+        return f"{field} like '%{self._pre_process_value(field, value)}'"
+
+    def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            return f"({self.or_token.join(self.startswith_modifier(field=field, value=v) for v in value)})"
+        return f"{field} like '{self._pre_process_value(field, value)}%'"
+
+    def regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            return f"({self.or_token.join(self.regex_modifier(field=field, value=v) for v in value)})"
+        regex_str = self._pre_process_value(field, value, value_type=ValueType.regex_value, wrap_str=True)
+        return f"regexp_like({field}, {regex_str})"
+
+    def keywords(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        return f'message contains "{self._pre_process_value(field, value)}"'
+
+
+@render_manager.register
+class AnomaliQueryRender(PlatformQueryRender):
+    details: PlatformDetails = anomali_query_details
+    mappings: AnomaliMappings = anomali_query_mappings
+
+    or_token = "OR"
+    and_token = "AND"
+    not_token = "NOT"
+
+    comment_symbol = "--"
+    is_single_line_comment = True
+
+    field_value_render = AnomaliFieldValueRender(or_token=or_token)
+
+    @staticmethod
+    def _finalize_search_query(query: str) -> str:
+        return f"| where {query}" if query else ""

uncoder-core/app/translator/platforms/anomali/renders/anomali.py

@@ -23,50 +23,19 @@
 from app.translator.core.custom_types.values import ValueType
 from app.translator.core.str_value_manager import (
     CONTAINER_SPEC_SYMBOLS_MAP,
+    RE_STR_SPEC_SYMBOLS_MAP,
     BaseSpecSymbol,
-    ReAnySymbol,
-    ReCaretSymbol,
-    ReCommaSymbol,
     ReDigitalSymbol,
-    ReEndOfStrSymbol,
-    ReHyphenSymbol,
-    ReLeftCurlyBracket,
-    ReLeftParenthesis,
-    ReLeftSquareBracket,
-    ReOneOrMoreQuantifier,
-    ReOrOperator,
-    ReRightCurlyBracket,
-    ReRightParenthesis,
-    ReRightSquareBracket,
     ReWhiteSpaceSymbol,
     ReWordBoundarySymbol,
     ReWordSymbol,
-    ReZeroOrMoreQuantifier,
-    ReZeroOrOneQuantifier,
     SingleSymbolWildCard,
     StrValue,
     StrValueManager,
     UnboundLenWildCard,
 )
 from app.translator.platforms.base.aql.escape_manager import aql_escape_manager
 
-RE_STR_SPEC_SYMBOLS_MAP = {
-    "?": ReZeroOrOneQuantifier,
-    "*": ReZeroOrMoreQuantifier,
-    "+": ReOneOrMoreQuantifier,
-    "^": ReCaretSymbol,
-    "$": ReEndOfStrSymbol,
-    ".": ReAnySymbol,
-    "[": ReLeftSquareBracket,
-    "]": ReRightSquareBracket,
-    "(": ReLeftParenthesis,
-    ")": ReRightParenthesis,
-    "{": ReLeftCurlyBracket,
-    "}": ReRightCurlyBracket,
-    "|": ReOrOperator,
-    ",": ReCommaSymbol,
-    "-": ReHyphenSymbol,
-}
 AQL_CONTAINER_SPEC_SYMBOLS_MAP = copy.copy(CONTAINER_SPEC_SYMBOLS_MAP)
 AQL_CONTAINER_SPEC_SYMBOLS_MAP.update({SingleSymbolWildCard: "_", UnboundLenWildCard: "%"})