gis-8503 add SplunkAlertYMLParser

nazargesyk · nazargesyk · commit 63960e4e2135 · 2024-08-21T15:54:51.000+03:00
diff --git a/uncoder-core/app/translator/platforms/splunk/__init__.py b/uncoder-core/app/translator/platforms/splunk/__init__.py
@@ -1,5 +1,5 @@
 from app.translator.platforms.splunk.parsers.splunk import SplunkQueryParser  # noqa: F401
-from app.translator.platforms.splunk.parsers.splunk_alert import SplunkAlertParser  # noqa: F401
+from app.translator.platforms.splunk.parsers.splunk_alert import SplunkAlertParser, SplunkAlertYMLParser  # noqa: F401
 from app.translator.platforms.splunk.renders.splunk import SplunkQueryRender  # noqa: F401
 from app.translator.platforms.splunk.renders.splunk_alert import SplunkAlertRender  # noqa: F401
 from app.translator.platforms.splunk.renders.splunk_cti import SplunkCTI  # noqa: F401
diff --git a/uncoder-core/app/translator/platforms/splunk/const.py b/uncoder-core/app/translator/platforms/splunk/const.py
@@ -42,5 +42,14 @@
     **PLATFORM_DETAILS,
 }
 
+SPLUNK_ALERT_YML_DETAILS = {
+    "platform_id": "splunk-alert-yml",
+    "name": "Splunk Alert YML",
+    "platform_name": "Alert (SPL)",
+    "first_choice": 0,
+    **PLATFORM_DETAILS,
+}
+
 splunk_query_details = PlatformDetails(**SPLUNK_QUERY_DETAILS)
 splunk_alert_details = PlatformDetails(**SPLUNK_ALERT_DETAILS)
+splunk_alert_yml_details = PlatformDetails(**SPLUNK_ALERT_YML_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py b/uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py
@@ -20,10 +20,11 @@
 
 from app.translator.core.custom_types.meta_info import SeverityType
 from app.translator.core.mitre import MitreConfig
+from app.translator.core.mixins.rule import YamlRuleMixin
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer, MitreInfoContainer, RawQueryContainer
 from app.translator.managers import parser_manager
-from app.translator.platforms.splunk.const import splunk_alert_details
+from app.translator.platforms.splunk.const import splunk_alert_details, splunk_alert_yml_details
 from app.translator.platforms.splunk.mapping import SplunkMappings, splunk_alert_mappings
 from app.translator.platforms.splunk.parsers.splunk import SplunkQueryParser
 
@@ -73,3 +74,31 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
                 mitre_attack=mitre_attack_container,
             ),
         )
+
+
+@parser_manager.register
+class SplunkAlertYMLParser(SplunkQueryParser, YamlRuleMixin):
+    details: PlatformDetails = splunk_alert_yml_details
+    mappings: SplunkMappings = splunk_alert_mappings
+    mitre_config: MitreConfig = MitreConfig()
+
+    def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
+        rule = self.load_rule(text)
+        mitre_attack_container = self.mitre_config.get_mitre_info(
+            techniques=rule.get("tags", {}).get("mitre_attack_id", [])
+        )
+        return RawQueryContainer(
+            query=rule.get("search"),
+            language=language,
+            meta_info=MetaInfoContainer(
+                id_=rule.get("id"),
+                title=rule.get("name"),
+                date=rule.get("date"),
+                author=rule.get("author").split(", "),
+                status=rule.get("status"),
+                description=rule.get("description"),
+                false_positives=rule.get("known_false_positives"),
+                references=rule.get("references"),
+                mitre_attack=mitre_attack_container,
+            ),
+        )
