From 19f4372f4dd583bda48ed374b92afc09d5ea2649 Mon Sep 17 00:00:00 2001 
From: Oleksandr Volha Date: Tue, 28 Nov 2023 09:45:30 +0200 Subject: [PATCH] files structure refactoring --- siem-converter/app/converter/converter.py | 2 +- .../core/{operator_types => custom_types}/__init__.py | 0 .../core/{operator_types => custom_types}/tokens.py | 6 ------ siem-converter/app/converter/core/mixins/operator.py | 2 +- siem-converter/app/converter/core/models/field.py | 2 +- .../app/converter/core/models/functions/table.py | 2 +- siem-converter/app/converter/core/models/identifier.py | 8 ++++++-- .../output.py => models/parser_output.py} | 0 siem-converter/app/converter/core/parser.py | 2 +- siem-converter/app/converter/core/render.py | 4 ++-- siem-converter/app/converter/core/tokenizer.py | 4 ++-- .../app/converter/platforms/athena/parsers/athena.py | 2 +- .../app/converter/platforms/athena/tokenizer.py | 2 +- .../converter/platforms/base/lucene/parsers/lucene.py | 2 +- .../app/converter/platforms/base/lucene/tokenizer.py | 2 +- .../app/converter/platforms/base/spl/parsers/spl.py | 2 +- .../app/converter/platforms/base/spl/tokenizer.py | 2 +- .../converter/platforms/chronicle/parsers/chronicle.py | 2 +- .../platforms/chronicle/parsers/chronicle_rule.py | 2 +- .../platforms/chronicle/renders/chronicle_rule.py | 2 +- .../app/converter/platforms/chronicle/tokenizer.py | 2 +- .../platforms/elasticsearch/parsers/detection_rule.py | 2 +- .../platforms/elasticsearch/renders/detection_rule.py | 2 +- .../platforms/elasticsearch/renders/elast_alert.py | 2 +- .../platforms/elasticsearch/renders/kibana.py | 2 +- .../platforms/elasticsearch/renders/xpack_watcher.py | 2 +- .../converter/platforms/logscale/parsers/logscale.py | 2 +- .../platforms/logscale/parsers/logscale_alert.py | 2 +- .../converter/platforms/logscale/renders/logscale.py | 2 +- .../platforms/logscale/renders/logscale_alert.py | 2 +- .../app/converter/platforms/logscale/tokenizer.py | 2 +- .../platforms/microsoft/parsers/microsoft_sentinel.py | 2 +- 
.../microsoft/parsers/microsoft_sentinel_rule.py | 2 +- .../microsoft/renders/microsoft_sentinel_rule.py | 3 +-- .../app/converter/platforms/microsoft/tokenizer.py | 2 +- .../platforms/opensearch/renders/opensearch_rule.py | 2 +- .../app/converter/platforms/qradar/parsers/qradar.py | 2 +- .../app/converter/platforms/qradar/tokenizer.py | 2 +- .../app/converter/platforms/roota/parsers/roota.py | 2 +- .../{core => platforms/sigma/models}/compiler.py | 6 +++--- .../{core => platforms/sigma}/models/group.py | 4 +--- .../app/converter/platforms/sigma/models/modifiers.py | 2 +- .../{core => platforms/sigma}/models/operator.py | 2 +- .../app/converter/platforms/sigma/parsers/sigma.py | 2 +- .../app/converter/platforms/sigma/renders/sigma.py | 10 +++++----- .../app/converter/platforms/sigma/tokenizer.py | 2 +- .../converter/platforms/splunk/parsers/splunk_alert.py | 2 +- .../converter/platforms/splunk/renders/splunk_alert.py | 2 +- 48 files changed, 58 insertions(+), 63 deletions(-) rename siem-converter/app/converter/core/{operator_types => custom_types}/__init__.py (100%) rename siem-converter/app/converter/core/{operator_types => custom_types}/tokens.py (80%) rename siem-converter/app/converter/core/{operator_types/output.py => models/parser_output.py} (100%) rename siem-converter/app/converter/{core => platforms/sigma/models}/compiler.py (92%) rename siem-converter/app/converter/{core => platforms/sigma}/models/group.py (93%) rename siem-converter/app/converter/{core => platforms/sigma}/models/operator.py (93%) diff --git a/siem-converter/app/converter/converter.py b/siem-converter/app/converter/converter.py index 87652d46..5d1baefb 100644 --- a/siem-converter/app/converter/converter.py +++ b/siem-converter/app/converter/converter.py 
@@ -2,7 +2,7 @@ from app.converter.platforms.roota.parsers.roota import RootAParser from app.converter.core.exceptions.core import UnsupportedPlatform -from app.converter.core.operator_types.output import SiemContainer +from app.converter.core.models.parser_output import SiemContainer from app.converter.managers import RenderManager, ParserManager, render_manager, parser_manager from app.converter.tools.decorators import handle_translation_exceptions diff --git a/siem-converter/app/converter/core/operator_types/__init__.py b/siem-converter/app/converter/core/custom_types/__init__.py similarity index 100% rename from siem-converter/app/converter/core/operator_types/__init__.py rename to siem-converter/app/converter/core/custom_types/__init__.py diff --git a/siem-converter/app/converter/core/operator_types/tokens.py b/siem-converter/app/converter/core/custom_types/tokens.py similarity index 80% rename from siem-converter/app/converter/core/operator_types/tokens.py rename to siem-converter/app/converter/core/custom_types/tokens.py index c491fe1a..74206dca 100644 --- a/siem-converter/app/converter/core/operator_types/tokens.py +++ b/siem-converter/app/converter/core/custom_types/tokens.py @@ -14,7 +14,6 @@ class OperatorType(CustomEnum): GTE = ">=" EQ = "=" NEQ = "!=" - COLON = ":" CONTAINS = "contains" STARTSWITH = "startswith" ENDSWITH = "endswith" @@ -25,8 +24,3 @@ class OperatorType(CustomEnum): class GroupType(CustomEnum): L_PAREN = "(" R_PAREN = ")" - GROUP = "group" - - -class ValidTokens(LogicalOperatorType, OperatorType, GroupType): - pass diff --git a/siem-converter/app/converter/core/mixins/operator.py b/siem-converter/app/converter/core/mixins/operator.py index 39a3e27f..fca93a97 100644 --- a/siem-converter/app/converter/core/mixins/operator.py +++ b/siem-converter/app/converter/core/mixins/operator.py 
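Review bot: Dropping `COLON = ":"` from `OperatorType` and `GROUP = "group"` from `GroupType` is a behavioural change hidden inside a file move: any tokenizer that still emits `":"` as a token type now fails at the Identifier membership check at parse time, and any remaining reference to `OperatorType.COLON` or `GroupType.GROUP` raises AttributeError on first use rather than at import. The diffstat shows every platform tokenizer changing by exactly one import line, so no such call site was touched in this commit; a search for `COLON` and `GroupType.GROUP` across the package before merging would confirm both members are dead. `ValidTokens` was a public name and is removed with no alias; its only visible user is identifier.py, which this patch updates, but any out-of-tree importer breaks silently.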
@@ -19,7 +19,7 @@ from typing import Union, List, Tuple from app.converter.core.models.identifier import Identifier -from app.converter.core.operator_types.tokens import OperatorType +from app.converter.core.custom_types.tokens import OperatorType class WildCardMixin: diff --git a/siem-converter/app/converter/core/models/field.py b/siem-converter/app/converter/core/models/field.py index e881cf3b..61864ee0 100644 --- a/siem-converter/app/converter/core/models/field.py +++ b/siem-converter/app/converter/core/models/field.py @@ -2,7 +2,7 @@ from app.converter.core.mapping import SourceMapping from app.converter.core.models.identifier import Identifier -from app.converter.core.operator_types.tokens import OperatorType +from app.converter.core.custom_types.tokens import OperatorType class Field: diff --git a/siem-converter/app/converter/core/models/functions/table.py b/siem-converter/app/converter/core/models/functions/table.py index c8127df3..d4647682 100644 --- a/siem-converter/app/converter/core/models/functions/table.py +++ b/siem-converter/app/converter/core/models/functions/table.py @@ -1,4 +1,4 @@ -from app.converter.core.operator_types.tokens import OperatorType +from app.converter.core.custom_types.tokens import OperatorType class TableField: diff --git a/siem-converter/app/converter/core/models/identifier.py b/siem-converter/app/converter/core/models/identifier.py index c62c6bdb..aa0f6f28 100644 --- a/siem-converter/app/converter/core/models/identifier.py +++ b/siem-converter/app/converter/core/models/identifier.py 
@@ -1,12 +1,16 @@ from dataclasses import dataclass -from app.converter.core.operator_types.tokens import ValidTokens +from app.converter.core.custom_types.tokens import LogicalOperatorType, OperatorType, GroupType + + +class _IdentifierTokenType(LogicalOperatorType, OperatorType, GroupType): + pass @dataclass class Identifier: def __init__(self, *, token_type: str) -> None: - if token_type not in ValidTokens: + if token_type not in _IdentifierTokenType: raise Exception(f"Unexpected token type: {token_type}") self.token_type = token_type diff --git a/siem-converter/app/converter/core/operator_types/output.py b/siem-converter/app/converter/core/models/parser_output.py similarity index 100% rename from siem-converter/app/converter/core/operator_types/output.py rename to siem-converter/app/converter/core/models/parser_output.py diff --git a/siem-converter/app/converter/core/parser.py b/siem-converter/app/converter/core/parser.py index 778cda88..ec2ff1bc 100644 --- a/siem-converter/app/converter/core/parser.py +++ b/siem-converter/app/converter/core/parser.py @@ -22,7 +22,7 @@ from app.converter.core.mapping import BasePlatformMappings, SourceMapping from app.converter.core.models.field import Field from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer +from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer from app.converter.core.tokenizer import QueryTokenizer, TOKEN_TYPE diff --git a/siem-converter/app/converter/core/render.py b/siem-converter/app/converter/core/render.py index cf2c97ba..966c80bd 100644 --- a/siem-converter/app/converter/core/render.py +++ b/siem-converter/app/converter/core/render.py 
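Review bot: `_IdentifierTokenType` is introduced without a docstring, and its purpose — acting as the union of the three token enums so `token_type not in _IdentifierTokenType` can validate with one membership test — is not obvious from a three-base class whose body is `pass`; add `"""Union of every token enum an Identifier may carry; replaces the removed ValidTokens."""`. The membership test relies on `CustomEnum` supplying a `__contains__` that accepts the raw string values of all merged bases, which is not visible in this hunk and is worth confirming so that a value such as `"and"` is matched rather than compared against enum instances. The `raise Exception(...)` on the following context line is unchanged, but since the guard is being edited anyway, narrowing it to `ValueError` would let callers distinguish a bad token from an unexpected failure.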
@@ -26,8 +26,8 @@ from app.converter.core.models.field import Field, Keyword from app.converter.core.models.functions.types import ParsedFunctions from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import MetaInfoContainer -from app.converter.core.operator_types.tokens import LogicalOperatorType, OperatorType, GroupType +from app.converter.core.models.parser_output import MetaInfoContainer +from app.converter.core.custom_types.tokens import LogicalOperatorType, OperatorType, GroupType class BaseQueryFieldValue(ABC): diff --git a/siem-converter/app/converter/core/tokenizer.py b/siem-converter/app/converter/core/tokenizer.py index 6dab969c..0ced3889 100644 --- a/siem-converter/app/converter/core/tokenizer.py +++ b/siem-converter/app/converter/core/tokenizer.py @@ -27,8 +27,8 @@ from app.converter.core.mapping import SourceMapping, DEFAULT_MAPPING_NAME, BasePlatformMappings from app.converter.core.models.field import Field, Keyword from app.converter.core.models.identifier import Identifier -from app.converter.core.models.group import GroupType -from app.converter.core.operator_types.tokens import OperatorType +from app.converter.platforms.sigma.models.group import GroupType +from app.converter.core.custom_types.tokens import OperatorType from app.converter.tools.utils import get_match_group TOKEN_TYPE = Union[Field, Keyword, Identifier] diff --git a/siem-converter/app/converter/platforms/athena/parsers/athena.py b/siem-converter/app/converter/platforms/athena/parsers/athena.py index f1cc04cf..e6309d96 100644 --- a/siem-converter/app/converter/platforms/athena/parsers/athena.py +++ b/siem-converter/app/converter/platforms/athena/parsers/athena.py 
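Review bot: The new import `from app.converter.platforms.sigma.models.group import GroupType` in tokenizer.py will raise ImportError at module load, because this same patch removes the `GroupType` import from group.py (its only remaining import is `OR, AND, NOT` from the sigma operator module), so the name no longer exists in that module. `GroupType` lives in `core/custom_types/tokens.py`, which the very next line already imports from; merge them into `from app.converter.core.custom_types.tokens import GroupType, OperatorType` and drop the sigma import. That also keeps the core tokenizer from depending on a platform package, which is the layering the rest of this refactor moves away from and, since sigma modules import from core, a likely source of circular imports.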
@@ -24,7 +24,7 @@ from app.converter.platforms.athena.tokenizer import AthenaTokenizer from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.parser import Parser -from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer +from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer class AthenaParser(Parser): diff --git a/siem-converter/app/converter/platforms/athena/tokenizer.py b/siem-converter/app/converter/platforms/athena/tokenizer.py index 4ce65d6d..8debdd11 100644 --- a/siem-converter/app/converter/platforms/athena/tokenizer.py +++ b/siem-converter/app/converter/platforms/athena/tokenizer.py @@ -21,7 +21,7 @@ from app.converter.core.models.identifier import Identifier from app.converter.core.tokenizer import QueryTokenizer -from app.converter.core.operator_types.tokens import OperatorType +from app.converter.core.custom_types.tokens import OperatorType from app.converter.tools.utils import get_match_group diff --git a/siem-converter/app/converter/platforms/base/lucene/parsers/lucene.py b/siem-converter/app/converter/platforms/base/lucene/parsers/lucene.py index 52ea134e..d0c51284 100644 --- a/siem-converter/app/converter/platforms/base/lucene/parsers/lucene.py +++ b/siem-converter/app/converter/platforms/base/lucene/parsers/lucene.py @@ -21,7 +21,7 @@ from app.converter.platforms.base.lucene.tokenizer import LuceneTokenizer from app.converter.core.parser import Parser -from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer +from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer class LuceneParser(Parser): diff --git a/siem-converter/app/converter/platforms/base/lucene/tokenizer.py b/siem-converter/app/converter/platforms/base/lucene/tokenizer.py index 3afd2316..0ac47881 100644 --- a/siem-converter/app/converter/platforms/base/lucene/tokenizer.py 
+++ b/siem-converter/app/converter/platforms/base/lucene/tokenizer.py @@ -23,7 +23,7 @@ from app.converter.core.models.field import Keyword, Field from app.converter.core.models.identifier import Identifier from app.converter.core.tokenizer import QueryTokenizer -from app.converter.core.operator_types.tokens import OperatorType +from app.converter.core.custom_types.tokens import OperatorType from app.converter.tools.utils import get_match_group diff --git a/siem-converter/app/converter/platforms/base/spl/parsers/spl.py b/siem-converter/app/converter/platforms/base/spl/parsers/spl.py index 6d5afc62..834d612f 100644 --- a/siem-converter/app/converter/platforms/base/spl/parsers/spl.py +++ b/siem-converter/app/converter/platforms/base/spl/parsers/spl.py @@ -22,7 +22,7 @@ from app.converter.platforms.base.spl.tokenizer import SplTokenizer from app.converter.core.models.functions.types import ParsedFunctions from app.converter.core.parser import Parser -from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer +from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer class SplParser(Parser): diff --git a/siem-converter/app/converter/platforms/base/spl/tokenizer.py b/siem-converter/app/converter/platforms/base/spl/tokenizer.py index fc920181..e0207cd7 100644 --- a/siem-converter/app/converter/platforms/base/spl/tokenizer.py +++ b/siem-converter/app/converter/platforms/base/spl/tokenizer.py @@ -20,7 +20,7 @@ from typing import Tuple, Any from app.converter.core.tokenizer import QueryTokenizer -from app.converter.core.operator_types.tokens import OperatorType +from app.converter.core.custom_types.tokens import OperatorType from app.converter.tools.utils import get_match_group diff --git a/siem-converter/app/converter/platforms/chronicle/parsers/chronicle.py b/siem-converter/app/converter/platforms/chronicle/parsers/chronicle.py index 97e0183a..9ab4b12d 100644 
--- a/siem-converter/app/converter/platforms/chronicle/parsers/chronicle.py +++ b/siem-converter/app/converter/platforms/chronicle/parsers/chronicle.py @@ -23,7 +23,7 @@ from app.converter.platforms.chronicle.tokenizer import ChronicleQueryTokenizer from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.parser import Parser -from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer +from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer class ChronicleParser(Parser): diff --git a/siem-converter/app/converter/platforms/chronicle/parsers/chronicle_rule.py b/siem-converter/app/converter/platforms/chronicle/parsers/chronicle_rule.py index 36c2fd38..fc08dfe7 100644 --- a/siem-converter/app/converter/platforms/chronicle/parsers/chronicle_rule.py +++ b/siem-converter/app/converter/platforms/chronicle/parsers/chronicle_rule.py @@ -25,7 +25,7 @@ from app.converter.core.exceptions.parser import TokenizerGeneralException from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.parser import Parser -from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer +from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer class ChronicleRuleParser(Parser): diff --git a/siem-converter/app/converter/platforms/chronicle/renders/chronicle_rule.py b/siem-converter/app/converter/platforms/chronicle/renders/chronicle_rule.py index 6a1c27b6..1a485f60 100644 --- a/siem-converter/app/converter/platforms/chronicle/renders/chronicle_rule.py +++ b/siem-converter/app/converter/platforms/chronicle/renders/chronicle_rule.py 
@@ -23,7 +23,7 @@ from app.converter.platforms.chronicle.const import DEFAULT_CHRONICLE_SECURITY_RULE, chronicle_rule_details from app.converter.core.mapping import SourceMapping from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import MetaInfoContainer +from app.converter.core.models.parser_output import MetaInfoContainer from app.converter.tools.utils import concatenate_str, get_author_str _AUTOGENERATED_TITLE = "Autogenerated Chronicle Security rule" diff --git a/siem-converter/app/converter/platforms/chronicle/tokenizer.py b/siem-converter/app/converter/platforms/chronicle/tokenizer.py index a9427911..618d0704 100644 --- a/siem-converter/app/converter/platforms/chronicle/tokenizer.py +++ b/siem-converter/app/converter/platforms/chronicle/tokenizer.py @@ -21,7 +21,7 @@ from app.converter.core.exceptions.parser import TokenizerGeneralException from app.converter.core.tokenizer import QueryTokenizer -from app.converter.core.operator_types.tokens import OperatorType +from app.converter.core.custom_types.tokens import OperatorType from app.converter.tools.utils import get_match_group diff --git a/siem-converter/app/converter/platforms/elasticsearch/parsers/detection_rule.py b/siem-converter/app/converter/platforms/elasticsearch/parsers/detection_rule.py index 57fdcb5d..b8e7d6b1 100644 --- a/siem-converter/app/converter/platforms/elasticsearch/parsers/detection_rule.py +++ b/siem-converter/app/converter/platforms/elasticsearch/parsers/detection_rule.py 
@@ -22,7 +22,7 @@ from app.converter.platforms.elasticsearch.parsers.elasticsearch import ElasticSearchParser from app.converter.core.mixins.rule import JsonRuleMixin from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer +from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer class ElasticSearchRuleParser(ElasticSearchParser, JsonRuleMixin): diff --git a/siem-converter/app/converter/platforms/elasticsearch/renders/detection_rule.py b/siem-converter/app/converter/platforms/elasticsearch/renders/detection_rule.py index a38c7c44..7b6bb031 100644 --- a/siem-converter/app/converter/platforms/elasticsearch/renders/detection_rule.py +++ b/siem-converter/app/converter/platforms/elasticsearch/renders/detection_rule.py @@ -25,7 +25,7 @@ from app.converter.platforms.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender, ElasticSearchFieldValue from app.converter.core.mapping import SourceMapping from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import MetaInfoContainer +from app.converter.core.models.parser_output import MetaInfoContainer from app.converter.tools.utils import concatenate_str, get_mitre_attack_str diff --git a/siem-converter/app/converter/platforms/elasticsearch/renders/elast_alert.py b/siem-converter/app/converter/platforms/elasticsearch/renders/elast_alert.py index 1e02c210..a07cac49 100644 --- a/siem-converter/app/converter/platforms/elasticsearch/renders/elast_alert.py +++ b/siem-converter/app/converter/platforms/elasticsearch/renders/elast_alert.py 
@@ -22,7 +22,7 @@ from app.converter.platforms.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender, ElasticSearchFieldValue from app.converter.core.mapping import SourceMapping from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import MetaInfoContainer +from app.converter.core.models.parser_output import MetaInfoContainer from app.converter.tools.utils import get_author_str, concatenate_str, get_mitre_attack_str, get_licence_str diff --git a/siem-converter/app/converter/platforms/elasticsearch/renders/kibana.py b/siem-converter/app/converter/platforms/elasticsearch/renders/kibana.py index 2150642b..6303b6fe 100644 --- a/siem-converter/app/converter/platforms/elasticsearch/renders/kibana.py +++ b/siem-converter/app/converter/platforms/elasticsearch/renders/kibana.py @@ -25,7 +25,7 @@ from app.converter.platforms.elasticsearch.renders.elasticsearch import ElasticSearchQueryRender, ElasticSearchFieldValue from app.converter.core.mapping import SourceMapping from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import MetaInfoContainer +from app.converter.core.models.parser_output import MetaInfoContainer from app.converter.tools.utils import concatenate_str, get_author_str, get_licence_str, get_mitre_attack_str, \ get_rule_id_str, get_references_str diff --git a/siem-converter/app/converter/platforms/elasticsearch/renders/xpack_watcher.py b/siem-converter/app/converter/platforms/elasticsearch/renders/xpack_watcher.py index 0272f471..98f1bc21 100644 --- a/siem-converter/app/converter/platforms/elasticsearch/renders/xpack_watcher.py +++ b/siem-converter/app/converter/platforms/elasticsearch/renders/xpack_watcher.py 
@@ -25,7 +25,7 @@ from app.converter.platforms.elasticsearch.const import XPACK_WATCHER_RULE, xpack_watcher_details from app.converter.core.mapping import SourceMapping from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import MetaInfoContainer +from app.converter.core.models.parser_output import MetaInfoContainer from app.converter.tools.utils import concatenate_str, get_author_str, get_licence_str, get_mitre_attack_str diff --git a/siem-converter/app/converter/platforms/logscale/parsers/logscale.py b/siem-converter/app/converter/platforms/logscale/parsers/logscale.py index 13fa877f..d7beb82a 100644 --- a/siem-converter/app/converter/platforms/logscale/parsers/logscale.py +++ b/siem-converter/app/converter/platforms/logscale/parsers/logscale.py @@ -25,7 +25,7 @@ from app.converter.platforms.logscale.tokenizer import LogScaleTokenizer from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.parser import Parser -from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer +from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer class LogScaleParser(Parser): diff --git a/siem-converter/app/converter/platforms/logscale/parsers/logscale_alert.py b/siem-converter/app/converter/platforms/logscale/parsers/logscale_alert.py index 7a6484c7..c2584d84 100644 --- a/siem-converter/app/converter/platforms/logscale/parsers/logscale_alert.py +++ b/siem-converter/app/converter/platforms/logscale/parsers/logscale_alert.py 
@@ -22,7 +22,7 @@ from app.converter.platforms.logscale.parsers.logscale import LogScaleParser from app.converter.core.mixins.rule import JsonRuleMixin from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer +from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer class LogScaleAlertParser(LogScaleParser, JsonRuleMixin): diff --git a/siem-converter/app/converter/platforms/logscale/renders/logscale.py b/siem-converter/app/converter/platforms/logscale/renders/logscale.py index da9dcf4b..b01ca8ce 100644 --- a/siem-converter/app/converter/platforms/logscale/renders/logscale.py +++ b/siem-converter/app/converter/platforms/logscale/renders/logscale.py @@ -22,7 +22,7 @@ from app.converter.platforms.logscale.mapping import LogScaleMappings, logscale_mappings from app.converter.core.mapping import SourceMapping from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import MetaInfoContainer +from app.converter.core.models.parser_output import MetaInfoContainer from app.converter.core.render import BaseQueryRender, BaseQueryFieldValue diff --git a/siem-converter/app/converter/platforms/logscale/renders/logscale_alert.py b/siem-converter/app/converter/platforms/logscale/renders/logscale_alert.py index 7e87c267..89341497 100644 --- a/siem-converter/app/converter/platforms/logscale/renders/logscale_alert.py +++ b/siem-converter/app/converter/platforms/logscale/renders/logscale_alert.py 
@@ -24,7 +24,7 @@ from app.converter.platforms.logscale.const import DEFAULT_LOGSCALE_ALERT, logscale_alert_details from app.converter.core.mapping import SourceMapping from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import MetaInfoContainer +from app.converter.core.models.parser_output import MetaInfoContainer _AUTOGENERATED_TITLE = "Autogenerated Falcon LogScale Alert" diff --git a/siem-converter/app/converter/platforms/logscale/tokenizer.py b/siem-converter/app/converter/platforms/logscale/tokenizer.py index 3c02dcd6..dd665c7b 100644 --- a/siem-converter/app/converter/platforms/logscale/tokenizer.py +++ b/siem-converter/app/converter/platforms/logscale/tokenizer.py @@ -21,7 +21,7 @@ from app.converter.core.models.field import Keyword, Field from app.converter.core.models.identifier import Identifier -from app.converter.core.operator_types.tokens import GroupType, LogicalOperatorType, OperatorType +from app.converter.core.custom_types.tokens import GroupType, LogicalOperatorType, OperatorType from app.converter.core.tokenizer import QueryTokenizer from app.converter.tools.utils import get_match_group diff --git a/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel.py b/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel.py index 32e210d4..dac5851e 100644 --- a/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel.py +++ b/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel.py @@ -25,7 +25,7 @@ from app.converter.core.models.functions.types import ParsedFunctions from app.converter.core.models.platform_details import PlatformDetails from app.converter.core.parser import Parser -from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer +from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer class MicrosoftParser(Parser): 
diff --git a/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel_rule.py b/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel_rule.py index 156914ac..5b884140 100644 --- a/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel_rule.py +++ b/siem-converter/app/converter/platforms/microsoft/parsers/microsoft_sentinel_rule.py @@ -22,7 +22,7 @@ from app.converter.platforms.microsoft.parsers.microsoft_sentinel import MicrosoftParser from app.converter.core.mixins.rule import JsonRuleMixin from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer +from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer class MicrosoftRuleParser(MicrosoftParser, JsonRuleMixin): diff --git a/siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel_rule.py b/siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel_rule.py index 78ad74c7..80c69551 100644 --- a/siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel_rule.py +++ b/siem-converter/app/converter/platforms/microsoft/renders/microsoft_sentinel_rule.py @@ -19,7 +19,6 @@ import copy import json -import re from app.converter.platforms.microsoft.renders.microsoft_sentinel import ( MicrosoftSentinelQueryRender, @@ -28,7 +27,7 @@ from app.converter.platforms.microsoft.const import DEFAULT_MICROSOFT_SENTINEL_RULE, microsoft_sentinel_rule_details from app.converter.core.mapping import SourceMapping from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import MetaInfoContainer +from app.converter.core.models.parser_output import MetaInfoContainer from app.converter.tools.utils import concatenate_str, get_author_str, get_licence_str 
diff --git a/siem-converter/app/converter/platforms/microsoft/tokenizer.py b/siem-converter/app/converter/platforms/microsoft/tokenizer.py index 4eafb3f6..e0f57842 100644 --- a/siem-converter/app/converter/platforms/microsoft/tokenizer.py +++ b/siem-converter/app/converter/platforms/microsoft/tokenizer.py @@ -21,7 +21,7 @@ from app.converter.core.mixins.operator import OperatorBasedMixin from app.converter.core.tokenizer import QueryTokenizer -from app.converter.core.operator_types.tokens import OperatorType +from app.converter.core.custom_types.tokens import OperatorType from app.converter.tools.utils import get_match_group diff --git a/siem-converter/app/converter/platforms/opensearch/renders/opensearch_rule.py b/siem-converter/app/converter/platforms/opensearch/renders/opensearch_rule.py index 7c24d0a8..38fc8f11 100644 --- a/siem-converter/app/converter/platforms/opensearch/renders/opensearch_rule.py +++ b/siem-converter/app/converter/platforms/opensearch/renders/opensearch_rule.py @@ -25,7 +25,7 @@ from app.converter.platforms.opensearch.renders.opensearch import OpenSearchQueryRender, OpenSearchFieldValue from app.converter.core.mapping import SourceMapping from app.converter.core.models.platform_details import PlatformDetails -from app.converter.core.operator_types.output import MetaInfoContainer +from app.converter.core.models.parser_output import MetaInfoContainer SEVERITIES_MAP = {"informational": "5", "low": "4", "medium": "3", "high": "2", "critical": "1"} diff --git a/siem-converter/app/converter/platforms/qradar/parsers/qradar.py b/siem-converter/app/converter/platforms/qradar/parsers/qradar.py index e9135e61..3382ecb3 100644 --- a/siem-converter/app/converter/platforms/qradar/parsers/qradar.py +++ b/siem-converter/app/converter/platforms/qradar/parsers/qradar.py 
@@ -25,7 +25,7 @@ from app.converter.platforms.qradar.tokenizer import QradarTokenizer
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.parser import Parser
-from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer
+from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer
 from app.converter.tools.utils import get_match_group
diff --git a/siem-converter/app/converter/platforms/qradar/tokenizer.py b/siem-converter/app/converter/platforms/qradar/tokenizer.py
index 680d6a0b..fe36f8ad 100644
--- a/siem-converter/app/converter/platforms/qradar/tokenizer.py
+++ b/siem-converter/app/converter/platforms/qradar/tokenizer.py
@@ -23,7 +23,7 @@ from app.converter.core.models.field import Keyword
 from app.converter.core.models.identifier import Identifier
 from app.converter.core.tokenizer import QueryTokenizer
-from app.converter.core.operator_types.tokens import OperatorType
+from app.converter.core.custom_types.tokens import OperatorType
 from app.converter.tools.utils import get_match_group
diff --git a/siem-converter/app/converter/platforms/roota/parsers/roota.py b/siem-converter/app/converter/platforms/roota/parsers/roota.py
index c7690d64..28519cb8 100644
--- a/siem-converter/app/converter/platforms/roota/parsers/roota.py
+++ b/siem-converter/app/converter/platforms/roota/parsers/roota.py
@@ -18,7 +18,7 @@ from app.converter.core.exceptions.core import UnsupportedRootAParser, RootARuleValidationException
 from app.converter.core.mixins.rule import YamlRuleMixin
-from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer
+from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer
 from app.converter.core.parser import Parser
 from app.converter.managers import parser_manager
diff --git a/siem-converter/app/converter/core/compiler.py b/siem-converter/app/converter/platforms/sigma/models/compiler.py
similarity index 92%
rename from siem-converter/app/converter/core/compiler.py
rename to siem-converter/app/converter/platforms/sigma/models/compiler.py
index e7522b92..a69c948c 100644
--- a/siem-converter/app/converter/core/compiler.py
+++ b/siem-converter/app/converter/platforms/sigma/models/compiler.py
@@ -17,10 +17,10 @@
 """
 
 from app.converter.core.models.field import Field, Keyword
-from app.converter.core.models.group import Group
+from app.converter.platforms.sigma.models.group import Group
 from app.converter.core.models.identifier import Identifier
-from app.converter.core.models.operator import Operator, NOT
-from app.converter.core.operator_types.tokens import LogicalOperatorType, GroupType
+from app.converter.platforms.sigma.models.operator import Operator, NOT
+from app.converter.core.custom_types.tokens import LogicalOperatorType, GroupType
 
 
 class DataStructureCompiler:
diff --git a/siem-converter/app/converter/core/models/group.py b/siem-converter/app/converter/platforms/sigma/models/group.py
similarity index 93%
rename from siem-converter/app/converter/core/models/group.py
rename to siem-converter/app/converter/platforms/sigma/models/group.py
index d78eb8e8..b61c50d4 100644
--- a/siem-converter/app/converter/core/models/group.py
+++ b/siem-converter/app/converter/platforms/sigma/models/group.py
@@ -1,9 +1,7 @@
-from app.converter.core.models.operator import OR, AND, NOT
-from app.converter.core.operator_types.tokens import GroupType
+from app.converter.platforms.sigma.models.operator import OR, AND, NOT
 
 
 class Group:
-    token_type = GroupType.GROUP
     parent_group = []
     sub_group = None
     last_field = None
diff --git a/siem-converter/app/converter/platforms/sigma/models/modifiers.py b/siem-converter/app/converter/platforms/sigma/models/modifiers.py
index 847258ce..6d1f1d83 100644
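Review bot: The group.py hunk drops `token_type = GroupType.GROUP` from `Group` with no visible replacement, which is a behaviour change hidden inside a "files structure refactoring" commit: any code that still reads `Group.token_type` will now raise AttributeError instead of matching, and the compiler and sigma tokenizer hunks in this same commit still import `GroupType`, so such readers plausibly exist. If the attribute is intentionally retired, say so in the commit message and remove the now-unused `GroupType` imports together with it; otherwise keep `token_type = GroupType.GROUP` and re-add `from app.converter.core.custom_types.tokens import GroupType`. Separately, the surviving `parent_group = []` is a class-level mutable list shared by every `Group` instance; unless that sharing is intended, initialise it per instance in `__init__`. The rest of the class body is outside the hunk.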
--- a/siem-converter/app/converter/platforms/sigma/models/modifiers.py
+++ b/siem-converter/app/converter/platforms/sigma/models/modifiers.py
@@ -2,7 +2,7 @@
 from app.converter.core.models.field import Field
 from app.converter.core.models.identifier import Identifier
-from app.converter.core.operator_types.tokens import LogicalOperatorType, OperatorType, GroupType
+from app.converter.core.custom_types.tokens import LogicalOperatorType, OperatorType, GroupType
 
 
 class ModifierManager:
diff --git a/siem-converter/app/converter/core/models/operator.py b/siem-converter/app/converter/platforms/sigma/models/operator.py
similarity index 93%
rename from siem-converter/app/converter/core/models/operator.py
rename to siem-converter/app/converter/platforms/sigma/models/operator.py
index c59c24f2..7c60f4d9 100644
--- a/siem-converter/app/converter/core/models/operator.py
+++ b/siem-converter/app/converter/platforms/sigma/models/operator.py
@@ -1,6 +1,6 @@
 from abc import ABC
 
-from app.converter.core.operator_types.tokens import LogicalOperatorType
+from app.converter.core.custom_types.tokens import LogicalOperatorType
 
 
 class BaseOperator(ABC):
diff --git a/siem-converter/app/converter/platforms/sigma/parsers/sigma.py b/siem-converter/app/converter/platforms/sigma/parsers/sigma.py
index a9635a38..b41a38f8 100644
--- a/siem-converter/app/converter/platforms/sigma/parsers/sigma.py
+++ b/siem-converter/app/converter/platforms/sigma/parsers/sigma.py
@@ -28,7 +28,7 @@ from app.converter.core.mixins.rule import YamlRuleMixin
 from app.converter.core.models.field import Field
 from app.converter.core.models.platform_details import PlatformDetails
-from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer
+from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer
 
 
 class SigmaParser(YamlRuleMixin):
diff --git a/siem-converter/app/converter/platforms/sigma/renders/sigma.py b/siem-converter/app/converter/platforms/sigma/renders/sigma.py
index 2ade383d..a1dd5c17 100644
--- a/siem-converter/app/converter/platforms/sigma/renders/sigma.py
+++ b/siem-converter/app/converter/platforms/sigma/renders/sigma.py
@@ -23,16 +23,16 @@ from app.converter.platforms.sigma.const import SIGMA_RULE_DETAILS
 from app.converter.platforms.sigma.mapping import SigmaMappings, sigma_mappings, SigmaLogSourceSignature
-from app.converter.core.compiler import DataStructureCompiler
+from app.converter.platforms.sigma.models.compiler import DataStructureCompiler
 from app.converter.core.exceptions.core import StrictPlatformFieldException
 from app.converter.core.mapping import SourceMapping, DEFAULT_MAPPING_NAME
 from app.converter.core.models.field import Field, Keyword
 from app.converter.core.models.functions.types import ParsedFunctions
-from app.converter.core.models.group import Group
-from app.converter.core.models.operator import OR, AND, NOT
+from app.converter.platforms.sigma.models.group import Group
+from app.converter.platforms.sigma.models.operator import OR, AND, NOT
 from app.converter.core.models.platform_details import PlatformDetails
-from app.converter.core.operator_types.output import MetaInfoContainer
-from app.converter.core.operator_types.tokens import OperatorType
+from app.converter.core.models.parser_output import MetaInfoContainer
+from app.converter.core.custom_types.tokens import OperatorType
 
 
 class SigmaRender:
diff --git a/siem-converter/app/converter/platforms/sigma/tokenizer.py b/siem-converter/app/converter/platforms/sigma/tokenizer.py
index 9d16da6c..b73e8515 100644
--- a/siem-converter/app/converter/platforms/sigma/tokenizer.py
+++ b/siem-converter/app/converter/platforms/sigma/tokenizer.py
@@ -23,7 +23,7 @@ from app.converter.core.exceptions.parser import TokenizerGeneralException
 from app.converter.core.models.field import Field, Keyword
 from app.converter.core.models.identifier import Identifier
-from app.converter.core.operator_types.tokens import GroupType, LogicalOperatorType
+from app.converter.core.custom_types.tokens import GroupType, LogicalOperatorType
 from app.converter.core.tokenizer import QueryTokenizer
diff --git a/siem-converter/app/converter/platforms/splunk/parsers/splunk_alert.py b/siem-converter/app/converter/platforms/splunk/parsers/splunk_alert.py
index 3763720a..74fab0b0 100644
--- a/siem-converter/app/converter/platforms/splunk/parsers/splunk_alert.py
+++ b/siem-converter/app/converter/platforms/splunk/parsers/splunk_alert.py
@@ -22,7 +22,7 @@ from app.converter.platforms.splunk.const import splunk_alert_details
 from app.converter.platforms.splunk.parsers.splunk import SplunkParser
 from app.converter.core.models.platform_details import PlatformDetails
-from app.converter.core.operator_types.output import SiemContainer, MetaInfoContainer
+from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer
 
 
 class SplunkAlertParser(SplunkParser):
diff --git a/siem-converter/app/converter/platforms/splunk/renders/splunk_alert.py b/siem-converter/app/converter/platforms/splunk/renders/splunk_alert.py
index f16b9efd..dc80a8e3 100644
--- a/siem-converter/app/converter/platforms/splunk/renders/splunk_alert.py
+++ b/siem-converter/app/converter/platforms/splunk/renders/splunk_alert.py
@@ -21,7 +21,7 @@ from app.converter.platforms.splunk.const import DEFAULT_SPLUNK_ALERT, splunk_alert_details
 from app.converter.core.mapping import SourceMapping
 from app.converter.core.models.platform_details import PlatformDetails
-from app.converter.core.operator_types.output import MetaInfoContainer
+from app.converter.core.models.parser_output import MetaInfoContainer
 
 
 _AUTOGENERATED_TITLE = "Autogenerated Splunk Alert"