From 8ef36aa5f74b0bb0a06749fbf87dd001babf2cf9 Mon Sep 17 00:00:00 2001 From: Oleksandr Volha Date: Wed, 25 Sep 2024 12:26:13 +0300 Subject: [PATCH 1/3] fix qradar logsource parsing --- uncoder-core/app/translator/platforms/base/aql/parsers/aql.py | 4 ++-- uncoder-core/app/translator/platforms/sigma/parsers/sigma.py | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/uncoder-core/app/translator/platforms/base/aql/parsers/aql.py b/uncoder-core/app/translator/platforms/base/aql/parsers/aql.py index 8d6fc601..5b3a7041 100644 --- a/uncoder-core/app/translator/platforms/base/aql/parsers/aql.py +++ b/uncoder-core/app/translator/platforms/base/aql/parsers/aql.py @@ -37,13 +37,13 @@ class AQLQueryParser(PlatformQueryParser): log_source_functions = ("LOGSOURCENAME", "LOGSOURCEGROUPNAME") log_source_function_pattern = r"\(?(?P___func_name___\([a-zA-Z]+\))(?:\s+like\s+|\s+ilike\s+|\s*=\s*)'(?P[%a-zA-Z\s]+)'\s*\)?\s+(?:and|or)?\s" # noqa: E501 - log_source_key_types = ("devicetype", "category", "qid", "qideventcategory", *LOG_SOURCE_FUNCTIONS_MAP.keys()) + log_source_key_types = ("devicetype", "qideventcategory", "category", "qid", *LOG_SOURCE_FUNCTIONS_MAP.keys()) log_source_pattern = rf"___source_type___(?:\s+like\s+|\s+ilike\s+|\s*=\s*)(?:{SINGLE_QUOTES_VALUE_PATTERN}|{NUM_VALUE_PATTERN})(?:\s+(?:and|or)\s+|\s+)?" # noqa: E501 num_value_pattern = r"[0-9]+" multi_num_log_source_pattern = ( rf"___source_type___\s+in\s+\((?P(?:{num_value_pattern}(?:\s*,\s*)?)+)\)(?:\s+(?:and|or)\s+|\s+)?" ) - str_value_pattern = r"""(?:')(?P(?:[:a-zA-Z\*0-9=+%#\-\/\\,_".$&^@!\(\)\{\}\s]|'')+)(?:')""" + str_value_pattern = r"""'(?P(?:[:a-zA-Z\*0-9=+%#\-\/\\,_".$&^@!\(\)\{\}\s]|'')+)'""" multi_str_log_source_pattern = ( rf"""___source_type___\s+in\s+\((?P(?:{str_value_pattern}(?:\s*,\s*)?)+)\)(?:\s+(?:and|or)\s+|\s+)?""" ) diff --git a/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py b/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py index d4a2d83c..384b7a30 100644 --- a/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py +++ b/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py @@ -18,7 +18,6 @@ """ from datetime import timedelta -from re import I from typing import Optional, Union from app.translator.core.exceptions.core import SigmaRuleValidationException From ae3e840d5372a3356d7fba7dd74dac62928219f6 Mon Sep 17 00:00:00 2001 From: Oleksandr Volha Date: Wed, 25 Sep 2024 13:19:44 +0300 Subject: [PATCH 2/3] fix --- .../app/translator/platforms/base/aql/mapping.py | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/uncoder-core/app/translator/platforms/base/aql/mapping.py b/uncoder-core/app/translator/platforms/base/aql/mapping.py index 984b85f2..55222a0a 100644 --- a/uncoder-core/app/translator/platforms/base/aql/mapping.py +++ b/uncoder-core/app/translator/platforms/base/aql/mapping.py @@ -39,7 +39,12 @@ def __str__(self) -> str: @property def extra_condition(self) -> str: default_source = self._default_source - return " AND ".join((f"{key}={value}" for key, value in default_source.items() if key != "table" and value)) + extra = [] + for key, value in default_source.items(): + if key != "table" and value: + _condition = f"{key}={value}" if isinstance(value, int) else f"{key}='{value}'" + extra.append(_condition) + return " AND ".join(extra) class AQLMappings(BasePlatformMappings): @@ -48,7 +53,7 @@ class AQLMappings(BasePlatformMappings): def prepare_log_source_signature(self, mapping: dict) -> AQLLogSourceSignature: log_source = mapping.get("log_source", {}) - default_log_source = mapping.get("default_log_source") + default_log_source = mapping["default_log_source"] return AQLLogSourceSignature( device_types=log_source.get("devicetype"), categories=log_source.get("category"), From e142d2f1ed00aac560a38d5b9bc35ce020b3e771 Mon Sep 17 00:00:00 2001 From: Oleksandr Volha Date: Wed, 25 Sep 2024 14:49:37 +0300 Subject: [PATCH 3/3] fix qradar mapping --- .../mappings/platforms/qradar/linux_network_connection.yml | 2 +- .../mappings/platforms/qradar/macos_network_connection.yml | 2 +- .../mappings/platforms/qradar/windows_network_connection.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/linux_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/qradar/linux_network_connection.yml index 273926e7..7b1725ea 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/linux_network_connection.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/linux_network_connection.yml @@ -8,7 +8,7 @@ log_source: default_log_source: devicetype: 11 - category: [4012] + category: 4012 field_mapping: CommandLine: Command diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/macos_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/qradar/macos_network_connection.yml index 6d92be11..5fb908cd 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/macos_network_connection.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/macos_network_connection.yml @@ -8,7 +8,7 @@ log_source: default_log_source: devicetype: 102 - category: [4012] + category: 4012 field_mapping: CommandLine: Command diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_network_connection.yml index 3be44b3d..b65b7571 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_network_connection.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_network_connection.yml @@ -9,7 +9,7 @@ log_source: default_log_source: devicetype: 12 - category: [4012] + category: 4012 qideventcategory: Microsoft-Windows-Sysmon/Operational field_mapping: