From 39e6cbd656db40fbc87304bb0b741df000a4f06a Mon Sep 17 00:00:00 2001
From: vh
Date: Thu, 9 Nov 2023 16:45:18 +0200
Subject: [PATCH] Clean Microsoft Sentinel functions
---
 .../microsoft/siem_functions/aggregation.py | 40 -------------
 .../backends/microsoft/siem_functions/base.py | 26 ---------
 .../microsoft/siem_functions/search.py | 56 -------------------
 .../backends/microsoft/siem_functions/sort.py | 17 ------
 .../microsoft/siem_functions/table.py | 24 --------
 .../microsoft/siem_functions/where.py | 8 ---
 6 files changed, 171 deletions(-)
 delete mode 100644 siem-converter/app/converter/backends/microsoft/siem_functions/aggregation.py
 delete mode 100644 siem-converter/app/converter/backends/microsoft/siem_functions/search.py
 delete mode 100644 siem-converter/app/converter/backends/microsoft/siem_functions/sort.py
 delete mode 100644 siem-converter/app/converter/backends/microsoft/siem_functions/table.py
 delete mode 100644 siem-converter/app/converter/backends/microsoft/siem_functions/where.py
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/aggregation.py b/siem-converter/app/converter/backends/microsoft/siem_functions/aggregation.py
deleted file mode 100644
index f8f9c82d..00000000
--- a/siem-converter/app/converter/backends/microsoft/siem_functions/aggregation.py
+++ /dev/null
@@ -1,40 +0,0 @@
-from app.converter.core.models.functions.aggregation import AggregationExpression
-from app.converter.core.models.functions.types import AggregationType
-
-
-class AlaAggregationFunctionRender:
-
-    aggregation_type_map = {
-        AggregationType.SUM: 'sum',
-        AggregationType.MIN: 'min',
-        AggregationType.MAX: 'max',
-        AggregationType.AVG: 'avg'
-    }
-
-    def __init__(self, function: AggregationExpression):
-        self.function = function
-
-    def render(self):
-        result = 'summarize '
-        for field in self.function.fields:
-            if field.operation_type == AggregationType.COUNT:
-                query = field.fieldname
-            else:
-                query = f"{self.aggregation_type_map.get(field.operation_type)}({field.fieldname})"
-            if field.render_as:
-                if ' ' in field.render_as:
-                    render_as = f"['{field.render_as}']"
-                else:
-                    render_as = field.render_as
-                result += f'{render_as}={query}, '
-            else:
-                result += query
-        result = result.rstrip(' ').rstrip(',')
-        if self.function.group_by:
-            result += ' by '
-            for value in self.function.group_by:
-                result += f'{value}, '
-
-        result = result.rstrip(' ').rstrip(',')
-
-        return result
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/base.py b/siem-converter/app/converter/backends/microsoft/siem_functions/base.py
index c05e7619..487effbc 100644
--- a/siem-converter/app/converter/backends/microsoft/siem_functions/base.py
+++ b/siem-converter/app/converter/backends/microsoft/siem_functions/base.py
@@ -1,35 +1,9 @@
-from app.converter.backends.microsoft.siem_functions.aggregation import AlaAggregationFunctionRender
-from app.converter.backends.microsoft.siem_functions.search import AlaSearchFunctionRender
-from app.converter.backends.microsoft.siem_functions.sort import AlaSortFunctionRender
-from app.converter.backends.microsoft.siem_functions.table import AlaTableFunctionRender
 from app.converter.core.functions import Functions
-from app.converter.core.models.functions.aggregation import AggregationExpression
-from app.converter.core.models.functions.search import SearchExpression
-from app.converter.core.models.functions.sort import SortExpression
-from app.converter.core.models.functions.table import TableExpression
 from app.converter.core.models.functions.types import ParsedFunctions, NotSupportedFunction
 
 
 class MicroSoftQueryFunctions(Functions):
 
-    render_functions_map = {
-        SortExpression: AlaSortFunctionRender,
-        SearchExpression: AlaSearchFunctionRender,
-        AggregationExpression: AlaAggregationFunctionRender,
-        TableExpression: AlaTableFunctionRender,
-        # WhereExpression: AlaWhereFunctionRender
-    }
-
-    def render(self, functions: list):
-        query = "| "
-        funcs = []
-        for function in functions:
-            if render_class := self.render_functions_map.get(type(function)):
-                funcs.append(render_class(function).render())
-        query += " | ".join(funcs)
-        query = query.rstrip(" ")
-        return query
-
     def parse(self, query: str):
         result = []
         functions = query.split(self.function_delimiter)
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/search.py b/siem-converter/app/converter/backends/microsoft/siem_functions/search.py
deleted file mode 100644
index 9f4d4d4a..00000000
--- a/siem-converter/app/converter/backends/microsoft/siem_functions/search.py
+++ /dev/null
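Review bot: `MicroSoftQueryFunctions` keeps `parse` but no longer defines `render`, so any caller that rendered Sentinel functions through this class now reaches whatever `Functions` provides, which cannot be seen from this hunk (possibly an `AttributeError`, possibly a base-class fallback that emits a partial query). If rendering is meant to be unsupported for now, make that explicit on the class, e.g. the docstring `"""Sentinel functions: parse-only; render() is not implemented yet."""`, or keep a `def render(self, functions: list):` that raises `NotImplementedError` so the gap fails loudly at the call site. The removed renderers interpolated field names and values straight into the KQL string (`f'{field.fieldname}{operator}"{field.value}"'`), so whatever replaces them should quote or escape values rather than reuse that shape. `parse` continues past the end of the hunk.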
@@ -1,56 +0,0 @@
-from app.converter.core.models.functions.search import SearchExpression, SearchField, SearchValueType
-from app.converter.core.models.functions.types import ComparsionType
-from app.converter.core.operator_types.tokens import LogicalOperatorType
-
-
-class AlaSearchFunctionRender:
-
-    search_expression_operator_map = {
-        LogicalOperatorType.AND: ' and ',
-        LogicalOperatorType.OR: ' or ',
-        LogicalOperatorType.NOT: ' not '
-    }
-    search_operator_map = {
-        ComparsionType.NOT_EQUAL: ' != ',
-        ComparsionType.EQUAL: '==',
-        ComparsionType.ILIKE: ':',
-        ComparsionType.GT: ' > ',
-        ComparsionType.LT: ' < '
-    }
-    sub_expression = "(%s)"
-
-    def __init__(self, function: SearchExpression):
-        self.function = function
-
-    def generate_field(self, field: SearchField):
-        if field.value == SearchValueType.ANY:
-            return f'"{field.fieldname}"'
-        else:
-            if field.fieldname:
-                operator = self.search_operator_map.get(field.operator)
-                return f'{field.fieldname}{operator}"{field.value}"'
-            else:
-                return f'"{field.value}"'
-
-    def generate_expression(self, expression: SearchExpression):
-        res = []
-        for field in expression.fields:
-            if isinstance(field, SearchField):
-                res.append(self.generate_field(field))
-            elif isinstance(field, SearchExpression):
-                res.append(self.generate_expression(field))
-        operator = self.search_expression_operator_map.get(expression.operator)
-        query = self.sub_expression % operator.join(res)
-        if expression.operator == LogicalOperatorType.NOT:
-            return f'not{query}'
-        return query
-
-    def render(self):
-        res = []
-        for field in self.function.fields:
-            if isinstance(field, SearchField):
-                res.append(self.generate_field(field))
-            elif isinstance(field, SearchExpression):
-                res.append(self.generate_expression(field))
-        operator = self.search_expression_operator_map.get(self.function.operator)
-        return f'search {operator.join(res)}'
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/sort.py b/siem-converter/app/converter/backends/microsoft/siem_functions/sort.py
deleted file mode 100644
index 502fc8c4..00000000
--- a/siem-converter/app/converter/backends/microsoft/siem_functions/sort.py
+++ /dev/null
@@ -1,17 +0,0 @@
-from app.converter.core.models.functions.sort import SortOrderType, SortExpression
-
-
-class AlaSortFunctionRender:
-
-    sort_order_map = {SortOrderType.DESC: "desc", SortOrderType.ASC: "asc"}
-
-    def __init__(self, function: SortExpression):
-        self.function = function
-
-    def render(self):
-        result = "sort by "
-        queries = []
-        for field in self.function.fields:
-            queries.append(f"{field.fieldname} {self.sort_order_map.get(field.order)}")
-        result += ", ".join(queries)
-        return result
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/table.py b/siem-converter/app/converter/backends/microsoft/siem_functions/table.py
deleted file mode 100644
index b04ffc2d..00000000
--- a/siem-converter/app/converter/backends/microsoft/siem_functions/table.py
+++ /dev/null
@@ -1,24 +0,0 @@
-from app.converter.backends.microsoft.const import MICROSOFT_SENTINEL_QUERY_DETAILS
-from app.converter.core.exceptions.render import FunctionRenderException
-from app.converter.core.models.functions.table import TableExpression
-from app.converter.core.models.platform_details import PlatformDetails
-from app.converter.core.operator_types.tokens import OperatorType
-
-
-class AlaTableFunctionRender:
-    details: PlatformDetails = PlatformDetails(**MICROSOFT_SENTINEL_QUERY_DETAILS)
-
-    def __init__(self, function: TableExpression):
-        self.function = function
-
-    def render(self):
-        result = "project "
-        queries = []
-        for field in self.function.fields:
-            if field.operator != OperatorType.EQ:
-                raise FunctionRenderException(
-                    f'{self.details.name}: operator "project" not support modifier "{str(field.operator).split(".")[-1]}" in "{field.raw_fieldname}"'
-                )
-            queries.append(f"{field.fieldname}")
-        result += ", ".join(queries)
-        return result
\ No newline at end of file
diff --git a/siem-converter/app/converter/backends/microsoft/siem_functions/where.py b/siem-converter/app/converter/backends/microsoft/siem_functions/where.py
deleted file mode 100644
index 86c01c60..00000000
--- a/siem-converter/app/converter/backends/microsoft/siem_functions/where.py
+++ /dev/null
@@ -1,8 +0,0 @@
-
-
-class AlaWhereFunctionRender:
-    def __init__(self, function):
-        self.function = function
-
-    def render(self):
-        a = 5
\ No newline at end of file