Merge pull request #21 from UncoderIO/fix-translation-bugs

saltar-ua · web-flow · commit 81d771ade813 · 2023-12-04T14:23:34.000+02:00
fix small bugs which appear while translating
diff --git a/siem-converter/app/converter/core/parser.py b/siem-converter/app/converter/core/parser.py
@@ -24,6 +24,7 @@
 from app.converter.core.models.platform_details import PlatformDetails
 from app.converter.core.models.parser_output import SiemContainer, MetaInfoContainer
 from app.converter.core.tokenizer import QueryTokenizer, TOKEN_TYPE
+from app.converter.core.exceptions.parser import TokenizerGeneralException
 
 
 class Parser(ABC):
@@ -43,6 +44,8 @@ def get_tokens_and_source_mappings(self,
                                        query: str,
                                        log_sources: Dict[str, List[str]]
                                        ) -> Tuple[List[TOKEN_TYPE], List[SourceMapping]]:
+        if not query:
+            raise TokenizerGeneralException("Can't translate empty query. Please provide more details")
         tokens = self.tokenizer.tokenize(query=query)
         field_tokens = self.tokenizer.filter_tokens(tokens, Field)
         field_names = [field.source_name for field in field_tokens]
diff --git a/siem-converter/app/converter/platforms/chronicle/const.py b/siem-converter/app/converter/platforms/chronicle/const.py
@@ -8,6 +8,7 @@
     rule_id = "<rule_id_place_holder>"
     status = "<status_place_holder>"
     severity = "<severity_place_holder>"
+    falsepositives = "<falsepositives_place_holder>"
 
   events:
     <query_placeholder>
diff --git a/siem-converter/app/converter/platforms/chronicle/renders/chronicle_rule.py b/siem-converter/app/converter/platforms/chronicle/renders/chronicle_rule.py
@@ -95,4 +95,5 @@ def finalize_query(self, prefix: str, query: str, functions: str, meta_info: Met
         rule = rule.replace("<rule_id_place_holder>", meta_info.id)
         rule = rule.replace("<severity_place_holder>", meta_info.severity)
         rule = rule.replace("<status_place_holder>", meta_info.status)
+        rule = rule.replace("<falsepositives_place_holder>", ', '.join(meta_info.false_positives))
         return rule
diff --git a/siem-converter/app/converter/platforms/elasticsearch/renders/detection_rule.py b/siem-converter/app/converter/platforms/elasticsearch/renders/detection_rule.py
@@ -64,7 +64,7 @@ def finalize_query(self, prefix: str, query: str, functions: str, meta_info: Met
             "tags": meta_info.mitre_attack,
             "false_positives": meta_info.false_positives
         })
-        rule_str = json.dumps(rule, indent=4, sort_keys=False)
+        rule_str = json.dumps(rule, indent=4, sort_keys=False, ensure_ascii=False)
         if not_supported_functions:
             rendered_not_supported = self.render_not_supported_functions(not_supported_functions)
             return rule_str + rendered_not_supported
diff --git a/siem-converter/app/converter/platforms/sigma/parsers/sigma.py b/siem-converter/app/converter/platforms/sigma/parsers/sigma.py
@@ -19,7 +19,7 @@
 
 
 import re
-from typing import List
+from typing import List, Union
 
 from app.converter.platforms.sigma.const import SIGMA_RULE_DETAILS
 from app.converter.platforms.sigma.mapping import SigmaMappings, sigma_mappings
@@ -47,9 +47,16 @@ def __parse_mitre_attack(tags: List[str]) -> List[str]:
 
         return result
 
+    @staticmethod
+    def __parse_false_positives(false_positives: Union[str, List[str], None]) -> list:
+        if isinstance(false_positives, str):
+            return [i.strip() for i in false_positives.split(',')]
+        return false_positives
+
     def _get_meta_info(self, rule: dict, source_mapping_ids: List[str]) -> MetaInfoContainer:
         return MetaInfoContainer(
             title=rule.get("title"),
+            id_=rule.get('id'),
             description=rule.get("description"),
             author=rule.get("author"),
             date=rule.get("date"),
@@ -58,7 +65,7 @@ def _get_meta_info(self, rule: dict, source_mapping_ids: List[str]) -> MetaInfoC
             mitre_attack=self.__parse_mitre_attack(rule.get("tags", [])),
             severity=rule.get("level"),
             status=rule.get("status"),
-            false_positives=rule.get("falsepositives"),
+            false_positives=self.__parse_false_positives(rule.get("falsepositives")),
             source_mapping_ids=source_mapping_ids
         )
 
diff --git a/siem-converter/app/dictionaries/uncoder_meta_info_roota.json b/siem-converter/app/dictionaries/uncoder_meta_info_roota.json
@@ -55,7 +55,6 @@
       { "name": "logscale-lql-query", "description": "Falcon LogScale Query" },
       { "name": "mde-kql-query", "description": "Microsoft Defender for Endpoint Query" },
       { "name": "qradar-aql-query", "description": "IBM QRadar Query" },
-      { "name": "sigma-yml-rule", "description": "Sigma Rule" },
       { "name": "athena-sql-query", "description": "AWS Athena Query (Security Lake)" },
       { "name": "chronicle-yaral-query", "description": "Chronicle Security Query" }
     ]

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,6 @@`
`55`	`55`	`{ "name": "logscale-lql-query", "description": "Falcon LogScale Query" },`
`56`	`56`	`{ "name": "mde-kql-query", "description": "Microsoft Defender for Endpoint Query" },`
`57`	`57`	`{ "name": "qradar-aql-query", "description": "IBM QRadar Query" },`
`58`		`- { "name": "sigma-yml-rule", "description": "Sigma Rule" },`
`59`	`58`	`{ "name": "athena-sql-query", "description": "AWS Athena Query (Security Lake)" },`
`60`	`59`	`{ "name": "chronicle-yaral-query", "description": "Chronicle Security Query" }`
`61`	`60`	`]`