From 75f8cd5f8a6e056b526315f86fa5fd1d7bbdcab7 Mon Sep 17 00:00:00 2001
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com>
Date: Tue, 4 Jun 2024 16:41:58 +0300
Subject: [PATCH 1/2] gis-7581 Fix index field in elastic rule
---
 uncoder-core/app/translator/core/mapping.py | 4 ++++
 .../app/translator/platforms/base/aql/escape_manager.py | 4 ++--
 .../platforms/elasticsearch/renders/detection_rule.py | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/uncoder-core/app/translator/core/mapping.py b/uncoder-core/app/translator/core/mapping.py
index 0ecccbc1..89eebade 100644
--- a/uncoder-core/app/translator/core/mapping.py
+++ b/uncoder-core/app/translator/core/mapping.py
@@ -20,6 +20,10 @@ def is_suitable(self, *args, **kwargs) -> bool:
 def __str__(self) -> str:
 raise NotImplementedError("Abstract method")
+ @property
+ def default_source(self) -> dict:
+ return self._default_source
+
 class FieldMapping:
 def __init__(self, generic_field_name: str, platform_field_name: str):
diff --git a/uncoder-core/app/translator/platforms/base/aql/escape_manager.py b/uncoder-core/app/translator/platforms/base/aql/escape_manager.py
index 7eb64c22..f0f232f2 100644
--- a/uncoder-core/app/translator/platforms/base/aql/escape_manager.py
+++ b/uncoder-core/app/translator/platforms/base/aql/escape_manager.py
@@ -10,8 +10,8 @@ class AQLEscapeManager(EscapeManager):
 ValueType.value: [EscapeDetails(pattern=r"(')", escape_symbols=r"'\1")],
 ValueType.regex_value: [
 EscapeDetails(pattern=r"([$^*+()\[\]{}|.?\-\\])", escape_symbols=r"\\\1"),
- EscapeDetails(pattern=r"(')", escape_symbols=r"'\1")
- ]
+ EscapeDetails(pattern=r"(')", escape_symbols=r"'\1"),
+ ],
 }
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py
index 4e7face5..4fa1a2b0 100644
--- a/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py
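Review bot: The new `default_source` property in mapping.py hands out the internal `_default_source` dict by reference, so a caller that mutates the returned mapping silently changes the signature object's own state; if read-only access is the intent, return a copy, e.g. `return dict(self._default_source)`. The property also has no docstring — a one-liner such as `"""Default log-source attributes of this signature, as a plain dict."""` would help, since the only consumer visible in this patch reads it through `.get("index")` in detection_rule.py and `_default_source` itself is assigned outside this hunk, so its shape cannot be confirmed here. The enclosing class begins outside the hunk.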
+++ b/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py
@@ -85,13 +85,14 @@ def finalize_query(
 query: str,
 functions: str,
 meta_info: Optional[MetaInfoContainer] = None,
- source_mapping: Optional[SourceMapping] = None, # noqa: ARG002
+ source_mapping: Optional[SourceMapping] = None,
 not_supported_functions: Optional[list] = None,
 *args, # noqa: ARG002
 **kwargs, # noqa: ARG002
 ) -> str:
 query = super().finalize_query(prefix=prefix, query=query, functions=functions)
 rule = copy.deepcopy(ELASTICSEARCH_DETECTION_RULE)
+ index = source_mapping.log_source_signature.default_source.get("index")
 rule.update(
 {
 "query": query,
@@ -105,6 +106,7 @@ def finalize_query(
 "tags": meta_info.tags,
 "threat": self.__create_mitre_threat(meta_info.mitre_attack),
 "false_positives": meta_info.false_positives,
+ "index": [index] if index else [],
 }
 )
 rule_str = json.dumps(rule, indent=4, sort_keys=False, ensure_ascii=False)
From f27c9cf2d2d9642ac6b3b548765fad26df774281 Mon Sep 17 00:00:00 2001
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com>
Date: Thu, 13 Jun 2024 17:16:24 +0300
Subject: [PATCH 2/2] gis-7581 fix
---
 .../platforms/elasticsearch/renders/detection_rule.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py
index 4fa1a2b0..8e1e9aec 100644
--- a/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py
+++ b/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py
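Review bot: `"index": [index] if index else []` in the second hunk assumes the value read by `default_source.get("index")` in the first hunk is a single string; the detection-rule `index` field expects a list of index-pattern strings, so if a mapping ever stores the index as a list the rule is emitted with a nested list, and the type of the mapped value is not visible in this patch. Normalizing where the value is read, `indices = [index] if isinstance(index, str) else list(index or [])` and then `"index": indices`, covers both shapes. A mapping with no index silently yields `"index": []`, which an analyst importing the rule is unlikely to notice until it never fires; a log message at that point, or at least a comment stating that an empty list is the intended fallback, would make the behaviour deliberate. `finalize_query` begins in the first hunk and continues past the second.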
@@ -92,7 +92,7 @@ def finalize_query(
 ) -> str:
 query = super().finalize_query(prefix=prefix, query=query, functions=functions)
 rule = copy.deepcopy(ELASTICSEARCH_DETECTION_RULE)
- index = source_mapping.log_source_signature.default_source.get("index")
+ index = source_mapping.log_source_signature.default_source.get("index") if source_mapping else None
 rule.update(
 {
 "query": query,
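Review bot: The conditional expression on the added line packs a three-level attribute chain and the `None` guard into one statement, which is hard to scan and guards only `source_mapping` — whether `log_source_signature` or `default_source` can themselves be `None` is not visible here. A guard clause reads more clearly and gives one place to extend the check if they can: `index = None` / `if source_mapping is not None:` / `    index = source_mapping.log_source_signature.default_source.get("index")`. `finalize_query` begins and ends outside this hunk.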