merge

nazargesyk · nazargesyk · commit 6c0a56500be2 · 2024-12-17T17:34:09.000+02:00
diff --git a/uncoder-core/app/translator/mappings/platforms/sentinel_one/default.yml b/uncoder-core/app/translator/mappings/platforms/sentinel_one/default.yml
@@ -0,0 +1,2 @@
+platform: Sentinel One Power Query
+source: default
diff --git a/uncoder-core/app/translator/mappings/platforms/sentinel_one/dns.yml b/uncoder-core/app/translator/mappings/platforms/sentinel_one/dns.yml
@@ -0,0 +1,12 @@
+platform: Sentinel One Power Query
+source: dns
+
+field_mapping:
+  Image: src.process.image.path
+  CommandLine: src.process.cmdline
+  ParentImage: src.process.parent.image.path
+  ParentCommandLine: src.process.parent.cmdline
+  query: event.dns.request
+  answer: event.dns.response
+  QueryName: event.dns.request
+  record_type: event.dns.response
diff --git a/uncoder-core/app/translator/mappings/platforms/sentinel_one/linux_file_event.yml b/uncoder-core/app/translator/mappings/platforms/sentinel_one/linux_file_event.yml
@@ -0,0 +1,11 @@
+platform: Sentinel One Power Query
+source: linux_file_event
+
+field_mapping:
+  Image: src.process.image.path
+  CommandLine: src.process.cmdline
+  ParentImage: src.process.parent.image.path
+  ParentCommandLine: src.process.parent.cmdline
+  TargetFilename: tgt.file.path
+  SourceFilename: tgt.file.oldPath
+  User: src.process.use
diff --git a/uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_image_load.yml
@@ -0,0 +1,9 @@
+platform: Sentinel One Power Query
+source: windows_image_load
+
+field_mapping:
+  Image: Image
+  ImageLoaded: ImageLoaded
+  SignatureStatus: SignatureStatus
+  OriginalFileName: OriginalFileName
+  Signed: Signed
diff --git a/uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_network_connection.yml
@@ -0,0 +1,21 @@
+platform: Sentinel One Power Query
+source: windows_network_connection
+
+field_mapping:
+  Image: src.process.image.path
+  CommandLine: src.process.cmdline
+  ParentImage: src.process.parent.image.path
+  ParentCommandLine: src.process.parent.cmdline
+  DestinationHostname:
+    - url.address
+    - event.dns.request
+  DestinationPort: dst.port.number
+  DestinationIp: dst.ip.address
+  User: src.process.user
+  SourceIp: src.ip.address
+  SourcePort: src.port.number
+  Protocol: NetProtocolName
+  dst_ip: dst.ip.address
+  src_ip: src.ip.address
+  dst_port: dst.port.number
+  src_port: src.port.number
diff --git a/uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_pipe_created.yml b/uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_pipe_created.yml
@@ -0,0 +1,9 @@
+platform: Sentinel One Power Query
+source: windows_pipe_created
+
+field_mapping:
+  PipeName: namedPipe.name
+  Image: src.process.image.path
+  CommandLine: src.process.cmdline
+  ParentImage: src.process.parent.image.path
+  ParentCommandLine: src.process.parent.cmdline
diff --git a/uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_process_creation.yml
@@ -0,0 +1,21 @@
+platform: Sentinel One Power Query
+source: windows_process_creation
+
+field_mapping:
+  ProcessId: tgt.process.pid
+  Image: tgt.process.image.path
+  Description: tgt.process.displayName
+  Publisher:  tgt.process.publisher
+  Product: tgt.process.displayName
+  Company: tgt.process.publisher
+  CommandLine: tgt.process.cmdline
+  CurrentDirectory: tgt.process.image.path
+  User: tgt.process.user
+  TerminalSessionId: tgt.process.sessionid
+  IntegrityLevel: tgt.process.integrityLevel
+  md5: tgt.process.image.md5
+  sha1: tgt.process.image.sha1
+  sha256: tgt.process.image.sha256
+  ParentProcessId: src.process.pid
+  ParentImage: src.process.image.path
+  ParentCommandLine: src.process.cmdline
diff --git a/uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_registry_event.yml b/uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_registry_event.yml
@@ -0,0 +1,10 @@
+platform: Sentinel One Power Query
+source: windows_registry_event
+
+field_mapping:
+  Image: src.process.image.path
+  CommandLine: src.process.cmdline
+  ParentImage: src.process.parent.image.path
+  ParentCommandLine: src.process.parent.cmdline
+  TargetObject: registry.keyPath
+  Details: registry.value
diff --git a/uncoder-core/app/translator/platforms/carbonblack/const.py b/uncoder-core/app/translator/platforms/carbonblack/const.py
@@ -8,6 +8,7 @@
     "platform_name": "Query (Cloud)",
 }
 
+
 DEFAULT_CARBONBLACK_CTI_MAPPING = {
     "SourceIP": "netconn_local_ipv4",
     "DestinationIP": "netconn_ipv4",
diff --git a/uncoder-core/app/translator/platforms/carbonblack/renders/carbonblack_cti.py b/uncoder-core/app/translator/platforms/carbonblack/renders/carbonblack_cti.py
@@ -23,6 +23,7 @@
 from app.translator.platforms.carbonblack.const import DEFAULT_CARBONBLACK_CTI_MAPPING, carbonblack_query_details
 
 
+
 @render_cti_manager.register
 class CarbonBlackCTI(RenderCTI):
     details: PlatformDetails = carbonblack_query_details
diff --git a/uncoder-core/app/translator/platforms/microsoft/parsers/microsoft_sentinel.py b/uncoder-core/app/translator/platforms/microsoft/parsers/microsoft_sentinel.py
@@ -16,6 +16,7 @@
 -----------------------------------------------------------------
 """
 
+
 from app.translator.core.models.functions.base import ParsedFunctions
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import RawQueryContainer, TokenizedQueryContainer
diff --git a/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_rule.py b/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_rule.py
@@ -105,7 +105,7 @@ def finalize_query(
         not_supported_functions: Optional[list] = None,
         unmapped_fields: Optional[list[str]] = None,
         *args,  # noqa: ARG002
-        **kwargs,  # noqa: ARG002
+        **kwargs,
     ) -> str:
         if not kwargs.get("raw_query", False):
             query = super().finalize_query(prefix=prefix, query=query, functions=functions)
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/__init__.py b/uncoder-core/app/translator/platforms/sentinel_one/__init__.py
@@ -1 +1,4 @@
 from app.translator.platforms.sentinel_one.renders.s1_cti import S1EventsCTI  # noqa: F401
+from app.translator.platforms.sentinel_one.renders.sentinel_one_power_query import (
+    SentinelOnePowerQueryRender,  # noqa: F401
+)
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/const.py b/uncoder-core/app/translator/platforms/sentinel_one/const.py
@@ -29,6 +29,5 @@
     "Files": "TgtFilePath",
 }
 
-
 sentinel_one_events_query_details = PlatformDetails(**SENTINEL_ONE_EVENTS_QUERY_DETAILS)
 sentinel_one_power_query_details = PlatformDetails(**SENTINEL_ONE_POWER_QUERY_DETAILS)
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/custom_types/__init__.py b/uncoder-core/app/translator/platforms/sentinel_one/custom_types/__init__.py
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/custom_types/values.py b/uncoder-core/app/translator/platforms/sentinel_one/custom_types/values.py
@@ -0,0 +1,5 @@
+from app.translator.core.custom_types.values import ValueType
+
+
+class SentinelOneValueType(ValueType):
+    double_escape_regex_value = "d_e_re_value"
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/escape_manager.py b/uncoder-core/app/translator/platforms/sentinel_one/escape_manager.py
@@ -0,0 +1,17 @@
+from typing import ClassVar
+
+from app.translator.core.custom_types.values import ValueType
+from app.translator.core.escape_manager import EscapeManager
+from app.translator.core.models.escape_details import EscapeDetails
+from app.translator.platforms.sentinel_one.custom_types.values import SentinelOneValueType
+
+
+class SentinelOnePowerQueryEscapeManager(EscapeManager):
+    escape_map: ClassVar[dict[str, list[EscapeDetails]]] = {
+        ValueType.value: [EscapeDetails(pattern=r"\\", escape_symbols=r"\\\\")],
+        ValueType.regex_value: [EscapeDetails(pattern=r"([$^*+()\[\]{}|.?\-\\])", escape_symbols=r"\\\1")],
+        SentinelOneValueType.double_escape_regex_value: [EscapeDetails(pattern=r"\\", escape_symbols=r"\\\\")],
+    }
+
+
+sentinel_one_power_query_escape_manager = SentinelOnePowerQueryEscapeManager()
diff --git a/uncoder-core/app/translator/platforms/sentinel_one/renders/sentinel_one_power_query.py b/uncoder-core/app/translator/platforms/sentinel_one/renders/sentinel_one_power_query.py
@@ -0,0 +1,105 @@
+from typing import Union
+
+from app.translator.const import DEFAULT_VALUE_TYPE
+from app.translator.core.custom_types.values import ValueType
+from app.translator.core.models.platform_details import PlatformDetails
+from app.translator.core.render import BaseFieldValueRender, PlatformQueryRender
+from app.translator.core.str_value_manager import StrValueManager
+from app.translator.managers import render_manager
+from app.translator.platforms.sentinel_one.const import sentinel_one_power_query_details
+from app.translator.platforms.sentinel_one.mapping import (
+    SentinelOnePowerQueryMappings,
+    sentinel_one_power_query_query_mappings,
+)
+from app.translator.platforms.sentinel_one.str_value_manager import sentinel_one_power_query_str_value_manager
+
+
+class SentinelOnePowerQueryFieldValue(BaseFieldValueRender):
+    details: PlatformDetails = sentinel_one_power_query_details
+    str_value_manager: StrValueManager = sentinel_one_power_query_str_value_manager
+    list_token = ", "
+
+    @staticmethod
+    def _wrap_str_value(value: str) -> str:
+        return f'"{value}"'
+
+    def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            values = self.list_token.join(
+                self._pre_process_value(field, v, value_type=ValueType.value, wrap_str=True) for v in value
+            )
+            return f"{field} in ({values})"
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)
+        return f"{field} = {value}"
+
+    def less_modifier(self, field: str, value: Union[int, str]) -> str:
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)
+        return f"{field} < {value}"
+
+    def less_or_equal_modifier(self, field: str, value: Union[int, str]) -> str:
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)
+        return f"{field} <= {value}"
+
+    def greater_modifier(self, field: str, value: Union[int, str]) -> str:
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)
+        return f"{field} > {value}"
+
+    def greater_or_equal_modifier(self, field: str, value: Union[int, str]) -> str:
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)
+        return f"{field} >= {value}"
+
+    def not_equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            values = self.list_token.join(
+                self._pre_process_value(field, v, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+                for v in value
+            )
+            return f"{field} != ({values})"
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+        return f"{field} != {value}"
+
+    def contains_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            values = self.list_token.join(
+                self._pre_process_value(field, v, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+                for v in value
+            )
+            return f"{field} contains ({values})"
+        value = self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True, wrap_int=True)
+        return f"{field} contains {value}"
+
+    def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        return self.contains_modifier(field, value)
+
+    def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        return self.contains_modifier(field, value)
+
+    def regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+        if isinstance(value, list):
+            values = self.list_token.join(
+                self.str_value_manager.escape_manager.escape(
+                    self._pre_process_value(field, v, value_type=ValueType.regex_value, wrap_str=True, wrap_int=True)
+                )
+                for v in value
+            )
+            return f"{field} matches ({values})"
+        value = self._pre_process_value(field, value, value_type=ValueType.regex_value, wrap_str=True, wrap_int=True)
+        value = self.str_value_manager.escape_manager.escape(value)
+        return f"{field} matches {value}"
+
+    def is_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:  # noqa: ARG002
+        return f'not ({field} matches "\\.*")'
+
+    def is_not_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:  # noqa: ARG002
+        return f'{field} matches "\\.*"'
+
+
+@render_manager.register
+class SentinelOnePowerQueryRender(PlatformQueryRender):
+    details: PlatformDetails = sentinel_one_power_query_details
+    mappings: SentinelOnePowerQueryMappings = sentinel_one_power_query_query_mappings
+    or_token = "or"
+    and_token = "and"
+    not_token = "not"
+    comment_symbol = "//"
+    field_value_render = SentinelOnePowerQueryFieldValue(or_token=or_token)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+platform: Sentinel One Power Query`
	`2`	`+source: default`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@`
`8`	`8`	`"platform_name": "Query (Cloud)",`
`9`	`9`	`}`
`10`	`10`
	`11`	`+`
`11`	`12`	`DEFAULT_CARBONBLACK_CTI_MAPPING = {`
`12`	`13`	`"SourceIP": "netconn_local_ipv4",`
`13`	`14`	`"DestinationIP": "netconn_ipv4",`