upd

Author: tarnopolskyi

uncoder-core/app/translator/core/mixins/rule.py

@@ -1,5 +1,5 @@
 import json
-from typing import Optional, Union
+from typing import Union
 
 import xmltodict
 import yaml
@@ -29,7 +29,7 @@ def load_rule(text: str) -> dict:
         except yaml.YAMLError as err:
             raise InvalidYamlStructure(error=str(err)) from err
 
-    def parse_mitre_attack(self, tags: list[str]) -> Optional[MitreInfoContainer]:
+    def parse_mitre_attack(self, tags: list[str]) -> MitreInfoContainer:
         parsed_techniques = []
         parsed_tactics = []
         for tag in set(tags):

uncoder-core/app/translator/core/render.py

@@ -320,7 +320,7 @@ def wrap_with_meta_info(self, query: str, meta_info: Optional[MetaInfoContainer]
             meta_info_dict = {
                 "name: ": meta_info.title,
                 "uuid: ": meta_info.id,
-                "author: ": ", ".join(meta_info.author) if meta_info.author else "not defined in query/rule",
+                "author: ": meta_info.author_str or "not defined in query/rule",
                 "licence: ": meta_info.license,
             }
             query_meta_info = "\n".join(

uncoder-core/app/translator/platforms/elasticsearch/parsers/detection_rule.py

@@ -46,7 +46,7 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
                 title=rule.get("name"),
                 description=parsed_description.get("description") or rule.get("description"),
                 references=rule.get("references", []),
-                author=parsed_description.get("author") or rule.get("author", ""),
+                author=parsed_description.get("author") or rule.get("author"),
                 severity=rule.get("severity"),
                 license_=parsed_description.get("license"),
                 tags=rule.get("tags"),

uncoder-core/app/translator/platforms/forti_siem/renders/forti_siem_rule.py

@@ -39,7 +39,7 @@
 )
 from app.translator.platforms.forti_siem.mapping import FortiSiemMappings, forti_siem_rule_mappings
 from app.translator.platforms.forti_siem.str_value_manager import forti_siem_str_value_manager
-from app.translator.tools.utils import concatenate_str
+from app.translator.tools.utils import concatenate_str, get_rule_description_str
 
 _AUTOGENERATED_TEMPLATE = "Autogenerated FortiSIEM Rule"
 _EVENT_TYPE_FIELD = "eventType"
@@ -314,7 +314,12 @@ def finalize_query(
         title = meta_info.title or _AUTOGENERATED_TEMPLATE
         rule = rule.replace("<name_placeholder>", self.generate_rule_name(title))
         rule = rule.replace("<title_placeholder>", self.generate_title(title))
-        description = meta_info.description.replace("\n", " ") or _AUTOGENERATED_TEMPLATE
+        description = get_rule_description_str(
+            description=meta_info.description.replace("\n", " ") or _AUTOGENERATED_TEMPLATE,
+            author=meta_info.author,
+            license_=meta_info.license,
+            references=meta_info.references,
+        )
         rule = rule.replace("<description_placeholder>", description)
         rule = rule.replace("<incident_def_placeholder>", self.generate_event_type(title, meta_info.severity))
         args_list = self.get_args_list(fields.copy())

uncoder-core/app/translator/platforms/microsoft/parsers/microsoft_sentinel_rule.py

@@ -68,7 +68,7 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
                 timeframe=self.__parse_timeframe(rule.get("queryFrequency", "")),
                 severity=rule.get("severity", "medium"),
                 mitre_attack=mitre_attack,
-                author=parsed_description.get("author") or rule.get("author", ""),
+                author=parsed_description.get("author") or rule.get("author"),
                 license_=parsed_description.get("license"),
                 tags=tags,
                 references=parsed_description.get("references"),

uncoder-core/app/translator/platforms/sigma/parsers/sigma.py

@@ -79,7 +79,7 @@ def _get_meta_info(
             title=rule.get("title"),
             id_=rule.get("id"),
             description=rule.get("description"),
-            author=rule.get("author"),
+            author=rule.get("author", '').split(', '),
             date=rule.get("date"),
             output_table_fields=sigma_fields_tokens,
             query_fields=fields_tokens,

uncoder-core/app/translator/tools/utils.py

@@ -85,8 +85,8 @@ def parse_rule_description_str(description: str) -> dict:
     pattern = r"___name___:\s*(?P<value>.+)\."
     for key, name in keys_map.items():
         if search := re.search(pattern.replace("___name___", name), description):
-            if key == "author":
-                parsed[key] = [author.strip() for author in search.group("value").split(",")]
+            if key in ("author", "references"):
+                parsed[key] = [value.strip() for value in search.group("value").split(",")]
             else:
                 parsed[key] = search.group("value")
             description = description[: search.start()]