fix

tarnopolskyi · tarnopolskyi · commit 13998c555e0f · 2024-07-30T11:10:33.000+02:00
diff --git a/uncoder-core/app/translator/core/mixins/rule.py b/uncoder-core/app/translator/core/mixins/rule.py
@@ -41,8 +41,7 @@ def parse_mitre_attack(self, tags: list[str]) -> Optional[MitreInfoContainer]:
                     parsed_techniques.append(technique)
             elif tactic := self.mitre_config.get_tactic(tag):
                 parsed_tactics.append(tactic)
-        if parsed_techniques or parsed_tactics:
-            return MitreInfoContainer(tactics=parsed_tactics, techniques=parsed_techniques)
+        return MitreInfoContainer(tactics=parsed_tactics, techniques=parsed_techniques)
 
 
 class XMLRuleMixin:
diff --git a/uncoder-core/app/translator/core/models/query_container.py b/uncoder-core/app/translator/core/models/query_container.py
@@ -46,13 +46,13 @@ def __init__(
         severity: Optional[str] = None,
         references: Optional[list[str]] = None,
         tags: Optional[list[str]] = None,
-        mitre_attack: Optional[MitreInfoContainer] = None,
         raw_mitre_attack: Optional[list[str]] = None,
         status: Optional[str] = None,
         false_positives: Optional[list[str]] = None,
         source_mapping_ids: Optional[list[str]] = None,
         parsed_logsources: Optional[dict] = None,
         timeframe: Optional[timedelta] = None,
+        mitre_attack: MitreInfoContainer = MitreInfoContainer(),
     ) -> None:
         self.id = id_ or str(uuid.uuid4())
         self.title = title or ""
diff --git a/uncoder-core/app/translator/core/render.py b/uncoder-core/app/translator/core/render.py
@@ -320,7 +320,7 @@ def wrap_with_meta_info(self, query: str, meta_info: Optional[MetaInfoContainer]
             meta_info_dict = {
                 "name: ": meta_info.title,
                 "uuid: ": meta_info.id,
-                "author: ": meta_info.author if meta_info.author else "not defined in query/rule",
+                "author: ": ", ".join(meta_info.author) if meta_info.author else "not defined in query/rule",
                 "licence: ": meta_info.license,
             }
             query_meta_info = "\n".join(
diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/detection_rule.py
@@ -33,6 +33,7 @@
     ElasticSearchFieldValue,
     ElasticSearchQueryRender,
 )
+from app.translator.tools.utils import get_rule_description_str
 
 _AUTOGENERATED_TEMPLATE = "Autogenerated Elastic Rule"
 
@@ -94,10 +95,14 @@ def finalize_query(
         query = super().finalize_query(prefix=prefix, query=query, functions=functions)
         rule = copy.deepcopy(ELASTICSEARCH_DETECTION_RULE)
         index = source_mapping.log_source_signature.default_source.get("index") if source_mapping else None
+        description_str = get_rule_description_str(
+            description=meta_info.description or rule["description"] or _AUTOGENERATED_TEMPLATE,
+            license_=meta_info.license,
+        )
         rule.update(
             {
                 "query": query,
-                "description": meta_info.description or rule["description"] or _AUTOGENERATED_TEMPLATE,
+                "description": description_str,
                 "name": meta_info.title or _AUTOGENERATED_TEMPLATE,
                 "rule_id": meta_info.id,
                 "author": meta_info.author,
diff --git a/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_rule.py b/uncoder-core/app/translator/platforms/microsoft/renders/microsoft_sentinel_rule.py
@@ -24,7 +24,7 @@
 from app.translator.core.custom_types.meta_info import SeverityType
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.platform_details import PlatformDetails
-from app.translator.core.models.query_container import MetaInfoContainer
+from app.translator.core.models.query_container import MetaInfoContainer, MitreInfoContainer
 from app.translator.managers import render_manager
 from app.translator.platforms.microsoft.const import DEFAULT_MICROSOFT_SENTINEL_RULE, microsoft_sentinel_rule_details
 from app.translator.platforms.microsoft.mapping import MicrosoftSentinelMappings, microsoft_sentinel_rule_mappings
@@ -54,14 +54,14 @@ class MicrosoftSentinelRuleRender(MicrosoftSentinelQueryRender):
     or_token = "or"
     field_value_render = MicrosoftSentinelRuleFieldValueRender(or_token=or_token)
 
-    def __create_mitre_threat(self, meta_info: MetaInfoContainer) -> tuple[list, list]:
+    def __create_mitre_threat(self, mitre_attack: MitreInfoContainer) -> tuple[list, list]:
         tactics = set()
         techniques = []
 
-        for tactic in meta_info.mitre_attack.tactics:
+        for tactic in mitre_attack.tactics:
             tactics.add(tactic.name)
 
-        for technique in meta_info.mitre_attack.techniques:
+        for technique in mitre_attack.techniques:
             if technique.tactic:
                 for tactic in technique.tactic:
                     tactics.add(tactic)
@@ -91,7 +91,7 @@ def finalize_query(
             license_=meta_info.license,
         )
         rule["severity"] = _SEVERITIES_MAP.get(meta_info.severity, SeverityType.medium)
-        mitre_tactics, mitre_techniques = self.__create_mitre_threat(meta_info=meta_info)
+        mitre_tactics, mitre_techniques = self.__create_mitre_threat(mitre_attack=meta_info.mitre_attack)
         rule["tactics"] = mitre_tactics
         rule["techniques"] = mitre_techniques
         json_rule = json.dumps(rule, indent=4, sort_keys=False)
diff --git a/uncoder-core/app/translator/platforms/sigma/renders/sigma.py b/uncoder-core/app/translator/platforms/sigma/renders/sigma.py
@@ -37,6 +37,7 @@
 from app.translator.platforms.sigma.models.group import Group
 from app.translator.platforms.sigma.models.operator import AND, NOT, OR
 from app.translator.platforms.sigma.str_value_manager import sigma_str_value_manager
+from app.translator.tools.utils import get_rule_description_str
 
 _AUTOGENERATED_TEMPLATE = "Autogenerated Sigma Rule"
 
@@ -288,10 +289,15 @@ def generate_from_tokenized_query_container(self, query_container: TokenizedQuer
         rendered_functions = self.platform_functions.render(query_container.functions.functions, source_mapping)
         not_supported_functions = query_container.functions.not_supported + rendered_functions.not_supported
 
+        description_str = get_rule_description_str(
+            description=meta_info.description or _AUTOGENERATED_TEMPLATE,
+            license_=meta_info.license
+        )
+
         rule = {
             "title": meta_info.title or _AUTOGENERATED_TEMPLATE,
             "id": meta_info.id,
-            "description": meta_info.description or _AUTOGENERATED_TEMPLATE,
+            "description": description_str,
             "status": "experimental",
             "author": meta_info.author,
             "references": meta_info.references,

Original file line number	Diff line number	Diff line change
`@@ -320,7 +320,7 @@ def wrap_with_meta_info(self, query: str, meta_info: Optional[MetaInfoContainer]`
`320`	`320`	`meta_info_dict = {`
`321`	`321`	`"name: ": meta_info.title,`
`322`	`322`	`"uuid: ": meta_info.id,`
`323`		`- "author: ": meta_info.author if meta_info.author else "not defined in query/rule",`
	`323`	`+ "author: ": ", ".join(meta_info.author) if meta_info.author else "not defined in query/rule",`
`324`	`324`	`"licence: ": meta_info.license,`
`325`	`325`	`}`
`326`	`326`	`query_meta_info = "\n".join(`