upd

Author: tarnopolskyi

uncoder-core/app/translator/platforms/base/lucene/mapping.py

@@ -33,7 +33,7 @@ def get_suitable_source_mappings(
                 continue
 
             log_source_signature: LuceneLogSourceSignature = source_mapping.log_source_signature
-            if index and log_source_signature.is_suitable(index=index):
+            if index and log_source_signature.is_suitable(index=index):  # noqa: SIM102
                 if source_mapping.fields_mapping.is_suitable(field_names):
                     suitable_source_mappings.append(source_mapping)
 

uncoder-core/app/translator/platforms/elasticsearch/parsers/detection_rule.py

@@ -46,11 +46,11 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
             meta_info=MetaInfoContainer(
                 id_=rule.get("rule_id"),
                 title=rule.get("name"),
-                description=parsed_description["rule_description"] or rule.get("description"),
+                description=parsed_description.get("description") or rule.get("description"),
                 references=rule.get("references", []),
-                author=parsed_description["rule_author"],
+                author=parsed_description.get("author") or rule.get("author", ""),
                 severity=rule.get("severity"),
-                license_=parsed_description["rule_license"],
+                license_=parsed_description.get("license"),
                 tags=rule.get("tags"),
                 mitre_attack=mitre_attack if mitre_attack["tactics"] or mitre_attack["techniques"] else None,
             ),

uncoder-core/app/translator/platforms/logscale/parsers/logscale_alert.py

@@ -38,10 +38,10 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
             query=rule["query"]["queryString"],
             language=language,
             meta_info=MetaInfoContainer(
-                id_=parsed_description["rule_id"],
-                author=parsed_description["rule_author"],
-                references=parsed_description["rule_references"],
-                title=rule["name"],
-                description=parsed_description["rule_description"] or rule["description"],
+                id_=parsed_description.get("rule_id"),
+                author=parsed_description.get("author"),
+                references=parsed_description.get("references"),
+                title=rule.get("name"),
+                description=parsed_description.get("description") or rule.get("description"),
             ),
         )

uncoder-core/app/translator/platforms/microsoft/parsers/microsoft_sentinel_rule.py

@@ -56,11 +56,11 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
             language=language,
             meta_info=MetaInfoContainer(
                 title=rule.get("displayName"),
-                description=parsed_description["rule_description"] or rule.get("description"),
+                description=parsed_description.get("description") or rule.get("description"),
                 timeframe=self.__parse_timeframe(rule.get("queryFrequency", "")),
                 severity=rule.get("severity", "medium"),
                 mitre_attack=mitre_attack if mitre_attack["tactics"] or mitre_attack["techniques"] else None,
-                author=parsed_description["rule_author"],
-                license_=parsed_description["rule_license"],
+                author=parsed_description.get("author") or rule.get("author", ""),
+                license_=parsed_description.get("license"),
             ),
         )

uncoder-core/app/translator/platforms/roota/renders/roota.py

@@ -100,8 +100,11 @@ def __get_data_for_roota_render(
             return_only_first_query_ctx_var.set(prev_state_return_only_first_query_ctx_var)
             wrap_query_with_meta_info_ctx_var.set(prev_state_wrap_query_with_meta_info_ctx_var)
 
-            return (rule_query, rule_query_language,
-                    self.__normalize_log_source(log_source=tokenized_query_container.meta_info.parsed_logsources))
+            return (
+                rule_query,
+                rule_query_language,
+                self.__normalize_log_source(log_source=tokenized_query_container.meta_info.parsed_logsources),
+            )
         rule_query_language = raw_query_container.language.replace("rule", "query")
         rule_query = raw_query_container.query
         for source_mapping_id in tokenized_query_container.meta_info.source_mapping_ids:
@@ -150,6 +153,6 @@ def generate(
             rule["correlation"]["timeframe"] = self.__render_timeframe(tokenized_query_container.meta_info.timeframe)
 
         if rule_logsources:
-           rule["logsource"] = rule_logsources
+            rule["logsource"] = rule_logsources
 
         return yaml.dump(rule, Dumper=IndentedListDumper, default_flow_style=False, sort_keys=False, indent=4)

uncoder-core/app/translator/tools/utils.py

@@ -74,32 +74,19 @@ def get_rule_description_str(
 
 
 def parse_rule_description_str(description: str) -> dict:
-    rule_id: str = ""
-    rule_author: str = ""
-    rule_license: str = ""
-    rule_references: list[str] = []
-
-    rule_id_pattern = r"Rule ID:\s*([\w-]+)"
-    author_pattern = r"Author:\s*([^\.]+)"
-    license_pattern = r"License:\s*(.+?)\s"
-    reference_pattern = r"Reference:\s*([^\s]+)"
-
-    if rule_id_match := re.search(rule_id_pattern, description):
-        rule_id = rule_id_match.group(1)
-    if rule_author_match := re.search(author_pattern, description):
-        rule_author = rule_author_match.group(1).strip()
-    if rule_references_match := re.search(reference_pattern, description):
-        rule_references = [rule_references_match.group(1)]
-    if "License: DRL 1.1." in description:
-        rule_license = "DRL 1.1."
-    elif rule_license_match := re.search(license_pattern, description):
-        rule_license = rule_license_match.group(1)
-    description = re.sub(r"\s*(?:Author:|Rule ID:|License:|Reference:|$).*", "", description)
-
-    return {
-        "rule_id": rule_id,
-        "rule_license": rule_license,
-        "rule_description": description,
-        "rule_author": rule_author,
-        "rule_references": rule_references,
+    parsed = {}
+    keys_map = {
+        "references": "Reference",
+        "mitre_attack": "MITRE ATT&CK",
+        "license": "License",
+        "rule_id": "Rule ID",
+        "author": "Author",
     }
+    pattern = r"___name___:\s*(?P<value>.+)\."
+    for key, name in keys_map.items():
+        if search := re.search(pattern.replace("___name___", name), description):
+            parsed[key] = search.group("value")
+            description = description[: search.start()]
+
+    parsed["description"] = description.strip()
+    return parsed