fix

Author: tarnopolskyi

uncoder-core/app/translator/core/mitre.py

@@ -145,4 +145,7 @@ def get_mitre_info(
         for technique in techniques or []:
             if technique_found := self.get_technique(technique_id=technique.lower()):
                 techniques_list.append(technique_found)
-        return MitreInfoContainer(tactics=tactics_list, techniques=techniques_list)
+        return MitreInfoContainer(
+            tactics=sorted(tactics_list, key=lambda x: x.name),
+            techniques=sorted(techniques_list, key=lambda x: x.technique_id),
+        )

uncoder-core/app/translator/core/mixins/rule.py

@@ -37,11 +37,10 @@ def parse_mitre_attack(self, tags: list[str]) -> MitreInfoContainer:
             if tag.startswith("attack."):
                 tag = tag[7::]
             if tag.startswith("t"):
-                if technique := self.mitre_config.get_technique(tag):
-                    parsed_techniques.append(technique)
-            elif tactic := self.mitre_config.get_tactic(tag):
-                parsed_tactics.append(tactic)
-        return MitreInfoContainer(tactics=parsed_tactics, techniques=parsed_techniques)
+                parsed_techniques.append(tag)
+            else:
+                parsed_tactics.append(tag)
+        return self.mitre_config.get_mitre_info(tactics=parsed_tactics, techniques=parsed_techniques)
 
 
 class XMLRuleMixin:

uncoder-core/app/translator/platforms/splunk/parsers/splunk_alert.py

@@ -19,8 +19,9 @@
 import re
 
 from app.translator.core.custom_types.meta_info import SeverityType
+from app.translator.core.mitre import MitreConfig
 from app.translator.core.models.platform_details import PlatformDetails
-from app.translator.core.models.query_container import MetaInfoContainer, RawQueryContainer
+from app.translator.core.models.query_container import MetaInfoContainer, MitreInfoContainer, RawQueryContainer
 from app.translator.managers import parser_manager
 from app.translator.platforms.splunk.const import splunk_alert_details
 from app.translator.platforms.splunk.mapping import SplunkMappings, splunk_alert_mappings
@@ -31,12 +32,13 @@
 class SplunkAlertParser(SplunkQueryParser):
     details: PlatformDetails = splunk_alert_details
     mappings: SplunkMappings = splunk_alert_mappings
+    mitre_config: MitreConfig = MitreConfig()
 
     def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
         rule_id: str = ""
         rule_name: str = ""
         severity: str = ""
-        raw_mitre_attack: list[str] = []
+        mitre_attack_container: MitreInfoContainer = None
         if severity_match := re.search(r"alert\.severity\s*=\s*(\d+)", text):
             level_map = {
                 "1": SeverityType.low,
@@ -46,8 +48,12 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
             }
             severity = level_map.get(str(severity_match.group(1)), "low")
 
-        if mitre_attack_match := re.search(r'"mitre_attack":\s*\[(.*?)\]', text):
-            raw_mitre_attack = [attack.strip().strip('"').lower() for attack in mitre_attack_match.group(1).split(",")]
+        if mitre_attack_match := re.search(r"'mitre_attack':\s*\[(.*?)\]", text):
+            raw_mitre_attack = [attack.strip().strip("'") for attack in mitre_attack_match.group(1).split(",")]
+            mitre_attack_container = self.mitre_config.get_mitre_info(
+                tactics=[i.lower() for i in raw_mitre_attack if not i.lower().startswith("t")],
+                techniques=[i.lower() for i in raw_mitre_attack if i.lower().startswith("t")],
+            )
 
         if rule_id_match := re.search(r"Rule ID:\s*([\w-]+)", text):
             rule_id = rule_id_match.group(1)
@@ -64,6 +70,6 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
                 title=rule_name,
                 description=description,
                 severity=severity,
-                raw_mitre_attack=raw_mitre_attack,
+                mitre_attack=mitre_attack_container,
             ),
         )