Merge pull request #197 from UncoderIO/gis-8762

fix qradar logsource parsing

Author: alexvolha

uncoder-core/app/translator/mappings/platforms/qradar/linux_network_connection.yml

@@ -8,7 +8,7 @@ log_source:
 
 default_log_source:
   devicetype: 11
-  category: [4012]
+  category: 4012
 
 field_mapping:
   CommandLine: Command

uncoder-core/app/translator/mappings/platforms/qradar/macos_network_connection.yml

@@ -8,7 +8,7 @@ log_source:
 
 default_log_source:
   devicetype: 102
-  category: [4012]
+  category: 4012
 
 field_mapping:
   CommandLine: Command

uncoder-core/app/translator/mappings/platforms/qradar/windows_network_connection.yml

@@ -9,7 +9,7 @@ log_source:
 
 default_log_source:
   devicetype: 12
-  category: [4012]
+  category: 4012
   qideventcategory: Microsoft-Windows-Sysmon/Operational
 
 field_mapping:

uncoder-core/app/translator/platforms/base/aql/mapping.py

@@ -39,7 +39,12 @@ def __str__(self) -> str:
     @property
     def extra_condition(self) -> str:
         default_source = self._default_source
-        return " AND ".join((f"{key}={value}" for key, value in default_source.items() if key != "table" and value))
+        extra = []
+        for key, value in default_source.items():
+            if key != "table" and value:
+                _condition = f"{key}={value}" if isinstance(value, int) else f"{key}='{value}'"
+                extra.append(_condition)
+        return " AND ".join(extra)
 
 
 class AQLMappings(BasePlatformMappings):
@@ -48,7 +53,7 @@ class AQLMappings(BasePlatformMappings):
 
     def prepare_log_source_signature(self, mapping: dict) -> AQLLogSourceSignature:
         log_source = mapping.get("log_source", {})
-        default_log_source = mapping.get("default_log_source")
+        default_log_source = mapping["default_log_source"]
         return AQLLogSourceSignature(
             device_types=log_source.get("devicetype"),
             categories=log_source.get("category"),

uncoder-core/app/translator/platforms/base/aql/parsers/aql.py

@@ -37,13 +37,13 @@ class AQLQueryParser(PlatformQueryParser):
     log_source_functions = ("LOGSOURCENAME", "LOGSOURCEGROUPNAME")
     log_source_function_pattern = r"\(?(?P<key>___func_name___\([a-zA-Z]+\))(?:\s+like\s+|\s+ilike\s+|\s*=\s*)'(?P<value>[%a-zA-Z\s]+)'\s*\)?\s+(?:and|or)?\s"  # noqa: E501
 
-    log_source_key_types = ("devicetype", "category", "qid", "qideventcategory", *LOG_SOURCE_FUNCTIONS_MAP.keys())
+    log_source_key_types = ("devicetype", "qideventcategory", "category", "qid", *LOG_SOURCE_FUNCTIONS_MAP.keys())
     log_source_pattern = rf"___source_type___(?:\s+like\s+|\s+ilike\s+|\s*=\s*)(?:{SINGLE_QUOTES_VALUE_PATTERN}|{NUM_VALUE_PATTERN})(?:\s+(?:and|or)\s+|\s+)?"  # noqa: E501
     num_value_pattern = r"[0-9]+"
     multi_num_log_source_pattern = (
         rf"___source_type___\s+in\s+\((?P<value>(?:{num_value_pattern}(?:\s*,\s*)?)+)\)(?:\s+(?:and|or)\s+|\s+)?"
     )
-    str_value_pattern = r"""(?:')(?P<s_q_value>(?:[:a-zA-Z\*0-9=+%#\-\/\\,_".$&^@!\(\)\{\}\s]|'')+)(?:')"""
+    str_value_pattern = r"""'(?P<s_q_value>(?:[:a-zA-Z\*0-9=+%#\-\/\\,_".$&^@!\(\)\{\}\s]|'')+)'"""
     multi_str_log_source_pattern = (
         rf"""___source_type___\s+in\s+\((?P<value>(?:{str_value_pattern}(?:\s*,\s*)?)+)\)(?:\s+(?:and|or)\s+|\s+)?"""
     )

uncoder-core/app/translator/platforms/sigma/parsers/sigma.py

@@ -18,7 +18,6 @@
 """
 
 from datetime import timedelta
-from re import I
 from typing import Optional, Union
 
 from app.translator.core.exceptions.core import SigmaRuleValidationException