def resolve(self, key, value, sigmaparser):
targets = self._targets(sigmaparser)
if len(targets
) == 0: # no matching condition, try with default mapping
if self.default != None:
targets = self.default
if len(
targets
) == 1: # result set contains only one target, return mapped item (like SimpleFieldMapping)
if value is None:
return ConditionNULLValue(val=list(targets)[0])
else:
return (list(targets)[0], value)
elif len(
targets
) > 1: # result set contains multiple targets, return all linked as OR condition (like MultiFieldMapping)
cond = ConditionOR()
for target in targets:
if value is None:
cond.add(ConditionNULLValue(val=target))
else:
cond.add((target, value))
return NodeSubexpression(cond)
else: # no mapping found
if value is None:
return ConditionNULLValue(val=key)
else:
return (key, value)
def resolve(self, key, value, sigmaparser):
# build list of matching target mappings
targets = set()
for condfield in self.conditions:
if condfield in sigmaparser.values:
rulefieldvalues = sigmaparser.values[condfield]
for condvalue in self.conditions[condfield]:
if condvalue in rulefieldvalues:
targets.update(self.conditions[condfield][condvalue])
if len(targets
) == 0: # no matching condition, try with default mapping
if self.default != None:
targets = self.default
if len(
targets
) == 1: # result set contains only one target, return mapped item (like SimpleFieldMapping)
return (targets.pop(), value)
elif len(
targets
) > 1: # result set contains multiple targets, return all linked as OR condition (like MultiFieldMapping)
cond = ConditionOR()
for target in targets:
cond.add((target, value))
return cond
else: # no mapping found
return (key, value)
def get_indexcond(self):
"""Get index condition if index field name is configured"""
cond = ConditionOR()
if self.indexfield:
for index in self.index:
cond.add((self.indexfield, index))
return cond
else:
return None
def get_indexcond(self):
"""Get index condition if index field name is configured"""
cond = ConditionOR()
if self.indexfield:
for index in self.index:
cond.add((self.indexfield, index))
return cond
else:
return None
def resolve(self, key, value, sigmaparser):
if type(self.fieldmappings) == str: # one field mapping
return (self.fieldmappings, value)
elif isinstance(self.fieldmappings, SimpleFieldMapping):
return self.fieldmappings.resolve(key, value, sigmaparser)
elif type(self.fieldmappings) == set:
cond = ConditionOR()
for mapping in self.fieldmappings:
if type(mapping) == str:
cond.add((mapping, value))
elif isinstance(mapping, SimpleFieldMapping):
cond.add(mapping.resolve(key, value, sigmaparser))
return NodeSubexpression(cond)
def resolve(self, key, value, sigmaparser):
if type(self.fieldmappings) == str: # one field mapping
return (self.fieldmappings, value)
elif isinstance(self.fieldmappings, ConditionalFieldMapping):
logsource = sigmaparser.parsedyaml.get("logsource")
condition = self.fieldmappings.conditions
for source_type, logsource_item in logsource.items():
if condition.get(source_type) and condition.get(source_type, {}).get(logsource_item):
new_field = condition.get(source_type, {}).get(logsource_item)
self.fieldmappings.default = new_field
return self.fieldmappings.resolve(self.fieldmappings.source, value, sigmaparser)
elif isinstance(self.fieldmappings, SimpleFieldMapping):
return self.fieldmappings.resolve(key, value, sigmaparser)
elif type(self.fieldmappings) == set:
cond = ConditionOR()
for mapping in self.fieldmappings:
if type(mapping) == str:
cond.add((mapping, value))
elif isinstance(mapping, SimpleFieldMapping):
cond.add(mapping.resolve(key, value, sigmaparser))
return NodeSubexpression(cond)
def resolve(self, key, value, sigmaparser):
"""Returns multiple target field names as OR condition"""
cond = ConditionOR()
for fieldname in self.target:
cond.add((fieldname, value))
return NodeSubexpression(cond)