# python3 script
import base64
import csv
import json
import os
import pprint
import sys
import time
import xml.etree.ElementTree as ET
from array import array
from html.parser import HTMLParser
from optparse import OptionParser
from types import *
from xml.etree.ElementTree import ElementTree

import lxml.etree as etree
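class MyHTMLParser(HTMLParser):
    """Collect the text nodes of a QRadar rule-test HTML fragment.

    The "text" of a rule test in a QRadar export is an HTML snippet (anchors
    wrap the editable parts of the test).  main() feeds one snippet per test
    and then reads ``testArray``: a list of ``[testSeq, recording, data]``
    triples, one per text chunk the parser saw, with the tags dropped.
    """

    def __init__(self):
        HTMLParser.__init__(self)
        # Set to 1 on every start tag and decremented on every end tag; it is
        # recorded next to each text chunk but nothing downstream reads it, so
        # nested tags driving it negative is harmless.
        self.recording = 0
        self.data = []
        self.test = []
        # Initialised here so feed() works on a fresh instance (the original
        # only created the attribute from main(), so any other caller hit an
        # AttributeError in handle_data).  main() resets it before each test.
        self.testArray = []

    def handle_starttag(self, tag, attrs):
        self.recording = 1
        self.data = ''

    def handle_endtag(self, tag):
        self.recording -= 1

    def handle_data(self, data):
        # ``testSeq`` is a module-level global that main() assigns before it
        # feeds a snippet; feeding text without defining it raises NameError.
        self.testArray.append([testSeq, self.recording, data])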
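def main(argv=None) -> None:
    """Flatten a QRadar custom-rule export into CSV rows on stdout.

    Args:
        argv: command-line arguments without the program name; defaults to
            ``sys.argv[1:]``.  The single positional argument is the path of
            the exported rules XML (a document whose children include
            ``custom_rule``, ``fgroup`` and ``fgroup_link`` elements).

    Output, one row per ``custom_rule``:
        name, origin, type, "BB"/"Rule", "Enabled"/"Disabled", uuid,
        then all rule tests in ONE field (" [AND] " / " [AND NOT] " in front
        of every test after the first, " [AND NOT] " also for a negated first
        test), four response fields (see _response_fields), then one field per
        group the rule is linked to (see _group_path_fields).
        A final line ``END`` closes the listing.

    Fixes versus the hand-built output: fields are written by the csv module
    (quotes inside a value are escaped instead of breaking the row), the
    response columns are always present, the HTML parser is reset before and
    flushed after each test (close() used to run *before* feed(), so trailing
    text of one test could end up attributed to the previous one), the unused
    second parse of the rule blob with lxml is gone, and group/link lookups
    no longer splice ids into ElementPath predicates.
    """
    global testSeq

    args = sys.argv[1:] if argv is None else list(argv)
    if len(args) != 1:
        print("usage: QRadar-rules2csv.py <qradar-rules-export.xml>", file=sys.stderr)
        sys.exit(2)

    # NOTE(security): the export is parsed with the stdlib Expat-based parser,
    # which does not fetch external entities.  Protection against entity
    # expansion ("billion laughs") depends on the Expat version Python was
    # built against; if exports from an untrusted source are ever processed,
    # parse them with defusedxml instead.  The same applies to the base64
    # rule_data blob below, which is a second XML document.
    root = ET.parse(args[0]).getroot()

    # Index groups by id and links by rule id once.  The original ran a
    # findall() per rule with the id spliced into an ElementPath predicate;
    # an id containing a quote would have broken that predicate.
    groups_by_id = {}
    for fgroup in root.findall('fgroup'):
        gid = fgroup.findtext('id')
        if gid is not None:
            groups_by_id.setdefault(gid, fgroup)
    links_by_item = {}
    for link in root.findall('fgroup_link'):
        links_by_item.setdefault(link.findtext('item_id'), []).append(link)

    # QUOTE_ALL reproduces the original "field","field" layout and also escapes
    # a '"' inside a value.  Values are still written verbatim: rule names and
    # test text are whatever the SIEM admin typed, and a cell beginning with
    # '=', '+', '-' or '@' is evaluated as a formula by spreadsheet software,
    # so treat the file as data rather than opening it blindly in Excel.
    writer = csv.writer(sys.stdout, quoting=csv.QUOTE_ALL, lineterminator='\n')

    parser = MyHTMLParser()
    for rule in root.findall('custom_rule'):
        rule_id = rule.findtext('id', '')

        raw_definition = rule.findtext('rule_data')
        if not raw_definition:
            print(f"skipping rule {rule_id}: no rule_data", file=sys.stderr)
            continue
        # The rule definition itself is a base64-encoded XML document.
        definition = ET.fromstring(base64.b64decode(raw_definition))

        rule_fields = [
            definition.findtext('name', ''),
            rule.findtext('origin', ''),
            definition.get('type', ''),
            'BB' if definition.get('buildingBlock') == 'true' else 'Rule',
            'Enabled' if definition.get('enabled') == 'true' else 'Disabled',
            rule.findtext('uuid', ''),
        ]

        testSeq = -1  # read by MyHTMLParser.handle_data for every text chunk
        tests = []
        test_definitions = definition.find('testDefinitions')
        test_elements = [] if test_definitions is None else test_definitions.findall('test')
        for test in test_elements:
            testSeq += 1
            if str(test.get('negate')) == 'true':
                prefix = ' [AND NOT] '
            elif tests:
                prefix = ' [AND] '
            else:
                prefix = ''
            # reset() drops any buffered input from the previous test; close()
            # after feed() flushes trailing text into testArray before we read it.
            parser.reset()
            parser.testArray = []
            parser.feed(test.findtext('text', ''))
            parser.close()
            tests.append(prefix + ''.join(str(chunk[2]) for chunk in parser.testArray))
        # One field holding every test, with the leading and trailing comma the
        # original ",".join(['"', *tests, '"']) produced, so consumers of the
        # old layout keep working.
        tests_field = ','.join(['', *tests, ''])

        group_fields = _group_path_fields(links_by_item.get(rule_id, []), groups_by_id)
        # Unlike the original, a rule without groups no longer gets a dangling
        # empty trailing field.
        writer.writerow(rule_fields + [tests_field] + _response_fields(definition) + group_fields)
    print('END')


def _response_fields(definition) -> list[str]:
    """Return the four response columns for one decoded rule definition.

    Taken from ``responses/newevent``: "QID:<qid>", "Offense" when
    forceOffenseCreation is "true" else "No-Offense", "LLC:<lowLevelCategory>"
    and "CRS:<credibility><relevance><severity>" (absent attributes print as
    "None", as before).  Always four fields -- empty when the rule dispatches
    no new event -- so every row has the same columns up to the group part.
    """
    responses = definition.find('responses')
    newevent = None if responses is None else responses.find('newevent')
    if newevent is None:
        return ['', '', '', '']
    offense = 'Offense' if newevent.get('forceOffenseCreation') == 'true' else 'No-Offense'
    return [
        'QID:' + str(newevent.get('qid')),
        offense,
        'LLC:' + str(newevent.get('lowLevelCategory')),
        'CRS:' + str(newevent.get('credibility')) + str(newevent.get('relevance'))
        + str(newevent.get('severity')),
    ]


def _group_path_fields(links, groups_by_id) -> list[str]:
    """Return the group-hierarchy fields for one rule.

    For every ``fgroup_link`` of the rule: the linked group's description with
    a single ">" in front, then each ancestor's description with one more ">"
    per level walked, stopping before the top-level group (the one without a
    ``parent_id``), which is never emitted.  A link to a missing group, or a
    parent chain that loops in a damaged export, ends the walk instead of
    crashing or hanging.
    """
    fields = []
    for link in links:
        leaf_id = link.findtext('fgroup_id')
        group = groups_by_id.get(leaf_id)
        if group is None:
            continue
        level = '>'
        fields.append(level + str(group.findtext('description')))
        seen = {leaf_id}
        parent_id = group.find('parent_id')
        while parent_id is not None and parent_id.text not in seen:
            seen.add(parent_id.text)
            group = groups_by_id.get(parent_id.text)
            if group is None:
                break
            level += '>'
            parent_id = group.find('parent_id')
            if parent_id is not None:
                fields.append(level + str(group.findtext('description')))
    return fields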
if __name__ == "__main__":
    # Only run the conversion when executed as a script, not on import.
    main()