tools/sigma/backends/datadog.py

# Output backends for sigmac
# Copyright 2021 Datadog, Inc.

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from re import compile
from sigma.backends.base import SingleTextQueryBackend
from sigma.parser.condition import NodeSubexpression


class DatadogLogsBackend(SingleTextQueryBackend):
    """Converts Sigma rule into Datadog log search query."""

    identifier = "datadog-logs"
    active = True
    config_required = False

    andToken = " AND "
    orToken = " OR "
    notToken = "-"
    subExpression = "(%s)"
    listExpression = "(%s)"
    # List selection items are linked with a logical 'OR' per the Sigma specification:
    # https://github.com/SigmaHQ/sigma/wiki/Specification#lists.
    listSeparator = " OR "
    valueExpression = "%s"
    mapExpression = "%s:%s"
    nullExpression = "-%s:*"
    notNullExpression = "%s:*"

    # The escaped characters list comes from https://docs.datadoghq.com/logs/explorer/search_syntax/#escaping-of-special-characters.
    specialCharactersRegexp = compile(r'([+\-=&|><!(){}\[\]^"~?:\\/]+)')
    whitespacesRegexp = compile(r"\s")

    # Default tags taken from https://docs.datadoghq.com/getting_started/tagging/#introduction.
    tags = {}

    def __init__(self, sigmaconfig, backend_options=None):

        if sigmaconfig.config:
            self.dd_index = sigmaconfig.config.get("index")
            self.dd_service = sigmaconfig.config.get("service")
            self.dd_source = sigmaconfig.config.get("source")
            self.dd_env = sigmaconfig.config.get("env")
            self.tags = sigmaconfig.config.get("tags")

        # if backend_options defined, overwrite default config file (for retro-compatibility)
        if backend_options is None:
            backend_options = {}

        if "index" in backend_options:
            self.dd_index = backend_options["index"]

        if "service" in backend_options:
            self.dd_service = backend_options["service"]

        if "source" in backend_options:
            self.dd_source = backend_options["source"]

        if "env" in backend_options:
            self.dd_env = backend_options["env"]

        super().__init__(sigmaconfig)

    def generateQuery(self, parsed):
        nodes = []

        if hasattr(self, "dd_index") and self.dd_index != None:
            nodes.append(("index", self.dd_index))

        if hasattr(self, "dd_service") and self.dd_service != None:
            nodes.append(("service", self.dd_service))

        if hasattr(self, "dd_source") and self.dd_source != None:
            nodes.append(("source", self.dd_source))

        if hasattr(self, "dd_env") and self.dd_env != None:
            nodes.append(("env", self.dd_env))

        if type(parsed.parsedSearch) == NodeSubexpression:
            nodes.append(parsed.parsedSearch.items)
        else:
            nodes.append(parsed.parsedSearch)

        return self.generateANDNode(nodes)

    def cleanValue(self, val):
        if type(val) == int:
            return val
        else:
            # Whitespaces characters are replaced with a `?`.
            # Datadog also supports escaping whitespaces by double quoting
            # expression, but at the cost of losing the `*` pattern matching
            # syntax that we wanted to preserve.
            # Note that technically, `?` matches  **any** single character.
            return self.whitespacesRegexp.sub(
                # Special characters are escaped with a `\` which requires to be escaped
                # in Python as well (see https://docs.python.org/3/library/re.html).
                # This explains the unusual number of `\` in the following regex definition.
                "?", self.specialCharactersRegexp.sub("\\\\\g<1>", val)
            )

    def generateMapItemNode(self, node):
        key, value = node
        return super().generateMapItemNode(((self.wrap_key(key)), value))

    def generateNULLValueNode(self, node):
        return super().generateNULLValueNode((self.wrap_key(node)))

    def generateNotNULLValueNode(self, node):
        return super().generateNotNULLValueNode(self.wrap_key(node))

    def wrap_key(self, key):
        if key not in self.tags and key not in ['index', 'service', 'source', 'env']:
            # print("WARNING tag %s not converted" % format(key))
            return "@%s" % key
        elif key not in ['index', 'service', 'source', 'env']:
            return self.tags[key]
        else:
            return key
Add Copyright 2021-12-02 10:26:51 -05:00			`# Output backends for sigmac`
			`# Copyright 2021 Datadog, Inc.`

			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU Lesser General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`

			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU Lesser General Public License for more details.`

			`# You should have received a copy of the GNU Lesser General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`

Update datadog sigmac 2022-09-28 08:30:03 -04:00			`from re import compile`
add datadog backend structure 2021-11-23 11:08:27 -05:00			`from sigma.backends.base import SingleTextQueryBackend`
Support null values 2021-11-29 16:13:23 +01:00			`from sigma.parser.condition import NodeSubexpression`
add datadog backend structure 2021-11-23 11:08:27 -05:00

fix naming and references 2021-12-01 16:08:00 -05:00			`class DatadogLogsBackend(SingleTextQueryBackend):`
address minor review comments 2021-12-03 12:41:49 -05:00			`"""Converts Sigma rule into Datadog log search query."""`
unset service case handling 2021-11-29 11:55:50 +01:00
specify datadog-logs backend 2021-12-01 15:11:51 -05:00			`identifier = "datadog-logs"`
add datadog backend structure 2021-11-23 11:08:27 -05:00			`active = True`
			`config_required = False`

			`andToken = " AND "`
			`orToken = " OR "`
			`notToken = "-"`
			`subExpression = "(%s)"`
Simple rules support 2021-11-23 17:51:03 +01:00			`listExpression = "(%s)"`
Comments 2021-12-21 12:17:13 +01:00			`# List selection items are linked with a logical 'OR' per the Sigma specification:`
			`# https://github.com/SigmaHQ/sigma/wiki/Specification#lists.`
Simple rules support 2021-11-23 17:51:03 +01:00			`listSeparator = " OR "`
Escape queries 2021-11-29 15:11:29 +01:00			`valueExpression = "%s"`
add datadog backend structure 2021-11-23 11:08:27 -05:00			`mapExpression = "%s:%s"`
Support null values 2021-11-29 16:13:23 +01:00			`nullExpression = "-%s:*"`
			`notNullExpression = "%s:*"`
Simple rules support 2021-11-23 17:51:03 +01:00
Escape queries 2021-11-29 15:11:29 +01:00			`# The escaped characters list comes from https://docs.datadoghq.com/logs/explorer/search_syntax/#escaping-of-special-characters.`
Update datadog sigmac 2022-09-28 08:30:03 -04:00			`specialCharactersRegexp = compile(r'([+\-=&\|><!(){}\[\]^"~?:\\/]+)')`
			`whitespacesRegexp = compile(r"\s")`
Escape queries 2021-11-29 15:11:29 +01:00
Use tags instead of facets 2021-12-15 17:26:45 +01:00			`# Default tags taken from https://docs.datadoghq.com/getting_started/tagging/#introduction.`
Update datadog sigmac 2022-09-28 08:30:03 -04:00			`tags = {}`
Handle facets and attributes 2021-11-29 17:23:23 +01:00
No mutable default argument 2021-12-21 12:02:31 +01:00			`def __init__(self, sigmaconfig, backend_options=None):`
Update datadog sigmac 2022-09-28 08:30:03 -04:00
			`if sigmaconfig.config:`
			`self.dd_index = sigmaconfig.config.get("index")`
			`self.dd_service = sigmaconfig.config.get("service")`
			`self.dd_source = sigmaconfig.config.get("source")`
			`self.dd_env = sigmaconfig.config.get("env")`
			`self.tags = sigmaconfig.config.get("tags")`

			`# if backend_options defined, overwrite default config file (for retro-compatibility)`
No mutable default argument 2021-12-21 12:02:31 +01:00			`if backend_options is None:`
			`backend_options = {}`

Support index backend option 2021-11-23 18:11:46 +01:00			`if "index" in backend_options:`
			`self.dd_index = backend_options["index"]`

Provide support for service backend-option 2021-12-02 10:21:40 -05:00			`if "service" in backend_options:`
			`self.dd_service = backend_options["service"]`

Add source as a backend option 2021-12-02 17:28:17 +01:00			`if "source" in backend_options:`
			`self.dd_source = backend_options["source"]`

Use tags instead of facets 2021-12-15 17:26:45 +01:00			`if "env" in backend_options:`
			`self.dd_env = backend_options["env"]`

Support index backend option 2021-11-23 18:11:46 +01:00			`super().__init__(sigmaconfig)`

Simple rules support 2021-11-23 17:51:03 +01:00			`def generateQuery(self, parsed):`
unset service case handling 2021-11-29 11:55:50 +01:00			`nodes = []`
Support index backend option 2021-11-23 18:11:46 +01:00
Update datadog sigmac 2022-09-28 08:30:03 -04:00			`if hasattr(self, "dd_index") and self.dd_index != None:`
Escape queries 2021-11-29 15:11:29 +01:00			`nodes.append(("index", self.dd_index))`
unset service case handling 2021-11-29 11:55:50 +01:00
Update datadog sigmac 2022-09-28 08:30:03 -04:00			`if hasattr(self, "dd_service") and self.dd_service != None:`
Escape queries 2021-11-29 15:11:29 +01:00			`nodes.append(("service", self.dd_service))`
unset service case handling 2021-11-29 11:55:50 +01:00
Update datadog sigmac 2022-09-28 08:30:03 -04:00			`if hasattr(self, "dd_source") and self.dd_source != None:`
Add source as a backend option 2021-12-02 17:28:17 +01:00			`nodes.append(("source", self.dd_source))`

Update datadog sigmac 2022-09-28 08:30:03 -04:00			`if hasattr(self, "dd_env") and self.dd_env != None:`
Use tags instead of facets 2021-12-15 17:26:45 +01:00			`nodes.append(("env", self.dd_env))`

Support null values 2021-11-29 16:13:23 +01:00			`if type(parsed.parsedSearch) == NodeSubexpression:`
			`nodes.append(parsed.parsedSearch.items)`
			`else:`
			`nodes.append(parsed.parsedSearch)`
Support index backend option 2021-11-23 18:11:46 +01:00
			`return self.generateANDNode(nodes)`
Escape queries 2021-11-29 15:11:29 +01:00
			`def cleanValue(self, val):`
			`if type(val) == int:`
			`return val`
			`else:`
Comments 2021-12-21 12:17:13 +01:00			# Whitespaces characters are replaced with a `?`.
			`# Datadog also supports escaping whitespaces by double quoting`
			# expression, but at the cost of losing the `*` pattern matching
			`# syntax that we wanted to preserve.`
			# Note that technically, `?` matches any single character.
Escape queries 2021-11-29 15:11:29 +01:00			`return self.whitespacesRegexp.sub(`
Comments 2021-12-21 12:17:13 +01:00			# Special characters are escaped with a `\` which requires to be escaped
			`# in Python as well (see https://docs.python.org/3/library/re.html).`
			# This explains the unusual number of `\` in the following regex definition.
Escape queries 2021-11-29 15:11:29 +01:00			`"?", self.specialCharactersRegexp.sub("\\\\\g<1>", val)`
			`)`
Handle facets and attributes 2021-11-29 17:23:23 +01:00
			`def generateMapItemNode(self, node):`
			`key, value = node`
			`return super().generateMapItemNode(((self.wrap_key(key)), value))`

			`def generateNULLValueNode(self, node):`
			`return super().generateNULLValueNode((self.wrap_key(node)))`

			`def generateNotNULLValueNode(self, node):`
			`return super().generateNotNULLValueNode(self.wrap_key(node))`

			`def wrap_key(self, key):`
Update datadog sigmac 2022-09-28 08:30:03 -04:00			`if key not in self.tags and key not in ['index', 'service', 'source', 'env']:`
			`# print("WARNING tag %s not converted" % format(key))`
Handle facets and attributes 2021-11-29 17:23:23 +01:00			`return "@%s" % key`
Update datadog sigmac 2022-09-28 08:30:03 -04:00			`elif key not in ['index', 'service', 'source', 'env']:`
			`return self.tags[key]`
Handle facets and attributes 2021-11-29 17:23:23 +01:00			`else:`
			`return key`