in utils/__init__.py [0:0]
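# Rule-level metadata copied under the `rule` key.
# Each entry is (output key, candidate meta keys); the first candidate with a
# truthy value wins, so e.g. `category_type` takes precedence over `category`
# and `version` over `rev`.
_RULE_META_KEYS = (
    ("author", ("author",)),
    ("id", ("id",)),
    ("category", ("category_type", "category")),
    ("description", ("description",)),
    ("license", ("license",)),
    ("reference", ("reference",)),
    ("ruleset", ("ruleset",)),
    ("version", ("version", "rev")),
    ("tlp", ("tlp",)),
)

# Comma-separated meta values that become list fields under `threat.software`.
_LIST_META_KEYS = (
    ("platforms", "os"),
    ("architectures", "arch"),
)


def _split_csv(value: object) -> list[str]:
    """Split a comma-separated meta value into trimmed, non-empty items.

    The value is stringified first: YARA allows integer and boolean meta
    values, and calling ``.split`` on those would raise ``AttributeError``.
    Surrounding whitespace (``"windows, linux"``) and empty items from a
    trailing comma are dropped so the ECS list contains clean values.
    """
    return [item.strip() for item in str(value).split(",") if item.strip()]


def get_rule_metadata(match: "YaraRuleMatch") -> "Config":
    """Map a YARA rule match's metadata onto an ECS ``threat.software`` shape.

    Returns a dict whose top-level keys (``name``, ``platforms``,
    ``architectures``, ``reference``) are suitable for ``threat.software``,
    plus a ``rule`` sub-dict holding the rule-level fields (``name``,
    ``author``, ``id``, ``category``, ``description``, ``license``,
    ``reference``, ``ruleset``, ``version``, ``tlp``). At a minimum the
    result contains ``{"rule": {"name": <rule name>}}``; every other key is
    present only when the corresponding meta value is truthy.

    Args:
        match: The rule match; only ``match.name`` and ``match.meta`` are read.
            ``match.meta`` may be ``None`` or empty.

    Returns:
        A new dict; the input is not modified.

    Note:
        Meta values are copied verbatim as supplied by the rule author and are
        not validated here (e.g. ``tlp`` is not checked against the TLP
        vocabulary, ``reference`` is not checked to be a URL). Downstream
        consumers should treat them as untrusted labels.
    """
    rule_info: "Config" = {"name": match.name}
    software_info: "Config" = {}
    # `match.meta` may be None when the rule declares no meta section.
    meta = match.meta or {}

    for out_key, candidates in _RULE_META_KEYS:
        for meta_key in candidates:
            value = meta.get(meta_key)
            if value:
                rule_info[out_key] = value
                break

    if meta.get("threat_name"):
        software_info["name"] = meta["threat_name"]
    for out_key, meta_key in _LIST_META_KEYS:
        if meta.get(meta_key):
            software_info[out_key] = _split_csv(meta[meta_key])
    # `reference` is intentionally duplicated at the software level as well.
    if meta.get("reference"):
        software_info["reference"] = meta["reference"]

    software_info["rule"] = rule_info
    return software_info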