
from typing import Any, Dict, TypeAlias from malduck.yara import YaraRuleMatch Config: TypeAlias = Dict[str, Any] def get_rule_metadata(match: YaraRuleMatch) -> Config: """ Parses metadata from YARA rule into dictionary under `rule` and top-level keys suitable for inclusion under `threat.software` ECS schema. At a minumum, it will contain the name of the rule. """ rule_info: Config = {} software_info: Config = {} rule_info["name"] = match.name if match.meta: _meta = match.meta if _meta.get("author", None): rule_info["author"] = _meta.get("author") if _meta.get("id", None): rule_info["id"] = _meta["id"] if _meta.get("category_type", None): rule_info["category"] = _meta["category_type"] elif _meta.get("category", None): rule_info["category"] = _meta["category"] if _meta.get("description", None): rule_info["description"] = _meta["description"] if _meta.get("license", None): rule_info["license"] = _meta["license"] if _meta.get("reference", None): rule_info["reference"] = _meta["reference"] if _meta.get("ruleset", None): rule_info["ruleset"] = _meta["ruleset"] if _meta.get("version", None): rule_info["version"] = _meta["version"] elif _meta.get("rev", None): rule_info["version"] = _meta["rev"] if _meta.get("tlp", None): rule_info["tlp"] = _meta["tlp"] if _meta.get("threat_name", None): software_info["name"] = _meta["threat_name"] if _meta.get("os", None): software_info["platforms"] = _meta["os"].split(",") if _meta.get("arch", None): software_info["architectures"] = _meta["arch"].split(",") if _meta.get("reference", None): software_info["reference"] = _meta["reference"] software_info["rule"] = rule_info return software_info