format_input.py

import re
import sys
import os

# Add the project root to sys.path
sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))

from location.IP_Checker import get_all_details

def append_severity_definition(log_text):
    severity_definitions = {
        "Information": "The event provides useful context but is not critical.",
        "Notice": "Signifies noteworthy event that do not require immediate action.",
        "Warning": "Indicates potential issue that should be addressed and should be investigated before escalation.",
        "Error": "Indicates a problem that needs to be resolved and impacts system functionality but doesn't cause immediate service disruption.",
        "Critical": "Indicates a severe issue that causes significant loss of service and requires immediate attention.",
    }

    match = re.search(r"Severity:\s*(\S+)", log_text)
    if match:
        severity = match.group(1)
        definition = severity_definitions.get(severity)
        if definition:
            log_text = re.sub(
                r"(Severity:\s*" + re.escape(severity) + r")\n",
                r"\1\n    - Severity Definition: " + definition + "\n",
                log_text,
            )
    return log_text


def format_sophos_row(row):
    def get_value(key, default="Unknown"):
        return row.get(key, default)

    return f"""
- Device Information
    - Device Name: {get_value("device_name")}
    - Device Model: {get_value("device_model")}
    - Device Serial ID: {get_value("device_serial_id")}

- Connection Details
    - Source IP: {get_value("src_ip")}
    - Source Country: {get_value("src_country", "Unknown") if get_value("src_country") != 'R1' else "Unknown"}
    - Destination IP: {get_value("dst_ip")}
    - Destination Country: {get_value("dst_country", "Unknown") if get_value("dst_country") != 'R1' else "Unknown"}
    - Protocol: {get_value("protocol")}
    - Source Port: {get_value("src_port")}
    - Destination Port: {get_value("dst_port")}
    - Timestamp: {get_value("timestamp")}

- Log Information
    - Log Type: {get_value("log_type")}
    - Log Component: {get_value("log_component")}
    - Log Subtype: {get_value("log_subtype")}
    - Severity: {get_value("severity")}

- Additional Information
    - Heartbeat Status: {get_value("hb_status")}
    - Application Resolved By: {get_value("app_resolved_by")}
    - Application Is Cloud: {get_value("app_is_cloud")}
"""


def format_azure_sign_in_logs(data_row):
    def get_value(key, default="Unknown"):
        return data_row.get(key, default)

    device_detail = (
        f"\n- Device Detail:"
        f"\n Device ID: {get_value('deviceDetail_deviceId')}"
        f"\n Display Name: {get_value('deviceDetail_displayName')}"
        f"\n Operating System: {get_value('deviceDetail_operatingSystem')}"
        f"\n Browser: {get_value('deviceDetail_browser')}"
        f"\n Compliance: {get_value('deviceDetail_isCompliant')}"
        f"\n Managed: {get_value('deviceDetail_isManaged')}"
        f"\n Trust Type: {get_value('deviceDetail_trustType')}"
    )

    location = (
        f"\n- Location:"
        f"\n City: {get_value('location_city')}"
        f"\n State: {get_value('location_state')}"
        f"\n Country/Region: {get_value('location_countryOrRegion')}"
        f"\n Latitude: {get_value('location_geoCoordinates_latitude')}"
        f"\n Longitude: {get_value('location_geoCoordinates_longitude')}"
    )

    return (
        f"Created Date: {get_value('createdDateTime')}\n"
        f"User: {get_value('userDisplayName')}\n"
        f"User Principal Name: {get_value('userPrincipalName')}\n"
        f"User ID: {get_value('userId')}\n"
        f"Application ID: {get_value('appId')}\n"
        f"Application Display Name: {get_value('appDisplayName')}\n"
        f"IP Address: {get_value('ipAddress')}\n"
        f"More information about Location:{get_all_details({get_value('ipAddress')})}"
        f"Client App Used: {get_value('clientAppUsed')}\n"
        f"Conditional Access Status: {get_value('conditionalAccessStatus')}\n"
        f"{device_detail}\n"
        f"{location}\n"
        f"- Status: {get_value('status_additionalDetails')}\n"
    )


def format_palo_alto_logs(data_row):
    def get_value(key, default="Unknown"):
        return data_row.get(key, default)

    core_identifiers = (
        f"Source: {get_value('src')}\n"
        f"Destination: {get_value('dest')}\n"
        f"Source IP: {get_value('src_ip')}\n"
        f"Destination IP: {get_value('dest_ip')}\n"
        f"Source Port: {get_value('src_port')}\n"
        f"Destination Port: {get_value('dest_port')}\n"
        f"Protocol: {get_value('protocol')}\n"
    )

    traffic_volume = (
        f"Bytes: {get_value('bytes')}\n"
        f"Bytes In: {get_value('bytes_in')}\n"
        f"Bytes Out: {get_value('bytes_out')}\n"
        f"Packets: {get_value('packets')}\n"
        f"Packets In: {get_value('packets_in')}\n"
        f"Packets Out: {get_value('packets_out')}\n"
    )

    temporal_info = (
        f"Start Time: {get_value('start_time')}\n"
        f"Date: {get_value('date_year')}-{get_value('date_month')}-{get_value('date_mday')} "
        f"{get_value('date_hour')}:{get_value('date_minute')}:{get_value('date_second')}\n"
        f"Duration: {get_value('duration')}\n"
    )

    network_device_info = (
        f"Source Zone: {get_value('src_zone')}\n"
        f"Destination Zone: {get_value('dest_zone')}\n"
        f"Source Interface: {get_value('src_interface')}\n"
        f"Destination Interface: {get_value('dest_interface')}\n"
        f"Device ID: {get_value('dvc')}\n"
        f"Device Name: {get_value('dvc_name')}\n"
    )

    app_user_info = (
        f"Application: {get_value('application')}\n"
        f"User: {get_value('user')}\n"
        f"User Agent: {get_value('user_agent')}\n"
    )

    security_info = (
        f"Action: {get_value('action')}\n"
        f"Severity: {get_value('severity')}\n"
        f"Threat: {get_value('threat')}\n"
        f"Threat Category: {get_value('threat_category')}\n"
        f"Signature: {get_value('signature')}\n"
        f"Signature ID: {get_value('signature_id')}\n"
    )

    return (
        f"{core_identifiers}\n"
        f"{traffic_volume}\n"
        f"{temporal_info}\n"
        f"{network_device_info}\n"
        f"{app_user_info}\n"
        f"{security_info}\n"
    )

def format_office365_logs(data_row):
    def get_value(key, default="Unknown"):
        return data_row.get(key, default)

    actor_info = (
        f"- Actor Information:\n"
        f"    - User ID: {get_value('UserId')}\n"
        f"    - User Key: {get_value('UserKey')}\n"
        f"    - User Type: {get_value('UserType')}\n"
        f"    - User Principal Name: {get_value('UserPrincipalName')}\n"
        f"    - Actor IP Address: {get_value('ActorIpAddress')}\n"
    )

    device_info = (
        f"- Device Information:\n"
        f"    - Client IP: {get_value('ClientIP')}\n"
        f"    - Client App ID: {get_value('ClientAppId')}\n"
        f"    - Client App Name: {get_value('AppAccessContext.ClientAppName')}\n"
        f"    - Device ID: {get_value('DeviceId')}\n"
        f"    - Device Name: {get_value('DeviceName')}\n"
        f"    - Device Operating System: {get_value('DeviceOperatingSystem')}\n"
    )

    operation_info = (
        f"- Operation Information:\n"
        f"    - Operation: {get_value('Operation')}\n"
        f"    - Operation Properties: {get_value('OperationProperties')}\n"
        f"    - Object ID: {get_value('ObjectId')}\n"
        f"    - Object Type: {get_value('ObjectType')}\n"
        f"    - Object Name: {get_value('ObjectName')}\n"
    )

    policy_info = (
        f"- Policy Information:\n"
        f"    - Policy Details: {get_value('PolicyDetails')}\n"
        f"    - Policy Identifier: {get_value('PolicyIdentifierString')}\n"
        f"    - Policy Last Updated Time: {get_value('PolicyLastUpdatedTime')}\n"
    )

    event_info = (
        f"- Event Information:\n"
        f"    - Creation Time: {get_value('CreationTime')}\n"
        f"    - Result Status: {get_value('ResultStatus')}\n"
        f"    - Record Type: {get_value('RecordType')}\n"
        f"    - Request ID: {get_value('RequestId')}\n"
        f"    - Organization ID: {get_value('OrganizationId')}\n"
        f"    - Organization Name: {get_value('OrganizationName')}\n"
        f"    - Tenant ID: {get_value('TenantId')}\n"
    )

    additional_info = (
        f"- Additional Information:\n"
        f"    - App Display Name: {get_value('ApplicationDisplayName')}\n"
        f"    - User Agent: {get_value('UserAgent')}\n"
        f"    - Session ID: {get_value('SessionId')}\n"
    )

    return (
        f"{actor_info}\n"
        f"{device_info}\n"
        f"{operation_info}\n"
        f"{policy_info}\n"
        f"{event_info}\n"
        f"{additional_info}\n"
    )


def flatten_json(json_data, parent_key="", separator="_"):
    def _flatten(obj, parent_key=""):
        items = {}
        for k, v in obj.items():
            new_key = f"{parent_key}{separator}{k}" if parent_key else k
            if isinstance(v, dict):
                items.update(_flatten(v, new_key))
            else:
                items[new_key] = v
        return items

    return _flatten(json_data, parent_key)

def detect_log_type(log_data):
    if "device_name" in log_data and "src_ip" in log_data and "dst_ip" in log_data:
        return "sophos"
    elif "userPrincipalName" in log_data and "ipAddress" in log_data:
        return "azure-sign-in"
    elif "src" in log_data and "dest" in log_data and "severity" in log_data:
        return "palo-alto"
    elif "UserId" in log_data and "ClientIP" in log_data and "Operation" in log_data:
        return "office365"
    else:
        return "Unknown"