be able to import massive files like sysmon config from olaf

Author: Infinit3i

data/sysmon_conditions.py

@@ -31,6 +31,17 @@
     30: "File Blocked",
 }
 
+
 def get_event_xml_tag(event_id: int) -> str:
     name = SYS_MON_EVENTS.get(event_id, f"Event{event_id}")
-    return name.replace(" ", "")
+    return name.replace(" ", "")
+
+
+def get_event_id_from_xml_tag(xml_tag: str) -> int | None:
+    normalized = xml_tag.replace(" ", "").lower()
+
+    for event_id in SYS_MON_EVENTS:
+        if get_event_xml_tag(event_id).lower() == normalized:
+            return event_id
+
+    return None

data/sysmon_events.py

@@ -1,4 +1,5 @@
 from exporters.xml_exporter import export_config
+from importers.xml_importer import import_config
 from gui.rule_editor import RuleEditor
 from models.sysmon_config import SysmonConfig
 from data.sysmon_events import SYS_MON_EVENTS
@@ -20,9 +21,7 @@ def __init__(self) -> None:
 
         self.setWindowTitle("Sysmon Config Builder")
         self.setGeometry(100, 100, 1000, 600)
-        
         self.event_map = SYS_MON_EVENTS
-
         self.config = SysmonConfig()
 
         central_widget = QWidget()
@@ -45,16 +44,47 @@ def __init__(self) -> None:
         main_layout.addWidget(self.event_list, 1)
         main_layout.addWidget(self.rule_editor, 3)
 
+        button_layout = QHBoxLayout()
+
+        self.import_button = QPushButton("Import XML")
+        self.import_button.clicked.connect(self.import_xml)
+
         self.save_button = QPushButton("Save XML")
         self.save_button.clicked.connect(self.save_xml)
-        outer_layout.addWidget(self.save_button)
+
+        button_layout.addWidget(self.import_button)
+        button_layout.addWidget(self.save_button)
+
+        outer_layout.addLayout(button_layout)
 
         self.event_list.setCurrentRow(0)
 
     def on_event_selected(self, event_text: str) -> None:
         event_id_str, event_name = event_text.split(" - ", 1)
         self.rule_editor.set_event(int(event_id_str), event_name)
 
+    def import_xml(self) -> None:
+        file_path, _ = QFileDialog.getOpenFileName(
+            self,
+            "Import Sysmon Config",
+            "",
+            "XML Files (*.xml)",
+        )
+
+        if not file_path:
+            return
+
+        try:
+            imported_config = import_config(file_path)
+            self.config.events = imported_config.events
+            self.rule_editor.config = self.config
+            self.rule_editor.refresh_rules()
+        except Exception as exc:
+            QMessageBox.critical(self, "Import Failed", f"Failed to import XML:\n{exc}")
+            return
+
+        QMessageBox.information(self, "Success", f"Imported Sysmon config from:\n{file_path}")
+
     def save_xml(self) -> None:
         file_path, _ = QFileDialog.getSaveFileName(
             self,

gui/event_panel.py

@@ -0,0 +1,65 @@
+from xml.etree import ElementTree as ET
+
+from data.sysmon_events import SYS_MON_EVENTS, get_event_id_from_xml_tag
+from models.sysmon_config import RuleFilter, SysmonConfig
+
+
+def extract_rules_from_node(
+    node: ET.Element,
+    event_config,
+    rule_type: str,
+) -> None:
+    for child in node:
+        if child.tag == "Rule":
+            extract_rules_from_node(child, event_config, rule_type)
+            continue
+
+        if len(child) > 0:
+            extract_rules_from_node(child, event_config, rule_type)
+            continue
+
+        field_name = child.tag
+        condition = child.attrib.get("condition", "is")
+        value = (child.text or "").strip()
+
+        if not value:
+            continue
+
+        event_config.rules.append(
+            RuleFilter(
+                rule_type=rule_type,
+                field_name=field_name,
+                condition=condition,
+                value=value,
+            )
+        )
+
+
+def import_config(input_path: str) -> SysmonConfig:
+    tree = ET.parse(input_path)
+    root = tree.getroot()
+
+    config = SysmonConfig()
+
+    event_filtering = root.find("EventFiltering")
+    if event_filtering is None:
+        return config
+
+    for rule_group in event_filtering:
+        if rule_group.tag != "RuleGroup":
+            continue
+
+        for event_element in rule_group:
+            event_tag = event_element.tag
+            event_id = get_event_id_from_xml_tag(event_tag)
+
+            if event_id is None:
+                continue
+
+            event_name = SYS_MON_EVENTS.get(event_id, event_tag)
+            rule_type = event_element.attrib.get("onmatch", "include")
+
+            event_config = config.get_or_create_event(event_id, event_name)
+            extract_rules_from_node(event_element, event_config, rule_type)
+
+    return config