NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commit4b54f66

authored

Merge pull request#166 from UncoderIO/gis-8036

predefined field processing

2 parents50a0bbf +a4ab1a3 commit4b54f66Copy full SHA for 4b54f66

File tree

17 files changed

+124

-39

lines changed

uncoder-core/app/translator
- core
  - custom_types
    - functions.py
    - predefined_fields.py
  - models
    - field.py
  - render.py
  - tokenizer.py
- mappings/platforms
  - palo_alto_cortex
    - dns.yml
    - linux_process_creation.yml
  - qradar
- platforms
  - logrhythm_axon/renders
    - logrhythm_axon_query.py
  - opensearch/renders
    - opensearch_rule.py
  - palo_alto
    - const.py
    - renders
      - cortex_xsiam.py

17 files changed

+124

-39

lines changed

`‎uncoder-core/app/translator/core/custom_types/functions.py‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ class FunctionType(CustomEnum):`
`15`	`15`	`latest="latest"`
`16`	`16`
`17`	`17`	`divide="divide"`
	`18`	`+multiply="multiply"`
`18`	`19`
`19`	`20`	`lower="lower"`
`20`	`21`	`split="split"`
`@@ -28,6 +29,7 @@ class FunctionType(CustomEnum):`
`28`	`29`	`bin="bin"`
`29`	`30`	`eval="eval"`
`30`	`31`	`fields="fields"`
	`32`	`+iploc="iploc"`
`31`	`33`	`join="join"`
`32`	`34`	`rename="rename"`
`33`	`35`	`search="search"`

`‎uncoder-core/app/translator/core/custom_types/predefined_fields.py‎`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,12 @@`
	`1`	`+fromapp.translator.tools.custom_enumimportCustomEnum`
	`2`	`+`
	`3`	`+`
	`4`	`+classIPLocationType(CustomEnum):`
	`5`	`+asn="ip_loc_asn"`
	`6`	`+asn_org="ip_loc_asn_org"`
	`7`	`+city="ip_loc_city"`
	`8`	`+continent="ip_loc_continent"`
	`9`	`+country="ip_loc_country"`
	`10`	`+lat_lon="ip_loc_lat_lon"`
	`11`	`+region="ip_loc_region"`
	`12`	`+timezone="ip_loc_timezone"`

`‎uncoder-core/app/translator/core/models/field.py‎`

Lines changed: 20 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,11 @@ def set_generic_names_map(self, source_mappings: list[SourceMapping], default_ma`
`37`	`37`	`self.__generic_names_map=generic_names_map`
`38`	`38`
`39`	`39`
	`40`	`+classPredefinedField:`
	`41`	`+def__init__(self,name:str):`
	`42`	`+self.name=name`
	`43`	`+`
	`44`	`+`
`40`	`45`	`classFieldField:`
`41`	`46`	`def__init__(`
`42`	`47`	`self,`
`@@ -46,10 +51,10 @@ def __init__(`
`46`	`51`	`is_alias_left:bool=False,`
`47`	`52`	`is_alias_right:bool=False,`
`48`	`53`	`):`
`49`		`-self.field_left=Field(source_name=source_name_left)`
	`54`	`+self.field_left=Field(source_name=source_name_left)ifnotis_alias_leftelseNone`
`50`	`55`	`self.alias_left=Alias(name=source_name_left)ifis_alias_leftelseNone`
`51`	`56`	`self.operator=operator`
`52`		`-self.field_right=Field(source_name=source_name_right)`
	`57`	`+self.field_right=Field(source_name=source_name_right)ifnotis_alias_rightelseNone`
`53`	`58`	`self.alias_right=Alias(name=source_name_right)ifis_alias_rightelseNone`
`54`	`59`
`55`	`60`
`@@ -60,11 +65,14 @@ def __init__(`
`60`	`65`	`operator:Identifier,`
`61`	`66`	`value:Union[int,str,StrValue,list,tuple],`
`62`	`67`	`is_alias:bool=False,`
	`68`	`+is_predefined_field:bool=False,`
`63`	`69`	`):`
`64`		`-self.field=Field(source_name=source_name)`
`65`		`-self.alias=None`
`66`		`-ifis_alias:`
`67`		`-self.alias=Alias(name=source_name)`
	`70`	`+# mapped by platform fields mapping`
	`71`	`+self.field=Field(source_name=source_name)ifnot (is_aliasoris_predefined_field)elseNone`
	`72`	`+# not mapped`
	`73`	`+self.alias=Alias(name=source_name)ifis_aliaselseNone`
	`74`	`+# mapped by platform predefined fields mapping`
	`75`	`+self.predefined_field=PredefinedField(name=source_name)ifis_predefined_fieldelseNone`
`68`	`76`
`69`	`77`	`self.operator=operator`
`70`	`78`	`self.values= []`
`@@ -96,10 +104,13 @@ def __add_value(self, value: Optional[Union[int, str, StrValue, list, tuple]]) -`
`96`	`104`	`self.values.append(value)`
`97`	`105`
`98`	`106`	`def__repr__(self):`
`99`		`-ifself.field:`
`100`		`-returnf"{self.field.source_name}{self.operator.token_type}{self.values}"`
	`107`	`+ifself.alias:`
	`108`	`+returnf"{self.alias.name}{self.operator.token_type}{self.values}"`
	`109`	`+`
	`110`	`+ifself.predefined_field:`
	`111`	`+returnf"{self.predefined_field.name}{self.operator.token_type}{self.values}"`
`101`	`112`
`102`		`-returnf"{self.alias.name}{self.operator.token_type}{self.values}"`
	`113`	`+returnf"{self.field.source_name}{self.operator.token_type}{self.values}"`
`103`	`114`
`104`	`115`
`105`	`116`	`classKeyword:`

`‎uncoder-core/app/translator/core/render.py‎`

Lines changed: 20 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@`
`31`	`31`	`fromapp.translator.core.exceptions.parserimportUnsupportedOperatorException`
`32`	`32`	`fromapp.translator.core.functionsimportPlatformFunctions`
`33`	`33`	`fromapp.translator.core.mappingimportDEFAULT_MAPPING_NAME,BasePlatformMappings,LogSourceSignature,SourceMapping`
`34`		`-fromapp.translator.core.models.fieldimportField,FieldField,FieldValue,Keyword`
	`34`	`+fromapp.translator.core.models.fieldimportField,FieldField,FieldValue,Keyword,PredefinedField`
`35`	`35`	`fromapp.translator.core.models.functions.baseimportFunction,RenderedFunctions`
`36`	`36`	`fromapp.translator.core.models.identifierimportIdentifier`
`37`	`37`	`fromapp.translator.core.models.platform_detailsimportPlatformDetails`
`@@ -218,7 +218,8 @@ class PlatformQueryRender(QueryRender):`
`218`	`218`	`field_field_render=BaseFieldFieldRender()`
`219`	`219`	`field_value_render=BaseFieldValueRender(or_token=or_token)`
`220`	`220`
`221`		`-raw_log_field_pattern_map:ClassVar[dict[str,str]]=None`
	`221`	`+predefined_fields_map:ClassVar[dict[str,str]]= {}`
	`222`	`+raw_log_field_patterns_map:ClassVar[dict[str,str]]= {}`
`222`	`223`
`223`	`224`	`def__init__(self):`
`224`	`225`	`super().__init__()`
`@@ -248,9 +249,23 @@ def map_field(self, field: Field, source_mapping: SourceMapping) -> list[str]:`
`248`	`249`
`249`	`250`	`returnmapped_fieldifmapped_fieldelse [generic_field_name]ifgeneric_field_nameelse [field.source_name]`
`250`	`251`
	`252`	`+defmap_predefined_field(self,predefined_field:PredefinedField)->str:`
	`253`	`+ifnot (mapped_predefined_field_name:=self.predefined_fields_map.get(predefined_field.name)):`
	`254`	`+ifself.is_strict_mapping:`
	`255`	`+raiseStrictPlatformException(field_name=predefined_field.name,platform_name=self.details.name)`
	`256`	`+`
	`257`	`+returnpredefined_field.name`
	`258`	`+`
	`259`	`+returnmapped_predefined_field_name`
	`260`	`+`
`251`	`261`	`defapply_token(self,token:Union[FieldValue,Keyword,Identifier],source_mapping:SourceMapping)->str:`
`252`	`262`	`ifisinstance(token,FieldValue):`
`253`		`-mapped_fields= [token.alias.name]iftoken.aliaselseself.map_field(token.field,source_mapping)`
	`263`	`+iftoken.alias:`
	`264`	`+mapped_fields= [token.alias.name]`
	`265`	`+eliftoken.predefined_field:`
	`266`	`+mapped_fields= [self.map_predefined_field(token.predefined_field)]`
	`267`	`+else:`
	`268`	`+mapped_fields=self.map_field(token.field,source_mapping)`
`254`	`269`	`joined=self.logical_operators_map[LogicalOperatorType.OR].join(`
`255`	`270`	`[`
`256`	`271`	`self.field_value_render.apply_field_value(field=field,operator=token.operator,value=token.value)`
`@@ -365,7 +380,7 @@ def generate_from_raw_query_container(self, query_container: RawQueryContainer)`
`365`	`380`	`)`
`366`	`381`
`367`	`382`	`defprocess_raw_log_field(self,field:str,field_type:str)->Optional[str]:`
`368`		`-ifraw_log_field_pattern:=self.raw_log_field_pattern_map.get(field_type):`
	`383`	`+ifraw_log_field_pattern:=self.raw_log_field_patterns_map.get(field_type):`
`369`	`384`	`returnraw_log_field_pattern.format(field=field)`
`370`	`385`
`371`	`386`	`defprocess_raw_log_field_prefix(self,field:str,source_mapping:SourceMapping)->Optional[list]:`
`@@ -379,7 +394,7 @@ def process_raw_log_field_prefix(self, field: str, source_mapping: SourceMapping`
`379`	`394`	`return [self.process_raw_log_field(field=field,field_type=raw_log_field_type)]`
`380`	`395`
`381`	`396`	`defgenerate_raw_log_fields(self,fields:list[Field],source_mapping:SourceMapping)->str:`
`382`		`-ifself.raw_log_field_pattern_mapisNone:`
	`397`	`+ifnotself.raw_log_field_patterns_map:`
`383`	`398`	`return""`
`384`	`399`	`defined_raw_log_fields= []`
`385`	`400`	`forfieldinfields:`

`‎uncoder-core/app/translator/core/tokenizer.py‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -332,12 +332,12 @@ def get_field_tokens_from_func_args( # noqa: PLR0912`
`332`	`332`	`ifisinstance(arg,Field):`
`333`	`333`	`result.append(arg)`
`334`	`334`	`elifisinstance(arg,FieldField):`
`335`		`-ifnotarg.alias_leftorarg.alias_left.name!=arg.field_left.source_name:`
	`335`	`+ifarg.field_left:`
`336`	`336`	`result.append(arg.field_left)`
`337`		`-ifnotarg.alias_rightorarg.alias_right.name!=arg.field_right.source_name:`
	`337`	`+ifarg.field_right:`
`338`	`338`	`result.append(arg.field_right)`
`339`	`339`	`elifisinstance(arg,FieldValue):`
`340`		`-ifnotarg.aliasorarg.alias.name!=arg.field.source_name:`
	`340`	`+ifarg.field:`
`341`	`341`	`result.append(arg.field)`
`342`	`342`	`elifisinstance(arg,GroupByFunction):`
`343`	`343`	`result.extend(self.get_field_tokens_from_func_args(args=arg.args))`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -11,4 +11,4 @@ field_mapping:`
`11`	`11`	`dns_query_name:xdm.network.dns.dns_question.name`
`12`	`12`	`QueryName:xdm.network.dns.dns_question.name`
`13`	`13`	`query:xdm.network.dns.dns_question.name`
`14`		`-dns-record-type:xdm.network.dns.dns_question.type`
	`14`	`+dns-record-type:xdm.network.dns.dns_question.type`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -26,4 +26,5 @@ field_mapping:`
`26`	`26`	`ParentProduct:actor_process_signature_product`
`27`	`27`	`ParentCompany:actor_process_signature_vendor`
`28`	`28`	`md5:action_process_image_md5`
`29`		`-sha256:action_process_image_sha256`
	`29`	`+sha256:action_process_image_sha256`
	`30`	`+EventID:action_evtlog_event_id`

`‎uncoder-core/app/translator/mappings/platforms/qradar/default.yml‎`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,9 @@ field_mapping:`
`59`	`59`	`-dst-packets`
`60`	`60`	`src-bytes:src-bytes`
`61`	`61`	`dst-bytes:dst-bytes`
`62`		`-ExternalSeverity:External Severity`
	`62`	`+ExternalSeverity:`
	`63`	`+ -External Severity`
	`64`	`+ -Observeit Severity`
`63`	`65`	`SourceMAC:`
`64`	`66`	`-SourceMAC`
`65`	`67`	`-MAC`
`@@ -73,6 +75,6 @@ field_mapping:`
`73`	`75`	`SourceUserName:SourceUserName`
`74`	`76`	`url_category:XForceCategoryByURL`
`75`	`77`	`EventSeverity:EventSeverity`
`76`		`-Source:`
	`78`	`+Source:`
`77`	`79`	`-Source`
`78`		`- -source`
	`80`	`+ -source`

`‎uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,10 +11,13 @@ default_log_source:`
`11`	`11`	`field_mapping:`
`12`	`12`	`src-ip:`
`13`	`13`	`-sourceip`
	`14`	`+ -sourceIP`
	`15`	`+ -SourceIP`
`14`	`16`	`-SrcHost`
`15`	`17`	`-LocalHost`
`16`	`18`	`-Source`
`17`	`19`	`-NetworkView`
	`20`	`+ -HostName`
`18`	`21`	`src-port:`
`19`	`22`	`-sourceport`
`20`	`23`	`-SrcPort`

`‎uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml‎`

Lines changed: 5 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,9 +11,12 @@ default_log_source:`
`11`	`11`	`category:8110`
`12`	`12`
`13`	`13`	`field_mapping:`
`14`		`-CommandLine:Command`
	`14`	`+CommandLine:`
	`15`	`+ -Command`
	`16`	`+ -ASACommand`
`15`	`17`	`Image:Process Path`
`16`	`18`	`ParentCommandLine:Parent Command`
`17`	`19`	`ParentImage:Parent Process Path`
`18`	`20`	`User:username`
`19`		`-LogonId:Logon ID`
	`21`	`+LogonId:Logon ID`
	`22`	`+EventID:ASASyslogCode`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit4b54f66

File tree

17 files changed

17 files changed

`‎uncoder-core/app/translator/core/custom_types/functions.py‎`

`‎uncoder-core/app/translator/core/custom_types/predefined_fields.py‎`

`‎uncoder-core/app/translator/core/models/field.py‎`

`‎uncoder-core/app/translator/core/render.py‎`

`‎uncoder-core/app/translator/core/tokenizer.py‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/qradar/default.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml‎`

0 commit comments