Commit68d3e0e

authored
Merge pull request#162 from UncoderIO/gis-7956
Gis 7956
2 parents95e0b6e +5f2d770 commit68d3e0e


3 files changed

+33
-1
lines changed


‎uncoder-core/app/translator/core/models/field.py‎

Lines changed: 5 additions & 0 deletions
@@ -60,6 +60,11 @@ def value(self) -> Union[int, str, StrValue, list[Union[int, str, StrValue]]]:
6060
returnself.values[0]
6161
returnself.values
6262

63+
@value.setter
64+
defvalue(self,new_value:Union[int,str,StrValue,list[Union[int,str,StrValue]]])->None:
65+
self.values= []
66+
self.__add_value(new_value)
67+
6368
def__add_value(self,value:Optional[Union[int,str,StrValue,list,tuple]])->None:
6469
ifvalueandisinstance(value, (list,tuple)):
6570
forvinvalue:

‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_registry_event.yml‎

Lines changed: 2 additions & 1 deletion
@@ -28,4 +28,5 @@ field_mapping:
2828
ParentIntegrityLevel:causality_actor_process_integrity_level
2929
ParentLogonId:causality_actor_process_logon_id
3030
ParentProduct:causality_actor_process_signature_product
31-
ParentCompany:causality_actor_process_signature_vendor
31+
ParentCompany:causality_actor_process_signature_vendor
32+
EventType:event_sub_type

‎uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py‎

Lines changed: 26 additions & 0 deletions
@@ -21,6 +21,9 @@
2121

2222
fromapp.translator.constimportDEFAULT_VALUE_TYPE
2323
fromapp.translator.core.custom_types.valuesimportValueType
24+
fromapp.translator.core.mappingimportSourceMapping
25+
fromapp.translator.core.models.fieldimportFieldValue,Keyword
26+
fromapp.translator.core.models.identifierimportIdentifier
2427
fromapp.translator.core.models.platform_detailsimportPlatformDetails
2528
fromapp.translator.core.renderimportBaseQueryFieldValue,PlatformQueryRender
2629
fromapp.translator.core.str_value_managerimportStrValue
@@ -34,6 +37,16 @@
3437
)
3538
fromapp.translator.platforms.palo_alto.str_value_managerimportcortex_xql_str_value_manager
3639

40+
SOURCE_MAPPING_TO_FIELD_VALUE_MAP= {
41+
"windows_registry_event": {
42+
"EventType": {
43+
"SetValue":"REGISTRY_SET_VALUE",
44+
"DeleteValue":"REGISTRY_DELETE_VALUE",
45+
"CreateKey":"REGISTRY_CREATE_KEY",
46+
}
47+
}
48+
}
49+
3750

3851
classCortexXQLFieldValue(BaseQueryFieldValue):
3952
details:PlatformDetails=cortex_xql_query_details
@@ -173,6 +186,19 @@ def generate_prefix(self, log_source_signature: CortexXQLLogSourceSignature, fun
173186
functions_prefix=f"{functions_prefix} | "iffunctions_prefixelse""
174187
returnf"{functions_prefix}{log_source_signature}"
175188

189+
defapply_token(self,token:Union[FieldValue,Keyword,Identifier],source_mapping:SourceMapping)->str:
190+
ifisinstance(token,FieldValue):
191+
field_name=token.field.source_name
192+
ifvalues_map:=SOURCE_MAPPING_TO_FIELD_VALUE_MAP.get(source_mapping.source_id, {}).get(field_name):
193+
values_to_update= []
194+
fortoken_valueintoken.values:
195+
mapped_value:str=values_map.get(token_value,token_value)
196+
values_to_update.append(
197+
StrValue(value=mapped_value,split_value=mapped_value.split())ifmapped_valueelsetoken_value
198+
)
199+
token.value=values_to_update
200+
returnsuper().apply_token(token=token,source_mapping=source_mapping)
201+
176202
@staticmethod
177203
def_finalize_search_query(query:str)->str:
178204
returnf"| filter{query}"ifqueryelse""
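Review bot: In `apply_token`, every value of a mapped field is re-wrapped in a fresh `StrValue` whether or not it was actually found in `values_map`, because `values_map.get(token_value, token_value)` falls back to the original value and the `if mapped_value` guard only skips falsy ones; an unmapped `int` (the `value` setter in field.py in this same commit accepts ints) would reach `mapped_value.split()` and raise `AttributeError`, and an unmapped `StrValue` loses whatever `split_value` it already carried. Restrict the rewrite to real hits with `mapped_value = values_map.get(token_value)` and `StrValue(value=mapped_value, split_value=mapped_value.split()) if mapped_value else token_value`. Separately, Sigma `EventType` values outside SetValue/DeleteValue/CreateKey pass through verbatim into the `event_sub_type` filter, which most likely produces a query that never matches rather than an error, so a `# NOTE: values absent from SOURCE_MAPPING_TO_FIELD_VALUE_MAP are emitted unchanged; extend the map for other registry event types` comment or a warning would make that silent-miss failure mode visible. Also `token.value = values_to_update` mutates the parsed token in place, so if the same token tree is rendered for more than one platform the Cortex-specific constants would leak into later renders — worth confirming against the caller. The enclosing render class begins outside this hunk.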
