Commitae7b8bb

committed
palo alto datamodel mapping usage
1 parent50a0bbf commitae7b8bb

4 files changed

+107
-88
lines changed


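--- a/uncoder-core/app/translator/core/render.py
+++ b/uncoder-core/app/translator/core/render.py
@@ -397,37 +397,45 @@ def generate_raw_log_fields(self, fields: list[Field], source_mapping: SourceMap
 defined_raw_log_fields.append(prefix)
 return"\n".join(defined_raw_log_fields)
 
+def_generate_from_tokenized_query_container_by_source_mapping(
+self,query_container:TokenizedQueryContainer,source_mapping:SourceMapping
+)->str:
+rendered_functions=self.generate_functions(query_container.functions.functions,source_mapping)
+prefix=self.generate_prefix(source_mapping.log_source_signature,rendered_functions.rendered_prefix)
+
+ifsource_mapping.raw_log_fields:
+defined_raw_log_fields=self.generate_raw_log_fields(
+fields=query_container.meta_info.query_fields,source_mapping=source_mapping
+)
+prefix+=f"\n{defined_raw_log_fields}"
+query=self.generate_query(tokens=query_container.tokens,source_mapping=source_mapping)
+not_supported_functions=query_container.functions.not_supported+rendered_functions.not_supported
+returnself.finalize_query(
+prefix=prefix,
+query=query,
+functions=rendered_functions.rendered,
+not_supported_functions=not_supported_functions,
+meta_info=query_container.meta_info,
+source_mapping=source_mapping,
+)
+
 defgenerate_from_tokenized_query_container(self,query_container:TokenizedQueryContainer)->str:
 queries_map= {}
 errors= []
 source_mappings=self._get_source_mappings(query_container.meta_info.source_mapping_ids)
 
 forsource_mappinginsource_mappings:
-rendered_functions=self.generate_functions(query_container.functions.functions,source_mapping)
-prefix=self.generate_prefix(source_mapping.log_source_signature,rendered_functions.rendered_prefix)
 try:
-ifsource_mapping.raw_log_fields:
-defined_raw_log_fields=self.generate_raw_log_fields(
-fields=query_container.meta_info.query_fields,source_mapping=source_mapping
-)
-prefix+=f"\n{defined_raw_log_fields}"
-result=self.generate_query(tokens=query_container.tokens,source_mapping=source_mapping)
+finalized_query=self._generate_from_tokenized_query_container_by_source_mapping(
+query_container,source_mapping
+)
 exceptStrictPlatformExceptionaserr:
 errors.append(err)
 continue
-else:
-not_supported_functions=query_container.functions.not_supported+rendered_functions.not_supported
-finalized_query=self.finalize_query(
-prefix=prefix,
-query=result,
-functions=rendered_functions.rendered,
-not_supported_functions=not_supported_functions,
-meta_info=query_container.meta_info,
-source_mapping=source_mapping,
-)
-ifreturn_only_first_query_ctx_var.get()isTrue:
-returnfinalized_query
-queries_map[source_mapping.source_id]=finalized_query
+
+ifreturn_only_first_query_ctx_var.get()isTrue:
+returnfinalized_query
+queries_map[source_mapping.source_id]=finalized_query
 ifnotqueries_mapanderrors:
 raiseerrors[0]
 returnself.finalize(queries_map)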
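Review bot: The new `_generate_from_tokenized_query_container_by_source_mapping` has no docstring, and the refactor quietly widens the `try` in the caller: `generate_functions` and `generate_prefix` used to run before the `try` (old lines 406-407), so a StrictPlatformException from them propagated, whereas now it lands in `errors` and the mapping is skipped. I would state both in the helper: a summary `"""Render query_container against one source mapping and return the finalized platform query."""` followed by a `Raises:` line saying that StrictPlatformException from any render step propagates to the caller, which collects it per mapping (I infer the raise from the `except` clause; the helpers themselves are not visible here). The loop's policy is also worth one comment on `if not queries_map and errors:`, e.g. `# partial failures are dropped: errors surface only when no mapping rendered`. The enclosing class begins before this hunk.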

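--- a/uncoder-core/app/translator/platforms/forti_siem/renders/forti_siem_rule.py
+++ b/uncoder-core/app/translator/platforms/forti_siem/renders/forti_siem_rule.py
@@ -19,7 +19,6 @@
 
 fromapp.translator.constimportDEFAULT_VALUE_TYPE
 fromapp.translator.core.constimportTOKEN_TYPE
-fromapp.translator.core.context_varsimportreturn_only_first_query_ctx_var
 fromapp.translator.core.custom_types.meta_infoimportSeverityType
 fromapp.translator.core.custom_types.tokensimportGroupType,LogicalOperatorType,OperatorType
 fromapp.translator.core.custom_types.valuesimportValueType
@@ -244,40 +243,33 @@ def __replace_not_tokens(self, tokens: list[TOKEN_TYPE]) -> list[TOKEN_TYPE]:
 
 returntokens
 
-defgenerate_from_tokenized_query_container(self,query_container:TokenizedQueryContainer)->str:
-queries_map= {}
-source_mappings=self._get_source_mappings(query_container.meta_info.source_mapping_ids)
-
-forsource_mappinginsource_mappings:
-is_event_type_set=False
-field_values= [tokenfortokeninquery_container.tokensifisinstance(token,FieldValue)]
-mapped_fields_set=set()
-forfield_valueinfield_values:
-mapped_fields=self.map_field(field_value.field,source_mapping)
-mapped_fields_set=mapped_fields_set.union(set(mapped_fields))
-if_EVENT_TYPE_FIELDinmapped_fields:
-is_event_type_set=True
-self.__update_event_type_values(field_value,source_mapping.source_id)
-
-tokens=self.__replace_not_tokens(query_container.tokens)
-result=self.generate_query(tokens=tokens,source_mapping=source_mapping)
-prefix=""ifis_event_type_setelseself.generate_prefix(source_mapping.log_source_signature)
-rendered_functions=self.generate_functions(query_container.functions.functions,source_mapping)
-not_supported_functions=query_container.functions.not_supported+rendered_functions.not_supported
-finalized_query=self.finalize_query(
-prefix=prefix,
-query=result,
-functions=rendered_functions.rendered,
-not_supported_functions=not_supported_functions,
-meta_info=query_container.meta_info,
-source_mapping=source_mapping,
-fields=mapped_fields_set,
-)
-ifreturn_only_first_query_ctx_var.get()isTrue:
-returnfinalized_query
-queries_map[source_mapping.source_id]=finalized_query
-
-returnself.finalize(queries_map)
+def_generate_from_tokenized_query_container_by_source_mapping(
+self,query_container:TokenizedQueryContainer,source_mapping:SourceMapping
+)->str:
+is_event_type_set=False
+field_values= [tokenfortokeninquery_container.tokensifisinstance(token,FieldValue)]
+mapped_fields_set=set()
+forfield_valueinfield_values:
+mapped_fields=self.map_field(field_value.field,source_mapping)
+mapped_fields_set=mapped_fields_set.union(set(mapped_fields))
+if_EVENT_TYPE_FIELDinmapped_fields:
+is_event_type_set=True
+self.__update_event_type_values(field_value,source_mapping.source_id)
+
+tokens=self.__replace_not_tokens(query_container.tokens)
+result=self.generate_query(tokens=tokens,source_mapping=source_mapping)
+prefix=""ifis_event_type_setelseself.generate_prefix(source_mapping.log_source_signature)
+rendered_functions=self.generate_functions(query_container.functions.functions,source_mapping)
+not_supported_functions=query_container.functions.not_supported+rendered_functions.not_supported
+returnself.finalize_query(
+prefix=prefix,
+query=result,
+functions=rendered_functions.rendered,
+not_supported_functions=not_supported_functions,
+meta_info=query_container.meta_info,
+source_mapping=source_mapping,
+fields=mapped_fields_set,
+)
 
 @staticmethod
 def__update_event_type_values(field_value:FieldValue,source_id:str)->None: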
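Review bot: `_generate_from_tokenized_query_container_by_source_mapping` calls `self.__update_event_type_values(field_value, source_mapping.source_id)` on tokens taken directly from `query_container.tokens`, and since the base-class loop now invokes this helper once per source mapping, each mapping after the first appears to operate on FieldValue tokens already rewritten for the previous one (the static method's body starts outside this hunk, so the in-place mutation is inferred from its name and `-> None` return). The old loop had the same property, but the helper now reads as mapping-local and should say otherwise: `# NOTE(review): __update_event_type_values rewrites the shared FieldValue in place; later source mappings see the rewritten values — confirm this is intended`. The method also lacks a docstring; a one-liner noting that the log-source prefix is dropped when `_EVENT_TYPE_FIELD` is among the mapped fields would explain the non-obvious `is_event_type_set` branch.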

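--- a/uncoder-core/app/translator/platforms/logrhythm_axon/renders/logrhythm_axon_query.py
+++ b/uncoder-core/app/translator/platforms/logrhythm_axon/renders/logrhythm_axon_query.py
@@ -20,7 +20,6 @@
 fromtypingimportUnion
 
 fromapp.translator.constimportDEFAULT_VALUE_TYPE
-fromapp.translator.core.context_varsimportreturn_only_first_query_ctx_var
 fromapp.translator.core.custom_types.tokensimportLogicalOperatorType
 fromapp.translator.core.custom_types.valuesimportValueType
 fromapp.translator.core.exceptions.coreimportStrictPlatformException
@@ -242,30 +241,23 @@ def apply_token(self, token: Union[FieldValue, Keyword, Identifier], source_mapp
 
 returnsuper().apply_token(token,source_mapping)
 
-defgenerate_from_tokenized_query_container(self,query_container:TokenizedQueryContainer)->str:
-queries_map= {}
-source_mappings=self._get_source_mappings(query_container.meta_info.source_mapping_ids)
-
-forsource_mappinginsource_mappings:
-prefix=self.generate_prefix(source_mapping.log_source_signature)
-if"product"inquery_container.meta_info.parsed_logsources:
-prefix=f"{prefix} CONTAINS{query_container.meta_info.parsed_logsources['product'][0]}"
-else:
-prefix=f"{prefix} CONTAINS anything"
-
-result=self.generate_query(tokens=query_container.tokens,source_mapping=source_mapping)
-rendered_functions=self.generate_functions(query_container.functions.functions,source_mapping)
-not_supported_functions=query_container.functions.not_supported+rendered_functions.not_supported
-finalized_query=self.finalize_query(
-prefix=prefix,
-query=result,
-functions=rendered_functions.rendered,
-not_supported_functions=not_supported_functions,
-meta_info=query_container.meta_info,
-source_mapping=source_mapping,
-)
-ifreturn_only_first_query_ctx_var.get()isTrue:
-returnfinalized_query
-queries_map[source_mapping.source_id]=finalized_query
-
-returnself.finalize(queries_map)
+def_generate_from_tokenized_query_container_by_source_mapping(
+self,query_container:TokenizedQueryContainer,source_mapping:SourceMapping
+)->str:
+prefix=self.generate_prefix(source_mapping.log_source_signature)
+if"product"inquery_container.meta_info.parsed_logsources:
+prefix=f"{prefix} CONTAINS{query_container.meta_info.parsed_logsources['product'][0]}"
+else:
+prefix=f"{prefix} CONTAINS anything"
+
+result=self.generate_query(tokens=query_container.tokens,source_mapping=source_mapping)
+rendered_functions=self.generate_functions(query_container.functions.functions,source_mapping)
+not_supported_functions=query_container.functions.not_supported+rendered_functions.not_supported
+returnself.finalize_query(
+prefix=prefix,
+query=result,
+functions=rendered_functions.rendered,
+not_supported_functions=not_supported_functions,
+meta_info=query_container.meta_info,
+source_mapping=source_mapping,
+)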
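Review bot: `prefix = f"{prefix} CONTAINS{query_container.meta_info.parsed_logsources['product'][0]}"` splices the rule's product value into the generated query with no quoting or escaping and indexes `[0]` without checking the list is non-empty; both lines are carried over from the removed loop, but this helper is now the only render path for the platform. If `parsed_logsources` is derived from the untrusted input rule, a crafted product string changes the structure of the emitted query rather than just its value — confirm that it is validated upstream, or pass it through the same value escaping this render applies to field values. The empty-list case is a two-line guard: `products = query_container.meta_info.parsed_logsources.get("product")` then `prefix = f"{prefix} CONTAINS {products[0]}" if products else f"{prefix} CONTAINS anything"` (the space between `CONTAINS` and the value is unclear in this rendering; keep whatever the original emits).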

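--- a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
@@ -20,13 +20,15 @@
 fromtypingimportClassVar,Optional,Union
 
 fromapp.translator.constimportDEFAULT_VALUE_TYPE
-fromapp.translator.core.context_varsimportpreset_log_source_str_ctx_var
+fromapp.translator.core.context_varsimportpreset_log_source_str_ctx_var,return_only_first_query_ctx_var
 fromapp.translator.core.custom_types.tokensimportOperatorType
 fromapp.translator.core.custom_types.valuesimportValueType
-fromapp.translator.core.mappingimportSourceMapping
+fromapp.translator.core.exceptions.coreimportStrictPlatformException
+fromapp.translator.core.mappingimportDEFAULT_MAPPING_NAME,SourceMapping
 fromapp.translator.core.models.fieldimportFieldValue,Keyword
 fromapp.translator.core.models.identifierimportIdentifier
 fromapp.translator.core.models.platform_detailsimportPlatformDetails
+fromapp.translator.core.models.query_containerimportTokenizedQueryContainer
 fromapp.translator.core.renderimportBaseFieldFieldRender,BaseFieldValueRender,PlatformQueryRender
 fromapp.translator.core.str_value_managerimportStrValue
 fromapp.translator.managersimportrender_manager
@@ -71,8 +73,7 @@ def _wrap_str_value(value: str) -> str:
 defequal_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:
 ifisinstance(value,list):
 values=", ".join(
-f"{self._pre_process_value(field,str(v)ifisinstance(v,int)elsev,ValueType.value,True)}"
-forvinvalue
+f"{self._pre_process_value(field,str(v),value_type=ValueType.value,wrap_str=True)}"forvinvalue
 )
 returnf"{field} in ({values})"
 
@@ -222,3 +223,29 @@ def apply_token(self, token: Union[FieldValue, Keyword, Identifier], source_mapp
 @staticmethod
 def_finalize_search_query(query:str)->str:
 returnf"| filter{query}"ifqueryelse""
+
+defgenerate_from_tokenized_query_container(self,query_container:TokenizedQueryContainer)->str:
+queries_map= {}
+errors= []
+source_mappings=self._get_source_mappings(query_container.meta_info.source_mapping_ids)
+
+forsource_mappinginsource_mappings:
+try:
+finalized_query=self._generate_from_tokenized_query_container_by_source_mapping(
+query_container,source_mapping
+)
+exceptStrictPlatformExceptionaserr:
+ifsource_mapping.source_id!=DEFAULT_MAPPING_NAME:
+errors.append(err)
+continue
+
+finalized_query=self._generate_from_tokenized_query_container_by_source_mapping(
+query_container,self.mappings.get_source_mapping(DEFAULT_MAPPING_NAME)
+)
+
+ifreturn_only_first_query_ctx_var.get()isTrue:
+returnfinalized_query
+queries_map[source_mapping.source_id]=finalized_query
+ifnotqueries_mapanderrors:
+raiseerrors[0]
+returnself.finalize(queries_map)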
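Review bot: The fallback render against `self.mappings.get_source_mapping(DEFAULT_MAPPING_NAME)` inside the `except` is itself unguarded, so a StrictPlatformException from the default mapping escapes the loop, bypasses the `errors` collection and the `raise errors[0]` policy, and throws away queries already rendered for earlier mappings; its result is then stored under `queries_map[source_mapping.source_id]`, so a query rendered against the generic datamodel is labelled as the source-specific one with nothing in the output marking the substitution, which matters when the consumer is a detection rule meant for that source. Indentation is lost in this rendering, so I cannot tell whether the fallback sits inside the `if source_mapping.source_id != DEFAULT_MAPPING_NAME` block or after it; if it is reached only when the default mapping itself failed, it re-renders the mapping that just raised and will raise again. Either way the fallback belongs inside the same error policy, and the substitution should at least be recorded (a comment here, or a marker in the rendered output) so the mislabelling is visible. The class this method belongs to starts before this hunk.
```python
            except StrictPlatformException as err:
                errors.append(err)
                if source_mapping.source_id == DEFAULT_MAPPING_NAME:
                    continue
                # Source-specific mapping is too strict for this query: retry with the
                # generic datamodel mapping, but keep its failure inside the error policy.
                try:
                    finalized_query = self._generate_from_tokenized_query_container_by_source_mapping(
                        query_container, self.mappings.get_source_mapping(DEFAULT_MAPPING_NAME)
                    )
                except StrictPlatformException as fallback_err:
                    errors.append(fallback_err)
                    continue
            # … unchanged: return_only_first_query_ctx_var short-circuit and queries_map bookkeeping …
```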
