NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commit0395030

committed

Merge branch 'prod' into gis-8557

1 parent6c99633 commit0395030Copy full SHA for 0395030

File tree

63 files changed

+653

-277

lines changed

uncoder-core/app/translator
- core
  - exceptions
    - core.py
  - mapping.py
  - parser.py
  - render.py
- mappings/platforms
- platforms
  - base/aql
    - mapping.py
    - parsers
      - aql.py
  - elasticsearch/renders
    - esql.py
  - palo_alto
    - __init__.py
    - const.py
    - mapping.py
    - renders
  - sigma
    - mapping.py
    - parsers
      - sigma.py

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

63 files changed

+653

-277

lines changed

`‎uncoder-core/app/translator/core/exceptions/core.py‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,12 @@ def __init__(self, platform_name: str, fields: list[str], mapping: Optional[str]`
`17`	`17`	`super().__init__(message)`
`18`	`18`
`19`	`19`
	`20`	`+classUnsupportedMappingsException(BasePlatformException):`
	`21`	`+def__init__(self,platform_name:str,mappings:list[str]):`
	`22`	`+message=f"Platform{platform_name} does not support these mappings:{mappings}."`
	`23`	`+super().__init__(message)`
	`24`	`+`
	`25`	`+`
`20`	`26`	`classStrictPlatformFieldException(BasePlatformException):`
`21`	`27`	`def__init__(self,platform_name:str,field_name:str):`
`22`	`28`	message=f"Source field `{field_name}` has no mapping for platform{platform_name}."

`‎uncoder-core/app/translator/core/mapping.py‎`

Lines changed: 29 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`fromabcimportABC,abstractmethod`
`4`	`4`	`fromtypingimportTYPE_CHECKING,Optional,TypeVar,Union`
`5`	`5`
`6`		`-fromapp.translator.core.exceptions.coreimportStrictPlatformException`
	`6`	`+fromapp.translator.core.exceptions.coreimportStrictPlatformException,UnsupportedMappingsException`
`7`	`7`	`fromapp.translator.core.models.platform_detailsimportPlatformDetails`
`8`	`8`	`fromapp.translator.mappings.utils.load_from_filesimportLoaderFileMappings`
`9`	`9`
`@@ -116,7 +116,7 @@ def prepare_mapping(self) -> dict[str, SourceMapping]:`
`116`	`116`	`default_mapping=SourceMapping(source_id=DEFAULT_MAPPING_NAME)`
`117`	`117`	`formapping_dictinself._loader.load_platform_mappings(self._platform_dir):`
`118`	`118`	`log_source_signature=self.prepare_log_source_signature(mapping=mapping_dict)`
`119`		`-if (source_id:=mapping_dict.get("source"))==DEFAULT_MAPPING_NAME:`
	`119`	`+if (source_id:=mapping_dict["source"])==DEFAULT_MAPPING_NAME:`
`120`	`120`	`default_mapping.log_source_signature=log_source_signature`
`121`	`121`	`ifself.skip_load_default_mappings:`
`122`	`122`	`continue`
`@@ -152,7 +152,7 @@ def prepare_fields_mapping(field_mapping: dict) -> FieldsMapping:`
`152`	`152`	`defprepare_log_source_signature(self,mapping:dict)->LogSourceSignature:`
`153`	`153`	`raiseNotImplementedError("Abstract method")`
`154`	`154`
`155`		`-defget_suitable_source_mappings(`
	`155`	`+defget_source_mappings_by_fields_and_log_sources(`
`156`	`156`	`self,field_names:list[str],log_sources:dict[str,list[Union[int,str]]]`
`157`	`157`	`)->list[SourceMapping]:`
`158`	`158`	`by_log_sources_and_fields= []`
`@@ -170,6 +170,17 @@ def get_suitable_source_mappings(`
`170`	`170`
`171`	`171`	`returnby_log_sources_and_fieldsorby_fieldsor [self._source_mappings[DEFAULT_MAPPING_NAME]]`
`172`	`172`
	`173`	`+defget_source_mappings_by_ids(self,source_mapping_ids:list[str])->list[SourceMapping]:`
	`174`	`+source_mappings= []`
	`175`	`+forsource_mapping_idinsource_mapping_ids:`
	`176`	`+ifsource_mapping:=self.get_source_mapping(source_mapping_id):`
	`177`	`+source_mappings.append(source_mapping)`
	`178`	`+`
	`179`	`+ifnotsource_mappings:`
	`180`	`+source_mappings= [self.get_source_mapping(DEFAULT_MAPPING_NAME)]`
	`181`	`+`
	`182`	`+returnsource_mappings`
	`183`	`+`
`173`	`184`	`defget_source_mapping(self,source_id:str)->Optional[SourceMapping]:`
`174`	`185`	`returnself._source_mappings.get(source_id)`
`175`	`186`
`@@ -218,3 +229,18 @@ def prepare_mapping(self) -> dict[str, SourceMapping]:`
`218`	`229`	`)`
`219`	`230`
`220`	`231`	`returnsource_mappings`
	`232`	`+`
	`233`	`+`
	`234`	`+classBaseStrictLogSourcesPlatformMappings(ABC,BasePlatformMappings):`
	`235`	`+defget_source_mappings_by_ids(self,source_mapping_ids:list[str])->list[SourceMapping]:`
	`236`	`+source_mappings= []`
	`237`	`+forsource_mapping_idinsource_mapping_ids:`
	`238`	`+ifsource_mapping_id==DEFAULT_MAPPING_NAME:`
	`239`	`+continue`
	`240`	`+ifsource_mapping:=self.get_source_mapping(source_mapping_id):`
	`241`	`+source_mappings.append(source_mapping)`
	`242`	`+`
	`243`	`+ifnotsource_mappings:`
	`244`	`+raiseUnsupportedMappingsException(platform_name=self.details.name,mappings=source_mapping_ids)`
	`245`	`+`
	`246`	`+returnsource_mappings`

`‎uncoder-core/app/translator/core/parser.py‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,8 @@ def get_source_mappings(`
`80`	`80`	`self,field_tokens:list[Field],log_sources:dict[str,list[Union[int,str]]]`
`81`	`81`	`)->list[SourceMapping]:`
`82`	`82`	`field_names= [field.source_nameforfieldinfield_tokens]`
`83`		`-source_mappings=self.mappings.get_suitable_source_mappings(field_names=field_names,log_sources=log_sources)`
	`83`	`+source_mappings=self.mappings.get_source_mappings_by_fields_and_log_sources(`
	`84`	`+field_names=field_names,log_sources=log_sources`
	`85`	`+ )`
`84`	`86`	`self.tokenizer.set_field_tokens_generic_names_map(field_tokens,source_mappings,self.mappings.default_mapping)`
`85`	`87`	`returnsource_mappings`

`‎uncoder-core/app/translator/core/render.py‎`

Lines changed: 3 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@`
`31`	`31`	`fromapp.translator.core.exceptions.parserimportUnsupportedOperatorException`
`32`	`32`	`fromapp.translator.core.exceptions.renderimportUnsupportedRenderMethod`
`33`	`33`	`fromapp.translator.core.functionsimportPlatformFunctions`
`34`		`-fromapp.translator.core.mappingimportDEFAULT_MAPPING_NAME,BasePlatformMappings,LogSourceSignature,SourceMapping`
	`34`	`+fromapp.translator.core.mappingimportBasePlatformMappings,LogSourceSignature,SourceMapping`
`35`	`35`	`fromapp.translator.core.models.functions.baseimportFunction,RenderedFunctions`
`36`	`36`	`fromapp.translator.core.models.platform_detailsimportPlatformDetails`
`37`	`37`	`fromapp.translator.core.models.query_containerimportMetaInfoContainer,RawQueryContainer,TokenizedQueryContainer`
`@@ -90,7 +90,7 @@ def _map_bool_value(value: bool) -> str:`
`90`	`90`	`def_pre_process_value(`
`91`	`91`	`self,`
`92`	`92`	`field:str,`
`93`		`-value:Union[int,str,StrValue],`
	`93`	`+value:Union[bool,int,str,StrValue],`
`94`	`94`	`value_type:str=ValueType.value,`
`95`	`95`	`wrap_str:bool=False,`
`96`	`96`	`wrap_int:bool=False,`
`@@ -384,17 +384,6 @@ def finalize(self, queries_map: dict[str, str]) -> str:`
`384`	`384`
`385`	`385`	`returnresult`
`386`	`386`
`387`		`-def_get_source_mappings(self,source_mapping_ids:list[str])->Optional[list[SourceMapping]]:`
`388`		`-source_mappings= []`
`389`		`-forsource_mapping_idinsource_mapping_ids:`
`390`		`-ifsource_mapping:=self.mappings.get_source_mapping(source_mapping_id):`
`391`		`-source_mappings.append(source_mapping)`
`392`		`-`
`393`		`-ifnotsource_mappings:`
`394`		`-source_mappings= [self.mappings.get_source_mapping(DEFAULT_MAPPING_NAME)]`
`395`		`-`
`396`		`-returnsource_mappings`
`397`		`-`
`398`	`387`	`defgenerate_from_raw_query_container(self,query_container:RawQueryContainer)->str:`
`399`	`388`	`returnself.finalize_query(`
`400`	`389`	`prefix="",query=query_container.query,functions="",meta_info=query_container.meta_info`
`@@ -464,7 +453,7 @@ def _generate_from_tokenized_query_container_by_source_mapping(`
`464`	`453`	`defgenerate_from_tokenized_query_container(self,query_container:TokenizedQueryContainer)->str:`
`465`	`454`	`queries_map= {}`
`466`	`455`	`errors= []`
`467`		`-source_mappings=self._get_source_mappings(query_container.meta_info.source_mapping_ids)`
	`456`	`+source_mappings=self.mappings.get_source_mappings_by_ids(query_container.meta_info.source_mapping_ids)`
`468`	`457`
`469`	`458`	`forsource_mappinginsource_mappings:`
`470`	`459`	`try:`

`‎uncoder-core/app/translator/mappings/platforms/elasticsearch_esql/aws_cloudtrail.yml‎`

Lines changed: 41 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,41 @@`
	`1`	`+platform:ElasticSearch ES\|QL`
	`2`	`+source:aws_cloudtrail`
	`3`	`+log_source:`
	`4`	`+index:[logs-*]`
	`5`	`+default_log_source:`
	`6`	`+index:logs-*`
	`7`	`+field_mapping:`
	`8`	`+additionalEventdata:aws.cloudtrail.additional_eventdata`
	`9`	`+apiVersion:aws.cloudtrail.api_version`
	`10`	`+awsRegion:cloud.region`
	`11`	`+errorCode:aws.cloudtrail.error_code`
	`12`	`+errorMessage:aws.cloudtrail.error_message`
	`13`	`+eventID:event.id`
	`14`	`+eventName:event.action`
	`15`	`+eventSource:event.provider`
	`16`	`+eventTime:'@timestamp'`
	`17`	`+eventType:aws.cloudtrail.event_type`
	`18`	`+eventVersion:aws.cloudtrail.event_version`
	`19`	`+managementEvent:aws.cloudtrail.management_event`
	`20`	`+readOnly:aws.cloudtrail.read_only`
	`21`	`+requestID:aws.cloudtrail.request_id`
	`22`	`+requestParameters:aws.cloudtrail.request_parameters`
	`23`	`+resources.accountId:aws.cloudtrail.resources.account_id`
	`24`	`+resources.ARN:aws.cloudtrail.resources.arn`
	`25`	`+resources.type:aws.cloudtrail.resources.type`
	`26`	`+responseElements:aws.cloudtrail.response_elements`
	`27`	`+serviceEventDetails:aws.cloudtrail.service_event_details`
	`28`	`+sharedEventId:aws.cloudtrail.shared_event_id`
	`29`	`+sourceIPAddress:source.address`
	`30`	`+userAgent:user_agent`
	`31`	`+userIdentity.accessKeyId:aws.cloudtrail.user_identity.access_key_id`
	`32`	`+userIdentity.accountId:cloud.account.id`
	`33`	`+userIdentity.arn:aws.cloudtrail.user_identity.arn`
	`34`	`+userIdentity.invokedBy:aws.cloudtrail.user_identity.invoked_by`
	`35`	`+userIdentity.principalId:user.id`
	`36`	`+userIdentity.sessionContext.attributes.creationDate:aws.cloudtrail.user_identity.session_context.creation_date`
	`37`	`+userIdentity.sessionContext.attributes.mfaAuthenticated:aws.cloudtrail.user_identity.session_context.mfa_authenticated`
	`38`	`+userIdentity.sessionContext.sessionIssuer.userName:role.name`
	`39`	`+userIdentity.type:aws.cloudtrail.user_identity.type`
	`40`	`+userIdentity.userName:user.name`
	`41`	`+vpcEndpointId:aws.cloudtrail.vpc_endpoint_id`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/default.yml‎`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,6 @@`
	`1`	`+platform:Palo Alto Cortex XDR`
	`2`	`+source:default`
	`3`	`+`
	`4`	`+`
	`5`	`+default_log_source:`
	`6`	`+datamodel:datamodel`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_file_event.yml‎renamed to ‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_file_event.yml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-platform:Palo AltoXSIAM`
	`1`	`+platform:Palo AltoCortex XDR`
`2`	`2`	`source:linux_file_event`
`3`	`3`
`4`	`4`	`log_source:`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml‎renamed to ‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_process_creation.yml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-platform:Palo AltoXSIAM`
	`1`	`+platform:Palo AltoCortex XDR`
`2`	`2`	`source:linux_process_creation`
`3`	`3`
`4`	`4`	`log_source:`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_file_event.yml‎renamed to ‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_file_event.yml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-platform:Palo AltoXSIAM`
	`1`	`+platform:Palo AltoCortex XDR`
`2`	`2`	`source:macos_file_event`
`3`	`3`
`4`	`4`	`log_source:`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_process_creation.yml‎renamed to ‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_process_creation.yml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-platform:Palo AltoXSIAM`
	`1`	`+platform:Palo AltoCortex XDR`
`2`	`2`	`source:macos_process_creation`
`3`	`3`
`4`	`4`	`log_source:`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0395030

File tree

63 files changed

Some content is hidden

63 files changed

`‎uncoder-core/app/translator/core/exceptions/core.py‎`

`‎uncoder-core/app/translator/core/mapping.py‎`

`‎uncoder-core/app/translator/core/parser.py‎`

`‎uncoder-core/app/translator/core/render.py‎`

`‎uncoder-core/app/translator/mappings/platforms/elasticsearch_esql/aws_cloudtrail.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/default.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_file_event.yml‎renamed to ‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_file_event.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml‎renamed to ‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_process_creation.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_file_event.yml‎renamed to ‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_file_event.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_process_creation.yml‎renamed to ‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_process_creation.yml‎`

0 commit comments