Commit2b3836c

authored

Merge pull request#111 from UncoderIO/gis-7789

Palo Alto Cortex XSIAM: add support array of default logsources

2 parents4f01f62 +17ea72d commit2b3836cCopy full SHA for 2b3836c

File tree

+31

-19

lines changed

+31

-19

lines changed

Lines changed: 14 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,14 @@`
	`1`	`+platform:Palo Alto XSIAM`
	`2`	`+source:webserver`
	`3`	`+`
	`4`	`+default_log_source:`
	`5`	`+dataset:[apache_tomcat_raw, nginx_nginx_raw, apache_tomcat_raw]`
	`6`	`+`
	`7`	`+field_mapping:`
	`8`	`+c-uri:xdm.network.http.url`
	`9`	`+c-useragent:xdm.source.user_agent`
	`10`	`+cs-method:xdm.network.http.method`
	`11`	`+cs-bytes:xdm.target.sent_bytes`
	`12`	`+c-uri-query:xdm.network.http.url`
	`13`	`+cs-referrer:xdm.network.http.referrer`
	`14`	`+sc-status:xdm.network.http.response_code`

Lines changed: 4 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,9 +7,10 @@`
`7`	`7`
`8`	`8`	`classXQLEscapeManager(EscapeManager):`
`9`	`9`	`escape_map:ClassVar[dict[str,list[EscapeDetails]]]= {`
`10`		-ValueType.regex_value: [EscapeDetails(pattern=r'([_!@#$%^&*=+()\[\]{}\|;:\'",.<>?/`~\-\s\\])',escape_symbols=r"\\\1")],
`11`		`-ValueType.value: [EscapeDetails(pattern=r'([\\])',escape_symbols=r"\\\1")],`
`12`		`-`
	`10`	`+ValueType.regex_value: [`
	`11`	+EscapeDetails(pattern=r'([_!@#$%^&*=+()\[\]{}\|;:\'",.<>?/`~\-\s\\])',escape_symbols=r"\\\1")
	`12`	`+ ],`
	`13`	`+ValueType.value: [EscapeDetails(pattern=r"([\\])",escape_symbols=r"\\\1")],`
`13`	`14`	`}`
`14`	`15`
`15`	`16`

Lines changed: 11 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-fromtypingimportOptional`
	`1`	`+fromtypingimportOptional,Union`
`2`	`2`
`3`	`3`	`fromapp.translator.core.mappingimport (`
`4`	`4`	`DEFAULT_MAPPING_NAME,`
`@@ -18,8 +18,17 @@ def __init__(self, preset: Optional[list[str]], dataset: Optional[list[str]], de`
`18`	`18`	`defis_suitable(self,preset:str,dataset:str)->bool:`
`19`	`19`	`returnpreset==self.presetordataset==self.dataset`
`20`	`20`
	`21`	`+def__prepare_log_source_for_render(self,logsource:Union[str,list[str]],model:str="datamodel")->str:`
	`22`	`+ifisinstance(logsource,list):`
	`23`	`+returnf"{model} in ({', '.join(sourceforsourceinlogsource)})"`
	`24`	`+returnf"{model} ={logsource}"`
	`25`	`+`
`21`	`26`	`def__str__(self)->str:`
`22`		`-returnself._default_source.get("preset")orself._default_source.get("dataset")`
	`27`	`+ifpreset_data:=self._default_source.get("preset"):`
	`28`	`+returnself.__prepare_log_source_for_render(logsource=preset_data,model="preset")`
	`29`	`+ifdataset_data:=self._default_source.get("dataset"):`
	`30`	`+returnself.__prepare_log_source_for_render(logsource=dataset_data,model="dataset")`
	`31`	`+return"datamodel"`
`23`	`32`
`24`	`33`
`25`	`34`	`classCortexXSIAMMappings(BasePlatformMappings):`

Lines changed: 2 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -69,9 +69,7 @@ def contains_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:`
`69`	`69`
`70`	`70`	`defendswith_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
`71`	`71`	`ifisinstance(value,list):`
`72`		`-return (`
`73`		`-f"({self.or_token.join(self.endswith_modifier(field=field,value=v)forvinvalue)})"`
`74`		`- )`
	`72`	`+returnf"({self.or_token.join(self.endswith_modifier(field=field,value=v)forvinvalue)})"`
`75`	`73`	`returnf'{field} ~= ".*{self.apply_value(value,value_type=ValueType.regex_value)}"'`
`76`	`74`
`77`	`75`	`defstartswith_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
`@@ -118,14 +116,4 @@ class CortexXQLQueryRender(PlatformQueryRender):`
`118`	`116`	`is_single_line_comment=False`
`119`	`117`
`120`	`118`	`defgenerate_prefix(self,log_source_signature:CortexXSIAMLogSourceSignature)->str:`
`121`		`-preset= (`
`122`		`-f"preset ={log_source_signature._default_source.get('preset')}"`
`123`		`-iflog_source_signature._default_source.get("preset")`
`124`		`-elseNone`
`125`		`- )`
`126`		`-dataset= (`
`127`		`-f"dataset ={log_source_signature._default_source.get('dataset')}"`
`128`		`-iflog_source_signature._default_source.get("dataset")`
`129`		`-elseNone`
`130`		`- )`
`131`		`-returnpresetordatasetor"datamodel"`
	`119`	`+returnstr(log_source_signature)`

Comments

(0)