Gis 8557 splunk fixes#201

Merged
nazargesyk merged 3 commits intomainfromgis-8557
Oct 16, 2024
Merge branch 'prod' into gis-8557
@nazargesyk
nazargesyk committedSep 30, 2024
commit0395030134b243aec624468a1bf88958ed0cedb0
6 changes: 6 additions & 0 deletionsuncoder-core/app/translator/core/exceptions/core.py
Expand Up@@ -17,6 +17,12 @@ def __init__(self, platform_name: str, fields: list[str], mapping: Optional[str]
super().__init__(message)


class UnsupportedMappingsException(BasePlatformException):
def __init__(self, platform_name: str, mappings: list[str]):
message = f"Platform {platform_name} does not support these mappings: {mappings}."
super().__init__(message)


class StrictPlatformFieldException(BasePlatformException):
def __init__(self, platform_name: str, field_name: str):
message = f"Source field `{field_name}` has no mapping for platform {platform_name}."
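Review bot: The message built in `UnsupportedMappingsException.__init__` interpolates `mappings` as a whole list, so the text carries its Python repr (`['a', 'b']`) rather than a readable list; `message = f"Platform {platform_name} does not support these mappings: {', '.join(mappings)}."` reads cleaner and keeps the wording parallel with `StrictPlatformFieldException` below it. The ids that reach this message come from query meta info (the render.py hunk in this commit passes `query_container.meta_info.source_mapping_ids`), so if the message is surfaced to the requester it echoes their input back unchanged, which is worth confirming is intended. The `__init__` whose `super().__init__(message)` opens the hunk starts outside it, and `StrictPlatformFieldException.__init__` continues past its end.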
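--- a/uncoder-core/app/translator/core/mapping.py
+++ b/uncoder-core/app/translator/core/mapping.py
@@ -3,7 +3,7 @@
 from abc import ABC, abstractmethod
 from typing import TYPE_CHECKING, Optional, TypeVar, Union
 
-from app.translator.core.exceptions.core import StrictPlatformException
+from app.translator.core.exceptions.core import StrictPlatformException, UnsupportedMappingsException
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.mappings.utils.load_from_files import LoaderFileMappings
 
@@ -116,7 +116,7 @@ def prepare_mapping(self) -> dict[str, SourceMapping]:
 default_mapping = SourceMapping(source_id=DEFAULT_MAPPING_NAME)
 for mapping_dict in self._loader.load_platform_mappings(self._platform_dir):
 log_source_signature = self.prepare_log_source_signature(mapping=mapping_dict)
-if (source_id := mapping_dict.get("source")) == DEFAULT_MAPPING_NAME:
+if (source_id := mapping_dict["source"]) == DEFAULT_MAPPING_NAME:
 default_mapping.log_source_signature = log_source_signature
 if self.skip_load_default_mappings:
 continue
@@ -152,7 +152,7 @@ def prepare_fields_mapping(field_mapping: dict) -> FieldsMapping:
 def prepare_log_source_signature(self, mapping: dict) -> LogSourceSignature:
 raise NotImplementedError("Abstract method")
 
-defget_suitable_source_mappings(
+defget_source_mappings_by_fields_and_log_sources(
 self, field_names: list[str], log_sources: dict[str, list[Union[int, str]]]
 ) -> list[SourceMapping]:
 by_log_sources_and_fields = []
@@ -170,6 +170,17 @@ def get_suitable_source_mappings(
 
 return by_log_sources_and_fields or by_fields or [self._source_mappings[DEFAULT_MAPPING_NAME]]
 
+def get_source_mappings_by_ids(self, source_mapping_ids: list[str]) -> list[SourceMapping]:
+source_mappings = []
+for source_mapping_id in source_mapping_ids:
+if source_mapping := self.get_source_mapping(source_mapping_id):
+source_mappings.append(source_mapping)
+
+if not source_mappings:
+source_mappings = [self.get_source_mapping(DEFAULT_MAPPING_NAME)]
+
+return source_mappings
+
 def get_source_mapping(self, source_id: str) -> Optional[SourceMapping]:
 return self._source_mappings.get(source_id)
 
@@ -218,3 +229,18 @@ def prepare_mapping(self) -> dict[str, SourceMapping]:
 )
 
 return source_mappings
+
+
+class BaseStrictLogSourcesPlatformMappings(ABC, BasePlatformMappings):
+def get_source_mappings_by_ids(self, source_mapping_ids: list[str]) -> list[SourceMapping]:
+source_mappings = []
+for source_mapping_id in source_mapping_ids:
+if source_mapping_id == DEFAULT_MAPPING_NAME:
+continue
+if source_mapping := self.get_source_mapping(source_mapping_id):
+source_mappings.append(source_mapping)
+
+if not source_mappings:
+raise UnsupportedMappingsException(platform_name=self.details.name, mappings=source_mapping_ids)
+
+return source_mappings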
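Review bot: `class BaseStrictLogSourcesPlatformMappings(ABC, BasePlatformMappings)` lists `ABC` ahead of the concrete base; if `BasePlatformMappings` itself derives from `ABC` (the file imports `ABC` and `abstractmethod` for its own hierarchy), Python cannot build a consistent MRO for that base order and raises `TypeError` when the class statement runs. `class BaseStrictLogSourcesPlatformMappings(BasePlatformMappings, ABC):` is safe in either case, and since the class declares no abstract methods `ABC` could be dropped altogether. In the base `get_source_mappings_by_ids`, the fallback `[self.get_source_mapping(DEFAULT_MAPPING_NAME)]` can yield `[None]` because `get_source_mapping` returns `Optional[SourceMapping]`; indexing `self._source_mappings[DEFAULT_MAPPING_NAME]` as `get_source_mappings_by_fields_and_log_sources` does would surface a missing default at the lookup rather than somewhere downstream. The `prepare_mapping` named in the last hunk header starts outside the hunk.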
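--- a/uncoder-core/app/translator/core/parser.py
+++ b/uncoder-core/app/translator/core/parser.py
@@ -80,6 +80,8 @@ def get_source_mappings(
 self, field_tokens: list[Field], log_sources: dict[str, list[Union[int, str]]]
 ) -> list[SourceMapping]:
 field_names = [field.source_name for field in field_tokens]
-source_mappings = self.mappings.get_suitable_source_mappings(field_names=field_names, log_sources=log_sources)
+source_mappings = self.mappings.get_source_mappings_by_fields_and_log_sources(
+field_names=field_names, log_sources=log_sources
+)
 self.tokenizer.set_field_tokens_generic_names_map(field_tokens, source_mappings, self.mappings.default_mapping)
 return source_mappings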
17 changes: 3 additions & 14 deletionsuncoder-core/app/translator/core/render.py
Expand Up@@ -31,7 +31,7 @@
from app.translator.core.exceptions.parser import UnsupportedOperatorException
from app.translator.core.exceptions.render import UnsupportedRenderMethod
from app.translator.core.functions import PlatformFunctions
from app.translator.core.mapping importDEFAULT_MAPPING_NAME,BasePlatformMappings, LogSourceSignature, SourceMapping
from app.translator.core.mapping import BasePlatformMappings, LogSourceSignature, SourceMapping
from app.translator.core.models.functions.base import Function, RenderedFunctions
from app.translator.core.models.platform_details import PlatformDetails
from app.translator.core.models.query_container import MetaInfoContainer, RawQueryContainer, TokenizedQueryContainer
Expand DownExpand Up@@ -90,7 +90,7 @@ def _map_bool_value(value: bool) -> str:
def _pre_process_value(
self,
field: str,
value: Union[int, str, StrValue],
value: Union[bool,int, str, StrValue],
value_type: str = ValueType.value,
wrap_str: bool = False,
wrap_int: bool = False,
Expand DownExpand Up@@ -384,17 +384,6 @@ def finalize(self, queries_map: dict[str, str]) -> str:

return result

def _get_source_mappings(self, source_mapping_ids: list[str]) -> Optional[list[SourceMapping]]:
source_mappings = []
for source_mapping_id in source_mapping_ids:
if source_mapping := self.mappings.get_source_mapping(source_mapping_id):
source_mappings.append(source_mapping)

if not source_mappings:
source_mappings = [self.mappings.get_source_mapping(DEFAULT_MAPPING_NAME)]

return source_mappings

def generate_from_raw_query_container(self, query_container: RawQueryContainer) -> str:
return self.finalize_query(
prefix="", query=query_container.query, functions="", meta_info=query_container.meta_info
Expand DownExpand Up@@ -464,7 +453,7 @@ def _generate_from_tokenized_query_container_by_source_mapping(
def generate_from_tokenized_query_container(self, query_container: TokenizedQueryContainer) -> str:
queries_map = {}
errors = []
source_mappings = self._get_source_mappings(query_container.meta_info.source_mapping_ids)
source_mappings = self.mappings.get_source_mappings_by_ids(query_container.meta_info.source_mapping_ids)

for source_mapping in source_mappings:
try:
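Review bot: The new call `source_mappings = self.mappings.get_source_mappings_by_ids(query_container.meta_info.source_mapping_ids)` sits outside the per-mapping `try` that follows it, so the `UnsupportedMappingsException` a strict-platform mappings class raises from that lookup propagates out of `generate_from_tokenized_query_container` instead of being collected into `errors` the way per-mapping failures are. If unsupported ids are meant to be reported through the same path, catch `UnsupportedMappingsException` around the lookup and record it in `errors`; if failing fast is intended, a comment such as `# strict platforms raise UnsupportedMappingsException here and are not collected into errors` makes that explicit. The function body continues past the hunk, so how `errors` is consumed is not visible here.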
@@ -0,0 +1,41 @@
platform: ElasticSearch ES|QL
source: aws_cloudtrail
log_source:
index: [logs-*]
default_log_source:
index: logs-*
field_mapping:
additionalEventdata: aws.cloudtrail.additional_eventdata
apiVersion: aws.cloudtrail.api_version
awsRegion: cloud.region
errorCode: aws.cloudtrail.error_code
errorMessage: aws.cloudtrail.error_message
eventID: event.id
eventName: event.action
eventSource: event.provider
eventTime: '@timestamp'
eventType: aws.cloudtrail.event_type
eventVersion: aws.cloudtrail.event_version
managementEvent: aws.cloudtrail.management_event
readOnly: aws.cloudtrail.read_only
requestID: aws.cloudtrail.request_id
requestParameters: aws.cloudtrail.request_parameters
resources.accountId: aws.cloudtrail.resources.account_id
resources.ARN: aws.cloudtrail.resources.arn
resources.type: aws.cloudtrail.resources.type
responseElements: aws.cloudtrail.response_elements
serviceEventDetails: aws.cloudtrail.service_event_details
sharedEventId: aws.cloudtrail.shared_event_id
sourceIPAddress: source.address
userAgent: user_agent
userIdentity.accessKeyId: aws.cloudtrail.user_identity.access_key_id
userIdentity.accountId: cloud.account.id
userIdentity.arn: aws.cloudtrail.user_identity.arn
userIdentity.invokedBy: aws.cloudtrail.user_identity.invoked_by
userIdentity.principalId: user.id
userIdentity.sessionContext.attributes.creationDate: aws.cloudtrail.user_identity.session_context.creation_date
userIdentity.sessionContext.attributes.mfaAuthenticated: aws.cloudtrail.user_identity.session_context.mfa_authenticated
userIdentity.sessionContext.sessionIssuer.userName: role.name
userIdentity.type: aws.cloudtrail.user_identity.type
userIdentity.userName: user.name
vpcEndpointId: aws.cloudtrail.vpc_endpoint_id
@@ -0,0 +1,6 @@
platform: Palo Alto Cortex XDR
source: default


default_log_source:
datamodel: datamodel
@@ -1,4 +1,4 @@
platform: Palo AltoXSIAM
platform: Palo AltoCortex XDR
source: linux_file_event

log_source:
@@ -1,4 +1,4 @@
platform: Palo AltoXSIAM
platform: Palo AltoCortex XDR
source: linux_process_creation

log_source:
@@ -1,4 +1,4 @@
platform: Palo AltoXSIAM
platform: Palo AltoCortex XDR
source: macos_file_event

log_source:
@@ -1,4 +1,4 @@
platform: Palo AltoXSIAM
platform: Palo AltoCortex XDR
source: macos_process_creation

log_source:
@@ -1,4 +1,4 @@
platform: Palo AltoXSIAM
platform: Palo AltoCortex XDR
source: windows_file_event

log_source:
@@ -1,4 +1,4 @@
platform: Palo AltoXSIAM
platform: Palo AltoCortex XDR
source: windows_process_creation

log_source:
@@ -1,4 +1,4 @@
platform: Palo AltoXSIAM
platform: Palo AltoCortex XDR
source: windows_registry_event

log_source:
@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: apache_httpd


@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: apache_tomcat


@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: aws_cloudtrail


@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: aws_eks


@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: azure_aadnoninteractiveusersigninlogs


@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: azure_azureactivity


@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: azure_azuread


@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: azure_m365


@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: azure_signinlogs


@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: default


@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: dns

default_log_source:
@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: firewall

log_source:
@@ -0,0 +1,29 @@
platform: Palo Alto Cortex XSIAM
source: linux_file_event

log_source:
preset: xdr_file

default_log_source:
preset: xdr_file

field_mapping:
TargetFilename: action_file_name
SourceFilename: action_file_previous_file_name
User: actor_effective_username
CommandLine: actor_process_image_command_line
Image: actor_process_image_path
LogonId: actor_process_logon_id
Product: actor_process_signature_product
Company: actor_process_signature_vendor
IntegrityLevel: actor_process_integrity_level
CurrentDirectory: actor_process_cwd
ProcessId: actor_process_os_id
ParentProcessId: causality_actor_process_os_id
ParentCommandLine: causality_actor_process_command_line
ParentImage: causality_actor_process_image_path
ParentUser: causality_actor_effective_username
ParentIntegrityLevel: causality_actor_process_integrity_level
ParentLogonId: causality_actor_process_logon_id
ParentProduct: causality_actor_process_signature_product
ParentCompany: causality_actor_process_signature_vendor
@@ -1,4 +1,4 @@
platform: Palo Alto XSIAM
platform: Palo AltoCortexXSIAM
source: linux_network_connection

log_source:
@@ -0,0 +1,30 @@
platform: Palo Alto Cortex XSIAM
source: linux_process_creation

log_source:
preset: xdr_process

default_log_source:
preset: xdr_process

field_mapping:
User: action_process_username
CommandLine: action_process_image_command_line
Image: action_process_image_path
LogonId: action_process_logon_id
Product: action_process_signature_product
Company: action_process_signature_vendor
IntegrityLevel: action_process_integrity_level
CurrentDirectory: action_process_cwd
ProcessId: action_process_os_pid
ParentProcessId: actor_process_os_pid
ParentCommandLine: actor_process_image_command_line
ParentImage: actor_process_image_path
ParentUser: actor_effective_username
ParentIntegrityLevel: actor_process_integrity_level
ParentLogonId: actor_process_logon_id
ParentProduct: actor_process_signature_product
ParentCompany: actor_process_signature_vendor
md5: action_process_image_md5
sha256: action_process_image_sha256
EventID: action_evtlog_event_id
@@ -0,0 +1,29 @@
platform: Palo Alto Cortex XSIAM
source: macos_file_event

log_source:
preset: xdr_file

default_log_source:
preset: xdr_file

field_mapping:
TargetFilename: action_file_name
SourceFilename: action_file_previous_file_name
User: actor_effective_username
CommandLine: actor_process_image_command_line
Image: actor_process_image_path
LogonId: actor_process_logon_id
Product: actor_process_signature_product
Company: actor_process_signature_vendor
IntegrityLevel: actor_process_integrity_level
CurrentDirectory: actor_process_cwd
ProcessId: actor_process_os_id
ParentProcessId: causality_actor_process_os_id
ParentCommandLine: causality_actor_process_command_line
ParentImage: causality_actor_process_image_path
ParentUser: causality_actor_effective_username
ParentIntegrityLevel: causality_actor_process_integrity_level
ParentLogonId: causality_actor_process_logon_id
ParentProduct: causality_actor_process_signature_product
ParentCompany: causality_actor_process_signature_vendor