From 9fb67bd7f9655becee5c386bafa3ab9c5607b62c Mon Sep 17 00:00:00 2001
From: Viktor Hrebeniuk <76157115+saltar-ua@users.noreply.github.com>
Date: Fri, 17 May 2024 17:54:36 +0300
Subject: [PATCH 1/3] Palo Alto Cortex XSIAM: Add support array of default logsources

---
 .../platforms/palo_alto_cortex/webserver.yml | 14 ++++++++++++++
 .../app/translator/platforms/palo_alto/mapping.py | 13 +++++++++++--
 .../platforms/palo_alto/renders/cortex_xsiam.py | 12 +----------
 3 files changed, 26 insertions(+), 13 deletions(-)
 create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml

diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
new file mode 100644
index 00000000..c845789b
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
@@ -0,0 +1,14 @@
+platform: Palo Alto XSIAM
+source: webserver
+
+default_log_source:
+  dataset: [apache_tomcat_raw, nginx_nginx_raw, apache_tomcat_raw]
+
+field_mapping:
+  c-uri: xdm.network.http.url
+  c-useragent: xdm.source.user_agent
+  cs-method: xdm.network.http.method
+  cs-bytes: xdm.target.sent_bytes
+  c-uri-query: xdm.network.http.url
+  cs-referrer: xdm.network.http.referrer
+  sc-status: xdm.network.http.response_code
diff --git a/uncoder-core/app/translator/platforms/palo_alto/mapping.py b/uncoder-core/app/translator/platforms/palo_alto/mapping.py
index bc3ab39c..832e5428 100644
--- a/uncoder-core/app/translator/platforms/palo_alto/mapping.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/mapping.py
@@ -1,4 +1,4 @@
-from typing import Optional
+from typing import Optional, Union
 
 from app.translator.core.mapping import (
     DEFAULT_MAPPING_NAME,
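Review bot: The `dataset` list in the new webserver mapping names `apache_tomcat_raw` twice, so with the list rendering added in mapping.py in this same patch the prefix would read `dataset in (apache_tomcat_raw, nginx_nginx_raw, apache_tomcat_raw)`; drop the repeat, `dataset: [apache_tomcat_raw, nginx_nginx_raw]`, unless a third dataset was meant. `c-uri` and `c-uri-query` both map to `xdm.network.http.url`; if that is deliberate because the query string is carried inside the URL field, a short `# query string is part of xdm.network.http.url` comment next to `c-uri-query` would save the next reader the check.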
@@ -18,8 +18,17 @@ def __init__(self, preset: Optional[list[str]], dataset: Optional[list[str]], de
     def is_suitable(self, preset: str, dataset: str) -> bool:
         return preset == self.preset or dataset == self.dataset
 
+    def __prepare_log_source_for_render(self, logsource: Union[str, list[str]], model: str = "datamodel") -> str:
+        if isinstance(logsource, list):
+            return f"{model} in ({', '.join([source for source in logsource])})"
+        return f"{model} = {logsource}"
+
     def __str__(self) -> str:
-        return self._default_source.get("preset") or self._default_source.get("dataset")
+        if preset_data := self._default_source.get("preset"):
+            return self.__prepare_log_source_for_render(logsource=preset_data, model="preset")
+        if dataset_data := self._default_source.get("dataset"):
+            return self.__prepare_log_source_for_render(logsource=dataset_data, model="preset")
+        return "datamodel"
 
 
 class CortexXSIAMMappings(BasePlatformMappings):
diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
index 5f6c95c6..1147e256 100644
--- a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
@@ -118,14 +118,4 @@ class CortexXQLQueryRender(PlatformQueryRender):
     is_single_line_comment = False
 
     def generate_prefix(self, log_source_signature: CortexXSIAMLogSourceSignature) -> str:
-        preset = (
-            f"preset = {log_source_signature._default_source.get('preset')}"
-            if log_source_signature._default_source.get("preset")
-            else None
-        )
-        dataset = (
-            f"dataset = {log_source_signature._default_source.get('dataset')}"
-            if log_source_signature._default_source.get("dataset")
-            else None
-        )
-        return preset or dataset or "datamodel"
+        return str(log_source_signature)

From 99547096b4e66598179c61d3c0860f874d9b727d Mon Sep 17 00:00:00 2001
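Review bot: `__prepare_log_source_for_render` declares `model: str = "datamodel"` as a default, but both call sites in `__str__` pass `model` explicitly, and the default would render `datamodel = <name>`, which is not what the bare `"datamodel"` fallback on the last line of `__str__` means; make it `model: str` with no default so a missed argument fails loudly instead of producing a malformed prefix. The double-underscore name is mangled to a `_<ClassName>__prepare_log_source_for_render` attribute, which blocks subclass overrides for no gain; the single-underscore convention already used for `_default_source` fits better. Since the list form is new behaviour, a docstring stating the output shape would help, e.g. `"""Render a log-source clause: 'model = name' for one source, 'model in (a, b)' for a list."""`.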
From: Viktor Hrebeniuk <76157115+saltar-ua@users.noreply.github.com>
Date: Fri, 17 May 2024 17:56:05 +0300
Subject: [PATCH 2/3] Palo Alto Cortex XSIAM: Add support array of default logsources

---
 .../app/translator/platforms/palo_alto/escape_manager.py | 7 ++++---
 uncoder-core/app/translator/platforms/palo_alto/mapping.py | 2 +-
 .../translator/platforms/palo_alto/renders/cortex_xsiam.py | 4 +---
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/uncoder-core/app/translator/platforms/palo_alto/escape_manager.py b/uncoder-core/app/translator/platforms/palo_alto/escape_manager.py
index 5ea90f40..eba294b5 100644
--- a/uncoder-core/app/translator/platforms/palo_alto/escape_manager.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/escape_manager.py
@@ -7,9 +7,10 @@
 
 class XQLEscapeManager(EscapeManager):
     escape_map: ClassVar[dict[str, list[EscapeDetails]]] = {
-        ValueType.regex_value: [EscapeDetails(pattern=r'([_!@#$%^&*=+()\[\]{}|;:\'",.<>?/`~\-\s\\])', escape_symbols=r"\\\1")],
-        ValueType.value: [EscapeDetails(pattern=r'([\\])', escape_symbols=r"\\\1")],
-
+        ValueType.regex_value: [
+            EscapeDetails(pattern=r'([_!@#$%^&*=+()\[\]{}|;:\'",.<>?/`~\-\s\\])', escape_symbols=r"\\\1")
+        ],
+        ValueType.value: [EscapeDetails(pattern=r"([\\])", escape_symbols=r"\\\1")],
     }
 
 
diff --git a/uncoder-core/app/translator/platforms/palo_alto/mapping.py b/uncoder-core/app/translator/platforms/palo_alto/mapping.py
index 832e5428..393b15f5 100644
--- a/uncoder-core/app/translator/platforms/palo_alto/mapping.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/mapping.py
@@ -20,7 +20,7 @@ def is_suitable(self, preset: str, dataset: str) -> bool:
 
     def __prepare_log_source_for_render(self, logsource: Union[str, list[str]], model: str = "datamodel") -> str:
         if isinstance(logsource, list):
-            return f"{model} in ({', '.join([source for source in logsource])})"
+            return f"{model} in ({', '.join(source for source in logsource)})"
         return f"{model} = {logsource}"
 
     def __str__(self) -> str:
diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
index 1147e256..37c96f3b 100644
--- a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
@@ -69,9 +69,7 @@ def contains_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
 
     def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
-            return (
-                f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})"
-            )
+            return f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})"
         return f'{field} ~= ".*{self.apply_value(value, value_type=ValueType.regex_value)}"'
 
     def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:

From 17ea72ddd9a27a6503ebdd2cc3a86da9a3980009 Mon Sep 17 00:00:00 2001
From: Viktor Hrebeniuk <76157115+saltar-ua@users.noreply.github.com>
Date: Mon, 20 May 2024 13:11:14 +0300
Subject: [PATCH 3/3] Fix bug

---
 uncoder-core/app/translator/platforms/palo_alto/mapping.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/uncoder-core/app/translator/platforms/palo_alto/mapping.py b/uncoder-core/app/translator/platforms/palo_alto/mapping.py
index 393b15f5..a4fd9c64 100644
--- a/uncoder-core/app/translator/platforms/palo_alto/mapping.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/mapping.py
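Review bot: The generator in the new `', '.join(source for source in logsource)` is an identity pass over a `list[str]`; `', '.join(logsource)` yields the same string with less to read. If repeated names in a mapping should not reach the generated query (the webserver.yml added in patch 1 lists `apache_tomcat_raw` twice), `', '.join(dict.fromkeys(logsource))` drops duplicates while keeping the declared order, and a one-line comment `# dedupe, order preserved` makes the intent explicit.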
@@ -27,7 +27,7 @@ def __str__(self) -> str:
         if preset_data := self._default_source.get("preset"):
             return self.__prepare_log_source_for_render(logsource=preset_data, model="preset")
         if dataset_data := self._default_source.get("dataset"):
-            return self.__prepare_log_source_for_render(logsource=dataset_data, model="preset")
+            return self.__prepare_log_source_for_render(logsource=dataset_data, model="dataset")
         return "datamodel"
 
 
pFad - Phonifier reborn
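Review bot: The `preset` and `dataset` branches in `__str__` are now identical apart from the model name, and this patch exists because one copy carried the wrong name; a single loop removes the duplication, `for model in ("preset", "dataset"):` / `if log_source := self._default_source.get(model):` / `return self.__prepare_log_source_for_render(logsource=log_source, model=model)`, with the trailing `return "datamodel"` kept as is. A unit test asserting that a dataset-only mapping renders with the `dataset` keyword would have caught the original slip and guards against its return.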