diff --git a/uncoder-core/app/translator/core/exceptions/core.py b/uncoder-core/app/translator/core/exceptions/core.py index e6358cce..425c1ff0 100644 --- a/uncoder-core/app/translator/core/exceptions/core.py +++ b/uncoder-core/app/translator/core/exceptions/core.py @@ -17,6 +17,12 @@ def __init__(self, platform_name: str, fields: list[str], mapping: Optional[str] super().__init__(message) +class UnsupportedMappingsException(BasePlatformException): + def __init__(self, platform_name: str, mappings: list[str]): + message = f"Platform {platform_name} does not support these mappings: {mappings}." + super().__init__(message) + + class StrictPlatformFieldException(BasePlatformException): def __init__(self, platform_name: str, field_name: str): message = f"Source field `{field_name}` has no mapping for platform {platform_name}." diff --git a/uncoder-core/app/translator/core/mapping.py b/uncoder-core/app/translator/core/mapping.py index 886cfdc3..2a06147d 100644 --- a/uncoder-core/app/translator/core/mapping.py +++ b/uncoder-core/app/translator/core/mapping.py @@ -3,7 +3,7 @@ from abc import ABC, abstractmethod from typing import TYPE_CHECKING, Optional, TypeVar, Union -from app.translator.core.exceptions.core import StrictPlatformException +from app.translator.core.exceptions.core import StrictPlatformException, UnsupportedMappingsException from app.translator.core.models.platform_details import PlatformDetails from app.translator.mappings.utils.load_from_files import LoaderFileMappings 
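Review bot: The message in the new UnsupportedMappingsException interpolates the list directly, so users will see a Python repr such as `['a', 'b']` rather than a readable list of mapping ids; `message = f"Platform {platform_name} does not support these mappings: {', '.join(mappings)}."` reads better and keeps the same information. A one-line docstring stating when this is raised would also help, e.g. `"""Raised when none of the requested source mapping ids is defined for the platform."""`, since the raise site lives in a different module.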
@@ -116,7 +116,7 @@ def prepare_mapping(self) -> dict[str, SourceMapping]: default_mapping = SourceMapping(source_id=DEFAULT_MAPPING_NAME) for mapping_dict in self._loader.load_platform_mappings(self._platform_dir): log_source_signature = self.prepare_log_source_signature(mapping=mapping_dict) - if (source_id := mapping_dict.get("source")) == DEFAULT_MAPPING_NAME: + if (source_id := mapping_dict["source"]) == DEFAULT_MAPPING_NAME: default_mapping.log_source_signature = log_source_signature if self.skip_load_default_mappings: continue @@ -152,7 +152,7 @@ def prepare_fields_mapping(field_mapping: dict) -> FieldsMapping: def prepare_log_source_signature(self, mapping: dict) -> LogSourceSignature: raise NotImplementedError("Abstract method") - def get_suitable_source_mappings( + def get_source_mappings_by_fields_and_log_sources( self, field_names: list[str], log_sources: dict[str, list[Union[int, str]]] ) -> list[SourceMapping]: by_log_sources_and_fields = [] @@ -170,6 +170,17 @@ def get_suitable_source_mappings( return by_log_sources_and_fields or by_fields or [self._source_mappings[DEFAULT_MAPPING_NAME]] + def get_source_mappings_by_ids(self, source_mapping_ids: list[str]) -> list[SourceMapping]: + source_mappings = [] + for source_mapping_id in source_mapping_ids: + if source_mapping := self.get_source_mapping(source_mapping_id): + source_mappings.append(source_mapping) + + if not source_mappings: + source_mappings = [self.get_source_mapping(DEFAULT_MAPPING_NAME)] + + return source_mappings + def get_source_mapping(self, source_id: str) -> Optional[SourceMapping]: return self._source_mappings.get(source_id) 
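Review bot: Switching to `mapping_dict["source"]` in the first hunk means a mapping file without a `source` key now fails with a bare KeyError that names neither the platform directory nor the file, which makes a malformed mapping hard to locate at load time. Consider keeping `.get("source")` and raising an explicit error that mentions `self._platform_dir` when the key is missing, so the failure is loud but attributable. prepare_mapping starts and ends outside the hunk.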
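Review bot: In the new get_source_mappings_by_ids the fallback `[self.get_source_mapping(DEFAULT_MAPPING_NAME)]` can yield `[None]`, because get_source_mapping is declared Optional, while the return type promises `list[SourceMapping]`; the sibling get_source_mappings_by_fields_and_log_sources uses `[self._source_mappings[DEFAULT_MAPPING_NAME]]`, which is consistent and fails loudly if the default mapping is absent. Unknown ids are also dropped silently here, so a query whose mapping ids are all unrecognised is rendered against the default mapping without any signal to the caller; a docstring stating that fallback would make the contract explicit, e.g. `"""Return the mappings for the given ids; unknown ids are ignored and the default mapping is used when none match."""`.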
@@ -218,3 +229,18 @@ def prepare_mapping(self) -> dict[str, SourceMapping]: ) return source_mappings + + +class BaseStrictLogSourcesPlatformMappings(ABC, BasePlatformMappings): + def get_source_mappings_by_ids(self, source_mapping_ids: list[str]) -> list[SourceMapping]: + source_mappings = [] + for source_mapping_id in source_mapping_ids: + if source_mapping_id == DEFAULT_MAPPING_NAME: + continue + if source_mapping := self.get_source_mapping(source_mapping_id): + source_mappings.append(source_mapping) + + if not source_mappings: + raise UnsupportedMappingsException(platform_name=self.details.name, mappings=source_mapping_ids) + + return source_mappings diff --git a/uncoder-core/app/translator/core/parser.py b/uncoder-core/app/translator/core/parser.py index 2d8ba1cc..0ad509d1 100644 --- a/uncoder-core/app/translator/core/parser.py +++ b/uncoder-core/app/translator/core/parser.py @@ -80,6 +80,8 @@ def get_source_mappings( self, field_tokens: list[Field], log_sources: dict[str, list[Union[int, str]]] ) -> list[SourceMapping]: field_names = [field.source_name for field in field_tokens] - source_mappings = self.mappings.get_suitable_source_mappings(field_names=field_names, log_sources=log_sources) + source_mappings = self.mappings.get_source_mappings_by_fields_and_log_sources( + field_names=field_names, log_sources=log_sources + ) self.tokenizer.set_field_tokens_generic_names_map(field_tokens, source_mappings, self.mappings.default_mapping) return source_mappings diff --git a/uncoder-core/app/translator/core/render.py b/uncoder-core/app/translator/core/render.py index 778fbfb2..97709dd0 100644 --- a/uncoder-core/app/translator/core/render.py +++ b/uncoder-core/app/translator/core/render.py 
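Review bot: `class BaseStrictLogSourcesPlatformMappings(ABC, BasePlatformMappings)` lists ABC before its concrete parent; if BasePlatformMappings already derives from ABC (its class line is outside this diff, but the module imports ABC and abstractmethod), Python cannot build a consistent MRO and the module fails at import with a TypeError. The safe order is `class BaseStrictLogSourcesPlatformMappings(BasePlatformMappings, ABC):` or simply `class BaseStrictLogSourcesPlatformMappings(BasePlatformMappings):`. Note also that the raised exception reports the full `source_mapping_ids`, including the DEFAULT_MAPPING_NAME entry the loop deliberately skips, so the message can claim "default" is unsupported; and `self.details` is not visible in this hunk, so it presumably comes from the parent.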
@@ -31,7 +31,7 @@ from app.translator.core.exceptions.parser import UnsupportedOperatorException from app.translator.core.exceptions.render import UnsupportedRenderMethod from app.translator.core.functions import PlatformFunctions -from app.translator.core.mapping import DEFAULT_MAPPING_NAME, BasePlatformMappings, LogSourceSignature, SourceMapping +from app.translator.core.mapping import BasePlatformMappings, LogSourceSignature, SourceMapping from app.translator.core.models.functions.base import Function, RenderedFunctions from app.translator.core.models.platform_details import PlatformDetails from app.translator.core.models.query_container import MetaInfoContainer, RawQueryContainer, TokenizedQueryContainer @@ -384,17 +384,6 @@ def finalize(self, queries_map: dict[str, str]) -> str: return result - def _get_source_mappings(self, source_mapping_ids: list[str]) -> Optional[list[SourceMapping]]: - source_mappings = [] - for source_mapping_id in source_mapping_ids: - if source_mapping := self.mappings.get_source_mapping(source_mapping_id): - source_mappings.append(source_mapping) - - if not source_mappings: - source_mappings = [self.mappings.get_source_mapping(DEFAULT_MAPPING_NAME)] - - return source_mappings - def generate_from_raw_query_container(self, query_container: RawQueryContainer) -> str: return self.finalize_query( prefix="", query=query_container.query, functions="", meta_info=query_container.meta_info @@ -464,7 +453,7 @@ def _generate_from_tokenized_query_container_by_source_mapping( def generate_from_tokenized_query_container(self, query_container: TokenizedQueryContainer) -> str: queries_map = {} errors = [] - source_mappings = self._get_source_mappings(query_container.meta_info.source_mapping_ids) + source_mappings = self.mappings.get_source_mappings_by_ids(query_container.meta_info.source_mapping_ids) for source_mapping in source_mappings: try: 
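Review bot: In the last hunk the replaced call `self.mappings.get_source_mappings_by_ids(...)` can now raise UnsupportedMappingsException (from the new strict mappings subclass) before the per-mapping `try:` at the end of the hunk, so that failure bypasses the `errors` aggregation this function otherwise uses for mapping problems. If that is intended, a short comment at the call site would prevent a later reader from moving it inside the loop, e.g. `# strict platforms raise UnsupportedMappingsException here when no id matches; presumably handled upstream`. generate_from_tokenized_query_container continues past the hunk.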
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/default.yml new file mode 100644 index 00000000..3bb33181 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/default.yml @@ -0,0 +1,6 @@ +platform: Palo Alto Cortex XDR +source: default + + +default_log_source: + datamodel: datamodel diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_file_event.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_file_event.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_file_event.yml index 5367f2f4..48cd3530 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_file_event.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_file_event.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: linux_file_event log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_process_creation.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_process_creation.yml index 06d225bc..683d4b90 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_process_creation.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: linux_process_creation log_source: 
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_file_event.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_file_event.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_file_event.yml index 75080012..28639263 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_file_event.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_file_event.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: macos_file_event log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_process_creation.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_process_creation.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_process_creation.yml index 43d5a733..72d368f7 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_process_creation.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_process_creation.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: macos_process_creation log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_file_event.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_file_event.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_file_event.yml index b6523006..10065aac 100644 
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_file_event.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_file_event.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: windows_file_event log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_process_creation.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_creation.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_process_creation.yml index 06e3a5d9..b3201f3d 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_creation.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_process_creation.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: windows_process_creation log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_registry_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_registry_event.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_registry_event.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_registry_event.yml index 04abb36b..dbcddfef 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_registry_event.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_registry_event.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: windows_registry_event log_source: 
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/apache_httpd.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/apache_httpd.yml similarity index 91% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/apache_httpd.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/apache_httpd.yml index d2007c81..ee859e86 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/apache_httpd.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/apache_httpd.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: apache_httpd diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/apache_tomcat.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/apache_tomcat.yml similarity index 89% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/apache_tomcat.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/apache_tomcat.yml index 2be3cd99..821fa0d4 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/apache_tomcat.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/apache_tomcat.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: apache_tomcat diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/aws_cloudtrail.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/aws_cloudtrail.yml index 980f2125..7e1b6ac9 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml 
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/aws_cloudtrail.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: aws_cloudtrail diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_eks.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/aws_eks.yml similarity index 94% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_eks.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/aws_eks.yml index e7ba2c05..c7159587 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_eks.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/aws_eks.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: aws_eks diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_aadnoninteractiveusersigninlogs.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_aadnoninteractiveusersigninlogs.yml similarity index 91% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_aadnoninteractiveusersigninlogs.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_aadnoninteractiveusersigninlogs.yml index cd489ccb..40d419d9 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_aadnoninteractiveusersigninlogs.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_aadnoninteractiveusersigninlogs.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: azure_aadnoninteractiveusersigninlogs 
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azureactivity.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_azureactivity.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azureactivity.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_azureactivity.yml index b6605a61..78cb3137 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azureactivity.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_azureactivity.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: azure_azureactivity diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azuread.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_azuread.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azuread.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_azuread.yml index c05ce310..6044b336 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azuread.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_azuread.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: azure_azuread diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_m365.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_m365.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_m365.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_m365.yml index ea4cfecf..94e7a832 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_m365.yml 
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_m365.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: azure_m365 diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_signinlogs.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_signinlogs.yml index b5b84cde..5aafbe6a 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_signinlogs.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: azure_signinlogs diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/default.yml similarity index 99% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/default.yml index f767249b..7405d27b 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/default.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: default diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/dns.yml similarity index 92% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/dns.yml index e279a60a..ceb20d2d 100644 
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/dns.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: dns default_log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/firewall.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/firewall.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/firewall.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/firewall.yml index fc18e036..b85d5706 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/firewall.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/firewall.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: firewall log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_file_event.yml new file mode 100644 index 00000000..92223940 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_file_event.yml 
@@ -0,0 +1,29 @@ +platform: Palo Alto Cortex XSIAM +source: linux_file_event + +log_source: + preset: xdr_file + +default_log_source: + preset: xdr_file + +field_mapping: + TargetFilename: action_file_name + SourceFilename: action_file_previous_file_name + User: actor_effective_username + CommandLine: actor_process_image_command_line + Image: actor_process_image_path + LogonId: actor_process_logon_id + Product: actor_process_signature_product + Company: actor_process_signature_vendor + IntegrityLevel: actor_process_integrity_level + CurrentDirectory: actor_process_cwd + ProcessId: actor_process_os_id + ParentProcessId: causality_actor_process_os_id + ParentCommandLine: causality_actor_process_command_line + ParentImage: causality_actor_process_image_path + ParentUser: causality_actor_effective_username + ParentIntegrityLevel: causality_actor_process_integrity_level + ParentLogonId: causality_actor_process_logon_id + ParentProduct: causality_actor_process_signature_product + ParentCompany: causality_actor_process_signature_vendor \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_network_connection.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_network_connection.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_network_connection.yml index 310297be..1e1933e7 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_network_connection.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_network_connection.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: linux_network_connection log_source: 
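Review bot: The new linux_file_event.yml maps `ProcessId: actor_process_os_id` and `ParentProcessId: causality_actor_process_os_id`, while the new linux_process_creation.yml and macos_process_creation.yml in the same directory use the `*_os_pid` spelling (`action_process_os_pid`, `actor_process_os_pid`); macos_file_event.yml repeats the `*_os_id` form. Only one of the two spellings can be the dataset's field name, and a wrong one makes any translated rule filtering on a process id silently match nothing, so these should be checked against the XSIAM schema and aligned. This file is also written without a trailing newline, unlike the renamed mappings.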
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_process_creation.yml new file mode 100644 index 00000000..1245f22f --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_process_creation.yml @@ -0,0 +1,30 @@ +platform: Palo Alto Cortex XSIAM +source: linux_process_creation + +log_source: + preset: xdr_process + +default_log_source: + preset: xdr_process + +field_mapping: + User: action_process_username + CommandLine: action_process_image_command_line + Image: action_process_image_path + LogonId: action_process_logon_id + Product: action_process_signature_product + Company: action_process_signature_vendor + IntegrityLevel: action_process_integrity_level + CurrentDirectory: action_process_cwd + ProcessId: action_process_os_pid + ParentProcessId: actor_process_os_pid + ParentCommandLine: actor_process_image_command_line + ParentImage: actor_process_image_path + ParentUser: actor_effective_username + ParentIntegrityLevel: actor_process_integrity_level + ParentLogonId: actor_process_logon_id + ParentProduct: actor_process_signature_product + ParentCompany: actor_process_signature_vendor + md5: action_process_image_md5 + sha256: action_process_image_sha256 + EventID: action_evtlog_event_id \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_file_event.yml new file mode 100644 index 00000000..60899029 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_file_event.yml 
@@ -0,0 +1,29 @@ +platform: Palo Alto Cortex XSIAM +source: macos_file_event + +log_source: + preset: xdr_file + +default_log_source: + preset: xdr_file + +field_mapping: + TargetFilename: action_file_name + SourceFilename: action_file_previous_file_name + User: actor_effective_username + CommandLine: actor_process_image_command_line + Image: actor_process_image_path + LogonId: actor_process_logon_id + Product: actor_process_signature_product + Company: actor_process_signature_vendor + IntegrityLevel: actor_process_integrity_level + CurrentDirectory: actor_process_cwd + ProcessId: actor_process_os_id + ParentProcessId: causality_actor_process_os_id + ParentCommandLine: causality_actor_process_command_line + ParentImage: causality_actor_process_image_path + ParentUser: causality_actor_effective_username + ParentIntegrityLevel: causality_actor_process_integrity_level + ParentLogonId: causality_actor_process_logon_id + ParentProduct: causality_actor_process_signature_product + ParentCompany: causality_actor_process_signature_vendor \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_network_connection.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_network_connection.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_network_connection.yml index aea8606f..727a1a8d 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_network_connection.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_network_connection.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: macos_network_connection log_source: 
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_process_creation.yml new file mode 100644 index 00000000..e02e77a4 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_process_creation.yml @@ -0,0 +1,29 @@ +platform: Palo Alto Cortex XSIAM +source: macos_process_creation + +log_source: + preset: xdr_process + +default_log_source: + preset: xdr_process + +field_mapping: + User: action_process_username + CommandLine: action_process_image_command_line + Image: action_process_image_path + LogonId: action_process_logon_id + Product: action_process_signature_product + Company: action_process_signature_vendor + IntegrityLevel: action_process_integrity_level + CurrentDirectory: action_process_cwd + ProcessId: action_process_os_pid + ParentProcessId: actor_process_os_pid + ParentCommandLine: actor_process_image_command_line + ParentImage: actor_process_image_path + ParentUser: actor_effective_username + ParentIntegrityLevel: actor_process_integrity_level + ParentLogonId: actor_process_logon_id + ParentProduct: actor_process_signature_product + ParentCompany: actor_process_signature_vendor + md5: action_process_image_md5 + sha256: action_process_image_sha256 \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/nginx_nginx.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/nginx_nginx.yml similarity index 91% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/nginx_nginx.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/nginx_nginx.yml index 4622390f..54072934 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/nginx_nginx.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/nginx_nginx.yml 
@@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: nginx_nginx diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/okta_okta.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/okta_okta.yml similarity index 82% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/okta_okta.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/okta_okta.yml index c0ed1066..db2e2c47 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/okta_okta.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/okta_okta.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: okta_okta diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/proxy.yml similarity index 95% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/proxy.yml index c546dc4e..846f872d 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/proxy.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: proxy default_log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/slack_slack_raw.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/slack_slack_raw.yml similarity index 81% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/slack_slack_raw.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/slack_slack_raw.yml index 60501a61..6098e617 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/slack_slack_raw.yml 
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/slack_slack_raw.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: slack_slack_raw diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/webserver.yml similarity index 94% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/webserver.yml index 505012f0..b7791fc5 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/webserver.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: webserver default_log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_application.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_application.yml similarity index 92% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_application.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_application.yml index d40073fd..f215f241 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_application.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_application.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_application default_log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_file_event.yml new file mode 100644 index 00000000..736f6215 --- /dev/null 
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_file_event.yml @@ -0,0 +1,29 @@ +platform: Palo Alto Cortex XSIAM +source: windows_file_event + +log_source: + preset: xdr_file + +default_log_source: + preset: xdr_file + +field_mapping: + TargetFilename: action_file_name + SourceFilename: action_file_previous_file_name + User: actor_effective_username + CommandLine: actor_process_image_command_line + Image: actor_process_image_path + LogonId: actor_process_logon_id + Product: actor_process_signature_product + Company: actor_process_signature_vendor + IntegrityLevel: actor_process_integrity_level + CurrentDirectory: actor_process_cwd + ProcessId: actor_process_os_id + ParentProcessId: causality_actor_process_os_id + ParentCommandLine: causality_actor_process_command_line + ParentImage: causality_actor_process_image_path + ParentUser: causality_actor_effective_username + ParentIntegrityLevel: causality_actor_process_integrity_level + ParentLogonId: causality_actor_process_logon_id + ParentProduct: causality_actor_process_signature_product + ParentCompany: causality_actor_process_signature_vendor \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_image_load.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_image_load.yml index 98e62b8f..daaffa63 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_image_load.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_image_load log_source: 
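Review bot: `ParentCommandLine: causality_actor_process_command_line` names the causality column without `_image_`, while the actor's own column two lines above is `actor_process_image_command_line` and windows_process_creation.yml spells the actor column the same way; either the causality column genuinely has a different name or this is a typo. Please confirm against the `xdr_file` preset, because a wrong column name makes ParentCommandLine rules match nothing rather than fail. If it is the latter, the line becomes `ParentCommandLine: causality_actor_process_image_command_line`, and macos_file_event.yml and windows_registry_event.yml carry the same line.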
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_network_connection.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_network_connection.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_network_connection.yml index 9c535767..ba6ea04c 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_network_connection.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_network_connection.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_network_connection log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_pipe_created.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_pipe_created.yml similarity index 83% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_pipe_created.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_pipe_created.yml index 8deb0974..0fae37fe 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_pipe_created.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_pipe_created.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_pipe_created default_log_source: 
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_powershell.yml similarity index 90% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_powershell.yml index 41ed1439..100c75d3 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_powershell.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_powershell diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_access.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_access.yml similarity index 92% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_access.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_access.yml index ab559df0..f626eed5 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_access.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_access.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_process_access default_log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_creation.yml new file mode 100644 index 00000000..ec7f6cd2 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_creation.yml 
@@ -0,0 +1,30 @@ +platform: Palo Alto Cortex XSIAM +source: windows_process_creation + +log_source: + preset: xdr_process + +default_log_source: + preset: xdr_process + +field_mapping: + User: action_process_username + CommandLine: action_process_image_command_line + Image: action_process_image_path + LogonId: action_process_logon_id + Product: action_process_signature_product + Company: action_process_signature_vendor + IntegrityLevel: action_process_integrity_level + CurrentDirectory: action_process_cwd + ProcessId: action_process_os_pid + ParentProcessId: actor_process_os_pid + ParentCommandLine: actor_process_image_command_line + ParentImage: actor_process_image_path + ParentUser: actor_effective_username + ParentIntegrityLevel: actor_process_integrity_level + ParentLogonId: actor_process_logon_id + ParentProduct: actor_process_signature_product + ParentCompany: actor_process_signature_vendor + md5: action_process_image_md5 + sha256: action_process_image_sha256 + OriginalFileName: actor_process_file_original_name \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_termination.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_termination.yml similarity index 87% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_termination.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_termination.yml index 731d6b8e..baf07e5b 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_termination.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_termination.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_process_termination log_source: 
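Review bot: `OriginalFileName: actor_process_file_original_name` maps a property of the created process onto the actor (parent) process: every other non-Parent field in this file (`Image`, `CommandLine`, `md5`, `sha256`) uses an `action_process_*` column and every `Parent*` field uses `actor_process_*`, so this line is the only one that breaks the pattern. OriginalFileName is the field Sigma rules rely on to catch renamed binaries (an `Image` that is not `cmd.exe` whose PE original name is), and with this mapping such a rule inspects the parent instead, firing on the wrong process or not at all. If the dataset exposes it, this should read `OriginalFileName: action_process_file_original_name`; if it does not, drop the line so the field is reported as unmapped rather than mis-mapped.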
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_registry_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_registry_event.yml new file mode 100644 index 00000000..fc2a4b71 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_registry_event.yml @@ -0,0 +1,32 @@ +platform: Palo Alto Cortex XSIAM +source: windows_registry_event + +log_source: + preset: xdr_registry + +default_log_source: + preset: xdr_registry + +field_mapping: + Details: + - action_registry_value_name + - action_registry_data + TargetObject: action_registry_key_name + User: actor_effective_username + CommandLine: actor_process_image_command_line + Image: actor_process_image_path + LogonId: actor_process_logon_id + Product: actor_process_signature_product + Company: actor_process_signature_vendor + IntegrityLevel: actor_process_integrity_level + CurrentDirectory: actor_process_cwd + ProcessId: actor_process_os_id + ParentProcessId: causality_actor_process_os_id + ParentCommandLine: causality_actor_process_command_line + ParentImage: causality_actor_process_image_path + ParentUser: causality_actor_effective_username + ParentIntegrityLevel: causality_actor_process_integrity_level + ParentLogonId: causality_actor_process_logon_id + ParentProduct: causality_actor_process_signature_product + ParentCompany: causality_actor_process_signature_vendor + EventType: event_sub_type \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_security.yml similarity index 99% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_security.yml index 59a56f71..0c446f2a 100644 
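Review bot: `TargetObject: action_registry_key_name` maps only the key path, whereas Sigma's `TargetObject` is modelled on Sysmon registry events, where the value name is appended to the key path and most rules match suffixes like `\Run\SomeValue`; if `action_registry_key_name` holds just the key, those `endswith`/`contains` patterns will not match. Consider mapping it to both columns the way `Details` already is (`TargetObject:` / `  - action_registry_key_name` / `  - action_registry_value_name`), or add a comment in the file stating that the column includes the value name, so the limitation is visible to rule authors.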
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_security.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_security default_log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_sysmon.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_sysmon.yml index a15909c9..8609ef23 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_sysmon.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_sysmon diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_system.yml similarity index 93% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_system.yml index 07730124..5e602fa3 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_system.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_system default_log_source: diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py index 9882e4e3..9e71fe2a 100644 
--- a/uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py +++ b/uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py @@ -29,7 +29,7 @@ from app.translator.platforms.elasticsearch.mapping import ElasticESQLMappings, esql_query_mappings from app.translator.platforms.elasticsearch.str_value_manager import ( ESQLQueryStrValueManager, - esql_query_str_value_manager, + esql_query_str_value_manager ) diff --git a/uncoder-core/app/translator/platforms/palo_alto/__init__.py b/uncoder-core/app/translator/platforms/palo_alto/__init__.py index 437bfbd7..e0ed85a2 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/__init__.py +++ b/uncoder-core/app/translator/platforms/palo_alto/__init__.py @@ -1 +1,2 @@ -from app.translator.platforms.palo_alto.renders.cortex_xsiam import CortexXQLQueryRender # noqa: F401 +from app.translator.platforms.palo_alto.renders.cortex_xdr import CortexXDRXQLQueryRender # noqa: F401 +from app.translator.platforms.palo_alto.renders.cortex_xsiam import CortexXSIAMXQLQueryRender # noqa: F401 diff --git a/uncoder-core/app/translator/platforms/palo_alto/const.py b/uncoder-core/app/translator/platforms/palo_alto/const.py index 120938df..12facc47 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/const.py +++ b/uncoder-core/app/translator/platforms/palo_alto/const.py 
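Review bot: Dropping the `CortexXQLQueryRender` export from `app.translator.platforms.palo_alto` is a breaking rename for any code that imported it by that name; the XSIAM `platform_id` stays `cortex-xql-query`, so API callers keep working, but Python importers do not. A one-line alias keeps both working: `CortexXQLQueryRender = CortexXSIAMXQLQueryRender  # backward-compatible alias`. If the old name is intentionally retired, a changelog note would be the alternative.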
@@ -1,16 +1,26 @@ from app.translator.core.custom_types.predefined_fields import IPLocationType, TimeType from app.translator.core.models.platform_details import PlatformDetails -PLATFORM_DETAILS = {"group_id": "cortex", "group_name": "Palo Alto Cortex XSIAM"} +PLATFORM_DETAILS = {} CORTEX_XSIAM_XQL_QUERY_DETAILS = { "platform_id": "cortex-xql-query", "name": "Palo Alto Cortex XSIAM Query", "platform_name": "Query (XQL)", - **PLATFORM_DETAILS, + "group_id": "cortex-xsiam", + "group_name": "Palo Alto Cortex XSIAM", } -cortex_xql_query_details = PlatformDetails(**CORTEX_XSIAM_XQL_QUERY_DETAILS) +CORTEX_XDR_XQL_QUERY_DETAILS = { + "platform_id": "cortex-xdr-xql-query", + "name": "Palo Alto Cortex XDR Query", + "platform_name": "Query (XQL)", + "group_id": "cortex-xdr", + "group_name": "Palo Alto Cortex XDR", +} + +cortex_xsiam_xql_query_details = PlatformDetails(**CORTEX_XSIAM_XQL_QUERY_DETAILS) +cortex_xdr_xql_query_details = PlatformDetails(**CORTEX_XDR_XQL_QUERY_DETAILS) PREDEFINED_FIELDS_MAP = { diff --git a/uncoder-core/app/translator/platforms/palo_alto/functions/__init__.py b/uncoder-core/app/translator/platforms/palo_alto/functions/__init__.py index 2f98f633..6bc3588c 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/functions/__init__.py +++ b/uncoder-core/app/translator/platforms/palo_alto/functions/__init__.py 
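Review bot: `PLATFORM_DETAILS = {}` is left behind as an empty module-level constant that nothing in this hunk reads any more; either delete it, or keep it as the shared base the two detail dicts spread from (`PLATFORM_DETAILS = {"platform_name": "Query (XQL)"}` with `**PLATFORM_DETAILS` in both), so the two products cannot drift. Separately, `group_id` changes from `cortex` to `cortex-xsiam`; that value is exposed through `PlatformDetails`, so any stored configuration or UI grouping keyed on `cortex` will stop matching, which deserves a changelog line if intended.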
@@ -1,12 +1,24 @@ import os.path from app.translator.core.functions import PlatformFunctions -from app.translator.platforms.palo_alto.functions.manager import CortexXQLFunctionsManager, cortex_xql_functions_manager +from app.translator.platforms.palo_alto.functions.manager import ( + CortexXQLFunctionsManager, + cortex_xdr_xql_functions_manager, + cortex_xsiam_xql_functions_manager, +) class CortexXQLFunctions(PlatformFunctions): dir_path: str = os.path.abspath(os.path.dirname(__file__)) - manager: CortexXQLFunctionsManager = cortex_xql_functions_manager -cortex_xql_functions = CortexXQLFunctions() +class CortexXSIAMXQLFunctions(CortexXQLFunctions): + manager: CortexXQLFunctionsManager = cortex_xsiam_xql_functions_manager + + +class CortexXDRXQLFunctions(CortexXQLFunctions): + manager: CortexXQLFunctionsManager = cortex_xdr_xql_functions_manager + + +cortex_xsiam_xql_functions = CortexXSIAMXQLFunctions() +cortex_xdr_xql_functions = CortexXDRXQLFunctions() diff --git a/uncoder-core/app/translator/platforms/palo_alto/functions/const.py b/uncoder-core/app/translator/platforms/palo_alto/functions/const.py index 95bb3982..91745fca 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/functions/const.py +++ b/uncoder-core/app/translator/platforms/palo_alto/functions/const.py @@ -11,6 +11,7 @@ class CortexXQLFunctionType(CustomEnum): values = "values" divide = "divide" + multiply = "multiply" lower = "lowercase" split = "split" @@ -26,18 +27,21 @@ class CortexXQLFunctionType(CustomEnum): config = "config" fields = "fields" filter = "filter" + iploc = "iploc" + join = "join" limit = "limit" sort = "sort" timeframe = "timeframe" + timestamp_diff = "timestamp_diff" union = "union" -class XqlSortOrderType(CustomEnum): +class CortexXQLSortOrderType(CustomEnum): asc = "asc" desc = "desc" -class XqlTimeFrameType(CustomEnum): +class CortexXQLTimeFrameType(CustomEnum): years = "y" months = "mo" days = "d" 
diff --git a/uncoder-core/app/translator/platforms/palo_alto/functions/manager.py b/uncoder-core/app/translator/platforms/palo_alto/functions/manager.py index 95e0cf90..2970a010 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/functions/manager.py +++ b/uncoder-core/app/translator/platforms/palo_alto/functions/manager.py @@ -5,4 +5,5 @@ class CortexXQLFunctionsManager(PlatformFunctionsManager): ... -cortex_xql_functions_manager = CortexXQLFunctionsManager() +cortex_xsiam_xql_functions_manager = CortexXQLFunctionsManager() +cortex_xdr_xql_functions_manager = CortexXQLFunctionsManager() diff --git a/uncoder-core/app/translator/platforms/palo_alto/mapping.py b/uncoder-core/app/translator/platforms/palo_alto/mapping.py index 11ccb070..6bf2d111 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/mapping.py +++ b/uncoder-core/app/translator/platforms/palo_alto/mapping.py @@ -1,7 +1,13 @@ from typing import Optional, Union -from app.translator.core.mapping import BasePlatformMappings, FieldsMapping, LogSourceSignature, SourceMapping -from app.translator.platforms.palo_alto.const import cortex_xql_query_details +from app.translator.core.mapping import ( + BasePlatformMappings, + BaseStrictLogSourcesPlatformMappings, + FieldsMapping, + LogSourceSignature, + SourceMapping, +) +from app.translator.platforms.palo_alto.const import cortex_xdr_xql_query_details, cortex_xsiam_xql_query_details class CortexXQLLogSourceSignature(LogSourceSignature): 
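Review bot: `cortex_xsiam_xql_functions_manager` and `cortex_xdr_xql_functions_manager` are two instances of the same `CortexXQLFunctionsManager` class, and the two function classes in functions/__init__.py share the base class's `dir_path`, so both products register exactly the same function set; the members newly added to `CortexXQLFunctionType` (`multiply`, `iploc`, `join`, `timestamp_diff`) are therefore advertised for XDR as well as XSIAM. If XDR's XQL does not support all of them, the split needs per-product subclasses or an allowlist rather than two identical instances; if it does, a comment above the two assignments such as `# XDR and XSIAM currently expose the same XQL function set; split the class if that changes` would record the assumption.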
@@ -24,34 +30,44 @@ def __prepare_log_source_for_render(logsource: Union[str, list[str]], model: str return f"{model} = {logsource}" @property - def __datamodel_scheme(self) -> str: - if datamodel := self._default_source.get("datamodel"): - return f"{datamodel} " + def __data_model_scheme(self) -> str: + if data_model := self._default_source.get("datamodel"): + return f"{data_model} " return "" def __str__(self) -> str: if preset_data := self._default_source.get("preset"): preset = self.__prepare_log_source_for_render(logsource=preset_data, model="preset") - return f"{self.__datamodel_scheme}{preset}" + return f"{self.__data_model_scheme}{preset}" if dataset_data := self._default_source.get("dataset"): dataset = self.__prepare_log_source_for_render(logsource=dataset_data, model="dataset") - return f"{self.__datamodel_scheme}{dataset}" + return f"{self.__data_model_scheme}{dataset}" return "datamodel dataset = *" -class CortexXQLMappings(BasePlatformMappings): +class CortexXQLLogSourceSignaturePreparer: + @staticmethod + def prepare_log_source_signature(mapping: dict) -> CortexXQLLogSourceSignature: + preset = mapping.get("log_source", {}).get("preset") + dataset = mapping.get("log_source", {}).get("dataset") + default_log_source = mapping["default_log_source"] + return CortexXQLLogSourceSignature(preset=preset, dataset=dataset, default_source=default_log_source) + + +class CortexXSIAMXQLMappings(CortexXQLLogSourceSignaturePreparer, BasePlatformMappings): skip_load_default_mappings: bool = False def update_default_source_mapping(self, default_mapping: SourceMapping, fields_mapping: FieldsMapping) -> None: ... 
- def prepare_log_source_signature(self, mapping: dict) -> CortexXQLLogSourceSignature: - preset = mapping.get("log_source", {}).get("preset") - dataset = mapping.get("log_source", {}).get("dataset") - default_log_source = mapping["default_log_source"] - return CortexXQLLogSourceSignature(preset=preset, dataset=dataset, default_source=default_log_source) + +class CortexXDRXQLMappings(CortexXQLLogSourceSignaturePreparer, BaseStrictLogSourcesPlatformMappings): + ... -cortex_xql_query_mappings = CortexXQLMappings( - platform_dir="palo_alto_cortex", platform_details=cortex_xql_query_details +cortex_xsiam_xql_query_mappings = CortexXSIAMXQLMappings( + platform_dir="palo_alto_cortex_xsiam", platform_details=cortex_xsiam_xql_query_details +) +cortex_xdr_xql_query_mappings = CortexXDRXQLMappings( + platform_dir="palo_alto_cortex_xdr", platform_details=cortex_xdr_xql_query_details ) diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/base.py b/uncoder-core/app/translator/platforms/palo_alto/renders/base.py new file mode 100644 index 00000000..6983d0f3 --- /dev/null +++ b/uncoder-core/app/translator/platforms/palo_alto/renders/base.py 
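Review bot: `cortex_xdr_xql_query_mappings` points at `platform_dir="palo_alto_cortex_xdr"`, but every mapping YAML in this change lands in `palo_alto_cortex_xsiam` and no `palo_alto_cortex_xdr` file is added. Unless that directory already exists, the XDR platform is registered with no field mappings, and because `CortexXDRXQLMappings` inherits `BaseStrictLogSourcesPlatformMappings`, what a translated rule gets depends on how the loader treats a missing or empty directory; either add the directory (at least a default mapping) in this commit or state in the class why XDR ships without one. `CortexXDRXQLMappings` is currently just `...`; a docstring along the lines of `"""Cortex XDR mappings: strict about log sources, loaded from mappings/platforms/palo_alto_cortex_xdr."""` would make the difference from the XSIAM class explicit.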
@@ -0,0 +1,205 @@ +""" +Uncoder IO Community Edition License +----------------------------------------------------------------- +Copyright (c) 2024 SOC Prime, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +----------------------------------------------------------------- +""" +from typing import ClassVar, Optional, Union + +from app.translator.const import DEFAULT_VALUE_TYPE +from app.translator.core.const import QUERY_TOKEN_TYPE +from app.translator.core.context_vars import preset_log_source_str_ctx_var +from app.translator.core.custom_types.tokens import OperatorType +from app.translator.core.custom_types.values import ValueType +from app.translator.core.mapping import SourceMapping +from app.translator.core.models.query_tokens.field_value import FieldValue +from app.translator.core.render import BaseFieldFieldRender, BaseFieldValueRender, PlatformQueryRender +from app.translator.core.str_value_manager import StrValue +from app.translator.platforms.palo_alto.const import PREDEFINED_FIELDS_MAP +from app.translator.platforms.palo_alto.functions import CortexXQLFunctions +from app.translator.platforms.palo_alto.mapping import CortexXQLLogSourceSignature +from app.translator.platforms.palo_alto.str_value_manager import cortex_xql_str_value_manager + +SOURCE_MAPPING_TO_FIELD_VALUE_MAP = { + "windows_registry_event": { + "EventType": { + "SetValue": "REGISTRY_SET_VALUE", + "DeleteValue": "REGISTRY_DELETE_VALUE", + "CreateKey": "REGISTRY_CREATE_KEY", + } + } +} + + +class 
CortexXQLFieldValueRender(BaseFieldValueRender): + str_value_manager = cortex_xql_str_value_manager + + @staticmethod + def _get_value_type(field_name: str, value: Union[int, str, StrValue], value_type: Optional[str] = None) -> str: # noqa: ARG004 + if value_type: + return value_type + + if isinstance(value, StrValue) and value.has_spec_symbols: + return ValueType.regex_value + + return ValueType.value + + @staticmethod + def _wrap_str_value(value: str) -> str: + return f'"{value}"' + + def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: + if isinstance(value, list): + values = ", ".join(f"{self._pre_process_value(field, v, ValueType.value, True)}" for v in value) + return f"{field} in ({values})" + + return f"{field} = {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" + + def less_modifier(self, field: str, value: Union[int, str]) -> str: + return f"{field} < {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" + + def less_or_equal_modifier(self, field: str, value: Union[int, str]) -> str: + return f"{field} <= {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" + + def greater_modifier(self, field: str, value: Union[int, str]) -> str: + return f"{field} > {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" + + def greater_or_equal_modifier(self, field: str, value: Union[int, str]) -> str: + return f"{field} >= {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" + + def not_equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: + if isinstance(value, list): + return f"({self.or_token.join([self.not_equal_modifier(field=field, value=v) for v in value])})" + return f"{field} != {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" + + def contains_modifier(self, field: str, value: Union[list, str]) -> str: + if isinstance(value, list): + return 
f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})" + if value.endswith("\\"): + return f'{field} ~= ".*{self._pre_process_value(field, value, value_type=ValueType.regex_value)}.*"' + return f"{field} contains {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" + + def not_contains_modifier(self, field: str, value: Union[list, str]) -> str: + if isinstance(value, list): + return f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})" + if value.endswith("\\"): + return f'{field} !~= ".*{self._pre_process_value(field, value, value_type=ValueType.regex_value)}.*"' + return f"{field} not contains {self._pre_process_value(field, value, ValueType.value, wrap_str=True)}" + + def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: + if isinstance(value, list): + return f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})" + return f'{field} ~= ".*{self._pre_process_value(field, value, value_type=ValueType.regex_value)}"' + + def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: + if isinstance(value, list): + clause = self.or_token.join(self.startswith_modifier(field=field, value=v) for v in value) + return f"({clause})" + return f'{field} ~= "{self._pre_process_value(field, value, value_type=ValueType.regex_value)}.*"' + + def regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: + if isinstance(value, list): + return f"({self.or_token.join(self.regex_modifier(field=field, value=v) for v in value)})" + value = self._pre_process_value(field, value, value_type=ValueType.regex_value, wrap_str=True) + if value.endswith('\\\\"'): + value = value[:-1] + "]" + value[-1:] + value = value[:-4] + "[" + value[-4:] + return f"{field} ~= {value}" + + def not_regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: + if isinstance(value, list): + return 
f"({self.or_token.join(self.regex_modifier(field=field, value=v) for v in value)})" + return f"{field} !~= {self._pre_process_value(field ,value, value_type=ValueType.regex_value, wrap_str=True)}" + + def is_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: + if isinstance(value, list): + return f"({self.or_token.join(self.is_none(field=field, value=v) for v in value)})" + return f"{field} = null" + + def is_not_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: + if isinstance(value, list): + return f"({self.or_token.join(self.is_not_none(field=field, value=v) for v in value)})" + return f"{field} != null" + + def keywords(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: + if isinstance(value, list): + return f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})" + if value.endswith("\\"): + return f'_raw_log ~= ".*{self._pre_process_value(field ,value, value_type=ValueType.regex_value)}.*"' + return f"_raw_log contains {self._pre_process_value(field ,value, value_type=ValueType.value, wrap_str=True)}" + + +class CortexXQLFieldFieldRender(BaseFieldFieldRender): + operators_map: ClassVar[dict[str, str]] = { + OperatorType.EQ: "=", + OperatorType.NOT_EQ: "!=", + OperatorType.LT: "<", + OperatorType.LTE: "<=", + OperatorType.GT: ">", + OperatorType.GTE: ">=", + } + + +class CortexXQLQueryRender(PlatformQueryRender): + predefined_fields_map = PREDEFINED_FIELDS_MAP + raw_log_field_patterns_map: ClassVar[dict[str, str]] = { + "regex": '| alter {field} = regextract(to_json_string(action_evtlog_data_fields)->{field}{{}}, "\\"(.*)\\"")', + "object": '| alter {field_name} = json_extract_scalar({field_object} , "$.{field_path}")', + "list": '| alter {field_name} = arraystring(json_extract_array({field_object} , "$.{field_path}")," ")', + } + platform_functions: CortexXQLFunctions = None + + or_token = "or" + and_token = "and" + not_token = "not" + query_parts_delimiter = "\n" + + field_field_render = 
CortexXQLFieldFieldRender() + comment_symbol = "//" + is_single_line_comment = False + + def process_raw_log_field(self, field: str, field_type: str) -> Optional[str]: + raw_log_field_pattern = self.raw_log_field_patterns_map.get(field_type) + if raw_log_field_pattern is None: + return + if field_type == "regex": + field = field.replace(".", r"\.") + return raw_log_field_pattern.format(field=field) + if field_type in ("object", "list") and "." in field: + field_object, field_path = field.split(".", 1) + field_name = field.replace(".", "_") + return raw_log_field_pattern.format(field_name=field_name, field_object=field_object, field_path=field_path) + + def generate_prefix(self, log_source_signature: CortexXQLLogSourceSignature, functions_prefix: str = "") -> str: + functions_prefix = f"{functions_prefix} | " if functions_prefix else "" + log_source_str = preset_log_source_str_ctx_var.get() or str(log_source_signature) + return f"{functions_prefix}{log_source_str}" + + def apply_token(self, token: QUERY_TOKEN_TYPE, source_mapping: SourceMapping) -> str: + if isinstance(token, FieldValue) and token.field: + field_name = token.field.source_name + if values_map := SOURCE_MAPPING_TO_FIELD_VALUE_MAP.get(source_mapping.source_id, {}).get(field_name): + values_to_update = [] + for token_value in token.values: + mapped_value: str = values_map.get(token_value, token_value) + values_to_update.append( + StrValue(value=mapped_value, split_value=mapped_value.split()) if mapped_value else token_value + ) + token.value = values_to_update + return super().apply_token(token=token, source_mapping=source_mapping) + + @staticmethod + def _finalize_search_query(query: str) -> str: + return f"| filter {query}" if query else "" diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xdr.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xdr.py new file mode 100644 index 00000000..fac4df3d --- /dev/null 
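Review bot: The list branches of the negated modifiers delegate to the positive ones: `not_contains_modifier` joins `self.contains_modifier(...)`, `not_regex_modifier` joins `self.regex_modifier(...)`, and `keywords` joins `self.contains_modifier(...)` (which also filters on `field` rather than `_raw_log`). A negated condition carrying a list value therefore renders as a positive `contains`/`~=` filter, the opposite of what the rule says, with no error from the translator, which silently inverts a detection. The three lines should recurse into themselves: `self.not_contains_modifier(field=field, value=v)`, `self.not_regex_modifier(field=field, value=v)` and `self.keywords(field=field, value=v)`. Separately, `apply_token` assigns the rewritten `EventType` values back into `token.value`, so the `windows_registry_event` substitution sticks to the token if it is later rendered for another source mapping; building the substituted list without mutating the token avoids that.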
+++ b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xdr.py @@ -0,0 +1,41 @@ +""" +Uncoder IO Community Edition License +----------------------------------------------------------------- +Copyright (c) 2024 SOC Prime, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +----------------------------------------------------------------- +""" + +from app.translator.core.models.platform_details import PlatformDetails +from app.translator.managers import render_manager +from app.translator.platforms.palo_alto.const import cortex_xdr_xql_query_details +from app.translator.platforms.palo_alto.functions import cortex_xdr_xql_functions +from app.translator.platforms.palo_alto.mapping import CortexXDRXQLMappings, cortex_xdr_xql_query_mappings +from app.translator.platforms.palo_alto.renders.base import CortexXQLFieldValueRender, CortexXQLQueryRender + + +class CortexXDRXQLFieldValueRender(CortexXQLFieldValueRender): + details: PlatformDetails = cortex_xdr_xql_query_details + + +@render_manager.register +class CortexXDRXQLQueryRender(CortexXQLQueryRender): + details: PlatformDetails = cortex_xdr_xql_query_details + mappings: CortexXDRXQLMappings = cortex_xdr_xql_query_mappings + + field_value_render = CortexXDRXQLFieldValueRender(CortexXQLQueryRender.or_token) + + def init_platform_functions(self) -> None: + self.platform_functions = cortex_xdr_xql_functions + self.platform_functions.platform_query_render = self 
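Review bot: `init_platform_functions` writes `self` onto the module-level `cortex_xdr_xql_functions` object (`self.platform_functions.platform_query_render = self`), so the functions object is shared mutable state and every `CortexXDRXQLQueryRender` instance overwrites the back-reference of the previous one; the cortex_xsiam.py hunk repeats the pattern with `cortex_xsiam_xql_functions`. How `render_manager.register` instantiates renders is not visible here, so this may be fine if exactly one instance ever exists, but nothing in the file says so. A class docstring would make that contract explicit, e.g. `"""Cortex XDR XQL render; bound 1:1 to the shared cortex_xdr_xql_functions object, so only one instance should be created."""`, or the functions object could be copied per instance in `init_platform_functions`. Also, `field_value_render = CortexXDRXQLFieldValueRender(CortexXQLQueryRender.or_token)` passes the token positionally where the removed code used `or_token=or_token`; the keyword form is safer if the base constructor gains parameters.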
diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py index c5728eac..4b05b306 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py +++ b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py 
@@ -16,205 +16,26 @@ limitations under the License. ----------------------------------------------------------------- """ -from typing import ClassVar, Optional, Union -from app.translator.const import DEFAULT_VALUE_TYPE -from app.translator.core.const import QUERY_TOKEN_TYPE -from app.translator.core.context_vars import preset_log_source_str_ctx_var -from app.translator.core.custom_types.tokens import OperatorType -from app.translator.core.custom_types.values import ValueType -from app.translator.core.mapping import SourceMapping from app.translator.core.models.platform_details import PlatformDetails -from app.translator.core.models.query_tokens.field_value import FieldValue -from app.translator.core.render import BaseFieldFieldRender, BaseFieldValueRender, PlatformQueryRender -from app.translator.core.str_value_manager import StrValue from app.translator.managers import render_manager -from app.translator.platforms.palo_alto.const import PREDEFINED_FIELDS_MAP, cortex_xql_query_details -from app.translator.platforms.palo_alto.functions import CortexXQLFunctions, cortex_xql_functions -from app.translator.platforms.palo_alto.mapping import ( - CortexXQLLogSourceSignature, - CortexXQLMappings, - cortex_xql_query_mappings, -) -from app.translator.platforms.palo_alto.str_value_manager import cortex_xql_str_value_manager +from app.translator.platforms.palo_alto.const import cortex_xsiam_xql_query_details +from app.translator.platforms.palo_alto.functions import cortex_xsiam_xql_functions +from app.translator.platforms.palo_alto.mapping import CortexXSIAMXQLMappings, cortex_xsiam_xql_query_mappings +from app.translator.platforms.palo_alto.renders.base import CortexXQLFieldValueRender, CortexXQLQueryRender -SOURCE_MAPPING_TO_FIELD_VALUE_MAP = { - "windows_registry_event": { - "EventType": { - "SetValue": "REGISTRY_SET_VALUE", - "DeleteValue": "REGISTRY_DELETE_VALUE", - "CreateKey": "REGISTRY_CREATE_KEY", - } - } -} - -class CortexXQLFieldValueRender(BaseFieldValueRender): 
- details: PlatformDetails = cortex_xql_query_details - str_value_manager = cortex_xql_str_value_manager - - @staticmethod - def _get_value_type(field_name: str, value: Union[int, str, StrValue], value_type: Optional[str] = None) -> str: # noqa: ARG004 - if value_type: - return value_type - - if isinstance(value, StrValue) and value.has_spec_symbols: - return ValueType.regex_value - - return ValueType.value - - @staticmethod - def _wrap_str_value(value: str) -> str: - return f'"{value}"' - - def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - values = ", ".join(f"{self._pre_process_value(field, v, ValueType.value, True)}" for v in value) - return f"{field} in ({values})" - - return f"{field} = {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def less_modifier(self, field: str, value: Union[int, str]) -> str: - return f"{field} < {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def less_or_equal_modifier(self, field: str, value: Union[int, str]) -> str: - return f"{field} <= {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def greater_modifier(self, field: str, value: Union[int, str]) -> str: - return f"{field} > {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def greater_or_equal_modifier(self, field: str, value: Union[int, str]) -> str: - return f"{field} >= {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def not_equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return f"({self.or_token.join([self.not_equal_modifier(field=field, value=v) for v in value])})" - return f"{field} != {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def contains_modifier(self, field: str, value: Union[list, str]) -> str: - if isinstance(value, list): - 
return f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})" - if value.endswith("\\"): - return f'{field} ~= ".*{self._pre_process_value(field, value, value_type=ValueType.regex_value)}.*"' - return f"{field} contains {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def not_contains_modifier(self, field: str, value: Union[list, str]) -> str: - if isinstance(value, list): - return f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})" - if value.endswith("\\"): - return f'{field} !~= ".*{self._pre_process_value(field, value, value_type=ValueType.regex_value)}.*"' - return f"{field} not contains {self._pre_process_value(field, value, ValueType.value, wrap_str=True)}" - - def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})" - return f'{field} ~= ".*{self._pre_process_value(field, value, value_type=ValueType.regex_value)}"' - - def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - clause = self.or_token.join(self.startswith_modifier(field=field, value=v) for v in value) - return f"({clause})" - return f'{field} ~= "{self._pre_process_value(field, value, value_type=ValueType.regex_value)}.*"' - - def regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return f"({self.or_token.join(self.regex_modifier(field=field, value=v) for v in value)})" - value = self._pre_process_value(field, value, value_type=ValueType.regex_value, wrap_str=True) - if value.endswith('\\\\"'): - value = value[:-1] + "]" + value[-1:] - value = value[:-4] + "[" + value[-4:] - return f"{field} ~= {value}" - - def not_regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return 
f"({self.or_token.join(self.regex_modifier(field=field, value=v) for v in value)})" - return f"{field} !~= {self._pre_process_value(field ,value, value_type=ValueType.regex_value, wrap_str=True)}" - - def is_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return f"({self.or_token.join(self.is_none(field=field, value=v) for v in value)})" - return f"{field} = null" - - def is_not_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return f"({self.or_token.join(self.is_not_none(field=field, value=v) for v in value)})" - return f"{field} != null" - - def keywords(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})" - if value.endswith("\\"): - return f'_raw_log ~= ".*{self._pre_process_value(field ,value, value_type=ValueType.regex_value)}.*"' - return f"_raw_log contains {self._pre_process_value(field ,value, value_type=ValueType.value, wrap_str=True)}" - - -class CortexXQLFieldFieldRender(BaseFieldFieldRender): - operators_map: ClassVar[dict[str, str]] = { - OperatorType.EQ: "=", - OperatorType.NOT_EQ: "!=", - OperatorType.LT: "<", - OperatorType.LTE: "<=", - OperatorType.GT: ">", - OperatorType.GTE: ">=", - } +class CortexXSIAMXQLFieldValueRender(CortexXQLFieldValueRender): + details: PlatformDetails = cortex_xsiam_xql_query_details @render_manager.register -class CortexXQLQueryRender(PlatformQueryRender): - details: PlatformDetails = cortex_xql_query_details - mappings: CortexXQLMappings = cortex_xql_query_mappings - predefined_fields_map = PREDEFINED_FIELDS_MAP - raw_log_field_patterns_map: ClassVar[dict[str, str]] = { - "regex": '| alter {field} = regextract(to_json_string(action_evtlog_data_fields)->{field}{{}}, "\\"(.*)\\"")', - "object": '| alter {field_name} = json_extract_scalar({field_object} , "$.{field_path}")', - "list": '| alter {field_name} = 
arraystring(json_extract_array({field_object} , "$.{field_path}")," ")', - } - platform_functions: CortexXQLFunctions = None +class CortexXSIAMXQLQueryRender(CortexXQLQueryRender): + details: PlatformDetails = cortex_xsiam_xql_query_details + mappings: CortexXSIAMXQLMappings = cortex_xsiam_xql_query_mappings - or_token = "or" - and_token = "and" - not_token = "not" - query_parts_delimiter = "\n" - - field_field_render = CortexXQLFieldFieldRender() - field_value_render = CortexXQLFieldValueRender(or_token=or_token) - comment_symbol = "//" - is_single_line_comment = False + field_value_render = CortexXSIAMXQLFieldValueRender(CortexXQLQueryRender.or_token) def init_platform_functions(self) -> None: - self.platform_functions = cortex_xql_functions + self.platform_functions = cortex_xsiam_xql_functions self.platform_functions.platform_query_render = self - - def process_raw_log_field(self, field: str, field_type: str) -> Optional[str]: - raw_log_field_pattern = self.raw_log_field_patterns_map.get(field_type) - if raw_log_field_pattern is None: - return - if field_type == "regex": - field = field.replace(".", r"\.") - return raw_log_field_pattern.format(field=field) - if field_type in ("object", "list") and "." 
in field: - field_object, field_path = field.split(".", 1) - field_name = field.replace(".", "_") - return raw_log_field_pattern.format(field_name=field_name, field_object=field_object, field_path=field_path) - - def generate_prefix(self, log_source_signature: CortexXQLLogSourceSignature, functions_prefix: str = "") -> str: - functions_prefix = f"{functions_prefix} | " if functions_prefix else "" - log_source_str = preset_log_source_str_ctx_var.get() or str(log_source_signature) - return f"{functions_prefix}{log_source_str}" - - def apply_token(self, token: QUERY_TOKEN_TYPE, source_mapping: SourceMapping) -> str: - if isinstance(token, FieldValue) and token.field: - field_name = token.field.source_name - if values_map := SOURCE_MAPPING_TO_FIELD_VALUE_MAP.get(source_mapping.source_id, {}).get(field_name): - values_to_update = [] - for token_value in token.values: - mapped_value: str = values_map.get(token_value, token_value) - values_to_update.append( - StrValue(value=mapped_value, split_value=mapped_value.split()) if mapped_value else token_value - ) - token.value = values_to_update - return super().apply_token(token=token, source_mapping=source_mapping) - - @staticmethod - def _finalize_search_query(query: str) -> str: - return f"| filter {query}" if query else "" diff --git a/uncoder-core/app/translator/platforms/sigma/mapping.py b/uncoder-core/app/translator/platforms/sigma/mapping.py index fc6f7c1b..6180c948 100644 --- a/uncoder-core/app/translator/platforms/sigma/mapping.py +++ b/uncoder-core/app/translator/platforms/sigma/mapping.py @@ -48,7 +48,7 @@ def prepare_log_source_signature(self, mapping: dict) -> SigmaLogSourceSignature product=product, service=service, category=category, default_source=default_log_source ) - def get_suitable_source_mappings( + def get_source_mappings_by_fields_and_log_sources( self, field_names: list[str], log_sources: dict[str, list[Union[int, str]]] ) -> list[SourceMapping]: source_mappings = [] 
diff --git a/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py b/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py index 4f04335a..d4a2d83c 100644 --- a/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py +++ b/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py @@ -18,6 +18,7 @@ """ from datetime import timedelta +from re import I from typing import Optional, Union from app.translator.core.exceptions.core import SigmaRuleValidationException @@ -112,7 +113,9 @@ def parse(self, raw_query_container: RawQueryContainer) -> TokenizedQueryContain tokens = self.tokenizer.tokenize(detection=sigma_rule.get("detection")) field_tokens = [token.field for token in QueryTokenizer.filter_tokens(tokens, FieldValue)] field_names = [field.source_name for field in field_tokens] - source_mappings = self.mappings.get_suitable_source_mappings(field_names=field_names, log_sources=log_sources) + source_mappings = self.mappings.get_source_mappings_by_fields_and_log_sources( + field_names=field_names, log_sources=log_sources + ) QueryTokenizer.set_field_tokens_generic_names_map(field_tokens, source_mappings, self.mappings.default_mapping) sigma_fields_tokens = None if sigma_fields := sigma_rule.get("fields"): diff --git a/uncoder-core/requirements.txt b/uncoder-core/requirements.txt index a4ab0e8e..90c4901e 100644 --- a/uncoder-core/requirements.txt +++ b/uncoder-core/requirements.txt @@ -6,4 +6,5 @@ colorama~=0.4.6 ruff==0.1.13 ujson==5.9.0 xmltodict~=0.13.0 -isodate==0.6.1 \ No newline at end of file +isodate==0.6.1 +toml==0.10.2
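Review bot: `from re import I` is added to the import block, but neither sigma.py hunk uses `I`, and the rest of the file is outside the hunks, so this looks like an accidental (auto-completed) import that `ruff` F401 would flag. If it is genuinely used further down, `import re` with `re.IGNORECASE` at the use site is clearer than the one-letter alias; otherwise drop the line. The `get_source_mappings_by_fields_and_log_sources` call in the second hunk matches the rename in the mapping.py hunks.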
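Review bot: `toml==0.10.2` adds a pin to a package whose last release is that 2020 version and which is no longer actively maintained, so a parsing bug or security fix would have nowhere to land; how the project consumes it is not visible in this diff. If the runtime is Python 3.11 or newer, the standard-library `tomllib` covers read-only TOML parsing with no third-party dependency; on older interpreters `tomli` is the maintained read-only alternative. If writing TOML is required the choice is harder, and a short comment next to the pin stating why `toml` was picked would help the next reviewer.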