gis-9415 add global alternative mapping

nazargesyk · nazargesyk · commit 0c64c329f0f1 · 2025-01-20T11:33:10.000+02:00
diff --git a/uncoder-core/app/translator/core/mapping.py b/uncoder-core/app/translator/core/mapping.py
@@ -1,7 +1,8 @@
 from __future__ import annotations
 
+import os
 from abc import ABC, abstractmethod
-from typing import TYPE_CHECKING, Optional, TypeVar, Union
+from typing import TYPE_CHECKING, ClassVar, Optional, TypeVar, Union
 
 from app.translator.core.exceptions.core import (
     StrictPlatformException,
@@ -16,6 +17,7 @@
 
 
 DEFAULT_MAPPING_NAME = "default"
+GLOBAL_ALTERNATIVE_MAPPING_DIR = "global_alternative"
 
 
 class LogSourceSignature(ABC):
@@ -113,14 +115,15 @@ class BasePlatformMappings:
     is_strict_mapping: bool = False
     skip_load_default_mappings: bool = True
     extend_default_mapping_with_all_fields: bool = False
-    global_mappings: list[str] = []
+    global_alternative_mappings: ClassVar[list[str]] = []
 
     def __init__(self, platform_dir: str, platform_details: PlatformDetails):
         self._loader = LoaderFileMappings()
         self.details = platform_details
         self._source_mappings = self.prepare_mapping(platform_dir)
         self._alternative_mappings = self.prepare_alternative_mapping(platform_dir)
-        global_alternative_mappings = self.prepare_global_alternative_mapping()
+        if self.global_alternative_mappings:
+            self._alternative_mappings.update(self.prepare_global_alternative_mapping())
 
     def update_default_source_mapping(self, default_mapping: SourceMapping, fields_mapping: FieldsMapping) -> None:
         default_mapping.fields_mapping.update(fields_mapping)
@@ -132,8 +135,10 @@ def prepare_alternative_mapping(self, platform_dir: str) -> dict[str, dict[str,
         return alternative_mappings
 
     def prepare_global_alternative_mapping(self) -> dict[str, dict[str, SourceMapping]]:
-        globa_alternative_mappings = {}
-        return globa_alternative_mappings
+        global_alternative_mappings = {}
+        for name in self.global_alternative_mappings:
+            global_alternative_mappings[name] = self.prepare_mapping(os.path.join(GLOBAL_ALTERNATIVE_MAPPING_DIR, name))
+        return global_alternative_mappings
 
     def prepare_mapping(self, platform_dir: str) -> dict[str, SourceMapping]:
         source_mappings = {}
diff --git a/uncoder-core/app/translator/core/models/query_container.py b/uncoder-core/app/translator/core/models/query_container.py
@@ -136,7 +136,7 @@ class RawQueryContainer:
 class RawQueryDictContainer:
     query: dict
     language: str
-    meta_info: dict
+    meta_info: MetaInfoContainer = field(default_factory=MetaInfoContainer)
 
 
 @dataclass
diff --git a/uncoder-core/app/translator/mappings/platforms/global_alternative/ocsf/default.yml b/uncoder-core/app/translator/mappings/platforms/global_alternative/ocsf/default.yml
@@ -1,7 +1,6 @@
 platform: Global OCSF
 source: default
 
-default_log_source: {}
 
 fieldmappings:
   IntegrityLevel: process.integrity
diff --git a/uncoder-core/app/translator/platforms/splunk/mapping.py b/uncoder-core/app/translator/platforms/splunk/mapping.py
@@ -1,4 +1,4 @@
-from typing import Optional
+from typing import ClassVar, Optional
 
 from app.translator.core.mapping import BasePlatformMappings, LogSourceSignature
 from app.translator.platforms.splunk.const import splunk_alert_details, splunk_query_details
@@ -39,9 +39,13 @@ def __str__(self) -> str:
 
 
 class SplunkMappings(BasePlatformMappings):
+    global_alternative_mappings: ClassVar[list[str]] = ["ocsf"]
+
     def prepare_log_source_signature(self, mapping: dict) -> SplunkLogSourceSignature:
         log_source = mapping.get("log_source", {})
-        default_log_source = mapping["default_log_source"]
+        default_log_source = (
+            mapping.get("default_log_source") if mapping.get("default_log_source") else {"source": "WinEventLog: *"}
+        )
         return SplunkLogSourceSignature(
             sources=log_source.get("source"),
             source_types=log_source.get("sourcetype"),
