
Commit 29fa729

authored
Merge pull request #194 from UncoderIO/gis-8678
cortex xdr render
2 parents 5b9c114 + abf11c2 commit 29fa729


61 files changed

+624
-272
lines changed

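--- a/uncoder-core/app/translator/core/exceptions/core.py
+++ b/uncoder-core/app/translator/core/exceptions/core.py
@@ -17,6 +17,12 @@ def __init__(self, platform_name: str, fields: list[str], mapping: Optional[str]
 super().__init__(message)
 
 
+class UnsupportedMappingsException(BasePlatformException):
+def __init__(self, platform_name: str, mappings: list[str]):
+message = f"Platform {platform_name} does not support these mappings: {mappings}."
+super().__init__(message)
+
+
 class StrictPlatformFieldException(BasePlatformException):
 def __init__(self, platform_name: str, field_name: str):
 message = f"Source field `{field_name}` has no mapping for platform {platform_name}."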
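Review bot: `UnsupportedMappingsException.__init__` interpolates the raw `mappings` list into the message, so the text carries Python list syntax (`['a', 'b']`) where the neighbouring `StrictPlatformFieldException` formats a single quoted value; `message = f"Platform {platform_name} does not support these mappings: {', '.join(mappings)}."` keeps the message readable when it reaches a user. The class also has no docstring saying when it fires; `"""Raised by strict platform mappings when none of the requested source mapping ids is known to the platform."""` matches its only use in this commit.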

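--- a/uncoder-core/app/translator/core/mapping.py
+++ b/uncoder-core/app/translator/core/mapping.py
@@ -3,7 +3,7 @@
 from abc import ABC, abstractmethod
 from typing import TYPE_CHECKING, Optional, TypeVar, Union
 
-from app.translator.core.exceptions.core import StrictPlatformException
+from app.translator.core.exceptions.core import StrictPlatformException, UnsupportedMappingsException
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.mappings.utils.load_from_files import LoaderFileMappings
 
@@ -116,7 +116,7 @@ def prepare_mapping(self) -> dict[str, SourceMapping]:
 default_mapping = SourceMapping(source_id=DEFAULT_MAPPING_NAME)
 for mapping_dict in self._loader.load_platform_mappings(self._platform_dir):
 log_source_signature = self.prepare_log_source_signature(mapping=mapping_dict)
-if (source_id := mapping_dict.get("source")) == DEFAULT_MAPPING_NAME:
+if (source_id := mapping_dict["source"]) == DEFAULT_MAPPING_NAME:
 default_mapping.log_source_signature = log_source_signature
 if self.skip_load_default_mappings:
 continue
@@ -152,7 +152,7 @@ def prepare_fields_mapping(field_mapping: dict) -> FieldsMapping:
 def prepare_log_source_signature(self, mapping: dict) -> LogSourceSignature:
 raise NotImplementedError("Abstract method")
 
-def get_suitable_source_mappings(
+def get_source_mappings_by_fields_and_log_sources(
 self, field_names: list[str], log_sources: dict[str, list[Union[int, str]]]
 ) -> list[SourceMapping]:
 by_log_sources_and_fields = []
@@ -170,6 +170,17 @@ def get_suitable_source_mappings(
 
 return by_log_sources_and_fields or by_fields or [self._source_mappings[DEFAULT_MAPPING_NAME]]
 
+def get_source_mappings_by_ids(self, source_mapping_ids: list[str]) -> list[SourceMapping]:
+source_mappings = []
+for source_mapping_id in source_mapping_ids:
+if source_mapping := self.get_source_mapping(source_mapping_id):
+source_mappings.append(source_mapping)
+
+if not source_mappings:
+source_mappings = [self.get_source_mapping(DEFAULT_MAPPING_NAME)]
+
+return source_mappings
+
 def get_source_mapping(self, source_id: str) -> Optional[SourceMapping]:
 return self._source_mappings.get(source_id)
 
@@ -218,3 +229,18 @@ def prepare_mapping(self) -> dict[str, SourceMapping]:
 )
 
 return source_mappings
+
+
+class BaseStrictLogSourcesPlatformMappings(ABC, BasePlatformMappings):
+def get_source_mappings_by_ids(self, source_mapping_ids: list[str]) -> list[SourceMapping]:
+source_mappings = []
+for source_mapping_id in source_mapping_ids:
+if source_mapping_id == DEFAULT_MAPPING_NAME:
+continue
+if source_mapping := self.get_source_mapping(source_mapping_id):
+source_mappings.append(source_mapping)
+
+if not source_mappings:
+raise UnsupportedMappingsException(platform_name=self.details.name, mappings=source_mapping_ids)
+
+return source_mappings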
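Review bot: `class BaseStrictLogSourcesPlatformMappings(ABC, BasePlatformMappings):` at new line 234 names `ABC` ahead of the concrete base; if `BasePlatformMappings` itself derives from `ABC` (the module imports it on line 4, though the base signals abstractness with `raise NotImplementedError("Abstract method")`, so it may not), Python rejects that base order with an MRO `TypeError` at import time, and if it does not, `ABC` adds nothing because the subclass declares no abstract method — `class BaseStrictLogSourcesPlatformMappings(BasePlatformMappings):` is correct in both cases. The override repeats the loop of `BasePlatformMappings.get_source_mappings_by_ids` (new lines 173-182) apart from skipping `DEFAULT_MAPPING_NAME` and raising instead of falling back, and neither method documents that contract; a docstring such as `"""Resolve mapping ids to loaded SourceMappings; unknown ids are dropped and an empty result falls back to the default mapping."""` on the base, and one on the override stating that it raises `UnsupportedMappingsException` when no id resolves and never uses the default mapping, would make the strict/lenient split explicit. In the `prepare_mapping` hunk, `mapping_dict["source"]` now surfaces a mapping file without a `source` key as a bare `KeyError: 'source'` that does not name the offending file, so re-raising with the platform directory or file name in the message would make that load-time failure diagnosable. The base method's fallback `[self.get_source_mapping(DEFAULT_MAPPING_NAME)]` can also yield `[None]` because `get_source_mapping` returns `Optional[SourceMapping]`; whether the default mapping can be absent depends on `prepare_mapping`, which is only partly visible here.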

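--- a/uncoder-core/app/translator/core/parser.py
+++ b/uncoder-core/app/translator/core/parser.py
@@ -80,6 +80,8 @@ def get_source_mappings(
 self, field_tokens: list[Field], log_sources: dict[str, list[Union[int, str]]]
 ) -> list[SourceMapping]:
 field_names = [field.source_name for field in field_tokens]
-source_mappings = self.mappings.get_suitable_source_mappings(field_names=field_names, log_sources=log_sources)
+source_mappings = self.mappings.get_source_mappings_by_fields_and_log_sources(
+field_names=field_names, log_sources=log_sources
+)
 self.tokenizer.set_field_tokens_generic_names_map(field_tokens, source_mappings, self.mappings.default_mapping)
 return source_mappings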

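--- a/uncoder-core/app/translator/core/render.py
+++ b/uncoder-core/app/translator/core/render.py
@@ -31,7 +31,7 @@
 from app.translator.core.exceptions.parser import UnsupportedOperatorException
 from app.translator.core.exceptions.render import UnsupportedRenderMethod
 from app.translator.core.functions import PlatformFunctions
-from app.translator.core.mapping import DEFAULT_MAPPING_NAME, BasePlatformMappings, LogSourceSignature, SourceMapping
+from app.translator.core.mapping import BasePlatformMappings, LogSourceSignature, SourceMapping
 from app.translator.core.models.functions.base import Function, RenderedFunctions
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer, RawQueryContainer, TokenizedQueryContainer
@@ -384,17 +384,6 @@ def finalize(self, queries_map: dict[str, str]) -> str:
 
 return result
 
-def _get_source_mappings(self, source_mapping_ids: list[str]) -> Optional[list[SourceMapping]]:
-source_mappings = []
-for source_mapping_id in source_mapping_ids:
-if source_mapping := self.mappings.get_source_mapping(source_mapping_id):
-source_mappings.append(source_mapping)
-
-if not source_mappings:
-source_mappings = [self.mappings.get_source_mapping(DEFAULT_MAPPING_NAME)]
-
-return source_mappings
-
 def generate_from_raw_query_container(self, query_container: RawQueryContainer) -> str:
 return self.finalize_query(
 prefix="", query=query_container.query, functions="", meta_info=query_container.meta_info
@@ -464,7 +453,7 @@ def _generate_from_tokenized_query_container_by_source_mapping(
 def generate_from_tokenized_query_container(self, query_container: TokenizedQueryContainer) -> str:
 queries_map = {}
 errors = []
-source_mappings = self._get_source_mappings(query_container.meta_info.source_mapping_ids)
+source_mappings = self.mappings.get_source_mappings_by_ids(query_container.meta_info.source_mapping_ids)
 
 for source_mapping in source_mappings:
 try: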
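Review bot: `source_mappings = self.mappings.get_source_mappings_by_ids(query_container.meta_info.source_mapping_ids)` at new line 456 runs before the per-mapping `try:` at line 459, so on a platform whose mappings class is the strict variant introduced in this commit the `UnsupportedMappingsException` it raises escapes `generate_from_tokenized_query_container` instead of being collected into `errors`; whether every caller of this method handles that exception is not visible here. The removed helper `_get_source_mappings` could not raise, so this is a new failure mode for callers that should at least be stated in a docstring, e.g. `"""Render the query once per resolved source mapping. Raises UnsupportedMappingsException when the platform's mappings accept none of the requested ids."""`. The method body continues past the end of the hunk.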
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
platform: Palo Alto Cortex XDR
2+
source: default
3+
4+
5+
default_log_source:
6+
datamodel: datamodel

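--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_file_event.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_file_event.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: linux_file_event
 
 log_source: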

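--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_process_creation.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: linux_process_creation
 
 log_source: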

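--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_file_event.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_file_event.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: macos_file_event
 
 log_source: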

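--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_process_creation.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_process_creation.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: macos_process_creation
 
 log_source: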

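--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_file_event.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_file_event.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: windows_file_event
 
 log_source: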
