UncoderIO
diff --git a/‎uncoder-core/app/translator/core/mapping.py
Lines changed: 21 additions & 6 deletions b/‎uncoder-core/app/translator/core/mapping.py
Lines changed: 21 additions & 6 deletions
diff --git a/‎uncoder-core/app/translator/core/models/query_container.py
Lines changed: 4 additions & 2 deletions b/‎uncoder-core/app/translator/core/models/query_container.py
Lines changed: 4 additions & 2 deletions
diff --git a/‎uncoder-core/app/translator/core/parser.py
Lines changed: 12 additions & 3 deletions b/‎uncoder-core/app/translator/core/parser.py
Lines changed: 12 additions & 3 deletions
diff --git a/‎uncoder-core/app/translator/core/render.py
Lines changed: 29 additions & 3 deletions b/‎uncoder-core/app/translator/core/render.py
Lines changed: 29 additions & 3 deletions
diff --git a/‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
Lines changed: 15 additions & 1 deletion b/‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
Lines changed: 15 additions & 1 deletion
diff --git a/‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/firewall.yml
Lines changed: 4 additions & 4 deletions b/‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/firewall.yml
Lines changed: 4 additions & 4 deletions
diff --git a/‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_application.yml
Lines changed: 24 additions & 0 deletions b/‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_application.yml
Lines changed: 24 additions & 0 deletions
diff --git a/‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml
Lines changed: 19 additions & 0 deletions b/‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml
Lines changed: 19 additions & 0 deletions
@@ -72,34 +72,49 @@ def __init__(
         source_id: str,
         log_source_signature: _LogSourceSignatureType = None,
         fields_mapping: Optional[FieldsMapping] = None,
+        raw_log_fields: Optional[list] = None,
     ):
         self.source_id = source_id
         self.log_source_signature = log_source_signature
         self.fields_mapping = fields_mapping or FieldsMapping([])
+        self.raw_log_fields = raw_log_fields
 
 
 class BasePlatformMappings:
+    skip_load_default_mappings: bool = True
+
     def __init__(self, platform_dir: str):
         self._loader = LoaderFileMappings()
         self._platform_dir = platform_dir
         self._source_mappings = self.prepare_mapping()
 
+    def update_default_source_mapping(self, default_mapping: SourceMapping, fields_mapping: FieldsMapping) -> None:
+        default_mapping.fields_mapping.update(fields_mapping)
+
     def prepare_mapping(self) -> dict[str, SourceMapping]:
         source_mappings = {}
         default_mapping = SourceMapping(source_id=DEFAULT_MAPPING_NAME)
         for mapping_dict in self._loader.load_platform_mappings(self._platform_dir):
             log_source_signature = self.prepare_log_source_signature(mapping=mapping_dict)
             if (source_id := mapping_dict["source"]) == DEFAULT_MAPPING_NAME:
                 default_mapping.log_source_signature = log_source_signature
-                continue
-
-            fields_mapping = self.prepare_fields_mapping(field_mapping=mapping_dict.get("field_mapping", {}))
-            default_mapping.fields_mapping.update(fields_mapping)
+                if self.skip_load_default_mappings:
+                    continue
+
+            field_mappings_dict = mapping_dict.get("field_mapping", {})
+            raw_log_fields = mapping_dict.get("raw_log_fields", [])
+            field_mappings_dict.update({field: field for field in raw_log_fields})
+            fields_mapping = self.prepare_fields_mapping(field_mapping=field_mappings_dict)
+            self.update_default_source_mapping(default_mapping=default_mapping, fields_mapping=fields_mapping)
             source_mappings[source_id] = SourceMapping(
-                source_id=source_id, log_source_signature=log_source_signature, fields_mapping=fields_mapping
+                source_id=source_id,
+                log_source_signature=log_source_signature,
+                fields_mapping=fields_mapping,
+                raw_log_fields=raw_log_fields,
             )
 
-        source_mappings[DEFAULT_MAPPING_NAME] = default_mapping
+        if self.skip_load_default_mappings:
+            source_mappings[DEFAULT_MAPPING_NAME] = default_mapping
 
         return source_mappings
 
 
@@ -19,7 +19,8 @@ def __init__(
         description: Optional[str] = None,
         author: Optional[str] = None,
         date: Optional[str] = None,
-        fields: Optional[list[Field]] = None,
+        output_table_fields: Optional[list[Field]] = None,
+        query_fields: Optional[list[Field]] = None,
         license_: Optional[str] = None,
         severity: Optional[str] = None,
         references: Optional[list[str]] = None,
@@ -35,7 +36,8 @@ def __init__(
         self.description = description or ""
         self.author = author or ""
         self.date = date or datetime.now().date().strftime("%Y-%m-%d")
-        self.fields = fields or []
+        self.output_table_fields = output_table_fields or []
+        self.query_fields = query_fields or []
         self.license = license_ or "DRL 1.1"
         self.severity = severity or SeverityType.low
         self.references = references or []
 
@@ -15,21 +15,27 @@
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 -----------------------------------------------------------------
 """
-
+import re
 from abc import ABC, abstractmethod
 from typing import Union
 
 from app.translator.core.exceptions.parser import TokenizerGeneralException
 from app.translator.core.functions import PlatformFunctions
 from app.translator.core.mapping import BasePlatformMappings, SourceMapping
-from app.translator.core.models.field import FieldValue
+from app.translator.core.models.field import Field, FieldValue, Keyword
 from app.translator.core.models.functions.base import ParsedFunctions
+from app.translator.core.models.identifier import Identifier
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import RawQueryContainer, TokenizedQueryContainer
 from app.translator.core.tokenizer import TOKEN_TYPE, QueryTokenizer
 
 
 class QueryParser(ABC):
+    wrapped_with_comment_pattern: str = None
+
+    def remove_comments(self, text: str) -> str:
+        return re.sub(self.wrapped_with_comment_pattern, "\n", text, flags=re.MULTILINE).strip()
+
     def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
         return RawQueryContainer(query=text, language=language)
 
@@ -44,13 +50,16 @@ class PlatformQueryParser(QueryParser, ABC):
     details: PlatformDetails = None
     platform_functions: PlatformFunctions = None
 
+    def get_fields_tokens(self, tokens: list[Union[FieldValue, Keyword, Identifier]]) -> list[Field]:
+        return [token.field for token in self.tokenizer.filter_tokens(tokens, FieldValue)]
+
     def get_tokens_and_source_mappings(
         self, query: str, log_sources: dict[str, Union[str, list[str]]]
     ) -> tuple[list[TOKEN_TYPE], list[SourceMapping]]:
         if not query:
             raise TokenizerGeneralException("Can't translate empty query. Please provide more details")
         tokens = self.tokenizer.tokenize(query=query)
-        field_tokens = [token.field for token in self.tokenizer.filter_tokens(tokens, FieldValue)]
+        field_tokens = self.get_fields_tokens(tokens=tokens)
         field_names = [field.source_name for field in field_tokens]
         source_mappings = self.mappings.get_suitable_source_mappings(field_names=field_names, **log_sources)
         self.tokenizer.set_field_tokens_generic_names_map(field_tokens, source_mappings, self.mappings.default_mapping)
 
@@ -59,6 +59,8 @@ def __init__(self, or_token: str):
             OperatorType.REGEX: self.regex_modifier,
             OperatorType.NOT_REGEX: self.not_regex_modifier,
             OperatorType.KEYWORD: self.keywords,
+            OperatorType.IS_NONE: self.is_none,
+            OperatorType.IS_NOT_NONE: self.is_not_none,
         }
         self.or_token = f" {or_token} "
 
@@ -107,6 +109,12 @@ def not_regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:  # n
     def keywords(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:  # noqa: ARG002
         raise NotImplementedException
 
+    def is_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:  # noqa: ARG002
+        raise NotImplementedException
+
+    def is_not_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:  # noqa: ARG002
+        raise NotImplementedException
+
     def apply_value(self, value: Union[str, int], value_type: str = ValueType.value) -> Union[str, int]:
         return self.escape_manager.escape(value, value_type)
 
@@ -118,13 +126,13 @@ def apply_field_value(self, field: str, operator: Identifier, value: DEFAULT_VAL
 
 class QueryRender(ABC):
     comment_symbol: str = None
-    is_multi_line_comment: bool = False
+    is_single_line_comment: bool = False
     unsupported_functions_text = "Unsupported functions were excluded from the result query:"
 
     platform_functions: PlatformFunctions = PlatformFunctions()
 
     def render_not_supported_functions(self, not_supported_functions: list) -> str:
-        line_template = f"{self.comment_symbol} " if self.comment_symbol and self.is_multi_line_comment else ""
+        line_template = f"{self.comment_symbol} " if self.comment_symbol and self.is_single_line_comment else ""
         not_supported_functions_str = "\n".join(line_template + func.lstrip() for func in not_supported_functions)
         return "\n\n" + self.wrap_with_comment(f"{self.unsupported_functions_text}\n{not_supported_functions_str}")
 
@@ -139,7 +147,7 @@ def generate(self, query_container: Union[RawQueryContainer, TokenizedQueryConta
 class PlatformQueryRender(QueryRender):
     mappings: BasePlatformMappings = None
     details: PlatformDetails = None
-    is_strict_mapping = False
+    is_strict_mapping: bool = False
 
     or_token = "or"
     and_token = "and"
@@ -150,6 +158,7 @@ class PlatformQueryRender(QueryRender):
     field_value_map = BaseQueryFieldValue(or_token=or_token)
 
     query_pattern = "{table} {query} {functions}"
+    raw_log_field_pattern: str = None
 
     def __init__(self):
         self.operator_map = {
@@ -272,12 +281,29 @@ def _generate_from_raw_query_container(self, query_container: RawQueryContainer)
             prefix="", query=query_container.query, functions="", meta_info=query_container.meta_info
         )
 
+    def generate_raw_log_fields(self, fields: list[Field], source_mapping: SourceMapping) -> str:
+        defined_raw_log_fields = []
+        for field in fields:
+            mapped_field = source_mapping.fields_mapping.get_platform_field_name(generic_field_name=field.source_name)
+            if not mapped_field and self.is_strict_mapping:
+                raise StrictPlatformException(field_name=field.source_name, platform_name=self.details.name)
+            if mapped_field not in source_mapping.raw_log_fields:
+                continue
+            field_prefix = self.raw_log_field_pattern.format(field=mapped_field)
+            defined_raw_log_fields.append(field_prefix)
+        return "\n".join(defined_raw_log_fields)
+
     def _generate_from_tokenized_query_container(self, query_container: TokenizedQueryContainer) -> str:
         queries_map = {}
         source_mappings = self._get_source_mappings(query_container.meta_info.source_mapping_ids)
 
         for source_mapping in source_mappings:
             prefix = self.generate_prefix(source_mapping.log_source_signature)
+            if source_mapping.raw_log_fields:
+                defined_raw_log_fields = self.generate_raw_log_fields(
+                    fields=query_container.meta_info.query_fields, source_mapping=source_mapping
+                )
+                prefix += f"\n{defined_raw_log_fields}\n"
             result = self.generate_query(tokens=query_container.tokens, source_mapping=source_mapping)
             rendered_functions = self.generate_functions(query_container.functions.functions, source_mapping)
             not_supported_functions = query_container.functions.not_supported + rendered_functions.not_supported
 
@@ -3,4 +3,18 @@ source: default
 
 
 default_log_source:
-  datamodel: datamodel
+  datamodel: datamodel
+
+
+field_mapping:
+  CommandLine: xdm.target.process.command_line
+  Image:
+    - xdm.target.process.name
+    - xdm.source.process.name
+  ParentCommandLine: xdm.source.process.command_line
+  ParentImage: xdm.source.process.name
+  User: xdm.source.user.username
+  TargetFilename: xdm.target.file.filename
+  TargetImage: xdm.target.process.name
+  SourceImage: xdm.source.process.name
+  EventID: action_evtlog_event_id
@@ -20,16 +20,16 @@ field_mapping:
   SourceIp:
     - action_local_ip
     - action_remote_ip
-  dst_ip:
+  dst-ip:
     - action_local_ip
     - action_remote_ip
-  dst_port:
+  dst-port:
     - action_local_port
     - action_remote_port
-  src_ip:
+  src-ip:
     - action_local_ip
     - action_remote_ip
-  src_port:
+  src-port:
     - action_local_port
     - action_remote_port
   Protocol: action_network_protocol
 
@@ -0,0 +1,24 @@
+platform: Palo Alto XSIAM
+source: windows_application
+
+default_log_source:
+  dataset: microsoft_windows_raw
+
+field_mapping:
+  EventID: action_evtlog_event_id
+
+raw_log_fields:
+  - src_ip
+  - source
+  - additional_information
+  - EventData
+  - Channel
+  - statement
+  - Faulting application path
+  - object_name
+  - class_type
+  - action_id
+  - Provider_Name
+  - Data
+  - Message
+  - Level
@@ -0,0 +1,19 @@
+platform: Palo Alto XSIAM
+source: windows_powershell
+
+
+default_log_source:
+  dataset: microsoft_windows_raw
+
+field_mapping:
+  EventID: action_evtlog_event_id
+
+
+raw_log_fields:
+  - CommandLine
+  - ScriptBlockText
+  - Payload
+  - HostApplication
+  - ContextInfo
+  - HostName
+  - EngineVersion