add alt mapping to microsoft_sentinel parser

nazargesyk · nazargesyk · commit 66fcaa7304c7 · 2025-01-07T10:56:57.000+02:00
diff --git a/uncoder-core/app/translator/core/mapping.py b/uncoder-core/app/translator/core/mapping.py
@@ -186,6 +186,28 @@ def get_source_mappings_by_fields_and_log_sources(
 
         return by_log_sources_and_fields or by_fields or [self._source_mappings[DEFAULT_MAPPING_NAME]]
 
+    def get_alt_source_mappings_by_fields_and_log_sources(
+        self, field_names: list[str], log_sources: dict[str, list[Union[int, str]]], alt_mapping: str
+    ) -> list[SourceMapping]:
+        by_log_sources_and_fields = []
+        by_fields = []
+        for source_mapping in self._alternative_mappings.get(alt_mapping).values():
+            if source_mapping.source_id == DEFAULT_MAPPING_NAME:
+                continue
+
+            if source_mapping.fields_mapping.is_suitable(field_names):
+                by_fields.append(source_mapping)
+
+                log_source_signature: LogSourceSignature = source_mapping.log_source_signature
+                if log_source_signature and log_source_signature.is_suitable(**log_sources):
+                    by_log_sources_and_fields.append(source_mapping)
+
+        return (
+            by_log_sources_and_fields
+            or by_fields
+            or [self._alternative_mappings.get(alt_mapping)[DEFAULT_MAPPING_NAME]]
+        )
+
     def get_source_mapping(self, source_id: str) -> Optional[SourceMapping]:
         return self._source_mappings.get(source_id)
 
diff --git a/uncoder-core/app/translator/core/parser.py b/uncoder-core/app/translator/core/parser.py
@@ -24,7 +24,7 @@
 from app.translator.core.exceptions.parser import TokenizerGeneralException
 from app.translator.core.functions import PlatformFunctions
 from app.translator.core.mapping import BasePlatformMappings, SourceMapping
-from app.translator.core.models.functions.base import Function
+from app.translator.core.models.functions.base import Function, ParsedFunctions
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import RawQueryContainer, TokenizedQueryContainer
 from app.translator.core.models.query_tokens.field import Field
@@ -51,6 +51,9 @@ def parse_raw_query(self, text: str, language: str) -> RawQueryContainer:
     def parse(self, raw_query_container: RawQueryContainer) -> TokenizedQueryContainer:
         raise NotImplementedError("Abstract method")
 
+    def _parse_query(self, query: str) -> tuple[str, dict[str, Union[list[str], list[int]]], Optional[ParsedFunctions]]:
+        raise NotImplementedError("Abstract method")
+
 
 class PlatformQueryParser(QueryParser, ABC):
     mappings: BasePlatformMappings = None
@@ -80,11 +83,24 @@ def get_field_tokens(
         return query_field_tokens, function_field_tokens, function_field_tokens_map
 
     def get_source_mappings(
-        self, field_tokens: list[Field], log_sources: dict[str, list[Union[int, str]]]
+        self,
+        field_tokens: list[Field],
+        log_sources: dict[str, list[Union[int, str]]],
+        alt_mapping: Optional[str] = None,
     ) -> list[SourceMapping]:
         field_names = [field.source_name for field in field_tokens]
-        source_mappings = self.mappings.get_source_mappings_by_fields_and_log_sources(
-            field_names=field_names, log_sources=log_sources
-        )
+        if alt_mapping:
+            source_mappings = self.mappings.get_alt_source_mappings_by_fields_and_log_sources(
+                field_names=field_names, log_sources=log_sources, alt_mapping=alt_mapping
+            )
+        else:
+            source_mappings = self.mappings.get_source_mappings_by_fields_and_log_sources(
+                field_names=field_names, log_sources=log_sources
+            )
         self.tokenizer.set_field_tokens_generic_names_map(field_tokens, source_mappings, self.mappings.default_mapping)
         return source_mappings
+
+    def get_source_mapping_ids_by_logsources(self, query: str) -> Optional[list[str]]:
+        _, parsed_logsources, _ = self._parse_query(query=query)
+        if parsed_logsources:
+            return self.mappings.get_source_mappings_by_log_sources(parsed_logsources)
diff --git a/uncoder-core/app/translator/platforms/microsoft/parsers/microsoft_sentinel.py b/uncoder-core/app/translator/platforms/microsoft/parsers/microsoft_sentinel.py
@@ -16,6 +16,7 @@
 -----------------------------------------------------------------
 """
 
+from typing import Optional, Union
 
 from app.translator.core.models.functions.base import ParsedFunctions
 from app.translator.core.models.platform_details import PlatformDetails
@@ -37,7 +38,7 @@ class MicrosoftSentinelQueryParser(PlatformQueryParser):
 
     wrapped_with_comment_pattern = r"^\s*//.*(?:\n|$)"
 
-    def _parse_query(self, query: str) -> tuple[str, dict[str, list[str]], ParsedFunctions]:
+    def _parse_query(self, query: str) -> tuple[str, dict[str, Union[list[str], list[int]]], Optional[ParsedFunctions]]:
         table, query, functions = self.platform_functions.parse(query)
         log_sources = {"table": [table]}
         return query, log_sources, functions
@@ -48,7 +49,11 @@ def parse(self, raw_query_container: RawQueryContainer) -> TokenizedQueryContain
         query_field_tokens, function_field_tokens, function_field_tokens_map = self.get_field_tokens(
             query_tokens, functions.functions
         )
-        source_mappings = self.get_source_mappings(query_field_tokens + function_field_tokens, log_sources)
+        source_mappings = self.get_source_mappings(
+            field_tokens = query_field_tokens + function_field_tokens,
+            log_sources=log_sources,
+            alt_mapping=raw_query_container.meta_info.source_alt_mapping
+        )
         meta_info = raw_query_container.meta_info
         meta_info.query_fields = query_field_tokens
         meta_info.function_fields = function_field_tokens
diff --git a/uncoder-core/app/translator/translator.py b/uncoder-core/app/translator/translator.py
@@ -105,7 +105,11 @@ def __translate_one(
         target_alt_mapping: Optional[str] = None,
     ) -> (bool, str):
         status, parsed_data = self.__parse_incoming_data(
-            text=text, source=source, target=target, source_alt_mapping=source_alt_mapping, target_alt_mapping=target_alt_mapping
+            text=text,
+            source=source,
+            target=target,
+            source_alt_mapping=source_alt_mapping,
+            target_alt_mapping=target_alt_mapping,
         )
         if not status:
             return status, parsed_data
@@ -149,9 +153,19 @@ def translate_one(
         target_alt_mapping: Optional[str] = None,
     ) -> (bool, str):
         if source == target:
+            if target_alt_mapping or source_alt_mapping:
+                message = (
+                    "Currently, Uncoder doesn't support translation between "
+                    "non-default data schemas of the same platform."
+                )
+                return False, message
             return True, text
         return self.__translate_one(
-            text=text, source=source, target=target, source_alt_mapping=source_alt_mapping, target_alt_mapping=target_alt_mapping
+            text=text,
+            source=source,
+            target=target,
+            source_alt_mapping=source_alt_mapping,
+            target_alt_mapping=target_alt_mapping,
         )
 
     def translate_all(self, text: str, source: str) -> list[dict]:
