
Commit 68d3e0e

authored
Merge pull request #162 from UncoderIO/gis-7956
Gis 7956
2 parents 95e0b6e + 5f2d770 commit 68d3e0e


3 files changed

+33
-1
lines changed


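--- a/uncoder-core/app/translator/core/models/field.py
+++ b/uncoder-core/app/translator/core/models/field.py
@@ -60,6 +60,11 @@ def value(self) -> Union[int, str, StrValue, list[Union[int, str, StrValue]]]:
             return self.values[0]
         return self.values
 
+    @value.setter
+    def value(self, new_value: Union[int, str, StrValue, list[Union[int, str, StrValue]]]) -> None:
+        self.values = []
+        self.__add_value(new_value)
+
     def __add_value(self, value: Optional[Union[int, str, StrValue, list, tuple]]) -> None:
         if value and isinstance(value, (list, tuple)):
             for v in value: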
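Review bot: The new `value` setter has no docstring, and its round trip with the getter is not symmetric: the getter visible at the top of the hunk returns `self.values[0]` when there is a single value and the list otherwise, so assigning a one-element list and reading the property back yields a scalar. A short docstring on the setter would make this explicit, e.g. `"""Replace all stored values; accepts a scalar or a list/tuple (normalised via __add_value), so reading `value` back may return a scalar when a single-element list was assigned."""`. The setter also clears `self.values` before delegating, so assigning `None` or an empty list silently empties the field; `__add_value`'s handling of falsy scalars is outside the hunk, so I cannot confirm what a bare `0` or `""` does here.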

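--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_registry_event.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_registry_event.yml
@@ -28,4 +28,5 @@ field_mapping:
   ParentIntegrityLevel: causality_actor_process_integrity_level
   ParentLogonId: causality_actor_process_logon_id
   ParentProduct: causality_actor_process_signature_product
-  ParentCompany: causality_actor_process_signature_vendor
+  ParentCompany: causality_actor_process_signature_vendor
+  EventType: event_sub_type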

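--- a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
@@ -21,6 +21,9 @@
 
 from app.translator.const import DEFAULT_VALUE_TYPE
 from app.translator.core.custom_types.values import ValueType
+from app.translator.core.mapping import SourceMapping
+from app.translator.core.models.field import FieldValue, Keyword
+from app.translator.core.models.identifier import Identifier
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render import BaseQueryFieldValue, PlatformQueryRender
 from app.translator.core.str_value_manager import StrValue
@@ -34,6 +37,16 @@
 )
 from app.translator.platforms.palo_alto.str_value_manager import cortex_xql_str_value_manager
 
+SOURCE_MAPPING_TO_FIELD_VALUE_MAP = {
+    "windows_registry_event": {
+        "EventType": {
+            "SetValue": "REGISTRY_SET_VALUE",
+            "DeleteValue": "REGISTRY_DELETE_VALUE",
+            "CreateKey": "REGISTRY_CREATE_KEY",
+        }
+    }
+}
+
 
 class CortexXQLFieldValue(BaseQueryFieldValue):
     details: PlatformDetails = cortex_xql_query_details
@@ -173,6 +186,19 @@ def generate_prefix(self, log_source_signature: CortexXQLLogSourceSignature, fun
         functions_prefix = f"{functions_prefix} | " if functions_prefix else ""
         return f"{functions_prefix}{log_source_signature}"
 
+    def apply_token(self, token: Union[FieldValue, Keyword, Identifier], source_mapping: SourceMapping) -> str:
+        if isinstance(token, FieldValue):
+            field_name = token.field.source_name
+            if values_map := SOURCE_MAPPING_TO_FIELD_VALUE_MAP.get(source_mapping.source_id, {}).get(field_name):
+                values_to_update = []
+                for token_value in token.values:
+                    mapped_value: str = values_map.get(token_value, token_value)
+                    values_to_update.append(
+                        StrValue(value=mapped_value, split_value=mapped_value.split()) if mapped_value else token_value
+                    )
+                token.value = values_to_update
+        return super().apply_token(token=token, source_mapping=source_mapping)
+
     @staticmethod
     def _finalize_search_query(query: str) -> str:
         return f"| filter {query}" if query else ""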
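Review bot: In `apply_token`, `mapped_value.split()` is called on whatever `values_map.get(token_value, token_value)` returns, and when the value is not in the map that is the original `token_value`, which per the `FieldValue` type union in field.py may be an `int` or a `StrValue` rather than a plain `str`; a non-zero `int` would raise `AttributeError` here, and the `mapped_value: str` annotation hides that. The unmapped branch also re-wraps every value in a fresh `StrValue`, which presumably discards whatever the value manager had already put into the original `StrValue`; only values that were actually remapped need a new object. Guarding the rewrap, `StrValue(value=mapped_value, split_value=mapped_value.split()) if isinstance(mapped_value, str) and mapped_value != token_value else token_value`, keeps unmapped values untouched. Note too that `token.value = values_to_update` mutates the incoming token in place, so if the same token object is rendered for more than one platform the Cortex-specific values leak into the others — worth a comment or a copy if tokens are shared by the caller, which I cannot confirm from this hunk.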
