
Commit 6a98de3

committed
Merge branch 'prod' into 'gis-9137'
# Conflicts: # app/translator/platforms/arcsight/const.py # app/translator/platforms/arcsight/renders/arcsight_cti.py
1 parent a033392 commit 6a98de3

32 files changed

+846
-8
lines changed
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
from typing import Union
2+
3+
from app.translator.core.const import QUERY_TOKEN_TYPE
4+
from app.translator.core.custom_types.tokens import LogicalOperatorType, OperatorType
5+
from app.translator.core.mapping import SourceMapping
6+
from app.translator.core.models.query_tokens.field_value import FieldValue
7+
from app.translator.core.models.query_tokens.identifier import Identifier
8+
9+
10+
class ExtraConditionMixin:
11+
def generate_extra_conditions(self, source_mapping: SourceMapping) -> list[QUERY_TOKEN_TYPE]:
12+
extra_tokens = []
13+
for field, value in source_mapping.conditions.items():
14+
extra_tokens.extend(
15+
[
16+
FieldValue(source_name=field, operator=Identifier(token_type=OperatorType.EQ), value=value),
17+
Identifier(token_type=LogicalOperatorType.AND),
18+
]
19+
)
20+
return extra_tokens
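Review bot: `Union` is imported on line 1 but never referenced in the module, so it should be dropped (ruff F401) rather than left for a later edit. The list built on lines 13–19 ends with a dangling `AND` identifier after the last condition, which is only well-formed if the caller places the original query tokens after it; that contract is invisible here and belongs in a docstring such as `"""Build `<field> = <value> AND` token pairs from source_mapping.conditions, meant to be prepended to a non-empty token list."""`. Since the mixin shares its method name with a default `generate_extra_conditions` on the render base class elsewhere in this commit, platform renders must list the mixin before that base for the override to take effect; a one-line class comment stating that would save the next maintainer a debugging session.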

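--- a/uncoder-core/app/translator/core/render.py
+++ b/uncoder-core/app/translator/core/render.py
@@ -403,6 +403,9 @@ def process_raw_log_field_prefix(self, field: str, source_mapping: SourceMapping
 if raw_log_field_type := source_mapping.raw_log_fields.get(field):
 return [self.process_raw_log_field(field=field, field_type=raw_log_field_type)]
 
+def generate_extra_conditions(self, source_mapping: SourceMapping) -> list[QUERY_TOKEN_TYPE]: # noqa: ARG002
+return []
+
 def generate_raw_log_fields(self, fields: list[Field], source_mapping: SourceMapping) -> str:
 if not self.raw_log_field_patterns_map:
 return ""
@@ -428,16 +431,23 @@ def _generate_from_tokenized_query_container_by_source_mapping(
 self, query_container: TokenizedQueryContainer, source_mapping: SourceMapping
 ) -> str:
 unmapped_fields = self.mappings.check_fields_mapping_existence(
-query_container.meta_info.query_fields, source_mapping
+query_container.meta_info.query_fields,
+query_container.meta_info.function_fields_map,
+self.platform_functions.manager.supported_render_names,
+source_mapping,
 )
 rendered_functions = self.generate_functions(query_container.functions.functions, source_mapping)
 prefix = self.generate_prefix(source_mapping.log_source_signature, rendered_functions.rendered_prefix)
 
 if source_mapping.raw_log_fields:
 defined_raw_log_fields = self.generate_raw_log_fields(
-fields=query_container.meta_info.query_fields, source_mapping=source_mapping
+fields=query_container.meta_info.query_fields + query_container.meta_info.function_fields,
+source_mapping=source_mapping,
 )
 prefix += f"\n{defined_raw_log_fields}"
+if source_mapping.conditions:
+extra_tokens = self.generate_extra_conditions(source_mapping=source_mapping)
+query_container.tokens = [*extra_tokens, *query_container.tokens]
 query = self.generate_query(tokens=query_container.tokens, source_mapping=source_mapping)
 not_supported_functions = query_container.functions.not_supported + rendered_functions.not_supported
 return self.finalize_query(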
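Review bot: Lines 448–450 rebind `query_container.tokens` in place, so if this method runs once per source mapping against the same container (the `_by_source_mapping` suffix suggests a loop in a caller outside this hunk), every call prepends another copy of the extra conditions and the mutated token list leaks back to the caller. Keeping the prefixed list local avoids that: `extra_tokens = self.generate_extra_conditions(source_mapping=source_mapping) if source_mapping.conditions else []` followed by `query = self.generate_query(tokens=[*extra_tokens, *query_container.tokens], source_mapping=source_mapping)`. The new hook at 406–407 is undocumented; a docstring such as `"""Return tokens to prepend to the query for source_mapping.conditions; the base render contributes none."""` would explain why it ignores its argument instead of relying on the `noqa`. The enclosing method begins in the hunk header's context line and continues past `return self.finalize_query(`.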

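--- a/uncoder-core/app/translator/mappings/platforms/anomali/common.yml
+++ b/uncoder-core/app/translator/mappings/platforms/anomali/proxy.yml
@@ -1,9 +1,19 @@
 platform: Anomali
-description: Common field mapping
+source: proxy
 
 field_mapping:
 c-uri-query: url
 c-useragent: user_agent
+c-uri: url
+cs-method: http_method
+cs-bytes: bytes_out
+cs-referrer: http_referrer
+sc-status: return_code
+
+dns-query: query
+dns-answer: answer
+dns-record: record_type
+
 CommandLine: command_line
 DestinationHostname: dest
 DestinationIp: dest_ip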
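Review bot: The added `c-uri: url` (line 7) sits next to the pre-existing `c-uri-query: url`, so two Sigma fields with different meanings (the full request URI versus only its query string) now render to the same Anomali field; a rule that applies an equals or startswith match to `c-uri-query` will be evaluated against the whole URL and may silently stop matching. If that collapse is intended, a comment above the pair such as `# c-uri and c-uri-query both render to url: query-string-only matches become full-URL matches` would warn rule authors. The same block, including the `dns-*` entries on 13–15 that look out of place under `source: proxy`, is repeated verbatim in the following `source: webserver` file on this page; if the two mappings are meant to stay identical, deriving one from the other would keep them from drifting.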
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
platform: Anomali
2+
source: webserver
3+
4+
field_mapping:
5+
c-uri-query: url
6+
c-useragent: user_agent
7+
c-uri: url
8+
cs-method: http_method
9+
cs-bytes: bytes_out
10+
cs-referrer: http_referrer
11+
sc-status: return_code
12+
13+
dns-query: query
14+
dns-answer: answer
15+
dns-record: record_type
16+
17+
CommandLine: command_line
18+
DestinationHostname: dest
19+
DestinationIp: dest_ip
20+
DestinationPort: dest_port
21+
Details: reg_value_data
22+
dst_ip: dest_ip
23+
dst_port: dest_port
24+
EventID: event_id
25+
EventName: event_name
26+
FileName: file_name
27+
FilePath: file_path
28+
Image: image
29+
NewProcessName: image
30+
OriginalFileName: original_file_name
31+
ParentCommandLine: parent_command_line
32+
ParentImage: parent_image
33+
ParentProcessID: parent_process_id
34+
Platform: platform
35+
ProcessCommandLine: command_line
36+
ProcessID: process_id
37+
SourceImage: parent_image
38+
SourcePort: src_port
39+
TargetFilename: file_name
40+
TargetObject: reg_key
41+
UserAgent: user_agent
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
platform: ArcSight
2+
source: default
3+
4+
5+
default_log_source: {}
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
platform: ArcSight
2+
source: linux_network_connection
3+
4+
5+
default_log_source: {}
6+
7+
8+
field_mapping:
9+
SourceHostname: sourceHostName
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
platform: ArcSight
2+
source: macos_network_connection
3+
4+
5+
default_log_source: {}
6+
7+
8+
field_mapping:
9+
SourceHostname: sourceHostName
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
platform: ArcSight
2+
source: windows_create_remote_thread
3+
4+
5+
default_log_source: {}
6+
7+
8+
field_mapping:
9+
SourceImage: sourceProcessName
10+
TargetImage: destinationProcessName
11+
StartModule: deviceCustomString3
12+
StartAddress: deviceCustomString3
13+
StartFunction: deviceCustomString3
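Review bot: `StartModule`, `StartAddress` and `StartFunction` (lines 11–13) all map to `deviceCustomString3`, so a rule that constrains two of them renders as `deviceCustomString3 = X AND deviceCustomString3 = Y`, which cannot hold on a single-valued field and will silently match nothing, unless ArcSight treats that custom string as multi-valued or the connector concatenates all three into it. A rule on just one of them would match whatever the connector happens to store there, which is not verifiable from this file. If the shared mapping is deliberate, say so next to it: `# StartModule/StartAddress/StartFunction share deviceCustomString3; a rule combining them yields an unsatisfiable AND`.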
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
platform: ArcSight
2+
source: windows_network_connection
3+
4+
5+
default_log_source: {}
6+
7+
8+
field_mapping:
9+
SourceHostname: sourceHostName
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
platform: ArcSight
2+
source: windows_process_creation
3+
4+
5+
default_log_source: {}
6+
7+
8+
field_mapping:
9+
OriginalFileName: oldFileName
