Merge branch 'refs/heads/prod' into gis-8085

nazargesyk · nazargesyk · commit 716329e884c7 · 2024-06-25T11:14:54.000+03:00
# Conflicts:
#	app/translator/core/exceptions/core.py
diff --git a/uncoder-core/app/translator/core/exceptions/core.py b/uncoder-core/app/translator/core/exceptions/core.py
@@ -1,10 +1,12 @@
 from typing import Optional
 
 
-class NotImplementedException(BaseException): ...
+class NotImplementedException(BaseException):
+    ...
 
 
-class BasePlatformException(BaseException): ...
+class BasePlatformException(BaseException):
+    ...
 
 
 class StrictPlatformException(BasePlatformException):
diff --git a/uncoder-core/app/translator/core/render.py b/uncoder-core/app/translator/core/render.py
@@ -197,6 +197,7 @@ class PlatformQueryRender(QueryRender):
     not_token = "not"
 
     group_token = "(%s)"
+    query_parts_delimiter = " "
 
     field_value_map = BaseQueryFieldValue(or_token=or_token)
 
@@ -292,6 +293,10 @@ def wrap_query_with_meta_info(self, meta_info: MetaInfoContainer, query: str) ->
     def _finalize_search_query(query: str) -> str:
         return query
 
+    def _join_query_parts(self, prefix: str, query: str, functions: str) -> str:
+        parts = filter(lambda s: bool(s), map(str.strip, [prefix, self._finalize_search_query(query), functions]))
+        return self.query_parts_delimiter.join(parts)
+
     def finalize_query(
         self,
         prefix: str,
@@ -303,8 +308,7 @@ def finalize_query(
         *args,  # noqa: ARG002
         **kwargs,  # noqa: ARG002
     ) -> str:
-        parts = filter(lambda s: bool(s), map(str.strip, [prefix, self._finalize_search_query(query), functions]))
-        query = " ".join(parts)
+        query = self._join_query_parts(prefix, query, functions)
         query = self.wrap_query_with_meta_info(meta_info=meta_info, query=query)
         if not_supported_functions:
             rendered_not_supported = self.render_not_supported_functions(not_supported_functions)
@@ -391,7 +395,7 @@ def _generate_from_tokenized_query_container(self, query_container: TokenizedQue
                     defined_raw_log_fields = self.generate_raw_log_fields(
                         fields=query_container.meta_info.query_fields, source_mapping=source_mapping
                     )
-                    prefix += f"\n{defined_raw_log_fields}\n"
+                    prefix += f"\n{defined_raw_log_fields}"
                 result = self.generate_query(tokens=query_container.tokens, source_mapping=source_mapping)
             except StrictPlatformException as err:
                 errors.append(err)
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
@@ -125,3 +125,4 @@ field_mapping:
   SourceOS: xdm.source.host.os
   DestinationOS: xdm.target.host.os
   url_category: xdm.network.http.url_category
+  EventSeverity: xdm.alert.severity
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -64,4 +64,5 @@ field_mapping:
   DestinationOS: DestinationOS
   TargetUserName: DestinationUserName
   SourceUserName: SourceUserName
-  url_category: XForceCategoryByURL
+  url_category: XForceCategoryByURL
+  EventSeverity: EventSeverity
diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
@@ -147,6 +147,7 @@ class CortexXQLQueryRender(PlatformQueryRender):
     or_token = "or"
     and_token = "and"
     not_token = "not"
+    query_parts_delimiter = "\n"
 
     field_value_map = CortexXQLFieldValue(or_token=or_token)
     comment_symbol = "//"
