added values transfrom

tarnopolskyi · tarnopolskyi · commit 8f99a55c38bb · 2024-06-19T16:11:37.000+02:00
diff --git a/uncoder-core/app/translator/core/models/field.py b/uncoder-core/app/translator/core/models/field.py
@@ -60,6 +60,11 @@ def value(self) -> Union[int, str, StrValue, list[Union[int, str, StrValue]]]:
             return self.values[0]
         return self.values
 
+    @value.setter
+    def value(self, new_value: Union[int, str, StrValue, list[Union[int, str, StrValue]]]) -> None:
+        self.values = []
+        self.__add_value(new_value)
+
     def __add_value(self, value: Optional[Union[int, str, StrValue, list, tuple]]) -> None:
         if value and isinstance(value, (list, tuple)):
             for v in value:
diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
@@ -21,6 +21,9 @@
 
 from app.translator.const import DEFAULT_VALUE_TYPE
 from app.translator.core.custom_types.values import ValueType
+from app.translator.core.mapping import SourceMapping
+from app.translator.core.models.field import FieldValue, Keyword
+from app.translator.core.models.identifier import Identifier
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render import BaseQueryFieldValue, PlatformQueryRender
 from app.translator.core.str_value_manager import StrValue
@@ -34,6 +37,16 @@
 )
 from app.translator.platforms.palo_alto.str_value_manager import cortex_xql_str_value_manager
 
+SOURCE_MAPPING_TO_FIELD_VALUE_MAP = {
+    "windows_registry_event": {
+        "EventType": {
+            "SetValue": "REGISTRY_SET_VALUE",
+            "DeleteValue": "REGISTRY_DELETE_VALUE",
+            "CreateKey": "REGISTRY_CREATE_KEY",
+        }
+    }
+}
+
 
 class CortexXQLFieldValue(BaseQueryFieldValue):
     details: PlatformDetails = cortex_xql_query_details
@@ -51,12 +64,6 @@ def _get_value_type(field_name: str, value: Union[int, str, StrValue], value_typ
 
     @staticmethod
     def _wrap_str_value(value: str) -> str:
-        if value == "SetValue":
-            return '"REGISTRY_SET_VALUE"'
-        if value == "DeleteValue":
-            return '"REGISTRY_DELETE_VALUE"'
-        if value == "CreateKey":
-            return '"REGISTRY_CREATE_KEY"'
         return f'"{value}"'
 
     def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
@@ -178,3 +185,29 @@ def process_raw_log_field(self, field: str, field_type: str) -> Optional[str]:
     def generate_prefix(self, log_source_signature: CortexXQLLogSourceSignature, functions_prefix: str = "") -> str:
         functions_prefix = f"{functions_prefix} | " if functions_prefix else ""
         return f"{functions_prefix}{log_source_signature}"
+
+    def apply_token(self, token: Union[FieldValue, Keyword, Identifier], source_mapping: SourceMapping) -> str:
+        if (
+            isinstance(token, FieldValue)
+            and source_mapping.source_id in SOURCE_MAPPING_TO_FIELD_VALUE_MAP
+            and token.field.source_name in SOURCE_MAPPING_TO_FIELD_VALUE_MAP[source_mapping.source_id]
+        ):
+            values_to_update = []
+            token_values = token.values
+            for token_value in token_values:
+                if (
+                    isinstance(token_value, str)
+                    and token_value
+                    in SOURCE_MAPPING_TO_FIELD_VALUE_MAP[source_mapping.source_id][token.field.source_name]
+                ):
+                    values_to_update.append(
+                        SOURCE_MAPPING_TO_FIELD_VALUE_MAP[source_mapping.source_id][token.field.source_name][
+                            token_value
+                        ]
+                    )
+                else:
+                    values_to_update.append(token_value)
+            if values_to_update != token_values:
+                token.value = values_to_update
+
+        return super().apply_token(token=token, source_mapping=source_mapping)
