
Commit 9fb67bd

committed
Palo Alto Cortex XSIAM: Add support array of default logsources
1 parent 4f01f62 commit 9fb67bd


3 files changed

+26
-13
lines changed

Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
platform: Palo Alto XSIAM
2+
source: webserver
3+
4+
default_log_source:
5+
dataset: [apache_tomcat_raw, nginx_nginx_raw, apache_tomcat_raw]
6+
7+
field_mapping:
8+
c-uri: xdm.network.http.url
9+
c-useragent: xdm.source.user_agent
10+
cs-method: xdm.network.http.method
11+
cs-bytes: xdm.target.sent_bytes
12+
c-uri-query: xdm.network.http.url
13+
cs-referrer: xdm.network.http.referrer
14+
sc-status: xdm.network.http.response_code
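Review bot: The `dataset` list under `default_log_source` names `apache_tomcat_raw` twice, so the rendered source filter will carry a redundant entry. If a third web-server dataset was intended, it is missing and those logs would fall outside the translated query's scope; otherwise drop the duplicate: `dataset: [apache_tomcat_raw, nginx_nginx_raw]`. Separately, `c-uri` and `c-uri-query` both map to `xdm.network.http.url`; if that is deliberate, a one-line comment such as `# XDM has no separate query-string field; both map to url` would save the next reader from treating it as a copy-paste slip.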

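--- a/uncoder-core/app/translator/platforms/palo_alto/mapping.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/mapping.py
@@ -1,4 +1,4 @@
-from typing import Optional
+from typing import Optional, Union
 
 from app.translator.core.mapping import (
 DEFAULT_MAPPING_NAME,
@@ -18,8 +18,17 @@ def __init__(self, preset: Optional[list[str]], dataset: Optional[list[str]], de
 def is_suitable(self, preset: str, dataset: str) -> bool:
 return preset == self.preset or dataset == self.dataset
 
+def __prepare_log_source_for_render(self, logsource: Union[str, list[str]], model: str = "datamodel") -> str:
+if isinstance(logsource, list):
+return f"{model} in ({', '.join([source for source in logsource])})"
+return f"{model} = {logsource}"
+
 def __str__(self) -> str:
-return self._default_source.get("preset") or self._default_source.get("dataset")
+if preset_data := self._default_source.get("preset"):
+return self.__prepare_log_source_for_render(logsource=preset_data, model="preset")
+if dataset_data := self._default_source.get("dataset"):
+return self.__prepare_log_source_for_render(logsource=dataset_data, model="preset")
+return "datamodel"
 
 
 class CortexXSIAMMappings(BasePlatformMappings):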
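Review bot: The dataset branch of `__str__` passes `model="preset"`, so a mapping that defines only `dataset` renders as `preset in (...)` or `preset = ...` rather than the `dataset = ...` prefix that the removed code in `generate_prefix` produced. The call should read `return self.__prepare_log_source_for_render(logsource=dataset_data, model="dataset")`. In a detection-content translator this matters because a query scoped to the wrong source type will probably error or match nothing, and a rule that matches nothing is easy to mistake for a quiet one. A small test asserting the rendered prefix for a dataset-only default source (string and list) would pin this down; the join can also be simplified to `', '.join(logsource)`. The enclosing class starts outside the hunk.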

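--- a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
@@ -118,14 +118,4 @@ class CortexXQLQueryRender(PlatformQueryRender):
 is_single_line_comment = False
 
 def generate_prefix(self, log_source_signature: CortexXSIAMLogSourceSignature) -> str:
-preset = (
-f"preset = {log_source_signature._default_source.get('preset')}"
-if log_source_signature._default_source.get("preset")
-else None
-)
-dataset = (
-f"dataset = {log_source_signature._default_source.get('dataset')}"
-if log_source_signature._default_source.get("dataset")
-else None
-)
-return preset or dataset or "datamodel"
+return str(log_source_signature)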
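Review bot: `generate_prefix` now returns `str(log_source_signature)`, which makes the signature's `__str__` part of the emitted-query contract without saying so anywhere in this method. Anyone who later adjusts `__str__` for logging or debugging output would silently change every translated XQL query. A comment above the return would make the dependency explicit, for example `# __str__ of the signature is the XQL source prefix: a preset/dataset filter or "datamodel"`. The rest of the class lies outside the hunk.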
