From 0d550b393a612025d93d773651f736e5985e89d2 Mon Sep 17 00:00:00 2001 From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com> Date: Wed, 19 Jun 2024 16:23:13 +0300 Subject: [PATCH 1/6] gis-8085 Improve StrictPlatformException --- .../app/translator/core/exceptions/core.py | 22 ++++++++++++++----- uncoder-core/app/translator/core/render.py | 10 ++++++++- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/uncoder-core/app/translator/core/exceptions/core.py b/uncoder-core/app/translator/core/exceptions/core.py index 68c66962..a8219985 100644 --- a/uncoder-core/app/translator/core/exceptions/core.py +++ b/uncoder-core/app/translator/core/exceptions/core.py @@ -1,14 +1,24 @@ -class NotImplementedException(BaseException): - ... +from typing import Optional -class BasePlatformException(BaseException): - ... +class NotImplementedException(BaseException): ... + + +class BasePlatformException(BaseException): ... class StrictPlatformException(BasePlatformException): - def __init__(self, platform_name: str, field_name: str): - message = f"Platform {platform_name} has strict mapping. Source field {field_name} has no mapping." + field_name = None + + def __init__( + self, platform_name: str, field_name: str, mapping: str = "default", detected_fields: Optional[list] = None + ): + message = ( + f"Platform {platform_name} has strict mapping. " + f"Source fields: {', '.join(detected_fields) if detected_fields else field_name} has no mapping." + f" Mapping file: {mapping}." if mapping else "" + ) + self.field_name = field_name super().__init__(message) diff --git a/uncoder-core/app/translator/core/render.py b/uncoder-core/app/translator/core/render.py index 055ce889..846396bf 100644 --- a/uncoder-core/app/translator/core/render.py +++ b/uncoder-core/app/translator/core/render.py 
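Review bot: The `if mapping else ""` on the last line of the `message` expression governs the whole concatenated literal, not only the mapping suffix: adjacent f-string literals are joined at parse time into one atom, so any call with a falsy `mapping` produces an empty message (with this patch's default of "default" that needs a caller to pass an empty value; patch 2's hunk changes the default to None, after which every plain `StrictPlatformException(platform, field)` raise carries no text at all). Concatenate the optional part explicitly: `+ (f" Mapping file: {mapping}." if mapping else "")`. `', '.join(detected_fields)` also requires every element to be a `str`, which `Optional[list]` does not say; `Optional[list[str]]` would. A one-line docstring stating that `field_name` is the single unmapped source field and `detected_fields`, when given, is the aggregated list would help the caller in render.py that reads `err.field_name`.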
@@ -262,8 +262,16 @@ def apply_token(self, token: Union[FieldValue, Keyword, Identifier], source_mapp def generate_query(self, tokens: list[TOKEN_TYPE], source_mapping: SourceMapping) -> str: result_values = [] + not_found_mapping_fields = set() for token in tokens: - result_values.append(self.apply_token(token=token, source_mapping=source_mapping)) + try: + result_values.append(self.apply_token(token=token, source_mapping=source_mapping)) + except StrictPlatformException as err: + not_found_mapping_fields.add(err.field_name) + if not_found_mapping_fields: + raise StrictPlatformException( + self.details.name, "", source_mapping.source_id, list(not_found_mapping_fields) + ) return "".join(result_values) def wrap_query_with_meta_info(self, meta_info: MetaInfoContainer, query: str) -> str: From 0caf55b8ee9d673c56472d450833c4e17eed9814 Mon Sep 17 00:00:00 2001 From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com> Date: Wed, 19 Jun 2024 16:28:40 +0300 Subject: [PATCH 2/6] gis-8085 Improve StrictPlatformException --- uncoder-core/app/translator/core/exceptions/core.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uncoder-core/app/translator/core/exceptions/core.py b/uncoder-core/app/translator/core/exceptions/core.py index a8219985..ab391bbb 100644 --- a/uncoder-core/app/translator/core/exceptions/core.py +++ b/uncoder-core/app/translator/core/exceptions/core.py @@ -11,7 +11,7 @@ class StrictPlatformException(BasePlatformException): field_name = None def __init__( - self, platform_name: str, field_name: str, mapping: str = "default", detected_fields: Optional[list] = None + self, platform_name: str, field_name: str, mapping: str = None, detected_fields: Optional[list] = None ): message = ( f"Platform {platform_name} has strict mapping. " From 8f1d1450485c9bf43a20220aa8a7bf71e024c3f0 Mon Sep 17 00:00:00 2001 
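Review bot: The aggregated exception raised after the loop is constructed with `""` as `field_name`, so its own `field_name` attribute is an empty string; should `generate_query` ever be wrapped by another handler that collects `err.field_name` the way this hunk does, that handler would add `""` to its set. Passing the four arguments by keyword would make the placeholder visible and the call readable: `raise StrictPlatformException(platform_name=self.details.name, field_name="", mapping=source_mapping.source_id, detected_fields=sorted(not_found_mapping_fields))`. The per-token exception is caught and discarded, so the re-raised error has no `__context__`; if the original traceback matters for debugging, keep the last caught error and raise `from` it.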
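Review bot: `mapping: str = None` annotates the parameter as `str` while its default is not one; the file already imports `Optional`, so this should read `mapping: Optional[str] = None`. Patch 5's hunk introduces the same mismatch on the class attribute, `field_name: str = None`, which should be `field_name: Optional[str] = None`.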
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com> Date: Fri, 21 Jun 2024 10:05:17 +0300 Subject: [PATCH 3/6] TDM-8085 fix errors --- uncoder-core/app/translator/core/render.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uncoder-core/app/translator/core/render.py b/uncoder-core/app/translator/core/render.py index 846396bf..6c475655 100644 --- a/uncoder-core/app/translator/core/render.py +++ b/uncoder-core/app/translator/core/render.py @@ -270,7 +270,7 @@ def generate_query(self, tokens: list[TOKEN_TYPE], source_mapping: SourceMapping not_found_mapping_fields.add(err.field_name) if not_found_mapping_fields: raise StrictPlatformException( - self.details.name, "", source_mapping.source_id, list(not_found_mapping_fields) + self.details.name, "", source_mapping.source_id, sorted(list(not_found_mapping_fields)) ) return "".join(result_values) From 716329e884c7c39bb1bbe204d28566883549b2c5 Mon Sep 17 00:00:00 2001 From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com> Date: Tue, 25 Jun 2024 11:14:54 +0300 Subject: [PATCH 4/6] Merge branch 'refs/heads/prod' into gis-8085 # Conflicts: # app/translator/core/exceptions/core.py --- uncoder-core/app/translator/core/exceptions/core.py | 6 ++++-- uncoder-core/app/translator/core/render.py | 10 +++++++--- .../mappings/platforms/palo_alto_cortex/default.yml | 1 + .../translator/mappings/platforms/qradar/default.yml | 3 ++- .../platforms/palo_alto/renders/cortex_xsiam.py | 1 + 5 files changed, 15 insertions(+), 6 deletions(-) diff --git a/uncoder-core/app/translator/core/exceptions/core.py b/uncoder-core/app/translator/core/exceptions/core.py index ab391bbb..9fca85b5 100644 --- a/uncoder-core/app/translator/core/exceptions/core.py +++ b/uncoder-core/app/translator/core/exceptions/core.py 
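Review bot: `sorted(list(not_found_mapping_fields))` copies the set into a list only for `sorted` to copy it again; `sorted` accepts any iterable, so `sorted(not_found_mapping_fields)` is equivalent (ruff C414). Making the order deterministic is the right call, since the message is otherwise set-ordered and hard to assert on in tests.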
@@ -1,10 +1,12 @@ from typing import Optional -class NotImplementedException(BaseException): ... +class NotImplementedException(BaseException): + ... -class BasePlatformException(BaseException): ... +class BasePlatformException(BaseException): + ... class StrictPlatformException(BasePlatformException): diff --git a/uncoder-core/app/translator/core/render.py b/uncoder-core/app/translator/core/render.py index 6c475655..8680ebff 100644 --- a/uncoder-core/app/translator/core/render.py +++ b/uncoder-core/app/translator/core/render.py @@ -197,6 +197,7 @@ class PlatformQueryRender(QueryRender): not_token = "not" group_token = "(%s)" + query_parts_delimiter = " " field_value_map = BaseQueryFieldValue(or_token=or_token) @@ -292,6 +293,10 @@ def wrap_query_with_meta_info(self, meta_info: MetaInfoContainer, query: str) -> def _finalize_search_query(query: str) -> str: return query + def _join_query_parts(self, prefix: str, query: str, functions: str) -> str: + parts = filter(lambda s: bool(s), map(str.strip, [prefix, self._finalize_search_query(query), functions])) + return self.query_parts_delimiter.join(parts) + def finalize_query( self, prefix: str, @@ -303,8 +308,7 @@ def finalize_query( *args, # noqa: ARG002 **kwargs, # noqa: ARG002 ) -> str: - parts = filter(lambda s: bool(s), map(str.strip, [prefix, self._finalize_search_query(query), functions])) - query = " ".join(parts) + query = self._join_query_parts(prefix, query, functions) query = self.wrap_query_with_meta_info(meta_info=meta_info, query=query) if not_supported_functions: rendered_not_supported = self.render_not_supported_functions(not_supported_functions) 
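Review bot: In `_join_query_parts`, `filter(lambda s: bool(s), ...)` is the identity predicate; `filter(None, ...)` does the same without a Python-level call per element: `parts = filter(None, map(str.strip, [prefix, self._finalize_search_query(query), functions]))`. The new method has no docstring; one line such as `"""Strip prefix, finalized query and functions, drop empty parts and join them with query_parts_delimiter."""` would record the contract, in particular that the delimiter is the class attribute added in the `@@ -197` hunk of this file and overridden to a newline by `CortexXQLQueryRender` in the cortex_xsiam.py hunk. It is also worth noting in that docstring that `_finalize_search_query` is applied only to the middle argument, since `finalize_query` now delegates to this helper.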
@@ -391,7 +395,7 @@ def _generate_from_tokenized_query_container(self, query_container: TokenizedQue defined_raw_log_fields = self.generate_raw_log_fields( fields=query_container.meta_info.query_fields, source_mapping=source_mapping ) - prefix += f"\n{defined_raw_log_fields}\n" + prefix += f"\n{defined_raw_log_fields}" result = self.generate_query(tokens=query_container.tokens, source_mapping=source_mapping) except StrictPlatformException as err: errors.append(err) diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml index f6b25023..fa904aaf 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml @@ -125,3 +125,4 @@ field_mapping: SourceOS: xdm.source.host.os DestinationOS: xdm.target.host.os url_category: xdm.network.http.url_category + EventSeverity: xdm.alert.severity diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml index 6e798034..215bfb73 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml @@ -64,4 +64,5 @@ field_mapping: DestinationOS: DestinationOS TargetUserName: DestinationUserName SourceUserName: SourceUserName - url_category: XForceCategoryByURL \ No newline at end of file + url_category: XForceCategoryByURL + EventSeverity: EventSeverity \ No newline at end of file diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py index 72a2737b..54f50916 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py +++ b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py 
@@ -147,6 +147,7 @@ class CortexXQLQueryRender(PlatformQueryRender): or_token = "or" and_token = "and" not_token = "not" + query_parts_delimiter = "\n" field_value_map = CortexXQLFieldValue(or_token=or_token) comment_symbol = "//" From f7db612c08642918207468e2dfdfa3f60419dd16 Mon Sep 17 00:00:00 2001 From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com> Date: Tue, 25 Jun 2024 11:26:01 +0300 Subject: [PATCH 5/6] gis-8085 fix --- uncoder-core/app/translator/core/exceptions/core.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uncoder-core/app/translator/core/exceptions/core.py b/uncoder-core/app/translator/core/exceptions/core.py index 9fca85b5..75af5d6e 100644 --- a/uncoder-core/app/translator/core/exceptions/core.py +++ b/uncoder-core/app/translator/core/exceptions/core.py @@ -10,7 +10,7 @@ class BasePlatformException(BaseException): class StrictPlatformException(BasePlatformException): - field_name = None + field_name: str = None def __init__( self, platform_name: str, field_name: str, mapping: str = None, detected_fields: Optional[list] = None From 3c5b2adc27c704eb826ec3fee7bb6c59fc47f33f Mon Sep 17 00:00:00 2001 From: Nazar Gesyk Date: Tue, 25 Jun 2024 11:56:09 +0300 Subject: [PATCH 6/6] Improve mapping --- .../app/translator/mappings/platforms/qradar/default.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml index 215bfb73..23e8b1bd 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml @@ -13,9 +13,12 @@ field_mapping: dst-port: - DstPort - DestinationPort + - remoteport dst-hostname: DstHost src-hostname: SrcHost - src-port: SourcePort + src-port: + - SourcePort + - localport src-ip: - sourceip - source_ip 
@@ -27,6 +30,7 @@ field_mapping: - destination_ip - destinationIP - destinationaddress + - destination User: - userName - EventUserName pFad - Phonifier reborn
