UncoderIO · alexvolha · Sep 25, 2024 · Sep 17, 2024 · Sep 24, 2024 · Sep 25, 2024
diff --git a/uncoder-core/app/translator/core/exceptions/core.py b/uncoder-core/app/translator/core/exceptions/core.py
@@ -17,6 +17,12 @@ def __init__(self, platform_name: str, fields: list[str], mapping: Optional[str]
         super().__init__(message)
 
 
+class UnsupportedMappingsException(BasePlatformException):
+    def __init__(self, platform_name: str, mappings: list[str]):
+        message = f"Platform {platform_name} does not support these mappings: {mappings}."
+        super().__init__(message)
+
+
 class StrictPlatformFieldException(BasePlatformException):
     def __init__(self, platform_name: str, field_name: str):
         message = f"Source field `{field_name}` has no mapping for platform {platform_name}."

diff --git a/uncoder-core/app/translator/core/mapping.py b/uncoder-core/app/translator/core/mapping.py
@@ -3,7 +3,7 @@
 from abc import ABC, abstractmethod
 from typing import TYPE_CHECKING, Optional, TypeVar, Union
 
-from app.translator.core.exceptions.core import StrictPlatformException
+from app.translator.core.exceptions.core import StrictPlatformException, UnsupportedMappingsException
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.mappings.utils.load_from_files import LoaderFileMappings
 
@@ -116,7 +116,7 @@ def prepare_mapping(self) -> dict[str, SourceMapping]:
         default_mapping = SourceMapping(source_id=DEFAULT_MAPPING_NAME)
         for mapping_dict in self._loader.load_platform_mappings(self._platform_dir):
             log_source_signature = self.prepare_log_source_signature(mapping=mapping_dict)
-            if (source_id := mapping_dict.get("source")) == DEFAULT_MAPPING_NAME:
+            if (source_id := mapping_dict["source"]) == DEFAULT_MAPPING_NAME:
                 default_mapping.log_source_signature = log_source_signature
                 if self.skip_load_default_mappings:
                     continue
@@ -152,7 +152,7 @@ def prepare_fields_mapping(field_mapping: dict) -> FieldsMapping:
     def prepare_log_source_signature(self, mapping: dict) -> LogSourceSignature:
         raise NotImplementedError("Abstract method")
 
-    def get_suitable_source_mappings(
+    def get_source_mappings_by_fields_and_log_sources(
         self, field_names: list[str], log_sources: dict[str, list[Union[int, str]]]
     ) -> list[SourceMapping]:
         by_log_sources_and_fields = []
@@ -170,6 +170,17 @@ def get_suitable_source_mappings(
 
         return by_log_sources_and_fields or by_fields or [self._source_mappings[DEFAULT_MAPPING_NAME]]
 
+    def get_source_mappings_by_ids(self, source_mapping_ids: list[str]) -> list[SourceMapping]:
+        source_mappings = []
+        for source_mapping_id in source_mapping_ids:
+            if source_mapping := self.get_source_mapping(source_mapping_id):
+                source_mappings.append(source_mapping)
+
+        if not source_mappings:
+            source_mappings = [self.get_source_mapping(DEFAULT_MAPPING_NAME)]
+
+        return source_mappings
+
     def get_source_mapping(self, source_id: str) -> Optional[SourceMapping]:
         return self._source_mappings.get(source_id)
 
@@ -218,3 +229,18 @@ def prepare_mapping(self) -> dict[str, SourceMapping]:
             )
 
         return source_mappings
+
+
+class BaseStrictLogSourcesPlatformMappings(ABC, BasePlatformMappings):
+    def get_source_mappings_by_ids(self, source_mapping_ids: list[str]) -> list[SourceMapping]:
+        source_mappings = []
+        for source_mapping_id in source_mapping_ids:
+            if source_mapping_id == DEFAULT_MAPPING_NAME:
+                continue
+            if source_mapping := self.get_source_mapping(source_mapping_id):
+                source_mappings.append(source_mapping)
+
+        if not source_mappings:
+            raise UnsupportedMappingsException(platform_name=self.details.name, mappings=source_mapping_ids)
+
+        return source_mappings
diff --git a/uncoder-core/app/translator/core/parser.py b/uncoder-core/app/translator/core/parser.py
@@ -80,6 +80,8 @@ def get_source_mappings(
         self, field_tokens: list[Field], log_sources: dict[str, list[Union[int, str]]]
     ) -> list[SourceMapping]:
         field_names = [field.source_name for field in field_tokens]
-        source_mappings = self.mappings.get_suitable_source_mappings(field_names=field_names, log_sources=log_sources)
+        source_mappings = self.mappings.get_source_mappings_by_fields_and_log_sources(
+            field_names=field_names, log_sources=log_sources
+        )
         self.tokenizer.set_field_tokens_generic_names_map(field_tokens, source_mappings, self.mappings.default_mapping)
         return source_mappings
diff --git a/uncoder-core/app/translator/core/render.py b/uncoder-core/app/translator/core/render.py
@@ -31,7 +31,7 @@
 from app.translator.core.exceptions.parser import UnsupportedOperatorException
 from app.translator.core.exceptions.render import UnsupportedRenderMethod
 from app.translator.core.functions import PlatformFunctions
-from app.translator.core.mapping import DEFAULT_MAPPING_NAME, BasePlatformMappings, LogSourceSignature, SourceMapping
+from app.translator.core.mapping import BasePlatformMappings, LogSourceSignature, SourceMapping
 from app.translator.core.models.functions.base import Function, RenderedFunctions
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer, RawQueryContainer, TokenizedQueryContainer
@@ -384,17 +384,6 @@ def finalize(self, queries_map: dict[str, str]) -> str:
 
         return result
 
-    def _get_source_mappings(self, source_mapping_ids: list[str]) -> Optional[list[SourceMapping]]:
-        source_mappings = []
-        for source_mapping_id in source_mapping_ids:
-            if source_mapping := self.mappings.get_source_mapping(source_mapping_id):
-                source_mappings.append(source_mapping)
-
-        if not source_mappings:
-            source_mappings = [self.mappings.get_source_mapping(DEFAULT_MAPPING_NAME)]
-
-        return source_mappings
-
     def generate_from_raw_query_container(self, query_container: RawQueryContainer) -> str:
         return self.finalize_query(
             prefix="", query=query_container.query, functions="", meta_info=query_container.meta_info
@@ -464,7 +453,7 @@ def _generate_from_tokenized_query_container_by_source_mapping(
     def generate_from_tokenized_query_container(self, query_container: TokenizedQueryContainer) -> str:
         queries_map = {}
         errors = []
-        source_mappings = self._get_source_mappings(query_container.meta_info.source_mapping_ids)
+        source_mappings = self.mappings.get_source_mappings_by_ids(query_container.meta_info.source_mapping_ids)
 
         for source_mapping in source_mappings:
             try:

diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/default.yml
@@ -0,0 +1,6 @@
+platform: Palo Alto Cortex XDR
+source: default
+
+
+default_log_source:
+  datamodel: datamodel
diff --git a/...rms/palo_alto_cortex/linux_file_event.yml → ...palo_alto_cortex_xdr/linux_file_event.yml b/...rms/palo_alto_cortex/linux_file_event.yml → ...palo_alto_cortex_xdr/linux_file_event.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: linux_file_event
 
 log_source:

diff --git a/...lo_alto_cortex/linux_process_creation.yml → ...lto_cortex_xdr/linux_process_creation.yml b/...lo_alto_cortex/linux_process_creation.yml → ...lto_cortex_xdr/linux_process_creation.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: linux_process_creation
 
 log_source:

diff --git a/...rms/palo_alto_cortex/macos_file_event.yml → ...palo_alto_cortex_xdr/macos_file_event.yml b/...rms/palo_alto_cortex/macos_file_event.yml → ...palo_alto_cortex_xdr/macos_file_event.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: macos_file_event
 
 log_source:

diff --git a/...lo_alto_cortex/macos_process_creation.yml → ...lto_cortex_xdr/macos_process_creation.yml b/...lo_alto_cortex/macos_process_creation.yml → ...lto_cortex_xdr/macos_process_creation.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: macos_process_creation
 
 log_source:

diff --git a/...s/palo_alto_cortex/windows_file_event.yml → ...lo_alto_cortex_xdr/windows_file_event.yml b/...s/palo_alto_cortex/windows_file_event.yml → ...lo_alto_cortex_xdr/windows_file_event.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: windows_file_event
 
 log_source:

diff --git a/..._alto_cortex/windows_process_creation.yml → ...o_cortex_xdr/windows_process_creation.yml b/..._alto_cortex/windows_process_creation.yml → ...o_cortex_xdr/windows_process_creation.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: windows_process_creation
 
 log_source:

diff --git a/...lo_alto_cortex/windows_registry_event.yml → ...lto_cortex_xdr/windows_registry_event.yml b/...lo_alto_cortex/windows_registry_event.yml → ...lto_cortex_xdr/windows_registry_event.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: windows_registry_event
 
 log_source:

diff --git a/...atforms/palo_alto_cortex/apache_httpd.yml → ...s/palo_alto_cortex_xsiam/apache_httpd.yml b/...atforms/palo_alto_cortex/apache_httpd.yml → ...s/palo_alto_cortex_xsiam/apache_httpd.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: apache_httpd
 
 

diff --git a/...tforms/palo_alto_cortex/apache_tomcat.yml → .../palo_alto_cortex_xsiam/apache_tomcat.yml b/...tforms/palo_alto_cortex/apache_tomcat.yml → .../palo_alto_cortex_xsiam/apache_tomcat.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: apache_tomcat
 
 

diff --git a/...forms/palo_alto_cortex/aws_cloudtrail.yml → ...palo_alto_cortex_xsiam/aws_cloudtrail.yml b/...forms/palo_alto_cortex/aws_cloudtrail.yml → ...palo_alto_cortex_xsiam/aws_cloudtrail.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: aws_cloudtrail
 
 

diff --git a/...gs/platforms/palo_alto_cortex/aws_eks.yml → ...tforms/palo_alto_cortex_xsiam/aws_eks.yml b/...gs/platforms/palo_alto_cortex/aws_eks.yml → ...tforms/palo_alto_cortex_xsiam/aws_eks.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: aws_eks
 
 

diff --git a/...azure_aadnoninteractiveusersigninlogs.yml → ...azure_aadnoninteractiveusersigninlogs.yml b/...azure_aadnoninteractiveusersigninlogs.yml → ...azure_aadnoninteractiveusersigninlogs.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: azure_aadnoninteractiveusersigninlogs
 
 

diff --git a/.../palo_alto_cortex/azure_azureactivity.yml → ...alto_cortex_xsiam/azure_azureactivity.yml b/.../palo_alto_cortex/azure_azureactivity.yml → ...alto_cortex_xsiam/azure_azureactivity.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: azure_azureactivity
 
 

diff --git a/...tforms/palo_alto_cortex/azure_azuread.yml → .../palo_alto_cortex_xsiam/azure_azuread.yml b/...tforms/palo_alto_cortex/azure_azuread.yml → .../palo_alto_cortex_xsiam/azure_azuread.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: azure_azuread
 
 

diff --git a/...platforms/palo_alto_cortex/azure_m365.yml → ...rms/palo_alto_cortex_xsiam/azure_m365.yml b/...platforms/palo_alto_cortex/azure_m365.yml → ...rms/palo_alto_cortex_xsiam/azure_m365.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: azure_m365
 
 

diff --git a/...rms/palo_alto_cortex/azure_signinlogs.yml → ...lo_alto_cortex_xsiam/azure_signinlogs.yml b/...rms/palo_alto_cortex/azure_signinlogs.yml → ...lo_alto_cortex_xsiam/azure_signinlogs.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: azure_signinlogs
 
 

diff --git a/...gs/platforms/palo_alto_cortex/default.yml → ...tforms/palo_alto_cortex_xsiam/default.yml b/...gs/platforms/palo_alto_cortex/default.yml → ...tforms/palo_alto_cortex_xsiam/default.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: default
 
 

diff --git a/...ppings/platforms/palo_alto_cortex/dns.yml → .../platforms/palo_alto_cortex_xsiam/dns.yml b/...ppings/platforms/palo_alto_cortex/dns.yml → .../platforms/palo_alto_cortex_xsiam/dns.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: dns
 
 default_log_source:

diff --git a/...s/platforms/palo_alto_cortex/firewall.yml → ...forms/palo_alto_cortex_xsiam/firewall.yml b/...s/platforms/palo_alto_cortex/firewall.yml → ...forms/palo_alto_cortex_xsiam/firewall.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: firewall
 
 log_source:

diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_file_event.yml
@@ -0,0 +1,29 @@
+platform: Palo Alto Cortex XSIAM
+source: linux_file_event
+
+log_source:
+  preset: xdr_file
+
+default_log_source:
+  preset: xdr_file
+
+field_mapping:
+  TargetFilename: action_file_name
+  SourceFilename: action_file_previous_file_name
+  User: actor_effective_username
+  CommandLine: actor_process_image_command_line
+  Image: actor_process_image_path
+  LogonId: actor_process_logon_id
+  Product: actor_process_signature_product
+  Company: actor_process_signature_vendor
+  IntegrityLevel: actor_process_integrity_level
+  CurrentDirectory: actor_process_cwd
+  ProcessId: actor_process_os_id
+  ParentProcessId: causality_actor_process_os_id
+  ParentCommandLine: causality_actor_process_command_line
+  ParentImage: causality_actor_process_image_path
+  ParentUser: causality_actor_effective_username
+  ParentIntegrityLevel: causality_actor_process_integrity_level
+  ParentLogonId: causality_actor_process_logon_id
+  ParentProduct: causality_actor_process_signature_product
+  ParentCompany: causality_actor_process_signature_vendor
diff --git a/..._alto_cortex/linux_network_connection.yml → ...cortex_xsiam/linux_network_connection.yml b/..._alto_cortex/linux_network_connection.yml → ...cortex_xsiam/linux_network_connection.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: linux_network_connection
 
 log_source:

diff --git a/...-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_process_creation.yml b/...-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_process_creation.yml
@@ -0,0 +1,30 @@
+platform: Palo Alto Cortex XSIAM
+source: linux_process_creation
+
+log_source:
+  preset: xdr_process
+
+default_log_source:
+  preset: xdr_process
+
+field_mapping:
+  User: action_process_username
+  CommandLine: action_process_image_command_line
+  Image: action_process_image_path
+  LogonId: action_process_logon_id
+  Product: action_process_signature_product
+  Company: action_process_signature_vendor
+  IntegrityLevel: action_process_integrity_level
+  CurrentDirectory: action_process_cwd
+  ProcessId: action_process_os_pid
+  ParentProcessId: actor_process_os_pid
+  ParentCommandLine: actor_process_image_command_line
+  ParentImage: actor_process_image_path
+  ParentUser: actor_effective_username
+  ParentIntegrityLevel: actor_process_integrity_level
+  ParentLogonId: actor_process_logon_id
+  ParentProduct: actor_process_signature_product
+  ParentCompany: actor_process_signature_vendor
+  md5: action_process_image_md5
+  sha256: action_process_image_sha256
+  EventID: action_evtlog_event_id
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_file_event.yml
@@ -0,0 +1,29 @@
+platform: Palo Alto Cortex XSIAM
+source: macos_file_event
+
+log_source:
+  preset: xdr_file
+
+default_log_source:
+  preset: xdr_file
+
+field_mapping:
+  TargetFilename: action_file_name
+  SourceFilename: action_file_previous_file_name
+  User: actor_effective_username
+  CommandLine: actor_process_image_command_line
+  Image: actor_process_image_path
+  LogonId: actor_process_logon_id
+  Product: actor_process_signature_product
+  Company: actor_process_signature_vendor
+  IntegrityLevel: actor_process_integrity_level
+  CurrentDirectory: actor_process_cwd
+  ProcessId: actor_process_os_id
+  ParentProcessId: causality_actor_process_os_id
+  ParentCommandLine: causality_actor_process_command_line
+  ParentImage: causality_actor_process_image_path
+  ParentUser: causality_actor_effective_username
+  ParentIntegrityLevel: causality_actor_process_integrity_level
+  ParentLogonId: causality_actor_process_logon_id
+  ParentProduct: causality_actor_process_signature_product
+  ParentCompany: causality_actor_process_signature_vendor
diff --git a/..._alto_cortex/macos_network_connection.yml → ...cortex_xsiam/macos_network_connection.yml b/..._alto_cortex/macos_network_connection.yml → ...cortex_xsiam/macos_network_connection.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: macos_network_connection
 
 log_source:

diff --git a/...-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_process_creation.yml b/...-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_process_creation.yml
@@ -0,0 +1,29 @@
+platform: Palo Alto Cortex XSIAM
+source: macos_process_creation
+
+log_source:
+  preset: xdr_process
+
+default_log_source:
+  preset: xdr_process
+
+field_mapping:
+  User: action_process_username
+  CommandLine: action_process_image_command_line
+  Image: action_process_image_path
+  LogonId: action_process_logon_id
+  Product: action_process_signature_product
+  Company: action_process_signature_vendor
+  IntegrityLevel: action_process_integrity_level
+  CurrentDirectory: action_process_cwd
+  ProcessId: action_process_os_pid
+  ParentProcessId: actor_process_os_pid
+  ParentCommandLine: actor_process_image_command_line
+  ParentImage: actor_process_image_path
+  ParentUser: actor_effective_username
+  ParentIntegrityLevel: actor_process_integrity_level
+  ParentLogonId: actor_process_logon_id
+  ParentProduct: actor_process_signature_product
+  ParentCompany: actor_process_signature_vendor
+  md5: action_process_image_md5
+  sha256: action_process_image_sha256
diff --git a/...latforms/palo_alto_cortex/nginx_nginx.yml → ...ms/palo_alto_cortex_xsiam/nginx_nginx.yml b/...latforms/palo_alto_cortex/nginx_nginx.yml → ...ms/palo_alto_cortex_xsiam/nginx_nginx.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: nginx_nginx
 
 

diff --git a/.../platforms/palo_alto_cortex/okta_okta.yml → ...orms/palo_alto_cortex_xsiam/okta_okta.yml b/.../platforms/palo_alto_cortex/okta_okta.yml → ...orms/palo_alto_cortex_xsiam/okta_okta.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: okta_okta
 
 

diff --git a/...ings/platforms/palo_alto_cortex/proxy.yml → ...latforms/palo_alto_cortex_xsiam/proxy.yml b/...ings/platforms/palo_alto_cortex/proxy.yml → ...latforms/palo_alto_cortex_xsiam/proxy.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: proxy
 
 default_log_source: