Merge branch 'prod' into 'gis-8504'

# Conflicts:
#   app/translator/platforms/elasticsearch/renders/detection_rule.py

Author: tarnopolskyi

uncoder-core/app/translator/core/render.py

@@ -79,12 +79,21 @@ def _get_value_type(field_name: str, value: Union[int, str, StrValue], value_typ
     def _wrap_str_value(value: str) -> str:
         return value
 
+    @staticmethod
+    def _wrap_int_value(value: int) -> str:
+        return str(value)
+
     @staticmethod
     def _map_bool_value(value: bool) -> str:
         return "true" if value else "false"
 
     def _pre_process_value(
-        self, field: str, value: Union[int, str, StrValue], value_type: str = ValueType.value, wrap_str: bool = False
+        self,
+        field: str,
+        value: Union[int, str, StrValue],
+        value_type: str = ValueType.value,
+        wrap_str: bool = False,
+        wrap_int: bool = False,
     ) -> Union[int, str]:
         value_type = self._get_value_type(field, value, value_type)
         if isinstance(value, StrValue):
@@ -95,6 +104,8 @@ def _pre_process_value(
             return self._wrap_str_value(value) if wrap_str else value
         if isinstance(value, bool):
             return self._map_bool_value(value)
+        if isinstance(value, int):
+            return self._wrap_int_value(value) if wrap_int else value
         return value
 
     def _pre_process_values_list(

uncoder-core/app/translator/mappings/platforms/elasticsearch_esql/azure_mcas.yml

@@ -0,0 +1,301 @@
+platform: ElasticSearch ES|QL
+source: azure_mcas
+log_source:
+  index: [logs-*]
+default_log_source:
+  index: logs-*
+field_mapping:
+  Name: o365.audit.Name
+  ProviderName:
+  - winlog.event_data.ProviderName
+  - winlog.provider_name
+  dns_query_name: dns.question.name
+  EventID: winlog.event_id
+  AccessMask: winlog.event_data.AccessMask
+  AccountName: winlog.event_data.AccountName
+  AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo
+  AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName
+  AttributeValue: winlog.event_data.AttributeValue
+  AuditPolicyChanges: winlog.event_data.AuditPolicyChanges
+  AuthenticationPackageName: winlog.event_data.AuthenticationPackageName
+  CallingProcessName: winlog.event_data.CallingProcessName
+  CallTrace: winlog.event_data.CallTrace
+  Channel: winlog.channel
+  CommandLine: process.command_line.text
+  Command_Line: process.command_line.text
+  Commandline: process.command_line.text
+  commandline: process.command_line.text
+  ScriptBlockText: powershell.file.script_block_text
+  Payload:
+  - powershell.command.invocation_details
+  - winlog.event_data.Payload
+  ComputerName: winlog.ComputerName
+  CurrentDirectory: process.working_directory.text
+  Description: winlog.event_data.Description
+  DestinationHostname:
+  - destination.domain
+  - dns.question.name
+  - dns.question.subdomain
+  DestinationIp: destination.address
+  dst_ip: destination.address
+  DestinationPort: destination.port
+  dst_port: destination.port
+  DestinationPortName: network.protocol
+  Details: winlog.event_data.Details
+  EngineVersion: winlog.event_data.EngineVersion
+  EventType: winlog.event_data.EventType
+  FailureCode: winlog.event_data.FailureCode
+  FileName: file.path.text
+  GrantedAccess: winlog.event_data.GrantedAccess
+  GroupName:
+  - winlog.event_data.GroupName
+  - group.name
+  GroupSid:
+  - group.id
+  - winlog.event_data.GroupSid
+  Hashes: winlog.event_data.Hashes
+  file_hash: winlog.event_data.Hashes
+  HiveName: winlog.event_data.HiveName
+  HostVersion: winlog.event_data.HostVersion
+  Image: process.executable.text
+  ImageLoaded: dll.path
+  ImagePath: winlog.event_data.ImagePath
+  Imphash: winlog.event_data.Imphash
+  IpAddress: source.address
+  ClientAddress:
+  - winlog.event_data.ClientAddress
+  - source.ip
+  IpPort: source.port
+  KeyLength: winlog.event_data.KeyLength
+  LogonProcessName: winlog.event_data.LogonProcessName
+  LogonType: winlog.event_data.LogonType
+  MemberName: winlog.event_data.MemberName
+  MemberSid: winlog.event_data.MemberSid
+  NewProcessName: winlog.event_data.NewProcessName
+  ObjectClass: winlog.event_data.ObjectClass
+  ObjectName: winlog.event_data.ObjectName
+  ObjectType: winlog.event_data.ObjectType
+  ObjectValueName: winlog.event_data.ObjectValueName
+  ParentCommandLine: process.parent.command_line.text
+  ParentProcessName: process.parent.name.text
+  ParentImage: process.parent.executable.text
+  Path: winlog.event_data.Path
+  PipeName: file.name
+  ProcessCommandLine: winlog.event_data.ProcessCommandLine
+  ProcessName: process.executable.text
+  Properties: winlog.event_data.Properties
+  RuleName: winlog.event_data.RuleName
+  RegistryValue: winlog.event_data.RegistryValue
+  SecurityID: winlog.event_data.SecurityID
+  ServiceFileName: winlog.event_data.ServiceFileName
+  ServiceName: winlog.event_data.ServiceName
+  ShareName: winlog.event_data.ShareName
+  Signature: winlog.event_data.Signature
+  Signed: winlog.event_data.Signed
+  Source: winlog.event_data.Source
+  SourceHostname: source.domain
+  SourceImage: process.executable.text
+  SourceIp: source.address
+  src_ip: source.address
+  SourcePort: source.port
+  src_port: source.port
+  StartModule: winlog.event_data.StartModule
+  Status: winlog.event_data.Status
+  SubStatus: winlog.event_data.SubStatus
+  SubjectDomainName: winlog.event_data.SubjectDomainName
+  SubjectUserName: winlog.event_data.SubjectUserName
+  SubjectUserSid: winlog.event_data.SubjectUserSid
+  TargetDomainName: winlog.event_data.TargetDomainName
+  TargetFilename: file.path.text
+  TargetImage: winlog.event_data.TargetImage
+  TargetObject: winlog.event_data.TargetObject
+  TargetSid: winlog.event_data.TargetSid
+  TargetUserName: winlog.event_data.TargetUserName
+  TargetUserSid: winlog.event_data.TargetUserSid
+  QueryName: dns.question.name
+  TicketEncryptionType: winlog.event_data.TicketEncryptionType
+  TicketOptions: winlog.event_data.TicketOptions
+  User: user.name
+  WorkstationName: source.domain
+  TransmittedServices: winlog.event_data.TransmittedServices
+  AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm
+  BSSID: winlog.event_data.BSSID
+  BSSType: winlog.event_data.BSSType
+  CipherAlgorithm: winlog.event_data.CipherAlgorithm
+  ConnectionId: winlog.event_data.ConnectionId
+  ConnectionMode: winlog.event_data.ConnectionMode
+  InterfaceDescription: winlog.event_data.InterfaceDescription
+  InterfaceGuid: winlog.event_data.InterfaceGuid
+  OnexEnabled: winlog.event_data.OnexEnabled
+  PHYType: winlog.event_data.PHYType
+  ProfileName: winlog.event_data.ProfileName
+  SSID: winlog.event_data.SSID
+  QueryResults: dns.answers
+  OriginalFileName: winlog.event_data.OriginalFileName
+  Domain: winlog.event_data.Domain
+  ServiceType: winlog.event_data.ServiceType
+  SourceName: winlog.event_data.SourceName
+  StartType: winlog.event_data.StartType
+  UserID: winlog.event_data.UserID
+  Initiated: winlog.event_data.Initiated
+  NewUACList: winlog.event_data.NewUACList
+  UserAccountControl: winlog.event_data.UserAccountControl
+  NewUacValue: winlog.event_data.NewUacValue
+  OldUacValue: winlog.event_data.OldUacValue
+  AccountExpires: winlog.event_data.AccountExpires
+  DisplayName: winlog.event_data.DisplayName
+  DnsHostName: winlog.event_data.DnsHostName
+  HomeDirectory: winlog.event_data.HomeDirectory
+  HomePath: winlog.event_data.HomePath
+  LogonHours: winlog.event_data.LogonHours
+  PasswordLastSet: winlog.event_data.PasswordLastSet
+  PrimaryGroupId: winlog.event_data.PrimaryGroupId
+  PrivilegeList: winlog.event_data.PrivilegeList
+  ProfilePath: winlog.event_data.ProfilePath
+  SamAccountName: winlog.event_data.SamAccountName
+  ScriptPath: winlog.event_data.ScriptPath
+  ServicePrincipalNames: winlog.event_data.ServicePrincipalNames
+  SidHistory: winlog.event_data.SidHistory
+  UserParameters: winlog.event_data.UserParameters
+  UserPrincipalName: winlog.event_data.UserPrincipalName
+  UserWorkstations: winlog.event_data.UserWorkstations
+  RelativeTargetName: winlog.event_data.RelativeTargetName
+  NotificationPackageName: winlog.event_data.NotificationPackageName
+  SecurityPackageName: winlog.event_data.SecurityPackageName
+  HostApplication: process.command_line.text
+  TaskName: winlog.event_data.TaskName
+  TaskContent: winlog.event_data.TaskContent
+  ObjectServer: winlog.event_data.ObjectServer
+  NewSd: winlog.event_data.NewSd
+  OldSd: winlog.event_data.OldSd
+  TestSigning: winlog.event_data.TestSigning
+  AdvancedOptions: winlog.event_data.AdvancedOptions
+  ConfigAccessPolicy: winlog.event_data.ConfigAccessPolicy
+  DisableIntegrityChecks: winlog.event_data.DisableIntegrityChecks
+  FlightSigning: winlog.event_data.FlightSigning
+  HypervisorDebug: winlog.event_data.HypervisorDebug
+  HypervisorLaunchType: winlog.event_data.HypervisorLaunchType
+  HypervisorLoadOptions: winlog.event_data.HypervisorLoadOptions
+  KernelDebug: winlog.event_data.KernelDebug
+  LoadOptions: winlog.event_data.LoadOptions
+  RemoteEventLogging: winlog.event_data.RemoteEventLogging
+  ExceptionCode: winlog.event_data.ExceptionCode
+  CertSerialNumber: winlog.event_data.CertSerialNumber
+  CertThumbprint: winlog.event_data.CertThumbprint
+  CertIssuerName: winlog.event_data.CertIssuerName
+  TicketOptionsDescription: winlog.event_data.TicketOptionsDescription
+  keywords: winlog.keywords
+  StartAddress: winlog.event_data.StartAddress
+  ServiceSid: winlog.event_data.ServiceSid
+  TargetInfo: winlog.event_data.TargetInfo
+  ClientProcessId: winlog.event_data.ClientProcessId
+  ParentProcessId: winlog.event_data.ParentProcessId
+  AccessList: winlog.event_data.AccessList
+  GroupMembership: winlog.event_data.GroupMembership
+  FilterName: winlog.event_data.FilterName
+  ChangeType: winlog.event_data.ChangeType
+  LayerName: winlog.event_data.LayerName
+  ProcessId: winlog.event_data.ProcessId
+  ProcessID: winlog.event_data.ProcessID
+  SubjectLogonId: winlog.event_data.SubjectLogonId
+  ElevatedToken: winlog.event_data.ElevatedToken
+  PublishURLs: winlog.event_data.PublishURLs
+  VMUserAuthenticationEvent: horizon.user_authentication_event
+  VMUserAuthenticationUser: horizon.user_authentication_user
+  VMUserAuthenticationSourceIp: horizon.user_authentication_source_ip
+  VMUserAuthenticationTimeStamp: horizon.user_authentication_time_stamp
+  VMDesktopSessionStartEvent: horizon.desktop_session_start_event
+  VMDesktopSessionStartUser: horizon.desktop_session_start_user
+  VMDesktopSessionStartDesktopID: horizon.desktop_session_start_desktop_id
+  VMDesktopSessionStartTimeStamp: horizon.desktop_session_time_stamp
+  VMApplicationLaunchEvent: horizon.application_launch_event
+  VMApplicationLaunchUser: horizon.application_launch_user
+  VMApplicationLaunchAppId: horizon.application_launch_app_id
+  VMApplicationLaunchAppName: horizon.application_launch_app_name
+  VMApplicationLaunchTimeStamp: horizon.application_launch_time_stamp
+  VMConnectionServerStatusEvent: horizon.connection_server_status_event
+  VMConnectionServerStatusServer: horizon.connection_server_status_server
+  VMConnectionServerStatus: horizon.connection_Server_status
+  VMConnectionServerStatusTimeStamp: horizon.connection_server_status_time_stamp
+  VMVirtualDesktopPoolManagmentEvent: horizon.virtual_desktop_pool_managment_event
+  VMVirtualDesktopPoolManagmentPoolId: horizon.virtual_desktop_pool_managment_pool_id
+  VMVirtualDesktopPoolManagmentPoolName: horizon.virtual_desktop_pool_managment_pool_name
+  VMVirtualDesktopPoolManagmentTimeStamp: horizon.virtual_desktop_pool_managment_time_stamp
+  VMLoadBalancingEvent: horizon.load_balancing_event
+  VMLoadBalancingStatus: horizon.load_balancing_status
+  VMLoadBalancingAlgorithm: horizon.load_balancing_algorithm
+  VMLoadBalancingTimeStamp: horizon.load_balancing_time_stamp
+  VMBlastProtocolEvent: horizon.blast_protocol_event
+  VMBlastProtocolUser: horizon.blast_protocol_user
+  VMBlastProtocolProtocolVersion: horizon.blast_protocol_protocol_version
+  VMBlastProtocolTimeStamp: horizon.blast_protocol_time_stamp
+  VMSecurityEventName: horizon.security_event_name
+  VMSecurityEventUser: horizon.security_event_user
+  VMSecurityEventAlertType: horizon.security_event_alert_type
+  VMSecurityEventSourceIp: horizon.security_event_source_ip
+  VMSecurityEventTimeStamp: horizon.security_event_time_stamp
+  VMLicensingInformationEvent: horizon.licensing_information_event
+  VMLicensingInformationLicenseType: horizon.licensing_information_license_type
+  VMLicensingInformationExpiryDate: horizon.licensing_information_expiry_date
+  VMLicensingInformationTimeStamp: horizon.licensing_information_time_stamp
+  VMConnectionBrokeringEvent: horizon.connection_brokering_event
+  VMConnectionBrokeringUser: horizon.connection_brokering_user
+  VMConnectionBrokeringDesktopId: horizon.connection_brokering_desktop_id
+  VMConnectionBrokeringStatus: horizon.connection_brokering_status
+  VMConnectionBrokeringTimeStamp: horizon.connection_brokering_time_stamp
+  DatastoreName: vsphere.datastore_name
+  FilesystemType: vsphere.datastore_fstype
+  DatastoreBytes: vsphere.datastore_capacity_free_bytes
+  DatastoreBytesUsed: vsphere.datastore_capacity_used_pct
+  HostName: vsphere.host_name
+  UsedCPUmhz: vsphere.host_cpu_free_mhz
+  UsedMemoryBites: vsphere.host_memory_total_bytes
+  FreeMemoryBites: vsphere.host_memory_free_bytes
+  VMHostID: vsphere.virtualmachine_host_id
+  VMHostName:
+  - vsphere.virtualmachine_host_hostname
+  - esxi.vmhost_name
+  VMName:
+  - vsphere.virtualmachine_name
+  - esxi.vmname
+  VMOperatingSystem: vsphere.virtualmachine_os
+  VMUsedCPU: vsphere.virtualmachine_cpu_used_mhz
+  VMTotalCPU: vsphere.virtualmachine_cpu_free_mhz
+  VMMemoryGuestUsed: vsphere.virtualmachine_memory_used_guest_bytes
+  VMUMemoryHostUsed: vsphere.virtualmachine_memory_used_host_bytes
+  VMTotalMemoryGuestBytes: vsphere.virtualmachine_memory_total_guest_bytes
+  VMMemoryGuestFree: vsphere.virtualmachine_memory_free_guest_bytes
+  VMCustomFields: vsphere.virtualmachine_custom_fields
+  VMNetworkNames: vsphere.virtualmachine_network_names
+  VMLogicalSwitchingEvent: nsxv.vmlogical_switching_event
+  VMLogicalSwitchingEventID: nsxv.vmlogical_switching_event_id
+  VMLogicalSwitchingName: nsxv.vmlogical_switching_name
+  VMDistributedFirewallEvent: nsxv.distributed_firewall_event_type
+  VMDistributedFirewallRuleID: nsxv.distributed_firewall_rule_id
+  VMDistributedFirewallAction: nsxv.distributed_firewall_action
+  VMDistributedFirewallSourceIp: nsxv.distributed_firewall_source_ip
+  VMDistributedFirewallDestinationIp: nsxv.distributed_firewall_destination_ip
+  VMSecurityGroupEventType: nsxv.security_group_event_type
+  VMSecurityGroupId: nsxv.security_group_id
+  VMSecurityGroupName: nsxv.security_group_name
+  VMEdgeServicesGatewayEventType: nsxv.security_edge_services_gateway_event_type
+  VMEdgeServicesGatewayESGID: nsxv.security_edge_services_gateway_esgid
+  VMEdgeServicesGatewayStatus: nsxv.security_edge_services_gateway_status
+  VMLoadBalancingEventType: nsxv.load_balancing_event_type
+  VMLoadBalancingId: nsxv.load_balancing_id
+  VMLoadBalancingVirtualServer: nsxv.load_balancing_virtual_server
+  VMNSXManagerEventType: nsxv.nsx_manager_event_type
+  VMNSXManagerEventDescription: nsxv.nsx_manager_event_description
+  VMEdgeFirewallEventType: nsxv.edge_firewall_event_type
+  VMEdgeFirewallSourceIP: nsxv.edge_firewall_source_ip
+  VMEdgeFirewallDestinationIP: nsxv.edge_firewall_destination_ip
+  VMEdgeFirewallRuleID: nsxv.edge_firewall_rule_id
+  VMSSLVPNEventType: nsxv.ssl_vpn_event_type
+  VMSSLVPNUserName: nsxv.ssl_vpn_user_name
+  VMSSLVPNSourceIp: nsxv.ssl_vpn_source_ip
+  VMNSXControllerEventType: nsxv.nsx_controller_event_type
+  VMNSXControllerID: nsxv.nsx_controller_id
+  VMNSXControllerStatus: nsxv.nsx_controller_status
+  VMLogicalRoutingEventType: nsxv.logical_routing_event_type
+  VMLogicalRoutingRouterID: nsxv.logical_routing_router_id
+  VMLogicalRoutingRouterName: nsxv.logical_routing_router_name