Merge pull request #194 from UncoderIO/gis-8678

cortex xdr render

Author: alexvolha

uncoder-core/app/translator/core/exceptions/core.py

@@ -17,6 +17,12 @@ def __init__(self, platform_name: str, fields: list[str], mapping: Optional[str]
         super().__init__(message)
 
 
+class UnsupportedMappingsException(BasePlatformException):
+    def __init__(self, platform_name: str, mappings: list[str]):
+        message = f"Platform {platform_name} does not support these mappings: {mappings}."
+        super().__init__(message)
+
+
 class StrictPlatformFieldException(BasePlatformException):
     def __init__(self, platform_name: str, field_name: str):
         message = f"Source field `{field_name}` has no mapping for platform {platform_name}."

uncoder-core/app/translator/core/mapping.py

@@ -3,7 +3,7 @@
 from abc import ABC, abstractmethod
 from typing import TYPE_CHECKING, Optional, TypeVar, Union
 
-from app.translator.core.exceptions.core import StrictPlatformException
+from app.translator.core.exceptions.core import StrictPlatformException, UnsupportedMappingsException
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.mappings.utils.load_from_files import LoaderFileMappings
 
@@ -116,7 +116,7 @@ def prepare_mapping(self) -> dict[str, SourceMapping]:
         default_mapping = SourceMapping(source_id=DEFAULT_MAPPING_NAME)
         for mapping_dict in self._loader.load_platform_mappings(self._platform_dir):
             log_source_signature = self.prepare_log_source_signature(mapping=mapping_dict)
-            if (source_id := mapping_dict.get("source")) == DEFAULT_MAPPING_NAME:
+            if (source_id := mapping_dict["source"]) == DEFAULT_MAPPING_NAME:
                 default_mapping.log_source_signature = log_source_signature
                 if self.skip_load_default_mappings:
                     continue
@@ -152,7 +152,7 @@ def prepare_fields_mapping(field_mapping: dict) -> FieldsMapping:
     def prepare_log_source_signature(self, mapping: dict) -> LogSourceSignature:
         raise NotImplementedError("Abstract method")
 
-    def get_suitable_source_mappings(
+    def get_source_mappings_by_fields_and_log_sources(
         self, field_names: list[str], log_sources: dict[str, list[Union[int, str]]]
     ) -> list[SourceMapping]:
         by_log_sources_and_fields = []
@@ -170,6 +170,17 @@ def get_suitable_source_mappings(
 
         return by_log_sources_and_fields or by_fields or [self._source_mappings[DEFAULT_MAPPING_NAME]]
 
+    def get_source_mappings_by_ids(self, source_mapping_ids: list[str]) -> list[SourceMapping]:
+        source_mappings = []
+        for source_mapping_id in source_mapping_ids:
+            if source_mapping := self.get_source_mapping(source_mapping_id):
+                source_mappings.append(source_mapping)
+
+        if not source_mappings:
+            source_mappings = [self.get_source_mapping(DEFAULT_MAPPING_NAME)]
+
+        return source_mappings
+
     def get_source_mapping(self, source_id: str) -> Optional[SourceMapping]:
         return self._source_mappings.get(source_id)
 
@@ -218,3 +229,18 @@ def prepare_mapping(self) -> dict[str, SourceMapping]:
             )
 
         return source_mappings
+
+
+class BaseStrictLogSourcesPlatformMappings(ABC, BasePlatformMappings):
+    def get_source_mappings_by_ids(self, source_mapping_ids: list[str]) -> list[SourceMapping]:
+        source_mappings = []
+        for source_mapping_id in source_mapping_ids:
+            if source_mapping_id == DEFAULT_MAPPING_NAME:
+                continue
+            if source_mapping := self.get_source_mapping(source_mapping_id):
+                source_mappings.append(source_mapping)
+
+        if not source_mappings:
+            raise UnsupportedMappingsException(platform_name=self.details.name, mappings=source_mapping_ids)
+
+        return source_mappings

uncoder-core/app/translator/core/parser.py

@@ -80,6 +80,8 @@ def get_source_mappings(
         self, field_tokens: list[Field], log_sources: dict[str, list[Union[int, str]]]
     ) -> list[SourceMapping]:
         field_names = [field.source_name for field in field_tokens]
-        source_mappings = self.mappings.get_suitable_source_mappings(field_names=field_names, log_sources=log_sources)
+        source_mappings = self.mappings.get_source_mappings_by_fields_and_log_sources(
+            field_names=field_names, log_sources=log_sources
+        )
         self.tokenizer.set_field_tokens_generic_names_map(field_tokens, source_mappings, self.mappings.default_mapping)
         return source_mappings

uncoder-core/app/translator/core/render.py

@@ -31,7 +31,7 @@
 from app.translator.core.exceptions.parser import UnsupportedOperatorException
 from app.translator.core.exceptions.render import UnsupportedRenderMethod
 from app.translator.core.functions import PlatformFunctions
-from app.translator.core.mapping import DEFAULT_MAPPING_NAME, BasePlatformMappings, LogSourceSignature, SourceMapping
+from app.translator.core.mapping import BasePlatformMappings, LogSourceSignature, SourceMapping
 from app.translator.core.models.functions.base import Function, RenderedFunctions
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.models.query_container import MetaInfoContainer, RawQueryContainer, TokenizedQueryContainer
@@ -384,17 +384,6 @@ def finalize(self, queries_map: dict[str, str]) -> str:
 
         return result
 
-    def _get_source_mappings(self, source_mapping_ids: list[str]) -> Optional[list[SourceMapping]]:
-        source_mappings = []
-        for source_mapping_id in source_mapping_ids:
-            if source_mapping := self.mappings.get_source_mapping(source_mapping_id):
-                source_mappings.append(source_mapping)
-
-        if not source_mappings:
-            source_mappings = [self.mappings.get_source_mapping(DEFAULT_MAPPING_NAME)]
-
-        return source_mappings
-
     def generate_from_raw_query_container(self, query_container: RawQueryContainer) -> str:
         return self.finalize_query(
             prefix="", query=query_container.query, functions="", meta_info=query_container.meta_info
@@ -464,7 +453,7 @@ def _generate_from_tokenized_query_container_by_source_mapping(
     def generate_from_tokenized_query_container(self, query_container: TokenizedQueryContainer) -> str:
         queries_map = {}
         errors = []
-        source_mappings = self._get_source_mappings(query_container.meta_info.source_mapping_ids)
+        source_mappings = self.mappings.get_source_mappings_by_ids(query_container.meta_info.source_mapping_ids)
 
         for source_mapping in source_mappings:
             try:

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/default.yml

@@ -0,0 +1,6 @@
+platform: Palo Alto Cortex XDR
+source: default
+
+
+default_log_source:
+  datamodel: datamodel

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_file_event.yml renamed to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_file_event.yml

@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: linux_file_event
 
 log_source:

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml renamed to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_process_creation.yml

@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: linux_process_creation
 
 log_source:

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_file_event.yml renamed to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_file_event.yml

@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: macos_file_event
 
 log_source:

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_process_creation.yml renamed to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_process_creation.yml

@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: macos_process_creation
 
 log_source:

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_file_event.yml renamed to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_file_event.yml

@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XDR
 source: windows_file_event
 
 log_source: