From 9fb67bd7f9655becee5c386bafa3ab9c5607b62c Mon Sep 17 00:00:00 2001 From: Viktor Hrebeniuk <76157115+saltar-ua@users.noreply.github.com> Date: Fri, 17 May 2024 17:54:36 +0300 Subject: [PATCH 1/3] Palo Alto Cortex XSIAM: Add support array of default logsources --- .../platforms/palo_alto_cortex/webserver.yml | 14 ++++++++++++++ .../app/translator/platforms/palo_alto/mapping.py | 13 +++++++++++-- .../platforms/palo_alto/renders/cortex_xsiam.py | 12 +----------- 3 files changed, 26 insertions(+), 13 deletions(-) create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml new file mode 100644 index 00000000..c845789b --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml @@ -0,0 +1,14 @@ +platform: Palo Alto XSIAM +source: webserver + +default_log_source: + dataset: [apache_tomcat_raw, nginx_nginx_raw, apache_tomcat_raw] + +field_mapping: + c-uri: xdm.network.http.url + c-useragent: xdm.source.user_agent + cs-method: xdm.network.http.method + cs-bytes: xdm.target.sent_bytes + c-uri-query: xdm.network.http.url + cs-referrer: xdm.network.http.referrer + sc-status: xdm.network.http.response_code diff --git a/uncoder-core/app/translator/platforms/palo_alto/mapping.py b/uncoder-core/app/translator/platforms/palo_alto/mapping.py index bc3ab39c..832e5428 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/mapping.py +++ b/uncoder-core/app/translator/platforms/palo_alto/mapping.py @@ -1,4 +1,4 @@ -from typing import Optional +from typing import Optional, Union from app.translator.core.mapping import ( DEFAULT_MAPPING_NAME, 
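Review bot: The new `default_log_source.dataset` list repeats `apache_tomcat_raw`, so the prefix this mapping renders will be `dataset in (apache_tomcat_raw, nginx_nginx_raw, apache_tomcat_raw)`; drop the duplicate here (or dedupe in the renderer) so the emitted query does not advertise the copy-paste. Two Sigma fields, `c-uri` and `c-uri-query`, both map to `xdm.network.http.url`, which means a rule that conditions only on the query string is evaluated against the whole URL — a `startswith`/`endswith` on the query alone can silently stop matching; if XDM has a distinct query-string field it should be used, otherwise a `# c-uri-query collapsed onto the full URL: no separate query field in XDM` comment would keep the next editor from "fixing" it blindly. `cs-bytes` (client-to-server bytes in the Sigma webserver taxonomy) mapping to `xdm.target.sent_bytes` also reads as inverted to me, but I cannot confirm XDM's direction semantics from here, so treat that as a question rather than a defect.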
@@ -18,8 +18,17 @@ def __init__(self, preset: Optional[list[str]], dataset: Optional[list[str]], de def is_suitable(self, preset: str, dataset: str) -> bool: return preset == self.preset or dataset == self.dataset + def __prepare_log_source_for_render(self, logsource: Union[str, list[str]], model: str = "datamodel") -> str: + if isinstance(logsource, list): + return f"{model} in ({', '.join([source for source in logsource])})" + return f"{model} = {logsource}" + def __str__(self) -> str: - return self._default_source.get("preset") or self._default_source.get("dataset") + if preset_data := self._default_source.get("preset"): + return self.__prepare_log_source_for_render(logsource=preset_data, model="preset") + if dataset_data := self._default_source.get("dataset"): + return self.__prepare_log_source_for_render(logsource=dataset_data, model="preset") + return "datamodel" class CortexXSIAMMappings(BasePlatformMappings): diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py index 5f6c95c6..1147e256 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py +++ b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py @@ -118,14 +118,4 @@ class CortexXQLQueryRender(PlatformQueryRender): is_single_line_comment = False def generate_prefix(self, log_source_signature: CortexXSIAMLogSourceSignature) -> str: - preset = ( - f"preset = {log_source_signature._default_source.get('preset')}" - if log_source_signature._default_source.get("preset") - else None - ) - dataset = ( - f"dataset = {log_source_signature._default_source.get('dataset')}" - if log_source_signature._default_source.get("dataset") - else None - ) - return preset or dataset or "datamodel" + return str(log_source_signature) From 99547096b4e66598179c61d3c0860f874d9b727d Mon Sep 17 00:00:00 2001 
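Review bot: `__prepare_log_source_for_render` interpolates every mapping value straight into the XQL clause (`f"{model} in ({', '.join(...)})"` and `f"{model} = {logsource}"`) without checking that each entry is a bare identifier, so a stray quote, space, parenthesis or comment sequence in a YAML entry lands verbatim in the generated query. The mapping files are repo-controlled, so this is a robustness rather than an injection concern, but a single guard keeps a malformed mapping from producing a syntactically broken or wider-than-intended prefix: `sources = logsource if isinstance(logsource, list) else [logsource]` / `if not all(isinstance(s, str) and re.fullmatch(r"[A-Za-z0-9_.]+", s) for s in sources): raise ValueError(f"invalid log source name in mapping: {sources!r}")`. I can confirm `dataset in (...)` is valid XQL, but I have not verified that `preset` accepts the same `in (...)` form, which the `model="preset"` branch now emits for a list — worth a check against a tenant before a preset mapping grows a second entry. The `is_suitable` method shown as context still compares the incoming `dataset: str` against `self.dataset` with `==`; whether that attribute is now the list is outside this hunk, but if it is, dataset-based matching will never succeed.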
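Review bot: `generate_prefix` now returns `str(log_source_signature)`, which moves the choice between `preset =`, `dataset =` and the `datamodel` fallback into `CortexXSIAMLogSourceSignature.__str__`, but neither side documents that `__str__` is expected to yield a complete XQL source clause rather than a display name. A docstring on the method would make the contract explicit: `"""Return the XQL source clause (``preset = …``, ``dataset in (…)`` or ``datamodel``) rendered by the signature's ``__str__``."""`. Anything else that stringifies a signature for logging or error messages would presumably now get the clause instead of the bare name — I cannot see such callers from here, so a quick grep for `str(` / f-string uses of the signature is worthwhile.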
From: Viktor Hrebeniuk <76157115+saltar-ua@users.noreply.github.com> Date: Fri, 17 May 2024 17:56:05 +0300 Subject: [PATCH 2/3] Palo Alto Cortex XSIAM: Add support array of default logsources --- .../app/translator/platforms/palo_alto/escape_manager.py | 7 ++++--- uncoder-core/app/translator/platforms/palo_alto/mapping.py | 2 +- .../translator/platforms/palo_alto/renders/cortex_xsiam.py | 4 +--- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/uncoder-core/app/translator/platforms/palo_alto/escape_manager.py b/uncoder-core/app/translator/platforms/palo_alto/escape_manager.py index 5ea90f40..eba294b5 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/escape_manager.py +++ b/uncoder-core/app/translator/platforms/palo_alto/escape_manager.py @@ -7,9 +7,10 @@ class XQLEscapeManager(EscapeManager): escape_map: ClassVar[dict[str, list[EscapeDetails]]] = { - ValueType.regex_value: [EscapeDetails(pattern=r'([_!@#$%^&*=+()\[\]{}|;:\'",.<>?/`~\-\s\\])', escape_symbols=r"\\\1")], - ValueType.value: [EscapeDetails(pattern=r'([\\])', escape_symbols=r"\\\1")], - + ValueType.regex_value: [ + EscapeDetails(pattern=r'([_!@#$%^&*=+()\[\]{}|;:\'",.<>?/`~\-\s\\])', escape_symbols=r"\\\1") + ], + ValueType.value: [EscapeDetails(pattern=r"([\\])", escape_symbols=r"\\\1")], } diff --git a/uncoder-core/app/translator/platforms/palo_alto/mapping.py b/uncoder-core/app/translator/platforms/palo_alto/mapping.py index 832e5428..393b15f5 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/mapping.py +++ b/uncoder-core/app/translator/platforms/palo_alto/mapping.py 
@@ -20,7 +20,7 @@ def is_suitable(self, preset: str, dataset: str) -> bool: def __prepare_log_source_for_render(self, logsource: Union[str, list[str]], model: str = "datamodel") -> str: if isinstance(logsource, list): - return f"{model} in ({', '.join([source for source in logsource])})" + return f"{model} in ({', '.join(source for source in logsource)})" return f"{model} = {logsource}" def __str__(self) -> str: diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py index 1147e256..37c96f3b 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py +++ b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py @@ -69,9 +69,7 @@ def contains_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: if isinstance(value, list): - return ( - f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})" - ) + return f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})" return f'{field} ~= ".*{self.apply_value(value, value_type=ValueType.regex_value)}"' def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: From 17ea72ddd9a27a6503ebdd2cc3a86da9a3980009 Mon Sep 17 00:00:00 2001 From: Viktor Hrebeniuk <76157115+saltar-ua@users.noreply.github.com> Date: Mon, 20 May 2024 13:11:14 +0300 Subject: [PATCH 3/3] Fix bug --- uncoder-core/app/translator/platforms/palo_alto/mapping.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/uncoder-core/app/translator/platforms/palo_alto/mapping.py b/uncoder-core/app/translator/platforms/palo_alto/mapping.py index 393b15f5..a4fd9c64 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/mapping.py +++ b/uncoder-core/app/translator/platforms/palo_alto/mapping.py 
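Review bot: `', '.join(source for source in logsource)` is an identity generator — `', '.join(logsource)` does the same thing — and if the intent is to tolerate YAML scalars that parse as non-strings (an unquoted numeric dataset name), `', '.join(map(str, logsource))` avoids the `TypeError` that `join` raises on an `int`. A one-element list currently renders as `dataset in (name)`; I believe XQL accepts that, but collapsing `len(logsource) == 1` to the `f"{model} = {logsource[0]}"` form would sidestep the question entirely and keep single-source mappings byte-identical to what they rendered before this series. The `__str__` body that calls this helper continues below the hunk.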
@@ -27,7 +27,7 @@ def __str__(self) -> str: if preset_data := self._default_source.get("preset"): return self.__prepare_log_source_for_render(logsource=preset_data, model="preset") if dataset_data := self._default_source.get("dataset"): - return self.__prepare_log_source_for_render(logsource=dataset_data, model="preset") + return self.__prepare_log_source_for_render(logsource=dataset_data, model="dataset") return "datamodel"
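Review bot: The bug this commit fixes came from the lookup key (`"dataset"`) and the `model=` keyword being spelled separately, which let them drift; iterating over the two names ties them together so the same slip cannot recur: `for model in ("preset", "dataset"):` / `    if value := self._default_source.get(model):` / `        return self.__prepare_log_source_for_render(logsource=value, model=model)` followed by the existing `return "datamodel"`. A regression test asserting that `str(signature).startswith("dataset")` for a dataset-only mapping would have caught the original and is cheap to add — I cannot see the test tree from here to tell whether one exists. Note that when a mapping sets both keys the preset silently wins and the dataset list is ignored; that was already the behaviour before this series, but a one-line comment saying so would save the next reader a trip through the code. The `def __str__` line itself sits just above the hunk.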