UncoderIO · nazargesyk · Jul 25, 2024 · Jul 24, 2024
diff --git a/uncoder-core/app/translator/core/custom_types/predefined_fields.py b/uncoder-core/app/translator/core/custom_types/predefined_fields.py
@@ -10,3 +10,7 @@ class IPLocationType(CustomEnum):
     lat_lon = "ip_loc_lat_lon"
     region = "ip_loc_region"
     timezone = "ip_loc_timezone"
+
+
+class TimeType(CustomEnum):
+    timestamp = "timestamp"
diff --git a/uncoder-core/app/translator/core/functions.py b/uncoder-core/app/translator/core/functions.py
@@ -26,7 +26,7 @@
 from app.translator.core.exceptions.functions import NotSupportedFunctionException
 from app.translator.core.mapping import SourceMapping
 from app.translator.core.models.functions.base import Function, ParsedFunctions, RenderedFunctions
-from app.translator.core.models.query_tokens.field import Alias, Field
+from app.translator.core.models.query_tokens.field import Alias, Field, PredefinedField
 from app.translator.tools.utils import execute_module
 from settings import INIT_FUNCTIONS
 
@@ -103,6 +103,9 @@ def map_field(self, field: Union[Alias, Field], source_mapping: SourceMapping) -
             mapped_fields = mappings.map_field(field, source_mapping)
             return mapped_fields[0]
 
+        if isinstance(field, PredefinedField):
+            return self.manager.platform_functions.platform_query_render.map_predefined_field(field)
+
         raise NotSupportedFunctionException
 
 

diff --git a/uncoder-core/app/translator/core/mapping.py b/uncoder-core/app/translator/core/mapping.py
@@ -70,7 +70,7 @@ def update(self, fields_mapping: FieldsMapping) -> None:
         self.__render_mapping.update(fields_mapping.__render_mapping)
 
     def is_suitable(self, field_names: list[str]) -> bool:
-        return set(field_names).issubset(set(self.__parser_mapping.keys()))
+        return bool(field_names) and set(field_names).issubset(set(self.__parser_mapping.keys()))
 
 
 _LogSourceSignatureType = TypeVar("_LogSourceSignatureType", bound=LogSourceSignature)

diff --git a/uncoder-core/app/translator/core/models/functions/group_by.py b/uncoder-core/app/translator/core/models/functions/group_by.py
@@ -3,12 +3,12 @@
 
 from app.translator.core.custom_types.functions import FunctionType
 from app.translator.core.models.functions.base import Function
-from app.translator.core.models.query_tokens.field import Alias
+from app.translator.core.models.query_tokens.field import Alias, PredefinedField
 
 
 @dataclass
 class GroupByFunction(Function):
     name: str = FunctionType.stats
     args: list[Function] = field(default_factory=list)
-    by_clauses: list[Union[Alias, Field]] = field(default_factory=list)
+    by_clauses: list[Union[Alias, Field, PredefinedField]] = field(default_factory=list)
     filter_: Function = None
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -97,8 +97,10 @@ field_mapping:
   FileName: 
     - Filename
     - File Name
+    - Encoded Filename
   RegistryKey: 
     - Registry Key
     - Target Object
   RegistryValue: RegistryValue
   ProcessPath: Process Path
+  hasIdentity: hasIdentity
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
@@ -191,4 +191,3 @@ field_mapping:
   UserID: UserID
   ParentProcessName: Parent Process Name
   Service: Service
-  hasIdentity: hasIdentity
diff --git a/uncoder-core/app/translator/platforms/base/aql/mapping.py b/uncoder-core/app/translator/platforms/base/aql/mapping.py
@@ -31,11 +31,12 @@ def is_suitable(
         qid_event_category_match = (
             set(qideventcategory).issubset(self.qid_event_categories) if qideventcategory else None
         )
-        return all(
+        all_conditions = [
             condition
             for condition in (device_type_match, category_match, qid_match, qid_event_category_match)
             if condition is not None
-        )
+        ]
+        return bool(all_conditions) and all(all_conditions)
 
     def __str__(self) -> str:
         return self._default_source.get("table", "events")

diff --git a/uncoder-core/app/translator/platforms/palo_alto/const.py b/uncoder-core/app/translator/platforms/palo_alto/const.py
@@ -1,4 +1,4 @@
-from app.translator.core.custom_types.predefined_fields import IPLocationType
+from app.translator.core.custom_types.predefined_fields import IPLocationType, TimeType
 from app.translator.core.models.platform_details import PlatformDetails
 
 PLATFORM_DETAILS = {"group_id": "cortex", "group_name": "Palo Alto Cortex XSIAM"}
@@ -22,4 +22,5 @@
     IPLocationType.lat_lon: "loc_latlon",
     IPLocationType.region: "loc_region",
     IPLocationType.timezone: "loc_timezone",
+    TimeType.timestamp: "_time",
 }
diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
@@ -69,10 +69,7 @@ def _wrap_str_value(value: str) -> str:
 
     def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
-            values = ", ".join(
-                f"{self._pre_process_value(field, str(v) if isinstance(v, int) else v, ValueType.value, True)}"
-                for v in value
-            )
+            values = ", ".join(f"{self._pre_process_value(field, v, ValueType.value, True)}" for v in value)
             return f"{field} in ({values})"
 
         return f"{field} = {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}"