From 4b08d370c75cbbd6a2df7d4f0a0655633e4dab4c Mon Sep 17 00:00:00 2001 
From: Oleksandr Volha Date: Tue, 17 Sep 2024 08:45:15 +0300 Subject: [PATCH 1/3] cortex xdr render --- .../app/translator/core/exceptions/core.py | 6 + uncoder-core/app/translator/core/mapping.py | 32 ++- uncoder-core/app/translator/core/parser.py | 4 +- uncoder-core/app/translator/core/render.py | 17 +- .../palo_alto_cortex_xdr/default.yml | 6 + .../linux_file_event.yml | 2 +- .../linux_process_creation.yml | 2 +- .../macos_file_event.yml | 2 +- .../macos_process_creation.yml | 2 +- .../windows_file_event.yml | 2 +- .../windows_process_creation.yml | 2 +- .../windows_registry_event.yml | 2 +- .../apache_httpd.yml | 2 +- .../apache_tomcat.yml | 2 +- .../aws_cloudtrail.yml | 2 +- .../aws_eks.yml | 2 +- .../azure_aadnoninteractiveusersigninlogs.yml | 2 +- .../azure_azureactivity.yml | 2 +- .../azure_azuread.yml | 2 +- .../azure_m365.yml | 2 +- .../azure_signinlogs.yml | 2 +- .../default.yml | 2 +- .../dns.yml | 2 +- .../firewall.yml | 2 +- .../linux_file_event.yml | 29 +++ .../linux_network_connection.yml | 2 +- .../linux_process_creation.yml | 30 +++ .../macos_file_event.yml | 29 +++ .../macos_network_connection.yml | 2 +- .../macos_process_creation.yml | 29 +++ .../nginx_nginx.yml | 2 +- .../okta_okta.yml | 2 +- .../proxy.yml | 2 +- .../slack_slack_raw.yml | 2 +- .../webserver.yml | 2 +- .../windows_application.yml | 2 +- .../windows_file_event.yml | 29 +++ .../windows_image_load.yml | 2 +- .../windows_network_connection.yml | 2 +- .../windows_pipe_created.yml | 2 +- .../windows_powershell.yml | 2 +- .../windows_process_access.yml | 2 +- .../windows_process_creation.yml | 30 +++ .../windows_process_termination.yml | 2 +- .../windows_registry_event.yml | 32 +++ .../windows_security.yml | 2 +- .../windows_sysmon.yml | 2 +- .../windows_system.yml | 2 +- .../platforms/elasticsearch/renders/esql.py | 7 +- .../platforms/palo_alto/__init__.py | 3 +- .../translator/platforms/palo_alto/const.py | 16 +- .../translator/platforms/palo_alto/mapping.py | 46 ++-- 
.../platforms/palo_alto/renders/base.py | 205 ++++++++++++++++++ .../platforms/palo_alto/renders/cortex_xdr.py | 41 ++++ .../palo_alto/renders/cortex_xsiam.py | 201 +---------------- .../app/translator/platforms/sigma/mapping.py | 2 +- .../platforms/sigma/parsers/sigma.py | 5 +- 57 files changed, 601 insertions(+), 270 deletions(-) create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/default.yml rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xdr}/linux_file_event.yml (96%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xdr}/linux_process_creation.yml (96%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xdr}/macos_file_event.yml (96%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xdr}/macos_process_creation.yml (96%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xdr}/windows_file_event.yml (96%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xdr}/windows_process_creation.yml (96%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xdr}/windows_registry_event.yml (97%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/apache_httpd.yml (91%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/apache_tomcat.yml (89%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/aws_cloudtrail.yml (97%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/aws_eks.yml (94%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/azure_aadnoninteractiveusersigninlogs.yml (91%) rename 
uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/azure_azureactivity.yml (96%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/azure_azuread.yml (96%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/azure_m365.yml (96%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/azure_signinlogs.yml (97%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/default.yml (99%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/dns.yml (92%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/firewall.yml (97%) create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_file_event.yml rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/linux_network_connection.yml (97%) create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_process_creation.yml create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_file_event.yml rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/macos_network_connection.yml (97%) create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_process_creation.yml rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/nginx_nginx.yml (91%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/okta_okta.yml (82%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/proxy.yml (95%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => 
palo_alto_cortex_xsiam}/slack_slack_raw.yml (81%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/webserver.yml (94%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/windows_application.yml (92%) create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_file_event.yml rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/windows_image_load.yml (97%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/windows_network_connection.yml (97%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/windows_pipe_created.yml (83%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/windows_powershell.yml (90%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/windows_process_access.yml (92%) create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_creation.yml rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/windows_process_termination.yml (87%) create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_registry_event.yml rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/windows_security.yml (99%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/windows_sysmon.yml (97%) rename uncoder-core/app/translator/mappings/platforms/{palo_alto_cortex => palo_alto_cortex_xsiam}/windows_system.yml (93%) create mode 100644 uncoder-core/app/translator/platforms/palo_alto/renders/base.py create mode 100644 uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xdr.py 
diff --git a/uncoder-core/app/translator/core/exceptions/core.py b/uncoder-core/app/translator/core/exceptions/core.py index e6358cce..425c1ff0 100644 --- a/uncoder-core/app/translator/core/exceptions/core.py +++ b/uncoder-core/app/translator/core/exceptions/core.py @@ -17,6 +17,12 @@ def __init__(self, platform_name: str, fields: list[str], mapping: Optional[str] super().__init__(message) +class UnsupportedMappingsException(BasePlatformException): + def __init__(self, platform_name: str, mappings: list[str]): + message = f"Platform {platform_name} does not support these mappings: {mappings}." + super().__init__(message) + + class StrictPlatformFieldException(BasePlatformException): def __init__(self, platform_name: str, field_name: str): message = f"Source field `{field_name}` has no mapping for platform {platform_name}." diff --git a/uncoder-core/app/translator/core/mapping.py b/uncoder-core/app/translator/core/mapping.py index 886cfdc3..2a06147d 100644 --- a/uncoder-core/app/translator/core/mapping.py +++ b/uncoder-core/app/translator/core/mapping.py @@ -3,7 +3,7 @@ from abc import ABC, abstractmethod from typing import TYPE_CHECKING, Optional, TypeVar, Union -from app.translator.core.exceptions.core import StrictPlatformException +from app.translator.core.exceptions.core import StrictPlatformException, UnsupportedMappingsException from app.translator.core.models.platform_details import PlatformDetails from app.translator.mappings.utils.load_from_files import LoaderFileMappings 
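Review bot: The message built in `UnsupportedMappingsException.__init__` interpolates the list object itself, so the user sees Python repr such as `['windows_security', 'proxy'].` with brackets, quotes and the period glued to the bracket. Format the ids as text instead: `message = f"Platform {platform_name} does not support these mappings: {', '.join(mappings)}."`. The neighbouring `StrictPlatformFieldException` already renders its field name as plain text, so this keeps the two messages consistent.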
@@ -116,7 +116,7 @@ def prepare_mapping(self) -> dict[str, SourceMapping]: default_mapping = SourceMapping(source_id=DEFAULT_MAPPING_NAME) for mapping_dict in self._loader.load_platform_mappings(self._platform_dir): log_source_signature = self.prepare_log_source_signature(mapping=mapping_dict) - if (source_id := mapping_dict.get("source")) == DEFAULT_MAPPING_NAME: + if (source_id := mapping_dict["source"]) == DEFAULT_MAPPING_NAME: default_mapping.log_source_signature = log_source_signature if self.skip_load_default_mappings: continue @@ -152,7 +152,7 @@ def prepare_fields_mapping(field_mapping: dict) -> FieldsMapping: def prepare_log_source_signature(self, mapping: dict) -> LogSourceSignature: raise NotImplementedError("Abstract method") - def get_suitable_source_mappings( + def get_source_mappings_by_fields_and_log_sources( self, field_names: list[str], log_sources: dict[str, list[Union[int, str]]] ) -> list[SourceMapping]: by_log_sources_and_fields = [] @@ -170,6 +170,17 @@ def get_suitable_source_mappings( return by_log_sources_and_fields or by_fields or [self._source_mappings[DEFAULT_MAPPING_NAME]] + def get_source_mappings_by_ids(self, source_mapping_ids: list[str]) -> list[SourceMapping]: + source_mappings = [] + for source_mapping_id in source_mapping_ids: + if source_mapping := self.get_source_mapping(source_mapping_id): + source_mappings.append(source_mapping) + + if not source_mappings: + source_mappings = [self.get_source_mapping(DEFAULT_MAPPING_NAME)] + + return source_mappings + def get_source_mapping(self, source_id: str) -> Optional[SourceMapping]: return self._source_mappings.get(source_id) 
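Review bot: Switching to `mapping_dict["source"]` in `prepare_mapping` means a mapping YAML with no `source` key now aborts platform loading with a bare `KeyError: 'source'` that names neither the platform nor the file. Failing fast on a malformed mapping is right, but make the failure locatable: `source_id = mapping_dict.get("source")` followed by `if source_id is None: raise ValueError(f"mapping file in {self._platform_dir} has no 'source' key")`, then compare `source_id` with `DEFAULT_MAPPING_NAME` as before. The loop body continues outside this hunk, and `self._platform_dir` is the only locator visible here (from the `load_platform_mappings(self._platform_dir)` call), so a file-level name may need the loader's help.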
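Review bot: `get_source_mappings_by_ids` discards every id that `get_source_mapping` does not know and, when nothing is left, silently substitutes the `default` mapping, so a misspelled or stale id in `source_mapping_ids` renders against the generic field map with no diagnostic. This mirrors the removed `_get_source_mappings` in `render.py`, so it is not a regression, but now that the strict subclass added in this patch raises for the same situation the lenient contract deserves a docstring: `"""Resolve mapping ids; unknown ids are ignored and the default mapping is used when none match."""`. Repeated ids also yield repeated `SourceMapping` entries and hence duplicate rendered queries; iterating `dict.fromkeys(source_mapping_ids)` would dedupe while preserving order.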
@@ -218,3 +229,18 @@ def prepare_mapping(self) -> dict[str, SourceMapping]: ) return source_mappings + + +class BaseStrictLogSourcesPlatformMappings(ABC, BasePlatformMappings): + def get_source_mappings_by_ids(self, source_mapping_ids: list[str]) -> list[SourceMapping]: + source_mappings = [] + for source_mapping_id in source_mapping_ids: + if source_mapping_id == DEFAULT_MAPPING_NAME: + continue + if source_mapping := self.get_source_mapping(source_mapping_id): + source_mappings.append(source_mapping) + + if not source_mappings: + raise UnsupportedMappingsException(platform_name=self.details.name, mappings=source_mapping_ids) + + return source_mappings diff --git a/uncoder-core/app/translator/core/parser.py b/uncoder-core/app/translator/core/parser.py index 2d8ba1cc..0ad509d1 100644 --- a/uncoder-core/app/translator/core/parser.py +++ b/uncoder-core/app/translator/core/parser.py @@ -80,6 +80,8 @@ def get_source_mappings( self, field_tokens: list[Field], log_sources: dict[str, list[Union[int, str]]] ) -> list[SourceMapping]: field_names = [field.source_name for field in field_tokens] - source_mappings = self.mappings.get_suitable_source_mappings(field_names=field_names, log_sources=log_sources) + source_mappings = self.mappings.get_source_mappings_by_fields_and_log_sources( + field_names=field_names, log_sources=log_sources + ) self.tokenizer.set_field_tokens_generic_names_map(field_tokens, source_mappings, self.mappings.default_mapping) return source_mappings diff --git a/uncoder-core/app/translator/core/render.py b/uncoder-core/app/translator/core/render.py index 8e9f8373..97709dd0 100644 --- a/uncoder-core/app/translator/core/render.py +++ b/uncoder-core/app/translator/core/render.py 
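Review bot: `BaseStrictLogSourcesPlatformMappings` has no docstring, and its difference from the base class is behavioural rather than cosmetic: `default` is skipped even when explicitly requested, and a list with no supported id raises `UnsupportedMappingsException` instead of falling back. Add a class docstring such as `"""Mappings for platforms that cannot render against the generic default field map; only explicitly supported source ids are accepted."""`. Note also that the raised message reports the full `source_mapping_ids`, including the `default` entry that was deliberately skipped, which is misleading when `default` was the only id supplied; reporting just the rejected ids, or a distinct message for the default-only case, would be clearer.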
@@ -31,7 +31,7 @@ from app.translator.core.exceptions.parser import UnsupportedOperatorException from app.translator.core.exceptions.render import UnsupportedRenderMethod from app.translator.core.functions import PlatformFunctions -from app.translator.core.mapping import DEFAULT_MAPPING_NAME, BasePlatformMappings, LogSourceSignature, SourceMapping +from app.translator.core.mapping import BasePlatformMappings, LogSourceSignature, SourceMapping from app.translator.core.models.functions.base import Function, RenderedFunctions from app.translator.core.models.platform_details import PlatformDetails from app.translator.core.models.query_container import MetaInfoContainer, RawQueryContainer, TokenizedQueryContainer @@ -90,7 +90,7 @@ def _map_bool_value(value: bool) -> str: def _pre_process_value( self, field: str, - value: Union[int, str, StrValue], + value: Union[bool, int, str, StrValue], value_type: str = ValueType.value, wrap_str: bool = False, wrap_int: bool = False, @@ -384,17 +384,6 @@ def finalize(self, queries_map: dict[str, str]) -> str: return result - def _get_source_mappings(self, source_mapping_ids: list[str]) -> Optional[list[SourceMapping]]: - source_mappings = [] - for source_mapping_id in source_mapping_ids: - if source_mapping := self.mappings.get_source_mapping(source_mapping_id): - source_mappings.append(source_mapping) - - if not source_mappings: - source_mappings = [self.mappings.get_source_mapping(DEFAULT_MAPPING_NAME)] - - return source_mappings - def generate_from_raw_query_container(self, query_container: RawQueryContainer) -> str: return self.finalize_query( prefix="", query=query_container.query, functions="", meta_info=query_container.meta_info 
@@ -464,7 +453,7 @@ def _generate_from_tokenized_query_container_by_source_mapping( def generate_from_tokenized_query_container(self, query_container: TokenizedQueryContainer) -> str: queries_map = {} errors = [] - source_mappings = self._get_source_mappings(query_container.meta_info.source_mapping_ids) + source_mappings = self.mappings.get_source_mappings_by_ids(query_container.meta_info.source_mapping_ids) for source_mapping in source_mappings: try: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/default.yml new file mode 100644 index 00000000..3bb33181 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/default.yml @@ -0,0 +1,6 @@ +platform: Palo Alto Cortex XDR +source: default + + +default_log_source: + datamodel: datamodel diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_file_event.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_file_event.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_file_event.yml index 5367f2f4..48cd3530 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_file_event.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_file_event.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: linux_file_event log_source: 
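Review bot: `generate_from_tokenized_query_container` now calls `self.mappings.get_source_mappings_by_ids(...)` before the `for source_mapping in source_mappings: try:` loop, so for platforms using the new strict mappings class the `UnsupportedMappingsException` escapes this method instead of being collected into `errors` the way per-mapping failures below presumably are. If that propagation is intended (a caller turns it into a user-facing error), a one-line comment here saves the next reader a detour through `core/mapping.py`: `# may raise UnsupportedMappingsException for strict platforms; deliberately not collected into errors`. If it is not intended, the lookup belongs inside the same error-handling path; the remainder of the method, including what becomes of `errors`, lies outside this hunk.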
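Review bot: `default_log_source: datamodel: datamodel` in the new XDR `default.yml` repeats the key as its value, which reads like a placeholder rather than a real XQL dataset or datamodel selector; the XSIAM mappings added in the same patch use concrete presets such as `xdr_process` and `xdr_file`. If the XDR render genuinely emits a bare datamodel stage when no specific mapping matches, state that in a YAML comment so nobody later "corrects" it: `# intentional: the XDR render emits a plain datamodel stage for the default mapping`. Also collapse the double blank line between `source` and `default_log_source` to match the other mapping files.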
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_process_creation.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_process_creation.yml index 06d225bc..683d4b90 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/linux_process_creation.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: linux_process_creation log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_file_event.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_file_event.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_file_event.yml index 75080012..28639263 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_file_event.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_file_event.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: macos_file_event log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_process_creation.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_process_creation.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_process_creation.yml index 43d5a733..72d368f7 100644 
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_process_creation.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/macos_process_creation.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: macos_process_creation log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_file_event.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_file_event.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_file_event.yml index b6523006..10065aac 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_file_event.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_file_event.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: windows_file_event log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_process_creation.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_creation.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_process_creation.yml index 06e3a5d9..b3201f3d 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_creation.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_process_creation.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: windows_process_creation log_source: 
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_registry_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_registry_event.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_registry_event.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_registry_event.yml index 04abb36b..dbcddfef 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_registry_event.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xdr/windows_registry_event.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XDR source: windows_registry_event log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/apache_httpd.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/apache_httpd.yml similarity index 91% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/apache_httpd.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/apache_httpd.yml index d2007c81..ee859e86 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/apache_httpd.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/apache_httpd.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: apache_httpd diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/apache_tomcat.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/apache_tomcat.yml similarity index 89% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/apache_tomcat.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/apache_tomcat.yml index 2be3cd99..821fa0d4 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/apache_tomcat.yml 
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/apache_tomcat.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: apache_tomcat diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/aws_cloudtrail.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/aws_cloudtrail.yml index 980f2125..7e1b6ac9 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/aws_cloudtrail.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: aws_cloudtrail diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_eks.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/aws_eks.yml similarity index 94% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_eks.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/aws_eks.yml index e7ba2c05..c7159587 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_eks.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/aws_eks.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: aws_eks 
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_aadnoninteractiveusersigninlogs.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_aadnoninteractiveusersigninlogs.yml similarity index 91% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_aadnoninteractiveusersigninlogs.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_aadnoninteractiveusersigninlogs.yml index cd489ccb..40d419d9 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_aadnoninteractiveusersigninlogs.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_aadnoninteractiveusersigninlogs.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: azure_aadnoninteractiveusersigninlogs diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azureactivity.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_azureactivity.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azureactivity.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_azureactivity.yml index b6605a61..78cb3137 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azureactivity.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_azureactivity.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: azure_azureactivity 
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azuread.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_azuread.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azuread.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_azuread.yml index c05ce310..6044b336 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azuread.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_azuread.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: azure_azuread diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_m365.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_m365.yml similarity index 96% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_m365.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_m365.yml index ea4cfecf..94e7a832 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_m365.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_m365.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: azure_m365 diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_signinlogs.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_signinlogs.yml index b5b84cde..5aafbe6a 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml 
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/azure_signinlogs.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: azure_signinlogs diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/default.yml similarity index 99% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/default.yml index f767249b..7405d27b 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/default.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: default diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/dns.yml similarity index 92% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/dns.yml index e279a60a..ceb20d2d 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/dns.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: dns default_log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/firewall.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/firewall.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/firewall.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/firewall.yml index fc18e036..b85d5706 100644 
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/firewall.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/firewall.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: firewall log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_file_event.yml new file mode 100644 index 00000000..92223940 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_file_event.yml @@ -0,0 +1,29 @@ +platform: Palo Alto Cortex XSIAM +source: linux_file_event + +log_source: + preset: xdr_file + +default_log_source: + preset: xdr_file + +field_mapping: + TargetFilename: action_file_name + SourceFilename: action_file_previous_file_name + User: actor_effective_username + CommandLine: actor_process_image_command_line + Image: actor_process_image_path + LogonId: actor_process_logon_id + Product: actor_process_signature_product + Company: actor_process_signature_vendor + IntegrityLevel: actor_process_integrity_level + CurrentDirectory: actor_process_cwd + ProcessId: actor_process_os_id + ParentProcessId: causality_actor_process_os_id + ParentCommandLine: causality_actor_process_command_line + ParentImage: causality_actor_process_image_path + ParentUser: causality_actor_effective_username + ParentIntegrityLevel: causality_actor_process_integrity_level + ParentLogonId: causality_actor_process_logon_id + ParentProduct: causality_actor_process_signature_product + ParentCompany: causality_actor_process_signature_vendor \ No newline at end of file 
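Review bot: `ProcessId: actor_process_os_id` and `ParentProcessId: causality_actor_process_os_id` in the new XSIAM `linux_file_event.yml` use an `_os_id` suffix, while the `linux_process_creation.yml` added in this same patch maps the same concepts to `action_process_os_pid` and `actor_process_os_pid`. Unless the `xdr_file` preset really exposes `*_os_id` columns, this is a typo that will not error at translation time but will produce XQL filtering on a non-existent field and silently matching nothing, which is the worst failure mode for a detection. Please confirm against the XDM schema and, if wrong, change to `ProcessId: actor_process_os_pid` and `ParentProcessId: causality_actor_process_os_pid`; the `macos_file_event.yml` in this patch carries the same two names.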
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_network_connection.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_network_connection.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_network_connection.yml index 310297be..1e1933e7 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_network_connection.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_network_connection.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: linux_network_connection log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_process_creation.yml new file mode 100644 index 00000000..1245f22f --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/linux_process_creation.yml 
@@ -0,0 +1,30 @@ +platform: Palo Alto Cortex XSIAM +source: linux_process_creation + +log_source: + preset: xdr_process + +default_log_source: + preset: xdr_process + +field_mapping: + User: action_process_username + CommandLine: action_process_image_command_line + Image: action_process_image_path + LogonId: action_process_logon_id + Product: action_process_signature_product + Company: action_process_signature_vendor + IntegrityLevel: action_process_integrity_level + CurrentDirectory: action_process_cwd + ProcessId: action_process_os_pid + ParentProcessId: actor_process_os_pid + ParentCommandLine: actor_process_image_command_line + ParentImage: actor_process_image_path + ParentUser: actor_effective_username + ParentIntegrityLevel: actor_process_integrity_level + ParentLogonId: actor_process_logon_id + ParentProduct: actor_process_signature_product + ParentCompany: actor_process_signature_vendor + md5: action_process_image_md5 + sha256: action_process_image_sha256 + EventID: action_evtlog_event_id \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_file_event.yml new file mode 100644 index 00000000..60899029 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_file_event.yml 
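Review bot: `EventID: action_evtlog_event_id` is the last entry of the new XSIAM `linux_process_creation.yml`, yet it is a Windows event-log field and the `macos_process_creation.yml` added alongside it omits it. Mapping `EventID` on a Linux process source means a Sigma rule that pins `EventID: 4688` or `EventID: 1` will translate without complaint into an `xdr_process` query that can never match, which is arguably worse than the unmapped-field error the translator would presumably raise otherwise (`StrictPlatformFieldException` is visible earlier in this patch). Unless Linux `xdr_process` events really populate `action_evtlog_event_id`, drop the line or add a comment explaining why it is present.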
@@ -0,0 +1,29 @@
+platform: Palo Alto Cortex XSIAM
+source: macos_file_event
+
+log_source:
+ preset: xdr_file
+
+default_log_source:
+ preset: xdr_file
+
+field_mapping:
+ TargetFilename: action_file_name
+ SourceFilename: action_file_previous_file_name
+ User: actor_effective_username
+ CommandLine: actor_process_image_command_line
+ Image: actor_process_image_path
+ LogonId: actor_process_logon_id
+ Product: actor_process_signature_product
+ Company: actor_process_signature_vendor
+ IntegrityLevel: actor_process_integrity_level
+ CurrentDirectory: actor_process_cwd
+ ProcessId: actor_process_os_id
+ ParentProcessId: causality_actor_process_os_id
+ ParentCommandLine: causality_actor_process_command_line
+ ParentImage: causality_actor_process_image_path
+ ParentUser: causality_actor_effective_username
+ ParentIntegrityLevel: causality_actor_process_integrity_level
+ ParentLogonId: causality_actor_process_logon_id
+ ParentProduct: causality_actor_process_signature_product
+ ParentCompany: causality_actor_process_signature_vendor
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_network_connection.yml
similarity index 97%
rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_network_connection.yml
rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_network_connection.yml
index aea8606f..727a1a8d 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/macos_network_connection.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_network_connection.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: macos_network_connection
 log_source:
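Review bot: The process identifier fields in this file use an `_os_id` suffix (`ProcessId: actor_process_os_id`, `ParentProcessId: causality_actor_process_os_id`), while the process-creation mappings in the same commit use `_os_pid` for the same concept (`ParentProcessId: actor_process_os_pid`); one of the two spellings is presumably not a real attribute, and a mapping to a non-existent attribute produces a query that silently matches nothing rather than an error. The same divergence exists for `ParentCommandLine: causality_actor_process_command_line` here versus `actor_process_image_command_line` in the process files. The identical pattern is repeated in windows_file_event.yml and windows_registry_event.yml in this patch; please verify the attribute names against the data model once and align all three files.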
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_process_creation.yml
new file mode 100644
index 00000000..e02e77a4
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/macos_process_creation.yml
@@ -0,0 +1,29 @@
+platform: Palo Alto Cortex XSIAM
+source: macos_process_creation
+
+log_source:
+ preset: xdr_process
+
+default_log_source:
+ preset: xdr_process
+
+field_mapping:
+ User: action_process_username
+ CommandLine: action_process_image_command_line
+ Image: action_process_image_path
+ LogonId: action_process_logon_id
+ Product: action_process_signature_product
+ Company: action_process_signature_vendor
+ IntegrityLevel: action_process_integrity_level
+ CurrentDirectory: action_process_cwd
+ ProcessId: action_process_os_pid
+ ParentProcessId: actor_process_os_pid
+ ParentCommandLine: actor_process_image_command_line
+ ParentImage: actor_process_image_path
+ ParentUser: actor_effective_username
+ ParentIntegrityLevel: actor_process_integrity_level
+ ParentLogonId: actor_process_logon_id
+ ParentProduct: actor_process_signature_product
+ ParentCompany: actor_process_signature_vendor
+ md5: action_process_image_md5
+ sha256: action_process_image_sha256
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/nginx_nginx.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/nginx_nginx.yml
similarity index 91%
rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/nginx_nginx.yml
rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/nginx_nginx.yml
index 4622390f..54072934 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/nginx_nginx.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/nginx_nginx.yml
@@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: nginx_nginx diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/okta_okta.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/okta_okta.yml similarity index 82% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/okta_okta.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/okta_okta.yml index c0ed1066..db2e2c47 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/okta_okta.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/okta_okta.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: okta_okta diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/proxy.yml similarity index 95% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/proxy.yml index c546dc4e..846f872d 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/proxy.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: proxy default_log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/slack_slack_raw.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/slack_slack_raw.yml similarity index 81% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/slack_slack_raw.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/slack_slack_raw.yml index 60501a61..6098e617 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/slack_slack_raw.yml 
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/slack_slack_raw.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: slack_slack_raw diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/webserver.yml similarity index 94% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/webserver.yml index 505012f0..b7791fc5 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/webserver.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: webserver default_log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_application.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_application.yml similarity index 92% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_application.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_application.yml index d40073fd..f215f241 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_application.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_application.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_application default_log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_file_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_file_event.yml new file mode 100644 index 00000000..736f6215 --- /dev/null 
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_file_event.yml
@@ -0,0 +1,29 @@
+platform: Palo Alto Cortex XSIAM
+source: windows_file_event
+
+log_source:
+ preset: xdr_file
+
+default_log_source:
+ preset: xdr_file
+
+field_mapping:
+ TargetFilename: action_file_name
+ SourceFilename: action_file_previous_file_name
+ User: actor_effective_username
+ CommandLine: actor_process_image_command_line
+ Image: actor_process_image_path
+ LogonId: actor_process_logon_id
+ Product: actor_process_signature_product
+ Company: actor_process_signature_vendor
+ IntegrityLevel: actor_process_integrity_level
+ CurrentDirectory: actor_process_cwd
+ ProcessId: actor_process_os_id
+ ParentProcessId: causality_actor_process_os_id
+ ParentCommandLine: causality_actor_process_command_line
+ ParentImage: causality_actor_process_image_path
+ ParentUser: causality_actor_effective_username
+ ParentIntegrityLevel: causality_actor_process_integrity_level
+ ParentLogonId: causality_actor_process_logon_id
+ ParentProduct: causality_actor_process_signature_product
+ ParentCompany: causality_actor_process_signature_vendor
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_image_load.yml
similarity index 97%
rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml
rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_image_load.yml
index 98e62b8f..daaffa63 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_image_load.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: windows_image_load
 log_source:
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_network_connection.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_network_connection.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_network_connection.yml index 9c535767..ba6ea04c 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_network_connection.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_network_connection.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_network_connection log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_pipe_created.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_pipe_created.yml similarity index 83% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_pipe_created.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_pipe_created.yml index 8deb0974..0fae37fe 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_pipe_created.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_pipe_created.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_pipe_created default_log_source: 
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_powershell.yml similarity index 90% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_powershell.yml index 41ed1439..100c75d3 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_powershell.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_powershell diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_access.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_access.yml similarity index 92% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_access.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_access.yml index ab559df0..f626eed5 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_access.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_access.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_process_access default_log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_creation.yml new file mode 100644 index 00000000..ec7f6cd2 --- /dev/null +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_creation.yml 
@@ -0,0 +1,30 @@
+platform: Palo Alto Cortex XSIAM
+source: windows_process_creation
+
+log_source:
+ preset: xdr_process
+
+default_log_source:
+ preset: xdr_process
+
+field_mapping:
+ User: action_process_username
+ CommandLine: action_process_image_command_line
+ Image: action_process_image_path
+ LogonId: action_process_logon_id
+ Product: action_process_signature_product
+ Company: action_process_signature_vendor
+ IntegrityLevel: action_process_integrity_level
+ CurrentDirectory: action_process_cwd
+ ProcessId: action_process_os_pid
+ ParentProcessId: actor_process_os_pid
+ ParentCommandLine: actor_process_image_command_line
+ ParentImage: actor_process_image_path
+ ParentUser: actor_effective_username
+ ParentIntegrityLevel: actor_process_integrity_level
+ ParentLogonId: actor_process_logon_id
+ ParentProduct: actor_process_signature_product
+ ParentCompany: actor_process_signature_vendor
+ md5: action_process_image_md5
+ sha256: action_process_image_sha256
+ OriginalFileName: actor_process_file_original_name
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_termination.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_termination.yml
similarity index 87%
rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_termination.yml
rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_termination.yml
index 731d6b8e..baf07e5b 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_termination.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_process_termination.yml
@@ -1,4 +1,4 @@
-platform: Palo Alto XSIAM
+platform: Palo Alto Cortex XSIAM
 source: windows_process_termination
 log_source:
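Review bot: `OriginalFileName: actor_process_file_original_name` points at the actor (parent) process, whereas every other attribute describing the created process in this file maps to the `action_process_*` family; unless the parent's original file name is really what is wanted, this should be the `action_process_*` counterpart, if the data model has one. As written, a Sigma rule that filters on OriginalFileName would be evaluated against the parent binary, which changes what the detection matches without any error being raised. Please confirm the attribute name against the data model and, if the parent is intended, add a YAML comment saying so.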
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_registry_event.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_registry_event.yml
new file mode 100644
index 00000000..fc2a4b71
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_registry_event.yml
@@ -0,0 +1,32 @@
+platform: Palo Alto Cortex XSIAM
+source: windows_registry_event
+
+log_source:
+ preset: xdr_registry
+
+default_log_source:
+ preset: xdr_registry
+
+field_mapping:
+ Details:
+ - action_registry_value_name
+ - action_registry_data
+ TargetObject: action_registry_key_name
+ User: actor_effective_username
+ CommandLine: actor_process_image_command_line
+ Image: actor_process_image_path
+ LogonId: actor_process_logon_id
+ Product: actor_process_signature_product
+ Company: actor_process_signature_vendor
+ IntegrityLevel: actor_process_integrity_level
+ CurrentDirectory: actor_process_cwd
+ ProcessId: actor_process_os_id
+ ParentProcessId: causality_actor_process_os_id
+ ParentCommandLine: causality_actor_process_command_line
+ ParentImage: causality_actor_process_image_path
+ ParentUser: causality_actor_effective_username
+ ParentIntegrityLevel: causality_actor_process_integrity_level
+ ParentLogonId: causality_actor_process_logon_id
+ ParentProduct: causality_actor_process_signature_product
+ ParentCompany: causality_actor_process_signature_vendor
+ EventType: event_sub_type
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_security.yml
similarity index 99%
rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml
rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_security.yml
index 59a56f71..0c446f2a 100644
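Review bot: `EventType: event_sub_type` only works together with the value translation table in renders/base.py (`SOURCE_MAPPING_TO_FIELD_VALUE_MAP["windows_registry_event"]["EventType"]`), which covers SetValue, DeleteValue and CreateKey; any other Sigma EventType value is passed through unchanged by `apply_token` and compared to `event_sub_type` literally, yielding a query that never matches. A YAML comment above the line, e.g. `# EventType values are rewritten in renders/base.py (SOURCE_MAPPING_TO_FIELD_VALUE_MAP); unlisted values pass through as-is`, would make the cross-file coupling visible to whoever edits either side.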
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_security.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_security default_log_source: diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_sysmon.yml similarity index 97% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_sysmon.yml index a15909c9..8609ef23 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_sysmon.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_sysmon diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_system.yml similarity index 93% rename from uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml rename to uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_system.yml index 07730124..5e602fa3 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex_xsiam/windows_system.yml @@ -1,4 +1,4 @@ -platform: Palo Alto XSIAM +platform: Palo Alto Cortex XSIAM source: windows_system default_log_source: diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py index 9882e4e3..39e8e860 100644 
--- a/uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py
+++ b/uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py
@@ -27,15 +27,12 @@
 from app.translator.managers import render_manager
 from app.translator.platforms.elasticsearch.const import elasticsearch_esql_query_details
 from app.translator.platforms.elasticsearch.mapping import ElasticESQLMappings, esql_query_mappings
-from app.translator.platforms.elasticsearch.str_value_manager import (
- ESQLQueryStrValueManager,
- esql_query_str_value_manager,
-)
+from app.translator.platforms.elasticsearch.str_value_manager import ESQLStrValueManager, esql_str_value_manager
 class ESQLFieldValueRender(BaseFieldValueRender):
 details: PlatformDetails = elasticsearch_esql_query_details
- str_value_manager: ESQLQueryStrValueManager = esql_query_str_value_manager
+ str_value_manager: ESQLStrValueManager = esql_str_value_manager
 @staticmethod
 def _make_case_insensitive(value: str) -> str:
diff --git a/uncoder-core/app/translator/platforms/palo_alto/__init__.py b/uncoder-core/app/translator/platforms/palo_alto/__init__.py
index 437bfbd7..e0ed85a2 100644
--- a/uncoder-core/app/translator/platforms/palo_alto/__init__.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/__init__.py
@@ -1 +1,2 @@
-from app.translator.platforms.palo_alto.renders.cortex_xsiam import CortexXQLQueryRender # noqa: F401
+from app.translator.platforms.palo_alto.renders.cortex_xdr import CortexXDRXQLQueryRender # noqa: F401
+from app.translator.platforms.palo_alto.renders.cortex_xsiam import CortexXSIAMXQLQueryRender # noqa: F401
diff --git a/uncoder-core/app/translator/platforms/palo_alto/const.py b/uncoder-core/app/translator/platforms/palo_alto/const.py
index 120938df..12facc47 100644
--- a/uncoder-core/app/translator/platforms/palo_alto/const.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/const.py
@@ -1,16 +1,26 @@
 from app.translator.core.custom_types.predefined_fields import IPLocationType, TimeType
 from app.translator.core.models.platform_details import PlatformDetails
-PLATFORM_DETAILS = {"group_id": "cortex", "group_name": "Palo Alto Cortex XSIAM"}
+PLATFORM_DETAILS = {}
 CORTEX_XSIAM_XQL_QUERY_DETAILS = {
 "platform_id": "cortex-xql-query",
 "name": "Palo Alto Cortex XSIAM Query",
 "platform_name": "Query (XQL)",
- **PLATFORM_DETAILS,
+ "group_id": "cortex-xsiam",
+ "group_name": "Palo Alto Cortex XSIAM",
 }
-cortex_xql_query_details = PlatformDetails(**CORTEX_XSIAM_XQL_QUERY_DETAILS)
+CORTEX_XDR_XQL_QUERY_DETAILS = {
+ "platform_id": "cortex-xdr-xql-query",
+ "name": "Palo Alto Cortex XDR Query",
+ "platform_name": "Query (XQL)",
+ "group_id": "cortex-xdr",
+ "group_name": "Palo Alto Cortex XDR",
+}
+
+cortex_xsiam_xql_query_details = PlatformDetails(**CORTEX_XSIAM_XQL_QUERY_DETAILS)
+cortex_xdr_xql_query_details = PlatformDetails(**CORTEX_XDR_XQL_QUERY_DETAILS)
 PREDEFINED_FIELDS_MAP = {
diff --git a/uncoder-core/app/translator/platforms/palo_alto/mapping.py b/uncoder-core/app/translator/platforms/palo_alto/mapping.py
index 11ccb070..6bf2d111 100644
--- a/uncoder-core/app/translator/platforms/palo_alto/mapping.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/mapping.py
@@ -1,7 +1,13 @@
 from typing import Optional, Union
-from app.translator.core.mapping import BasePlatformMappings, FieldsMapping, LogSourceSignature, SourceMapping
-from app.translator.platforms.palo_alto.const import cortex_xql_query_details
+from app.translator.core.mapping import (
+ BasePlatformMappings,
+ BaseStrictLogSourcesPlatformMappings,
+ FieldsMapping,
+ LogSourceSignature,
+ SourceMapping,
+)
+from app.translator.platforms.palo_alto.const import cortex_xdr_xql_query_details, cortex_xsiam_xql_query_details
 class CortexXQLLogSourceSignature(LogSourceSignature):
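Review bot: `PLATFORM_DETAILS = {}` is kept as an empty module-level constant but nothing in this hunk reads it any more — the `**PLATFORM_DETAILS` spread was removed and both detail dicts now carry their own `group_id`/`group_name`. Either delete the line or, if it is still imported somewhere not visible here, leave a one-line comment such as `# kept for import compatibility only; no longer merged into the *_DETAILS dicts` so it is not mistaken for live configuration. The `PREDEFINED_FIELDS_MAP` definition that starts on the last context line continues outside the hunk.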
@@ -24,34 +30,44 @@ def __prepare_log_source_for_render(logsource: Union[str, list[str]], model: str
 return f"{model} = {logsource}"
 @property
- def __datamodel_scheme(self) -> str:
- if datamodel := self._default_source.get("datamodel"):
- return f"{datamodel} "
+ def __data_model_scheme(self) -> str:
+ if data_model := self._default_source.get("datamodel"):
+ return f"{data_model} "
 return ""
 def __str__(self) -> str:
 if preset_data := self._default_source.get("preset"):
 preset = self.__prepare_log_source_for_render(logsource=preset_data, model="preset")
- return f"{self.__datamodel_scheme}{preset}"
+ return f"{self.__data_model_scheme}{preset}"
 if dataset_data := self._default_source.get("dataset"):
 dataset = self.__prepare_log_source_for_render(logsource=dataset_data, model="dataset")
- return f"{self.__datamodel_scheme}{dataset}"
+ return f"{self.__data_model_scheme}{dataset}"
 return "datamodel dataset = *"
-class CortexXQLMappings(BasePlatformMappings):
+class CortexXQLLogSourceSignaturePreparer:
+ @staticmethod
+ def prepare_log_source_signature(mapping: dict) -> CortexXQLLogSourceSignature:
+ preset = mapping.get("log_source", {}).get("preset")
+ dataset = mapping.get("log_source", {}).get("dataset")
+ default_log_source = mapping["default_log_source"]
+ return CortexXQLLogSourceSignature(preset=preset, dataset=dataset, default_source=default_log_source)
+
+
+class CortexXSIAMXQLMappings(CortexXQLLogSourceSignaturePreparer, BasePlatformMappings):
 skip_load_default_mappings: bool = False
 def update_default_source_mapping(self, default_mapping: SourceMapping, fields_mapping: FieldsMapping) -> None: ...
- def prepare_log_source_signature(self, mapping: dict) -> CortexXQLLogSourceSignature:
- preset = mapping.get("log_source", {}).get("preset")
- dataset = mapping.get("log_source", {}).get("dataset")
- default_log_source = mapping["default_log_source"]
- return CortexXQLLogSourceSignature(preset=preset, dataset=dataset, default_source=default_log_source)
+
+class CortexXDRXQLMappings(CortexXQLLogSourceSignaturePreparer, BaseStrictLogSourcesPlatformMappings):
+ ...
-cortex_xql_query_mappings = CortexXQLMappings(
- platform_dir="palo_alto_cortex", platform_details=cortex_xql_query_details
+cortex_xsiam_xql_query_mappings = CortexXSIAMXQLMappings(
+ platform_dir="palo_alto_cortex_xsiam", platform_details=cortex_xsiam_xql_query_details
+)
+cortex_xdr_xql_query_mappings = CortexXDRXQLMappings(
+ platform_dir="palo_alto_cortex_xdr", platform_details=cortex_xdr_xql_query_details
 )
diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/base.py b/uncoder-core/app/translator/platforms/palo_alto/renders/base.py
new file mode 100644
index 00000000..6983d0f3
--- /dev/null
+++ b/uncoder-core/app/translator/platforms/palo_alto/renders/base.py
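Review bot: `prepare_log_source_signature` in the new `CortexXQLLogSourceSignaturePreparer` mixin indexes `mapping["default_log_source"]` unguarded, so a mapping file under `palo_alto_cortex_xdr` that omits the key fails with a bare KeyError that does not say which file is broken; if the base loader does not validate this (not visible here), a descriptive check such as `if "default_log_source" not in mapping:` / `raise ValueError(f"default_log_source missing in mapping {mapping.get('source')!r}")` would make the failure actionable. The mixin and the two subclasses also lack docstrings; a one-liner on `CortexXDRXQLMappings` stating that it differs from the XSIAM class only by inheriting the strict log-source behaviour of `BaseStrictLogSourcesPlatformMappings` (inferred from the base-class name — confirm) would explain why two otherwise identical classes exist. The `CortexXQLLogSourceSignature` class whose methods open this hunk has its header outside the hunk.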
@@ -0,0 +1,205 @@
+"""
+Uncoder IO Community Edition License
+-----------------------------------------------------------------
+Copyright (c) 2024 SOC Prime, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-----------------------------------------------------------------
+"""
+from typing import ClassVar, Optional, Union
+
+from app.translator.const import DEFAULT_VALUE_TYPE
+from app.translator.core.const import QUERY_TOKEN_TYPE
+from app.translator.core.context_vars import preset_log_source_str_ctx_var
+from app.translator.core.custom_types.tokens import OperatorType
+from app.translator.core.custom_types.values import ValueType
+from app.translator.core.mapping import SourceMapping
+from app.translator.core.models.query_tokens.field_value import FieldValue
+from app.translator.core.render import BaseFieldFieldRender, BaseFieldValueRender, PlatformQueryRender
+from app.translator.core.str_value_manager import StrValue
+from app.translator.platforms.palo_alto.const import PREDEFINED_FIELDS_MAP
+from app.translator.platforms.palo_alto.functions import CortexXQLFunctions
+from app.translator.platforms.palo_alto.mapping import CortexXQLLogSourceSignature
+from app.translator.platforms.palo_alto.str_value_manager import cortex_xql_str_value_manager
+SOURCE_MAPPING_TO_FIELD_VALUE_MAP = {
+ "windows_registry_event": {
+ "EventType": {
+ "SetValue": "REGISTRY_SET_VALUE",
+ "DeleteValue": "REGISTRY_DELETE_VALUE",
+ "CreateKey": "REGISTRY_CREATE_KEY",
+ }
+ }
+}
+
+
+class 
CortexXQLFieldValueRender(BaseFieldValueRender):
+ str_value_manager = cortex_xql_str_value_manager
+
+ @staticmethod
+ def _get_value_type(field_name: str, value: Union[int, str, StrValue], value_type: Optional[str] = None) -> str: # noqa: ARG004
+ if value_type:
+ return value_type
+
+ if isinstance(value, StrValue) and value.has_spec_symbols:
+ return ValueType.regex_value
+
+ return ValueType.value
+
+ @staticmethod
+ def _wrap_str_value(value: str) -> str:
+ return f'"{value}"'
+
+ def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ values = ", ".join(f"{self._pre_process_value(field, v, ValueType.value, True)}" for v in value)
+ return f"{field} in ({values})"
+
+ return f"{field} = {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}"
+
+ def less_modifier(self, field: str, value: Union[int, str]) -> str:
+ return f"{field} < {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}"
+
+ def less_or_equal_modifier(self, field: str, value: Union[int, str]) -> str:
+ return f"{field} <= {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}"
+
+ def greater_modifier(self, field: str, value: Union[int, str]) -> str:
+ return f"{field} > {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}"
+
+ def greater_or_equal_modifier(self, field: str, value: Union[int, str]) -> str:
+ return f"{field} >= {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}"
+
+ def not_equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ return f"({self.or_token.join([self.not_equal_modifier(field=field, value=v) for v in value])})"
+ return f"{field} != {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}"
+
+ def contains_modifier(self, field: str, value: Union[list, str]) -> str:
+ if isinstance(value, list):
+ return 
f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})"
+ if value.endswith("\\"):
+ return f'{field} ~= ".*{self._pre_process_value(field, value, value_type=ValueType.regex_value)}.*"'
+ return f"{field} contains {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}"
+
+ def not_contains_modifier(self, field: str, value: Union[list, str]) -> str:
+ if isinstance(value, list):
+ return f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})"
+ if value.endswith("\\"):
+ return f'{field} !~= ".*{self._pre_process_value(field, value, value_type=ValueType.regex_value)}.*"'
+ return f"{field} not contains {self._pre_process_value(field, value, ValueType.value, wrap_str=True)}"
+
+ def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ return f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})"
+ return f'{field} ~= ".*{self._pre_process_value(field, value, value_type=ValueType.regex_value)}"'
+
+ def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ clause = self.or_token.join(self.startswith_modifier(field=field, value=v) for v in value)
+ return f"({clause})"
+ return f'{field} ~= "{self._pre_process_value(field, value, value_type=ValueType.regex_value)}.*"'
+
+ def regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ return f"({self.or_token.join(self.regex_modifier(field=field, value=v) for v in value)})"
+ value = self._pre_process_value(field, value, value_type=ValueType.regex_value, wrap_str=True)
+ if value.endswith('\\\\"'):
+ value = value[:-1] + "]" + value[-1:]
+ value = value[:-4] + "[" + value[-4:]
+ return f"{field} ~= {value}"
+
+ def not_regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ return 
f"({self.or_token.join(self.regex_modifier(field=field, value=v) for v in value)})"
+ return f"{field} !~= {self._pre_process_value(field ,value, value_type=ValueType.regex_value, wrap_str=True)}"
+
+ def is_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ return f"({self.or_token.join(self.is_none(field=field, value=v) for v in value)})"
+ return f"{field} = null"
+
+ def is_not_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ return f"({self.or_token.join(self.is_not_none(field=field, value=v) for v in value)})"
+ return f"{field} != null"
+
+ def keywords(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
+ if isinstance(value, list):
+ return f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})"
+ if value.endswith("\\"):
+ return f'_raw_log ~= ".*{self._pre_process_value(field ,value, value_type=ValueType.regex_value)}.*"'
+ return f"_raw_log contains {self._pre_process_value(field ,value, value_type=ValueType.value, wrap_str=True)}"
+
+
+class CortexXQLFieldFieldRender(BaseFieldFieldRender):
+ operators_map: ClassVar[dict[str, str]] = {
+ OperatorType.EQ: "=",
+ OperatorType.NOT_EQ: "!=",
+ OperatorType.LT: "<",
+ OperatorType.LTE: "<=",
+ OperatorType.GT: ">",
+ OperatorType.GTE: ">=",
+ }
+
+
+class CortexXQLQueryRender(PlatformQueryRender):
+ predefined_fields_map = PREDEFINED_FIELDS_MAP
+ raw_log_field_patterns_map: ClassVar[dict[str, str]] = {
+ "regex": '| alter {field} = regextract(to_json_string(action_evtlog_data_fields)->{field}{{}}, "\\"(.*)\\"")',
+ "object": '| alter {field_name} = json_extract_scalar({field_object} , "$.{field_path}")',
+ "list": '| alter {field_name} = arraystring(json_extract_array({field_object} , "$.{field_path}")," ")',
+ }
+ platform_functions: CortexXQLFunctions = None
+
+ or_token = "or"
+ and_token = "and"
+ not_token = "not"
+ query_parts_delimiter = "\n"
+
+ field_field_render = 
CortexXQLFieldFieldRender() + comment_symbol = "//" + is_single_line_comment = False + + def process_raw_log_field(self, field: str, field_type: str) -> Optional[str]: + raw_log_field_pattern = self.raw_log_field_patterns_map.get(field_type) + if raw_log_field_pattern is None: + return + if field_type == "regex": + field = field.replace(".", r"\.") + return raw_log_field_pattern.format(field=field) + if field_type in ("object", "list") and "." in field: + field_object, field_path = field.split(".", 1) + field_name = field.replace(".", "_") + return raw_log_field_pattern.format(field_name=field_name, field_object=field_object, field_path=field_path) + + def generate_prefix(self, log_source_signature: CortexXQLLogSourceSignature, functions_prefix: str = "") -> str: + functions_prefix = f"{functions_prefix} | " if functions_prefix else "" + log_source_str = preset_log_source_str_ctx_var.get() or str(log_source_signature) + return f"{functions_prefix}{log_source_str}" + + def apply_token(self, token: QUERY_TOKEN_TYPE, source_mapping: SourceMapping) -> str: + if isinstance(token, FieldValue) and token.field: + field_name = token.field.source_name + if values_map := SOURCE_MAPPING_TO_FIELD_VALUE_MAP.get(source_mapping.source_id, {}).get(field_name): + values_to_update = [] + for token_value in token.values: + mapped_value: str = values_map.get(token_value, token_value) + values_to_update.append( + StrValue(value=mapped_value, split_value=mapped_value.split()) if mapped_value else token_value + ) + token.value = values_to_update + return super().apply_token(token=token, source_mapping=source_mapping) + + @staticmethod + def _finalize_search_query(query: str) -> str: + return f"| filter {query}" if query else "" diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xdr.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xdr.py new file mode 100644 index 00000000..fac4df3d --- /dev/null 
+++ b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xdr.py @@ -0,0 +1,41 @@ +""" +Uncoder IO Community Edition License +----------------------------------------------------------------- +Copyright (c) 2024 SOC Prime, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +----------------------------------------------------------------- +""" + +from app.translator.core.models.platform_details import PlatformDetails +from app.translator.managers import render_manager +from app.translator.platforms.palo_alto.const import cortex_xdr_xql_query_details +from app.translator.platforms.palo_alto.functions import cortex_xdr_xql_functions +from app.translator.platforms.palo_alto.mapping import CortexXDRXQLMappings, cortex_xdr_xql_query_mappings +from app.translator.platforms.palo_alto.renders.base import CortexXQLFieldValueRender, CortexXQLQueryRender + + +class CortexXDRXQLFieldValueRender(CortexXQLFieldValueRender): + details: PlatformDetails = cortex_xdr_xql_query_details + + +@render_manager.register +class CortexXDRXQLQueryRender(CortexXQLQueryRender): + details: PlatformDetails = cortex_xdr_xql_query_details + mappings: CortexXDRXQLMappings = cortex_xdr_xql_query_mappings + + field_value_render = CortexXDRXQLFieldValueRender(CortexXQLQueryRender.or_token) + + def init_platform_functions(self) -> None: + self.platform_functions = cortex_xdr_xql_functions + self.platform_functions.platform_query_render = self 
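Review bot: `field_value_render = CortexXDRXQLFieldValueRender(CortexXQLQueryRender.or_token)` passes the token positionally where the code removed from cortex_xsiam.py used `or_token=or_token`; `CortexXDRXQLFieldValueRender(or_token=CortexXQLQueryRender.or_token)` keeps the intent readable now that the value comes from the parent class instead of the class body, and the same applies to the cortex_xsiam.py hunk below. `init_platform_functions` also stores `self` on the module-level `cortex_xdr_xql_functions` singleton (the pattern the old cortex_xsiam.py code used), so if more than one render instance is ever built the last one wins; a comment such as `# module singleton: assumes a single CortexXDRXQLQueryRender instance` would record that assumption. Both new classes lack a docstring; a one-liner noting that they differ from the XSIAM render only in `details`, `mappings` and the functions object would help a reader comparing the two modules.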
diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py index c5728eac..4b05b306 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py +++ b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py 
@@ -16,205 +16,26 @@ limitations under the License. ----------------------------------------------------------------- """ -from typing import ClassVar, Optional, Union -from app.translator.const import DEFAULT_VALUE_TYPE -from app.translator.core.const import QUERY_TOKEN_TYPE -from app.translator.core.context_vars import preset_log_source_str_ctx_var -from app.translator.core.custom_types.tokens import OperatorType -from app.translator.core.custom_types.values import ValueType -from app.translator.core.mapping import SourceMapping from app.translator.core.models.platform_details import PlatformDetails -from app.translator.core.models.query_tokens.field_value import FieldValue -from app.translator.core.render import BaseFieldFieldRender, BaseFieldValueRender, PlatformQueryRender -from app.translator.core.str_value_manager import StrValue from app.translator.managers import render_manager -from app.translator.platforms.palo_alto.const import PREDEFINED_FIELDS_MAP, cortex_xql_query_details -from app.translator.platforms.palo_alto.functions import CortexXQLFunctions, cortex_xql_functions -from app.translator.platforms.palo_alto.mapping import ( - CortexXQLLogSourceSignature, - CortexXQLMappings, - cortex_xql_query_mappings, -) -from app.translator.platforms.palo_alto.str_value_manager import cortex_xql_str_value_manager +from app.translator.platforms.palo_alto.const import cortex_xsiam_xql_query_details +from app.translator.platforms.palo_alto.functions import cortex_xsiam_xql_functions +from app.translator.platforms.palo_alto.mapping import CortexXSIAMXQLMappings, cortex_xsiam_xql_query_mappings +from app.translator.platforms.palo_alto.renders.base import CortexXQLFieldValueRender, CortexXQLQueryRender -SOURCE_MAPPING_TO_FIELD_VALUE_MAP = { - "windows_registry_event": { - "EventType": { - "SetValue": "REGISTRY_SET_VALUE", - "DeleteValue": "REGISTRY_DELETE_VALUE", - "CreateKey": "REGISTRY_CREATE_KEY", - } - } -} - -class CortexXQLFieldValueRender(BaseFieldValueRender): 
- details: PlatformDetails = cortex_xql_query_details - str_value_manager = cortex_xql_str_value_manager - - @staticmethod - def _get_value_type(field_name: str, value: Union[int, str, StrValue], value_type: Optional[str] = None) -> str: # noqa: ARG004 - if value_type: - return value_type - - if isinstance(value, StrValue) and value.has_spec_symbols: - return ValueType.regex_value - - return ValueType.value - - @staticmethod - def _wrap_str_value(value: str) -> str: - return f'"{value}"' - - def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - values = ", ".join(f"{self._pre_process_value(field, v, ValueType.value, True)}" for v in value) - return f"{field} in ({values})" - - return f"{field} = {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def less_modifier(self, field: str, value: Union[int, str]) -> str: - return f"{field} < {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def less_or_equal_modifier(self, field: str, value: Union[int, str]) -> str: - return f"{field} <= {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def greater_modifier(self, field: str, value: Union[int, str]) -> str: - return f"{field} > {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def greater_or_equal_modifier(self, field: str, value: Union[int, str]) -> str: - return f"{field} >= {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def not_equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return f"({self.or_token.join([self.not_equal_modifier(field=field, value=v) for v in value])})" - return f"{field} != {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def contains_modifier(self, field: str, value: Union[list, str]) -> str: - if isinstance(value, list): - 
return f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})" - if value.endswith("\\"): - return f'{field} ~= ".*{self._pre_process_value(field, value, value_type=ValueType.regex_value)}.*"' - return f"{field} contains {self._pre_process_value(field, value, value_type=ValueType.value, wrap_str=True)}" - - def not_contains_modifier(self, field: str, value: Union[list, str]) -> str: - if isinstance(value, list): - return f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})" - if value.endswith("\\"): - return f'{field} !~= ".*{self._pre_process_value(field, value, value_type=ValueType.regex_value)}.*"' - return f"{field} not contains {self._pre_process_value(field, value, ValueType.value, wrap_str=True)}" - - def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})" - return f'{field} ~= ".*{self._pre_process_value(field, value, value_type=ValueType.regex_value)}"' - - def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - clause = self.or_token.join(self.startswith_modifier(field=field, value=v) for v in value) - return f"({clause})" - return f'{field} ~= "{self._pre_process_value(field, value, value_type=ValueType.regex_value)}.*"' - - def regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return f"({self.or_token.join(self.regex_modifier(field=field, value=v) for v in value)})" - value = self._pre_process_value(field, value, value_type=ValueType.regex_value, wrap_str=True) - if value.endswith('\\\\"'): - value = value[:-1] + "]" + value[-1:] - value = value[:-4] + "[" + value[-4:] - return f"{field} ~= {value}" - - def not_regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return 
f"({self.or_token.join(self.regex_modifier(field=field, value=v) for v in value)})" - return f"{field} !~= {self._pre_process_value(field ,value, value_type=ValueType.regex_value, wrap_str=True)}" - - def is_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return f"({self.or_token.join(self.is_none(field=field, value=v) for v in value)})" - return f"{field} = null" - - def is_not_none(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return f"({self.or_token.join(self.is_not_none(field=field, value=v) for v in value)})" - return f"{field} != null" - - def keywords(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: - if isinstance(value, list): - return f"({self.or_token.join(self.contains_modifier(field=field, value=v) for v in value)})" - if value.endswith("\\"): - return f'_raw_log ~= ".*{self._pre_process_value(field ,value, value_type=ValueType.regex_value)}.*"' - return f"_raw_log contains {self._pre_process_value(field ,value, value_type=ValueType.value, wrap_str=True)}" - - -class CortexXQLFieldFieldRender(BaseFieldFieldRender): - operators_map: ClassVar[dict[str, str]] = { - OperatorType.EQ: "=", - OperatorType.NOT_EQ: "!=", - OperatorType.LT: "<", - OperatorType.LTE: "<=", - OperatorType.GT: ">", - OperatorType.GTE: ">=", - } +class CortexXSIAMXQLFieldValueRender(CortexXQLFieldValueRender): + details: PlatformDetails = cortex_xsiam_xql_query_details @render_manager.register -class CortexXQLQueryRender(PlatformQueryRender): - details: PlatformDetails = cortex_xql_query_details - mappings: CortexXQLMappings = cortex_xql_query_mappings - predefined_fields_map = PREDEFINED_FIELDS_MAP - raw_log_field_patterns_map: ClassVar[dict[str, str]] = { - "regex": '| alter {field} = regextract(to_json_string(action_evtlog_data_fields)->{field}{{}}, "\\"(.*)\\"")', - "object": '| alter {field_name} = json_extract_scalar({field_object} , "$.{field_path}")', - "list": '| alter {field_name} = 
arraystring(json_extract_array({field_object} , "$.{field_path}")," ")', - } - platform_functions: CortexXQLFunctions = None +class CortexXSIAMXQLQueryRender(CortexXQLQueryRender): + details: PlatformDetails = cortex_xsiam_xql_query_details + mappings: CortexXSIAMXQLMappings = cortex_xsiam_xql_query_mappings - or_token = "or" - and_token = "and" - not_token = "not" - query_parts_delimiter = "\n" - - field_field_render = CortexXQLFieldFieldRender() - field_value_render = CortexXQLFieldValueRender(or_token=or_token) - comment_symbol = "//" - is_single_line_comment = False + field_value_render = CortexXSIAMXQLFieldValueRender(CortexXQLQueryRender.or_token) def init_platform_functions(self) -> None: - self.platform_functions = cortex_xql_functions + self.platform_functions = cortex_xsiam_xql_functions self.platform_functions.platform_query_render = self - - def process_raw_log_field(self, field: str, field_type: str) -> Optional[str]: - raw_log_field_pattern = self.raw_log_field_patterns_map.get(field_type) - if raw_log_field_pattern is None: - return - if field_type == "regex": - field = field.replace(".", r"\.") - return raw_log_field_pattern.format(field=field) - if field_type in ("object", "list") and "." 
in field: - field_object, field_path = field.split(".", 1) - field_name = field.replace(".", "_") - return raw_log_field_pattern.format(field_name=field_name, field_object=field_object, field_path=field_path) - - def generate_prefix(self, log_source_signature: CortexXQLLogSourceSignature, functions_prefix: str = "") -> str: - functions_prefix = f"{functions_prefix} | " if functions_prefix else "" - log_source_str = preset_log_source_str_ctx_var.get() or str(log_source_signature) - return f"{functions_prefix}{log_source_str}" - - def apply_token(self, token: QUERY_TOKEN_TYPE, source_mapping: SourceMapping) -> str: - if isinstance(token, FieldValue) and token.field: - field_name = token.field.source_name - if values_map := SOURCE_MAPPING_TO_FIELD_VALUE_MAP.get(source_mapping.source_id, {}).get(field_name): - values_to_update = [] - for token_value in token.values: - mapped_value: str = values_map.get(token_value, token_value) - values_to_update.append( - StrValue(value=mapped_value, split_value=mapped_value.split()) if mapped_value else token_value - ) - token.value = values_to_update - return super().apply_token(token=token, source_mapping=source_mapping) - - @staticmethod - def _finalize_search_query(query: str) -> str: - return f"| filter {query}" if query else "" diff --git a/uncoder-core/app/translator/platforms/sigma/mapping.py b/uncoder-core/app/translator/platforms/sigma/mapping.py index fc6f7c1b..6180c948 100644 --- a/uncoder-core/app/translator/platforms/sigma/mapping.py +++ b/uncoder-core/app/translator/platforms/sigma/mapping.py @@ -48,7 +48,7 @@ def prepare_log_source_signature(self, mapping: dict) -> SigmaLogSourceSignature product=product, service=service, category=category, default_source=default_log_source ) - def get_suitable_source_mappings( + def get_source_mappings_by_fields_and_log_sources( self, field_names: list[str], log_sources: dict[str, list[Union[int, str]]] ) -> list[SourceMapping]: source_mappings = [] 
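Review bot: `CortexXSIAMXQLFieldValueRender` now inherits `not_contains_modifier` and `not_regex_modifier` unchanged from the relocated base, and in both the list branch still dispatches to the positive form (`self.contains_modifier(...)` / `self.regex_modifier(...)`, visible on the removed side of this hunk and on the added side of the base.py hunk above), so a negated multi-value condition renders as an OR of positive matches and a translated exclusion silently becomes an inclusion. The fix is one call each: `self.not_contains_modifier(field=field, value=v)` and `self.not_regex_modifier(field=field, value=v)`. `keywords` likewise delegates list values to `contains_modifier` with the field name instead of `_raw_log`, which looks unintended, though I cannot confirm from this diff what `field` holds there. Since the move leaves these methods in base.py rather than here, the fix belongs in that file.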
diff --git a/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py b/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py index 4f04335a..d4a2d83c 100644 --- a/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py +++ b/uncoder-core/app/translator/platforms/sigma/parsers/sigma.py @@ -18,6 +18,7 @@ """ from datetime import timedelta +from re import I from typing import Optional, Union from app.translator.core.exceptions.core import SigmaRuleValidationException @@ -112,7 +113,9 @@ def parse(self, raw_query_container: RawQueryContainer) -> TokenizedQueryContain tokens = self.tokenizer.tokenize(detection=sigma_rule.get("detection")) field_tokens = [token.field for token in QueryTokenizer.filter_tokens(tokens, FieldValue)] field_names = [field.source_name for field in field_tokens] - source_mappings = self.mappings.get_suitable_source_mappings(field_names=field_names, log_sources=log_sources) + source_mappings = self.mappings.get_source_mappings_by_fields_and_log_sources( + field_names=field_names, log_sources=log_sources + ) QueryTokenizer.set_field_tokens_generic_names_map(field_tokens, source_mappings, self.mappings.default_mapping) sigma_fields_tokens = None if sigma_fields := sigma_rule.get("fields"): From 504d089ebfac0dcea64aac415c880dbd7c8fcda4 Mon Sep 17 00:00:00 2001 From: "oleksandr.volha" Date: Tue, 24 Sep 2024 15:50:57 +0300 Subject: [PATCH 2/3] update palo alto funcs --- .../platforms/elasticsearch/renders/esql.py | 7 +++++-- .../platforms/palo_alto/functions/__init__.py | 18 +++++++++++++++--- .../platforms/palo_alto/functions/const.py | 8 ++++++-- .../platforms/palo_alto/functions/manager.py | 3 ++- 4 files changed, 28 insertions(+), 8 deletions(-) diff --git a/uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py b/uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py index 39e8e860..9e71fe2a 100644 --- a/uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py 
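Review bot: `from re import I` is added at the top of sigma.py but neither hunk uses `I`, and the second hunk only re-wraps the renamed `get_source_mappings_by_fields_and_log_sources` call; unless the rest of the file, outside this diff, references it, the import is dead and ruff's F401 would flag it under the pinned `ruff==0.1.13`. If it is needed, `import re` with `re.IGNORECASE` reads more clearly than the single-letter alias.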
+++ b/uncoder-core/app/translator/platforms/elasticsearch/renders/esql.py @@ -27,12 +27,15 @@ from app.translator.managers import render_manager from app.translator.platforms.elasticsearch.const import elasticsearch_esql_query_details from app.translator.platforms.elasticsearch.mapping import ElasticESQLMappings, esql_query_mappings -from app.translator.platforms.elasticsearch.str_value_manager import ESQLStrValueManager, esql_str_value_manager +from app.translator.platforms.elasticsearch.str_value_manager import ( + ESQLQueryStrValueManager, + esql_query_str_value_manager +) class ESQLFieldValueRender(BaseFieldValueRender): details: PlatformDetails = elasticsearch_esql_query_details - str_value_manager: ESQLStrValueManager = esql_str_value_manager + str_value_manager: ESQLQueryStrValueManager = esql_query_str_value_manager @staticmethod def _make_case_insensitive(value: str) -> str: diff --git a/uncoder-core/app/translator/platforms/palo_alto/functions/__init__.py b/uncoder-core/app/translator/platforms/palo_alto/functions/__init__.py index 2f98f633..6bc3588c 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/functions/__init__.py +++ b/uncoder-core/app/translator/platforms/palo_alto/functions/__init__.py 
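Review bot: The parenthesized import that now spans three lines has no trailing comma after `esql_query_str_value_manager`, unlike the equivalent multi-line import added to functions/__init__.py in the next patch, which ends every name with one; `esql_query_str_value_manager,` keeps the two consistent and lets a formatter preserve the one-name-per-line layout. Ruff's COM812 reports this if the project enables the flake8-commas rules.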
@@ -1,12 +1,24 @@ import os.path from app.translator.core.functions import PlatformFunctions -from app.translator.platforms.palo_alto.functions.manager import CortexXQLFunctionsManager, cortex_xql_functions_manager +from app.translator.platforms.palo_alto.functions.manager import ( + CortexXQLFunctionsManager, + cortex_xdr_xql_functions_manager, + cortex_xsiam_xql_functions_manager, +) class CortexXQLFunctions(PlatformFunctions): dir_path: str = os.path.abspath(os.path.dirname(__file__)) - manager: CortexXQLFunctionsManager = cortex_xql_functions_manager -cortex_xql_functions = CortexXQLFunctions() +class CortexXSIAMXQLFunctions(CortexXQLFunctions): + manager: CortexXQLFunctionsManager = cortex_xsiam_xql_functions_manager + + +class CortexXDRXQLFunctions(CortexXQLFunctions): + manager: CortexXQLFunctionsManager = cortex_xdr_xql_functions_manager + + +cortex_xsiam_xql_functions = CortexXSIAMXQLFunctions() +cortex_xdr_xql_functions = CortexXDRXQLFunctions() diff --git a/uncoder-core/app/translator/platforms/palo_alto/functions/const.py b/uncoder-core/app/translator/platforms/palo_alto/functions/const.py index 95bb3982..91745fca 100644 --- a/uncoder-core/app/translator/platforms/palo_alto/functions/const.py +++ b/uncoder-core/app/translator/platforms/palo_alto/functions/const.py @@ -11,6 +11,7 @@ class CortexXQLFunctionType(CustomEnum): values = "values" divide = "divide" + multiply = "multiply" lower = "lowercase" split = "split" @@ -26,18 +27,21 @@ class CortexXQLFunctionType(CustomEnum): config = "config" fields = "fields" filter = "filter" + iploc = "iploc" + join = "join" limit = "limit" sort = "sort" timeframe = "timeframe" + timestamp_diff = "timestamp_diff" union = "union" -class XqlSortOrderType(CustomEnum): +class CortexXQLSortOrderType(CustomEnum): asc = "asc" desc = "desc" -class XqlTimeFrameType(CustomEnum): +class CortexXQLTimeFrameType(CustomEnum): years = "y" months = "mo" days = "d" 
diff --git a/uncoder-core/app/translator/platforms/palo_alto/functions/manager.py b/uncoder-core/app/translator/platforms/palo_alto/functions/manager.py
index 95e0cf90..2970a010 100644
--- a/uncoder-core/app/translator/platforms/palo_alto/functions/manager.py
+++ b/uncoder-core/app/translator/platforms/palo_alto/functions/manager.py
@@ -5,4 +5,5 @@ class CortexXQLFunctionsManager(PlatformFunctionsManager): ...
-cortex_xql_functions_manager = CortexXQLFunctionsManager()
+cortex_xsiam_xql_functions_manager = CortexXQLFunctionsManager()
+cortex_xdr_xql_functions_manager = CortexXQLFunctionsManager()
From abf11c2370afafc1fc358b587358f7c65807bc15 Mon Sep 17 00:00:00 2001
From: "oleksandr.volha"
Date: Wed, 25 Sep 2024 11:47:15 +0300
Subject: [PATCH 3/3] update dependencies
---
 uncoder-core/requirements.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/uncoder-core/requirements.txt b/uncoder-core/requirements.txt
index a4ab0e8e..90c4901e 100644
--- a/uncoder-core/requirements.txt
+++ b/uncoder-core/requirements.txt
@@ -6,4 +6,5 @@ colorama~=0.4.6
 ruff==0.1.13
 ujson==5.9.0
 xmltodict~=0.13.0
-isodate==0.6.1
\ No newline at end of file
+isodate==0.6.1
+toml==0.10.2
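Review bot: `toml==0.10.2` pins a library whose 0.10.2 release dates from late 2020 with nothing published since, so the line adds an effectively unmaintained package to the dependency surface; if the project runs on Python 3.11 or newer, the standard-library `tomllib` covers reading TOML with no third-party dependency, and on older interpreters `tomli` is the maintained equivalent. The patch does not show what consumes the package, so which of these fits depends on whether write support is needed (`tomllib` and `tomli` are read-only). The exact pin itself matches the file's existing `isodate==0.6.1` style.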