Merge pull request #158 from UncoderIO/gis-8085

GIS-8085 Improve StrictPlatformException and mapping

Author: nazargesyk

uncoder-core/app/translator/core/exceptions/core.py

@@ -1,3 +1,6 @@
+from typing import Optional
+
+
 class NotImplementedException(BaseException):
     ...
 
@@ -7,8 +10,17 @@ class BasePlatformException(BaseException):
 
 
 class StrictPlatformException(BasePlatformException):
-    def __init__(self, platform_name: str, field_name: str):
-        message = f"Platform {platform_name} has strict mapping. Source field {field_name} has no mapping."
+    field_name: str = None
+
+    def __init__(
+        self, platform_name: str, field_name: str, mapping: str = None, detected_fields: Optional[list] = None
+    ):
+        message = (
+            f"Platform {platform_name} has strict mapping. "
+            f"Source fields: {', '.join(detected_fields) if detected_fields else field_name} has no mapping."
+            f" Mapping file: {mapping}." if mapping else ""
+        )
+        self.field_name = field_name
         super().__init__(message)
 
 

uncoder-core/app/translator/core/render.py

@@ -263,8 +263,16 @@ def apply_token(self, token: Union[FieldValue, Keyword, Identifier], source_mapp
 
     def generate_query(self, tokens: list[TOKEN_TYPE], source_mapping: SourceMapping) -> str:
         result_values = []
+        not_found_mapping_fields = set()
         for token in tokens:
-            result_values.append(self.apply_token(token=token, source_mapping=source_mapping))
+            try:
+                result_values.append(self.apply_token(token=token, source_mapping=source_mapping))
+            except StrictPlatformException as err:
+                not_found_mapping_fields.add(err.field_name)
+        if not_found_mapping_fields:
+            raise StrictPlatformException(
+                self.details.name, "", source_mapping.source_id, sorted(list(not_found_mapping_fields))
+            )
         return "".join(result_values)
 
     def wrap_query_with_meta_info(self, meta_info: MetaInfoContainer, query: str) -> str:

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml

@@ -125,3 +125,4 @@ field_mapping:
   SourceOS: xdm.source.host.os
   DestinationOS: xdm.target.host.os
   url_category: xdm.network.http.url_category
+  EventSeverity: xdm.alert.severity

uncoder-core/app/translator/mappings/platforms/qradar/default.yml

@@ -13,9 +13,12 @@ field_mapping:
   dst-port:
     - DstPort
     - DestinationPort
+    - remoteport
   dst-hostname: DstHost
   src-hostname: SrcHost
-  src-port: SourcePort
+  src-port:
+    - SourcePort
+    - localport
   src-ip:
     - sourceip
     - source_ip
@@ -27,6 +30,7 @@ field_mapping:
     - destination_ip
     - destinationIP
     - destinationaddress
+    - destination
   User:
     - userName
     - EventUserName
@@ -64,4 +68,5 @@ field_mapping:
   DestinationOS: DestinationOS
   TargetUserName: DestinationUserName
   SourceUserName: SourceUserName
-  url_category: XForceCategoryByURL
+  url_category: XForceCategoryByURL
+  EventSeverity: EventSeverity