Merge pull request #111 from UncoderIO/gis-7789

Palo Alto Cortex XSIAM: add support array of default logsources

Author: saltar-ua

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml

@@ -0,0 +1,14 @@
+platform: Palo Alto XSIAM
+source: webserver
+
+default_log_source:
+  dataset: [apache_tomcat_raw, nginx_nginx_raw, apache_tomcat_raw]
+
+field_mapping:
+  c-uri: xdm.network.http.url
+  c-useragent: xdm.source.user_agent
+  cs-method: xdm.network.http.method
+  cs-bytes: xdm.target.sent_bytes
+  c-uri-query: xdm.network.http.url
+  cs-referrer: xdm.network.http.referrer
+  sc-status: xdm.network.http.response_code

uncoder-core/app/translator/platforms/palo_alto/escape_manager.py

@@ -7,9 +7,10 @@
 
 class XQLEscapeManager(EscapeManager):
     escape_map: ClassVar[dict[str, list[EscapeDetails]]] = {
-        ValueType.regex_value: [EscapeDetails(pattern=r'([_!@#$%^&*=+()\[\]{}|;:\'",.<>?/`~\-\s\\])', escape_symbols=r"\\\1")],
-        ValueType.value: [EscapeDetails(pattern=r'([\\])', escape_symbols=r"\\\1")],
-
+        ValueType.regex_value: [
+            EscapeDetails(pattern=r'([_!@#$%^&*=+()\[\]{}|;:\'",.<>?/`~\-\s\\])', escape_symbols=r"\\\1")
+        ],
+        ValueType.value: [EscapeDetails(pattern=r"([\\])", escape_symbols=r"\\\1")],
     }
 
 

uncoder-core/app/translator/platforms/palo_alto/mapping.py

@@ -1,4 +1,4 @@
-from typing import Optional
+from typing import Optional, Union
 
 from app.translator.core.mapping import (
     DEFAULT_MAPPING_NAME,
@@ -18,8 +18,17 @@ def __init__(self, preset: Optional[list[str]], dataset: Optional[list[str]], de
     def is_suitable(self, preset: str, dataset: str) -> bool:
         return preset == self.preset or dataset == self.dataset
 
+    def __prepare_log_source_for_render(self, logsource: Union[str, list[str]], model: str = "datamodel") -> str:
+        if isinstance(logsource, list):
+            return f"{model} in ({', '.join(source for source in logsource)})"
+        return f"{model} = {logsource}"
+
     def __str__(self) -> str:
-        return self._default_source.get("preset") or self._default_source.get("dataset")
+        if preset_data := self._default_source.get("preset"):
+            return self.__prepare_log_source_for_render(logsource=preset_data, model="preset")
+        if dataset_data := self._default_source.get("dataset"):
+            return self.__prepare_log_source_for_render(logsource=dataset_data, model="dataset")
+        return "datamodel"
 
 
 class CortexXSIAMMappings(BasePlatformMappings):

uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py

@@ -69,9 +69,7 @@ def contains_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
 
     def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
-            return (
-                f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})"
-            )
+            return f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})"
         return f'{field} ~= ".*{self.apply_value(value, value_type=ValueType.regex_value)}"'
 
     def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
@@ -118,14 +116,4 @@ class CortexXQLQueryRender(PlatformQueryRender):
     is_single_line_comment = False
 
     def generate_prefix(self, log_source_signature: CortexXSIAMLogSourceSignature) -> str:
-        preset = (
-            f"preset = {log_source_signature._default_source.get('preset')}"
-            if log_source_signature._default_source.get("preset")
-            else None
-        )
-        dataset = (
-            f"dataset = {log_source_signature._default_source.get('dataset')}"
-            if log_source_signature._default_source.get("dataset")
-            else None
-        )
-        return preset or dataset or "datamodel"
+        return str(log_source_signature)