Palo Alto Cortex XSIAM: Add support array of default logsources

Author: saltar-ua

uncoder-core/app/translator/platforms/palo_alto/escape_manager.py

@@ -7,9 +7,10 @@
 
 class XQLEscapeManager(EscapeManager):
     escape_map: ClassVar[dict[str, list[EscapeDetails]]] = {
-        ValueType.regex_value: [EscapeDetails(pattern=r'([_!@#$%^&*=+()\[\]{}|;:\'",.<>?/`~\-\s\\])', escape_symbols=r"\\\1")],
-        ValueType.value: [EscapeDetails(pattern=r'([\\])', escape_symbols=r"\\\1")],
-
+        ValueType.regex_value: [
+            EscapeDetails(pattern=r'([_!@#$%^&*=+()\[\]{}|;:\'",.<>?/`~\-\s\\])', escape_symbols=r"\\\1")
+        ],
+        ValueType.value: [EscapeDetails(pattern=r"([\\])", escape_symbols=r"\\\1")],
     }
 
 

uncoder-core/app/translator/platforms/palo_alto/mapping.py

@@ -20,7 +20,7 @@ def is_suitable(self, preset: str, dataset: str) -> bool:
 
     def __prepare_log_source_for_render(self, logsource: Union[str, list[str]], model: str = "datamodel") -> str:
         if isinstance(logsource, list):
-            return f"{model} in ({', '.join([source for source in logsource])})"
+            return f"{model} in ({', '.join(source for source in logsource)})"
         return f"{model} = {logsource}"
 
     def __str__(self) -> str:

uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py

@@ -69,9 +69,7 @@ def contains_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
 
     def endswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
-            return (
-                f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})"
-            )
+            return f"({self.or_token.join(self.endswith_modifier(field=field, value=v) for v in value)})"
         return f'{field} ~= ".*{self.apply_value(value, value_type=ValueType.regex_value)}"'
 
     def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str: