Palo Alto Cortex XSIAM: Add support array of default logsources

saltar-ua · saltar-ua · commit 9fb67bd7f965 · 2024-05-17T17:54:36.000+03:00
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
@@ -0,0 +1,14 @@
+platform: Palo Alto XSIAM
+source: webserver
+
+default_log_source:
+  dataset: [apache_tomcat_raw, nginx_nginx_raw, apache_tomcat_raw]
+
+field_mapping:
+  c-uri: xdm.network.http.url
+  c-useragent: xdm.source.user_agent
+  cs-method: xdm.network.http.method
+  cs-bytes: xdm.target.sent_bytes
+  c-uri-query: xdm.network.http.url
+  cs-referrer: xdm.network.http.referrer
+  sc-status: xdm.network.http.response_code
diff --git a/uncoder-core/app/translator/platforms/palo_alto/mapping.py b/uncoder-core/app/translator/platforms/palo_alto/mapping.py
@@ -1,4 +1,4 @@
-from typing import Optional
+from typing import Optional, Union
 
 from app.translator.core.mapping import (
     DEFAULT_MAPPING_NAME,
@@ -18,8 +18,17 @@ def __init__(self, preset: Optional[list[str]], dataset: Optional[list[str]], de
     def is_suitable(self, preset: str, dataset: str) -> bool:
         return preset == self.preset or dataset == self.dataset
 
+    def __prepare_log_source_for_render(self, logsource: Union[str, list[str]], model: str = "datamodel") -> str:
+        if isinstance(logsource, list):
+            return f"{model} in ({', '.join([source for source in logsource])})"
+        return f"{model} = {logsource}"
+
     def __str__(self) -> str:
-        return self._default_source.get("preset") or self._default_source.get("dataset")
+        if preset_data := self._default_source.get("preset"):
+            return self.__prepare_log_source_for_render(logsource=preset_data, model="preset")
+        if dataset_data := self._default_source.get("dataset"):
+            return self.__prepare_log_source_for_render(logsource=dataset_data, model="preset")
+        return "datamodel"
 
 
 class CortexXSIAMMappings(BasePlatformMappings):
diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
@@ -118,14 +118,4 @@ class CortexXQLQueryRender(PlatformQueryRender):
     is_single_line_comment = False
 
     def generate_prefix(self, log_source_signature: CortexXSIAMLogSourceSignature) -> str:
-        preset = (
-            f"preset = {log_source_signature._default_source.get('preset')}"
-            if log_source_signature._default_source.get("preset")
-            else None
-        )
-        dataset = (
-            f"dataset = {log_source_signature._default_source.get('dataset')}"
-            if log_source_signature._default_source.get("dataset")
-            else None
-        )
-        return preset or dataset or "datamodel"
+        return str(log_source_signature)
