Merge pull request #162 from UncoderIO/gis-7956

Gis 7956

Author: tarnopolskyi

uncoder-core/app/translator/core/models/field.py

@@ -60,6 +60,11 @@ def value(self) -> Union[int, str, StrValue, list[Union[int, str, StrValue]]]:
             return self.values[0]
         return self.values
 
+    @value.setter
+    def value(self, new_value: Union[int, str, StrValue, list[Union[int, str, StrValue]]]) -> None:
+        self.values = []
+        self.__add_value(new_value)
+
     def __add_value(self, value: Optional[Union[int, str, StrValue, list, tuple]]) -> None:
         if value and isinstance(value, (list, tuple)):
             for v in value:

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_registry_event.yml

@@ -28,4 +28,5 @@ field_mapping:
   ParentIntegrityLevel: causality_actor_process_integrity_level
   ParentLogonId: causality_actor_process_logon_id
   ParentProduct: causality_actor_process_signature_product
-  ParentCompany: causality_actor_process_signature_vendor
+  ParentCompany: causality_actor_process_signature_vendor
+  EventType: event_sub_type

uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py

@@ -21,6 +21,9 @@
 
 from app.translator.const import DEFAULT_VALUE_TYPE
 from app.translator.core.custom_types.values import ValueType
+from app.translator.core.mapping import SourceMapping
+from app.translator.core.models.field import FieldValue, Keyword
+from app.translator.core.models.identifier import Identifier
 from app.translator.core.models.platform_details import PlatformDetails
 from app.translator.core.render import BaseQueryFieldValue, PlatformQueryRender
 from app.translator.core.str_value_manager import StrValue
@@ -34,6 +37,16 @@
 )
 from app.translator.platforms.palo_alto.str_value_manager import cortex_xql_str_value_manager
 
+SOURCE_MAPPING_TO_FIELD_VALUE_MAP = {
+    "windows_registry_event": {
+        "EventType": {
+            "SetValue": "REGISTRY_SET_VALUE",
+            "DeleteValue": "REGISTRY_DELETE_VALUE",
+            "CreateKey": "REGISTRY_CREATE_KEY",
+        }
+    }
+}
+
 
 class CortexXQLFieldValue(BaseQueryFieldValue):
     details: PlatformDetails = cortex_xql_query_details
@@ -173,6 +186,19 @@ def generate_prefix(self, log_source_signature: CortexXQLLogSourceSignature, fun
         functions_prefix = f"{functions_prefix} | " if functions_prefix else ""
         return f"{functions_prefix}{log_source_signature}"
 
+    def apply_token(self, token: Union[FieldValue, Keyword, Identifier], source_mapping: SourceMapping) -> str:
+        if isinstance(token, FieldValue):
+            field_name = token.field.source_name
+            if values_map := SOURCE_MAPPING_TO_FIELD_VALUE_MAP.get(source_mapping.source_id, {}).get(field_name):
+                values_to_update = []
+                for token_value in token.values:
+                    mapped_value: str = values_map.get(token_value, token_value)
+                    values_to_update.append(
+                        StrValue(value=mapped_value, split_value=mapped_value.split()) if mapped_value else token_value
+                    )
+                token.value = values_to_update
+        return super().apply_token(token=token, source_mapping=source_mapping)
+
     @staticmethod
     def _finalize_search_query(query: str) -> str:
         return f"| filter {query}" if query else ""