UncoderIO
diff --git a/‎uncoder-core/app/translator/core/functions.py‎
Lines changed: 4 additions & 0 deletions b/‎uncoder-core/app/translator/core/functions.py‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎uncoder-core/app/translator/core/models/query_container.py‎
Lines changed: 1 addition & 1 deletion b/‎uncoder-core/app/translator/core/models/query_container.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎uncoder-core/app/translator/core/str_value_manager.py‎
Lines changed: 5 additions & 1 deletion b/‎uncoder-core/app/translator/core/str_value_manager.py‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎uncoder-core/app/translator/core/tokenizer.py‎
Lines changed: 1 addition & 2 deletions b/‎uncoder-core/app/translator/core/tokenizer.py‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎…or/mappings/platforms/anomali/common.yml‎ ‎…tor/mappings/platforms/anomali/proxy.yml‎uncoder-core/app/translator/mappings/platforms/anomali/common.yml renamed to uncoder-core/app/translator/mappings/platforms/anomali/proxy.yml
Lines changed: 11 additions & 1 deletion b/‎…or/mappings/platforms/anomali/common.yml‎ ‎…tor/mappings/platforms/anomali/proxy.yml‎uncoder-core/app/translator/mappings/platforms/anomali/common.yml renamed to uncoder-core/app/translator/mappings/platforms/anomali/proxy.yml
Lines changed: 11 additions & 1 deletion
diff --git a/‎uncoder-core/app/translator/mappings/platforms/anomali/webserver.yml‎
Lines changed: 41 additions & 0 deletions b/‎uncoder-core/app/translator/mappings/platforms/anomali/webserver.yml‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎uncoder-core/app/translator/mappings/platforms/elasticsearch_esql/aws_cloudtrail.yml‎
Lines changed: 41 additions & 0 deletions b/‎uncoder-core/app/translator/mappings/platforms/elasticsearch_esql/aws_cloudtrail.yml‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎uncoder-core/app/translator/mappings/platforms/falco/aws_cloudtrail.yml‎
Lines changed: 8 additions & 0 deletions b/‎uncoder-core/app/translator/mappings/platforms/falco/aws_cloudtrail.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎uncoder-core/app/translator/mappings/platforms/falco/default.yml‎
Lines changed: 6 additions & 0 deletions b/‎uncoder-core/app/translator/mappings/platforms/falco/default.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎uncoder-core/app/translator/mappings/platforms/microsoft_sentinel/windows_security.yml‎
Lines changed: 46 additions & 46 deletions b/‎uncoder-core/app/translator/mappings/platforms/microsoft_sentinel/windows_security.yml‎
Lines changed: 46 additions & 46 deletions
@@ -164,6 +164,10 @@ def order_to_render(self) -> dict[str, int]:
 
         return {}
 
+    @property
+    def supported_render_names(self) -> set[str]:
+        return set(self._renders_map)
+
 
 class PlatformFunctions:
     dir_path: str = None
 
@@ -88,7 +88,7 @@ def __init__(
         self.risk_score = risk_score
         self.type_ = type_ or ""
         self.description = description or ""
-        self.author = [v.strip() for v in author] if author else []
+        self.author = [v.strip() for v in author] if author and author != [None] else []
         self.date = date or datetime.now().date().strftime("%Y-%m-%d")
         self.output_table_fields = output_table_fields or []
         self.query_fields = query_fields or []
 
@@ -182,7 +182,11 @@ class StrValueManager:
     container_spec_symbols_map: ClassVar[dict[type[BaseSpecSymbol], str]] = CONTAINER_SPEC_SYMBOLS_MAP
 
     @staticmethod
-    def from_str_to_container(value: str) -> StrValue:
+    def from_str_to_container(
+        value: str,
+        value_type: str = ValueType.value,  # noqa: ARG004
+        escape_symbol: Optional[str] = None,  # noqa: ARG004
+    ) -> StrValue:
         return StrValue(value=value, split_value=[value])
 
     def from_re_str_to_container(self, value: str) -> StrValue:
 
@@ -162,8 +162,7 @@ def search_multi_value(
 
     def _get_field_value_match(self, query: str, operator: str, field_name: str, value_pattern: str) -> re.Match:
         field_value_pattern = self.get_field_value_pattern(operator, field_name, value_pattern)
-        field_value_regex = re.compile(field_value_pattern, re.IGNORECASE)
-        field_value_match = re.match(field_value_regex, query)
+        field_value_match = re.match(field_value_pattern, query, re.IGNORECASE)
         if field_value_match is None:
             raise TokenizerGeneralException(error=f"Value couldn't be found in query part: {query}")
 
 
@@ -1,9 +1,19 @@
 platform: Anomali
-description: Common field mapping
+source: proxy
 
 field_mapping:
   c-uri-query: url
   c-useragent: user_agent
+  c-uri: url
+  cs-method: http_method
+  cs-bytes: bytes_out
+  cs-referrer: http_referrer
+  sc-status: return_code
+
+  dns-query: query
+  dns-answer: answer
+  dns-record: record_type
+
   CommandLine: command_line
   DestinationHostname: dest
   DestinationIp: dest_ip
 
@@ -0,0 +1,41 @@
+platform: Anomali
+source: webserver
+
+field_mapping:
+  c-uri-query: url
+  c-useragent: user_agent
+  c-uri: url
+  cs-method: http_method
+  cs-bytes: bytes_out
+  cs-referrer: http_referrer
+  sc-status: return_code
+
+  dns-query: query
+  dns-answer: answer
+  dns-record: record_type
+
+  CommandLine: command_line
+  DestinationHostname: dest
+  DestinationIp: dest_ip
+  DestinationPort: dest_port
+  Details: reg_value_data
+  dst_ip: dest_ip
+  dst_port: dest_port
+  EventID: event_id
+  EventName: event_name
+  FileName: file_name
+  FilePath: file_path
+  Image: image
+  NewProcessName: image
+  OriginalFileName: original_file_name
+  ParentCommandLine: parent_command_line
+  ParentImage: parent_image
+  ParentProcessID: parent_process_id
+  Platform: platform
+  ProcessCommandLine: command_line
+  ProcessID: process_id
+  SourceImage: parent_image
+  SourcePort: src_port
+  TargetFilename: file_name
+  TargetObject: reg_key
+  UserAgent: user_agent
@@ -0,0 +1,41 @@
+platform: ElasticSearch ES|QL
+source: aws_cloudtrail
+log_source:
+  index: [logs-*]
+default_log_source:
+  index: logs-*
+field_mapping:
+  additionalEventdata: aws.cloudtrail.additional_eventdata
+  apiVersion: aws.cloudtrail.api_version
+  awsRegion: cloud.region
+  errorCode: aws.cloudtrail.error_code
+  errorMessage: aws.cloudtrail.error_message
+  eventID: event.id
+  eventName: event.action
+  eventSource: event.provider
+  eventTime: '@timestamp'
+  eventType: aws.cloudtrail.event_type
+  eventVersion: aws.cloudtrail.event_version
+  managementEvent: aws.cloudtrail.management_event
+  readOnly: aws.cloudtrail.read_only
+  requestID: aws.cloudtrail.request_id
+  requestParameters: aws.cloudtrail.request_parameters
+  resources.accountId: aws.cloudtrail.resources.account_id
+  resources.ARN: aws.cloudtrail.resources.arn
+  resources.type: aws.cloudtrail.resources.type
+  responseElements: aws.cloudtrail.response_elements
+  serviceEventDetails: aws.cloudtrail.service_event_details
+  sharedEventId: aws.cloudtrail.shared_event_id
+  sourceIPAddress: source.address
+  userAgent: user_agent
+  userIdentity.accessKeyId: aws.cloudtrail.user_identity.access_key_id
+  userIdentity.accountId: cloud.account.id
+  userIdentity.arn: aws.cloudtrail.user_identity.arn
+  userIdentity.invokedBy: aws.cloudtrail.user_identity.invoked_by
+  userIdentity.principalId: user.id
+  userIdentity.sessionContext.attributes.creationDate: aws.cloudtrail.user_identity.session_context.creation_date
+  userIdentity.sessionContext.attributes.mfaAuthenticated: aws.cloudtrail.user_identity.session_context.mfa_authenticated
+  userIdentity.sessionContext.sessionIssuer.userName: role.name
+  userIdentity.type: aws.cloudtrail.user_identity.type
+  userIdentity.userName: user.name
+  vpcEndpointId: aws.cloudtrail.vpc_endpoint_id
@@ -0,0 +1,8 @@
+platform: Falco
+source: aws_cloudtrail
+
+field_mapping:
+  eventSource: ct.src
+  eventName: ct.name
+  errorCode: ct.error
+  RequestParameters: json.value[/requestParameters]
@@ -0,0 +1,6 @@
+platform: Falco
+source: default
+
+
+field_mapping:
+  {}
@@ -14,16 +14,16 @@ field_mapping:
   AccessMask: AccessMask
   AccountName: AccountName
   AllowedToDelegateTo: AllowedToDelegateTo
-  AttributeLDAPDisplayName:
+  AttributeLDAPDisplayName: AttributeLDAPDisplayName
   AuditPolicyChanges: AuditPolicyChanges
   AuthenticationPackageName: AuthenticationPackageName
   CallingProcessName: CallingProcessName
   Channel: Channel
   ComputerName: Computer
   EventType: EventType
   FailureReason: FailureReason
-  FileName: FilePath
-  GrantedAccess:
+  FileName: FileName
+  GrantedAccess: GrantedAccess
   Hashes: FileHash
   HiveName: HiveName
   IpAddress: IpAddress
@@ -48,83 +48,83 @@ field_mapping:
   TaskContent: TaskContent
   ServiceSid: ServiceSid
   CertThumbprint: CertThumbprint
-  ClassName: duplicate
-  NotificationPackageName: ClassName
+  ClassName: ClassName
+  NotificationPackageName: NotificationPackageName
   NewSd: NewSd
   TestSigning: TestSigning
   TargetInfo: TargetInfo
-  ClientProcessId: TargetInfo
+  ClientProcessId: ClientProcessId
   ParentProcessId: ParentProcessId
   AccessList: AccessList
   GroupMembership: GroupMembership
   FilterName: FilterName
   ChangeType: ChangeType
   LayerName: LayerName
   ServiceAccount: ServiceAccount
-  AttributeValue: ServiceAccount
+  AttributeValue: AttributeValue
   SessionName: SessionName
   TaskName: TaskName
-  ObjectDN: SessionName
+  ObjectDN: ObjectDN
   TemplateContent: TemplateContent
   NewTemplateContent: NewTemplateContent
-  SourcePort: TemplateContent
+  SourcePort: SourcePort
   PasswordLastSet: PasswordLastSet
   PrivilegeList: PrivilegeList
-  DeviceDescription: PasswordLastSet
-  TargetServerName: PrivilegeList
-  NewTargetUserName: DeviceDescription
-  OperationType: TargetServerName
+  DeviceDescription: DeviceDescription
+  TargetServerName: TargetServerName
+  NewTargetUserName: NewTargetUserName
+  OperationType: OperationType
   DestPort: DestPort
-  ServiceStartType: OperationType
+  ServiceStartType: ServiceStartType
   OldTargetUserName: OldTargetUserName
-  UserPrincipalName: ServiceStartType
+  UserPrincipalName: UserPrincipalName
   Accesses: Accesses
-  DnsHostName: UserPrincipalName
-  DisableIntegrityChecks: AccessList
+  DnsHostName: DnsHostName
+  DisableIntegrityChecks: DisableIntegrityChecks
   AuditSourceName: AuditSourceName
   Workstation: Workstation
   DestAddress: DestAddress
-  PreAuthType: Workstation
+  PreAuthType: PreAuthType
   SecurityPackageName: SecurityPackageName
   SubjectLogonId: SubjectLogonId
   NewUacValue: NewUacValue
-  EnabledPrivilegeList: SubjectLogonId
-  RelativeTargetName: NewUacValue
+  EnabledPrivilegeList: EnabledPrivilegeList
+  RelativeTargetName: RelativeTargetName
   CertSerialNumber: CertSerialNumber
-  SidHistory: RelativeTargetName
+  SidHistory: SidHistory
   TargetLogonId: TargetLogonId
-  KernelDebug: SidHistory
-  CallerProcessName: TargetLogonId
+  KernelDebug: KernelDebug
+  CallerProcessName: CallerProcessName
   ProcessName: ProcessName
-  Properties: CallerProcessName
-  UserAccountControl: ProcessName
-  RegistryValue: Properties
-  SecurityID: UserAccountControl
+  Properties: Properties
+  UserAccountControl: UserAccountControl
+  RegistryValue: RegistryValue
+  SecurityID: SecurityID
   ServiceFileName: ServiceFileName
-  SecurityDescriptor: SecurityID
-  ServiceName: ServiceFileName
-  ShareName: SecurityDescriptor
-  NewValue: ServiceName
-  Source: ShareName
-  Status: NewValue
+  SecurityDescriptor: SecurityDescriptor
+  ServiceName: ServiceName
+  ShareName: ShareName
+  NewValue: NewValue
+  Source: Source
+  Status: Status
   SubjectDomainName: SubjectDomainName
-  SubjectUserName: Status
-  SubjectUserSid: SubjectDomainName
-  SourceAddr: SubjectUserName
-  SourceAddress: SubjectUserSid
+  SubjectUserName: SubjectUserName
+  SubjectUserSid: SubjectUserSid
+  SourceAddr: SourceAddr
+  SourceAddress: SourceAddress
   TargetName: TargetName
   ServicePrincipalNames: ServicePrincipalNames
-  TargetDomainName: TargetName
+  TargetDomainName: TargetDomainName
   TargetSid: TargetSid
-  TargetUserName: TargetDomainName
-  ObjectServer: TargetSid
-  TargetUserSid: TargetUserName
-  TicketEncryptionType: ObjectServer
-  TicketOptions: TargetUserSid
+  TargetUserName: TargetUserName
+  ObjectServer: ObjectServer
+  TargetUserSid: TargetUserSid
+  TicketEncryptionType: TicketEncryptionType
+  TicketOptions: TicketOptions
   WorkstationName: WorkstationName
   TransmittedServices: TransmittedServices
-  AuthenticationAlgorithm: WorkstationName
-  LayerRTID: TransmittedServices
+  AuthenticationAlgorithm: AuthenticationAlgorithm
+  LayerRTID: LayerRTID
   BSSID: BSSID
   BSSType: BSSType
   CipherAlgorithm: CipherAlgorithm
@@ -139,7 +139,7 @@ field_mapping:
   Domain: Domain
   ServiceType: ServiceType
   SourceName: SourceName
-  StartType: ServiceType
+  StartType: StartType
   UserID: UserID
   ParentProcessName: ParentProcessName
   Service: Service