From edd2c852b031f6388873a7eda79b885b475815a1 Mon Sep 17 00:00:00 2001
From: spsocprime <94110440+spsocprime@users.noreply.github.com>
Date: Mon, 22 Jul 2024 10:22:12 +0300
Subject: [PATCH] add fields

---
 .../platforms/palo_alto_cortex/default.yml | 7 ++++++-
 .../palo_alto_cortex/windows_image_load.yml | 1 +
 .../mappings/platforms/qradar/default.yml | 15 ++++++++++++++-
 .../platforms/qradar/linux_process_creation.yml | 1 +
 .../platforms/qradar/windows_image_load.yml | 3 ++-
 .../platforms/qradar/windows_process_creation.yml | 6 +++++-
 .../platforms/qradar/windows_security.yml | 1 +
 7 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
index ac3f8c9c..606317a6 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
@@ -14,6 +14,7 @@ field_mapping:
   ProcessName:
     - xdm.target.process.name
     - xdm.source.process.name
+  ProcessPath: xdm.target.process.executable.path
   ImageLoaded:
     - xdm.target.process.executable.filename
     - xdm.source.process.executable.filename
@@ -64,7 +65,7 @@ field_mapping:
   dns-query: xdm.network.dns.dns_question.name
   dns-answer: xdm.network.dns.dns_resource_record.value
   dns-record: xdm.network.dns.dns_question.name
-  FileName: xdm.target.file.path
+  FileName: xdm.target.file.filename
   IpAddress: xdm.source.ipv4
   IpPort: xdm.source.port
   LogonProcessName: xdm.target.process.executable.path
@@ -127,3 +128,7 @@ field_mapping:
   url_category: xdm.network.http.url_category
   EventSeverity: xdm.alert.severity
   duration: xdm.event.duration
+  FileExtension: xdm.target.file.extension
+  Workstation: xdm.source.host.hostname
+  RegistryKey: xdm.target.registry.key
+  RegistryValue: xdm.target.registry.value
\ No newline at end of file
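Review bot: The new `ProcessPath` key maps only to `xdm.target.process.executable.path`, while the neighbouring `ProcessName` and `ImageLoaded` keys map to both the target and source variants, so a rule on ProcessPath will not be checked against the source-side process the way its siblings are. If that asymmetry is deliberate, a comment on the line would stop someone "fixing" it later; otherwise consider `ProcessPath:` / `- xdm.target.process.executable.path` / `- xdm.source.process.executable.path`. The `field_mapping` block starts before this hunk.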
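Review bot: Remapping `FileName` from `xdm.target.file.path` to `xdm.target.file.filename` silently narrows what translated rules can match: any rule whose FileName condition carries a directory component (e.g. `contains: '\Temp\'`) can no longer fire, because a filename-only field holds no path. This file already uses lists where several candidate fields exist, so mapping to both keeps existing rules working: `FileName:` / `- xdm.target.file.filename` / `- xdm.target.file.path`. Whether path-bearing FileName values actually occur in the rule corpus this mapping serves is not visible here, so it is worth checking before the narrower mapping ships.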
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml
index 69a100ec..98e62b8f 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml
@@ -9,6 +9,7 @@ default_log_source:
 field_mapping:
   ImageLoaded: action_module_path
+  FileExtension: action_file_extension
   md5: action_module_md5
   sha256: action_module_sha256
   User: actor_effective_username
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
index 1e098a77..d0629251 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -19,6 +19,7 @@ field_mapping:
   src-port:
     - SourcePort
     - localport
+    - sourcePort
   src-ip:
     - sourceip
     - source_ip
@@ -34,6 +35,8 @@ field_mapping:
   User:
     - userName
     - EventUserName
+    - Username
+    - Security ID
   CommandLine: Command
   Protocol:
     - IPProtocol
@@ -78,4 +81,14 @@ field_mapping:
   Source:
     - Source
     - source
-  duration: duration
\ No newline at end of file
+  duration: duration
+  Workstation: Machine Identifier
+  GroupMembership: Role Name
+  FileName:
+    - Filename
+    - File Name
+  RegistryKey:
+    - Registry Key
+    - Target Object
+  RegistryValue: RegistryValue
+  ProcessPath: Process Path
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml
index 8fddefd6..67e3db21 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml
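Review bot: Adding `Security ID` under `User` folds a second identifier namespace into the same OR-list: if that QRadar property holds the account SID, as its name suggests, a rule written against an account name with `contains`/`endswith` modifiers is now also evaluated against SID strings, and a rule written against a SID is also evaluated against `userName`/`EventUserName`. That does not lose matches, but it makes the generated query harder to reason about, so a short comment such as `- Security ID  # SID, not the account name` on that entry would record the intent. `Username` next to the existing `userName` is also worth a check: if QRadar property names are case-insensitive, the new entry is redundant and only widens the query.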
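Review bot: The last hunk of qradar/default.yml rewrites `duration: duration` only because the previous revision had no trailing newline, and the new revision ends the same way (`\ No newline at end of file` after `ProcessPath: Process Path`), so the next addition will churn that line again and produce a misleading diff. Ending the file with a newline after `ProcessPath: Process Path` fixes this permanently; yamllint's `new-line-at-end-of-file` rule will flag it as-is.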
@@ -14,6 +14,7 @@ field_mapping:
   CommandLine:
     - Command
     - ASACommand
+    - Command Arguments
   Image: Process Path
   ParentCommandLine: Parent Command
   ParentImage: Parent Process Path
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml
index bb1189f6..79d3bd66 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml
@@ -21,4 +21,5 @@ field_mapping:
     - Signature Status
     - SignatureStatus
   OriginalFileName: OriginalFileName
-  Signed: Signed
\ No newline at end of file
+  Signed: Signed
+  FileExtension: File Extension
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml
index 1886343a..fcad6da1 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml
@@ -14,15 +14,19 @@ field_mapping:
   CommandLine:
     - Command
     - Encoded Argument
+    - Command Arguments
   CurrentDirectory: CurrentDirectory
   Hashes: File Hash
   Image:
     - Process Path
     - Process Name
     - DGApplication
+    - ProcessName
   IntegrityLevel: IntegrityLevel
   ParentCommandLine: Parent Command
-  ParentImage: Parent Process Path
+  ParentImage:
+    - Parent Process Path
+    - ParentProcessName
   ParentUser: ParentUser
   Product: Product
   User:
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
index 9ccb1fbe..2a4c9919 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
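Review bot: In windows_process_creation.yml, `Image` and `ParentImage` now also map to `ProcessName` / `ParentProcessName`, which by name hold a bare executable name rather than a path (the existing `Process Name` entry under `Image` has the same shape). Sigma `Image` conditions are path-based (`endswith: '\cmd.exe'`, `contains: '\Temp\'`), so those disjuncts can never match a name-only property unless the translator strips the leading separator — harmless for recall, but every generated query grows dead conditions, and an equality match on a full path is silently impossible on that field. If QRadar exposes these as basenames, either keep them out of the path-oriented keys or annotate them, e.g. `- ProcessName  # name-only; path-based Image conditions will not match here`.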
@@ -12,6 +12,7 @@ field_mapping:
   EventID:
     - Event ID
     - EventID
+    - qidEventId
   ParentImage: Parent Process Path
   AccessMask: AccessMask
   AccountName: Account Name
pFad - Phonifier reborn
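Review bot: `qidEventId` is added to `EventID` without a note on what it carries; if it is QRadar's QID-derived identifier rather than the Windows event ID, a translated condition such as `EventID = 4624` gains a numeric disjunct in an unrelated identifier space and can match events that are not logons at all — a false-positive source that is hard to spot once the rule is deployed. Please confirm against a QRadar log source that `qidEventId` holds the Windows Event ID here and record the finding on the line, e.g. `- qidEventId  # Windows event ID as surfaced by QRadar's QID mapping; verified on <version>`. The `field_mapping` block continues outside this hunk.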
