Commit 899e9e9

Merge pull request #142 from UncoderIO/gis-xql-06-13-2024
XQL mappings update
2 parents 4a92933 + e60a66d commit 899e9e9

9 files changed

+122
-4
lines changed

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_aadnoninteractiveusersigninlogs.yml

Lines changed: 1 addition & 1 deletion
@@ -13,4 +13,4 @@ field_mapping:
1313
raw_log_fields:
1414
properties.userAgent: object
1515
properties.type: object
16-
properties.authenticationProcessingDetails: object
16+
properties.authenticationProcessingDetails: list
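Review bot: the change of `properties.authenticationProcessingDetails` from `object` to `list` in raw_log_fields is not explained anywhere in the PR (the title only says "XQL mappings update"); add a short comment on that line, or a sentence in the PR description, naming the source schema that shows this field as an array, because the declared type decides how the translator renders conditions on the field, and a wrong `list` type silently changes the generated XQL for every rule that references it.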
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
platform: Palo Alto XSIAM
2+
source: azure_azureactivity
3+
4+
5+
default_log_source:
6+
dataset: msft_azure_raw
7+
8+
field_mapping:
9+
ActivityStatus: properties.activityStatus
10+
ActivityStatusValue: properties.activityStatusValue
11+
ActivitySubstatusValue: properties.activitySubstatusValue
12+
Authorization: properties.authorization
13+
Category: properties.category
14+
CategoryValue: properties.categoryValue
15+
OperationName: properties.operationName
16+
OperationNameValue: oproperties.perationNameValue
17+
ResourceId: properties.resourceId
18+
ResourceProviderValue: properties.resourceProviderValue
19+
Type: properties.type
20+
operationName: properties.operationName
21+
22+
raw_log_fields:
23+
properties.activityStatus: object
24+
properties.activityStatusValue: object
25+
properties.activitySubstatusValue: object
26+
properties.authorization: object
27+
properties.category: object
28+
properties.categoryValue: object
29+
properties.operationName: object
30+
properties.operationNameValue: object
31+
properties.resourceId: object
32+
properties.resourceProviderValue: object
33+
properties.type: object
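Review bot: the field_mapping entry `OperationNameValue: oproperties.perationNameValue` has a typo in the target and should read `OperationNameValue: properties.operationNameValue`, matching the `properties.operationNameValue: object` entry in raw_log_fields of the same file; as written, any rule that uses `OperationNameValue` is translated to a field that does not exist in the dataset and matches nothing. Separately, `OperationName` and `operationName` both map to `properties.operationName`; if that is a deliberate case-insensitivity alias, a comment saying so will stop the next reader from deleting one of them as a duplicate.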
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
platform: Palo Alto XSIAM
2+
source: azure_azuread
3+
4+
5+
default_log_source:
6+
dataset: msft_azure_raw
7+
8+
field_mapping:
9+
ActivityDisplayName: properties.activityDisplayName
10+
Category: properties.category
11+
LoggedByService: properties.loggedByService
12+
Result: properties.result
13+
OperationName: properties.operationName
14+
TargetResources: properties.targetResources
15+
AADOperationType: properties.AADOperationType
16+
InitiatedBy: properties.initiatedBy
17+
ResultReason: properties.resultReason
18+
Status: properties.status
19+
#Status.errorCode: properties.status_errorCode
20+
UserAgent: properties.userAgent
21+
22+
raw_log_fields:
23+
properties.activityDisplayName: object
24+
properties.category: object
25+
properties.loggedByService: object
26+
properties.result: object
27+
properties.operationName: object
28+
properties.targetResources: object
29+
properties.AADOperationType: object
30+
properties.initiatedBy: object
31+
properties.resultReason: object
32+
properties.status: object
33+
properties.status_errorCode: object
34+
properties.userAgent: object
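Review bot: `#Status.errorCode: properties.status_errorCode` is commented out in field_mapping, yet `properties.status_errorCode: object` is still declared in raw_log_fields, so the declared raw field has no Sigma-side name that can reach it; either enable the mapping (after confirming the mapping loader accepts the dotted `Status.errorCode` key) or drop the raw_log_fields entry, and if it is meant to stay disabled for now, add a comment saying why.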
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
platform: Palo Alto XSIAM
2+
source: azure_m365
3+
4+
5+
default_log_source:
6+
dataset: msft_azure_raw
7+
8+
field_mapping:
9+
ClientInfoString: properties.clientInfoString
10+
LogonError: properties.logonError
11+
ModifiedProperties: properties.modifiedProperties
12+
OfficeObjectId: properties.officeObjectId
13+
OfficeWorkload: properties.officeWorkload
14+
Operation: properties.operation
15+
Parameters: properties.parameters
16+
RecordType: properties.recordType
17+
ResultStatus: properties.resultStatus
18+
SourceFileExtension: properties.sourceFileExtension
19+
SourceFileName: properties.sourceFileName
20+
UserAgent: properties.userAgent
21+
22+
raw_log_fields:
23+
properties.clientInfoString: object
24+
properties.logonError: object
25+
properties.modifiedProperties: object
26+
properties.officeObjectId: object
27+
properties.officeWorkload: object
28+
properties.operation: object
29+
properties.parameters: object
30+
properties.recordType: object
31+
properties.resultStatus: object
32+
properties.sourceFileExtension: object
33+
properties.sourceFileName: object
34+
properties.userAgent: object
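Review bot: every raw field in this file is typed `object`, including `properties.modifiedProperties` and `properties.parameters`; in this same PR `properties.authenticationProcessingDetails` was changed from `object` to `list` in azure_aadnoninteractiveusersigninlogs.yml, so it is worth confirming against the M365 audit schema whether these two, which carry collections of name/value pairs, should be `list` as well, since the type controls the XQL the translator emits for them.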
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
platform: Palo Alto XSIAM
2+
source: dns
3+
4+
default_log_source:
5+
datamodel: datamodel
6+
7+
field_mapping:
8+
dns-query: xdm.network.dns.dns_question.name
9+
dns-answer: xdm.network.dns.dns_resource_record.value
10+
#dns-record: dns-record
11+
dns_query_name: xdm.network.dns.dns_question.name
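Review bot: `#dns-record: dns-record` is a commented placeholder that maps a field to itself; either replace it with the XDM field for the record type or remove it, because a self-mapping would pass the raw Sigma field name straight through into XQL if it were ever uncommented. Also, `default_log_source` here uses `datamodel: datamodel`, whereas the other new files in this PR use `dataset: msft_azure_raw`; a one-line comment noting that this mapping targets the XDM data model rather than a raw dataset would make the difference read as intentional.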

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/okta_okta.yml

Lines changed: 2 additions & 1 deletion
@@ -7,4 +7,5 @@ default_log_source:
77
dataset: okta_okta_raw
88

99
field_mapping:
10-
eventType: xdm.event.type
10+
eventType: xdm.event.type
11+
eventtype: xdm.event.type
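Review bot: adding `eventtype` as a lowercase alias of `eventType`, both mapping to `xdm.event.type`, works, but it duplicates the entry rather than fixing the lookup; if the translator's field lookup is case-sensitive, mark this as a deliberate case alias with a comment, since the same pattern (`OperationName`/`operationName`) appears in the new azure_azureactivity mapping and reviewers will otherwise read these pairs as accidental duplicates.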

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml

Lines changed: 2 additions & 0 deletions
@@ -12,3 +12,5 @@ field_mapping:
1212
c-uri-query: xdm.network.http.url
1313
cs-referrer: xdm.network.http.referrer
1414
sc-status: xdm.network.http.response_code
15+
cs-uri-stem: xdm.network.http.url
16+
cs-uri-query: xdm.network.http.url
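Review bot: `cs-uri-stem` and `cs-uri-query` are both mapped to `xdm.network.http.url`, alongside the existing `c-uri-query` mapping to the same field. The stem and the query string are each only a part of the full URL, so a Sigma condition that does an exact match on either (for example `cs-uri-stem: '/login'`) will not match the full URL value after translation, while `contains`-style modifiers still behave; either document that only substring modifiers are expected for these three fields, or map them to dedicated path and query fields if the XDM schema provides them.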

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml

Lines changed: 2 additions & 1 deletion
@@ -27,4 +27,5 @@ field_mapping:
2727
ParentIntegrityLevel: causality_actor_process_integrity_level
2828
ParentLogonId: causality_actor_process_logon_id
2929
ParentProduct: causality_actor_process_signature_product
30-
ParentCompany: causality_actor_process_signature_vendor
30+
ParentCompany: causality_actor_process_signature_vendor
31+
Signed: actor_process_signature_status #Signature status of the process: Signed = 1 SignedInvalid = 2 Unsigned = 3 FailedToObtain = 4 WeakHash = 5, where the MD5 is used as the hash algorithm. Unsupported = 6, which means the signature was not calculated. InvalidCVE2020_0601 = 7, which means the executable is malicious and is trying to exploit the windows vulnerability CVE2020-0601. Deleted = 8, which means that the file was deleted by the time the agent tried to calculate the signature.
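Review bot: the new `Signed: actor_process_signature_status` line is a plain field rename, but the inline comment itself shows the XSIAM field is a numeric enumeration (Signed = 1 through Deleted = 8), whereas Sigma's `Signed` field carries `true`/`false`; without a value mapping, a rule with `Signed: false` would be translated to `actor_process_signature_status = false`, which matches nothing. Either add the value translation (true to 1, false to the non-signed codes listed in the comment) where the translator supports it, or leave the field unmapped with a note, and move the long enumeration comment into the repository docs since it makes this one line hard to read.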

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml

Lines changed: 3 additions & 1 deletion
@@ -145,4 +145,6 @@ raw_log_fields:
145145
UserID: regex
146146
ParentProcessName: regex
147147
ExceptionCode: regex
148-
Service: regex
148+
Service: regex
149+
SamAccountName: regex
150+
ImpersonationLevel: regex
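Review bot: `SamAccountName` and `ImpersonationLevel` are added to raw_log_fields as `regex`, but this hunk shows no matching entries in field_mapping; a raw_log_fields entry alone gives a Sigma field name no destination, so confirm the field_mapping section of windows_security.yml (outside this hunk) already contains both names, and state which event IDs the regex extraction was checked against, since regex-typed fields depend on the message format of the events they are pulled from.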
