merge

nazargesyk · nazargesyk · commit 976388f75d8c · 2024-07-22T11:26:01.000+03:00
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
@@ -14,6 +14,7 @@ field_mapping:
   ProcessName:
     - xdm.target.process.name
     - xdm.source.process.name
+  ProcessPath: xdm.target.process.executable.path
   ImageLoaded:
     - xdm.target.process.executable.filename
     - xdm.source.process.executable.filename
@@ -65,7 +66,7 @@ field_mapping:
   dns-query: xdm.network.dns.dns_question.name
   dns-answer: xdm.network.dns.dns_resource_record.value
   dns-record: xdm.network.dns.dns_question.name
-  FileName: xdm.target.file.path
+  FileName: xdm.target.file.filename
   IpAddress: xdm.source.ipv4
   IpPort: xdm.source.port
   LogonProcessName: xdm.target.process.executable.path
@@ -133,4 +134,8 @@ field_mapping:
   Classification: xdm.alert.category
   ResultCode: xdm.event.outcome_reason
   Technique: xdm.alert.mitre_techniques
-  Action: xdm.event.outcome
+  Action: xdm.event.outcome
+  FileExtension: xdm.target.file.extension
+  Workstation: xdm.source.host.hostname
+  RegistryKey: xdm.target.registry.key
+  RegistryValue: xdm.target.registry.value
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml
@@ -9,6 +9,7 @@ default_log_source:
 
 field_mapping:
   ImageLoaded: action_module_path
+  FileExtension: action_file_extension
   md5: action_module_md5
   sha256: action_module_sha256
   User: actor_effective_username
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -36,6 +36,8 @@ field_mapping:
     - userName
     - EventUserName
     - Alert Threat Cause Actor Name
+    - Username
+    - Security ID
   CommandLine: Command
   Protocol: 
     - IPProtocol
@@ -82,11 +84,21 @@ field_mapping:
     - Source
     - source
   duration: duration
-  ThreatName: 
+  ThreatName:
     - Threat Name
     - Alert Blocked Threat Category
   AnalyzerName: Analyzer Name
   Classification: Classification
   ResultCode: Alert Reason Code
   Technique: Technique
-  Action: Action
+  Action: Action
+  Workstation: Machine Identifier
+  GroupMembership: Role Name
+  FileName: 
+    - Filename
+    - File Name
+  RegistryKey: 
+    - Registry Key
+    - Target Object
+  RegistryValue: RegistryValue
+  ProcessPath: Process Path
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml
@@ -14,6 +14,7 @@ field_mapping:
   CommandLine:
     - Command
     - ASACommand
+    - Command Arguments
   Image: Process Path
   ParentCommandLine: Parent Command
   ParentImage: Parent Process Path
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml b/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml
@@ -13,13 +13,16 @@ field_mapping:
     - URL
     - XForceCategoryByURL
   c-useragent: User Agent
-  cs-method: HTTP Method
+  cs-method: 
+    - HTTP Method
+    - Method
   cs-bytes: Bytes Sent
   #cs-cookie-vars: cs-cookie-vars
   c-uri-extension: URL
   c-uri-query:
     - URL
     - URL Path
+    - URL Query String
   #cs-cookie: cs-cookie
   cs-host:
     - UrlHost
@@ -32,6 +35,10 @@ field_mapping:
   r-dns:
     - UrlHost
     - URL Host
-  sc-status: HTTP Response Code
+  sc-status: 
+    - HTTP Response Code
+    - Response Code
   #post-body: post-body
-  url_category: XForceCategoryByURL
+  url_category: 
+    - XForceCategoryByURL
+    - Web Category
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/webserver.yml b/uncoder-core/app/translator/mappings/platforms/qradar/webserver.yml
@@ -9,17 +9,33 @@ default_log_source:
   devicetype: 10
 
 field_mapping:
-  c-uri: URL
-  c-useragent: c-useragent
-  cs-method: cs-method
+  c-uri:
+    - URL
+    - XForceCategoryByURL
+  c-useragent: User Agent
+  cs-method: 
+    - HTTP Method
+    - Method
   cs-bytes: Bytes Sent
-  cs-cookie-vars: cs-cookie-vars
-  c-uri-extension: c-uri-extension
-  c-uri-query: URL
-  cs-cookie: cs-cookie
-  cs-host: cs-host
-  cs-referrer: URL Referrer
-  cs-version: cs-version
-  r-dns: r-dns
-  sc-status: sc-status
-  post-body: post-body
+  #cs-cookie-vars: cs-cookie-vars
+  c-uri-extension: URL
+  c-uri-query:
+    - URL
+    - URL Path
+    - URL Query String
+  #cs-cookie: cs-cookie
+  cs-host: 
+    - UrlHost
+    - URL Host
+    - URL Domain
+  cs-referrer: 
+    - URL Referrer
+    - Referrer URL
+  cs-version: HTTP Version
+  r-dns: 
+    - UrlHost
+    - URL Host
+  sc-status: 
+    - HTTP Response Code
+    - Response Code
+  #post-body: post-body
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml
@@ -21,4 +21,5 @@ field_mapping:
     - Signature Status
     - SignatureStatus
   OriginalFileName: OriginalFileName
-  Signed: Signed
+  Signed: Signed
+  FileExtension: File Extension
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml
@@ -14,15 +14,19 @@ field_mapping:
   CommandLine:
     - Command
     - Encoded Argument
+    - Command Arguments
   CurrentDirectory: CurrentDirectory
   Hashes: File Hash
   Image:
     - Process Path
     - Process Name
     - DGApplication
+    - ProcessName
   IntegrityLevel: IntegrityLevel
   ParentCommandLine: Parent Command
-  ParentImage: Parent Process Path
+  ParentImage: 
+    - Parent Process Path
+    - ParentProcessName
   ParentUser: ParentUser
   Product: Product
   User:
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
@@ -12,6 +12,7 @@ field_mapping:
   EventID:
     - Event ID
     - EventID
+    - qidEventId
   ParentImage: Parent Process Path
   AccessMask: AccessMask
   AccountName: Account Name
