
Commit 99cfbba

committed
gis-8825 added Sentinel One Power Query mappings
1 parent e55a7df commit 99cfbba

9 files changed: 96 additions and 0 deletions
Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
platform: Sentinel One Power Query
2+
source: default
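Review bot: the `default` mapping (lines 1-2) carries no `field_mapping` block, so rule fields that no log-source-specific mapping on this commit covers presumably pass through with their Sigma names unchanged. If that is intended, a one-line comment saying so would help; if not, the process fields that every other mapping file here repeats (`Image: src.process.image.path`, `CommandLine: src.process.cmdline`, `ParentImage`, `ParentCommandLine`) belong in this default so the per-source files only carry their deltas.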
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
platform: Sentinel One Power Query
2+
source: dns
3+
4+
field_mapping:
5+
Image: src.process.image.path
6+
CommandLine: src.process.cmdline
7+
ParentImage: src.process.parent.image.path
8+
ParentCommandLine: src.process.parent.cmdline
9+
query: event.dns.request
10+
answer: event.dns.response
11+
QueryName: event.dns.request
12+
record_type: event.dns.response
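Review bot: `record_type: event.dns.response` (line 12) points the DNS record type at the same field already used for `answer` (line 10), so a rule selecting on `record_type` (for example a TXT-record condition) would be matched against the response payload instead and never fire. If Power Query exposes no record-type field, drop the key rather than alias it; a mapping that exists but matches nothing is harder to debug than a missing one. `query` and `QueryName` both mapping to `event.dns.request` (lines 9 and 11) is fine as a pair of aliases.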
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
platform: Sentinel One Power Query
2+
source: linux_file_event
3+
4+
field_mapping:
5+
Image: src.process.image.path
6+
CommandLine: src.process.cmdline
7+
ParentImage: src.process.parent.image.path
8+
ParentCommandLine: src.process.parent.cmdline
9+
TargetFilename: tgt.file.path
10+
SourceFilename: tgt.file.oldPath
11+
User: src.process.use
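Review bot: `User: src.process.use` on line 11 looks like a typo for `src.process.user`, which is the spelling the network-connection mapping in this same commit uses. As written, any file-event rule with a `User` selection translates to a field that does not exist and silently matches nothing.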
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
platform: Sentinel One Power Query
2+
source: windows_image_load
3+
4+
field_mapping:
5+
Image: Image
6+
ImageLoaded: ImageLoaded
7+
SignatureStatus: SignatureStatus
8+
OriginalFileName: OriginalFileName
9+
Signed: Signed
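Review bot: every entry in this mapping is an identity (`Image: Image`, `ImageLoaded: ImageLoaded`, `SignatureStatus: SignatureStatus`, `OriginalFileName: OriginalFileName`, `Signed: Signed`), so the Sysmon event 7 field names are emitted unchanged instead of being translated to the dotted schema the other files use (`Image: src.process.image.path`, for instance). Either fill in the Power Query module-load fields, or leave this source out of the commit so that image-load rules fail loudly rather than produce queries that never match on the platform.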
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
platform: Sentinel One Power Query
2+
source: windows_network_connection
3+
4+
field_mapping:
5+
Image: src.process.image.path
6+
CommandLine: src.process.cmdline
7+
ParentImage: src.process.parent.image.path
8+
ParentCommandLine: src.process.parent.cmdline
9+
DestinationHostname:
10+
- url.address
11+
- event.dns.request
12+
DestinationPort: dst.port.number
13+
DestinationIp: dst.ip.address
14+
User: src.process.user
15+
SourceIp: src.ip.address
16+
SourcePort: src.port.number
17+
Protocol: NetProtocolName
18+
dst_ip: dst.ip.address
19+
src_ip: src.ip.address
20+
dst_port: dst.port.number
21+
src_port: src.port.number
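Review bot: `Protocol: NetProtocolName` (line 17) is the one target in this file that does not follow the dotted `src.*`/`dst.*`/`url.*` naming of every other value; it reads like a field from a different query dialect, so please verify it against the Power Query schema or drop it. Separately, `DestinationHostname` maps to both `url.address` and `event.dns.request` (lines 9-11); the latter is the DNS-event field used in the dns mapping, so a hostname-based network-connection rule will also fire on DNS lookups. That may be deliberate for coverage, but it deserves a comment because it changes what "network connection" means for rule authors.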
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
platform: Sentinel One Power Query
2+
source: windows_pipe_created
3+
4+
field_mapping:
5+
PipeName: namedPipe.name
6+
Image: src.process.image.path
7+
CommandLine: src.process.cmdline
8+
ParentImage: src.process.parent.image.path
9+
ParentCommandLine: src.process.parent.cmdline
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
platform: Sentinel One Power Query
2+
source: windows_process_creation
3+
4+
field_mapping:
5+
ProcessId: tgt.process.pid
6+
Image: tgt.process.image.path
7+
Description: tgt.process.displayName
8+
Publisher: tgt.process.publisher
9+
Product: tgt.process.displayName
10+
Company: tgt.process.publisher
11+
CommandLine: tgt.process.cmdline
12+
CurrentDirectory: tgt.process.image.path
13+
User: tgt.process.user
14+
TerminalSessionId: tgt.process.sessionid
15+
IntegrityLevel: tgt.process.integrityLevel
16+
md5: tgt.process.image.md5
17+
sha1: tgt.process.image.sha1
18+
sha256: tgt.process.image.sha256
19+
ParentProcessId: src.process.pid
20+
ParentImage: src.process.image.path
21+
ParentCommandLine: src.process.cmdline
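Review bot: `CurrentDirectory: tgt.process.image.path` (line 12) maps the working directory onto the executable path, so a rule such as `CurrentDirectory|contains` on a temp folder would be evaluated against the image path and yield wrong matches; if Power Query has no working-directory field, omit the key. The same concern, less severely, applies to `Product: tgt.process.displayName` and `Company: tgt.process.publisher` (lines 9-10), which duplicate `Description` and `Publisher` (lines 7-8); a comment marking them as approximations would save the next reader a trip to the schema. Note also that this file takes the parent from `src.process.*` (lines 19-21) while every other mapping in the commit uses `src.process.parent.*`; that is consistent with the child being `tgt` in a process-creation event, but the difference is easy to get wrong on the next edit and is worth a comment.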
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
platform: Sentinel One Power Query
2+
source: windows_registry_event
3+
4+
field_mapping:
5+
Image: src.process.image.path
6+
CommandLine: src.process.cmdline
7+
ParentImage: src.process.parent.image.path
8+
ParentCommandLine: src.process.parent.cmdline
9+
TargetObject: registry.keyPath
10+
Details: registry.value
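Review bot: please confirm whether `registry.keyPath` (line 9, mapped from `TargetObject`) includes the value name. Sysmon's `TargetObject` does, and a large share of registry rules key off the value-name suffix (Run keys, IFEO debuggers and the like), so if `keyPath` is the key alone those rules will miss once translated. There is also no mapping for Sysmon's `EventType` (SetValue, CreateKey, ...), so rules that restrict on it will either pass the Sigma name through or be dropped depending on how the default mapping is applied.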

uncoder-core/app/translator/platforms/sentinel_one/const.py

Lines changed: 1 addition & 0 deletions
@@ -18,3 +18,4 @@
1818
}
1919

2020
sentinel_one_events_query_details = PlatformDetails(**SENTINEL_ONE_EVENTS_QUERY_DETAILS)
21+
sentinel_one_power_query_details = PlatformDetails(**SENTINEL_ONE_POWER_QUERY_DETAILS)
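Review bot: this hunk adds only `sentinel_one_power_query_details = PlatformDetails(**SENTINEL_ONE_POWER_QUERY_DETAILS)`; the `SENTINEL_ONE_POWER_QUERY_DETAILS` dict it unpacks is not added anywhere in this commit, and the visible context (the closing `}` at line 18 and the existing `sentinel_one_events_query_details` line) does not show it. Unless it already exists in this module, importing `const.py` raises `NameError` at load time and takes the Events Query platform down with it. Please point at where the dict is defined, and make sure its name value matches the `platform: Sentinel One Power Query` string used in every mapping file above, since that string is what ties the mappings to this platform.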
