Commit fc38d67

mapping update
1 parent 95e0b6e commit fc38d67

7 files changed

+46
-15
lines changed

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,4 +26,5 @@ field_mapping:
2626
ParentProduct: actor_process_signature_product
2727
ParentCompany: actor_process_signature_vendor
2828
md5: action_process_image_md5
29-
sha256: action_process_image_sha256
29+
sha256: action_process_image_sha256
30+
EventID: action_evtlog_event_id
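Review bot: `EventID: action_evtlog_event_id` at new line 30 is added to a linux_process_creation mapping, yet the field name reads as an event-log attribute; confirm Cortex actually populates it for Linux process events, otherwise any rule carrying an EventID condition translates into a filter that can never match on Linux data. Separately, `sha256: action_process_image_sha256` at 29 is removed and re-added with identical text, which points to a whitespace or trailing-newline-only change; check that no indentation drift was introduced alongside the new key.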

uncoder-core/app/translator/mappings/platforms/qradar/default.yml

Lines changed: 5 additions & 3 deletions
@@ -59,7 +59,9 @@ field_mapping:
5959
- dst-packets
6060
src-bytes: src-bytes
6161
dst-bytes: dst-bytes
62-
ExternalSeverity: External Severity
62+
ExternalSeverity:
63+
- External Severity
64+
- Observeit Severity
6365
SourceMAC:
6466
- SourceMAC
6567
- MAC
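Review bot: `- Observeit Severity` at new line 64 needs its casing verified against the QRadar property it is meant to hit; custom event property names are matched literally in the generated AQL, the product is written ObserveIT, and a case mismatch yields a query that silently never matches. A short comment recording which DSM or log source each alias under `ExternalSeverity` comes from would also help, since the alias lists in this file are growing without any provenance.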
@@ -73,6 +75,6 @@ field_mapping:
7375
SourceUserName: SourceUserName
7476
url_category: XForceCategoryByURL
7577
EventSeverity: EventSeverity
76-
Source:
78+
Source:
7779
- Source
78-
- source
80+
- source
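Review bot: both changed lines in this hunk (`Source:` at 76/78 and `- source` at 78/80) are removed and re-added with identical text, so the change is whitespace only. Confirm the new indentation still nests `- Source` and `- source` as a list under `Source:`; an indentation shift at this spot either fails to parse or turns the list into a sibling key of `field_mapping`.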

uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml

Lines changed: 3 additions & 0 deletions
@@ -11,10 +11,13 @@ default_log_source:
1111
field_mapping:
1212
src-ip:
1313
- sourceip
14+
- sourceIP
15+
- SourceIP
1416
- SrcHost
1517
- LocalHost
1618
- Source
1719
- NetworkView
20+
- HostName
1821
src-port:
1922
- sourceport
2023
- SrcPort
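Review bot: `- HostName` at new line 20 maps a hostname property onto `src-ip`. Rules that put IP addresses or CIDR ranges in `src-ip` will then be compared against a field holding names, which at best adds dead terms to the query and at worst fails on backends that compare IP types; if hostname matching is wanted, a separate hostname-oriented field is the cleaner home. The three spellings `sourceip`, `sourceIP`, `SourceIP` at lines 13 to 15 also suggest property names are matched case-sensitively on the target; if so, a normalization step in the translator would be more robust than enumerating casings file by file.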

uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml

Lines changed: 5 additions & 2 deletions
@@ -11,9 +11,12 @@ default_log_source:
1111
category: 8110
1212

1313
field_mapping:
14-
CommandLine: Command
14+
CommandLine:
15+
- Command
16+
- ASACommand
1517
Image: Process Path
1618
ParentCommandLine: Parent Command
1719
ParentImage: Parent Process Path
1820
User: username
19-
LogonId: Logon ID
21+
LogonId: Logon ID
22+
EventID: ASASyslogCode
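Review bot: `- ASACommand` (new line 16) and `EventID: ASASyslogCode` (new line 22) are Cisco ASA properties, so a Sigma rule written for Linux process creation with `CommandLine` or `EventID` conditions will now also be translated against ASA firewall syslog fields from within this linux_process_creation mapping. If the goal is to cover ASA command events, a dedicated ASA mapping keeps the Linux schema honest; at minimum, leave a comment explaining why these belong here. Also, `LogonId: Logon ID` at 19/21 is removed and re-added unchanged, i.e. a whitespace-only edit; check the indentation.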

uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml

Lines changed: 10 additions & 3 deletions
@@ -11,13 +11,20 @@ default_log_source:
1111
category: 8110
1212

1313
field_mapping:
14-
CommandLine: Command
14+
CommandLine:
15+
- Command
16+
- Encoded Argument
1517
CurrentDirectory: CurrentDirectory
1618
Hashes: File Hash
17-
Image: Process Path
19+
Image:
20+
- Process Path
21+
- Process Name
22+
- DGApplication
1823
IntegrityLevel: IntegrityLevel
1924
ParentCommandLine: Parent Command
2025
ParentImage: Parent Process Path
2126
ParentUser: ParentUser
2227
Product: Product
23-
User: username
28+
User:
29+
- username
30+
- userName
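Review bot: `- Encoded Argument` (new line 16) under `CommandLine` means plaintext `CommandLine|contains` patterns get compared against a field that holds encoded content, so they cannot match there and only lengthen the query; and `- Process Name` (new line 20) under `Image` changes the semantics from full path to base name, so `Image|startswith` or `Image|contains: '\...\'` conditions will never match on that alias while `Image|endswith` still will. Consider whether the translator can restrict modifiers per alias, or document these aliases as best-effort. `- DGApplication` (line 22) carries no hint of its source; a comment naming the log source would help the next maintainer.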

uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml

Lines changed: 3 additions & 1 deletion
@@ -11,6 +11,8 @@ default_log_source:
1111
category: 8113
1212

1313
field_mapping:
14-
Image: Process Path
14+
Image:
15+
- Process Path
16+
- Terminated Process Name
1517
ProcessId: ProcessId
1618
# ProcessGuid: ProcessGuid
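Review bot: `- Terminated Process Name` (new line 16) is a process name, not a path, under `Image`, so path-anchored `Image` conditions (`startswith`, `contains` with directory fragments) will not match on this alias and only `endswith`-style conditions will. The existing `# ProcessGuid: ProcessGuid` context line shows unresolved fields are tracked as comments; a similar comment stating which events carry `Terminated Process Name` would be useful.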

uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml

Lines changed: 18 additions & 5 deletions
@@ -9,7 +9,9 @@ default_log_source:
99
devicetype: 12
1010

1111
field_mapping:
12-
EventID: Event ID
12+
EventID:
13+
- Event ID
14+
- EventID
1315
ParentImage: Parent Process Path
1416
AccessMask: AccessMask
1517
AccountName: Account Name
@@ -22,13 +24,16 @@ field_mapping:
2224
ComputerName:
2325
- Machine Identifier
2426
- Hostname
27+
- identityNetBiosName
2528
EventType: EventType
2629
FailureReason: FailureReason
2730
FileName: Filename
2831
GrantedAccess: GrantedAccess
2932
Hashes: File Hash
3033
HiveName: HiveName
31-
IpAddress:
34+
IpAddress:
35+
- sourceIP
36+
- SourceIP
3237
- sourceip
3338
- identityIP
3439
IpPort: sourceport
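Review bot: `IpAddress` now lists three casings of the source IP property (`sourceIP`, `SourceIP`, `sourceip`) plus `identityIP`; if the QRadar backend compares property names case-sensitively, enumerating casings per mapping file is fragile, and if it is case-insensitive two of them are redundant, so either way a single documented convention beats per-file growth. `IpAddress:` at 31/34 is removed and re-added identically, meaning the list below it changed indentation; verify the YAML still nests correctly. For `- identityNetBiosName` under `ComputerName` (new line 27), confirm it denotes the reporting computer and not the account's workstation, which this file maps separately via `Workstation: Machine Identifier`.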
@@ -45,7 +50,7 @@ field_mapping:
4550
- Process Name
4651
- New Process Name
4752
ObjectClass: ObjectClass
48-
ObjectName:
53+
ObjectName:
4954
- Object Name
5055
- objectname
5156
- MSFileObjectName
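Review bot: the only change in this hunk is `ObjectName:` at 48/53 removed and re-added with identical text, a whitespace-only edit. Make sure the editor did not convert indentation for just this key; a mixed indent under `field_mapping` is easy to miss in review and hard to spot once the file is this large.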
@@ -76,6 +81,7 @@ field_mapping:
7681
GroupMembership:
7782
- GroupMembership
7883
- GroupName
84+
- Group Name
7985
FilterName: FilterName
8086
ChangeType: ChangeType
8187
LayerName: LayerName
@@ -95,7 +101,9 @@ field_mapping:
95101
TargetServerName: TargetServerName
96102
NewTargetUserName: NewTargetUserName
97103
OperationType: OperationType
98-
DestPort: destinationport
104+
DestPort:
105+
- destinationport
106+
- DstPort
99107
ServiceStartType: ServiceStartType
100108
OldTargetUserName: OldTargetUserName
101109
UserPrincipalName: UserPrincipalName
@@ -104,7 +112,10 @@ field_mapping:
104112
DisableIntegrityChecks: DisableIntegrityChecks
105113
AuditSourceName: AuditSourceName
106114
Workstation: Machine Identifier
107-
DestAddress: destinationip
115+
DestAddress:
116+
- destinationip
117+
- DestinationIP
118+
- destinationaddress
108119
PreAuthType: PreAuthType
109120
SecurityPackageName: SecurityPackageName
110121
SubjectLogonId: SubjectLogonId
@@ -150,6 +161,8 @@ field_mapping:
150161
TargetSid: TargetSid
151162
TargetUserName:
152163
- Target Username
164+
- User
165+
- userName
153166
- Target User Name
154167
ObjectServer: ObjectServer
155168
TargetUserSid: TargetUserSid
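Review bot: `- User` and `- userName` (new lines 164 and 165) under `TargetUserName` are generic account properties, and in the windows_process_creation mapping touched by this same commit `username`/`userName` are mapped to `User`, the acting account. For logon and account-management events the target and the subject are different accounts, so a `TargetUserName` condition translated against a generic user field can match the subject instead, producing false positives or missing the intended target. Unless these properties are known to carry the target account for the events this file covers, restrict them to those cases or drop them.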
