From ca238161c39bbc43d0d0d11476a1b3722e645d69 Mon Sep 17 00:00:00 2001
From: spsocprime <94110440+spsocprime@users.noreply.github.com>
Date: Wed, 19 Jun 2024 13:59:29 +0300
Subject: [PATCH] fix field SubjectAccountName
---
.../mappings/platforms/palo_alto_cortex/default.yml | 2 +-
.../platforms/palo_alto_cortex/windows_security.yml | 3 ++-
.../mappings/platforms/qradar/windows_security.yml | 6 ++++--
3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
index 81d9dcc8..f6b25023 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
@@ -77,6 +77,7 @@ field_mapping:
OldTargetUserName: xdm.target.user.username
UserPrincipalName: xdm.source.user.username
DestAddress: xdm.target.ipv4
+ SubjectAccountName: xdm.source.user.username
SubjectUserName: xdm.source.user.username
SubjectUserSid: xdm.source.user.identifier
SourceAddr: xdm.source.ipv4
@@ -117,7 +118,6 @@ field_mapping:
method: xdm.network.http.method
notice.user_agent: xdm.network.http.browser
hasIdentity: xdm.source.user.identity_type
- SubjectAccountName: xdm.source.user.username
ComputerName: xdm.source.host.hostname
ExternalSeverity: xdm.alert.severity
SourceMAC: xdm.source.host.mac_addresses
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml
index 42fe9a54..59a56f71 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml
@@ -7,7 +7,8 @@ default_log_source:
field_mapping:
EventID: action_evtlog_event_id
Provider_Name: provider_name
-
+ SubjectAccountName: actor_effective_username
+
raw_log_fields:
ParentImage: regex
AccessMask: regex
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
index 20883e94..7d01b97e 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
@@ -130,6 +130,9 @@ field_mapping:
NewValue: NewValue
Source: Source
Status: Status
+ SubjectAccountName:
+ - Subject Account Name
+ - SubjectAccountName
SubjectDomainName: SubjectDomainName
SubjectUserName: Target Username
SubjectUserSid: SubjectUserSid
@@ -171,5 +174,4 @@ field_mapping:
UserID: UserID
ParentProcessName: Parent Process Name
Service: Service
- hasIdentity: hasIdentity
- SubjectAccountName: SubjectAccountName
\ No newline at end of file
+ hasIdentity: hasIdentity
\ No newline at end of file
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy