From 4536c50ce66bd4b7282c919af8ec046757eb53ec Mon Sep 17 00:00:00 2001
From: spsocprime <94110440+spsocprime@users.noreply.github.com>
Date: Thu, 18 Jul 2024 09:29:25 +0300
Subject: [PATCH 1/2] new fields
---
 .../mappings/platforms/palo_alto_cortex/default.yml | 7 +++++++
 .../mappings/platforms/qradar/default.yml | 13 ++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
index ac3f8c9c..a7898dd5 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
@@ -46,6 +46,7 @@ field_mapping:
 c-uri-query: xdm.network.http.url
 QueryName: xdm.network.dns.dns_question.name
 Application: xdm.network.application_protocol
+ sourceNetwork: xdm.source.subnet
 SourceHostName: xdm.source.host.hostname
 DestinationHostname: xdm.target.host.hostname
 Hashes:
@@ -127,3 +128,9 @@ field_mapping:
 url_category: xdm.network.http.url_category
 EventSeverity: xdm.alert.severity
 duration: xdm.event.duration
+ ThreatName: xdm.alert.original_threat_id
+ AnalyzerName: xdm.observer.type
+ Classification: xdm.alert.category
+ ResultCode: xdm.event.outcome_reason
+ Technique: xdm.alert.mitre_techniques
+ Action: xdm.event.outcome
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
index 1e098a77..a0502ea7 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -19,6 +19,7 @@ field_mapping:
 src-port:
 - SourcePort
 - localport
+ - sourcePort
 src-ip:
 - sourceip
 - source_ip
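Review bot: `ThreatName: xdm.alert.original_threat_id` maps a human-readable threat name onto a field whose name says it holds an identifier, so a rule comparing a threat-name string will presumably never match there; check the XDM schema for a name-typed alert field and use that, or leave a comment on the line explaining why the ID field is intended. `Technique: xdm.alert.mitre_techniques` is plural, which suggests a multi-valued field — confirm that an equality match translated from a single Sigma `Technique` value is valid against a list-typed XDM field. This file is also left without a trailing newline (`\ No newline at end of file`); the second patch corrects that for this file but not for every file it touches.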
@@ -34,6 +35,7 @@ field_mapping:
 User:
 - userName
 - EventUserName
+ - Alert Threat Cause Actor Name
 CommandLine: Command
 Protocol:
 - IPProtocol
@@ -41,6 +43,7 @@ field_mapping:
 Application:
 - Application
 - application
+ sourceNetwork: sourceNetwork
 SourceHostName:
 - HostCount-source
 - identityHostName
@@ -78,4 +81,12 @@ field_mapping:
 Source:
 - Source
 - source
- duration: duration
\ No newline at end of file
+ duration: duration
+ ThreatName: - Threat Name - Alert Blocked Threat Category
+ AnalyzerName: Analyzer Name
+ Classification: Classification
+ ResultCode: Alert Reason Code
+ Technique: Technique
+ Action: Action
\ No newline at end of file
From 976388f75d8c14e171cd2c85b74f98c04e3f3147 Mon Sep 17 00:00:00 2001
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com>
Date: Mon, 22 Jul 2024 11:26:01 +0300
Subject: [PATCH 2/2] merge
---
 .../platforms/palo_alto_cortex/default.yml | 9 +++-
 .../palo_alto_cortex/windows_image_load.yml | 1 +
 .../mappings/platforms/qradar/default.yml | 16 ++++++-
 .../qradar/linux_process_creation.yml | 1 +
 .../mappings/platforms/qradar/proxy.yml | 13 ++++--
 .../mappings/platforms/qradar/webserver.yml | 42 +++++++++++++------
 .../platforms/qradar/windows_image_load.yml | 3 +-
 .../qradar/windows_process_creation.yml | 6 ++-
 .../platforms/qradar/windows_security.yml | 1 +
 9 files changed, 70 insertions(+), 22 deletions(-)
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
index a7898dd5..f767249b 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
@@ -14,6 +14,7 @@ field_mapping:
 ProcessName:
 - xdm.target.process.name
 - xdm.source.process.name
+ ProcessPath: xdm.target.process.executable.path
 ImageLoaded:
 - xdm.target.process.executable.filename
 - xdm.source.process.executable.filename
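Review bot: `- Alert Threat Cause Actor Name` is added as an alias of the Sigma `User` field, but a property named "threat cause actor" reads like the process or actor that raised an alert rather than an account name; if so, every translated rule that filters on `User` gains an OR-branch over a process-like property, which widens broad matches (`User|contains`, `User|endswith`) and changes the meaning of negated `User` conditions. Please confirm which log source populates this property and, if it is not an account, move it to the Sigma field it actually corresponds to. A short comment on each vendor-specific alias naming its origin (`# source: <DSM / product name>` — placeholder) would make such checks easier next time.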
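Review bot: `ThreatName` is expanded to `Alert Blocked Threat Category` alongside `Threat Name`, yet a category property will not hold a threat name, so rule values written for `ThreatName` can never match in that branch while the generated query grows; the `Classification: Classification` mapping added in the same hunk looks like the intended home for a category. Either drop the category alias from `ThreatName` or add a comment on the line explaining why the two properties are interchangeable for this log source.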
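Review bot: `ProcessPath: xdm.target.process.executable.path` covers only the target side, while the adjacent `ProcessName` entry lists both `xdm.target.process.name` and `xdm.source.process.name`; a rule on `ProcessPath` will therefore miss the initiating process that `ProcessName` rules do see. If the asymmetry is deliberate, add a comment saying so; otherwise add the source-side executable-path counterpart as a second list item to keep the two fields consistent.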
@@ -65,7 +66,7 @@ field_mapping:
 dns-query: xdm.network.dns.dns_question.name
 dns-answer: xdm.network.dns.dns_resource_record.value
 dns-record: xdm.network.dns.dns_question.name
- FileName: xdm.target.file.path
+ FileName: xdm.target.file.filename
 IpAddress: xdm.source.ipv4
 IpPort: xdm.source.port
 LogonProcessName: xdm.target.process.executable.path
@@ -133,4 +134,8 @@ field_mapping:
 Classification: xdm.alert.category
 ResultCode: xdm.event.outcome_reason
 Technique: xdm.alert.mitre_techniques
- Action: xdm.event.outcome
\ No newline at end of file
+ Action: xdm.event.outcome
+ FileExtension: xdm.target.file.extension
+ Workstation: xdm.source.host.hostname
+ RegistryKey: xdm.target.registry.key
+ RegistryValue: xdm.target.registry.value
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml
index 69a100ec..98e62b8f 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml
@@ -9,6 +9,7 @@ default_log_source:
 field_mapping:
 ImageLoaded: action_module_path
+ FileExtension: action_file_extension
 md5: action_module_md5
 sha256: action_module_sha256
 User: actor_effective_username
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
index a0502ea7..5ff97d09 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -36,6 +36,8 @@ field_mapping:
 - userName
 - EventUserName
 - Alert Threat Cause Actor Name
+ - Username
+ - Security ID
 CommandLine: Command
 Protocol:
 - IPProtocol
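Review bot: Switching `FileName` from `xdm.target.file.path` to `xdm.target.file.filename` silently changes what existing rules match: any Sigma rule whose `FileName` value carries a directory fragment (a `contains` or `endswith` pattern that includes a path separator) stops matching, because a filename field has no path component, and the commit message "merge" does not explain the switch. Please state the reason on the line or in the commit, and consider keeping the path field as a second list item so that both name-only and path-bearing rule values keep working: `FileName:` with `- xdm.target.file.filename` and `- xdm.target.file.path`.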
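Review bot: `- Security ID` under `User` aliases a property that, by its name, holds a Windows SID rather than an account name; an account-name rule value will never match in that branch, a SID-valued rule would belong to a different Sigma field, and for negated `User` conditions the extra OR-branch changes the result rather than merely widening it. If SIDs must be searchable, map them from a dedicated field, or add a comment on the line explaining why `User` should cover them for this log source.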
@@ -82,11 +84,21 @@ field_mapping:
 - Source
 - source
 duration: duration
- ThreatName:
+ ThreatName:
 - Threat Name
 - Alert Blocked Threat Category
 AnalyzerName: Analyzer Name
 Classification: Classification
 ResultCode: Alert Reason Code
 Technique: Technique
- Action: Action
\ No newline at end of file
+ Action: Action
+ Workstation: Machine Identifier
+ GroupMembership: Role Name
+ FileName: - Filename - File Name
+ RegistryKey: - Registry Key - Target Object
+ RegistryValue: RegistryValue
+ ProcessPath: Process Path
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml
index 8fddefd6..67e3db21 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml
@@ -14,6 +14,7 @@ field_mapping:
 CommandLine:
 - Command
 - ASACommand
+ - Command Arguments
 Image: Process Path
 ParentCommandLine: Parent Command
 ParentImage: Parent Process Path
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml b/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml
index 193bc79c..75ca74a3 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml
@@ -13,13 +13,16 @@ field_mapping:
 - URL
 - XForceCategoryByURL
 c-useragent: User Agent
- cs-method: HTTP Method
+ cs-method: - HTTP Method - Method
 cs-bytes: Bytes Sent
 #cs-cookie-vars: cs-cookie-vars
 c-uri-extension: URL
 c-uri-query:
 - URL
 - URL Path
+ - URL Query String
 #cs-cookie: cs-cookie
 cs-host:
 - UrlHost
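Review bot: `RegistryKey` now also expands to `Target Object`, a property that in Sysmon-style registry events usually carries the full key path with the value name appended; if the QRadar DSM keeps that format, `RegistryKey|endswith` rules on a bare key name will presumably miss in that branch, while the new `RegistryValue: RegistryValue` gets no comparable alias. Please confirm how `Target Object` is populated and either add it to `RegistryValue` as well or leave a comment on the line stating why it belongs to the key only. The `ThreatName:` replacement in this hunk is a whitespace-only change.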
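Review bot: `- Command Arguments` is added as an alias of `CommandLine`, but a property with that name presumably holds only the argument string without the executable, so rules that look for the binary inside `CommandLine` gain a branch that cannot match, and rules that only look for flags match more broadly than the Sigma author intended. The same alias is added to windows_process_creation.yml later in this patch. If the property really carries the full command line, a comment on the line saying so (`# full command line despite the name` — placeholder wording) would settle it.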
@@ -32,6 +35,10 @@ field_mapping:
 r-dns:
 - UrlHost
 - URL Host
- sc-status: HTTP Response Code
+ sc-status: - HTTP Response Code - Response Code
 #post-body: post-body
- url_category: XForceCategoryByURL
\ No newline at end of file
+ url_category: - XForceCategoryByURL - Web Category
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/webserver.yml b/uncoder-core/app/translator/mappings/platforms/qradar/webserver.yml
index 11a769f6..ad002ea6 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/webserver.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/webserver.yml
@@ -9,17 +9,33 @@ default_log_source:
 devicetype: 10
 field_mapping:
- c-uri: URL
- c-useragent: c-useragent
- cs-method: cs-method
+ c-uri: - URL - XForceCategoryByURL
+ c-useragent: User Agent
+ cs-method: - HTTP Method - Method
 cs-bytes: Bytes Sent
- cs-cookie-vars: cs-cookie-vars
- c-uri-extension: c-uri-extension
- c-uri-query: URL
- cs-cookie: cs-cookie
- cs-host: cs-host
- cs-referrer: URL Referrer
- cs-version: cs-version
- r-dns: r-dns
- sc-status: sc-status
- post-body: post-body
\ No newline at end of file
+ #cs-cookie-vars: cs-cookie-vars
+ c-uri-extension: URL
+ c-uri-query: - URL - URL Path - URL Query String
+ #cs-cookie: cs-cookie
+ cs-host: - UrlHost - URL Host - URL Domain
+ cs-referrer: - URL Referrer - Referrer URL
+ cs-version: HTTP Version
+ r-dns: - UrlHost - URL Host
+ sc-status: - HTTP Response Code - Response Code
+ #post-body: post-body
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml
index bb1189f6..79d3bd66 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml
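Review bot: proxy.yml still ends without a newline after this patch (`\ No newline at end of file` on both sides of the last line), and the same holds for webserver.yml and qradar/windows_image_load.yml below, while both default.yml files were fixed in this same commit. Please add the final newline in all three so the next edit to the last mapping does not show up as a delete-and-re-add.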
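Review bot: `cs-cookie-vars`, `cs-cookie` and `post-body` were live identity mappings and are now commented out, so any rule that references those Sigma fields loses its mapping in the webserver schema; whether the translator then falls back to the raw field name or refuses the rule, it is a behaviour change that the commit message "merge" does not explain. Please add a comment next to the disabled keys stating the reason (`# no matching QRadar property yet` — placeholder wording). The new block also duplicates proxy.yml's mapping almost line for line, which doubles maintenance; if the mapping loader supports sharing, keep the common entries in one place.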
@@ -21,4 +21,5 @@ field_mapping:
 - Signature Status
 - SignatureStatus
 OriginalFileName: OriginalFileName
- Signed: Signed
\ No newline at end of file
+ Signed: Signed
+ FileExtension: File Extension
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml
index 1886343a..fcad6da1 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml
@@ -14,15 +14,19 @@ field_mapping:
 CommandLine:
 - Command
 - Encoded Argument
+ - Command Arguments
 CurrentDirectory: CurrentDirectory
 Hashes: File Hash
 Image:
 - Process Path
 - Process Name
 - DGApplication
+ - ProcessName
 IntegrityLevel: IntegrityLevel
 ParentCommandLine: Parent Command
- ParentImage: Parent Process Path
+ ParentImage: - Parent Process Path - ParentProcessName
 ParentUser: ParentUser
 Product: Product
 User:
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
index 9ccb1fbe..2a4c9919 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
@@ -12,6 +12,7 @@ field_mapping:
 EventID:
 - Event ID
 - EventID
+ - qidEventId
 ParentImage: Parent Process Path
 AccessMask: AccessMask
 AccountName: Account Name
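Review bot: `- ProcessName` under `Image` and `- ParentProcessName` under `ParentImage` alias properties whose names suggest a bare executable name, whereas Sigma `Image`/`ParentImage` values are path-based and typically compared with a leading path separator; such rule values will presumably never match these branches, and `contains`-style values will match more broadly than on a full path. Either confirm that these properties hold full paths, or note on each line that they hold basenames so the mismatch is a documented choice rather than a surprise.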
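Review bot: `- qidEventId` is added as an alias of `EventID`, and by its name it looks like QRadar's QID-derived identifier rather than the Windows event ID; if the two number spaces differ, a numeric `EventID` rule value would match unrelated QRadar events through that branch. Please confirm what `qidEventId` holds for Windows Security events and add a comment on the line naming its origin (`# <DSM / property origin>` — placeholder).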