From fc38d6705c228da5961fd9d2491260a1e163cacd Mon Sep 17 00:00:00 2001
From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com>
Date: Thu, 27 Jun 2024 14:30:22 +0300
Subject: [PATCH] mapping update

---
 .../linux_process_creation.yml | 3 ++-
 .../mappings/platforms/qradar/default.yml | 8 ++++---
 .../mappings/platforms/qradar/firewall.yml | 3 +++
 .../qradar/linux_process_creation.yml | 7 ++++--
 .../qradar/windows_process_creation.yml | 13 ++++++++---
 .../qradar/windows_process_termination.yml | 4 +++-
 .../platforms/qradar/windows_security.yml | 23 +++++++++++++++----
 7 files changed, 46 insertions(+), 15 deletions(-)

diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml
index f1cda96d..06d225bc 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml
@@ -26,4 +26,5 @@ field_mapping:
   ParentProduct: actor_process_signature_product
   ParentCompany: actor_process_signature_vendor
   md5: action_process_image_md5
-  sha256: action_process_image_sha256
\ No newline at end of file
+  sha256: action_process_image_sha256
+  EventID: action_evtlog_event_id
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
index 08fd3391..00dcef55 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -59,7 +59,9 @@ field_mapping:
     - dst-packets
   src-bytes: src-bytes
   dst-bytes: dst-bytes
-  ExternalSeverity: External Severity
+  ExternalSeverity:
+    - External Severity
+    - Observeit Severity
   SourceMAC:
     - SourceMAC
     - MAC
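Review bot: The new `EventID: action_evtlog_event_id` line is appended without restoring a trailing newline, so the new side still carries `\ No newline at end of file`; the same holds for the new tails of qradar/linux_process_creation.yml and qradar/windows_process_creation.yml, and the second default.yml hunk newly drops the final newline while otherwise only touching whitespace on `Source:` / `- source`. Ending each of these files with a single newline keeps yamllint's new-line-at-end-of-file check green and stops every future append from rewriting the last key in the diff. The hunk does not show what event-log id a Linux process-creation record carries in this dataset, so a short comment on the purpose of the new key would help, e.g. `# EventID: Cortex event-log id for this dataset — TODO confirm`.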
@@ -73,6 +75,6 @@ field_mapping:
   SourceUserName: SourceUserName
   url_category: XForceCategoryByURL
   EventSeverity: EventSeverity
-  Source:
+  Source:
     - Source
-    - source
+    - source
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml b/uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml
index 14d7aefc..e1313d6d 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml
@@ -11,10 +11,13 @@ default_log_source:
 field_mapping:
   src-ip:
     - sourceip
+    - sourceIP
+    - SourceIP
     - SrcHost
     - LocalHost
     - Source
     - NetworkView
+    - HostName
   src-port:
     - sourceport
     - SrcPort
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml
index 80814237..8fddefd6 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml
@@ -11,9 +11,12 @@ default_log_source:
   category: 8110
 
 field_mapping:
-  CommandLine: Command
+  CommandLine:
+    - Command
+    - ASACommand
   Image: Process Path
   ParentCommandLine: Parent Command
   ParentImage: Parent Process Path
   User: username
-  LogonId: Logon ID
\ No newline at end of file
+  LogonId: Logon ID
+  EventID: ASASyslogCode
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml
index c6bff8b8..1886343a 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml
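Review bot: `src-ip` now lists `sourceip`, `sourceIP` and `SourceIP` as alternatives; if the QRadar properties these resolve to are case-insensitive (not shown here) the two new spellings are duplicates that only widen every generated `src-ip` condition, and if they are case-sensitive a comment naming which log source needs each spelling would keep the list maintainable. The same three-way spelling pattern is added to `IpAddress` and `DestAddress` in windows_security.yml and to `User` in windows_process_creation.yml. Separately, `HostName` is added under `src-ip`: if that property holds a host name rather than an address, as its name suggests, a rule value that is an IP literal will not match it and the alternative adds query width without recall — worth confirming before it ships, e.g. `- HostName  # TODO confirm this property can carry an IP; otherwise drop`.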
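Review bot: `ASACommand` (under `CommandLine`) and `ASASyslogCode` (the new `EventID`) read as Cisco ASA-specific properties, yet they are added to the Linux process-creation mapping (`category: 8110`); a rule's `EventID` is then compared against ASA syslog message codes and its `CommandLine` against firewall CLI commands, which are different value domains from a process-creation event and can produce matches or misses unrelated to the detection's intent. If the intent is to let ASA command-execution events be found by Linux process rules, a comment stating that, such as `# ASA*: Cisco ASA CLI execution events mapped into this log source — TODO confirm`, would make the cross-product mapping deliberate; otherwise these keys likely belong in the firewall mapping.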
@@ -11,13 +11,20 @@ default_log_source:
   category: 8110
 
 field_mapping:
-  CommandLine: Command
+  CommandLine:
+    - Command
+    - Encoded Argument
   CurrentDirectory: CurrentDirectory
   Hashes: File Hash
-  Image: Process Path
+  Image:
+    - Process Path
+    - Process Name
+    - DGApplication
   IntegrityLevel: IntegrityLevel
   ParentCommandLine: Parent Command
   ParentImage: Parent Process Path
   ParentUser: ParentUser
   Product: Product
-  User: username
\ No newline at end of file
+  User:
+    - username
+    - userName
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml
index 563403a4..0109186c 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml
@@ -11,6 +11,8 @@ default_log_source:
   category: 8113
 
 field_mapping:
-  Image: Process Path
+  Image:
+    - Process Path
+    - Terminated Process Name
   ProcessId: ProcessId
   # ProcessGuid: ProcessGuid
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
index 53b37952..9ccb1fbe 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
@@ -9,7 +9,9 @@ default_log_source:
   devicetype: 12
 
 field_mapping:
-  EventID: Event ID
+  EventID:
+    - Event ID
+    - EventID
   ParentImage: Parent Process Path
   AccessMask: AccessMask
   AccountName: Account Name
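Review bot: `Image` now alternates between `Process Path`, `Process Name` and `DGApplication`; Sigma's `Image` holds the full executable path, so if `Process Name` and `DGApplication` carry only a file name (not visible here), an exact or `startswith` match on a full path cannot hit those properties while `endswith`/`contains` matches will, meaning the added alternatives change recall per modifier rather than uniformly. The same path-versus-name mix is introduced for `Image` in windows_process_termination.yml via `Terminated Process Name`. A comment on each alternative stating whether it is a path or a base name would let rule authors reason about which modifiers are safe, e.g. `- Process Name  # base name only — TODO confirm`.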
@@ -22,13 +24,16 @@ field_mapping:
   ComputerName:
     - Machine Identifier
     - Hostname
+    - identityNetBiosName
   EventType: EventType
   FailureReason: FailureReason
   FileName: Filename
   GrantedAccess: GrantedAccess
   Hashes: File Hash
   HiveName: HiveName
-  IpAddress:
+  IpAddress:
+    - sourceIP
+    - SourceIP
     - sourceip
     - identityIP
   IpPort: sourceport
@@ -45,7 +50,7 @@ field_mapping:
     - Process Name
     - New Process Name
   ObjectClass: ObjectClass
-  ObjectName:
+  ObjectName:
     - Object Name
     - objectname
     - MSFileObjectName
@@ -76,6 +81,7 @@ field_mapping:
   GroupMembership:
     - GroupMembership
     - GroupName
+    - Group Name
   FilterName: FilterName
   ChangeType: ChangeType
   LayerName: LayerName
@@ -95,7 +101,9 @@ field_mapping:
   TargetServerName: TargetServerName
   NewTargetUserName: NewTargetUserName
   OperationType: OperationType
-  DestPort: destinationport
+  DestPort:
+    - destinationport
+    - DstPort
   ServiceStartType: ServiceStartType
   OldTargetUserName: OldTargetUserName
   UserPrincipalName: UserPrincipalName
@@ -104,7 +112,10 @@ field_mapping:
   DisableIntegrityChecks: DisableIntegrityChecks
   AuditSourceName: AuditSourceName
   Workstation: Machine Identifier
-  DestAddress: destinationip
+  DestAddress:
+    - destinationip
+    - DestinationIP
+    - destinationaddress
   PreAuthType: PreAuthType
   SecurityPackageName: SecurityPackageName
   SubjectLogonId: SubjectLogonId
@@ -150,6 +161,8 @@ field_mapping:
   TargetSid: TargetSid
   TargetUserName:
     - Target Username
+    - User
+    - userName
     - Target User Name
   ObjectServer: ObjectServer
   TargetUserSid: TargetUserSid
pFad - Phonifier reborn
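Review bot: `User` and `userName` are added as alternatives for `TargetUserName` in the last hunk; Windows Security events distinguish the target account from the subject (acting) account, so if QRadar's generic `User` property is populated from the subject side for some event ids (not shown here), a rule filtering on `TargetUserName` will also fire when the acting user matches, which broadens the detection beyond what the rule author wrote. If `SubjectUserName` in this file (outside the hunks) also maps to `User`, the two Sigma fields become indistinguishable in the generated query; confirm which side `User` represents and document it, e.g. `- User  # generic account property; may carry the subject rather than the target — TODO confirm`. The `IpAddress` and `DestAddress` hunks add the same three-way spelling variants raised on firewall.yml.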
