Gis add anomali mappings1612 #225

Merged
merged 3 commits into from
Dec 17, 2024
@@ -0,0 +1,18 @@
platform: Anomali
source: windows_image_load


log_source:
product: [windows]
category: [image_load]

default_log_source:
product: windows
category: image_load

field_mapping:
Image: image
#ImageLoaded: ImageLoaded
#SignatureStatus: SignatureStatus
OriginalFileName: original_file_name
#Signed: Signed
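Review bot: `#ImageLoaded: ImageLoaded` (together with `#Signed` and `#SignatureStatus`) is left commented out in this first file, yet `ImageLoaded` is the field nearly every image_load detection selects on; with only `Image` and `OriginalFileName` mapped, a rule that matches on the loaded DLL path has no target field and cannot be translated. If Anomali exposes the loaded module under some field, map it here; if it does not, say so in the commit message so the reduced image_load coverage is a documented decision rather than an accident.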
@@ -0,0 +1,20 @@
platform: Anomali
source: windows_network_connection


log_source:
product: [windows]
category: [network_connection]

default_log_source:
product: windows
category: network_connection

field_mapping:
Image: image
DestinationHostname: dest
DestinationIp: dest_ip
DestinationPort: dest_port
SourceIp: src_ip
SourcePort: src_port
#Initiated: Initiated
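Review bot: `#Initiated: Initiated` stays commented in the network_connection file, and since `Initiated` is what rules use to restrict a match to outbound connections, every rule that references it will fail against this mapping. Either map it to the corresponding Anomali field or confirm that dropping those rules is the intended behaviour for this backend. Minor layout point: this file has two blank lines after `source:` while the registry_event file below has one; pick one layout for the whole set.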
@@ -0,0 +1,16 @@
platform: Anomali
source: windows_pipe_created


log_source:
product: [windows]
category: [pipe_created]

default_log_source:
product: windows
category: pipe_created

field_mapping:
EventID: event_id
#PipeName: PipeName
Image: image
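Review bot: `#PipeName: PipeName` is the defining field of a pipe_created event, so leaving it commented while mapping only `EventID` and `Image` makes this file effectively inert: a pipe rule that does not name the pipe is rare. Map `PipeName` if an Anomali field exists for it, otherwise document the gap alongside the other placeholder sources in this PR.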
@@ -0,0 +1,24 @@

platform: Anomali
source: windows_process_access


log_source:
product: [windows]
category: [process_access]

default_log_source:
product: windows
category: process_access

field_mapping:
#SourceProcessGUID: SourceProcessGUID
#SourceProcessId: SourceProcessId
#SourceThreadId: SourceThreadId
#ourceImage: SourceImage
#TargetProcessGUID: TargetProcessGUID
#TargerProcessId: TargerProcessId
#TargetImage: TargetImage
#GrantedAccess: GrantedAccess
#CallTrace: CallTrace
User: user
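Review bot: two of the commented keys in the process_access file are misspelled and will be wrong the moment someone uncomments them: `#ourceImage: SourceImage` is missing the leading `S`, and `#TargerProcessId: TargerProcessId` misspells Target on both sides; they should read `SourceImage: ...` and `TargetProcessId: ...`. Beyond the typos, `User` is the only live mapping, while `SourceImage`, `TargetImage`, `GrantedAccess` and `CallTrace` are the fields that carry the actual detection logic for process-access events, so this file currently translates almost nothing. Also, this file is the only one that opens with a blank line before `platform:`; drop it for consistency with the others.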
@@ -0,0 +1,23 @@
platform: Anomali
source: windows_process_creation


log_source:
product: [windows]
category: [process_creation]

default_log_source:
product: windows
category: process_creation

field_mapping:
CommandLine: command_line
#CurrentDirectory: CurrentDirectory
Hashes: file_hash
Image: image
#IntegrityLevel: IntegrityLevel
ParentCommandLine: parent_command_line
ParentImage: parent_image
#ParentUser: ParentUser
#Product: Product
User: user
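Review bot: the process_creation file has no `ProcessId`, `ParentProcessId` or `OriginalFileName` entries, although the registry_event and sysmon files in this same PR map those to `process_id`, `parent_process_id` and `original_file_name`. Since the Anomali fields evidently exist, add the same three lines here so that a process-creation rule and a registry rule referring to the same field translate the same way.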
@@ -0,0 +1,31 @@
platform: Anomali
source: windows_registry_event

log_source:
product: [windows]
category: [registry_event, registry_set, registry_delete, registry_add]

default_log_source:
product: windows
category: registry_event

field_mapping:
TargetObject: reg_key
Image: image
Details: reg_value_data
EventType: event_name
CommandLine: command_line
#LogonId: LogonId
#Product: Product
#Company: Company
#IntegrityLevel: IntegrityLevel
#CurrentDirectory: CurrentDirectory
ProcessId: process_id
ParentProcessId: parent_process_id
ParentCommandLine: parent_command_line
ParentImage: parent_image
#ParentUser: ParentUser
#ParentIntegrityLevel: ParentIntegrityLevel
#ParentLogonId: ParentLogonId
#ParentProduct: ParentProduct
#ParentCompany: ParentCompany
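Review bot: `TargetObject: reg_key` needs a check of the Anomali field semantics: Sysmon's `TargetObject` is the full registry path including the value name, so if `reg_key` holds only the key and the value name lives in a separate field, rules that match on the value-name suffix of `TargetObject` will not match after translation. Confirm what `reg_key` contains, and if a value-name field exists, consider whether the mapping should account for it. Separately, `ProcessId: process_id` here uses Sysmon's spelling, while the sysmon file below writes `ProcessID: process_id`; the two files should agree on the key.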
@@ -0,0 +1,147 @@
platform: Anomali
source: windows_security


log_source:
product: [windows]
service: [security]

default_log_source:
product: windows
service: security

field_mapping:
EventID: event_id
ParentImage: parent_image
#AccessMask: AccessMask
AccountName: user
#AllowedToDelegateTo: AllowedToDelegateTo
#AttributeLDAPDisplayName: AttributeLDAPDisplayName
#AuditPolicyChanges: AuditPolicyChanges
#AuthenticationPackageName: AuthenticationPackageName
#CallingProcessName: CallingProcessName
#Channel: Channel
#ComputerName: ComputerName
#EventType: EventType
#FailureReason: FailureReason
#FileName: FileName
#GrantedAccess: GrantedAccess
#Hashes: Hashes
#HiveName: HiveName
#IpAddress: IpAddress
#IpPort: IpPort
#KeyLength: KeyLength
#LogonProcessName: LogonProcessName
#LogonType: LogonType
#LinkName: LinkName
#MemberName: MemberName
#MemberSid: MemberSid
#NewProcessName: NewProcessName
#ObjectClass: ObjectClass
#ObjectType: ObjectType
#ObjectValueName: ObjectValueName
#Path: Path
#CommandLine: CommandLine
#OldUacValue: OldUacValue
#CertIssuerName: CertIssuerName
#SubStatus: SubStatus
#DisplayName: DisplayName
#TaskContent: TaskContent
#ServiceSid: ServiceSid
#CertThumbprint: CertThumbprint
#ObjectName: ObjectName
#ClassName: ClassName
#NotificationPackageName: NotificationPackageName
#NewSd: NewSd
#TestSigning: TestSigning
#TargetInfo: TargetInfo
#ParentProcessId: ParentProcessId
#AccessList: AccessList
#GroupMembership: GroupMembership
#FilterName: FilterName
#ChangeType: ChangeType
#LayerName: LayerName
#ServiceAccount: ServiceAccount
#ClientProcessId: ClientProcessId
#AttributeValue: AttributeValue
#SessionName: SessionName
#TaskName: TaskName
#ObjectDN: ObjectDN
#TemplateContent: TemplateContent
#NewTemplateContent: NewTemplateContent
#SourcePort: SourcePort
#PasswordLastSet: PasswordLastSet
#PrivilegeList: PrivilegeList
#DeviceDescription: DeviceDescription
#TargetServerName: TargetServerName
#NewTargetUserName: NewTargetUserName
#OperationType: OperationType
#DestPort: DestPort
#ServiceStartType: ServiceStartType
#OldTargetUserName: OldTargetUserName
#UserPrincipalName: UserPrincipalName
#Accesses: Accesses
#DnsHostName: DnsHostName
#DisableIntegrityChecks: DisableIntegrityChecks
#AuditSourceName: AuditSourceName
#Workstation: Workstation
#DestAddress: DestAddress
#PreAuthType: PreAuthType
#SecurityPackageName: SecurityPackageName
#SubjectLogonId: SubjectLogonId
#NewUacValue: NewUacValue
#EnabledPrivilegeList: EnabledPrivilegeList
#RelativeTargetName: RelativeTargetName
#CertSerialNumber: CertSerialNumber
#SidHistory: SidHistory
#TargetLogonId: TargetLogonId
#KernelDebug: KernelDebug
#CallerProcessName: CallerProcessName
#Properties: Properties
#UserAccountControl: UserAccountControl
#RegistryValue: RegistryValue
#SecurityID: SecurityID
#ServiceFileName: ServiceFileName
#SecurityDescriptor: SecurityDescriptor
#ServiceName: ServiceName
#ShareName: ShareName
#NewValue: NewValue
#Source: Source
#Status: Status
#SubjectDomainName: SubjectDomainName
#SubjectUserName: SubjectUserName
#SubjectUserSid: SubjectUserSid
#SourceAddr: SourceAddr
#SourceAddress: SourceAddress
#TargetName: TargetName
#ServicePrincipalNames: ServicePrincipalNames
#TargetDomainName: TargetDomainName
#TargetSid: TargetSid
#TargetUserName: TargetUserName
#ObjectServer: ObjectServer
#TargetUserSid: TargetUserSid
#TicketEncryptionType: TicketEncryptionType
#TicketOptions: TicketOptions
#WorkstationName: WorkstationName
#TransmittedServices: TransmittedServices
#AuthenticationAlgorithm: AuthenticationAlgorithm
#LayerRTID: LayerRTID
#BSSID: BSSID
#BSSType: BSSType
#CipherAlgorithm: CipherAlgorithm
#ConnectionId: ConnectionId
#ConnectionMode: ConnectionMode
#InterfaceDescription: InterfaceDescription
#InterfaceGuid: InterfaceGuid
#OnexEnabled: OnexEnabled
#PHYType: PHYType
#ProfileName: ProfileName
#SSID: SSID
#Domain: Domain
#ServiceType: ServiceType
#SourceName: SourceName
#StartType: StartType
#UserID: UserID
#ParentProcessName: ParentProcessName
#Service: Service
#ProcessName: ProcessName
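Review bot: the windows_security mapping has only three live entries (`EventID`, `ParentImage`, `AccountName`), and `ParentImage` is a Sysmon field name that does not occur in Security-channel events; the 4688 process-creation event carries `ParentProcessName`, `NewProcessName` and `CommandLine`, all of which are commented out here. As written, `ParentImage: parent_image` will never be exercised by a security rule while the fields those rules actually use stay unmapped; the same applies to `SubjectUserName`/`TargetUserName`, `LogonType` and `IpAddress`, which the bulk of security-channel logic depends on. Either map those to their Anomali counterparts or state in the PR description that the security source is a placeholder with EventID-only coverage.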
@@ -0,0 +1,63 @@
platform: Anomali
source: windows_sysmon


log_source:
product: [windows]
service: [sysmon]

default_log_source:
product: windows
service: sysmon

field_mapping:
CommandLine: command_line
Image: image
ParentImage: parent_image
EventID: event_id
#CallTrace: CallTrace
#Company: Company
#CurrentDirectory: CurrentDirectory
#Description: Description
DestinationHostname: dest
DestinationIp: dest_ip
#DestinationIsIpv6: DestinationIsIpv6
DestinationPort: dest_port
#DestinationPortName: DestinationPortName
Hashes: file_hash
#Initiated: Initiated
#IntegrityLevel: IntegrityLevel
ParentCommandLine: parent_command_line
#Product: Product
#Protocol: Protocol
#RuleName: RuleName
SourceHostname: src
SourceIp: src_ip
#SourceIsIpv6: SourceIsIpv6
SourcePort: src_port
#SourcePortName: SourcePortName
TargetFilename: file_name
User: user
OriginalFileName: original_file_name
#Signed: Signed
#Signature: Signature
#SignatureStatus: SignatureStatus
TargetObject: reg_key
Details: reg_value_data
QueryName: query
QueryResults: record_type
#QueryStatus: QueryStatus
#IsExecutable: IsExecutable
#PipeName: PipeName
#ImageLoaded: ImageLoaded
#ImagePath: ImagePath
#Imphash: Imphash
#SourceImage: SourceImage
#StartModule: StartModule
#TargetImage: TargetImage
Device: dvc_name
ProcessID: process_id
#FileVersion: FileVersion
#StartAddress: StartAddress
#StartFunction: StartFunction
EventType: event_name
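Review bot: `QueryResults: record_type` in the sysmon file looks semantically off: in Sysmon event 22, `QueryResults` carries the resolved answers (the returned addresses and CNAME data, prefixed with the record type), not the record type alone, so a rule that matches on a resolved IP or CNAME would be translated against a field that cannot contain it. Check whether Anomali has an answer/result field and map to that, or document why `record_type` is the intended target. Also, `ProcessID: process_id` uses a capital `D`, while Sysmon's schema and the registry_event file in this PR spell it `ProcessId`; if key lookup is case-sensitive the sysmon mapping will never match the field name rules actually use, so align it with `ProcessId`.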
@@ -0,0 +1,27 @@
platform: Anomali
source: windows_system


log_source:
product: [windows]
service: [system]

default_log_source:
product: windows
service: system

field_mapping:
EventID: event_id
#AccountName: AccountName
#ImagePath: ImagePath
#ServiceName: ServiceName
#ServiceType: ServiceType
#StartType: StartType
#Provider_Name: Provider_Name
#Origin: Origin
#HiveName: HiveName
#Caption: Caption
#param1: param1
#param2: param2
#Channel: Channel
#DeviceName: DeviceName
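Review bot: the windows_system file maps `EventID` only; `ServiceName`, `ImagePath`, `ServiceType`, `StartType` and `Provider_Name` remain commented, and those are the fields that service-installation and driver-load detections on the System channel select on. With this mapping such rules reduce to an event-ID match, which is both noisier and weaker than the original logic. Map the fields if Anomali has them, otherwise note the limitation in the commit message.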