From a821bdb4cbf2952c4ee867d2ed4f9f35cbab46b0 Mon Sep 17 00:00:00 2001
From: Viktor Hrebeniuk <76157115+saltar-ua@users.noreply.github.com>
Date: Mon, 10 Jun 2024 12:10:29 +0300
Subject: [PATCH] Add XQL mappings

---
 .../platforms/palo_alto_cortex/webserver.yml | 2 +-
 .../palo_alto_cortex/windows_pipe_created.yml | 12 ++++++++++
 .../windows_process_access.yml | 19 +++++++++++++++
 .../palo_alto_cortex/windows_sysmon.yml | 2 +-
 .../sigma/windows_process_access.yml | 24 +++++++++++++++++++
 5 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_pipe_created.yml
 create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_access.yml
 create mode 100644 uncoder-core/app/translator/mappings/platforms/sigma/windows_process_access.yml

diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
index c845789b..49a58521 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
@@ -2,7 +2,7 @@ platform: Palo Alto XSIAM
 source: webserver
 
 default_log_source:
-  dataset: [apache_tomcat_raw, nginx_nginx_raw, apache_tomcat_raw]
+  datamodel: datamodel
 
 field_mapping:
   c-uri: xdm.network.http.url
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_pipe_created.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_pipe_created.yml
new file mode 100644
index 00000000..2e7ea732
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_pipe_created.yml
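Review bot: The new `default_log_source` value `datamodel: datamodel` has its key and value spelled identically, which reads like a placeholder rather than a concrete data-model name, and the other Cortex mappings added in this patch use `preset: xdr_event_log`, so it is not clear which loader convention this file is meant to follow. If `datamodel` is the literal the translator expects for XDM-backed queries, a comment above it such as `# 'datamodel' selects the XDM data model; the old tomcat/nginx raw datasets are no longer used here` would make that explicit and document the change of query scope. The field names below it are XDM paths (`c-uri: xdm.network.http.url`), which is consistent with a data-model query, but the generated XQL should be checked once against this value. The rest of `field_mapping` continues outside the hunk.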
@@ -0,0 +1,12 @@
+platform: Palo Alto XSIAM
+source: windows_pipe_created
+
+default_log_source:
+  preset: xdr_event_log
+
+field_mapping:
+  EventID: action_evtlog_event_id
+
+raw_log_fields:
+  - PipeName
+  - Image
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_access.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_access.yml
new file mode 100644
index 00000000..47a1033e
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_access.yml
@@ -0,0 +1,19 @@
+platform: Palo Alto XSIAM
+source: windows_process_access
+
+default_log_source:
+  preset: xdr_event_log
+
+field_mapping:
+  User: action_process_username
+
+raw_log_fields:
+  - SourceProcessGUID
+  - SourceProcessId
+  - SourceThreadId
+  - SourceImage
+  - TargetProcessGUID
+  - TargerProcessId
+  - TargetImage
+  - GrantedAccess
+  - CallTrace
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml
index d066d871..ebfac1ec 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml
@@ -8,6 +8,7 @@ default_log_source:
 field_mapping:
   EventID: action_evtlog_event_id
   OriginalFileName: actor_process_file_original_name
+  Description: action_evtlog_description
 
 raw_log_fields:
   - CommandLine
@@ -16,7 +17,6 @@ raw_log_fields:
   - CallTrace
   - Company
   - CurrentDirectory
-  - Description
   - DestinationHostname
   - DestinationIp
   - DestinationIsIpv6
diff --git a/uncoder-core/app/translator/mappings/platforms/sigma/windows_process_access.yml b/uncoder-core/app/translator/mappings/platforms/sigma/windows_process_access.yml
new file mode 100644
index 00000000..3b6aeb2c
--- /dev/null
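Review bot: The `windows_pipe_created` mapping only carries `EventID`, `PipeName` and `Image`, so Sigma rules for this category that also filter on the other Sysmon pipe-event fields (`EventType`, `ProcessId`, `ProcessGuid`, `User` are the ones I would expect on Sysmon Event 17/18) will presumably fail to translate or silently drop those conditions; if that is intended, a comment such as `# only EventID, PipeName and Image are translated; other pipe fields are unsupported` above `raw_log_fields` would say so. Whether the missing fields exist in the `xdr_event_log` preset is not visible from this hunk, so please confirm against the other Cortex mappings. All three new files in this patch also end with `\ No newline at end of file`, which yamllint flags and which makes the next append produce a noisy diff.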
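Review bot: `TargerProcessId` in `raw_log_fields` is a typo of the Sysmon Event 10 field name `TargetProcessId`; as written, rules that reference `TargetProcessId` will not find the field in this mapping, and the same misspelling is carried into both the key and the value of the Sigma `windows_process_access` mapping later in this patch. The line should read `  - TargetProcessId` here and `  TargetProcessId: TargetProcessId` in the Sigma file. The mapping of `User` to `action_process_username` while every Source*/Target* field stays raw is also worth a one-line comment, since for a process-access event it is not obvious whether `User` refers to the source or the target process.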
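Review bot: Moving `Description` from `raw_log_fields` into `field_mapping` as `action_evtlog_description` changes how existing rules behave, and the hunk does not say what that XDM field holds. In Sysmon process-create events `Description` is the image's version-info description (short strings such as a product name), so if `action_evtlog_description` instead contains the rendered event message, equality matches on `Description` will stop firing and only substring-style matches will keep working; this is an inference from the field names, so please confirm with a sample event before merging. A comment above the new line, e.g. `# Sysmon 'Description' (file version-info) — confirm action_evtlog_description holds the same short string`, would record the decision either way. The `raw_log_fields` list in the second hunk continues outside the hunk.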
+++ b/uncoder-core/app/translator/mappings/platforms/sigma/windows_process_access.yml
@@ -0,0 +1,24 @@
+
+platform: Sigma
+source: windows_process_access
+
+
+log_source:
+  product: [windows]
+  category: [process_access]
+default_log_source:
+  product: windows
+  category: process_access
+field_mapping:
+  SourceProcessGUID: SourceProcessGUID
+  SourceProcessId: SourceProcessId
+  SourceThreadId: SourceThreadId
+  SourceImage: SourceImage
+  TargetProcessGUID: TargetProcessGUID
+  TargerProcessId: TargerProcessId
+  TargetImage: TargetImage
+  GrantedAccess: GrantedAccess
+  CallTrace: CallTrace
+  User: User
\ No newline at end of file
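Review bot: The layout of this new file is inconsistent with the other mappings in the patch: it opens with an empty line before `platform:`, has two consecutive blank lines after `source:`, and then runs `log_source`, `default_log_source` and `field_mapping` together with no separating blank line, whereas the Cortex files separate each stanza with exactly one blank line. Dropping the leading blank line, collapsing the double blank to one, and adding one blank line before `default_log_source:` and before `field_mapping:` would make it read like its siblings and keep yamllint quiet. The `TargerProcessId` key/value pair repeats the misspelling already raised on the Cortex `windows_process_access` mapping.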