mapping improvement - stats from 05.06.24 #136

Merged: 1 commit, Jun 12, 2024
Changed file (path not shown on this page):
@@ -75,7 +75,6 @@ field_mapping:
NewTargetUserName: xdm.target.user.username
OldTargetUserName: xdm.target.user.username
UserPrincipalName: xdm.source.user.username

DestAddress: xdm.target.ipv4
SubjectUserName: xdm.source.user.username
SubjectUserSid: xdm.source.user.identifier
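Review bot: the only change in this hunk is the dropped blank line between `UserPrincipalName` and `DestAddress`, but the surrounding context shows `NewTargetUserName` and `OldTargetUserName` both mapped to `xdm.target.user.username`; a rule that compares the old and new account name (account-rename detections) will collapse both sides onto the same XDM field and lose the condition. Consider mapping one of them to a distinct field or documenting that the distinction is not representable in XDM.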
@@ -115,3 +114,7 @@ field_mapping:
http.method: xdm.network.http.method
method: xdm.network.http.method
notice.user_agent: xdm.network.http.browser
hasIdentity: xdm.source.user.identity_type
SubjectAccountName: xdm.source.user.username
ComputerName: xdm.source.host.hostname
ExternalSeverity: xdm.alert.severity
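Review bot: `hasIdentity: xdm.source.user.identity_type` mixes two different value domains; `hasIdentity` in the source rules reads like a flag (present/absent), while `identity_type` is a typed classification of the account. Rules that test `hasIdentity` for a boolean-like value will not match after translation, so either confirm the value set is compatible or leave this field unmapped. The other three additions (`SubjectAccountName`, `ComputerName`, `ExternalSeverity`) look consistent with the existing `SubjectUserName`/`DestAddress` conventions in this file.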
Changed file (path not shown on this page):
@@ -6,11 +6,17 @@ default_log_source:

field_mapping:
c-uri: xdm.network.http.url
c-useragent: xdm.source.user_agent
c-useragent: xdm.network.http.browser
cs-method: xdm.network.http.method
cs-bytes: xdm.target.sent_bytes
c-uri-query: xdm.network.http.url
cs-referrer: xdm.network.http.referrer
sc-status: xdm.network.http.response_code
cs-host: xdm.network.http.url
cs-uri-query: xdm.network.http.url
cs-host: xdm.network.http.domain
cs-uri-query: xdm.network.http.url
cs-cookie-vars: xdm.network.http.http_header.value
c-uri-extension: xdm.network.http.url
cs-cookie: xdm.network.http.http_header.value
#cs-version: cs-version
r-dns: xdm.network.http.domain
post-body: xdm.network.http.http_header.value
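Review bot: `post-body: xdm.network.http.http_header.value` maps a request body onto a header value field, and `cs-cookie` and `cs-cookie-vars` land on that same field, so a rule that searches the POST body will instead be evaluated against header values. Map `post-body` to a body/content field if XDM has one, or comment it out as was done for `cs-version`. Same concern, milder, for `c-uri`, `c-uri-query`, `cs-uri-query` and `c-uri-extension` all resolving to `xdm.network.http.url`: a query-string or extension condition becomes a full-URL condition, which is acceptable only if the translator emits a contains/regex match rather than equality. The `c-useragent` and `cs-host` corrections (browser, domain) are the right fields.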
Changed file (path not shown on this page):
@@ -0,0 +1,13 @@
platform: Palo Alto XSIAM
source: windows_process_termination

log_source:
preset: xdr_process

default_log_source:
preset: xdr_process

field_mapping:
Image: action_process_image_path
ProcessId: action_process_os_pid
ProcessGuid: ProcessGuid
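Review bot: `ProcessGuid: ProcessGuid` maps the Sysmon GUID to a field that does not follow the `action_process_*` naming used by the two lines above it, so it is almost certainly not a real column of the `xdr_process` preset and translated queries that reference it will fail at query time. The QRadar counterpart added in this same PR comments this line out; do the same here, or map it to the preset's actual process identifier field if one exists.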
Changed file (path not shown on this page):
@@ -32,13 +32,19 @@ field_mapping:
Application:
- Application
- application
SourceHostName: HostCount-source
DestinationHostname: HostCount-destination
SourceHostName:
- HostCount-source
- identityHostName
- sourceAssetName
DestinationHostname:
- HostCount-destination
- Recipient Host
src-packets:
- PacketRatio-src
- src-packets
dst-packets:
- PacketRatio-dst
- dst-packets
src-bytes: src-bytes
dst-bytes: dst-bytes
dst-bytes: dst-bytes
ExternalSeverity: External Severity
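Review bot: `dst-bytes: dst-bytes` appears twice at the end of the hunk, which is the signature of a file that had no trailing newline (the last line is removed and re-added so that `ExternalSeverity` can follow it). Add a final newline so later appends do not churn the last line. Separately, `Recipient Host` is the only space-containing value in the new `DestinationHostname` list; confirm that is the platform's exact field name rather than a display label.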
Changed file (path not shown on this page):
@@ -29,4 +29,5 @@ field_mapping:
- DstPort
- RemotePort
Protocol: IPProtocol
application: Application
Application: Application
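Review bot: the new `Application: Application` key sits directly under `application: Application`, so the file now carries two case variants of the same source field pointing at the same target. If the translator matches source field names case-insensitively the new line is redundant; if it matches case-sensitively, the other mapping files in this PR should get the same treatment for consistency. Either way a one-line comment saying which rule sets use the capitalized form would help the next editor.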
28 changes: 18 additions & 10 deletions uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml
@@ -13,15 +13,23 @@ field_mapping:
- URL
- XForceCategoryByURL
c-useragent: User Agent
cs-method: cs-method
cs-method: HTTP Method
cs-bytes: Bytes Sent
cs-cookie-vars: cs-cookie-vars
#cs-cookie-vars: cs-cookie-vars
c-uri-extension: URL
c-uri-query: URL
cs-cookie: cs-cookie
cs-host: cs-host
cs-referrer: URL Referrer
cs-version: cs-version
r-dns: r-dns
sc-status: sc-status
post-body: post-body
c-uri-query:
- URL
- URL Path
#cs-cookie: cs-cookie
cs-host:
- UrlHost
- URL Host
cs-referrer:
- URL Referrer
- Referrer URL
cs-version: HTTP Version
r-dns:
- UrlHost
- URL Host
sc-status: HTTP Response Code
#post-body: post-body
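Review bot: `r-dns` and `cs-host` now map to the identical list `[UrlHost, URL Host]`, but `r-dns` is the reverse-DNS name of the client while `cs-host` is the requested host header; a rule on the client's hostname will be translated into a condition on the destination host. Keep `cs-host` as is and either leave `r-dns` unmapped or point it at a source-hostname property. The three newly commented-out entries (`cs-cookie-vars`, `cs-cookie`, `post-body`) would benefit from a short note on why no QRadar property was chosen, so they are not silently re-enabled with the old identity mappings.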
Changed file (path not shown on this page):
@@ -13,8 +13,12 @@ default_log_source:
qideventcategory: Microsoft-Windows-Sysmon/Operational

field_mapping:
Image: username
ImageLoaded: Process Path
SignatureStatus: Signature Status
Image: Process Path
ImageLoaded:
- Process Path
- LoadedImage
SignatureStatus:
- Signature Status
- SignatureStatus
OriginalFileName: OriginalFileName
Signed: Signed
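Review bot: `Image: username` to `Image: Process Path` is a clear bug fix, but after this hunk `Image` and the first candidate of `ImageLoaded` both resolve to `Process Path`, so a Sysmon event 7 rule that constrains the loaded module separately from the hosting process will have both conditions applied to the same property. If `LoadedImage` is the property QRadar populates for event 7, consider listing it first or making it the sole mapping for `ImageLoaded`.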
Changed file (path not shown on this page):
@@ -0,0 +1,16 @@
platform: Qradar
source: windows_process_termination


log_source:
devicetype: [12]
category: [8113]

default_log_source:
devicetype: 12
category: 8113

field_mapping:
Image: Process Path
ProcessId: ProcessId
# ProcessGuid: ProcessGuid
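Review bot: there is a double blank line after `source:` that the other new file in this PR does not have; trim it for consistency. `log_source` uses list values (`[12]`, `[8113]`) while `default_log_source` uses scalars, which is presumably the established convention but worth confirming against the existing QRadar mapping files. A short comment on why `ProcessGuid` is disabled (no QRadar property available) would save the next contributor from re-adding it.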
Changed file (path not shown on this page):
@@ -19,28 +19,44 @@ field_mapping:
AuthenticationPackageName: AuthenticationPackageName
CallingProcessName: CallingProcessName
Channel: Channel
ComputerName: Machine Identifier
ComputerName:
- Machine Identifier
- Hostname
EventType: EventType
FailureReason: FailureReason
FileName: Filename
GrantedAccess: GrantedAccess
Hashes: File Hash
HiveName: HiveName
IpAddress: IpAddress
IpPort: IpPort
IpAddress:
- sourceip
- identityIP
IpPort: sourceport
KeyLength: KeyLength
LogonProcessName: LogonProcessName
LogonType: Logon Type
LogonType:
- Logon Type
- Login Type
- MSLogonType
LinkName: LinkName
MemberName: MemberName
MemberSid: MemberSid
NewProcessName: Process Name
ObjectClass: ObjectClass
ObjectName: Object Name
ObjectType: Object Type
ObjectName:
- Object Name
- objectname
- MSFileObjectName
- ObjectName_Filename
- ObjectName
ObjectType:
- Object Type
- ObjectType
ObjectValueName: ObjectValueName
Path: Path
CommandLine: Command
CommandLine:
- Command
- Process Command Line
OldUacValue: OldUacValue
SubStatus: SubStatus
DisplayName: DisplayName
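Review bot: `ObjectName` now fans out to five candidates, three of which (`MSFileObjectName`, `ObjectName_Filename`, `objectname`) look like custom event properties rather than built-in QRadar fields; a translated query that ORs over properties absent from a deployment will error rather than silently match less. Please note which DSM or custom-property package supplies them, and the same for `identityIP`, `identityHostName` and `MSLogonType`. `IpAddress` mapping to `sourceip` is right for logon events, but `IpPort: sourceport` is a single value while the address got a list; if `identityIP` has a port counterpart it should be added for symmetry.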
@@ -55,7 +71,9 @@ field_mapping:
ClientProcessId: ClientProcessId
ParentProcessId: ParentProcessId
AccessList: AccessList
GroupMembership: GroupMembership
GroupMembership:
- GroupMembership
- GroupName
FilterName: FilterName
ChangeType: ChangeType
LayerName: LayerName
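Review bot: `GroupMembership` (the SID list attached to a 4627 logon) and `GroupName` (a single group in group-change events) carry different value shapes, so a rule that matches a SID pattern in `GroupMembership` will be applied to a display-name property as the second alternative. If `GroupName` is meant to catch group-change events, it is better keyed from the Windows field those events actually use rather than appended here.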
@@ -99,23 +117,32 @@ field_mapping:
UserAccountControl: UserAccountControl
RegistryValue: Target Object
SecurityID: SecurityID
ServiceFileName: Service Filename
ServiceFileName:
- Service Filename
- ServiceFileName
SecurityDescriptor: SecurityDescriptor
ServiceName: Service Name
ShareName: Share Name
ShareName:
- Share Name
- ShareName
NewValue: NewValue
Source: Source
Status: Status
SubjectDomainName: SubjectDomainName
SubjectUserName: Target Username
SubjectUserSid: SubjectUserSid
SourceAddr: sourceip
SourceAddress: sourceip
SourceAddress:
- sourceip
- sourceaddress
TargetFilename: File Directory
TargetName: Target Username
ServicePrincipalNames: ServicePrincipalNames
TargetDomainName: TargetDomainName
TargetSid: TargetSid
TargetUserName: Target Username
TargetUserName:
- Target Username
- Target User Name
ObjectServer: ObjectServer
TargetUserSid: TargetUserSid
TicketEncryptionType: TicketEncryptionType
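Review bot: in the unchanged context `SubjectUserName: Target Username` and the updated `TargetUserName` list both resolve to `Target Username`, so any rule that distinguishes the acting account from the account acted upon (for example privilege-escalation or self-modification logic) loses that distinction after translation; `SubjectUserName` should map to the QRadar username/actor property instead. Also, `SourceAddress` gained `sourceaddress` as a second candidate but the adjacent `SourceAddr: sourceip` was not updated; if both keys are aliases they should carry the same list.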
@@ -141,4 +168,6 @@ field_mapping:
StartType: StartType
UserID: UserID
ParentProcessName: Parent Process Name
Service: Service
Service: Service
hasIdentity: hasIdentity
SubjectAccountName: SubjectAccountName
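Review bot: the duplicated `Service: Service` line again indicates a missing trailing newline; add one. `SubjectAccountName: SubjectAccountName` is an identity mapping while the XSIAM file in this PR maps the same source field to a username field, and `hasIdentity: hasIdentity` likewise assumes a QRadar property of that exact name exists; confirm both properties are present in a default QRadar Windows DSM, otherwise comment them out as was done for `ProcessGuid`.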