From 8d4f8d4911acfa11a0d8026d95ef7e958db68b4c Mon Sep 17 00:00:00 2001
From: spsocprime <94110440+spsocprime@users.noreply.github.com>
Date: Wed, 26 Jun 2024 12:21:17 +0300
Subject: [PATCH] upd fields

---
 .../mappings/platforms/palo_alto_cortex/dns.yml | 3 ++-
 .../translator/mappings/platforms/qradar/default.yml | 10 ++++++++--
 .../app/translator/mappings/platforms/qradar/dns.yml | 3 ++-
 .../app/translator/mappings/platforms/qradar/proxy.yml | 1 +
 .../mappings/platforms/qradar/windows_security.yml | 5 ++++-
 5 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml
index e489fd50..e279a60a 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml
@@ -10,4 +10,5 @@ field_mapping:
   #dns-record: dns-record
   dns_query_name: xdm.network.dns.dns_question.name
   QueryName: xdm.network.dns.dns_question.name
-  query: xdm.network.dns.dns_question.name
\ No newline at end of file
+  query: xdm.network.dns.dns_question.name
+  dns-record-type: xdm.network.dns.dns_question.type
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
index 23e8b1bd..004e10c7 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -35,7 +35,9 @@ field_mapping:
     - userName
     - EventUserName
   CommandLine: Command
-  Protocol: IPProtocol
+  Protocol:
+    - IPProtocol
+    - protocol
   Application:
     - Application
     - application
@@ -61,6 +63,7 @@ field_mapping:
   SourceMAC:
     - SourceMAC
     - MAC
+    - sourceMAC
   DestinationMAC: DestinationMAC
   SourceOS:
     - SourceOS
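Review bot: The new `dns-record-type: xdm.network.dns.dns_question.type` entry only renames the field; rule values pass through unchanged, and Sigma rules express DNS record types both as mnemonics (`A`, `TXT`) and as numeric RR codes, so whichever form XDM does not store will silently produce a query that never matches. I cannot tell from the mapping which form `xdm.network.dns.dns_question.type` holds; confirm it and record it on the key, e.g. `# dns_question.type: values pass through unchanged — confirm XDM stores RR mnemonics vs numeric codes`. The hunk also rewrites the last line but still leaves the file without a trailing newline (both `\ No newline at end of file` markers); adding one now avoids the same churn on the next append.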
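Review bot: `Protocol` now lists `IPProtocol` and lowercase `protocol` with no comment on why both exist, following the `Application`/`application` pattern visible in the same hunk and the `sourceMAC`/`source` additions elsewhere in this patch; if the translator emits one OR'd predicate per alias, every case variant doubles the generated condition and the lists will keep growing with each new casing. If `protocol` is the built-in AQL column and `IPProtocol` a custom event property, or the duplicates exist because custom property names are case-sensitive, say so on the key, e.g. `# protocol = built-in AQL column; IPProtocol = custom event property (case-sensitive)`; if neither, a case-insensitive lookup in the translator would remove the need for the duplicates. I am inferring the OR behaviour from the alias lists; confirm against the translator code, which is outside this patch.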
@@ -69,4 +72,7 @@ field_mapping:
   TargetUserName: DestinationUserName
   SourceUserName: SourceUserName
   url_category: XForceCategoryByURL
-  EventSeverity: EventSeverity
\ No newline at end of file
+  EventSeverity: EventSeverity
+  Source:
+    - Source
+    - source
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/dns.yml b/uncoder-core/app/translator/mappings/platforms/qradar/dns.yml
index 048a4bd3..d9aad78e 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/dns.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/dns.yml
@@ -12,4 +12,5 @@ field_mapping:
   dns-query: URL
   parent-domain: parent-domain
   dns-answer: dns-answer
-  dns-record: URL
\ No newline at end of file
+  dns-record: URL
+  dns-record-type: DNSRecordType
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml b/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml
index 58393ac0..193bc79c 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml
@@ -24,6 +24,7 @@ field_mapping:
   cs-host:
     - UrlHost
     - URL Host
+    - URL Domain
   cs-referrer:
     - URL Referrer
     - Referrer URL
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
index 7d01b97e..53b37952 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
@@ -41,7 +41,9 @@ field_mapping:
   LinkName: LinkName
   MemberName: MemberName
   MemberSid: MemberSid
-  NewProcessName: Process Name
+  NewProcessName:
+    - Process Name
+    - New Process Name
   ObjectClass: ObjectClass
   ObjectName:
     - Object Name
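Review bot: `Source` is a generic key with no log-source context, and mapping it to same-named `Source`/`source` properties is a self-mapping that only works if a custom event property literally called that exists on the target; add a comment stating which rule field and log source it serves, e.g. `# Source: <logsource> field; resolves to custom event property 'Source' or 'source'`, otherwise a reader cannot tell whether this is a placeholder or a real property. The hunk again rewrites the last line without adding the missing trailing newline, which is the only reason `EventSeverity` shows as changed; ending the file with a newline now stops that churn.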
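Review bot: Unlike `URL`, which `dns-query` and `dns-record` already resolve to, `DNSRecordType` does not look like a built-in QRadar event column, so the translated query will reference a custom event property that has to exist under exactly that name on the target; a comment naming its origin would save the next reader a search, e.g. `# DNSRecordType: custom event property, not a default AQL column — must exist on the target`. The mapping also passes values through unchanged, so whether rule values like `A`/`TXT` or numeric RR codes match depends on how that property is populated; worth confirming before relying on it. The `\ No newline at end of file` marker survives the rewrite of the last line; adding the newline now avoids another churned diff on the next append.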
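Review bot: `URL Domain` is only an alias of `cs-host` if it holds the full host: a proxy rule's `cs-host` is the request host (typically a full FQDN), whereas a property named `URL Domain` may hold just the registrable domain, so an exact-match value such as `cdn.evil.example` would silently never match that property while a bare-domain value could over-match it. Confirm what the QRadar property stores before presenting it as equivalent, and record the answer on the entry: `# URL Domain: confirm it carries the full host, not the registrable domain`. This is inferred from the property name; the patch does not show the property definition.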
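Review bot: Keeping `Process Name` alongside the newly added `New Process Name` under `NewProcessName` widens what a process-creation rule matches: `New Process Name` is the created process in event 4688, while a property called `Process Name` is, on other Windows Security events, typically the subject or caller process, so a rule written against `NewProcessName` could also fire on unrelated events if the translator ORs the aliases. If `Process Name` is retained only for compatibility with existing custom event properties, say so on the key: `# Process Name kept for legacy CEPs; New Process Name is the 4688 created-process field`. I am inferring the OR behaviour from the alias lists; confirm against the translator, which is outside this patch.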
@@ -122,6 +124,7 @@ field_mapping:
   ServiceFileName:
     - Service Filename
     - ServiceFileName
+    - Service File Name
   SecurityDescriptor: SecurityDescriptor
   ServiceName: Service Name
   ShareName: