From 949b3aee90f8bb583e16c77c0f0ee508deaeb646 Mon Sep 17 00:00:00 2001
From: spsocprime <94110440+spsocprime@users.noreply.github.com>
Date: Wed, 12 Jun 2024 15:19:55 +0300
Subject: [PATCH] mapping improvement - stats from 05.06.24
---
 .../platforms/palo_alto_cortex/default.yml | 5 +-
 .../platforms/palo_alto_cortex/proxy.yml | 12 +++-
 .../windows_process_termination.yml | 13 +++++
 .../mappings/platforms/qradar/default.yml | 12 +++-
 .../mappings/platforms/qradar/firewall.yml | 1 +
 .../mappings/platforms/qradar/proxy.yml | 28 ++++++----
 .../platforms/qradar/windows_image_load.yml | 10 +++-
 .../qradar/windows_process_termination.yml | 16 ++++++
 .../platforms/qradar/windows_security.yml | 55 ++++++++++++++-----
 9 files changed, 119 insertions(+), 33 deletions(-)
 create mode 100644 uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_termination.yml
 create mode 100644 uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
index 30995299..5b6ed4f1 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
@@ -75,7 +75,6 @@ field_mapping:
 NewTargetUserName: xdm.target.user.username
 OldTargetUserName: xdm.target.user.username
 UserPrincipalName: xdm.source.user.username
- DestAddress: xdm.target.ipv4
 SubjectUserName: xdm.source.user.username
 SubjectUserSid: xdm.source.user.identifier
@@ -115,3 +114,7 @@ field_mapping:
 http.method: xdm.network.http.method
 method: xdm.network.http.method
 notice.user_agent: xdm.network.http.browser
+ hasIdentity: xdm.source.user.identity_type
+ SubjectAccountName: xdm.source.user.username
+ ComputerName: xdm.source.host.hostname
+ ExternalSeverity: xdm.alert.severity
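Review bot: Dropping `DestAddress: xdm.target.ipv4` leaves DestAddress without an XDM target unless the same key is mapped elsewhere in this file, so a rule that filters on a destination address would no longer translate into an `xdm.target.ipv4` predicate, and the commit message does not say whether the removal is deliberate. If the key was removed on purpose, a one-line comment in its place, e.g. `# DestAddress intentionally unmapped: <reason>`, would stop the next editor from re-adding it; otherwise the mapping should stay. The enclosing field_mapping block starts and ends outside the hunk.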
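Review bot: `hasIdentity: xdm.source.user.identity_type` pairs a QRadar property that is boolean on the source side with an XDM field that appears to hold an identity type, so a rule written as `hasIdentity = true` would translate into a comparison that `identity_type` never satisfies and would silently match nothing. If the mapping exists only so the key does not fail translation, that deserves a comment on the line, such as `# value semantics differ from QRadar hasIdentity; rule values need review`. `ExternalSeverity: xdm.alert.severity` raises the same question, since a numeric QRadar severity is being mapped onto an XDM field whose value range may differ; the field_mapping block continues outside the hunk.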
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml
index 6095b8cf..1d114dac 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml
@@ -6,11 +6,17 @@ default_log_source:
 field_mapping:
 c-uri: xdm.network.http.url
- c-useragent: xdm.source.user_agent
+ c-useragent: xdm.network.http.browser
 cs-method: xdm.network.http.method
 cs-bytes: xdm.target.sent_bytes
 c-uri-query: xdm.network.http.url
 cs-referrer: xdm.network.http.referrer
 sc-status: xdm.network.http.response_code
- cs-host: xdm.network.http.url
- cs-uri-query: xdm.network.http.url
\ No newline at end of file
+ cs-host: xdm.network.http.domain
+ cs-uri-query: xdm.network.http.url
+ cs-cookie-vars: xdm.network.http.http_header.value
+ c-uri-extension: xdm.network.http.url
+ cs-cookie: xdm.network.http.http_header.value
+ #cs-version: cs-version
+ r-dns: xdm.network.http.domain
+ post-body: xdm.network.http.http_header.value
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_termination.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_termination.yml
new file mode 100644
index 00000000..731d6b8e
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_termination.yml
@@ -0,0 +1,13 @@
+platform: Palo Alto XSIAM
+source: windows_process_termination
+
+log_source:
+ preset: xdr_process
+
+default_log_source:
+ preset: xdr_process
+
+field_mapping:
+ Image: action_process_image_path
+ ProcessId: action_process_os_pid
+ ProcessGuid: ProcessGuid
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
index 7efabc4e..47447d13 100644
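Review bot: `cs-cookie-vars`, `cs-cookie` and `post-body` all map to `xdm.network.http.http_header.value`, so a rule that matches on a cookie or a POST body would translate into a match on any HTTP header value, which is much wider than the rule author intended (and a request body is not a header at all). Leaving those three keys unmapped, or disabling them the way `#cs-version` is, keeps the translation honest until a dedicated XDM field is chosen; if they stay, each line should carry a comment such as `# approximation: matches any HTTP header value`. `c-uri-extension: xdm.network.http.url` has the same flavour, since depending on the operator an extension match becomes a match against the whole URL. The file also still ends without a trailing newline.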
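Review bot: `ProcessGuid: ProcessGuid` is an identity mapping that emits the Sysmon field name unchanged into an XSIAM query, where the `xdr_process` preset used here presumably has no column of that name, so a rule constraining ProcessGuid would translate but never match. The QRadar counterpart added in this same commit comments that key out instead, and it would be consistent to do the same here, `# ProcessGuid: no XSIAM equivalent`. The new file also lacks a trailing newline.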
--- a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -32,8 +32,13 @@ field_mapping:
 Application:
 - Application
 - application
- SourceHostName: HostCount-source
- DestinationHostname: HostCount-destination
+ SourceHostName:
+ - HostCount-source
+ - identityHostName
+ - sourceAssetName
+ DestinationHostname:
+ - HostCount-destination
+ - Recipient Host
 src-packets:
 - PacketRatio-src
 - src-packets
@@ -41,4 +46,5 @@ field_mapping:
 - PacketRatio-dst
 - dst-packets
 src-bytes: src-bytes
- dst-bytes: dst-bytes
\ No newline at end of file
+ dst-bytes: dst-bytes
+ ExternalSeverity: External Severity
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml b/uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml
index cdeb8b82..14d7aefc 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml
@@ -29,4 +29,5 @@ field_mapping:
 - DstPort
 - RemotePort
 Protocol: IPProtocol
+ application: Application
 Application: Application
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml b/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml
index 2369e399..2acad313 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml
@@ -13,15 +13,23 @@ field_mapping:
 - URL
 - XForceCategoryByURL
 c-useragent: User Agent
- cs-method: cs-method
+ cs-method: HTTP Method
 cs-bytes: Bytes Sent
- cs-cookie-vars: cs-cookie-vars
+ #cs-cookie-vars: cs-cookie-vars
 c-uri-extension: URL
- c-uri-query: URL
- cs-cookie: cs-cookie
- cs-host: cs-host
- cs-referrer: URL Referrer
- cs-version: cs-version
- r-dns: r-dns
- sc-status: sc-status
- post-body: post-body
\ No newline at end of file
+ c-uri-query:
+ - URL
+ - URL Path
+ #cs-cookie: cs-cookie
+ cs-host:
+ - UrlHost
+ - URL Host
+ cs-referrer:
+ - URL Referrer
+ - Referrer URL
+ cs-version: HTTP Version
+ r-dns:
+ - UrlHost
+ - URL Host
+ sc-status: HTTP Response Code
+ #post-body: post-body
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml
index 434114c0..bb1189f6 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml
@@ -13,8 +13,12 @@ default_log_source:
 qideventcategory: Microsoft-Windows-Sysmon/Operational
 field_mapping:
- Image: username
- ImageLoaded: Process Path
- SignatureStatus: Signature Status
+ Image: Process Path
+ ImageLoaded:
+ - Process Path
+ - LoadedImage
+ SignatureStatus:
+ - Signature Status
+ - SignatureStatus
 OriginalFileName: OriginalFileName
 Signed: Signed
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml
new file mode 100644
index 00000000..563403a4
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml
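Review bot: The disabled lines `#cs-cookie-vars: cs-cookie-vars`, `#cs-cookie: cs-cookie` and `#post-body: post-body` silently take three keys out of the mapping without saying why, so a reader cannot tell whether QRadar has no property for them or whether the entry is just waiting for a name, and a rule that uses `cs-cookie` or `post-body` now either fails to translate or passes the raw field name through, depending on how the translator treats unmapped keys. A reason on each line, written as `# cs-cookie: no QRadar property identified yet`, records the decision and also satisfies yamllint's comments rule, which expects a space after `#`. The file still has no trailing newline; the field_mapping block starts outside the hunk.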
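Review bot: With `Image: Process Path` and `ImageLoaded` also listing `Process Path` first, a Sysmon image-load rule that constrains both fields (the usual "Image is X and ImageLoaded ends with Y" shape) would translate into two conditions on the same QRadar property and could never match, unless the translator prefers `LoadedImage` whenever it is available. If the first list entry is the one chosen, `LoadedImage` should come first under `ImageLoaded`, or the overlap needs a comment stating which property holds the loading process and which the loaded module. The correction of `Image: username` itself looks right.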
@@ -0,0 +1,16 @@
+platform: Qradar
+source: windows_process_termination
+
+
+log_source:
+ devicetype: [12]
+ category: [8113]
+
+default_log_source:
+ devicetype: 12
+ category: 8113
+
+field_mapping:
+ Image: Process Path
+ ProcessId: ProcessId
+# ProcessGuid: ProcessGuid
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
index a217b92c..d9148d86 100644
--- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
+++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
@@ -19,28 +19,44 @@ field_mapping:
 AuthenticationPackageName: AuthenticationPackageName
 CallingProcessName: CallingProcessName
 Channel: Channel
- ComputerName: Machine Identifier
+ ComputerName:
+ - Machine Identifier
+ - Hostname
 EventType: EventType
 FailureReason: FailureReason
 FileName: Filename
 GrantedAccess: GrantedAccess
 Hashes: File Hash
 HiveName: HiveName
- IpAddress: IpAddress
- IpPort: IpPort
+ IpAddress:
+ - sourceip
+ - identityIP
+ IpPort: sourceport
 KeyLength: KeyLength
 LogonProcessName: LogonProcessName
- LogonType: Logon Type
+ LogonType:
+ - Logon Type
+ - Login Type
+ - MSLogonType
 LinkName: LinkName
 MemberName: MemberName
 MemberSid: MemberSid
 NewProcessName: Process Name
 ObjectClass: ObjectClass
- ObjectName: Object Name
- ObjectType: Object Type
+ ObjectName:
+ - Object Name
+ - objectname
+ - MSFileObjectName
+ - ObjectName_Filename
+ - ObjectName
+ ObjectType:
+ - Object Type
+ - ObjectType
 ObjectValueName: ObjectValueName
 Path: Path
- CommandLine: Command
+ CommandLine:
+ - Command
+ - Process Command Line
 OldUacValue: OldUacValue
 SubStatus: SubStatus
 DisplayName: DisplayName
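Review bot: `# ProcessGuid: ProcessGuid` sits at column 0 beneath `field_mapping:` while its siblings are indented, and there are two consecutive blank lines after `source:`; yamllint flags both, and indenting the comment with the keys it belongs to plus dropping one blank line keeps the file in step with the other qradar mappings. `ProcessId: ProcessId` is an identity mapping next to `Image: Process Path`, which uses a QRadar display name, so it is worth confirming that `ProcessId` is the real property name for devicetype 12 / category 8113 events rather than a placeholder, e.g. `ProcessId: ProcessId  # QRadar custom property name, verified`. The file also ends without a trailing newline.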
@@ -55,7 +71,9 @@ field_mapping:
 ClientProcessId: ClientProcessId
 ParentProcessId: ParentProcessId
 AccessList: AccessList
- GroupMembership: GroupMembership
+ GroupMembership:
+ - GroupMembership
+ - GroupName
 FilterName: FilterName
 ChangeType: ChangeType
 LayerName: LayerName
@@ -99,10 +117,14 @@ field_mapping:
 UserAccountControl: UserAccountControl
 RegistryValue: Target Object
 SecurityID: SecurityID
- ServiceFileName: Service Filename
+ ServiceFileName:
+ - Service Filename
+ - ServiceFileName
 SecurityDescriptor: SecurityDescriptor
 ServiceName: Service Name
- ShareName: Share Name
+ ShareName:
+ - Share Name
+ - ShareName
 NewValue: NewValue
 Source: Source
 Status: Status
@@ -110,12 +132,17 @@ field_mapping:
 SubjectUserName: Target Username
 SubjectUserSid: SubjectUserSid
 SourceAddr: sourceip
- SourceAddress: sourceip
+ SourceAddress:
+ - sourceip
+ - sourceaddress
+ TargetFilename: File Directory
 TargetName: Target Username
 ServicePrincipalNames: ServicePrincipalNames
 TargetDomainName: TargetDomainName
 TargetSid: TargetSid
- TargetUserName: Target Username
+ TargetUserName:
+ - Target Username
+ - Target User Name
 ObjectServer: ObjectServer
 TargetUserSid: TargetUserSid
 TicketEncryptionType: TicketEncryptionType
@@ -141,4 +168,6 @@ field_mapping:
 StartType: StartType
 UserID: UserID
 ParentProcessName: Parent Process Name
- Service: Service
\ No newline at end of file
+ Service: Service
+ hasIdentity: hasIdentity
+ SubjectAccountName: SubjectAccountName
\ No newline at end of file
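Review bot: `GroupMembership` now lists `GroupName` as an alternative, but the two carry different data — GroupMembership is the full set of groups attached to a logon session, while GroupName is the single group named in a group-management event — so a rule such as `GroupMembership|contains 'Domain Admins'` would also fire on membership-change events that merely mention that group. If that broadening is intended it should be commented on the line (`# GroupName: group-management events name a single group`); otherwise GroupName belongs under its own Sigma key. The field_mapping block starts and ends outside this hunk.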
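Review bot: `TargetFilename: File Directory` in the `@@ -110,12 +132,17 @@` hunk maps a full-path Sigma field onto a QRadar property whose name suggests it holds only the directory, so rules of the form `TargetFilename|endswith '.exe'` would never match and `TargetFilename|contains` would see only the directory component. If the Windows Security parser really stores the whole path in `File Directory`, a comment on the line saying so would prevent this being "fixed" later; if not, the mapping needs the property that carries the file name. The enclosing field_mapping block continues outside the hunk.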