diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml
index f8327a54..980f2125 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml
@@ -32,4 +32,5 @@ raw_log_fields:
 userIdentity.principalId: object
 userIdentity.sessionContext.sessionIssuer.type: object
 userIdentity.type: object
- userIdentity.userName: object
\ No newline at end of file
+ userIdentity.userName: object
+ requestParameters.publiclyAccessible: object
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml
new file mode 100644
index 00000000..b5b84cde
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml
@@ -0,0 +1,46 @@
+platform: Palo Alto XSIAM
+source: azure_signinlogs
+
+
+default_log_source:
+ dataset: msft_azure_raw
+
+field_mapping:
+ AppDisplayName: properties.appDisplayName
+ AppId: properties.appId
+ AuthenticationRequirement: properties.authenticationRequirement
+ Category: properties.category
+ ConditionalAccessStatus: properties.conditionalAccessStatus
+ DeviceDetail: properties.deviceDetail
+ IsInteractive: properties.isInteractive
+ NetworkLocationDetails: properties.networkLocationDetails
+ ResourceDisplayName: properties.resourceDisplayName
+ ResourceIdentity: properties.resourceIdentity
+ ResultDescription: properties.resultDescription
+ ResultType: properties.resultType
+ Status.errorCode: properties.status.errorCode
+ Status: properties.status
+ Status.failureReason: properties.status.failureReason
+ TokenIssuerType: properties.tokenIssuerType
+ UserAgent: properties.userAgent
+ UserPrincipalName: properties.userPrincipalName
+
+raw_log_fields:
+ properties.appDisplayName: object
+ properties.appId: object
+ properties.authenticationRequirement: object
+ properties.category: object
+ properties.conditionalAccessStatus: object
+ properties.deviceDetail: object
+ properties.isInteractive: object
+ properties.networkLocationDetails: object
+ properties.resourceDisplayName: object
+ properties.resourceIdentity: object
+ properties.resultDescription: object
+ properties.resultType: object
+ properties.status.errorCode: object
+ properties.status: object
+ properties.status.failureReason: object
+ properties.tokenIssuerType: object
+ properties.userAgent: object
+ properties.userPrincipalName: object
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml
index 65cbbbad..e489fd50 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml
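Review bot: In the new azure_signinlogs.yml the `Status` key sits between its own dotted children, `Status.errorCode` and `Status.failureReason`, in both `field_mapping` and `raw_log_fields`; listing the parent first (`Status`, then `Status.errorCode`, `Status.failureReason`) makes the grouping obvious and matches the otherwise sorted order of the other keys. The file is committed without a trailing newline (the `\ No newline at end of file` marker after the last key), which turns every future append into a two-line change, as the other hunks in this commit show. The two blank lines after `source:` also differ from the single blank line used between the other stanzas. Nothing in the file says which schema the right-hand `properties.*` paths follow, so a one-line header such as `# field paths follow the Azure sign-in log record as stored in the msft_azure_raw dataset` would help the next maintainer.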
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml
@@ -8,4 +8,6 @@ field_mapping:
 dns-query: xdm.network.dns.dns_question.name
 dns-answer: xdm.network.dns.dns_resource_record.value
 #dns-record: dns-record
- dns_query_name: xdm.network.dns.dns_question.name
\ No newline at end of file
+ dns_query_name: xdm.network.dns.dns_question.name
+ QueryName: xdm.network.dns.dns_question.name
+ query: xdm.network.dns.dns_question.name
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
index 505d2498..7a1eaa84 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
@@ -14,3 +14,6 @@ field_mapping:
 sc-status: xdm.network.http.response_code
 cs-uri-stem: xdm.network.http.url
 cs-uri-query: xdm.network.http.url
+ c-uri-path: xdm.network.http.url
+ uri_path: xdm.network.http.url
+ cs-uri: xdm.network.http.url
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml
index 1d2e0ef4..41ed1439 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml
@@ -16,4 +16,5 @@ raw_log_fields:
 HostApplication: regex
 ContextInfo: regex
 HostName: regex
- EngineVersion: regex
\ No newline at end of file
+ EngineVersion: regex
+ Path: regex
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml
index a1a1e613..42fe9a54 100644
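Review bot: With `QueryName` and `query` added, four Sigma-side names (`dns-query`, `dns_query_name`, `QueryName`, `query`) now resolve to `xdm.network.dns.dns_question.name` with nothing saying why; a comment above the group, e.g. `# Sigma aliases for the DNS query name; all translate to the XDM question-name field`, would keep the next contributor from treating them as accidental duplicates. `query` is a very generic key, so it is worth confirming no other mapping in this platform directory already maps `query` to a different XDM field, since whichever mapping is consulted last would presumably win. The commented-out `#dns-record: dns-record` line in the context is left as is; if it is dead it should be removed, otherwise a comment explaining why it is parked would help. The file still ends without a trailing newline.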
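Review bot: `c-uri-path` and `uri_path` are mapped to `xdm.network.http.url`, the same target as `cs-uri-stem`, `cs-uri-query` and the new `cs-uri`, so a Sigma condition written against only the path or only the query string is translated into a match against the whole URL value. For modifiers such as `endswith`, or an exact match on a path, that widens or breaks the match if the stored URL carries the query string; if the XDM schema exposes a distinct path field, it would be the more faithful target for the path aliases. At minimum a comment documenting the collapse, e.g. `# path and query-string aliases are folded into the full URL field; rule semantics widen accordingly`, would make the trade-off visible to rule authors.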
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml
@@ -147,4 +147,5 @@ raw_log_fields:
 ExceptionCode: regex
 Service: regex
 SamAccountName: regex
- ImpersonationLevel: regex
\ No newline at end of file
+ ImpersonationLevel: regex
+ PrimaryGroupId: regex
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml
index bc88c7c6..a15909c9 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml
@@ -57,4 +57,5 @@ raw_log_fields:
 FileVersion: regex
 StartAddress: regex
 StartFunction: regex
- EventType: regex
\ No newline at end of file
+ EventType: regex
+ GrantedAccess: regex
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml
index 889872e6..07730124 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml
@@ -20,4 +20,6 @@ raw_log_fields:
 param1: regex
 param2: regex
 Channel: regex
- DeviceName: regex
\ No newline at end of file
+ DeviceName: regex
+ Message: regex
+ ComputerName: regex
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/sigma/azure_azureactivity.yml b/uncoder-core/app/translator/mappings/platforms/sigma/azure_azureactivity.yml
index c8d090a5..7a17a916 100644
--- a/uncoder-core/app/translator/mappings/platforms/sigma/azure_azureactivity.yml
+++ b/uncoder-core/app/translator/mappings/platforms/sigma/azure_azureactivity.yml
@@ -4,7 +4,7 @@ source: azure_azureactivity log_source: product: [azure] - service: [azureactivity] + service: [azureactivity, activitylogs] default_log_source: product: azure diff --git a/uncoder-core/app/translator/mappings/platforms/sigma/azure_azuread.yml b/uncoder-core/app/translator/mappings/platforms/sigma/azure_azuread.yml index 54594bb0..d46b9688 100644 --- a/uncoder-core/app/translator/mappings/platforms/sigma/azure_azuread.yml +++ b/uncoder-core/app/translator/mappings/platforms/sigma/azure_azuread.yml @@ -4,7 +4,7 @@ source: azure_azuread log_source: product: [azure] - service: [azuread] + service: [azuread, auditlogs] default_log_source: product: azure diff --git a/uncoder-core/app/translator/mappings/platforms/sigma/azure_m365.yml b/uncoder-core/app/translator/mappings/platforms/sigma/azure_m365.yml index 7d2d1c46..b9877a5b 100644 --- a/uncoder-core/app/translator/mappings/platforms/sigma/azure_m365.yml +++ b/uncoder-core/app/translator/mappings/platforms/sigma/azure_m365.yml @@ -4,7 +4,7 @@ source: azure_m365 log_source: product: [azure] - service: [m365] + service: [m365, o365, office365] default_log_source: product: azure
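Review bot: `activitylogs` is added as a second accepted `service` name here, and the azure_azuread.yml and azure_m365.yml hunks do the same with `auditlogs` and with `o365`/`office365`, but the `default_log_source` stanza (whose `service` line is outside each hunk) presumably still names the single original service, so a rule that arrives under one of the new aliases will be emitted back under the old name; confirm that round-trip is intended. Because these entries appear to be looked up by service name, it is also worth checking that none of the new aliases is already claimed by another sigma mapping file — `auditlogs` in particular is a different Azure log than the sign-in logs this commit adds an XSIAM mapping for in azure_signinlogs.yml. A short comment on each list, e.g. `# alternate service names accepted for this source`, would document where the extra names come from.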