From 4536c50ce66bd4b7282c919af8ec046757eb53ec Mon Sep 17 00:00:00 2001 From: spsocprime <94110440+spsocprime@users.noreply.github.com> Date: Thu, 18 Jul 2024 09:29:25 +0300 Subject: [PATCH 1/2] new fields --- .../mappings/platforms/palo_alto_cortex/default.yml | 7 +++++++ .../mappings/platforms/qradar/default.yml | 13 ++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml index ac3f8c9c..a7898dd5 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml @@ -46,6 +46,7 @@ field_mapping: c-uri-query: xdm.network.http.url QueryName: xdm.network.dns.dns_question.name Application: xdm.network.application_protocol + sourceNetwork: xdm.source.subnet SourceHostName: xdm.source.host.hostname DestinationHostname: xdm.target.host.hostname Hashes: @@ -127,3 +128,9 @@ field_mapping: url_category: xdm.network.http.url_category EventSeverity: xdm.alert.severity duration: xdm.event.duration + ThreatName: xdm.alert.original_threat_id + AnalyzerName: xdm.observer.type + Classification: xdm.alert.category + ResultCode: xdm.event.outcome_reason + Technique: xdm.alert.mitre_techniques + Action: xdm.event.outcome \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml index 1e098a77..a0502ea7 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml @@ -19,6 +19,7 @@ field_mapping: src-port: - SourcePort - localport + - sourcePort src-ip: - sourceip - source_ip 
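Review bot: The `Action: xdm.event.outcome` line appended to palo_alto_cortex/default.yml is followed by `\ No newline at end of file`, so this hunk turns a file that previously ended with a newline into one that does not. PATCH 2/2 restores the final newline here and in qradar/default.yml, but qradar/proxy.yml, qradar/webserver.yml and qradar/windows_image_load.yml still end without one after 2/2. Keeping a trailing newline avoids the spurious `-`/`+` pair on the last mapping line every time a key is appended, which is exactly what happens to `Action:` in the follow-up commit.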
@@ -34,6 +35,7 @@ field_mapping: User: - userName - EventUserName + - Alert Threat Cause Actor Name CommandLine: Command Protocol: - IPProtocol @@ -41,6 +43,7 @@ field_mapping: Application: - Application - application + sourceNetwork: sourceNetwork SourceHostName: - HostCount-source - identityHostName @@ -78,4 +81,12 @@ field_mapping: Source: - Source - source - duration: duration \ No newline at end of file + duration: duration + ThreatName: + - Threat Name + - Alert Blocked Threat Category + AnalyzerName: Analyzer Name + Classification: Classification + ResultCode: Alert Reason Code + Technique: Technique + Action: Action \ No newline at end of file From 976388f75d8c14e171cd2c85b74f98c04e3f3147 Mon Sep 17 00:00:00 2001 From: Gesyk Nazar <77268518+nazargesyk@users.noreply.github.com> Date: Mon, 22 Jul 2024 11:26:01 +0300 Subject: [PATCH 2/2] merge --- .../platforms/palo_alto_cortex/default.yml | 9 +++- .../palo_alto_cortex/windows_image_load.yml | 1 + .../mappings/platforms/qradar/default.yml | 16 ++++++- .../qradar/linux_process_creation.yml | 1 + .../mappings/platforms/qradar/proxy.yml | 13 ++++-- .../mappings/platforms/qradar/webserver.yml | 42 +++++++++++++------ .../platforms/qradar/windows_image_load.yml | 3 +- .../qradar/windows_process_creation.yml | 6 ++- .../platforms/qradar/windows_security.yml | 1 + 9 files changed, 70 insertions(+), 22 deletions(-) diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml index a7898dd5..f767249b 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml @@ -14,6 +14,7 @@ field_mapping: ProcessName: - xdm.target.process.name - xdm.source.process.name + ProcessPath: xdm.target.process.executable.path ImageLoaded: - xdm.target.process.executable.filename - xdm.source.process.executable.filename 
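Review bot: The `ThreatName:` key added at the end of qradar/default.yml appears to carry trailing whitespace, since PATCH 2/2 replaces it with a line that reads identically once whitespace is normalized. Stripping it in this commit would remove that no-op `-`/`+` pair from the follow-up and keep yamllint's trailing-spaces check clean. I am inferring the whitespace from the later hunk rather than seeing it directly in this one.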
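Review bot: `ProcessPath: xdm.target.process.executable.path` in palo_alto_cortex/default.yml maps only the target side, while the adjacent `ProcessName` key maps to both `xdm.target.process.name` and `xdm.source.process.name`. If ProcessPath is meant to be the path counterpart of ProcessName, the value should presumably be the two-item list `- xdm.target.process.executable.path` / `- xdm.source.process.executable.path`. If the single target is deliberate, a one-line comment above the key saying so would stop the next reader from "fixing" it.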
@@ -65,7 +66,7 @@ field_mapping: dns-query: xdm.network.dns.dns_question.name dns-answer: xdm.network.dns.dns_resource_record.value dns-record: xdm.network.dns.dns_question.name - FileName: xdm.target.file.path + FileName: xdm.target.file.filename IpAddress: xdm.source.ipv4 IpPort: xdm.source.port LogonProcessName: xdm.target.process.executable.path @@ -133,4 +134,8 @@ field_mapping: Classification: xdm.alert.category ResultCode: xdm.event.outcome_reason Technique: xdm.alert.mitre_techniques - Action: xdm.event.outcome \ No newline at end of file + Action: xdm.event.outcome + FileExtension: xdm.target.file.extension + Workstation: xdm.source.host.hostname + RegistryKey: xdm.target.registry.key + RegistryValue: xdm.target.registry.value diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml index 69a100ec..98e62b8f 100644 --- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml +++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml @@ -9,6 +9,7 @@ default_log_source: field_mapping: ImageLoaded: action_module_path + FileExtension: action_file_extension md5: action_module_md5 sha256: action_module_sha256 User: actor_effective_username diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml index a0502ea7..5ff97d09 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml @@ -36,6 +36,8 @@ field_mapping: - userName - EventUserName - Alert Threat Cause Actor Name + - Username + - Security ID CommandLine: Command Protocol: - IPProtocol 
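Review bot: Remapping `FileName` from `xdm.target.file.path` to `xdm.target.file.filename` changes what rule values are compared against: if the filename field carries only the base name, any rule whose FileName value includes a directory component (a `\`-prefixed or `*\\` pattern) will stop matching on this platform. Nothing in the hunk says whether that was checked, so a short comment on the key such as `# base name only; directory-qualified patterns will not match` would document the trade-off. The rest of the mapping, including `LogonProcessName`, is unchanged and continues outside the hunk.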
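Review bot: Adding `Security ID` to the `User` list in qradar/default.yml mixes an identifier-valued property into a key whose other entries (`userName`, `EventUserName`, `Username`) hold account names. If Security ID carries SID-form values, a name-based rule value never matches that branch and the generated OR clause is dead weight, while a rule that actually targets a SID gets the opposite problem; I cannot confirm the property's contents from the diff. A comment stating why it sits under `User`, or a dedicated key for SID-valued fields if the translator supports one, would make the intent explicit.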
@@ -82,11 +84,21 @@ field_mapping: - Source - source duration: duration - ThreatName: + ThreatName: - Threat Name - Alert Blocked Threat Category AnalyzerName: Analyzer Name Classification: Classification ResultCode: Alert Reason Code Technique: Technique - Action: Action \ No newline at end of file + Action: Action + Workstation: Machine Identifier + GroupMembership: Role Name + FileName: + - Filename + - File Name + RegistryKey: + - Registry Key + - Target Object + RegistryValue: RegistryValue + ProcessPath: Process Path diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml index 8fddefd6..67e3db21 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml @@ -14,6 +14,7 @@ field_mapping: CommandLine: - Command - ASACommand + - Command Arguments Image: Process Path ParentCommandLine: Parent Command ParentImage: Parent Process Path diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml b/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml index 193bc79c..75ca74a3 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml @@ -13,13 +13,16 @@ field_mapping: - URL - XForceCategoryByURL c-useragent: User Agent - cs-method: HTTP Method + cs-method: + - HTTP Method + - Method cs-bytes: Bytes Sent #cs-cookie-vars: cs-cookie-vars c-uri-extension: URL c-uri-query: - URL - URL Path + - URL Query String #cs-cookie: cs-cookie cs-host: - UrlHost 
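Review bot: `RegistryValue: RegistryValue` is the only new property in this qradar/default.yml hunk written in CamelCase, while its neighbours use space-separated display names (`Registry Key`, `Process Path`, `File Name`); worth confirming against the QRadar property list that the value is not `Registry Value`. `FileName` listing both `Filename` and `File Name` looks like it covers two different log sources, and `Workstation: Machine Identifier` / `GroupMembership: Role Name` are non-obvious pairings, so a comment above each naming the source it was taken from would help maintenance. Nothing here changes behaviour for existing keys apart from the `ThreatName:` whitespace fix.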
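Review bot: `Command Arguments` is added under `CommandLine` in linux_process_creation.yml, and the same addition appears in the windows_process_creation.yml hunk later in this patch. If that property holds only the argument string, as the name suggests, a CommandLine pattern that includes the executable (`|startswith` on a binary name, a `|contains` spanning executable and flags, or a `|re` anchored at the start) can never match that branch, so the extra OR clause only lengthens the translated query. A comment such as `# argument string only; executable is not part of this property` would make the limitation visible if that is indeed the case.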
@@ -32,6 +35,10 @@ field_mapping: r-dns: - UrlHost - URL Host - sc-status: HTTP Response Code + sc-status: + - HTTP Response Code + - Response Code #post-body: post-body - url_category: XForceCategoryByURL \ No newline at end of file + url_category: + - XForceCategoryByURL + - Web Category \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/webserver.yml b/uncoder-core/app/translator/mappings/platforms/qradar/webserver.yml index 11a769f6..ad002ea6 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/webserver.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/webserver.yml @@ -9,17 +9,33 @@ default_log_source: devicetype: 10 field_mapping: - c-uri: URL - c-useragent: c-useragent - cs-method: cs-method + c-uri: + - URL + - XForceCategoryByURL + c-useragent: User Agent + cs-method: + - HTTP Method + - Method cs-bytes: Bytes Sent - cs-cookie-vars: cs-cookie-vars - c-uri-extension: c-uri-extension - c-uri-query: URL - cs-cookie: cs-cookie - cs-host: cs-host - cs-referrer: URL Referrer - cs-version: cs-version - r-dns: r-dns - sc-status: sc-status - post-body: post-body \ No newline at end of file + #cs-cookie-vars: cs-cookie-vars + c-uri-extension: URL + c-uri-query: + - URL + - URL Path + - URL Query String + #cs-cookie: cs-cookie + cs-host: + - UrlHost + - URL Host + - URL Domain + cs-referrer: + - URL Referrer + - Referrer URL + cs-version: HTTP Version + r-dns: + - UrlHost + - URL Host + sc-status: + - HTTP Response Code + - Response Code + #post-body: post-body \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml index bb1189f6..79d3bd66 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml 
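Review bot: The rewritten webserver.yml maps `c-uri` to `XForceCategoryByURL` and `c-uri-extension` to `URL`, apparently copied from proxy.yml: a URI pattern OR'd against a category property adds a branch that cannot match, and an extension value such as `php` compared against the whole `URL` property yields an equality that matches nothing. Commenting out `cs-cookie-vars`, `cs-cookie` and `post-body` removes those mappings outright rather than remapping them; the diff does not show whether an unmapped Sigma field is rejected or passed through, so that behaviour should be confirmed before merging. Since the file is now nearly identical to proxy.yml, a comment pointing to proxy.yml as the reference, or deduplication if the mapping loader supports it, would limit future drift between the two.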
@@ -21,4 +21,5 @@ field_mapping: - Signature Status - SignatureStatus OriginalFileName: OriginalFileName - Signed: Signed \ No newline at end of file + Signed: Signed + FileExtension: File Extension \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml index 1886343a..fcad6da1 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml @@ -14,15 +14,19 @@ field_mapping: CommandLine: - Command - Encoded Argument + - Command Arguments CurrentDirectory: CurrentDirectory Hashes: File Hash Image: - Process Path - Process Name - DGApplication + - ProcessName IntegrityLevel: IntegrityLevel ParentCommandLine: Parent Command - ParentImage: Parent Process Path + ParentImage: + - Parent Process Path + - ParentProcessName ParentUser: ParentUser Product: Product User: diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml index 9ccb1fbe..2a4c9919 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml @@ -12,6 +12,7 @@ field_mapping: EventID: - Event ID - EventID + - qidEventId ParentImage: Parent Process Path AccessMask: AccessMask AccountName: Account Name
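Review bot: `ProcessName` under `Image` and `ParentProcessName` under `ParentImage` in windows_process_creation.yml presumably hold bare executable names, whereas Sigma's Image and ParentImage are full paths and most rules use `|endswith: '\name.exe'`; against a bare name that branch never matches. If those properties are needed for log sources that record no path, the leading backslash would have to be dropped for them, which this mapping format does not appear to express, so a comment above each list noting the limitation would help. The `Command Arguments` addition in the same hunk has the same argument-only caveat raised on the linux_process_creation.yml hunk.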