Merge pull request #177 from UncoderIO/gis-aql-upd-2024-07-20

aql fields upd

Author: saltar-ua

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml

@@ -14,6 +14,7 @@ field_mapping:
   ProcessName:
     - xdm.target.process.name
     - xdm.source.process.name
+  ProcessPath: xdm.target.process.executable.path
   ImageLoaded:
     - xdm.target.process.executable.filename
     - xdm.source.process.executable.filename
@@ -64,7 +65,7 @@ field_mapping:
   dns-query: xdm.network.dns.dns_question.name
   dns-answer: xdm.network.dns.dns_resource_record.value
   dns-record: xdm.network.dns.dns_question.name
-  FileName: xdm.target.file.path
+  FileName: xdm.target.file.filename
   IpAddress: xdm.source.ipv4
   IpPort: xdm.source.port
   LogonProcessName: xdm.target.process.executable.path
@@ -127,3 +128,7 @@ field_mapping:
   url_category: xdm.network.http.url_category
   EventSeverity: xdm.alert.severity
   duration: xdm.event.duration
+  FileExtension: xdm.target.file.extension
+  Workstation: xdm.source.host.hostname
+  RegistryKey: xdm.target.registry.key
+  RegistryValue: xdm.target.registry.value

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml

@@ -9,6 +9,7 @@ default_log_source:
 
 field_mapping:
   ImageLoaded: action_module_path
+  FileExtension: action_file_extension
   md5: action_module_md5
   sha256: action_module_sha256
   User: actor_effective_username

uncoder-core/app/translator/mappings/platforms/qradar/default.yml

@@ -19,6 +19,7 @@ field_mapping:
   src-port:
     - SourcePort
     - localport
+    - sourcePort
   src-ip:
     - sourceip
     - source_ip
@@ -34,6 +35,8 @@ field_mapping:
   User:
     - userName
     - EventUserName
+    - Username
+    - Security ID
   CommandLine: Command
   Protocol: 
     - IPProtocol
@@ -78,4 +81,14 @@ field_mapping:
   Source:
     - Source
     - source
-  duration: duration
+  duration: duration
+  Workstation: Machine Identifier
+  GroupMembership: Role Name
+  FileName: 
+    - Filename
+    - File Name
+  RegistryKey: 
+    - Registry Key
+    - Target Object
+  RegistryValue: RegistryValue
+  ProcessPath: Process Path

uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml

@@ -14,6 +14,7 @@ field_mapping:
   CommandLine:
     - Command
     - ASACommand
+    - Command Arguments
   Image: Process Path
   ParentCommandLine: Parent Command
   ParentImage: Parent Process Path

uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml

@@ -21,4 +21,5 @@ field_mapping:
     - Signature Status
     - SignatureStatus
   OriginalFileName: OriginalFileName
-  Signed: Signed
+  Signed: Signed
+  FileExtension: File Extension

uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml

@@ -14,15 +14,19 @@ field_mapping:
   CommandLine:
     - Command
     - Encoded Argument
+    - Command Arguments
   CurrentDirectory: CurrentDirectory
   Hashes: File Hash
   Image:
     - Process Path
     - Process Name
     - DGApplication
+    - ProcessName
   IntegrityLevel: IntegrityLevel
   ParentCommandLine: Parent Command
-  ParentImage: Parent Process Path
+  ParentImage: 
+    - Parent Process Path
+    - ParentProcessName
   ParentUser: ParentUser
   Product: Product
   User:

uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml

@@ -12,6 +12,7 @@ field_mapping:
   EventID:
     - Event ID
     - EventID
+    - qidEventId
   ParentImage: Parent Process Path
   AccessMask: AccessMask
   AccountName: Account Name