mappings added and fix 7

rm-socprime · rm-socprime · commit 3aeb7fc8903e · 2024-06-17T16:50:30.000+02:00
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml
@@ -32,4 +32,5 @@ raw_log_fields:
   userIdentity.principalId: object
   userIdentity.sessionContext.sessionIssuer.type: object
   userIdentity.type: object
-  userIdentity.userName: object
+  userIdentity.userName: object
+  requestParameters.publiclyAccessible: object
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml
@@ -0,0 +1,46 @@
+platform: Palo Alto XSIAM
+source: azure_signinlogs
+
+
+default_log_source:
+  dataset: msft_azure_raw
+
+field_mapping:
+  AppDisplayName: properties.appDisplayName
+  AppId: properties.appId
+  AuthenticationRequirement: properties.authenticationRequirement
+  Category: properties.category
+  ConditionalAccessStatus: properties.conditionalAccessStatus
+  DeviceDetail: properties.deviceDetail
+  IsInteractive: properties.isInteractive
+  NetworkLocationDetails: properties.networkLocationDetails
+  ResourceDisplayName: properties.resourceDisplayName
+  ResourceIdentity: properties.resourceIdentity
+  ResultDescription: properties.resultDescription
+  ResultType: properties.resultType
+  Status.errorCode: properties.status.errorCode
+  Status: properties.status
+  Status.failureReason: properties.status.failureReason
+  TokenIssuerType: properties.tokenIssuerType
+  UserAgent: properties.userAgent
+  UserPrincipalName: properties.userPrincipalName
+
+raw_log_fields:
+  properties.appDisplayName: object
+  properties.appId: object
+  properties.authenticationRequirement: object
+  properties.category: object
+  properties.conditionalAccessStatus: object
+  properties.deviceDetail: object
+  properties.isInteractive: object
+  properties.networkLocationDetails: object
+  properties.resourceDisplayName: object
+  properties.resourceIdentity: object
+  properties.resultDescription: object
+  properties.resultType: object
+  properties.status.errorCode: object
+  properties.status: object
+  properties.status.failureReason: object
+  properties.tokenIssuerType: object
+  properties.userAgent: object
+  properties.userPrincipalName: object
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml
@@ -8,4 +8,6 @@ field_mapping:
   dns-query: xdm.network.dns.dns_question.name
   dns-answer: xdm.network.dns.dns_resource_record.value
   #dns-record: dns-record
-  dns_query_name: xdm.network.dns.dns_question.name
+  dns_query_name: xdm.network.dns.dns_question.name
+  QueryName: xdm.network.dns.dns_question.name
+  query: xdm.network.dns.dns_question.name
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
@@ -14,3 +14,6 @@ field_mapping:
   sc-status: xdm.network.http.response_code
   cs-uri-stem: xdm.network.http.url
   cs-uri-query: xdm.network.http.url
+  c-uri-path: xdm.network.http.url
+  uri_path: xdm.network.http.url
+  cs-uri: xdm.network.http.url
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml
@@ -16,4 +16,5 @@ raw_log_fields:
   HostApplication: regex
   ContextInfo: regex
   HostName: regex
-  EngineVersion: regex
+  EngineVersion: regex
+  Path: regex
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml
@@ -147,4 +147,5 @@ raw_log_fields:
   ExceptionCode: regex
   Service: regex
   SamAccountName: regex
-  ImpersonationLevel: regex
+  ImpersonationLevel: regex
+  PrimaryGroupId: regex
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml
@@ -57,4 +57,5 @@ raw_log_fields:
   FileVersion: regex
   StartAddress: regex
   StartFunction: regex
-  EventType: regex
+  EventType: regex
+  GrantedAccess: regex
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml
@@ -20,4 +20,6 @@ raw_log_fields:
   param1: regex
   param2: regex
   Channel: regex
-  DeviceName: regex
+  DeviceName: regex
+  Message: regex
+  ComputerName: regex
diff --git a/uncoder-core/app/translator/mappings/platforms/sigma/azure_azureactivity.yml b/uncoder-core/app/translator/mappings/platforms/sigma/azure_azureactivity.yml
@@ -4,7 +4,7 @@ source: azure_azureactivity
 
 log_source:
   product: [azure]
-  service: [azureactivity]
+  service: [azureactivity, activitylogs]
 
 default_log_source:
   product: azure
diff --git a/uncoder-core/app/translator/mappings/platforms/sigma/azure_azuread.yml b/uncoder-core/app/translator/mappings/platforms/sigma/azure_azuread.yml
@@ -4,7 +4,7 @@ source: azure_azuread
 
 log_source:
   product: [azure]
-  service: [azuread]
+  service: [azuread, auditlogs]
 
 default_log_source:
   product: azure
diff --git a/uncoder-core/app/translator/mappings/platforms/sigma/azure_m365.yml b/uncoder-core/app/translator/mappings/platforms/sigma/azure_m365.yml
@@ -4,7 +4,7 @@ source: azure_m365
 
 log_source:
   product: [azure]
-  service: [m365]
+  service: [m365, o365, office365]
 
 default_log_source:
   product: azure
