Merge pull request #122 from UncoderIO/gis-xql-mapping-improve

saltar-ua · web-flow · commit a9b07c3054d5 · 2024-05-28T17:39:17.000+03:00
Improve mappings
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
@@ -11,10 +11,35 @@ field_mapping:
   Image:
     - xdm.target.process.name
     - xdm.source.process.name
+  ProcessName:
+    - xdm.target.process.name
+    - xdm.source.process.name
+  ImageLoaded:
+    - xdm.target.process.executable.filename
+    - xdm.source.process.executable.filename
   ParentCommandLine: xdm.source.process.command_line
   ParentImage: xdm.source.process.name
   User: xdm.source.user.username
   TargetFilename: xdm.target.file.filename
   TargetImage: xdm.target.process.name
   SourceImage: xdm.source.process.name
-  EventID: action_evtlog_event_id
+  EventID: xdm.event.id
+  Protocol: xdm.network.ip_protocol
+  src-ip: xdm.source.ipv4
+  SourceIp: xdm.source.ipv4
+  src-packets: xdm.source.sent_packets
+  dst-packets: xdm.target.sent_packets
+  src-port: xdm.source.port
+  SourcePort: xdm.source.port
+  dst-ip: xdm.target.ipv4
+  DestinationIp: xdm.target.ipv4
+  dst-port: xdm.target.port
+  DestinationPort: xdm.target.port
+  src-bytes: xdm.source.sent_bytes
+  dst-bytes: xdm.target.sent_bytes
+  src-hostname: xdm.source.host.hostname
+  dst-hostname: xdm.target.host.hostname
+  icmp.type: xdm.network.icmp.type
+  icmp.code: xdm.network.icmp.code
+  URL: xdm.target.url
+  QueryName: xdm.target.url
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_application.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_application.yml
@@ -6,6 +6,7 @@ default_log_source:
 
 field_mapping:
   EventID: action_evtlog_event_id
+  Provider_Name: provider_name
 
 raw_log_fields:
   - src_ip
@@ -18,7 +19,6 @@ raw_log_fields:
   - object_name
   - class_type
   - action_id
-  - Provider_Name
   - Data
   - Message
   - Level
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml
@@ -7,6 +7,7 @@ default_log_source:
 
 field_mapping:
   EventID: action_evtlog_event_id
+  OriginalFileName: actor_process_file_original_name
 
 raw_log_fields:
   - CommandLine
@@ -35,7 +36,6 @@ raw_log_fields:
   - SourcePortName
   - TargetFilename
   - User
-  - OriginalFileName
   - Signed
   - Signature
   - SignatureStatus
