merge prod into gis-8036

alexvolha · alexvolha · commit c1dddc76522d · 2024-06-28T13:49:16.000+03:00
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml
@@ -11,4 +11,4 @@ field_mapping:
   dns_query_name: xdm.network.dns.dns_question.name
   QueryName: xdm.network.dns.dns_question.name
   query: xdm.network.dns.dns_question.name
-  dns-record-type: xdm.network.dns.dns_question.type
+  dns-record-type: xdm.network.dns.dns_question.type
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml
@@ -26,4 +26,5 @@ field_mapping:
   ParentProduct: actor_process_signature_product
   ParentCompany: actor_process_signature_vendor
   md5: action_process_image_md5
-  sha256: action_process_image_sha256
+  sha256: action_process_image_sha256
+  EventID: action_evtlog_event_id
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -59,7 +59,9 @@ field_mapping:
     - dst-packets
   src-bytes: src-bytes
   dst-bytes: dst-bytes
-  ExternalSeverity: External Severity
+  ExternalSeverity:
+    - External Severity
+    - Observeit Severity
   SourceMAC:
     - SourceMAC
     - MAC
@@ -73,6 +75,6 @@ field_mapping:
   SourceUserName: SourceUserName
   url_category: XForceCategoryByURL
   EventSeverity: EventSeverity
-  Source: 
+  Source:
     - Source
-    - source
+    - source
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml b/uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml
@@ -11,10 +11,13 @@ default_log_source:
 field_mapping:
   src-ip:
     - sourceip
+    - sourceIP
+    - SourceIP
     - SrcHost
     - LocalHost
     - Source
     - NetworkView
+    - HostName
   src-port:
     - sourceport
     - SrcPort
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml
@@ -11,9 +11,12 @@ default_log_source:
   category: 8110
 
 field_mapping:
-  CommandLine: Command
+  CommandLine:
+    - Command
+    - ASACommand
   Image: Process Path
   ParentCommandLine: Parent Command
   ParentImage: Parent Process Path
   User: username
-  LogonId: Logon ID
+  LogonId: Logon ID
+  EventID: ASASyslogCode
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml
@@ -11,13 +11,20 @@ default_log_source:
   category: 8110
 
 field_mapping:
-  CommandLine: Command
+  CommandLine:
+    - Command
+    - Encoded Argument
   CurrentDirectory: CurrentDirectory
   Hashes: File Hash
-  Image: Process Path
+  Image:
+    - Process Path
+    - Process Name
+    - DGApplication
   IntegrityLevel: IntegrityLevel
   ParentCommandLine: Parent Command
   ParentImage: Parent Process Path
   ParentUser: ParentUser
   Product: Product
-  User: username
+  User:
+    - username
+    - userName
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml
@@ -11,6 +11,8 @@ default_log_source:
   category: 8113
 
 field_mapping:
-  Image: Process Path
+  Image:
+    - Process Path
+    - Terminated Process Name
   ProcessId: ProcessId
 #  ProcessGuid: ProcessGuid
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
@@ -9,7 +9,9 @@ default_log_source:
   devicetype: 12
 
 field_mapping:
-  EventID: Event ID
+  EventID:
+    - Event ID
+    - EventID
   ParentImage: Parent Process Path
   AccessMask: AccessMask
   AccountName: Account Name
@@ -22,13 +24,16 @@ field_mapping:
   ComputerName: 
     - Machine Identifier
     - Hostname
+    - identityNetBiosName
   EventType: EventType
   FailureReason: FailureReason
   FileName: Filename
   GrantedAccess: GrantedAccess
   Hashes: File Hash
   HiveName: HiveName
-  IpAddress: 
+  IpAddress:
+    - sourceIP
+    - SourceIP
     - sourceip
     - identityIP
   IpPort: sourceport
@@ -45,7 +50,7 @@ field_mapping:
     - Process Name
     - New Process Name
   ObjectClass: ObjectClass
-  ObjectName: 
+  ObjectName:
     - Object Name
     - objectname
     - MSFileObjectName
@@ -76,6 +81,7 @@ field_mapping:
   GroupMembership: 
     - GroupMembership
     - GroupName
+    - Group Name
   FilterName: FilterName
   ChangeType: ChangeType
   LayerName: LayerName
@@ -95,7 +101,9 @@ field_mapping:
   TargetServerName: TargetServerName
   NewTargetUserName: NewTargetUserName
   OperationType: OperationType
-  DestPort: destinationport
+  DestPort:
+    - destinationport
+    - DstPort
   ServiceStartType: ServiceStartType
   OldTargetUserName: OldTargetUserName
   UserPrincipalName: UserPrincipalName
@@ -104,7 +112,10 @@ field_mapping:
   DisableIntegrityChecks: DisableIntegrityChecks
   AuditSourceName: AuditSourceName
   Workstation: Machine Identifier
-  DestAddress: destinationip
+  DestAddress:
+    - destinationip
+    - DestinationIP
+    - destinationaddress
   PreAuthType: PreAuthType
   SecurityPackageName: SecurityPackageName
   SubjectLogonId: SubjectLogonId
@@ -150,6 +161,8 @@ field_mapping:
   TargetSid: TargetSid
   TargetUserName: 
     - Target Username
+    - User
+    - userName
     - Target User Name
   ObjectServer: ObjectServer
   TargetUserSid: TargetUserSid
diff --git a/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py b/uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py
@@ -50,7 +50,6 @@
 }
 
 
-
 class CortexXQLFieldValueRender(BaseFieldValueRender):
     details: PlatformDetails = cortex_xql_query_details
     str_value_manager = cortex_xql_str_value_manager
@@ -72,7 +71,7 @@ def _wrap_str_value(value: str) -> str:
     def equal_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
             values = ", ".join(
-                f"{self._pre_process_value(field, v, value_type=ValueType.value, wrap_str=True)}" for v in value
+                f"{self._pre_process_value(field, str(v), value_type=ValueType.value, wrap_str=True)}" for v in value
             )
             return f"{field} in ({values})"
 
@@ -123,7 +122,11 @@ def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
     def regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
             return f"({self.or_token.join(self.regex_modifier(field=field, value=v) for v in value)})"
-        return f"{field} ~= {self._pre_process_value(field ,value, value_type=ValueType.regex_value, wrap_str=True)}"
+        value = self._pre_process_value(field, value, value_type=ValueType.regex_value, wrap_str=True)
+        if value.endswith('\\\\"'):
+            value = value[:-1] + "]" + value[-1:]
+            value = value[:-4] + "[" + value[-4:]
+        return f"{field} ~= {value}"
 
     def not_regex_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:
         if isinstance(value, list):
