Merge pull request #136 from UncoderIO/gis-aql-12-06-2024-2

mapping improvement - stats from 05.06.24

Author: saltar-ua

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml

@@ -75,7 +75,6 @@ field_mapping:
   NewTargetUserName: xdm.target.user.username
   OldTargetUserName: xdm.target.user.username
   UserPrincipalName: xdm.source.user.username
-
   DestAddress: xdm.target.ipv4
   SubjectUserName: xdm.source.user.username
   SubjectUserSid: xdm.source.user.identifier
@@ -115,3 +114,7 @@ field_mapping:
   http.method: xdm.network.http.method
   method: xdm.network.http.method
   notice.user_agent: xdm.network.http.browser
+  hasIdentity: xdm.source.user.identity_type
+  SubjectAccountName: xdm.source.user.username
+  ComputerName: xdm.source.host.hostname
+  ExternalSeverity: xdm.alert.severity

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml

@@ -6,11 +6,17 @@ default_log_source:
 
 field_mapping:
   c-uri: xdm.network.http.url
-  c-useragent: xdm.source.user_agent
+  c-useragent: xdm.network.http.browser
   cs-method: xdm.network.http.method
   cs-bytes: xdm.target.sent_bytes
   c-uri-query: xdm.network.http.url
   cs-referrer: xdm.network.http.referrer
   sc-status: xdm.network.http.response_code
-  cs-host: xdm.network.http.url
-  cs-uri-query: xdm.network.http.url
+  cs-host: xdm.network.http.domain
+  cs-uri-query: xdm.network.http.url
+  cs-cookie-vars: xdm.network.http.http_header.value
+  c-uri-extension: xdm.network.http.url
+  cs-cookie: xdm.network.http.http_header.value
+  #cs-version: cs-version
+  r-dns:  xdm.network.http.domain
+  post-body: xdm.network.http.http_header.value

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_termination.yml

@@ -0,0 +1,13 @@
+platform: Palo Alto XSIAM
+source: windows_process_termination
+
+log_source:
+  preset: xdr_process
+
+default_log_source:
+  preset: xdr_process
+
+field_mapping:
+  Image: action_process_image_path
+  ProcessId: action_process_os_pid
+  ProcessGuid: ProcessGuid

uncoder-core/app/translator/mappings/platforms/qradar/default.yml

@@ -32,13 +32,19 @@ field_mapping:
   Application:
     - Application
     - application
-  SourceHostName: HostCount-source
-  DestinationHostname: HostCount-destination
+  SourceHostName: 
+    - HostCount-source
+    - identityHostName
+    - sourceAssetName
+  DestinationHostname: 
+    - HostCount-destination
+    - Recipient Host
   src-packets:
     - PacketRatio-src
     - src-packets
   dst-packets:
     - PacketRatio-dst
     - dst-packets
   src-bytes: src-bytes
-  dst-bytes: dst-bytes
+  dst-bytes: dst-bytes
+  ExternalSeverity: External Severity

uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml

@@ -29,4 +29,5 @@ field_mapping:
     - DstPort
     - RemotePort
   Protocol: IPProtocol
+  application: Application
   Application: Application

uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml

@@ -13,15 +13,23 @@ field_mapping:
     - URL
     - XForceCategoryByURL
   c-useragent: User Agent
-  cs-method: cs-method
+  cs-method: HTTP Method
   cs-bytes: Bytes Sent
-  cs-cookie-vars: cs-cookie-vars
+  #cs-cookie-vars: cs-cookie-vars
   c-uri-extension: URL
-  c-uri-query: URL
-  cs-cookie: cs-cookie
-  cs-host: cs-host
-  cs-referrer: URL Referrer
-  cs-version: cs-version
-  r-dns:  r-dns
-  sc-status: sc-status
-  post-body: post-body
+  c-uri-query: 
+    - URL
+    - URL Path
+  #cs-cookie: cs-cookie
+  cs-host: 
+    - UrlHost
+    - URL Host
+  cs-referrer: 
+    - URL Referrer
+    - Referrer URL
+  cs-version: HTTP Version
+  r-dns:
+    - UrlHost
+    - URL Host
+  sc-status: HTTP Response Code
+  #post-body: post-body

uncoder-core/app/translator/mappings/platforms/qradar/windows_image_load.yml

@@ -13,8 +13,12 @@ default_log_source:
   qideventcategory: Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
-  Image: username
-  ImageLoaded: Process Path
-  SignatureStatus: Signature Status
+  Image: Process Path
+  ImageLoaded: 
+    - Process Path
+    - LoadedImage
+  SignatureStatus: 
+    - Signature Status
+    - SignatureStatus
   OriginalFileName: OriginalFileName
   Signed: Signed

uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml

@@ -0,0 +1,16 @@
+platform: Qradar
+source: windows_process_termination
+
+
+log_source:
+  devicetype: [12]
+  category: [8113]
+
+default_log_source:
+  devicetype: 12
+  category: 8113
+
+field_mapping:
+  Image: Process Path
+  ProcessId: ProcessId
+#  ProcessGuid: ProcessGuid

uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml

@@ -19,28 +19,44 @@ field_mapping:
   AuthenticationPackageName: AuthenticationPackageName
   CallingProcessName: CallingProcessName
   Channel: Channel
-  ComputerName: Machine Identifier
+  ComputerName: 
+    - Machine Identifier
+    - Hostname
   EventType: EventType
   FailureReason: FailureReason
   FileName: Filename
   GrantedAccess: GrantedAccess
   Hashes: File Hash
   HiveName: HiveName
-  IpAddress: IpAddress
-  IpPort: IpPort
+  IpAddress: 
+    - sourceip
+    - identityIP
+  IpPort: sourceport
   KeyLength: KeyLength
   LogonProcessName: LogonProcessName
-  LogonType: Logon Type
+  LogonType: 
+    - Logon Type
+    - Login Type
+    - MSLogonType
   LinkName: LinkName
   MemberName: MemberName
   MemberSid: MemberSid
   NewProcessName: Process Name
   ObjectClass: ObjectClass
-  ObjectName: Object Name
-  ObjectType: Object Type
+  ObjectName: 
+    - Object Name
+    - objectname
+    - MSFileObjectName
+    - ObjectName_Filename
+    - ObjectName
+  ObjectType: 
+    - Object Type
+    - ObjectType
   ObjectValueName: ObjectValueName
   Path: Path
-  CommandLine: Command
+  CommandLine: 
+    - Command
+    - Process Command Line
   OldUacValue: OldUacValue
   SubStatus: SubStatus
   DisplayName: DisplayName
@@ -55,7 +71,9 @@ field_mapping:
   ClientProcessId: ClientProcessId
   ParentProcessId: ParentProcessId
   AccessList: AccessList
-  GroupMembership: GroupMembership
+  GroupMembership: 
+    - GroupMembership
+    - GroupName
   FilterName: FilterName
   ChangeType: ChangeType
   LayerName: LayerName
@@ -101,23 +119,32 @@ field_mapping:
   UserAccountControl: UserAccountControl
   RegistryValue: Target Object
   SecurityID: SecurityID
-  ServiceFileName: Service Filename
+  ServiceFileName: 
+    - Service Filename
+    - ServiceFileName
   SecurityDescriptor: SecurityDescriptor
   ServiceName: Service Name
-  ShareName: Share Name
+  ShareName: 
+    - Share Name
+    - ShareName
   NewValue: NewValue
   Source: Source
   Status: Status
   SubjectDomainName: SubjectDomainName
   SubjectUserName: Target Username
   SubjectUserSid: SubjectUserSid
   SourceAddr: sourceip
-  SourceAddress: sourceip
+  SourceAddress: 
+    - sourceip
+    - sourceaddress
+  TargetFilename: File Directory
   TargetName: Target Username
   ServicePrincipalNames: ServicePrincipalNames
   TargetDomainName: TargetDomainName
   TargetSid: TargetSid
-  TargetUserName: Target Username
+  TargetUserName: 
+    - Target Username
+    - Target User Name
   ObjectServer: ObjectServer
   TargetUserSid: TargetUserSid
   TicketEncryptionType: TicketEncryptionType
@@ -143,4 +170,6 @@ field_mapping:
   StartType: StartType
   UserID: UserID
   ParentProcessName: Parent Process Name
-  Service: Service
+  Service: Service
+  hasIdentity: hasIdentity
+  SubjectAccountName: SubjectAccountName