Merge pull request #123 from UncoderIO/gis-improve-qradar-mappings

Qradar AQL mapping improvements

Author: saltar-ua

uncoder-core/app/translator/mappings/platforms/qradar/default.yml

@@ -2,9 +2,26 @@ platform: Qradar
 source: default
 description: Text that describe current mapping
 
-log_source:
-  devicetype:
-    - 12
 
 default_log_source:
-  devicetype: 12
+  devicetype: 12
+
+
+field_mapping:
+  icmp.type: IcmpType
+  dst-port:
+    - DstPort
+    - DestinationPort
+  dst-hostname: DstHost
+  src-port: SourcePort
+  src-ip:
+   - sourceip
+   - source_ip
+   - SourceIP
+  dst-ip:
+    - DestinationIP
+    - destinationip
+    - destination_ip
+  User: userName
+  CommandLine: Command
+  Protocol: IPProtocol

uncoder-core/app/translator/mappings/platforms/qradar/linux_auditd.yml

@@ -1,6 +1,6 @@
 platform: Qradar
 source: linux_auditd
-description: Auditd field mappings to QRadar default CEPs.
+description: Text that describe current mapping
 
 log_source:
   devicetype: [11]
@@ -14,8 +14,10 @@ field_mapping:
   a2: Command
   a3: Command
   exe: Process Path
-  CommandLine: Command
+  CommandLine:
+    - Process CommandLine
+    - Command
   Image: Process Path
   User: username
   LogonId: Logon ID
-  ParentImage: Parent Process Path
+  ParentImage: Parent Process Path

uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml

@@ -14,4 +14,6 @@ field_mapping:
   CommandLine: Command
   Image: Process Path
   ParentCommandLine: Parent Command
-  ParentImage: Parent Process Path
+  ParentImage: Parent Process Path
+  User: username
+  LogonId: Logon ID