Merge pull request #126 from UncoderIO/gis-aql-mapping-improvements

saltar-ua · web-flow · commit 0daa95784a67 · 2024-05-29T15:03:50.000+03:00
Improve mappings
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
@@ -41,5 +41,7 @@ field_mapping:
   dst-hostname: xdm.target.host.hostname
   icmp.type: xdm.network.icmp.type
   icmp.code: xdm.network.icmp.code
-  URL: xdm.target.url
-  QueryName: xdm.target.url
+  c-uri: xdm.network.http.url
+  c-uri-query: xdm.network.http.url
+  QueryName: xdm.network.dns.dns_question.name
+  Application: xdm.network.application_protocol
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/firewall.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/firewall.yml
@@ -51,4 +51,6 @@ field_mapping:
   ParentIntegrityLevel: causality_actor_process_integrity_level
   ParentLogonId: causality_actor_process_logon_id
   ParentProduct: causality_actor_process_signature_product
-  ParentCompany: causality_actor_process_signature_vendor
+  ParentCompany: causality_actor_process_signature_vendor
+  Application: xdm.network.application_protocol
+  application: xdm.network.application_protocol
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml
@@ -13,6 +13,7 @@ field_mapping:
     - DstPort
     - DestinationPort
   dst-hostname: DstHost
+  src-hostname: SrcHost
   src-port: SourcePort
   src-ip:
    - sourceip
@@ -24,4 +25,7 @@ field_mapping:
     - destination_ip
   User: userName
   CommandLine: Command
-  Protocol: IPProtocol
+  Protocol: IPProtocol
+  Application: 
+    - Application
+    - application
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/dns.yml b/uncoder-core/app/translator/mappings/platforms/qradar/dns.yml
@@ -9,7 +9,7 @@ default_log_source:
   devicetype: 185
 
 field_mapping:
-  dns-query: dns-query
+  dns-query: URL
   parent-domain: parent-domain
   dns-answer: dns-answer
-  dns-record: dns-record
+  dns-record: URL
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml b/uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml
@@ -9,7 +9,24 @@ default_log_source:
   devicetype: 4
 
 field_mapping:
-  src-ip: sourceip
-  src-port: sourceport
-  dst-ip: destinationip
-  dst-port: sestinationport
+  src-ip:
+    - sourceip
+    - SrcHost
+    - LocalHost
+    - Source
+    - NetworkView
+  src-port:
+    - sourceport
+    - SrcPort
+    - LocalPort
+  dst-ip:
+    - destinationip
+    - DstHost
+    - RemoteHost
+    - Destination
+  dst-port:
+    - destinationport
+    - DstPort
+    - RemotePort
+  Protocol: IPProtocol
+  Application: Application
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml b/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml
@@ -9,8 +9,10 @@ default_log_source:
   devicetype: 46
 
 field_mapping:
-  c-uri: URL
-  c-useragent: c-useragent
+  c-uri: 
+    - URL
+    - XForceCategoryByURL
+  c-useragent: User Agent
   cs-method: cs-method
   cs-bytes: Bytes Sent
   cs-cookie-vars: cs-cookie-vars
