Merge pull request #142 from UncoderIO/gis-xql-06-13-2024

XQL mappings update

Author: saltar-ua

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_aadnoninteractiveusersigninlogs.yml

@@ -13,4 +13,4 @@ field_mapping:
 raw_log_fields:
  properties.userAgent: object
  properties.type: object
- properties.authenticationProcessingDetails: object
+ properties.authenticationProcessingDetails: list

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azureactivity.yml

@@ -0,0 +1,33 @@
+platform: Palo Alto XSIAM
+source: azure_azureactivity
+
+
+default_log_source:
+  dataset: msft_azure_raw
+
+field_mapping:
+  ActivityStatus: properties.activityStatus
+  ActivityStatusValue: properties.activityStatusValue
+  ActivitySubstatusValue: properties.activitySubstatusValue
+  Authorization: properties.authorization
+  Category: properties.category
+  CategoryValue: properties.categoryValue
+  OperationName: properties.operationName
+  OperationNameValue: oproperties.perationNameValue
+  ResourceId: properties.resourceId
+  ResourceProviderValue: properties.resourceProviderValue
+  Type: properties.type
+  operationName: properties.operationName
+
+raw_log_fields:
+  properties.activityStatus: object
+  properties.activityStatusValue: object
+  properties.activitySubstatusValue: object
+  properties.authorization: object
+  properties.category: object
+  properties.categoryValue: object
+  properties.operationName: object
+  properties.operationNameValue: object
+  properties.resourceId: object
+  properties.resourceProviderValue: object
+  properties.type: object

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azuread.yml

@@ -0,0 +1,34 @@
+platform: Palo Alto XSIAM
+source: azure_azuread
+
+
+default_log_source:
+  dataset: msft_azure_raw
+
+field_mapping:
+  ActivityDisplayName: properties.activityDisplayName
+  Category: properties.category
+  LoggedByService: properties.loggedByService
+  Result: properties.result
+  OperationName: properties.operationName
+  TargetResources: properties.targetResources
+  AADOperationType: properties.AADOperationType
+  InitiatedBy: properties.initiatedBy
+  ResultReason: properties.resultReason
+  Status: properties.status
+  #Status.errorCode: properties.status_errorCode
+  UserAgent: properties.userAgent
+
+raw_log_fields:
+  properties.activityDisplayName: object
+  properties.category: object
+  properties.loggedByService: object
+  properties.result: object
+  properties.operationName: object
+  properties.targetResources: object
+  properties.AADOperationType: object
+  properties.initiatedBy: object
+  properties.resultReason: object
+  properties.status: object
+  properties.status_errorCode: object
+  properties.userAgent: object

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_m365.yml

@@ -0,0 +1,34 @@
+platform: Palo Alto XSIAM
+source: azure_m365
+
+
+default_log_source:
+  dataset: msft_azure_raw
+
+field_mapping:
+  ClientInfoString: properties.clientInfoString
+  LogonError: properties.logonError
+  ModifiedProperties: properties.modifiedProperties
+  OfficeObjectId: properties.officeObjectId
+  OfficeWorkload: properties.officeWorkload
+  Operation: properties.operation
+  Parameters: properties.parameters
+  RecordType: properties.recordType
+  ResultStatus: properties.resultStatus
+  SourceFileExtension: properties.sourceFileExtension
+  SourceFileName: properties.sourceFileName
+  UserAgent: properties.userAgent
+
+raw_log_fields:
+  properties.clientInfoString: object
+  properties.logonError: object
+  properties.modifiedProperties: object
+  properties.officeObjectId: object
+  properties.officeWorkload: object
+  properties.operation: object
+  properties.parameters: object
+  properties.recordType: object
+  properties.resultStatus: object
+  properties.sourceFileExtension: object
+  properties.sourceFileName: object
+  properties.userAgent: object

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml

@@ -0,0 +1,11 @@
+platform: Palo Alto XSIAM
+source: dns
+
+default_log_source:
+  datamodel: datamodel
+
+field_mapping:
+  dns-query: xdm.network.dns.dns_question.name
+  dns-answer: xdm.network.dns.dns_resource_record.value
+  #dns-record: dns-record
+  dns_query_name: xdm.network.dns.dns_question.name

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/okta_okta.yml

@@ -7,4 +7,5 @@ default_log_source:
   dataset: okta_okta_raw
 
 field_mapping:
-  eventType: xdm.event.type
+  eventType: xdm.event.type
+  eventtype: xdm.event.type

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml

@@ -12,3 +12,5 @@ field_mapping:
   c-uri-query: xdm.network.http.url
   cs-referrer: xdm.network.http.referrer
   sc-status: xdm.network.http.response_code
+  cs-uri-stem: xdm.network.http.url
+  cs-uri-query: xdm.network.http.url

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml

@@ -27,4 +27,5 @@ field_mapping:
   ParentIntegrityLevel: causality_actor_process_integrity_level
   ParentLogonId: causality_actor_process_logon_id
   ParentProduct: causality_actor_process_signature_product
-  ParentCompany: causality_actor_process_signature_vendor
+  ParentCompany: causality_actor_process_signature_vendor
+  Signed: actor_process_signature_status #Signature status of the process: Signed = 1 SignedInvalid = 2 Unsigned = 3 FailedToObtain = 4 WeakHash = 5, where the MD5 is used as the hash algorithm. Unsupported = 6, which means the signature was not calculated. InvalidCVE2020_0601 = 7, which means the executable is malicious and is trying to exploit the windows vulnerability CVE2020-0601. Deleted = 8, which means that the file was deleted by the time the agent tried to calculate the signature.

uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml

@@ -145,4 +145,6 @@ raw_log_fields:
   UserID: regex
   ParentProcessName: regex
   ExceptionCode: regex
-  Service: regex
+  Service: regex
+  SamAccountName: regex
+  ImpersonationLevel: regex