Merge pull request #132 from UncoderIO/gis-7980

saltar-ua · web-flow · commit b5b79dc2c250 · 2024-06-10T12:13:13.000+03:00
Add XQL mappings
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
@@ -2,7 +2,7 @@ platform: Palo Alto XSIAM
 source: webserver
 
 default_log_source:
-  dataset: [apache_tomcat_raw, nginx_nginx_raw, apache_tomcat_raw]
+  datamodel: datamodel
 
 field_mapping:
   c-uri: xdm.network.http.url
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_pipe_created.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_pipe_created.yml
@@ -0,0 +1,12 @@
+platform: Palo Alto XSIAM
+source: windows_pipe_created
+
+default_log_source:
+  preset: xdr_event_log
+
+field_mapping:
+  EventID: action_evtlog_event_id
+
+raw_log_fields:
+  - PipeName
+  - Image
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_access.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_process_access.yml
@@ -0,0 +1,19 @@
+platform: Palo Alto XSIAM
+source: windows_process_access
+
+default_log_source:
+  preset: xdr_event_log
+
+field_mapping:
+  User: action_process_username
+
+raw_log_fields:
+  - SourceProcessGUID
+  - SourceProcessId
+  - SourceThreadId
+  - SourceImage
+  - TargetProcessGUID
+  - TargerProcessId
+  - TargetImage
+  - GrantedAccess
+  - CallTrace
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml
@@ -8,6 +8,7 @@ default_log_source:
 field_mapping:
   EventID: action_evtlog_event_id
   OriginalFileName: actor_process_file_original_name
+  Description: action_evtlog_description
 
 raw_log_fields:
   - CommandLine
@@ -16,7 +17,6 @@ raw_log_fields:
   - CallTrace
   - Company
   - CurrentDirectory
-  - Description
   - DestinationHostname
   - DestinationIp
   - DestinationIsIpv6
diff --git a/uncoder-core/app/translator/mappings/platforms/sigma/windows_process_access.yml b/uncoder-core/app/translator/mappings/platforms/sigma/windows_process_access.yml
@@ -0,0 +1,24 @@
+
+platform: Sigma
+source: windows_process_access
+
+
+log_source:
+  product: [windows]
+  category: [process_access]
+
+default_log_source:
+  product: windows
+  category: process_access
+
+field_mapping:
+  SourceProcessGUID: SourceProcessGUID
+  SourceProcessId: SourceProcessId
+  SourceThreadId: SourceThreadId
+  SourceImage: SourceImage
+  TargetProcessGUID: TargetProcessGUID
+  TargerProcessId: TargerProcessId
+  TargetImage: TargetImage
+  GrantedAccess: GrantedAccess
+  CallTrace: CallTrace
+  User: User
