fix field SubjectAccountName

spsocprime · spsocprime · commit ca238161c39b · 2024-06-19T13:59:29.000+03:00
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
@@ -77,6 +77,7 @@ field_mapping:
   OldTargetUserName: xdm.target.user.username
   UserPrincipalName: xdm.source.user.username
   DestAddress: xdm.target.ipv4
+  SubjectAccountName: xdm.source.user.username
   SubjectUserName: xdm.source.user.username
   SubjectUserSid: xdm.source.user.identifier
   SourceAddr: xdm.source.ipv4
@@ -117,7 +118,6 @@ field_mapping:
   method: xdm.network.http.method
   notice.user_agent: xdm.network.http.browser
   hasIdentity: xdm.source.user.identity_type
-  SubjectAccountName: xdm.source.user.username
   ComputerName: xdm.source.host.hostname
   ExternalSeverity: xdm.alert.severity
   SourceMAC: xdm.source.host.mac_addresses
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml
@@ -7,7 +7,8 @@ default_log_source:
 field_mapping:
   EventID: action_evtlog_event_id
   Provider_Name: provider_name
-
+  SubjectAccountName: actor_effective_username
+  
 raw_log_fields:
   ParentImage: regex
   AccessMask: regex
diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml
@@ -130,6 +130,9 @@ field_mapping:
   NewValue: NewValue
   Source: Source
   Status: Status
+  SubjectAccountName: 
+    - Subject Account Name
+    - SubjectAccountName
   SubjectDomainName: SubjectDomainName
   SubjectUserName: Target Username
   SubjectUserSid: SubjectUserSid
@@ -171,5 +174,4 @@ field_mapping:
   UserID: UserID
   ParentProcessName: Parent Process Name
   Service: Service
-  hasIdentity: hasIdentity
-  SubjectAccountName: SubjectAccountName
+  hasIdentity: hasIdentity
