diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml index 34f8378e..f54c98a6 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml @@ -2,9 +2,26 @@ platform: Qradar source: default description: Text that describe current mapping -log_source: - devicetype: - - 12 default_log_source: - devicetype: 12 \ No newline at end of file + devicetype: 12 + + +field_mapping: + icmp.type: IcmpType + dst-port: + - DstPort + - DestinationPort + dst-hostname: DstHost + src-port: SourcePort + src-ip: + - sourceip + - source_ip + - SourceIP + dst-ip: + - DestinationIP + - destinationip + - destination_ip + User: userName + CommandLine: Command + Protocol: IPProtocol \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/linux_auditd.yml b/uncoder-core/app/translator/mappings/platforms/qradar/linux_auditd.yml index 3d9f6d94..50e310b0 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/linux_auditd.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/linux_auditd.yml @@ -1,6 +1,6 @@ platform: Qradar source: linux_auditd -description: Auditd field mappings to QRadar default CEPs. +description: Text that describe current mapping log_source: devicetype: [11] @@ -14,8 +14,10 @@ field_mapping: a2: Command a3: Command exe: Process Path - CommandLine: Command + CommandLine: + - Process CommandLine + - Command Image: Process Path User: username LogonId: Logon ID - ParentImage: Parent Process Path \ No newline at end of file + ParentImage: Parent Process Path diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml b/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml index ec7fa6ea..2c6bc4c1 100644 
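Review bot: `User: userName` in the new `field_mapping` of default.yml does not agree with `User: username` in linux_auditd.yml (existing line in the second hunk) and in linux_process_creation.yml (added in this commit); if QRadar resolves custom property names case-sensitively, the default mapping will reference a property the other two files do not, so one spelling should be used everywhere — `User: username` matches the majority. `CommandLine: Command` here is also narrower than the `[Process CommandLine, Command]` pair introduced for linux_auditd.yml below; if default.yml is the fallback when no log-source-specific file matches (I cannot tell from the diff), it should arguably carry the same alternatives, or a comment should say why it does not. Dropping `log_source` while keeping `default_log_source: devicetype: 12` also leaves this file without the `devicetype` list form that linux_auditd.yml uses (`devicetype: [11]`); presumably intended, but a one-line comment above `default_log_source` stating its role (`# fallback source used when no log-source-specific mapping applies`) would help the next maintainer.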
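Review bot: The new `description` line replaces the informative `Auditd field mappings to QRadar default CEPs.` with the placeholder `Text that describe current mapping`, which is a documentation regression rather than a fix. Keep the original sentence, or if the field is meant to be uniform across platform files, at least make it grammatical and specific, e.g. `description: Auditd field mappings to QRadar default custom event properties`. The same placeholder already appears as a context line in default.yml above, so fixing the wording there as well would keep the two files consistent.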
--- a/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml @@ -14,4 +14,6 @@ field_mapping: CommandLine: Command Image: Process Path ParentCommandLine: Parent Command - ParentImage: Parent Process Path \ No newline at end of file + ParentImage: Parent Process Path + User: username + LogonId: Logon ID \ No newline at end of file
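Review bot: The added `LogonId: Logon ID` line still ends with `\ No newline at end of file`, whereas the same commit adds the missing trailing newline to linux_auditd.yml; end this file with a newline too so the next append does not show the last mapping as a spurious removed-and-re-added line. The two new entries duplicate the `User` and `LogonId` mappings in linux_auditd.yml, which is fine if each file is consumed independently, but a short comment on why the process-creation mapping needs them (`# needed for rules that pivot from process creation to the acting user`) would make the intent clear.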