diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_aadnoninteractiveusersigninlogs.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_aadnoninteractiveusersigninlogs.yml
index f3e64cc0..cd489ccb 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_aadnoninteractiveusersigninlogs.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_aadnoninteractiveusersigninlogs.yml
@@ -13,4 +13,4 @@ field_mapping:
 raw_log_fields:
   properties.userAgent: object
   properties.type: object
-  properties.authenticationProcessingDetails: object
\ No newline at end of file
+  properties.authenticationProcessingDetails: list
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azureactivity.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azureactivity.yml
new file mode 100644
index 00000000..b6605a61
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azureactivity.yml
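Review bot: The rewritten line still ends without a trailing newline (`\ No newline at end of file` on both sides of this hunk), and the same holds for every other file this commit edits or creates, including the new azure_azureactivity.yml, azure_azuread.yml, azure_m365.yml and dns.yml. Ending each mapping file with a single LF keeps later one-line appends from showing up as a remove-plus-add of the last line, which is exactly what this hunk does for `properties.authenticationProcessingDetails`. The type switch from `object` to `list` is otherwise the only change here; no other mapping in this diff uses `list`, so it is worth confirming the mapping loader accepts that value before merging.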
@@ -0,0 +1,33 @@
+platform: Palo Alto XSIAM
+source: azure_azureactivity
+
+
+default_log_source:
+  dataset: msft_azure_raw
+
+field_mapping:
+  ActivityStatus: properties.activityStatus
+  ActivityStatusValue: properties.activityStatusValue
+  ActivitySubstatusValue: properties.activitySubstatusValue
+  Authorization: properties.authorization
+  Category: properties.category
+  CategoryValue: properties.categoryValue
+  OperationName: properties.operationName
+  OperationNameValue: oproperties.perationNameValue
+  ResourceId: properties.resourceId
+  ResourceProviderValue: properties.resourceProviderValue
+  Type: properties.type
+  operationName: properties.operationName
+
+raw_log_fields:
+  properties.activityStatus: object
+  properties.activityStatusValue: object
+  properties.activitySubstatusValue: object
+  properties.authorization: object
+  properties.category: object
+  properties.categoryValue: object
+  properties.operationName: object
+  properties.operationNameValue: object
+  properties.resourceId: object
+  properties.resourceProviderValue: object
+  properties.type: object
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azuread.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azuread.yml
new file mode 100644
index 00000000..c05ce310
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_azuread.yml
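Review bot: `OperationNameValue: oproperties.perationNameValue` has the target prefix mangled, so a rule that uses `OperationNameValue` would be translated to a raw field that does not exist in the dataset; the `raw_log_fields` block further down lists `properties.operationNameValue: object`, which is evidently the intended target. Change the line to `OperationNameValue: properties.operationNameValue`. A misspelled target fails silently at query time (the field simply never matches, so the detection goes dark), which is why a check that every `field_mapping` value appears in the file's `raw_log_fields` would be worth adding for these new mapping files.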
@@ -0,0 +1,34 @@
+platform: Palo Alto XSIAM
+source: azure_azuread
+
+
+default_log_source:
+  dataset: msft_azure_raw
+
+field_mapping:
+  ActivityDisplayName: properties.activityDisplayName
+  Category: properties.category
+  LoggedByService: properties.loggedByService
+  Result: properties.result
+  OperationName: properties.operationName
+  TargetResources: properties.targetResources
+  AADOperationType: properties.AADOperationType
+  InitiatedBy: properties.initiatedBy
+  ResultReason: properties.resultReason
+  Status: properties.status
+  #Status.errorCode: properties.status_errorCode
+  UserAgent: properties.userAgent
+
+raw_log_fields:
+  properties.activityDisplayName: object
+  properties.category: object
+  properties.loggedByService: object
+  properties.result: object
+  properties.operationName: object
+  properties.targetResources: object
+  properties.AADOperationType: object
+  properties.initiatedBy: object
+  properties.resultReason: object
+  properties.status: object
+  properties.status_errorCode: object
+  properties.userAgent: object
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_m365.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_m365.yml
new file mode 100644
index 00000000..ea4cfecf
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_m365.yml
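Review bot: `properties.status_errorCode: object` is declared in `raw_log_fields`, but its only `field_mapping` entry, `#Status.errorCode: properties.status_errorCode`, is commented out, so that raw field is unreachable from any Sigma field name. Either restore the mapping or drop the raw entry; if the line is parked because a dotted source field name such as `Status.errorCode` is not accepted by the loader, say so on the line rather than leaving a bare disabled mapping, e.g. `# Status.errorCode: properties.status_errorCode  (disabled: dotted field names unsupported — confirm)`, and put a space after `#` so yamllint's comments rule passes.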
@@ -0,0 +1,34 @@
+platform: Palo Alto XSIAM
+source: azure_m365
+
+
+default_log_source:
+  dataset: msft_azure_raw
+
+field_mapping:
+  ClientInfoString: properties.clientInfoString
+  LogonError: properties.logonError
+  ModifiedProperties: properties.modifiedProperties
+  OfficeObjectId: properties.officeObjectId
+  OfficeWorkload: properties.officeWorkload
+  Operation: properties.operation
+  Parameters: properties.parameters
+  RecordType: properties.recordType
+  ResultStatus: properties.resultStatus
+  SourceFileExtension: properties.sourceFileExtension
+  SourceFileName: properties.sourceFileName
+  UserAgent: properties.userAgent
+
+raw_log_fields:
+  properties.clientInfoString: object
+  properties.logonError: object
+  properties.modifiedProperties: object
+  properties.officeObjectId: object
+  properties.officeWorkload: object
+  properties.operation: object
+  properties.parameters: object
+  properties.recordType: object
+  properties.resultStatus: object
+  properties.sourceFileExtension: object
+  properties.sourceFileName: object
+  properties.userAgent: object
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml
new file mode 100644
index 00000000..65cbbbad
--- /dev/null
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml
@@ -0,0 +1,11 @@
+platform: Palo Alto XSIAM
+source: dns
+
+default_log_source:
+  datamodel: datamodel
+
+field_mapping:
+  dns-query: xdm.network.dns.dns_question.name
+  dns-answer: xdm.network.dns.dns_resource_record.value
+  #dns-record: dns-record
+  dns_query_name: xdm.network.dns.dns_question.name
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/okta_okta.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/okta_okta.yml
index 6700e0a0..c0ed1066 100644
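Review bot: In dns.yml the commented-out `#dns-record: dns-record` leaves the Sigma `dns-record` field with no mapping, so a rule that uses it presumably fails to translate for this platform even though the file shows it was considered; either map it to an XDM field or remove the line and record the gap in a proper comment (with a space after `#`). `dns-query` and `dns_query_name` both resolve to `xdm.network.dns.dns_question.name`, which is fine as aliases but deserves a one-line note such as `# dns_query_name is an alias of dns-query` so the duplication is not "cleaned up" later. This is also the only file in the commit whose `default_log_source` uses `datamodel:` rather than `dataset:`; if that is deliberate because the targets are XDM fields, a comment saying so would spare the next reader the same question.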
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/okta_okta.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/okta_okta.yml
@@ -7,4 +7,5 @@ default_log_source:
   dataset: okta_okta_raw
 
 field_mapping:
-  eventType: xdm.event.type
\ No newline at end of file
+  eventType: xdm.event.type
+  eventtype: xdm.event.type
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
index 49a58521..505d2498 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml
@@ -12,3 +12,5 @@ field_mapping:
   c-uri-query: xdm.network.http.url
   cs-referrer: xdm.network.http.referrer
   sc-status: xdm.network.http.response_code
+  cs-uri-stem: xdm.network.http.url
+  cs-uri-query: xdm.network.http.url
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml
index 23b288b3..69a100ec 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_image_load.yml
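Review bot: In webserver.yml, `cs-uri-stem` and `cs-uri-query` are both mapped to `xdm.network.http.url`, the same target the existing `c-uri-query` line already uses, so a rule that compares `cs-uri-stem` with an exact path (no `contains`/`endswith` modifier) would be translated into an equality against the full URL and would presumably never match once a query string is present. If there is no path-only field available for this data model, the loss of precision is worth a comment on these two lines, e.g. `# no path-only XDM field here: stem and query both match the full URL; prefer substring modifiers`, so rule authors know what the translation does. The enclosing `field_mapping` block starts before this hunk.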
@@ -27,4 +27,5 @@ field_mapping:
   ParentIntegrityLevel: causality_actor_process_integrity_level
   ParentLogonId: causality_actor_process_logon_id
   ParentProduct: causality_actor_process_signature_product
-  ParentCompany: causality_actor_process_signature_vendor
\ No newline at end of file
+  ParentCompany: causality_actor_process_signature_vendor
+  Signed: actor_process_signature_status #Signature status of the process: Signed = 1 SignedInvalid = 2 Unsigned = 3 FailedToObtain = 4 WeakHash = 5, where the MD5 is used as the hash algorithm. Unsupported = 6, which means the signature was not calculated. InvalidCVE2020_0601 = 7, which means the executable is malicious and is trying to exploit the windows vulnerability CVE2020-0601. Deleted = 8, which means that the file was deleted by the time the agent tried to calculate the signature.
\ No newline at end of file
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml
index bb77e430..a1a1e613 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml
@@ -145,4 +145,6 @@ raw_log_fields:
   UserID: regex
   ParentProcessName: regex
   ExceptionCode: regex
-  Service: regex
\ No newline at end of file
+  Service: regex
+  SamAccountName: regex
+  ImpersonationLevel: regex
\ No newline at end of file
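Review bot: The new `Signed: actor_process_signature_status` line in windows_image_load.yml carries the entire enum description as a trailing inline comment with no space after `#`, which makes the line several hundred characters wide and trips yamllint's comments rule; move the description to comment lines placed directly above the key, one numeric value per line (`# 1 = Signed`, `# 2 = SignedInvalid`, and so on through `# 8 = Deleted`, with the MD5 and CVE remarks kept on the relevant value's line). More importantly, the mapping only renames the field, while the comment itself documents that the target holds a numeric status; if Sigma rules give `Signed` a boolean-like value, a condition such as `Signed: false` would be emitted unchanged and presumably never match, so either add the value translation or state in the comment how `true`/`false` are expected to be rewritten against this enum. The `field_mapping` block containing the new line begins before this hunk.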