From ab7f37f968e16f4b3694b55cfae6b23449427bc7 Mon Sep 17 00:00:00 2001
From: Nazar Gesyk
Date: Thu, 13 Jun 2024 16:43:57 +0300
Subject: [PATCH] Updated qradar and palo_alto mappings

---
 .../platforms/palo_alto_cortex/default.yml | 3 +++
 .../platforms/palo_alto_cortex/proxy.yml | 3 ++-
 .../mappings/platforms/qradar/default.yml | 16 ++++++++++------
 .../mappings/platforms/qradar/proxy.yml | 9 +++++----
 4 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
index d042787d..81d9dcc8 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/default.yml
@@ -35,6 +35,7 @@ field_mapping:
 DestinationIp: xdm.target.ipv4
 dst-port: xdm.target.port
 DestinationPort: xdm.target.port
+ destinationPort: xdm.target.port
 src-bytes: xdm.source.sent_bytes
 dst-bytes: xdm.target.sent_bytes
 src-hostname: xdm.source.host.hostname
@@ -82,6 +83,7 @@ field_mapping:
 SourceAddress: xdm.source.ipv4
 TargetSid: xdm.target.user.identifier
 TargetUserName: xdm.target.user.username
+ SourceUserName: xdm.source.user.username
 ParentProcessName: xdm.source.process.executable.path
 client.user.full_name: xdm.target.user.username
 source.user.full_name: xdm.source.user.username
@@ -122,3 +124,4 @@ field_mapping:
 DestinationMAC: xdm.target.host.mac_addresses
 SourceOS: xdm.source.host.os
 DestinationOS: xdm.target.host.os
+ url_category: xdm.network.http.url_category
diff --git a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml
index 1d114dac..c546dc4e 100644
--- a/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml
+++ b/uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/proxy.yml
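Review bot: `destinationPort: xdm.target.port` becomes the third key in this file pointing at `xdm.target.port`, next to `DestinationPort` and `dst-port` just above it, and nothing records which spelling is canonical or that the new one is a case variant kept on purpose for inputs that use it. If the loader also derives a reverse (platform-to-generic) map from this mapping, which I cannot tell from the hunk, three keys to one value leave last-wins ordering to pick the reverse name. A one-line comment above the group, `# DestinationPort / destinationPort / dst-port: accepted spellings of the same generic field`, would make the intent explicit; the `SourceUserName` line in the second hunk, which joins `source.user.full_name` on `xdm.source.user.username`, would benefit from the same treatment.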
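Review bot: `url_category: xdm.network.http.url_category` is added here and again, byte-identical, in the palo_alto_cortex/proxy.yml hunk that follows; if proxy.yml is layered over default.yml at load time the second copy is redundant and the two can drift apart unnoticed, and if it is loaded standalone, nothing says so. Either dropping the proxy.yml copy or giving it a comment such as `# kept in sync with default.yml: proxy mappings are loaded standalone` would settle the question; the wording is a guess at the reason and should be adjusted to the real one. The qradar default.yml and proxy.yml hunks add `url_category: XForceCategoryByURL` in the same duplicated way.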
@@ -19,4 +19,5 @@ field_mapping: cs-cookie: xdm.network.http.http_header.value #cs-version: cs-version r-dns: xdm.network.http.domain - post-body: xdm.network.http.http_header.value \ No newline at end of file + post-body: xdm.network.http.http_header.value + url_category: xdm.network.http.url_category \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml index ffd0644f..df7d8daa 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/default.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/default.yml @@ -27,7 +27,7 @@ field_mapping: - destination_ip - destinationIP - destinationaddress - User: + User: - userName - EventUserName CommandLine: Command @@ -35,13 +35,14 @@ field_mapping: Application: - Application - application - SourceHostName: + SourceHostName: - HostCount-source - identityHostName - sourceAssetName - DestinationHostname: + DestinationHostname: - HostCount-destination - Recipient Host + - DestinationHostName src-packets: - PacketRatio-src - src-packets @@ -51,11 +52,14 @@ field_mapping: src-bytes: src-bytes dst-bytes: dst-bytes ExternalSeverity: External Severity - SourceMAC: + SourceMAC: - SourceMAC - MAC DestinationMAC: DestinationMAC - SourceOS: + SourceOS: - SourceOS - OS - DestinationOS: DestinationOS \ No newline at end of file + DestinationOS: DestinationOS + TargetUserName: DestinationUserName + SourceUserName: SourceUserName + url_category: XForceCategoryByURL \ No newline at end of file diff --git a/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml b/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml index 2acad313..58393ac0 100644 --- a/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml +++ b/uncoder-core/app/translator/mappings/platforms/qradar/proxy.yml 
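Review bot: The `post-body` line is rewritten only because the old file ended without a newline, and the new side still carries `\ No newline at end of file`, so the next key appended to this file will cause the same two-line churn and a spurious diff on an unrelated mapping. Ending `url_category: xdm.network.http.url_category` with a newline fixes it. The qradar/default.yml hunk at `@@ -51,11 +52,14 @@` and the qradar/proxy.yml hunk at `@@ -32,4 +32,5 @@` have the same problem.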
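Review bot: The three new QRadar entries, `TargetUserName: DestinationUserName`, `SourceUserName: SourceUserName` and `url_category: XForceCategoryByURL`, are bare property names with nothing to show they were checked against the target schema; I cannot verify from the hunk that `XForceCategoryByURL` in particular is a property the SIEM exposes, and a mapping to a property that does not exist translates without error but yields a rule that never fires, which the translation step cannot catch on its own. A pointer comment above `url_category`, `# property names as exposed in the QRadar schema — XForceCategoryByURL verified against <schema/version placeholder>`, would at least record what they were validated against. Separately, three of the four qradar hunks exist only to strip trailing whitespace from keys such as `SourceMAC:` and `User:`; folding that into the same commit as the mapping changes makes the functional lines harder to pick out.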
@@ -17,14 +17,14 @@ field_mapping: cs-bytes: Bytes Sent #cs-cookie-vars: cs-cookie-vars c-uri-extension: URL - c-uri-query: + c-uri-query: - URL - URL Path #cs-cookie: cs-cookie - cs-host: + cs-host: - UrlHost - URL Host - cs-referrer: + cs-referrer: - URL Referrer - Referrer URL cs-version: HTTP Version @@ -32,4 +32,5 @@ field_mapping: - UrlHost - URL Host sc-status: HTTP Response Code - #post-body: post-body \ No newline at end of file + #post-body: post-body + url_category: XForceCategoryByURL \ No newline at end of file