NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commit3aeb7fc

committed

mappings added and fix 7

1 parent5e4f6d4 commit3aeb7fcCopy full SHA for 3aeb7fc

File tree

11 files changed

+66

-9

lines changed

uncoder-core/app/translator/mappings/platforms
- palo_alto_cortex
- sigma

11 files changed

+66

-9

lines changed

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -32,4 +32,5 @@ raw_log_fields:`
`32`	`32`	`userIdentity.principalId:object`
`33`	`33`	`userIdentity.sessionContext.sessionIssuer.type:object`
`34`	`34`	`userIdentity.type:object`
`35`		`-userIdentity.userName:object`
	`35`	`+userIdentity.userName:object`
	`36`	`+requestParameters.publiclyAccessible:object`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml‎`

Lines changed: 46 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,46 @@`
	`1`	`+platform:Palo Alto XSIAM`
	`2`	`+source:azure_signinlogs`
	`3`	`+`
	`4`	`+`
	`5`	`+default_log_source:`
	`6`	`+dataset:msft_azure_raw`
	`7`	`+`
	`8`	`+field_mapping:`
	`9`	`+AppDisplayName:properties.appDisplayName`
	`10`	`+AppId:properties.appId`
	`11`	`+AuthenticationRequirement:properties.authenticationRequirement`
	`12`	`+Category:properties.category`
	`13`	`+ConditionalAccessStatus:properties.conditionalAccessStatus`
	`14`	`+DeviceDetail:properties.deviceDetail`
	`15`	`+IsInteractive:properties.isInteractive`
	`16`	`+NetworkLocationDetails:properties.networkLocationDetails`
	`17`	`+ResourceDisplayName:properties.resourceDisplayName`
	`18`	`+ResourceIdentity:properties.resourceIdentity`
	`19`	`+ResultDescription:properties.resultDescription`
	`20`	`+ResultType:properties.resultType`
	`21`	`+Status.errorCode:properties.status.errorCode`
	`22`	`+Status:properties.status`
	`23`	`+Status.failureReason:properties.status.failureReason`
	`24`	`+TokenIssuerType:properties.tokenIssuerType`
	`25`	`+UserAgent:properties.userAgent`
	`26`	`+UserPrincipalName:properties.userPrincipalName`
	`27`	`+`
	`28`	`+raw_log_fields:`
	`29`	`+properties.appDisplayName:object`
	`30`	`+properties.appId:object`
	`31`	`+properties.authenticationRequirement:object`
	`32`	`+properties.category:object`
	`33`	`+properties.conditionalAccessStatus:object`
	`34`	`+properties.deviceDetail:object`
	`35`	`+properties.isInteractive:object`
	`36`	`+properties.networkLocationDetails:object`
	`37`	`+properties.resourceDisplayName:object`
	`38`	`+properties.resourceIdentity:object`
	`39`	`+properties.resultDescription:object`
	`40`	`+properties.resultType:object`
	`41`	`+properties.status.errorCode:object`
	`42`	`+properties.status:object`
	`43`	`+properties.status.failureReason:object`
	`44`	`+properties.tokenIssuerType:object`
	`45`	`+properties.userAgent:object`
	`46`	`+properties.userPrincipalName:object`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -8,4 +8,6 @@ field_mapping:`
`8`	`8`	`dns-query:xdm.network.dns.dns_question.name`
`9`	`9`	`dns-answer:xdm.network.dns.dns_resource_record.value`
`10`	`10`	`#dns-record: dns-record`
`11`		`-dns_query_name:xdm.network.dns.dns_question.name`
	`11`	`+dns_query_name:xdm.network.dns.dns_question.name`
	`12`	`+QueryName:xdm.network.dns.dns_question.name`
	`13`	`+query:xdm.network.dns.dns_question.name`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,3 +14,6 @@ field_mapping:`
`14`	`14`	`sc-status:xdm.network.http.response_code`
`15`	`15`	`cs-uri-stem:xdm.network.http.url`
`16`	`16`	`cs-uri-query:xdm.network.http.url`
	`17`	`+c-uri-path:xdm.network.http.url`
	`18`	`+uri_path:xdm.network.http.url`
	`19`	`+cs-uri:xdm.network.http.url`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -16,4 +16,5 @@ raw_log_fields:`
`16`	`16`	`HostApplication:regex`
`17`	`17`	`ContextInfo:regex`
`18`	`18`	`HostName:regex`
`19`		`-EngineVersion:regex`
	`19`	`+EngineVersion:regex`
	`20`	`+Path:regex`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -147,4 +147,5 @@ raw_log_fields:`
`147`	`147`	`ExceptionCode:regex`
`148`	`148`	`Service:regex`
`149`	`149`	`SamAccountName:regex`
`150`		`-ImpersonationLevel:regex`
	`150`	`+ImpersonationLevel:regex`
	`151`	`+PrimaryGroupId:regex`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -57,4 +57,5 @@ raw_log_fields:`
`57`	`57`	`FileVersion:regex`
`58`	`58`	`StartAddress:regex`
`59`	`59`	`StartFunction:regex`
`60`		`-EventType:regex`
	`60`	`+EventType:regex`
	`61`	`+GrantedAccess:regex`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -20,4 +20,6 @@ raw_log_fields:`
`20`	`20`	`param1:regex`
`21`	`21`	`param2:regex`
`22`	`22`	`Channel:regex`
`23`		`-DeviceName:regex`
	`23`	`+DeviceName:regex`
	`24`	`+Message:regex`
	`25`	`+ComputerName:regex`

`‎uncoder-core/app/translator/mappings/platforms/sigma/azure_azureactivity.yml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ source: azure_azureactivity`
`4`	`4`
`5`	`5`	`log_source:`
`6`	`6`	`product:[azure]`
`7`		`-service:[azureactivity]`
	`7`	`+service:[azureactivity, activitylogs]`
`8`	`8`
`9`	`9`	`default_log_source:`
`10`	`10`	`product:azure`

`‎uncoder-core/app/translator/mappings/platforms/sigma/azure_azuread.yml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ source: azure_azuread`
`4`	`4`
`5`	`5`	`log_source:`
`6`	`6`	`product:[azure]`
`7`		`-service:[azuread]`
	`7`	`+service:[azuread, auditlogs]`
`8`	`8`
`9`	`9`	`default_log_source:`
`10`	`10`	`product:azure`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3aeb7fc

File tree

11 files changed

11 files changed

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/aws_cloudtrail.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/azure_signinlogs.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/webserver.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_powershell.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_security.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_sysmon.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/windows_system.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/sigma/azure_azureactivity.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/sigma/azure_azuread.yml‎`

0 commit comments