NotificationsYou must be signed in to change notification settings
Fork33
Star165

Commitc1dddc7

committed

merge prod into gis-8036

1 parent0c9b2a0 commitc1dddc7Copy full SHA for c1dddc7

File tree

9 files changed

+53

-19

lines changed

uncoder-core/app/translator
- mappings/platforms
  - palo_alto_cortex
    - dns.yml
    - linux_process_creation.yml
  - qradar
- platforms/palo_alto/renders
  - cortex_xsiam.py

9 files changed

+53

-19

lines changed

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -11,4 +11,4 @@ field_mapping:`
`11`	`11`	`dns_query_name:xdm.network.dns.dns_question.name`
`12`	`12`	`QueryName:xdm.network.dns.dns_question.name`
`13`	`13`	`query:xdm.network.dns.dns_question.name`
`14`		`-dns-record-type:xdm.network.dns.dns_question.type`
	`14`	`+dns-record-type:xdm.network.dns.dns_question.type`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -26,4 +26,5 @@ field_mapping:`
`26`	`26`	`ParentProduct:actor_process_signature_product`
`27`	`27`	`ParentCompany:actor_process_signature_vendor`
`28`	`28`	`md5:action_process_image_md5`
`29`		`-sha256:action_process_image_sha256`
	`29`	`+sha256:action_process_image_sha256`
	`30`	`+EventID:action_evtlog_event_id`

`‎uncoder-core/app/translator/mappings/platforms/qradar/default.yml‎`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,9 @@ field_mapping:`
`59`	`59`	`-dst-packets`
`60`	`60`	`src-bytes:src-bytes`
`61`	`61`	`dst-bytes:dst-bytes`
`62`		`-ExternalSeverity:External Severity`
	`62`	`+ExternalSeverity:`
	`63`	`+ -External Severity`
	`64`	`+ -Observeit Severity`
`63`	`65`	`SourceMAC:`
`64`	`66`	`-SourceMAC`
`65`	`67`	`-MAC`
`@@ -73,6 +75,6 @@ field_mapping:`
`73`	`75`	`SourceUserName:SourceUserName`
`74`	`76`	`url_category:XForceCategoryByURL`
`75`	`77`	`EventSeverity:EventSeverity`
`76`		`-Source:`
	`78`	`+Source:`
`77`	`79`	`-Source`
`78`		`- -source`
	`80`	`+ -source`

`‎uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,10 +11,13 @@ default_log_source:`
`11`	`11`	`field_mapping:`
`12`	`12`	`src-ip:`
`13`	`13`	`-sourceip`
	`14`	`+ -sourceIP`
	`15`	`+ -SourceIP`
`14`	`16`	`-SrcHost`
`15`	`17`	`-LocalHost`
`16`	`18`	`-Source`
`17`	`19`	`-NetworkView`
	`20`	`+ -HostName`
`18`	`21`	`src-port:`
`19`	`22`	`-sourceport`
`20`	`23`	`-SrcPort`

`‎uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml‎`

Lines changed: 5 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,9 +11,12 @@ default_log_source:`
`11`	`11`	`category:8110`
`12`	`12`
`13`	`13`	`field_mapping:`
`14`		`-CommandLine:Command`
	`14`	`+CommandLine:`
	`15`	`+ -Command`
	`16`	`+ -ASACommand`
`15`	`17`	`Image:Process Path`
`16`	`18`	`ParentCommandLine:Parent Command`
`17`	`19`	`ParentImage:Parent Process Path`
`18`	`20`	`User:username`
`19`		`-LogonId:Logon ID`
	`21`	`+LogonId:Logon ID`
	`22`	`+EventID:ASASyslogCode`

`‎uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml‎`

Lines changed: 10 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,13 +11,20 @@ default_log_source:`
`11`	`11`	`category:8110`
`12`	`12`
`13`	`13`	`field_mapping:`
`14`		`-CommandLine:Command`
	`14`	`+CommandLine:`
	`15`	`+ -Command`
	`16`	`+ -Encoded Argument`
`15`	`17`	`CurrentDirectory:CurrentDirectory`
`16`	`18`	`Hashes:File Hash`
`17`		`-Image:Process Path`
	`19`	`+Image:`
	`20`	`+ -Process Path`
	`21`	`+ -Process Name`
	`22`	`+ -DGApplication`
`18`	`23`	`IntegrityLevel:IntegrityLevel`
`19`	`24`	`ParentCommandLine:Parent Command`
`20`	`25`	`ParentImage:Parent Process Path`
`21`	`26`	`ParentUser:ParentUser`
`22`	`27`	`Product:Product`
`23`		`-User:username`
	`28`	`+User:`
	`29`	`+ -username`
	`30`	`+ -userName`

`‎uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@ default_log_source:`
`11`	`11`	`category:8113`
`12`	`12`
`13`	`13`	`field_mapping:`
`14`		`-Image:Process Path`
	`14`	`+Image:`
	`15`	`+ -Process Path`
	`16`	`+ -Terminated Process Name`
`15`	`17`	`ProcessId:ProcessId`
`16`	`18`	`# ProcessGuid: ProcessGuid`

`‎uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml‎`

Lines changed: 18 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,9 @@ default_log_source:`
`9`	`9`	`devicetype:12`
`10`	`10`
`11`	`11`	`field_mapping:`
`12`		`-EventID:Event ID`
	`12`	`+EventID:`
	`13`	`+ -Event ID`
	`14`	`+ -EventID`
`13`	`15`	`ParentImage:Parent Process Path`
`14`	`16`	`AccessMask:AccessMask`
`15`	`17`	`AccountName:Account Name`
`@@ -22,13 +24,16 @@ field_mapping:`
`22`	`24`	`ComputerName:`
`23`	`25`	`-Machine Identifier`
`24`	`26`	`-Hostname`
	`27`	`+ -identityNetBiosName`
`25`	`28`	`EventType:EventType`
`26`	`29`	`FailureReason:FailureReason`
`27`	`30`	`FileName:Filename`
`28`	`31`	`GrantedAccess:GrantedAccess`
`29`	`32`	`Hashes:File Hash`
`30`	`33`	`HiveName:HiveName`
`31`		`-IpAddress:`
	`34`	`+IpAddress:`
	`35`	`+ -sourceIP`
	`36`	`+ -SourceIP`
`32`	`37`	`-sourceip`
`33`	`38`	`-identityIP`
`34`	`39`	`IpPort:sourceport`
`@@ -45,7 +50,7 @@ field_mapping:`
`45`	`50`	`-Process Name`
`46`	`51`	`-New Process Name`
`47`	`52`	`ObjectClass:ObjectClass`
`48`		`-ObjectName:`
	`53`	`+ObjectName:`
`49`	`54`	`-Object Name`
`50`	`55`	`-objectname`
`51`	`56`	`-MSFileObjectName`
`@@ -76,6 +81,7 @@ field_mapping:`
`76`	`81`	`GroupMembership:`
`77`	`82`	`-GroupMembership`
`78`	`83`	`-GroupName`
	`84`	`+ -Group Name`
`79`	`85`	`FilterName:FilterName`
`80`	`86`	`ChangeType:ChangeType`
`81`	`87`	`LayerName:LayerName`
`@@ -95,7 +101,9 @@ field_mapping:`
`95`	`101`	`TargetServerName:TargetServerName`
`96`	`102`	`NewTargetUserName:NewTargetUserName`
`97`	`103`	`OperationType:OperationType`
`98`		`-DestPort:destinationport`
	`104`	`+DestPort:`
	`105`	`+ -destinationport`
	`106`	`+ -DstPort`
`99`	`107`	`ServiceStartType:ServiceStartType`
`100`	`108`	`OldTargetUserName:OldTargetUserName`
`101`	`109`	`UserPrincipalName:UserPrincipalName`
`@@ -104,7 +112,10 @@ field_mapping:`
`104`	`112`	`DisableIntegrityChecks:DisableIntegrityChecks`
`105`	`113`	`AuditSourceName:AuditSourceName`
`106`	`114`	`Workstation:Machine Identifier`
`107`		`-DestAddress:destinationip`
	`115`	`+DestAddress:`
	`116`	`+ -destinationip`
	`117`	`+ -DestinationIP`
	`118`	`+ -destinationaddress`
`108`	`119`	`PreAuthType:PreAuthType`
`109`	`120`	`SecurityPackageName:SecurityPackageName`
`110`	`121`	`SubjectLogonId:SubjectLogonId`
`@@ -150,6 +161,8 @@ field_mapping:`
`150`	`161`	`TargetSid:TargetSid`
`151`	`162`	`TargetUserName:`
`152`	`163`	`-Target Username`
	`164`	`+ -User`
	`165`	`+ -userName`
`153`	`166`	`-Target User Name`
`154`	`167`	`ObjectServer:ObjectServer`
`155`	`168`	`TargetUserSid:TargetUserSid`

`‎uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py‎`

Lines changed: 6 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,6 @@`
`50`	`50`	`}`
`51`	`51`
`52`	`52`
`53`		`-`
`54`	`53`	`classCortexXQLFieldValueRender(BaseFieldValueRender):`
`55`	`54`	`details:PlatformDetails=cortex_xql_query_details`
`56`	`55`	`str_value_manager=cortex_xql_str_value_manager`
`@@ -72,7 +71,7 @@ def _wrap_str_value(value: str) -> str:`
`72`	`71`	`defequal_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
`73`	`72`	`ifisinstance(value,list):`
`74`	`73`	`values=", ".join(`
`75`		`-f"{self._pre_process_value(field,v,value_type=ValueType.value,wrap_str=True)}"forvinvalue`
	`74`	`+f"{self._pre_process_value(field,str(v),value_type=ValueType.value,wrap_str=True)}"forvinvalue`
`76`	`75`	`)`
`77`	`76`	`returnf"{field} in ({values})"`
`78`	`77`
`@@ -123,7 +122,11 @@ def startswith_modifier(self, field: str, value: DEFAULT_VALUE_TYPE) -> str:`
`123`	`122`	`defregex_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
`124`	`123`	`ifisinstance(value,list):`
`125`	`124`	`returnf"({self.or_token.join(self.regex_modifier(field=field,value=v)forvinvalue)})"`
`126`		`-returnf"{field} ~={self._pre_process_value(field ,value,value_type=ValueType.regex_value,wrap_str=True)}"`
	`125`	`+value=self._pre_process_value(field,value,value_type=ValueType.regex_value,wrap_str=True)`
	`126`	`+ifvalue.endswith('\\\\"'):`
	`127`	`+value=value[:-1]+"]"+value[-1:]`
	`128`	`+value=value[:-4]+"["+value[-4:]`
	`129`	`+returnf"{field} ~={value}"`
`127`	`130`
`128`	`131`	`defnot_regex_modifier(self,field:str,value:DEFAULT_VALUE_TYPE)->str:`
`129`	`132`	`ifisinstance(value,list):`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitc1dddc7

File tree

9 files changed

9 files changed

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/dns.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/palo_alto_cortex/linux_process_creation.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/qradar/default.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/qradar/firewall.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/qradar/linux_process_creation.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/qradar/windows_process_creation.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/qradar/windows_process_termination.yml‎`

`‎uncoder-core/app/translator/mappings/platforms/qradar/windows_security.yml‎`

`‎uncoder-core/app/translator/platforms/palo_alto/renders/cortex_xsiam.py‎`

0 commit comments