Commit 3daa20b

Merge pull request #225 from UncoderIO/gis-add-anomali-mappings1612
Gis add anomali mappings1612
2 parents 8c4e32a + 9e0c582 commit 3daa20b

13 files changed

+388
-2
lines changed

Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
platform: Anomali
2+
source: windows_image_load
3+
4+
5+
log_source:
6+
product: [windows]
7+
category: [image_load]
8+
9+
default_log_source:
10+
product: windows
11+
category: image_load
12+
13+
field_mapping:
14+
Image: image
15+
#ImageLoaded: ImageLoaded
16+
#SignatureStatus: SignatureStatus
17+
OriginalFileName: original_file_name
18+
#Signed: Signed
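Review bot: `ImageLoaded` is left as a commented placeholder although it is the field nearly every Sigma `image_load` rule keys on (the path of the loaded DLL), so with only `Image` and `OriginalFileName` active most rules in this category have nothing to translate to. If Anomali has no equivalent, state that instead of leaving a bare `#ImageLoaded: ImageLoaded` line, e.g. `# ImageLoaded: no Anomali equivalent - DLL-path based rules cannot be translated`; if it does, map it. Whether the translator falls back to the raw Sigma name or rejects an unmapped field is not visible from this file and should be confirmed before the mapping ships. The same applies to `SignatureStatus`/`Signed`, which rules use to flag unsigned or invalid-signature loads.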
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
platform: Anomali
2+
source: windows_network_connection
3+
4+
5+
log_source:
6+
product: [windows]
7+
category: [network_connection]
8+
9+
default_log_source:
10+
product: windows
11+
category: network_connection
12+
13+
field_mapping:
14+
Image: image
15+
DestinationHostname: dest
16+
DestinationIp: dest_ip
17+
DestinationPort: dest_port
18+
SourceIp: src_ip
19+
SourcePort: src_port
20+
#Initiated: Initiated
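Review bot: `Initiated` is commented out at the end of the file, yet Sigma `network_connection` rules routinely add `Initiated: 'true'` to restrict matches to outbound connections; losing that condition either widens the translated query to inbound traffic or, if the translator rejects unmapped fields, makes those rules untranslatable. Either map it to the Anomali boolean or record the gap with `# Initiated: not available - outbound-only filters are dropped`. Separately, the sysmon mapping in this PR maps `SourceHostname: src` but this category mapping omits it, so the same field works under `service: sysmon` and fails under `category: network_connection`; adding `SourceHostname: src` keeps the two consistent.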
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
platform: Anomali
2+
source: windows_pipe_created
3+
4+
5+
log_source:
6+
product: [windows]
7+
category: [pipe_created]
8+
9+
default_log_source:
10+
product: windows
11+
category: pipe_created
12+
13+
field_mapping:
14+
EventID: event_id
15+
#PipeName: PipeName
16+
Image: image
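Review bot: `PipeName` is commented out while it is the one field most `pipe_created` rules filter on (default C2 pipe names and the like), so this mapping effectively supports only `EventID` and `Image` conditions. If Anomali exposes the pipe name it should be mapped; if it does not, the comment should say so rather than look like an unfinished line. A header such as `# PipeName has no Anomali equivalent yet; pipe-name based rules cannot be translated` makes the limitation visible to whoever runs Uncoder against this platform.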
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
2+
platform: Anomali
3+
source: windows_process_access
4+
5+
6+
log_source:
7+
product: [windows]
8+
category: [process_access]
9+
10+
default_log_source:
11+
product: windows
12+
category: process_access
13+
14+
field_mapping:
15+
#SourceProcessGUID: SourceProcessGUID
16+
#SourceProcessId: SourceProcessId
17+
#SourceThreadId: SourceThreadId
18+
#ourceImage: SourceImage
19+
#TargetProcessGUID: TargetProcessGUID
20+
#TargerProcessId: TargerProcessId
21+
#TargetImage: TargetImage
22+
#GrantedAccess: GrantedAccess
23+
#CallTrace: CallTrace
24+
User: user
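Review bot: Two of the commented-out entries carry typos that will silently break the moment someone enables them: `#ourceImage: SourceImage` should read `#SourceImage: SourceImage` and `#TargerProcessId: TargerProcessId` should read `#TargetProcessId: TargetProcessId`, because the left-hand key must match the Sigma field name exactly for the mapping to apply. Beyond that, only `User` is active, so the fields that define `process_access` detections - `TargetImage` (e.g. lsass.exe), `GrantedAccess` and `CallTrace` - are all unavailable; unless Anomali lacks them they are the first to map. This file also opens with a stray blank line that the other mapping files in the PR do not have.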
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
platform: Anomali
2+
source: windows_process_creation
3+
4+
5+
log_source:
6+
product: [windows]
7+
category: [process_creation]
8+
9+
default_log_source:
10+
product: windows
11+
category: process_creation
12+
13+
field_mapping:
14+
CommandLine: command_line
15+
#CurrentDirectory: CurrentDirectory
16+
Hashes: file_hash
17+
Image: image
18+
#IntegrityLevel: IntegrityLevel
19+
ParentCommandLine: parent_command_line
20+
ParentImage: parent_image
21+
#ParentUser: ParentUser
22+
#Product: Product
23+
User: user
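Review bot: `OriginalFileName` is not mapped here although the sysmon and image_load mappings in this same PR map it to `original_file_name`; renamed-binary detections in `process_creation` depend on it (`OriginalFileName: 'PsExec.exe'`-style conditions), so the omission either drops the very condition those rules exist for or leaves them untranslatable. Adding `OriginalFileName: original_file_name` keeps the three files consistent. Likewise `ProcessId`/`ParentProcessId` are mapped to `process_id`/`parent_process_id` in the registry_event file but not here; if Anomali process events carry them, the same two lines belong in this file. Note that `Hashes: file_hash` maps Sigma's composite `MD5=...,SHA256=...` string onto a single field - whether Anomali stores hashes in that form is not visible here and should be confirmed.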
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
platform: Anomali
2+
source: windows_registry_event
3+
4+
log_source:
5+
product: [windows]
6+
category: [registry_event, registry_set, registry_delete, registry_add]
7+
8+
default_log_source:
9+
product: windows
10+
category: registry_event
11+
12+
field_mapping:
13+
TargetObject: reg_key
14+
Image: image
15+
Details: reg_value_data
16+
EventType: event_name
17+
CommandLine: command_line
18+
#LogonId: LogonId
19+
#Product: Product
20+
#Company: Company
21+
#IntegrityLevel: IntegrityLevel
22+
#CurrentDirectory: CurrentDirectory
23+
ProcessId: process_id
24+
ParentProcessId: parent_process_id
25+
ParentCommandLine: parent_command_line
26+
ParentImage: parent_image
27+
#ParentUser: ParentUser
28+
#ParentIntegrityLevel: ParentIntegrityLevel
29+
#ParentLogonId: ParentLogonId
30+
#ParentProduct: ParentProduct
31+
#ParentCompany: ParentCompany
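Review bot: All four Sigma registry categories (`registry_event`, `registry_set`, `registry_delete`, `registry_add`) resolve to the single `registry_event` log source, so the category-specific meaning (SetValue / DeleteValue / CreateKey) survives only if the translator itself emits the implicit `EventType` condition; if it does not, a `registry_add` rule translates to a query as broad as a generic `registry_event` one. A comment above `log_source` recording which behaviour is relied on would help, e.g. `# registry_set/delete/add collapse onto registry_event; category semantics must come from EventType -> event_name`. Please also confirm that Anomali's `reg_key` holds the full Sigma `TargetObject` (key path including the value name) - if it is key-only, `TargetObject|endswith` conditions on value names will never match.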
Lines changed: 147 additions & 0 deletions
@@ -0,0 +1,147 @@
1+
platform: Anomali
2+
source: windows_security
3+
4+
5+
log_source:
6+
product: [windows]
7+
service: [security]
8+
9+
default_log_source:
10+
product: windows
11+
service: security
12+
13+
field_mapping:
14+
EventID: event_id
15+
ParentImage: parent_image
16+
#AccessMask: AccessMask
17+
AccountName: user
18+
#AllowedToDelegateTo: AllowedToDelegateTo
19+
#AttributeLDAPDisplayName: AttributeLDAPDisplayName
20+
#AuditPolicyChanges: AuditPolicyChanges
21+
#AuthenticationPackageName: AuthenticationPackageName
22+
#CallingProcessName: CallingProcessName
23+
#Channel: Channel
24+
#ComputerName: ComputerName
25+
#EventType: EventType
26+
#FailureReason: FailureReason
27+
#FileName: FileName
28+
#GrantedAccess: GrantedAccess
29+
#Hashes: Hashes
30+
#HiveName: HiveName
31+
#IpAddress: IpAddress
32+
#IpPort: IpPort
33+
#KeyLength: KeyLength
34+
#LogonProcessName: LogonProcessName
35+
#LogonType: LogonType
36+
#LinkName: LinkName
37+
#MemberName: MemberName
38+
#MemberSid: MemberSid
39+
#NewProcessName: NewProcessName
40+
#ObjectClass: ObjectClass
41+
#ObjectType: ObjectType
42+
#ObjectValueName: ObjectValueName
43+
#Path: Path
44+
#CommandLine: CommandLine
45+
#OldUacValue: OldUacValue
46+
#CertIssuerName: CertIssuerName
47+
#SubStatus: SubStatus
48+
#DisplayName: DisplayName
49+
#TaskContent: TaskContent
50+
#ServiceSid: ServiceSid
51+
#CertThumbprint: CertThumbprint
52+
#ObjectName: ObjectName
53+
#ClassName: ClassName
54+
#NotificationPackageName: NotificationPackageName
55+
#NewSd: NewSd
56+
#TestSigning: TestSigning
57+
#TargetInfo: TargetInfo
58+
#ParentProcessId: ParentProcessId
59+
#AccessList: AccessList
60+
#GroupMembership: GroupMembership
61+
#FilterName: FilterName
62+
#ChangeType: ChangeType
63+
#LayerName: LayerName
64+
#ServiceAccount: ServiceAccount
65+
#ClientProcessId: ClientProcessId
66+
#AttributeValue: AttributeValue
67+
#SessionName: SessionName
68+
#TaskName: TaskName
69+
#ObjectDN: ObjectDN
70+
#TemplateContent: TemplateContent
71+
#NewTemplateContent: NewTemplateContent
72+
#SourcePort: SourcePort
73+
#PasswordLastSet: PasswordLastSet
74+
#PrivilegeList: PrivilegeList
75+
#DeviceDescription: DeviceDescription
76+
#TargetServerName: TargetServerName
77+
#NewTargetUserName: NewTargetUserName
78+
#OperationType: OperationType
79+
#DestPort: DestPort
80+
#ServiceStartType: ServiceStartType
81+
#OldTargetUserName: OldTargetUserName
82+
#UserPrincipalName: UserPrincipalName
83+
#Accesses: Accesses
84+
#DnsHostName: DnsHostName
85+
#DisableIntegrityChecks: DisableIntegrityChecks
86+
#AuditSourceName: AuditSourceName
87+
#Workstation: Workstation
88+
#DestAddress: DestAddress
89+
#PreAuthType: PreAuthType
90+
#SecurityPackageName: SecurityPackageName
91+
#SubjectLogonId: SubjectLogonId
92+
#NewUacValue: NewUacValue
93+
#EnabledPrivilegeList: EnabledPrivilegeList
94+
#RelativeTargetName: RelativeTargetName
95+
#CertSerialNumber: CertSerialNumber
96+
#SidHistory: SidHistory
97+
#TargetLogonId: TargetLogonId
98+
#KernelDebug: KernelDebug
99+
#CallerProcessName: CallerProcessName
100+
#Properties: Properties
101+
#UserAccountControl: UserAccountControl
102+
#RegistryValue: RegistryValue
103+
#SecurityID: SecurityID
104+
#ServiceFileName: ServiceFileName
105+
#SecurityDescriptor: SecurityDescriptor
106+
#ServiceName: ServiceName
107+
#ShareName: ShareName
108+
#NewValue: NewValue
109+
#Source: Source
110+
#Status: Status
111+
#SubjectDomainName: SubjectDomainName
112+
#SubjectUserName: SubjectUserName
113+
#SubjectUserSid: SubjectUserSid
114+
#SourceAddr: SourceAddr
115+
#SourceAddress: SourceAddress
116+
#TargetName: TargetName
117+
#ServicePrincipalNames: ServicePrincipalNames
118+
#TargetDomainName: TargetDomainName
119+
#TargetSid: TargetSid
120+
#TargetUserName: TargetUserName
121+
#ObjectServer: ObjectServer
122+
#TargetUserSid: TargetUserSid
123+
#TicketEncryptionType: TicketEncryptionType
124+
#TicketOptions: TicketOptions
125+
#WorkstationName: WorkstationName
126+
#TransmittedServices: TransmittedServices
127+
#AuthenticationAlgorithm: AuthenticationAlgorithm
128+
#LayerRTID: LayerRTID
129+
#BSSID: BSSID
130+
#BSSType: BSSType
131+
#CipherAlgorithm: CipherAlgorithm
132+
#ConnectionId: ConnectionId
133+
#ConnectionMode: ConnectionMode
134+
#InterfaceDescription: InterfaceDescription
135+
#InterfaceGuid: InterfaceGuid
136+
#OnexEnabled: OnexEnabled
137+
#PHYType: PHYType
138+
#ProfileName: ProfileName
139+
#SSID: SSID
140+
#Domain: Domain
141+
#ServiceType: ServiceType
142+
#SourceName: SourceName
143+
#StartType: StartType
144+
#UserID: UserID
145+
#ParentProcessName: ParentProcessName
146+
#Service: Service
147+
#ProcessName: ProcessName
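Review bot: Two of the three active mappings target Sysmon-style names that Security-channel rules rarely use while the native equivalents stay commented: `ParentImage: parent_image` is a Sysmon EID 1 field, whereas Security 4688 rules use `ParentProcessName` (left commented near the end of this file), and `AccountName: user` is active while `SubjectUserName` and `TargetUserName` - the user fields in 4624/4625/4688/4720/4728 and most other Security rules - are not. As written, logon, account-management and process rules under `service: security` translate without their user or parent-process conditions, or not at all. Suggest adding `SubjectUserName: user`, `TargetUserName: user` (or the distinct Anomali target-user field if one exists) and `ParentProcessName: parent_image` alongside the existing lines, with a comment on `ParentImage`/`AccountName` stating which event IDs actually populate them. `LogonType`, `IpAddress`, `WorkstationName` and `ProcessName` are the next most common fields in Security rules and are all commented out; whether that reflects Anomali's schema or unfinished work should be stated in the file.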
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,63 @@
1+
platform: Anomali
2+
source: windows_sysmon
3+
4+
5+
log_source:
6+
product: [windows]
7+
service: [sysmon]
8+
9+
default_log_source:
10+
product: windows
11+
service: sysmon
12+
13+
field_mapping:
14+
CommandLine: command_line
15+
Image: image
16+
ParentImage: parent_image
17+
EventID: event_id
18+
#CallTrace: CallTrace
19+
#Company: Company
20+
#CurrentDirectory: CurrentDirectory
21+
#Description: Description
22+
DestinationHostname: dest
23+
DestinationIp: dest_ip
24+
#DestinationIsIpv6: DestinationIsIpv6
25+
DestinationPort: dest_port
26+
#DestinationPortName: DestinationPortName
27+
Hashes: file_hash
28+
#Initiated: Initiated
29+
#IntegrityLevel: IntegrityLevel
30+
ParentCommandLine: parent_command_line
31+
#Product: Product
32+
#Protocol: Protocol
33+
#RuleName: RuleName
34+
SourceHostname: src
35+
SourceIp: src_ip
36+
#SourceIsIpv6: SourceIsIpv6
37+
SourcePort: src_port
38+
#SourcePortName: SourcePortName
39+
TargetFilename: file_name
40+
User: user
41+
OriginalFileName: original_file_name
42+
#Signed: Signed
43+
#Signature: Signature
44+
#SignatureStatus: SignatureStatus
45+
TargetObject: reg_key
46+
Details: reg_value_data
47+
QueryName: query
48+
QueryResults: record_type
49+
#QueryStatus: QueryStatus
50+
#IsExecutable: IsExecutable
51+
#PipeName: PipeName
52+
#ImageLoaded: ImageLoaded
53+
#ImagePath: ImagePath
54+
#Imphash: Imphash
55+
#SourceImage: SourceImage
56+
#StartModule: StartModule
57+
#TargetImage: TargetImage
58+
Device: dvc_name
59+
ProcessID: process_id
60+
#FileVersion: FileVersion
61+
#StartAddress: StartAddress
62+
#StartFunction: StartFunction
63+
EventType: event_name
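Review bot: `ProcessID: process_id` uses a capital D, but the Sysmon/Sigma field is `ProcessId`, which is how the registry_event mapping in this PR spells it (`ProcessId: process_id`); if key lookup is case-sensitive this line is dead and `ProcessId` conditions go unmapped under `service: sysmon`, so change it to `ProcessId: process_id`. Two further mappings look semantically doubtful and deserve a confirming comment: `QueryResults: record_type`, because Sysmon EID 22 `QueryResults` holds the resolved answers (e.g. `type: 5 host;::ffff:1.2.3.4;`) rather than only a record type, and `TargetFilename: file_name`, because `TargetFilename` is a full path that rules match with `|contains` on directory components, which fails if `file_name` is a bare file name. `Device: dvc_name` is not a Sysmon event field; if it is meant to catch a Sigma `Computer`-style key, name it that way or comment its intended source.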
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
platform: Anomali
2+
source: windows_system
3+
4+
5+
log_source:
6+
product: [windows]
7+
service: [system]
8+
9+
default_log_source:
10+
product: windows
11+
service: system
12+
13+
field_mapping:
14+
EventID: event_id
15+
#AccountName: AccountName
16+
#ImagePath: ImagePath
17+
#ServiceName: ServiceName
18+
#ServiceType: ServiceType
19+
#StartType: StartType
20+
#Provider_Name: Provider_Name
21+
#Origin: Origin
22+
#HiveName: HiveName
23+
#Caption: Caption
24+
#param1: param1
25+
#param2: param2
26+
#Channel: Channel
27+
#DeviceName: DeviceName
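Review bot: Only `EventID` is mapped, so the fields that define the common System-log detections - `ServiceName`/`ImagePath` for 7045 service installs and `Provider_Name` for provider-scoped rules - are all commented placeholders, meaning any rule under `service: system` with more than an event ID cannot be fully translated. If Anomali parses these fields, `ImagePath`, `ServiceName` and `Provider_Name` are the first to map; if it does not, replace the bare `#ServiceName: ServiceName`-style lines with a note stating the gap, e.g. `# ServiceName/ImagePath: not parsed by Anomali - 7045 rules translate on EventID only`. The commented `#param1`/`#param2` entries suggest this file was templated from a Sigma field list rather than the Anomali schema, so the actual Anomali field names should be verified before any of these are enabled.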
