Merge pull request #221 from UncoderIO/gis-9284

nazargesyk · web-flow · commit 4c4f2441a554 · 2024-12-17T13:07:26.000+02:00
gis-9284 add strict mapping to Anomali
diff --git a/uncoder-core/app/translator/mappings/platforms/anomali/proxy.yml b/uncoder-core/app/translator/mappings/platforms/anomali/proxy.yml
@@ -1,9 +1,19 @@
 platform: Anomali
-description: Common field mapping
+source: proxy
 
 field_mapping:
   c-uri-query: url
   c-useragent: user_agent
+  c-uri: url
+  cs-method: http_method
+  cs-bytes: bytes_out
+  cs-referrer: http_referrer
+  sc-status: return_code
+
+  dns-query: query
+  dns-answer: answer
+  dns-record: record_type
+
   CommandLine: command_line
   DestinationHostname: dest
   DestinationIp: dest_ip
diff --git a/uncoder-core/app/translator/mappings/platforms/anomali/webserver.yml b/uncoder-core/app/translator/mappings/platforms/anomali/webserver.yml
@@ -0,0 +1,41 @@
+platform: Anomali
+source: webserver
+
+field_mapping:
+  c-uri-query: url
+  c-useragent: user_agent
+  c-uri: url
+  cs-method: http_method
+  cs-bytes: bytes_out
+  cs-referrer: http_referrer
+  sc-status: return_code
+
+  dns-query: query
+  dns-answer: answer
+  dns-record: record_type
+
+  CommandLine: command_line
+  DestinationHostname: dest
+  DestinationIp: dest_ip
+  DestinationPort: dest_port
+  Details: reg_value_data
+  dst_ip: dest_ip
+  dst_port: dest_port
+  EventID: event_id
+  EventName: event_name
+  FileName: file_name
+  FilePath: file_path
+  Image: image
+  NewProcessName: image
+  OriginalFileName: original_file_name
+  ParentCommandLine: parent_command_line
+  ParentImage: parent_image
+  ParentProcessID: parent_process_id
+  Platform: platform
+  ProcessCommandLine: command_line
+  ProcessID: process_id
+  SourceImage: parent_image
+  SourcePort: src_port
+  TargetFilename: file_name
+  TargetObject: reg_key
+  UserAgent: user_agent
diff --git a/uncoder-core/app/translator/platforms/anomali/mapping.py b/uncoder-core/app/translator/platforms/anomali/mapping.py
@@ -1,4 +1,4 @@
-from app.translator.core.mapping import BaseCommonPlatformMappings, LogSourceSignature
+from app.translator.core.mapping import BaseStrictLogSourcesPlatformMappings, LogSourceSignature
 from app.translator.platforms.anomali.const import anomali_query_details
 
 
@@ -10,7 +10,7 @@ def __str__(self) -> str:
         return ""
 
 
-class AnomaliMappings(BaseCommonPlatformMappings):
+class AnomaliMappings(BaseStrictLogSourcesPlatformMappings):
     def prepare_log_source_signature(self, mapping: dict) -> AnomaliLogSourceSignature:  # noqa: ARG002
         return AnomaliLogSourceSignature()
 
