gis-8825 added sentinel one power query mappings

Author: nazargesyk

uncoder-core/app/translator/mappings/platforms/sentinel_one/default.yml

@@ -0,0 +1,2 @@
+platform: Sentinel One Power Query
+source: default

uncoder-core/app/translator/mappings/platforms/sentinel_one/dns.yml

@@ -0,0 +1,12 @@
+platform: Sentinel One Power Query
+source: dns
+
+field_mapping:
+  Image: src.process.image.path
+  CommandLine: src.process.cmdline
+  ParentImage: src.process.parent.image.path
+  ParentCommandLine: src.process.parent.cmdline
+  query: event.dns.request
+  answer: event.dns.response
+  QueryName: event.dns.request
+  record_type: event.dns.response

uncoder-core/app/translator/mappings/platforms/sentinel_one/linux_file_event.yml

@@ -0,0 +1,11 @@
+platform: Sentinel One Power Query
+source: linux_file_event
+
+field_mapping:
+  Image: src.process.image.path
+  CommandLine: src.process.cmdline
+  ParentImage: src.process.parent.image.path
+  ParentCommandLine: src.process.parent.cmdline
+  TargetFilename: tgt.file.path
+  SourceFilename: tgt.file.oldPath
+  User: src.process.use

uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_image_load.yml

@@ -0,0 +1,9 @@
+platform: Sentinel One Power Query
+source: windows_image_load
+
+field_mapping:
+  Image: Image
+  ImageLoaded: ImageLoaded
+  SignatureStatus: SignatureStatus
+  OriginalFileName: OriginalFileName
+  Signed: Signed

uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_network_connection.yml

@@ -0,0 +1,21 @@
+platform: Sentinel One Power Query
+source: windows_network_connection
+
+field_mapping:
+  Image: src.process.image.path
+  CommandLine: src.process.cmdline
+  ParentImage: src.process.parent.image.path
+  ParentCommandLine: src.process.parent.cmdline
+  DestinationHostname:
+    - url.address
+    - event.dns.request
+  DestinationPort: dst.port.number
+  DestinationIp: dst.ip.address
+  User: src.process.user
+  SourceIp: src.ip.address
+  SourcePort: src.port.number
+  Protocol: NetProtocolName
+  dst_ip: dst.ip.address
+  src_ip: src.ip.address
+  dst_port: dst.port.number
+  src_port: src.port.number

uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_pipe_created.yml

@@ -0,0 +1,9 @@
+platform: Sentinel One Power Query
+source: windows_pipe_created
+
+field_mapping:
+  PipeName: namedPipe.name
+  Image: src.process.image.path
+  CommandLine: src.process.cmdline
+  ParentImage: src.process.parent.image.path
+  ParentCommandLine: src.process.parent.cmdline

uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_process_creation.yml

@@ -0,0 +1,21 @@
+platform: Sentinel One Power Query
+source: windows_process_creation
+
+field_mapping:
+  ProcessId: tgt.process.pid
+  Image: tgt.process.image.path
+  Description: tgt.process.displayName
+  Publisher:  tgt.process.publisher
+  Product: tgt.process.displayName
+  Company: tgt.process.publisher
+  CommandLine: tgt.process.cmdline
+  CurrentDirectory: tgt.process.image.path
+  User: tgt.process.user
+  TerminalSessionId: tgt.process.sessionid
+  IntegrityLevel: tgt.process.integrityLevel
+  md5: tgt.process.image.md5
+  sha1: tgt.process.image.sha1
+  sha256: tgt.process.image.sha256
+  ParentProcessId: src.process.pid
+  ParentImage: src.process.image.path
+  ParentCommandLine: src.process.cmdline

uncoder-core/app/translator/mappings/platforms/sentinel_one/windows_registry_event.yml

@@ -0,0 +1,10 @@
+platform: Sentinel One Power Query
+source: windows_registry_event
+
+field_mapping:
+  Image: src.process.image.path
+  CommandLine: src.process.cmdline
+  ParentImage: src.process.parent.image.path
+  ParentCommandLine: src.process.parent.cmdline
+  TargetObject: registry.keyPath
+  Details: registry.value

uncoder-core/app/translator/platforms/sentinel_one/const.py

@@ -18,3 +18,4 @@
 }
 
 sentinel_one_events_query_details = PlatformDetails(**SENTINEL_ONE_EVENTS_QUERY_DETAILS)
+sentinel_one_power_query_details = PlatformDetails(**SENTINEL_ONE_POWER_QUERY_DETAILS)