diff --git a/src/main/resources/OSMapping/others_cloud/fieldmappings.yml b/src/main/resources/OSMapping/others_cloud/fieldmappings.yml
index 8d5691ea4..ea0592520 100644
--- a/src/main/resources/OSMapping/others_cloud/fieldmappings.yml
+++ b/src/main/resources/OSMapping/others_cloud/fieldmappings.yml
@@ -1,7 +1,24 @@
 # this file provides pre-defined mappings for Sigma fields defined for all Sigma rules under cloud log group to their corresponding ECS Fields.
 fieldmappings:
- EventID: event_uid
- HiveName: unmapped.HiveName
- fieldB: mappedB
- fieldA1: mappedA
- creationTime: timestamp
+ eventSource: winlog-provider_name
+ status: azure-platformlogs-status
+ eventService: winlog-event_data-ServiceName
+ ResultType: azure-platformlogs-result_type
+ ResultDescription: azure-signinlogs-result_description
+ Operation: azure-activitylogs-operation_name
+ Resultdescription: azure-signinlogs-result_description
+ AuthenticationRequirement: azure-signinlogs-properties-authentication_requirement
+ Status: azure-platformlogs-status
+ OperationName: azure-auditlogs-operation_name
+ ResourceId: azure-resource-id
+ OperationNameValue: azure-auditlogs-operation_name
+ TargetResources: azure-auditlogs-properties-target_resources
+ NetworkLocationDetails: azure-signinlogs-properties-network_location_details
+ DeviceDetail.deviceId: azure-signinlogs-properties-device_detail-device_id
+ ResourceDisplayName: azure-signinlogs-properties-resource_display_name
+ conditionalAccessStatus: azure-signinlogs-properties-conditional_access_status
+ LoggedByService: azure-auditlogs-properties-logged_by_service
+ DeviceDetail.isCompliant: azure-signinlogs-properties-device_detail-is_compliant
+ ActivityDisplayName: azure-auditlogs-properties-activity_display_name
+ gcp.audit.method_name: gcp-audit-method_name
+
diff --git a/src/main/resources/OSMapping/others_cloud/mappings.json b/src/main/resources/OSMapping/others_cloud/mappings.json
index 0e9426a6e..22a361427 100644
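Review bot: `eventSource: winlog-provider_name` and `eventService: winlog-event_data-ServiceName` route two fields of the cloud log group onto Windows event-log aliases, so any Sigma rule in this group that conditions on them is evaluated against a field that cloud documents are unlikely to carry and silently never fires; as I read the Sigma AWS rules, `eventSource` is the CloudTrail service name (e.g. `s3.amazonaws.com`), not a Windows provider, so this looks copied from the windows mapping — please confirm. If the two lines are a deliberate carry-over for rules shared with the windows log group, a comment above them, `# carried over from the windows mapping for shared rules — confirm before removing`, would keep the next reader from quietly "fixing" them; otherwise they should point at a CloudTrail-side alias once one exists in mappings.json. The spelling variants `status`/`Status`, `ResultDescription`/`Resultdescription` and `OperationName`/`OperationNameValue` are distinct YAML keys rather than duplicates, but a one-line comment such as `# case variants cover inconsistent field spellings across Sigma rules` would record the intent so nobody deduplicates them later.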
--- a/src/main/resources/OSMapping/others_cloud/mappings.json
+++ b/src/main/resources/OSMapping/others_cloud/mappings.json
@@ -1,32 +1,76 @@
 {
 "properties": {
- "windows-event_data-CommandLine": {
- "type": "alias",
- "path": "CommandLine"
+ "winlog-provider_name": {
+ "path": "winlog.provider_name",
+ "type": "alias"
+ },
+ "azure-platformlogs-status": {
+ "path": "azure.platformlogs.status",
+ "type": "alias"
+ },
+ "winlog-event_data-ServiceName": {
+ "path": "winlog.event_data.ServiceName",
+ "type": "alias"
+ },
+ "azure-platformlogs-result_type": {
+ "path": "azure.platformlogs.result_type",
+ "type": "alias"
+ },
+ "azure-signinlogs-result_description": {
+ "path": "azure.signinlogs.result_description",
+ "type": "alias"
+ },
+ "azure-activitylogs-operation_name": {
+ "path": "azure.activitylogs.operation_name",
+ "type": "alias"
+ },
+ "azure-signinlogs-properties-authentication_requirement": {
+ "path": "azure.signinlogs.properties.authentication_requirement",
+ "type": "alias"
+ },
+ "azure-auditlogs-operation_name": {
+ "path": "azure.auditlogs.operation_name",
+ "type": "alias"
+ },
+ "azure-resource-id": {
+ "path": "azure.resource.id",
+ "type": "alias"
+ },
+ "azure-auditlogs-properties-target_resources": {
+ "path": "azure.auditlogs.properties.target_resources",
+ "type": "alias"
+ },
+ "azure-signinlogs-properties-network_location_details": {
+ "path": "azure.signinlogs.properties.network_location_details",
+ "type": "alias"
 },
- "event_uid": {
- "type": "alias",
- "path": "EventID"
+ "azure-signinlogs-properties-device_detail-device_id": {
+ "path": "azure.signinlogs.properties.device_detail.device_id",
+ "type": "alias"
 },
- "windows-hostname": {
- "type": "alias",
- "path": "HostName"
+ "azure-signinlogs-properties-resource_display_name": {
+ "path": "azure.signinlogs.properties.resource_display_name",
+ "type": "alias"
 },
- "windows-message": {
- "type": "alias",
- "path": "Message"
+ "azure-signinlogs-properties-conditional_access_status": {
+ "path": "azure.signinlogs.properties.conditional_access_status",
+ "type": "alias"
 },
- "windows-provider-name": {
- "type": "alias",
- "path": "Provider_Name"
+ "azure-auditlogs-properties-logged_by_service": {
+ "path": "azure.auditlogs.properties.logged_by_service",
+ "type": "alias"
 },
- "windows-servicename": {
- "type": "alias",
- "path": "ServiceName"
+ "azure-signinlogs-properties-device_detail-is_compliant": {
+ "path": "azure.signinlogs.properties.device_detail.is_compliant",
+ "type": "alias"
+ },
+ "azure-auditlogs-properties-activity_display_name": {
+ "path": "azure.auditlogs.properties.activity_display_name",
+ "type": "alias"
 },
- "creationTime": {
- "path": "creationTime",
+ "gcp-audit-method_name": {
+ "path": "gcp.audit.method_name",
 "type": "alias"
 }
 }
-}
\ No newline at end of file
+}
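Review bot: Two of the new aliases, `azure-auditlogs-properties-target_resources` → `azure.auditlogs.properties.target_resources` and `azure-signinlogs-properties-network_location_details` → `azure.signinlogs.properties.network_location_details`, point at paths that in the Elastic Azure schema these names appear to follow are object groups rather than leaf fields, and an OpenSearch `alias` must target a concrete field, so applying this mapping to such an index would be rejected at mapping time rather than silently ignored — worth checking against the index template this log group is applied to. The file also declares only the alias side: none of the eighteen target paths are defined here, so every one must already exist in the index with a concrete type, and an alias whose target is missing fails the same way. Strict JSON leaves no room for an in-file comment, so that precondition belongs in the OSMapping README or in a test that applies `mappings.json` to a sample index carrying the expected fields.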