Merge pull request #1757 from wietze/fix/carbon-black-eedr/field_renames

[CarbonBlack EEDR] Several updates to config file
2024-11-07 09:48:58 +00:00 · 2021-07-29 18:13:47 +02:00 · 2021-07-29 18:13:47 +02:00 · f06f8a1191
commit f06f8a1191
parent d7710cdf03 687631ee20
1 changed files with 13 additions and 41 deletions
--- a/tools/config/carbon-black-eedr.yml
+++ b/tools/config/carbon-black-eedr.yml
@ -16,68 +16,56 @@ fieldmappings:
    - process_product_version
    - process_publisher
    - process_file_description
-  DestPort:
-    - netconn_port
-    - netconn_remote_port
+  DestPort: netconn_port
  Destination:
    - netconn_domain
  DestinationAddress:
    - netconn_domain
    - netconn_ipv4
    - netconn_ipv6
-    - netconn_remote_ipv4
-    - netconn_remote_ipv6
-  DestinationHostname: 
+  DestinationHostname:
    - netconn_domain
    - netconn_proxy_domain
  DestinationIp:
    - netconn_ipv4
    - netconn_ipv6
-    - netconn_remote_ipv4
-    - netconn_remote_ipv6
-  DestinationPort:
-    - netconn_port
-    - netconn_remote_port
+  DestinationPort: netconn_port
  Device: device_name
  FileName:
-    - process_internal_name
    - process_name
    - process_original_filename
  FileVersion: process_product_version
  Image:
    - process_name
-    - process_internal_name
  IntegrityLevel: process_integrity_level
  IpAddress:
    - netconn_ipv4
    - netconn_ipv6
    - netconn_local_ipv4
    - netconn_local_ipv6
-    - netconn_remote_ipv4
-    - netconn_remote_ipv6
  LogonId:
    - childproc_username
    - process_username
  md5: hash
-  NewName: regmod_new_name
+  NewName: regmod_name
  OriginalFileName: process_original_filename
  ParentCommandLine: parent_cmdline
  ParentImage: parent_name
  ParentIntegrityLevel: process_integrity_level
  ProcessCommandLine: process_cmdline
  ProcessName: process_name
-  Product: 
+  Product:
    - process_product_name
    - process_file_description
  RelativeTargetName: childproc_name
-  ScriptBlockText: 
+  ScriptBlockText:
    - childproc_cmdline
    - crossproc_cmdline
    - process_cmdline
  ServiceFileName: process_service_name
  ServiceName: process_service_name
  sha256: hash
-  Signature: 
+  Signature:
    - childproc_publisher
    - filemod_publisher
    - modload_publisher
@ -98,27 +86,17 @@ fieldmappings:
    - netconn_local_port
    - netconn_port
  SourceWorkstation: device_name
-  TargetFilename: 
-    - filemod_name
-    - crossproc_name
-  TargetImage:
-    - filemod_name
-    - crossproc_name
-  TargetName:
-    - filemod_name
-    - crossproc_name
+  TargetFilename: filemod_name
+  TargetImage: filemod_name
+  TargetName: filemod_name
  TargetUserName:
    - childproc_username
    - process_username
-  TargetObject: 
-    - regmod_name
-    - regmod_new_name
+  TargetObject: regmod_name
  User:
    - childproc_username
    - process_username
-  Value:
-    - regmod_name
-    - regmod_new_name
+  Value: regmod_name
  Workstation: device_name
  WorkstationName: device_name

@ -127,15 +105,9 @@ fieldmappings:
    - netconn_ipv6
    - netconn_local_ipv4
    - netconn_local_ipv6
-    - netconn_remote_ipv4
-    - netconn_remote_ipv6
-  dst_port:
-    - netconn_port
-    - netconn_remote_port
+  dst_port: netconn_port
  src_ip:
    - netconn_ipv4
    - netconn_ipv6
    - netconn_local_ipv4
    - netconn_local_ipv6
-    - netconn_remote_ipv4
-    - netconn_remote_ipv6