diff --git a/stix_shifter_modules/sumologic/README.md b/stix_shifter_modules/sumologic/README.md index bd84007be..10de12a2a 100644 --- a/stix_shifter_modules/sumologic/README.md +++ b/stix_shifter_modules/sumologic/README.md @@ -18,6 +18,10 @@ Result Endpoint: `https://api.sumologic.com/api/v1/search/jobs//m [SumoLogic Search Job API](https://help.sumologic.com/APIs/Search-Job-API/About-the-Search-Job-API) +## Dialects + +The connector supports two dialects: the default one and [the cloud_siem one](https://help.sumologic.com/docs/cse/get-started-with-cloud-siem/insight-generation-process/#entities-in-messages-are-mapped-to-entity-type-schema-attributes) + ### Format for making STIX translation calls via the CLI `python main.py ` diff --git a/stix_shifter_modules/sumologic/sumologic_supported_stix.md b/stix_shifter_modules/sumologic/sumologic_supported_stix.md index ad7d31b9f..36def131e 100644 --- a/stix_shifter_modules/sumologic/sumologic_supported_stix.md +++ b/stix_shifter_modules/sumologic/sumologic_supported_stix.md @@ -15,6 +15,7 @@ | IN | OR | | OR (Observation) | OR | | AND (Observation) | AND | +| LIKE | = | |
| | ### Searchable STIX objects and properties | STIX Object and Property | Mapped Data Source Fields | @@ -41,6 +42,39 @@ | **user-account**:account_created | createdAt | | **user-account**:account_last_login | lastLoginTimestamp | |
| | +### Searchable STIX objects and properties for Cloud_Siem dialect +| STIX Object and Property | Mapped Data Source Fields | +|--|--| +| **ipv4-addr**:value | device_ip, device_natIp, dns_replyIp, dstDevice_ip, srcDevice_ip, dstDevice_natIp, srcDevice_natIp | +| **ipv4-addr**:resolves-to-ref.value | srcDevice_mac, dstDevice_mac | +| **network-traffic**:dst_port | dstPort | +| **network-traffic**:src_port | srcPort | +| **network-traffic**:dst_ref.value | dstDevice_ip | +| **network-traffic**:src_ref.value | srcDevice_ip | +| **x-oca-event**:network_ref.src_ref.value | srcDevice_ip | +| **x-oca-event**:network_ref.dst_ref.value | dstDevice_ip | +| **x-oca-event**:process_ref.binary_ref.name | baseImage | +| **x-oca-event**:process_ref.command_line | commandLine | +| **x-oca-event**:parent_process_ref.binary_ref.name | parentBaseImage | +| **x-oca-event**:user_ref.user_id | user_username, user_username_raw | +| **x-oca-event**:code | metadata_deviceEventId | +| **mac-addr**:value | device_mac, srcDevice_mac, dstDevice_mac | +| **file**:name | baseImage, parentBaseImage, file_basename, file_path | +| **file**:parent_directory_ref.binary_ref.name | baseImage, parentBaseImage | +| **file**:hashes.SHA-256 | file_hash_sha256 | +| **file**:hashes.MD5 | file_hash_md5 | +| **file**:hashes.SHA-1 | file_hash_sha1 | +| **directory**:path | baseImage, parentBaseImage, file_path | +| **process**:binary_ref.name | baseImage, parentBaseImage | +| **process**:command_line | commandLine | +| **process**:parent_ref.binary_ref.name | parentBaseImage | +| **process**:creator_user_ref.user_id | user_username, user_username_raw | +| **user-account**:user_id | user_username, user_username_raw, fromUser_username, fromUser_username_raw | +| **user-account**:display_name | user_username, user_username_raw, fromUser_username, fromUser_username_raw | +| **domain-name**:value | http_referer_fqdn, http_url_fqdn | +| **url**:value | http_url | +| **email-addr**:value | targetUser_email, 
user_email | +|
| | ### Supported STIX Objects and Properties for Query Results | STIX Object | STIX Property | Data Source Field | |--|--|--|
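Review bot: the new sentence under `## Dialects` in the README hunk ends without a period and never says how a caller selects the second dialect; add the terminal punctuation and one sentence naming the dialect identifier (`cloud_siem`, as used in the link text) and where it is supplied in a translate call, so the `### Format for making STIX translation calls via the CLI` section that follows has the value the reader needs.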
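Review bot: the row `| LIKE | = |` in the operator table documents a lossy mapping that should be either fixed or called out. A STIX `LIKE` pattern carries SQL-style `%` and `_` wildcards; translating it to plain equality sends those characters as literal text, so a pattern such as `[file:name LIKE 'mal%']` matches only the literal string and silently returns nothing. Either map `LIKE` to the data source's wildcard/pattern matching, or add a footnote to the table stating that wildcards are not supported and the pattern is compared literally, so users know why such queries come back empty.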
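Review bot: two property paths in the new Cloud_Siem table are not valid STIX 2.1 paths and should be checked against the mapping definition before merge: `**ipv4-addr**:resolves-to-ref.value` (the STIX property is `resolves_to_refs`, plural with underscores, and it references `mac-addr` objects, which matches the `srcDevice_mac, dstDevice_mac` fields listed) and `**file**:parent_directory_ref.binary_ref.name` (`parent_directory_ref` points to a `directory` object, which has no `binary_ref`). Two smaller points: the heading spells the dialect `Cloud_Siem` while the README hunk calls it `cloud_siem`, so pick one spelling; and the `**email-addr**:value` row appears split after `targetUser_email,` in this view, which, if it is in the file rather than an artifact of the diff rendering, breaks that markdown table row and should be kept on a single line.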