From 0984293d0c65ca3729405e8ae2a2beed8ff018a5 Mon Sep 17 00:00:00 2001
From: agold
Date: Tue, 20 Aug 2019 14:33:08 -0700
Subject: [PATCH] Support for Malicious cmdlets in ATP

---
 tools/sigma/backends/wdatp.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tools/sigma/backends/wdatp.py b/tools/sigma/backends/wdatp.py
index 55222d0b6..92f46331d 100644
--- a/tools/sigma/backends/wdatp.py
+++ b/tools/sigma/backends/wdatp.py
@@ -138,12 +138,17 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
         if (self.category, self.product, self.service) == ("process_creation", "windows", None):
             self.table = "ProcessCreationEvents"
+        elif (self.category, self.product, self.service) == (None, "windows", "powershell"):
+            self.table = "MiscEvents"
+            self.orToken = ", "
         return super().generate(sigmaparser)
 
     def generateBefore(self, parsed):
         if self.table is None:
             raise NotSupportedError("No WDATP table could be determined from Sigma rule")
+        if self.table == "MiscEvents" and self.service == "powershell":
+            return "%s | where tostring(extractjson('$.Command', AdditionalFields)) in~ " % self.table
         return "%s | where " % self.table
 
     def generateMapItemNode(self, node):
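Review bot: `self.orToken = ", "` in the new `elif` branch stays on the backend instance after the rule is generated, so if the same backend object converts a later non-PowerShell rule, that query would be built with `, ` where the normal or-token belongs; reset it at the top of `generate` with `self.orToken = type(self).orToken` (or assign the default explicitly in the `process_creation` branch) so each rule starts from the class default. The `in~` prefix returned from `generateBefore` also presumes the rest of the query is a flat parenthesized list of literal values — a PowerShell rule whose condition uses `and`/`not` or value modifiers would, as far as these lines show, yield KQL that does not parse or silently fails to match, so consider raising `NotSupportedError` for those shapes or at least documenting the limitation on the branch, e.g. `# MiscEvents/PowerShell: only flat OR-lists of exact Command values are supported`. The hard-coded `$.Command` path ignores whichever field the Sigma rule actually names; worth confirming against `generateMapItemNode`, which lies outside the hunk. The body of `generate` starts outside the hunk.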