From 0aa05f53e91963540fe53a87caa1d7586d5ce9cf Mon Sep 17 00:00:00 2001
From: Remco Hofman
Date: Thu, 3 Jun 2021 21:43:52 +0200
Subject: [PATCH] MDATP ServiceInstalled event mapping

---
 tools/sigma/backends/mdatp.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py
index 9a2a6387f..eb535835a 100644
--- a/tools/sigma/backends/mdatp.py
+++ b/tools/sigma/backends/mdatp.py
@@ -102,6 +102,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
             "ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
             "ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping),
             "ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
+            "ServiceFileName": ("FileName", self.default_value_mapping),
             "SourceIp": ("LocalIP", self.default_value_mapping),
             "SourcePort": ("LocalPort", self.porttype_mapping),
             "TargetFilename": ("FolderPath", self.default_value_mapping),
@@ -347,6 +348,10 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
             self.tables.append("DeviceLogonEvents")
             self.current_table = "DeviceLogonEvents"
             return None
+        elif self.service == "system" and event_id == 7045: # New Service Install
+            self.tables.append("DeviceEvents")
+            self.current_table = "DeviceEvents"
+            return "ActionType == \"ServiceInstalled\""
         else:
             if not self.tables:
                 raise NotSupportedError("No sysmon Event ID provided")
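Review bot: Mapping `ServiceFileName` to `FileName` is likely to drop the path component that 7045 detections usually key on: in Windows 7045 the field carries the full image path (often with arguments), whereas the neighbouring `TargetFilename` entry maps path-style values to `FolderPath`, which suggests `FileName` holds only the base name. If that holds for the ServiceInstalled rows as well, rules matching on directory fragments (temp or user-writable locations) would compile to a `FileName contains` clause that can never match; consider `"ServiceFileName": ("FolderPath", self.default_value_mapping),` or documenting the limitation next to the entry. `ServiceName`, the other field such rules commonly filter on, has no entry in the visible part of the mapping; if the backend emits unmapped field names unchanged, a rule using it would produce a column that does not exist on the target table, so it is worth checking where that value lives in the schema before relying on it. The mapping dict starts and ends outside the hunk.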
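Review bot: The new branch accepts only `service == "system"` with 7045, so a rule written against the Security-log form of the same event (4697) still falls through to the `else` and its "No sysmon Event ID provided" error, which is now misleading for non-sysmon sources. If the ServiceInstalled action covers both log sources, as the vendor documentation appears to state, the condition could be widened to `elif (self.service == "system" and event_id == 7045) or (self.service == "security" and event_id == 4697):  # service installation`. As a style point, `'ActionType == "ServiceInstalled"'` avoids the escaped quotes in the returned filter. The enclosing method starts and ends outside the hunk.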