security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added generic sigma rule support to WDATP backend

Browse Source 
* Process creation rules
This commit is contained in:
Thomas Patzke
2019-01-14 23:54:05 +01:00
parent 4e83bfeb16
commit 2fd88c837d
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/sigma/backends/wdatp.py
+7 -2
View File
@@ -123,12 +123,17 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
def generate(self, sigmaparser):
self.table = None
try:
self.product = sigmaparser.parsedyaml['logsource']['product']
self.service = sigmaparser.parsedyaml['logsource']['service']
self.category = sigmaparser.parsedyaml['logsource'].setdefault('category', None)
self.product = sigmaparser.parsedyaml['logsource'].setdefault('product', None)
self.service = sigmaparser.parsedyaml['logsource'].setdefault('service', None)
except KeyError:
self.category = None
self.product = None
self.service = None
if (self.category, self.product, self.service) == ("process_creation", "windows", None):
self.table = "ProcessCreationEvents"
return super().generate(sigmaparser)
def generateBefore(self, parsed):