From 2fd88c837d6abcfab64a3ca38faa3b72bce48645 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 14 Jan 2019 23:54:05 +0100
Subject: [PATCH] Added generic sigma rule support to WDATP backend

* Process creation rules
---
 tools/sigma/backends/wdatp.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/tools/sigma/backends/wdatp.py b/tools/sigma/backends/wdatp.py
index 8d5407a28..44cae5471 100644
--- a/tools/sigma/backends/wdatp.py
+++ b/tools/sigma/backends/wdatp.py
@@ -123,12 +123,17 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
     def generate(self, sigmaparser):
         self.table = None
         try:
-            self.product = sigmaparser.parsedyaml['logsource']['product']
-            self.service = sigmaparser.parsedyaml['logsource']['service']
+            self.category = sigmaparser.parsedyaml['logsource'].setdefault('category', None)
+            self.product = sigmaparser.parsedyaml['logsource'].setdefault('product', None)
+            self.service = sigmaparser.parsedyaml['logsource'].setdefault('service', None)
         except KeyError:
+            self.category = None
             self.product = None
             self.service = None
 
+        if (self.category, self.product, self.service) == ("process_creation", "windows", None):
+            self.table = "ProcessCreationEvents"
+
         return super().generate(sigmaparser)
 
     def generateBefore(self, parsed):
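Review bot: The three `setdefault(..., None)` calls in the `try` block mutate the rule's parsed YAML as a side effect of generating a query, writing `category`/`product`/`service` keys with `None` values into `sigmaparser.parsedyaml['logsource']`; that state is presumably shared with whatever else consumes the parser (other backends, later serialization), so a plain read is safer. Replace each with a non-mutating lookup, e.g. `self.category = sigmaparser.parsedyaml['logsource'].get('category')`, and likewise for `product` and `service`; the `except KeyError` then only fires when `logsource` itself is absent, which is the only case the new code can still raise. Note also that a rule not matching `("process_creation", "windows", None)` leaves `self.table` as `None`; how `generateBefore` (which starts at the end of this hunk and continues outside it) handles that is not visible here, so a one-line comment such as `# table stays None when no logsource mapping applies; downstream must handle it` above the `if` would make the contract explicit.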