security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updating the mdatp backend file as it is currently impossible to set an ActionType as there is no mapping to EventType

Browse Source
This commit is contained in:
Chris Brake
2020-06-30 14:49:29 +01:00
parent 0ee47e118c
commit 6ed1ea6509
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/sigma/backends/mdatp.py
+4 -4
View File
@@ -92,7 +92,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
"DeviceEvents": {
"TargetFilename": ("FolderPath", self.default_value_mapping),
"TargetImage": ("FolderPath", self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"User": (self.decompose_user, ),
},
@@ -100,7 +100,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
"TargetObject": ("RegistryKey", self.default_value_mapping),
"ObjectValueName": ("RegistryValueName", self.default_value_mapping),
"Details": ("RegistryValueData", self.default_value_mapping),
"EventType": ("ActionType", self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"User": (self.decompose_user, ),
},
@@ -120,13 +120,13 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
"SourcePort": ("LocalPort", self.default_value_mapping),
"SourceIp": ("LocalIP", self.default_value_mapping),
"DestinationHostname": ("RemoteUrl", self.default_value_mapping),
"EventType": ("ActionType", self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"User": (self.decompose_user, ),
},
"DeviceImageLoadEvents": {
"ImageLoaded": ("FolderPath", self.default_value_mapping),
"EventType": ("ActionType", self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"User": (self.decompose_user, ),
}