From 6ed1ea650902f7dd589d18eaec784a8b36be9d29 Mon Sep 17 00:00:00 2001
From: Chris Brake
Date: Tue, 30 Jun 2020 14:49:29 +0100
Subject: [PATCH] Updating the mdatp backend file as it is currently impossible to set an ActionType as there is no mapping to EventType

---
 tools/sigma/backends/mdatp.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py
index f373c0427..ad5d0960a 100644
--- a/tools/sigma/backends/mdatp.py
+++ b/tools/sigma/backends/mdatp.py
@@ -92,7 +92,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
 "DeviceEvents": {
 "TargetFilename": ("FolderPath", self.default_value_mapping),
 "TargetImage": ("FolderPath", self.default_value_mapping),
-
+
 "Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
 "User": (self.decompose_user, ),
 },
@@ -100,7 +100,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
 "TargetObject": ("RegistryKey", self.default_value_mapping),
 "ObjectValueName": ("RegistryValueName", self.default_value_mapping),
 "Details": ("RegistryValueData", self.default_value_mapping),
-
+ "EventType": ("ActionType", self.default_value_mapping),
 "Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
 "User": (self.decompose_user, ),
 },
@@ -120,13 +120,13 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
 "SourcePort": ("LocalPort", self.default_value_mapping),
 "SourceIp": ("LocalIP", self.default_value_mapping),
 "DestinationHostname": ("RemoteUrl", self.default_value_mapping),
-
+ "EventType": ("ActionType", self.default_value_mapping),
 "Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
 "User": (self.decompose_user, ),
 },
 "DeviceImageLoadEvents": {
 "ImageLoaded": ("FolderPath", self.default_value_mapping),
-
+ "EventType": ("ActionType", self.default_value_mapping),
 "Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
 "User": (self.decompose_user, ),
 }
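Review bot: The new `"EventType": ("ActionType", self.default_value_mapping)` entries in the DeviceRegistryEvents, DeviceNetworkEvents and DeviceImageLoadEvents tables translate only the field name, so if `default_value_mapping` passes the Sigma value through unchanged (as its name and its use on every other field suggest), Sysmon-style values from Sigma rules such as `EventType: SetValue` will be emitted verbatim against a column whose vocabulary is Defender's own (`RegistryValueSet` and friends), producing KQL that is syntactically fine but never matches — a silent detection gap rather than a conversion error. The value side needs a translation step in the same shape the file already uses for `"User": (self.decompose_user, )`, keyed on the Sigma vocabulary and falling back to the raw value for anything unknown; the exact ActionType names should be checked against the current advanced-hunting schema before merging. Separately, as far as the collapsed first hunk (`@@ -92,7 +92,7`) shows, the DeviceEvents table only swaps one blank line for another, so despite the commit message that table still has no `EventType` mapping; if that is unintended it should get the same entry. The enclosing mapping dictionary and method start and end outside these hunks, so the helper below is shown as a class-level sketch whose call signature must be aligned with how the backend invokes the value callable.
```python
    # Sigma/Sysmon EventType vocabulary -> Defender ActionType vocabulary.
    # NOTE(review): verify these names against the DeviceRegistryEvents schema.
    _REGISTRY_ACTION = {
        "SetValue": "RegistryValueSet",
        "CreateKey": "RegistryKeyCreated",
        "DeleteKey": "RegistryKeyDeleted",
        "DeleteValue": "RegistryValueDeleted",
        "RenameKey": "RegistryKeyRenamed",
    }

    def map_registry_action(self, value):
        """Translate a Sigma EventType value to Defender's ActionType name, passing unknown values through."""
        return self.default_value_mapping(self._REGISTRY_ACTION.get(value, value))

            # … unchanged: DeviceRegistryEvents TargetObject / ObjectValueName / Details entries …
            "EventType": ("ActionType", self.map_registry_action),
            # … unchanged: Image / User entries …
```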