security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1396 from albchen/patch-1

Browse Source 
Updated for use with Image Load events
This commit is contained in:
Florian Roth
2021-03-20 08:28:19 +01:00
committed by GitHub
parent 6b2bcd3d87 42e82c95df
commit a6cd34dbc4
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/sigma/backends/mdatp.py
+4
View File
@@ -162,6 +162,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
"EventType": ("ActionType", self.default_value_mapping),
"FileName": (self.id_mapping, self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"ImageLoaded": ("FolderPath", self.default_value_mapping),
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
"ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping),
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
@@ -262,6 +263,9 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
elif (self.category, self.product, self.service) == ("file_event", "windows", None):
self.tables.append("DeviceFileEvents")
self.current_table = "DeviceFileEvents"
elif (self.category, self.product, self.service) == ("image_load", "windows", None):
self.tables.append("DeviceImageLoadEvents")
self.current_table = "DeviceImageLoadEvents"
elif (self.category, self.product, self.service) == ("network_connection", "windows", None):
self.tables.append("DeviceNetworkEvents")
self.current_table = "DeviceNetworkEvents"