From 42e82c95dfbbfa12662b2498a122059247fc3b43 Mon Sep 17 00:00:00 2001
From: albchen
Date: Thu, 18 Mar 2021 15:49:25 -0700
Subject: [PATCH] Updated for use with Image Load events

Added compatibility to add DeviceImageLoadEvents if "image_load" category is found. Also, field ImageLoaded added to the mapping.

---
 tools/sigma/backends/mdatp.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py
index cead68be0..348227bb1 100644
--- a/tools/sigma/backends/mdatp.py
+++ b/tools/sigma/backends/mdatp.py
@@ -162,6 +162,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
 "EventType": ("ActionType", self.default_value_mapping),
 "FileName": (self.id_mapping, self.default_value_mapping),
 "Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
+ "ImageLoaded": ("FolderPath", self.default_value_mapping),
 "ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
 "ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping),
 "ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
@@ -262,6 +263,9 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
 elif (self.category, self.product, self.service) == ("file_event", "windows", None):
 self.tables.append("DeviceFileEvents")
 self.current_table = "DeviceFileEvents"
+ elif (self.category, self.product, self.service) == ("image_load", "windows", None):
+ self.tables.append("DeviceImageLoadEvents")
+ self.current_table = "DeviceImageLoadEvents"
 elif (self.category, self.product, self.service) == ("network_connection", "windows", None):
 self.tables.append("DeviceNetworkEvents")
 self.current_table = "DeviceNetworkEvents"
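Review bot: The new `ImageLoaded` entry maps to a bare `FolderPath`, a column name that exists in several Advanced Hunting tables with different meanings, while the mapping dict it sits in (judging from the neighbouring `Image` and `ParentCommandLine` entries) is shared by every category the backend handles rather than keyed per table. A rule that uses `ImageLoaded` in any other category would therefore be translated silently against that table's `FolderPath` instead of being rejected, so the intended scope should be stated on the line: `# loaded-module path; only meaningful against DeviceImageLoadEvents (image_load category)`. Sigma image_load rules also commonly filter on `Signed`, `SignatureStatus` or `OriginalFileName`, which this hunk does not map; I cannot see from here how unmapped fields are handled, so it is worth confirming they produce an error rather than passing through unchanged. The enclosing mapping dict starts and ends outside the hunk.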
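Review bot: The new `image_load` branch routes rules to `DeviceImageLoadEvents` without recording the coverage caveat that, as far as I know, Defender for Endpoint does not surface every module load in that table (the sensor filters which loads it reports), so a converted Sigma rule can miss loads it would catch on Sysmon Event ID 7 data. A one-line comment on the new `elif` keeps that from surprising detection engineers who compare hit rates across backends: `# NOTE: DeviceImageLoadEvents is not a complete image-load log; expect lower recall than Sysmon EID 7`. The condition and the two assignments mirror the neighbouring branches exactly, so the style is consistent; the enclosing method starts and ends outside the hunk.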