From 1dec1a49fa6c6aa280c760fbe02b804548e94008 Mon Sep 17 00:00:00 2001
From: albchen
Date: Fri, 10 Sep 2021 15:51:32 -0700
Subject: [PATCH] Mapped OriginalFileName in DeviceProcessEvents

Mapped OriginalFileName to ProcessVersionInfoOriginalFileName in DeviceProcessEvents. Tested and works for rules such as https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_renamed_binary.yml
---
 tools/sigma/backends/mdatp.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py
index 1d45b747d..0becb7a6f 100644
--- a/tools/sigma/backends/mdatp.py
+++ b/tools/sigma/backends/mdatp.py
@@ -83,6 +83,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
 "ImageLoaded": ("FolderPath", self.default_value_mapping),
 "LogonType": (self.id_mapping, self.logontype_mapping),
 "NewProcessName": ("FolderPath", self.default_value_mapping),
+ "OriginalFileName": ("ProcessVersionInfoOriginalFileName", self.default_value_mapping),
 "ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
 "ParentName": ("InitiatingProcessFileName", self.default_value_mapping),
 "ParentProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
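Review bot: The new "OriginalFileName" entry maps unconditionally to ProcessVersionInfoOriginalFileName, yet the same dictionary also carries mappings for other log sources (ImageLoaded, LogonType sit beside it), so a rule outside the process_creation category that uses OriginalFileName would be translated to a column that, as far as I know, exists only on DeviceProcessEvents; if the dict is indeed shared across tables, that scope should be stated. A one-line comment on the new entry would do: `# PE version-resource name; only DeviceProcessEvents exposes it (ProcessVersionInfoOriginalFileName)`. It is also worth noting, in the mapping or the backend docs, that the column reflects whatever the binary's version resource contains and may be empty when it carries none, so rules like win_renamed_binary that select on OriginalFileName simply produce no match for such binaries — a coverage gap defenders should know about rather than a false positive. The enclosing definition starts and ends outside the hunk.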