security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Support macOS file_event.

Browse Source
This commit is contained in:
Maxime Lamothe-Brassard
2023-01-26 15:51:24 -08:00
parent ff7794225b
commit aa341ab38f
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/sigma/backends/limacharlie.py
+18
View File
@@ -250,6 +250,24 @@ _allFieldMappings = {
postOpMapper = _mapProcessCreationOperations,
isCaseSensitive = ['event/FILE_PATH']
),
"macos/file_event/": SigmaLCConfig(
topLevelParams = {
"events": [
"FILE_CREATE",
"NEW_DOCUMENT",
]
},
preConditions = {
"op": "is mac",
},
fieldMappings = {
"TargetFilename": "event/FILE_PATH",
},
isAllStringValues = False,
keywordField = None,
postOpMapper = None,
isCaseSensitive = ['event/FILE_PATH']
),
},
"artifact": {
"windows//": SigmaLCConfig(