security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: OriginalFileName mapping in MDATP ImageLoad events

Browse Source
This commit is contained in:
Florian Roth
2021-07-07 18:22:58 +02:00
parent 25dec8a17b
commit cdc434cfc4
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/sigma/backends/mdatp.py
+1
View File
@@ -160,6 +160,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
"DeviceName": (self.id_mapping, self.default_value_mapping),
"EventType": ("ActionType", self.default_value_mapping),
"FileName": (self.id_mapping, self.default_value_mapping),
"OriginalFileName": ("OriginalFileName", self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"ImageLoaded": ("FolderPath", self.default_value_mapping),
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),