From cdc434cfc485bfd7b0cfafbc7df7347c67d5eec1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 7 Jul 2021 18:22:58 +0200
Subject: [PATCH] feat: OriginalFileName mapping in MDATP ImageLoad events

---
 tools/sigma/backends/mdatp.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py
index eb535835a..b9e1b82d9 100644
--- a/tools/sigma/backends/mdatp.py
+++ b/tools/sigma/backends/mdatp.py
@@ -160,6 +160,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
 "DeviceName": (self.id_mapping, self.default_value_mapping),
 "EventType": ("ActionType", self.default_value_mapping),
 "FileName": (self.id_mapping, self.default_value_mapping),
+ "OriginalFileName": ("OriginalFileName", self.default_value_mapping),
 "Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
 "ImageLoaded": ("FolderPath", self.default_value_mapping),
 "ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
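Review bot: The added `"OriginalFileName"` entry spells out an identity mapping as a string literal, whereas the neighbouring same-name entries in this table (`"DeviceName"`, `"FileName"`) use `self.id_mapping` and string literals are reserved for renames such as `"Image"` → `"InitiatingProcessFolderPath"`; for consistency the line should read `"OriginalFileName": (self.id_mapping, self.default_value_mapping),`. The behaviour is presumably the same either way, but a reader scanning the table will otherwise take the literal as a rename. It would also help detection maintainers to note in a short comment which advanced-hunting table this image-load mapping targets and that the column is expected to carry the PE version-info original file name, since that is what Sigma rules keyed on OriginalFileName rely on — confirm against the schema before stating it. The enclosing mapping dict and its method start and end outside the hunk.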