valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

MDATP ServiceInstalled event mapping

Browse Source
This commit is contained in:
Remco Hofman 2021-06-03 21:43:52 +02:00
parent bcd6d3c9ba
commit 0aa05f53e9
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
tools/sigma/backends/mdatp.py
View File

@ -102,6 +102,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
"ParentCommandLine": ("InitiatingProcessCommandLine", self.default_value_mapping),
"ParentProcessName": ("InitiatingProcessParentFileName", self.default_value_mapping),
"ProcessName": ("InitiatingProcessFileName", self.default_value_mapping),
"ServiceFileName": ("FileName", self.default_value_mapping),
"SourceIp": ("LocalIP", self.default_value_mapping),
"SourcePort": ("LocalPort", self.porttype_mapping),
"TargetFilename": ("FolderPath", self.default_value_mapping),
@ -347,6 +348,10 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
self.tables.append("DeviceLogonEvents")
self.current_table = "DeviceLogonEvents"
return None
elif self.service == "system" and event_id == 7045: # New Service Install
self.tables.append("DeviceEvents")
self.current_table = "DeviceEvents"
return "ActionType == \"ServiceInstalled\""
else:
if not self.tables:
raise NotSupportedError("No sysmon Event ID provided")