valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

added eventid to sysmon process creation

Browse Source
This commit is contained in:
John Tuckner 2019-03-05 20:58:23 -06:00
parent 971bd49071
commit 283bd278f4
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
tools/sigma/backends/ala.py
View File

@ -109,7 +109,7 @@ class AzureLogAnalyticsBackend(SingleTextQueryBackend):
raise NotSupportedError("No table could be determined from Sigma rule")
if self.table is "Event":
parse_string = self.map_sysmon_schema(self.eventid)
before = "{0} | parse EventData with * {1} | where ".format(self.table, parse_string)
before = "{0} | parse EventData with * {1} | where EventID == {2} | where ".format(self.table, parse_string, self.eventid)
else:
before = "%s | where " % self.table
return before