valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Reordered fields

Browse Source
This commit is contained in:
Wietze 2020-05-02 14:46:55 +01:00
parent 661108903b
commit 5abf4cbea9
1 changed files with 3 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
tools/sigma/backends/mdatp.py
View File

@ -64,14 +64,13 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
"ParentImage": ("InitiatingProcessFolderPath", self.default_value_mapping),
"SourceImage": ("InitiatingProcessFolderPath", self.default_value_mapping),
"TargetImage": ("FolderPath", self.default_value_mapping),
"TargetObject": ("RegistryKey", self.default_value_mapping),
"User": (self.decompose_user, ),
},
"DeviceEvents": {
"TargetFilename": ("FolderPath", self.default_value_mapping),
"TargetImage": ("FolderPath", self.default_value_mapping),
"Image": ("InitiatingFolderPath", self.default_value_mapping),
"TargetImage": ("InitiatingProcessFolderPath", self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"User": (self.decompose_user, ),
},
"DeviceRegistryEvents": {
@ -79,8 +78,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
"ObjectValueName": ("RegistryValueName", self.default_value_mapping),
"Details": ("RegistryValueData", self.default_value_mapping),
"Image": ("InitiatingFolderPath", self.default_value_mapping),
"TargetImage": ("InitiatingProcessFolderPath", self.default_value_mapping),
"Image": ("InitiatingProcessFolderPath", self.default_value_mapping),
"User": (self.decompose_user, ),
},
"DeviceFileEvents": {