Sigmac WDATP backend: renamed action types

2024-11-07 09:48:58 +00:00 · 2018-07-10 22:49:38 +02:00 · 2018-07-10 22:49:38 +02:00 · d064d24fbe
commit d064d24fbe
parent 57727d2397
1 changed files with 2 additions and 2 deletions
--- a/tools/sigma/backends.py
+++ b/tools/sigma/backends.py
@ -1027,14 +1027,14 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend):
                    return None
                elif self.service == "sysmon" and value == 8:      # Create Remote Thread
                    self.table = "MiscEvents"
-                    return "ActionType == \"CreateRemoteThread\""
+                    return "ActionType == \"CreateRemoteThreadApiCall\""
                elif self.service == "sysmon" and value == 11:     # File Creation
                    self.table = "FileCreationEvents"
                    return None
                elif self.service == "sysmon" and value == 13 \
                    or self.service == "security" and value == 4657:    # Set Registry Value
                    self.table = "RegistryEvents"
-                    return "ActionType == \"SetValue\""
+                    return "ActionType == \"RegistryValueSet\""
                elif self.service == "security" and value == 4624:
                    self.table = "LogonEvents"
                    return None