Add Microsoft-Windows-Windows Defender/Operational

2024-11-07 01:45:21 +00:00 · 2021-08-06 11:12:34 +02:00 · 2021-08-06 11:12:34 +02:00 · f4bef0fc39
commit f4bef0fc39
parent 65251e13e9
2 changed files with 42 additions and 2 deletions
--- a/rules/windows/other/win_defender_amsi_trigger.yml
+++ b/rules/windows/other/win_defender_amsi_trigger.yml
@ -2,6 +2,7 @@ title: Windows Defender AMSI Trigger Detected
 id: ea9bf0fa-edec-4fb8-8b78-b119f2528186
 description: Detects triggering of AMSI by Windows Defender.
 date: 2020/09/14
+modified: 2021/08/06
 author: Bhabesh Raj
 references:
    - https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
@ -12,7 +13,7 @@ logsource:
 detection:
    selection:
        EventID: 1116
-        DetectionSource: 'AMSI'
+        Source Name: 'AMSI'
    condition: selection
 falsepositives:
    - unlikely
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@ -116,7 +116,6 @@ fieldmappings:
    FailureCode: winlog.event_data.FailureCode
    FileName: file.path
    HiveName: winlog.event_data.HiveName
-    Path: winlog.event_data.Path
    ProcessCommandLine: winlog.event_data.ProcessCommandLine
    SecurityID: winlog.event_data.SecurityID
    Source: winlog.event_data.Source
@ -506,3 +505,43 @@ fieldmappings:
    SourceLine: winlog.event_data.SourceLine
    SourceTag: winlog.event_data.SourceTag
    CallStack: winlog.event_data.CallStack
+    #
+    # Microsoft-Windows-Windows Defender/Operational
+    #
+    Action ID: winlog.event_data.Action ID
+    Action Name: winlog.event_data.Action Name
+    Additional Actions ID: winlog.event_data.Additional Actions ID
+    Additional Actions String: winlog.event_data.Additional Actions String
+    Category ID: winlog.event_data.Category ID
+    Category Name: winlog.event_data.Category Name
+    Detection ID: winlog.event_data.Detection ID
+    Detection Time: winlog.event_data.Detection Time
+    Detection User: winlog.event_data.Detection User
+    Engine Version: winlog.event_data.Engine Version
+    Error Code: winlog.event_data.Error Code
+    Error Description: winlog.event_data.Error Description
+    Execution ID: winlog.event_data.Execution ID
+    Execution Name: winlog.event_data.Execution Name
+    FWLink: winlog.event_data.FWLink
+    New Value: winlog.event_data.New Value
+    Old Value: winlog.event_data.Old Value
+    Origin ID: winlog.event_data.Origin ID
+    Origin Name: winlog.event_data.Origin Name
+    Path: winlog.event_data.Path
+    Post Clean Status: winlog.event_data.Post Clean Status
+    Pre Execution Status: winlog.event_data.Pre Execution Status
+    Process Name: winlog.event_data.Process Name
+    Product Name: winlog.event_data.Product Name
+    Product Version: winlog.event_data.Product Version
+    Remediation User: winlog.event_data.Remediation User
+    Security intelligence Version: winlog.event_data.Security intelligence Version
+    Severity ID: winlog.event_data.Severity ID
+    Severity Name: winlog.event_data.Severity Name
+    Source ID: winlog.event_data.Source ID
+    Source Name: winlog.event_data.Source Name
+    Status Code: winlog.event_data.Status Code
+    Status Description: winlog.event_data.Status Description
+    Threat ID: winlog.event_data.Threat ID
+    Threat Name: winlog.event_data.Threat Name
+    Type ID: winlog.event_data.Type ID
+    Type Name: winlog.event_data.Type Name