From b017157d21a7b32a8163b7593d2279a06d3a776f Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Fri, 1 Mar 2024 14:04:56 -0500
Subject: [PATCH] Add antivirus mapping

---
 salt/soc/files/soc/sigma_so_pipeline.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index 533823e6f..37e9f4a3e 100644
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -16,7 +16,25 @@ transformations:
 src_port: source.port
 dst_ip: destination.ip.keyword
 dst_port: destination.port
- winlog.event_data.User: user.name
+ winlog.event_data.User: user.name
+ # Maps "antivirus" category to Windows Defender logs shipped by Elastic Agent Winlog Integration
+ # winlog.event_data.threat_name has to be renamed prior to ingestion, it is originally winlog.event_data.Threat Name
+ - id: antivirus_field-mappings_windows-defender
+ type: field_name_mapping
+ mapping:
+ Signature: winlog.event_data.threat_name
+ rule_conditions:
+ - type: logsource
+ category: antivirus
+ - id: antivirus_add-fields_windows-defender
+ type: add_condition
+ conditions:
+ winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
+ winlog.provider_name: 'Microsoft-Windows-Windows Defender'
+ event.code: "1116"
+ rule_conditions:
+ - type: logsource
+ category: antivirus
 - id: hashes_process-creation
 type: field_name_mapping
 mapping:
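Review bot: The new `antivirus_field-mappings_windows-defender` entry depends on an ingest-side rename of `winlog.event_data.Threat Name` to `winlog.event_data.threat_name` that this pipeline cannot verify, so if that rename is missing or named differently every antivirus-category Sigma rule compiles into a query on a field that never exists and matches nothing — a quiet detection gap rather than an error. The header comment should name where that rename is defined, e.g. `# rename is performed in <INGEST_PIPELINE_PATH — placeholder>; keep both in sync`, so a later change to either side is caught in review. Pinning `event.code` to `"1116"` in `antivirus_add-fields_windows-defender` also scopes the category to a single Defender event ID; whether that is the only detection event of interest or whether the action-taken event should be included as well is not stated, so a one-line comment such as `# 1116 only: detection events; other Defender event codes are intentionally excluded` (or a widened condition, if that is the intent) would make the coverage explicit. As a style point, the block mixes single-quoted channel/provider values with the double-quoted `"1116"`; quoting the code is correct since it must stay a string, but using one quote style throughout the stanza would read more consistently. The enclosing `transformations` sequence starts and continues outside the hunk.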