Add antivirus mapping

This commit is contained in:
Josh Brower
2024-03-01 14:04:56 -05:00
parent d1e55d5ab7
commit b017157d21


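--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -17,6 +17,24 @@ transformations:
 dst_ip: destination.ip.keyword
 dst_port: destination.port
 winlog.event_data.User: user.name
+# Maps "antivirus" category to Windows Defender logs shipped by Elastic Agent Winlog Integration
+# winlog.event_data.threat_name has to be renamed prior to ingestion, it is originally winlog.event_data.Threat Name
+- id: antivirus_field-mappings_windows-defender
+type: field_name_mapping
+mapping:
+Signature: winlog.event_data.threat_name
+rule_conditions:
+- type: logsource
+category: antivirus
+- id: antivirus_add-fields_windows-defender
+type: add_condition
+conditions:
+winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
+winlog.provider_name: 'Microsoft-Windows-Windows Defender'
+event.code: "1116"
+rule_conditions:
+- type: logsource
+category: antivirus
 - id: hashes_process-creation
 type: field_name_mapping
 mapping: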
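Review bot: The `Signature: winlog.event_data.threat_name` mapping only works if the ingest-side rename mentioned in the comment above it actually happens, and nothing in this hunk ties the two together — if the rename is missing or later removed, every antivirus-category rule silently matches nothing rather than failing loudly. The comment should name where that rename lives so the dependency is discoverable, e.g. `# Depends on the ingest-side rename of "winlog.event_data.Threat Name" -> winlog.event_data.threat_name (see <ingest pipeline/processor name>); without it antivirus rules never match`. The `event.code: "1116"` condition restricts matches to a single Defender event; if rules in this category are expected to fire on other Defender detection events as well, that narrowing is worth stating in the comment or widening deliberately. Minor style point: the block mixes single quotes for the channel/provider strings with double quotes for `"1116"` — the rest of the file's quoting convention should decide, but one style within the stanza reads better.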