From c886e7279363a8f0c614dc8a753166f5d418d5dc Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 22 Feb 2024 08:59:33 -0500
Subject: [PATCH] Imphash mappings
---
 salt/soc/files/soc/sigma_so_pipeline.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index 54ce83eff..8121a6f13 100644
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -15,13 +15,15 @@ transformations:
 src_ip: destination.ip.keyword
 src_port: source.port
 dst_ip: destination.ip.keyword
- dst_port: destination.port
+ dst_port: destination.port
+ winlog.event_data.User: user.name
 - id: hashes_process-creation
 type: field_name_mapping
 mapping:
 winlog.event_data.sha256: process.hash.sha256
 winlog.event_data.sha1: process.hash.sha1
 winlog.event_data.md5: process.hash.md5
+ winlog.event_data.Imphash: process.pe.imphash
 rule_conditions:
 - type: logsource
 product: windows
@@ -32,6 +34,7 @@ transformations:
 winlog.event_data.sha256: dll.hash.sha256
 winlog.event_data.sha1: dll.hash.sha1
 winlog.event_data.md5: dll.hash.md5
+ winlog.event_data.Imphash: dll.pe.imphash
 rule_conditions:
 - type: logsource
 product: windows
@@ -42,6 +45,7 @@ transformations:
 winlog.event_data.sha256: dll.hash.sha256
 winlog.event_data.sha1: dll.hash.sha1
 winlog.event_data.md5: dll.hash.md5
+ winlog.event_data.Imphash: dll.pe.imphash
 rule_conditions:
 - type: logsource
 product: windows
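Review bot: The `winlog.event_data.User: user.name` line added in the first hunk is unrelated to the Imphash mappings the subject describes and needs its own check: Sysmon's `User` field carries the `DOMAIN\user` form, and if the ingest side splits that into `user.name` and `user.domain` (not visible here), Sigma rules that match the full `DOMAIN\user` value will silently stop matching once the field is renamed to `user.name`. The transformation that line belongs to starts above the hunk, so its `id` and `rule_conditions` are not visible and I cannot tell which logsource it is scoped to. For the three Imphash lines, `process.pe.imphash` and `dll.pe.imphash` are the ECS field names and omitting the `.keyword` suffix matches the adjacent `process.hash.*` and `dll.hash.*` mappings, but it is worth confirming that the ingest pipeline actually emits a standalone `Imphash` key rather than only the combined Sysmon `Hashes` string, otherwise these mappings point at a field that never exists and the rules quietly never fire. While here, the untouched context line `src_ip: destination.ip.keyword` directly above the new line looks like it should read `src_ip: source.ip.keyword`; it predates this commit but would make the first mapping block return wrong matches for any source-IP rule.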