Imphash mappings

salt/soc/files/soc/sigma_so_pipeline.yaml

@@ -15,13 +15,15 @@ transformations:
         src_ip: destination.ip.keyword
         src_port: source.port
         dst_ip: destination.ip.keyword
-        dst_port: destination.port       
+        dst_port: destination.port
+        winlog.event_data.User: user.name   
     - id: hashes_process-creation
       type: field_name_mapping
       mapping:
         winlog.event_data.sha256: process.hash.sha256
         winlog.event_data.sha1: process.hash.sha1
         winlog.event_data.md5: process.hash.md5
+        winlog.event_data.Imphash: process.pe.imphash
       rule_conditions:
       - type: logsource
         product: windows
@@ -32,6 +34,7 @@ transformations:
         winlog.event_data.sha256: dll.hash.sha256
         winlog.event_data.sha1: dll.hash.sha1
         winlog.event_data.md5: dll.hash.md5
+        winlog.event_data.Imphash: dll.pe.imphash
       rule_conditions:
       - type: logsource
         product: windows
@@ -42,6 +45,7 @@ transformations:
         winlog.event_data.sha256: dll.hash.sha256
         winlog.event_data.sha1: dll.hash.sha1
         winlog.event_data.md5: dll.hash.md5
+        winlog.event_data.Imphash: dll.pe.imphash
       rule_conditions:
       - type: logsource
         product: windows