From d832158cc52fe7c87d88fe233c38128d425d0a2f Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Fri, 1 Mar 2024 15:26:02 -0500
Subject: [PATCH] Drop Hashes field

---
 salt/soc/files/soc/sigma_so_pipeline.yaml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index 37e9f4a3e..d227c3f01 100644
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -35,6 +35,17 @@ transformations:
 rule_conditions:
 - type: logsource
 category: antivirus
+ # Drops the Hashes field which is specific to Sysmon logs
+ # Ingested sysmon logs will have the Hashes field mapped to ECS specific fields
+ - id: hashes_drop_sysmon-specific-field
+ type: drop_detection_item
+ field_name_conditions:
+ - type: include_fields
+ fields:
+ - winlog.event_data.Hashes
+ rule_conditions:
+ - type: logsource
+ product: windows
 - id: hashes_process-creation
 type: field_name_mapping
 mapping:
@@ -67,4 +78,4 @@ transformations:
 rule_conditions:
 - type: logsource
 product: windows
- category: driver_load
\ No newline at end of file
+ category: driver_load
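Review bot: The new `hashes_drop_sysmon-specific-field` transformation removes the `winlog.event_data.Hashes` detection item from every rule with `product: windows`, which silently loosens any rule whose selection depends on that item: the remaining items (or an empty selection, if the hash was the only one) are what gets converted, so a hash-keyed rule loses its most specific constraint instead of failing conversion. Before merging, it is worth verifying on a Sigma rule that matches only on `Hashes` what the pipeline emits, and, if the intent is Sysmon only, narrowing the condition to that logsource (for example `service: sysmon`) so other Windows sources are untouched. The comment could state the trade-off explicitly, e.g. `# Drops the Sysmon-only Hashes field; a rule that relied solely on it will match on its remaining items only`. The `hashes_process-creation` mapping that follows is cut off by the hunk, so whether it already rewrites this field for process_creation rules before the drop runs cannot be confirmed here.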