From dcdfaf66f4a0a29afabc24b8158d285581d50adf Mon Sep 17 00:00:00 2001
From: defensivedepth
Date: Wed, 16 Oct 2024 15:20:52 -0400
Subject: [PATCH] Add process and file creation mappings
---
 salt/soc/files/soc/sigma_so_pipeline.yaml | 66 +++++++++++++++++++++++
 1 file changed, 66 insertions(+)
diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index 8314361f5..121bc06a6 100644
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -106,3 +106,69 @@ transformations:
 - type: include_fields
 fields:
 - event.code
+ # Maps Windows + process_creation rules to endpoint process creation logs
+ - id: endpoint_process_create_windows_add-fields
+ type: add_condition
+ conditions:
+ event.category: 'process'
+ event.type: 'start'
+ host.os.type: 'windows'
+ rule_conditions:
+ - type: logsource
+ category: process_creation
+ product: windows
+ # Maps Linux + file_event rules to endpoint file creation logs
+ - id: endpoint_process_create_linux_add-fields
+ type: add_condition
+ conditions:
+ event.category: 'process'
+ event.type: 'start'
+ host.os.type: 'linux'
+ rule_conditions:
+ - type: logsource
+ category: process_creation
+ product: linux
+ # Maps macOS + file_event rules to endpoint file creation logs
+ - id: endpoint_process_create_macos_add-fields
+ type: add_condition
+ conditions:
+ event.category: 'process'
+ event.type: 'start'
+ host.os.type: 'macos'
+ rule_conditions:
+ - type: logsource
+ category: process_creation
+ product: macos
+ # Maps Windows + file_event rules to endpoint file creation logs
+ - id: endpoint_file_create_windows_add-fields
+ type: add_condition
+ conditions:
+ event.category: 'file'
+ event.type: 'creation'
+ host.os.type: 'windows'
+ rule_conditions:
+ - type: logsource
+ category: file_event
+ product: windows
+ # Maps Linux + file_event rules to endpoint file creation logs
+ - id: endpoint_file_create_linux_add-fields
+ type: add_condition
+ conditions:
+ event.category: 'file'
+ event.type: 'creation'
+ host.os.type: 'linux'
+ rule_conditions:
+ - type: logsource
+ category: file_event
+ product: linux
+ # Maps macOS + file_event rules to endpoint file creation logs
+ - id: endpoint_file_create_macos_add-fields
+ type: add_condition
+ conditions:
+ event.category: 'file'
+ event.type: 'creation'
+ host.os.type: 'macos'
+ rule_conditions:
+ - type: logsource
+ category: file_event
+ product: macos
\ No newline at end of file
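Review bot: The comments above `endpoint_process_create_linux_add-fields` and `endpoint_process_create_macos_add-fields` were copied from the file-creation entries and misdescribe the mapping — they say `file_event rules to endpoint file creation logs` while the entry beneath them matches `category: process_creation` and adds `event.category: 'process'` / `event.type: 'start'`; they should read `# Maps Linux + process_creation rules to endpoint process creation logs` and `# Maps macOS + process_creation rules to endpoint process creation logs`. The hunk also ends with `\ No newline at end of file`, so the final `product: macos` line should be terminated with a newline before the next transformation is appended. Indentation was collapsed in this rendering of the patch, so the nesting of `conditions` and `rule_conditions` under each list item could not be verified here and is worth a quick check against the rendered file. Since the six entries differ only in the os/category pair, a short comment above the first one stating that the id pattern `endpoint_<category>_create_<os>_add-fields` is intentional would help whoever adds the next platform keep it consistent.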