From b017157d21a7b32a8163b7593d2279a06d3a776f Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@DefensiveDepth.com>
Date: Fri, 1 Mar 2024 14:04:56 -0500
Subject: [PATCH 1/2] Add antivirus mapping

---
 salt/soc/files/soc/sigma_so_pipeline.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index 533823e6f..37e9f4a3e 100644
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -16,7 +16,25 @@ transformations:
         src_port: source.port
         dst_ip: destination.ip.keyword
         dst_port: destination.port
-        winlog.event_data.User: user.name   
+        winlog.event_data.User: user.name
+    # Maps "antivirus" category to Windows Defender logs shipped by Elastic Agent Winlog Integration
+    # winlog.event_data.threat_name has to be renamed prior to ingestion, it is originally winlog.event_data.Threat Name
+    - id: antivirus_field-mappings_windows-defender
+      type: field_name_mapping
+      mapping:
+        Signature: winlog.event_data.threat_name
+      rule_conditions:
+      - type: logsource
+        category: antivirus
+    - id: antivirus_add-fields_windows-defender
+      type: add_condition
+      conditions:
+        winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
+        winlog.provider_name: 'Microsoft-Windows-Windows Defender'
+        event.code: "1116"
+      rule_conditions:
+      - type: logsource
+        category: antivirus
     - id: hashes_process-creation
       type: field_name_mapping
       mapping:

From d832158cc52fe7c87d88fe233c38128d425d0a2f Mon Sep 17 00:00:00 2001
From: Josh Brower <Josh@DefensiveDepth.com>
Date: Fri, 1 Mar 2024 15:26:02 -0500
Subject: [PATCH 2/2] Drop Hashes field

---
 salt/soc/files/soc/sigma_so_pipeline.yaml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index 37e9f4a3e..d227c3f01 100644
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -35,6 +35,17 @@ transformations:
       rule_conditions:
       - type: logsource
         category: antivirus
+    # Drops the Hashes field which is specific to Sysmon logs
+    # Ingested sysmon logs will have the Hashes field mapped to ECS specific fields
+    - id: hashes_drop_sysmon-specific-field
+      type: drop_detection_item
+      field_name_conditions:
+        - type: include_fields
+          fields:
+          - winlog.event_data.Hashes
+      rule_conditions:
+      - type: logsource
+        product: windows
     - id: hashes_process-creation
       type: field_name_mapping
       mapping:
@@ -67,4 +78,4 @@ transformations:
       rule_conditions:
       - type: logsource
         product: windows
-        category: driver_load
\ No newline at end of file
+        category: driver_load