Merge pull request #12482 from Security-Onion-Solutions/2.4/sigma-pip…

…eline

2.4/sigma pipeline

salt/soc/files/soc/sigma_so_pipeline.yaml

@@ -16,7 +16,36 @@ transformations:
         src_port: source.port
         dst_ip: destination.ip.keyword
         dst_port: destination.port
-        winlog.event_data.User: user.name   
+        winlog.event_data.User: user.name
+    # Maps "antivirus" category to Windows Defender logs shipped by Elastic Agent Winlog Integration
+    # winlog.event_data.threat_name has to be renamed prior to ingestion, it is originally winlog.event_data.Threat Name
+    - id: antivirus_field-mappings_windows-defender
+      type: field_name_mapping
+      mapping:
+        Signature: winlog.event_data.threat_name
+      rule_conditions:
+      - type: logsource
+        category: antivirus
+    - id: antivirus_add-fields_windows-defender
+      type: add_condition
+      conditions:
+        winlog.channel: 'Microsoft-Windows-Windows Defender/Operational'
+        winlog.provider_name: 'Microsoft-Windows-Windows Defender'
+        event.code: "1116"
+      rule_conditions:
+      - type: logsource
+        category: antivirus
+    # Drops the Hashes field which is specific to Sysmon logs
+    # Ingested sysmon logs will have the Hashes field mapped to ECS specific fields
+    - id: hashes_drop_sysmon-specific-field
+      type: drop_detection_item
+      field_name_conditions:
+        - type: include_fields
+          fields:
+          - winlog.event_data.Hashes
+      rule_conditions:
+      - type: logsource
+        product: windows
     - id: hashes_process-creation
       type: field_name_mapping
       mapping:
@@ -49,4 +78,4 @@ transformations:
       rule_conditions:
       - type: logsource
         product: windows
-        category: driver_load
+        category: driver_load