Update Win Logsource Mapping

SigmaHQ · Oct 19, 2022 · a4338e0 · a4338e0 · thomaspatzke · Jan 5, 2023
1 parent 04955c5
commit a4338e0
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/sigma/pipelines/common.py b/sigma/pipelines/common.py
@@ -5,7 +5,7 @@
     "application": "Application",
     "system": "System",
     "sysmon": "Microsoft-Windows-Sysmon/Operational",
-    "powershell": "Microsoft-Windows-PowerShell/Operational",
+    "powershell": ["Microsoft-Windows-PowerShell/Operational", "PowerShellCore/Operational"],
     "powershell-classic": "Windows PowerShell",
     "taskscheduler": "Microsoft-Windows-TaskScheduler/Operational",
     "wmi": "Microsoft-Windows-WMI-Activity/Operational",
@@ -15,7 +15,7 @@
     "ntlm": "Microsoft-Windows-NTLM/Operational",
     "dhcp": "Microsoft-Windows-DHCP-Server/Operational",
     "msexchange-management": "MSExchange Management",
-    "applocker": "Microsoft-Windows-AppLocker/EXE and DLL Management",
+    "applocker": ["Microsoft-Windows-AppLocker/MSI and Script", "Microsoft-Windows-AppLocker/EXE and DLL", "Microsoft-Windows-AppLocker/Packaged app-Deployment", "Microsoft-Windows-AppLocker/Packaged app-Execution"],
     "printservice-admin": "Microsoft-Windows-PrintService/Admin",
     "printservice-operational": "Microsoft-Windows-PrintService/Operational",
     "codeintegrity-operational": "Microsoft-Windows-CodeIntegrity/Operational",
@@ -26,6 +26,9 @@
     "terminalservices-localsessionmanager": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
     "microsoft-servicebus-client": "Microsoft-ServiceBus-Client",
     "ldap_debug": "Microsoft-Windows-LDAP-Client/Debug",
+    "security-mitigations": ["Microsoft-Windows-Security-Mitigations/Kernel Mode", "Microsoft-Windows-Security-Mitigations/User Mode"],
+    "diagnosis-scripted": "Microsoft-Windows-Diagnosis-Scripted/Operational",
+    "shell-core": "Microsoft-Windows-Shell-Core/Operational",
 }
 
 def logsource_windows(service : str) -> LogsourceCondition: