From 6ffe463abe20e328e2ee58e135793edd89fa261b Mon Sep 17 00:00:00 2001
From: Grant Haywood
Date: Thu, 29 Dec 2022 16:01:27 -0700
Subject: [PATCH] updated ad_ldap mappings

Signed-off-by: Grant Haywood
---
 src/main/resources/OSMapping/ad_ldap/fieldmappings.yml | 7 +------
 src/main/resources/OSMapping/ad_ldap/mappings.json | 10 +++-------
 2 files changed, 4 insertions(+), 13 deletions(-)

diff --git a/src/main/resources/OSMapping/ad_ldap/fieldmappings.yml b/src/main/resources/OSMapping/ad_ldap/fieldmappings.yml
index 9ab79f08f..70ebfe168 100644
--- a/src/main/resources/OSMapping/ad_ldap/fieldmappings.yml
+++ b/src/main/resources/OSMapping/ad_ldap/fieldmappings.yml
@@ -1,7 +1,2 @@
-# this file provides pre-defined mappings for Sigma fields defined for all Sigma rules under windows log group to their corresponding ECS Fields.
 fieldmappings:
-  EventID: event_uid
-  HiveName: unmapped.HiveName
-  fieldB: mappedB
-  fieldA1: mappedA
-  CommandLine: windows-event_data-CommandLine
+  TargetUserName: winlog-event_data-TargetUserName
diff --git a/src/main/resources/OSMapping/ad_ldap/mappings.json b/src/main/resources/OSMapping/ad_ldap/mappings.json
index ea77f2460..f68692f5a 100644
--- a/src/main/resources/OSMapping/ad_ldap/mappings.json
+++ b/src/main/resources/OSMapping/ad_ldap/mappings.json
@@ -1,12 +1,8 @@
 {
   "properties": {
-    "windows-event_data-CommandLine": {
-      "type": "alias",
-      "path": "CommandLine"
-    },
-    "event_uid": {
-      "type": "alias",
-      "path": "EventID"
+    "winlog-event_data-TargetUserName": {
+      "path": "winlog.event_data.TargetUserName",
+      "type": "alias"
     }
   }
 }
\ No newline at end of file
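Review bot: The header comment at the top of the hunk is removed and nothing replaces it, so fieldmappings.yml is left as a single entry with no statement that the key is the Sigma field name and the value must match a property declared in mappings.json; I would keep a one-line header such as `# Sigma field name -> index field for the ad_ldap log type; each value must exist as a property (alias) in mappings.json`. The hunk also drops the `EventID: event_uid` mapping together with the placeholder entries (fieldB, fieldA1), so any ad_ldap rule that conditions on EventID presumably no longer has that field resolved; if that is intentional, a short comment saying so would stop the next reader from re-adding it. The same mapping-name coupling applies to the mappings.json hunk that follows.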
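Review bot: The new `"winlog-event_data-TargetUserName"` alias points `path` at `winlog.event_data.TargetUserName`, but this file declares no concrete field at that path; an alias field can only be created when its target already exists in the index mapping, so this presumably relies on the concrete field arriving with the ingested documents or from another mapping, which is worth confirming and recording (for example in the fieldmappings.yml header, since JSON has no comment syntax). The new object also swaps the key order to `path` before `type`, unlike the removed entries; keeping `"type": "alias"` first would match the previous layout. The file still ends without a trailing newline (`\ No newline at end of file`), which is easy to fix in the same change.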