From 29d8e5032bdc6408ad159b3b0145d9d456f59476 Mon Sep 17 00:00:00 2001
From: phaseshiftg <115187865+phaseshiftg@users.noreply.github.com>
Date: Mon, 20 Feb 2023 15:54:47 -0700
Subject: [PATCH] update others_apt (#278)

Signed-off-by: Grant Haywood
Co-authored-by: Subhobrata Dey
---
 .../OSMapping/others_apt/fieldmappings.yml | 7 ++---
 .../OSMapping/others_apt/mappings.json | 28 +++----------------
 2 files changed, 6 insertions(+), 29 deletions(-)

diff --git a/src/main/resources/OSMapping/others_apt/fieldmappings.yml b/src/main/resources/OSMapping/others_apt/fieldmappings.yml
index 41f5d688f..26234ae87 100644
--- a/src/main/resources/OSMapping/others_apt/fieldmappings.yml
+++ b/src/main/resources/OSMapping/others_apt/fieldmappings.yml
@@ -1,7 +1,4 @@
 # this file provides pre-defined mappings for Sigma fields defined for all Sigma rules under apt log group to their corresponding ECS Fields.
 fieldmappings:
- EventID: event_uid
- HiveName: unmapped.HiveName
- fieldB: mappedB
- fieldA1: mappedA
- creationTime: timestamp
+ Image: process-exe
+ CommandLine: process-command_line
diff --git a/src/main/resources/OSMapping/others_apt/mappings.json b/src/main/resources/OSMapping/others_apt/mappings.json
index a3ccdca77..2f12a6177 100644
--- a/src/main/resources/OSMapping/others_apt/mappings.json
+++ b/src/main/resources/OSMapping/others_apt/mappings.json
@@ -1,32 +1,12 @@
 {
 "properties": {
- "windows-event_data-CommandLine": {
+ "process-exe": {
 "type": "alias",
- "path": "CommandLine"
+ "path": "process.exe"
 },
- "event_uid": {
+ "process-command_line": {
 "type": "alias",
- "path": "EventID"
- },
- "windows-hostname": {
- "type": "alias",
- "path": "HostName"
- },
- "windows-message": {
- "type": "alias",
- "path": "Message"
- },
- "windows-provider-name": {
- "type": "alias",
- "path": "Provider_Name"
- },
- "windows-servicename": {
- "type": "alias",
- "path": "ServiceName"
- },
- "timestamp": {
- "path": "creationTime",
- "type": "alias"
+ "path": "process.command_line"
 }
 }
 }
\ No newline at end of file
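Review bot: The new `process-exe` alias targets `"path": "process.exe"`, which is not an ECS field name, while its sibling `process-command_line` correctly targets the ECS name `process.command_line`; the two new entries are therefore inconsistent with each other and with the fieldmappings.yml header in the first hunk, which says Sigma fields map to their corresponding ECS fields. ECS names the executable path `process.executable` (the usual target for Sigma's `Image`), so unless the index template really carries a non-ECS `process.exe` field, the line should read `"path": "process.executable"`. An `alias` field in an OpenSearch mapping only resolves when its path names a concrete field in the same index, so both targets are worth checking against the template these mappings are merged into, since a dangling alias silently breaks every detection rule that relies on it. The file also still ends without a trailing newline.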