Add Service Mappings to Sigma Event Logs #130
Merged
Based on my comment at #122 I decided to try implementing more service mappings and providers. I used thor.yml for inspiration and based on my tests so far it seems promising as a solution to #122. Let me know what you think.
I did leave out some, including System, Application and PowerShell, due to not being sure what the Provider Name is for System and Application. I presume they are both the same name as their title? For PowerShell I was unsure how to represent multiple Providers, so I chose to leave that one for now. I did attempt multiple providers with a problematic rule at the bottom of the commit, but I am unsure if it is correct.
Edit: Service: System and Service: Application appear to specify multiple providers in their rules already, so I won't need to add System or Application to this PR.
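As an added illustration (not code from this PR or the project), the following resolves a Sigma logsource service to the Windows event log channel/provider pairs it should cover, including a service that spans several providers as raised above for PowerShell. The mapping table, the event record shape and the helper names are assumptions, not the project's format.

```python
"""Resolve Sigma logsource services to Windows event log (Channel, Provider Name)
pairs, allowing one service to map onto several providers. Constructed example."""

# Hypothetical mapping table: Sigma service -> list of (Channel, Provider Name).
# Values are illustrative; verify against real event metadata before relying on them.
SERVICE_MAP = {
    "security": [("Security", "Microsoft-Windows-Security-Auditing")],
    "sysmon": [("Microsoft-Windows-Sysmon/Operational", "Microsoft-Windows-Sysmon")],
    # One service, two providers: the modern ETW provider and the legacy engine log.
    "powershell": [
        ("Microsoft-Windows-PowerShell/Operational", "Microsoft-Windows-PowerShell"),
        ("Windows PowerShell", "PowerShell"),
    ],
}

# Constructed sample events in the shape an EVTX parser might emit (assumed field names).
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-PowerShell/Operational",
     "Provider_Name": "Microsoft-Windows-PowerShell", "EventID": 4104},
    {"Channel": "Windows PowerShell", "Provider_Name": "PowerShell", "EventID": 400},
    {"Channel": "Security", "Provider_Name": "Microsoft-Windows-Security-Auditing",
     "EventID": 4688},
]


def resolve(logsource):
    """Return the set of (channel, provider) pairs for a Sigma logsource dict.

    Non-Windows products yield an empty set; an unmapped Windows service is an
    error so that a rule is never silently matched against nothing."""
    if logsource.get("product", "windows") != "windows":
        return set()
    service = logsource.get("service")
    if service not in SERVICE_MAP:
        raise KeyError("no service mapping for %r" % (service,))
    return set(SERVICE_MAP[service])


def event_matches_logsource(event, logsource):
    """True when the event's Channel and Provider Name fall under the mapping."""
    return (event["Channel"], event["Provider_Name"]) in resolve(logsource)


def select_events(events, logsource):
    """Filter a list of events down to those the logsource applies to."""
    return [e for e in events if event_matches_logsource(e, logsource)]
```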