OTRF / OSSEM-DM

OSSEM Detection Model
MIT License

Added a lot of Defender for Endpoint mappings and some for Sysmon #34

Closed olafhartong closed 3 years ago

olafhartong commented 3 years ago

I've renamed the Windows Defender Advanced Threat Protection to the new name, Microsoft Defender for Endpoint.

For the event_id I used the ActionType to add more granularity/detail to the mapping and changed the Log channel to the Table name, like DeviceNetworkEvents etc.
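As an added illustration of the convention described in this PR (constructed for this page, not a file from the pull request or the OSSEM-DM repository), the entry below contrasts a Sysmon security event with a Defender for Endpoint one in an OSSEM-DM-style relationship. The key names (`security_events`, `event_id`, `log_source`, `provider`) and the ActionType value `ConnectionSuccess` are assumptions for the example.

```yaml
# Constructed OSSEM-DM-style relationship entry; field names are assumed for illustration
name: Process connected to IP
description: A process initiated a network connection to a remote IP address
behavior:
  source: process
  relationship: connected_to
  target: ip
security_events:
  # Sysmon entries keep the numeric event id and the log channel
  - event_id: 3
    name: Network connection detected
    log_source: Microsoft-Windows-Sysmon/Operational
    provider: Microsoft-Windows-Sysmon
  # Defender for Endpoint entries use the ActionType as the event_id for
  # granularity and the advanced hunting table name instead of a log channel
  - event_id: ConnectionSuccess
    name: Connection success
    log_source: DeviceNetworkEvents
    provider: Microsoft Defender for Endpoint
```

When writing detections from such a mapping, the Defender entry translates to filtering `DeviceNetworkEvents` on `ActionType == "ConnectionSuccess"`, while the Sysmon entry translates to a channel plus event id filter.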

Cyb3rWard0g commented 3 years ago

Thank you very much for contributing to the project @olafhartong ! I believe you have talked to @Cyb3rPandaH already about some of it. We will review it this week. Thank you again! 🍻

Cyb3rPandaH commented 3 years ago

Hey @olafhartong , thank you very much for your contribution to the project 🍺 💜

I only modified those files that involved Sysmon EID 12, 7, 5 for relationships that considered the user entity. The metadata provided by these events does not contain user information.

I also modified the relationship WMI Object created and removed events 19, 20, and 21 because those events are already considered within the relationship User created WMI Object.

Please let me know if you have any comments 😃 🙌