SigmaHQ / pySigma-backend-splunk

pySigma Splunk backend
GNU Lesser General Public License v2.1

Field Mapping: Add OriginalFileName -> Processes.original_file_name #20

Closed Rivosyke closed 1 year ago

Rivosyke commented 1 year ago

In the file below, it looks like OriginalFileName is missing from the splunk_sysmon_process_creation_cim_mapping dict.

Splunk added Processes.original_file_name in CIM v4.20.2.

https://github.com/SigmaHQ/pySigma-backend-splunk/blob/main/sigma/pipelines/splunk/splunk.py
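Added illustration of the gap this issue describes (standalone code, not pySigma's or this repository's own): a Sigma-style selection is renamed through a CIM field mapping, and any field without an entry is reported instead of leaking into the data-model search under its Sysmon name, which the Endpoint.Processes dataset would never match. The mapping dict is a constructed subset and the rule fragment is made up.

```python
"""Check a Sigma-style selection against a Splunk CIM field mapping.

A field missing from the mapping (here OriginalFileName) is passed through
unmapped, so a tstats search against Endpoint.Processes silently matches
nothing. Adding the entry closes the gap.
"""
from typing import Dict, List, Tuple

# Constructed subset of a Sysmon process-creation -> Endpoint.Processes mapping
# (illustrative, not the project's actual dict).
CIM_MAPPING_BEFORE: Dict[str, str] = {
    "Image": "Processes.process_path",
    "CommandLine": "Processes.process",
    "ParentImage": "Processes.parent_process_path",
    "User": "Processes.user",
}

# The same mapping plus the entry requested in this issue (field added in CIM 4.20.2).
CIM_MAPPING_AFTER: Dict[str, str] = {
    **CIM_MAPPING_BEFORE,
    "OriginalFileName": "Processes.original_file_name",
}


def map_selection(selection: Dict[str, str], mapping: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Rename selection fields via the mapping and list fields with no entry.

    Unmapped fields keep their Sigma name so the caller can see what leaked.
    """
    mapped: Dict[str, str] = {}
    unmapped: List[str] = []
    for field, value in selection.items():
        target = mapping.get(field)
        if target is None:
            unmapped.append(field)
            target = field
        mapped[target] = value
    return mapped, unmapped


def _quote(value: str) -> str:
    # Minimal SPL string quoting: escape backslash and double quote.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_where_clause(selection: Dict[str, str], mapping: Dict[str, str]) -> str:
    """Render the mapped selection as the WHERE part of a tstats data-model search."""
    mapped, _ = map_selection(selection, mapping)
    return " ".join(f"{field}={_quote(value)}" for field, value in mapped.items())


# Constructed rule fragment: a renamed binary is still caught by its PE OriginalFileName.
SELECTION = {"OriginalFileName": "PowerShell.EXE", "Image": "C:\\Temp\\svc.exe"}
```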

thomaspatzke commented 1 year ago

Thanks for the hint! Can you provide a pull request?

Rivosyke commented 1 year ago

I was going to but didn't know if there were other sections that needed modification as well. Looks like maybe the tests need to be updated to include that as well but I'll give it a looksee.

thomaspatzke commented 1 year ago

Now it works 😉