wagga40 / Zircolite

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

Issue with powershell logs #29

Closed cccs-jp closed 2 years ago

cccs-jp commented 2 years ago

If you take this rule for example: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml

And use sigmac as mentioned in the documentation, you will get something similar to (simplified condition):

"SELECT * FROM logs WHERE (Channel = \"Windows PowerShell\" AND HostApplication LIKE \"%hidden%\" ESCAPE '\')"

However, the ingestion of PowerShell events does not create a HostApplication column, so the query fails (silently).

The information is found within the message column.

wagga40 commented 2 years ago

Hi,

sorry for the delay. PowerShell classic logs don't really have a HostApplication field; all information is stored in <EventData><data>:

[Screenshot of the event XML, 2022-01-22 16:30:40]

After the conversion with evtx_dump, Zircolite remaps the content of the <EventData><data> field into a Message field using automatic field mappings: here

One quick solution to your problem may be to remap the field directly in the sigmac configuration, using sigma field mappings in the Zircolite.yml or powershell.yml file:

```yaml
fieldmappings:
    HostApplication: Message
```

Please keep in mind that Powershell classic logs are difficult to handle in such scenarios.

I think I will leave the issue open, to handle this case in a future update.
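An added illustration of the mismatch discussed in this issue (example code, not Zircolite's own): it flattens a constructed classic PowerShell event into a SQLite `logs` table roughly the way the flatten-and-map step does, then runs the sigmac query once against the missing `HostApplication` column and once against the remapped `Message` column. The mapping dict, column names and sample event content are assumptions for the demo.

```python
import sqlite3

# Constructed sample shaped like evtx_dump's JSON for a classic "Windows PowerShell"
# event: the data is an unnamed list under EventData/Data, no HostApplication key.
SAMPLE_EVENT = {"Event": {
    "System": {"Channel": "Windows PowerShell"},
    "EventData": {"Data": ["Available", "None",
        "NewEngineState=Available\n\tHostApplication=powershell.exe -w hidden -c Compress-Archive"]},
}}
# Assumed automatic mappings, a stand-in for Zircolite's own field mapping config.
AUTO_MAPPINGS = {"Event.System.Channel": "Channel", "Event.EventData.Data": "Message"}

def flatten(obj, prefix=""):
    """Flatten nested JSON into 'a.b.c' keys; a list is joined into one string."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        elif isinstance(value, list):
            out[name] = "\n".join(map(str, value))
        else:
            out[name] = value
    return out

def load_events(events, mappings):
    """Flatten events, rename columns via mappings, load into an in-memory 'logs' table."""
    rows = [{mappings.get(k, k): v for k, v in flatten(e).items()} for e in events]
    columns = sorted({c for r in rows for c in r})
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logs (%s)" % ", ".join(f'"{c}"' for c in columns))
    for r in rows:
        db.execute("INSERT INTO logs (%s) VALUES (%s)" % (
            ", ".join(f'"{c}"' for c in r), ", ".join("?" * len(r))), list(r.values()))
    return db

def run_rule(db, query):
    """Run a sigmac-style SQLite query; None means a referenced column does not
    exist, which is the error behind the silent failure described in the issue."""
    try:
        return db.execute(query).fetchall()
    except sqlite3.OperationalError:
        return None

SIGMAC_QUERY = "SELECT * FROM logs WHERE Channel = 'Windows PowerShell' AND %s LIKE '%%hidden%%'"

def demo(field):
    """Evaluate the rule against 'HostApplication' (missing) or the remapped 'Message'."""
    return run_rule(load_events([SAMPLE_EVENT], AUTO_MAPPINGS), SIGMAC_QUERY % field)
```

With `HostApplication` the query returns nothing at all rather than an empty match set; with the field remapped to `Message` the same event is detected.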