fix: incorrect mapping for provider name

The sigma provider name mapping was pointing to the wrong field in the event log. This is now fixed. Fixes: WithSecureLabs#149
nidogski · Nov 27, 2023 · 315e1ce · 315e1ce
1 parent 81011af
commit 315e1ce
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/mappings/sigma-event-logs-all.yml b/mappings/sigma-event-logs-all.yml
@@ -66,7 +66,7 @@ extensions:
     - for:
         logsource.service: certificateservicesclient-lifecycle-system
       filter:
-        Provider: Microsoft-Windows-CertificateServicesClient-Lifecycle-System  
+        Provider: Microsoft-Windows-CertificateServicesClient-Lifecycle-System
     - for:
         logsource.service: ntlm
       filter:
@@ -134,7 +134,7 @@ extensions:
     - for:
         logsource.service: dns-server
       filter:
-        Provider: Microsoft-Windows-DNS-Server-Service   
+        Provider: Microsoft-Windows-DNS-Server-Service
     - for:
         logsource.service: appxpackaging-om
       filter:
@@ -146,9 +146,9 @@ extensions:
     - for:
         id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46 #Remote Service Creation Rule
       filter:
-        - Provider: Microsoft-Windows-Security-Auditing 
-        - Provider: System 
-        
+        - Provider: Microsoft-Windows-Security-Auditing
+        - Provider: System
+
 groups:
   - name: Sigma
     timestamp: Event.System.TimeCreated
@@ -459,10 +459,10 @@ groups:
         to: Event.EventData.Properties
         visible: false
       - from: ProviderName
-        to: Event.EventData.ProviderName
+        to: Event.System.Provider
         visible: false
       - from: Provider_Name
-        to: Event.EventData.Provider_Name
+        to: Event.System.Provider
         visible: false
       - from: QNAME
         to: Event.EventData.QNAME