v0.4.3 - EventID Query Table Inference

@slincoln-systemtwo slincoln-systemtwo released this 13 Dec 14:55
· 1 commit to main since this release

What's Changed

  • add: mapped GrandParentImage with InitiatingProcessParentFileName by @0xFustang in #30
  • add: EventID to query_table mappings by @slincoln-aiq in #32
    • Previously, the query_table was selected from logsource.category, or supplied by the user via a pipeline or pipeline argument. query_table is required for the field mappings and for a valid table name in the final query. With this change, query_table is also inferred when an EventID appears in any selection section of the detection, logsource.category is missing, and the user has not supplied a query_table. This allows more rules to be translated to KQL queries.
  • fix: SigmaNumber conversion errors when in a grouped as-in expression of mixed types by @slincoln-aiq in #32
    • This fixes #29
  • Minor formatting with black/ruff
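As an added illustration of the selection order described above (not the backend's own code), assuming a user-supplied value takes precedence over logsource.category, which in turn takes precedence over EventID inference; the category and EventID table mappings are constructed for this example and only an unambiguous single-table result is accepted:

```python
# Added illustration of the query_table selection order from the release notes:
# user-supplied value > logsource.category > EventID found in a detection selection.
# Table mappings below are constructed for this example, not the backend's own.
CATEGORY_TO_TABLE = {"process_creation": "DeviceProcessEvents",
                     "network_connection": "DeviceNetworkEvents",
                     "file_event": "DeviceFileEvents"}
EVENTID_TO_TABLE = {1: "DeviceProcessEvents",   # Sysmon process creation
                    3: "DeviceNetworkEvents",   # Sysmon network connection
                    11: "DeviceFileEvents"}     # Sysmon file create

def event_ids_in(section):
    """Collect EventID values from a selection section (dict or list of dicts)."""
    if isinstance(section, list):
        return [e for s in section for e in event_ids_in(s)]
    if not isinstance(section, dict):
        return []
    ids = []
    for key, value in section.items():
        if key.split("|")[0] == "EventID":  # ignore modifiers such as EventID|gte
            ids.extend(value if isinstance(value, list) else [value])
    return [int(i) for i in ids]

def infer_query_table(rule, user_table=None):
    """Return the query table for a Sigma rule dict, or None if it cannot be inferred."""
    if user_table:                       # pipeline / pipeline arg always wins
        return user_table
    category = rule.get("logsource", {}).get("category")
    if category in CATEGORY_TO_TABLE:    # classic path: logsource.category
        return CATEGORY_TO_TABLE[category]
    tables = set()                       # new path: EventID in any selection
    for name, section in rule.get("detection", {}).items():
        if name == "condition":
            continue
        tables.update(EVENTID_TO_TABLE[e] for e in event_ids_in(section)
                      if e in EVENTID_TO_TABLE)
    # Assumption: only an unambiguous (single) table is accepted.
    return tables.pop() if len(tables) == 1 else None

# Constructed rule: no logsource.category, but Sysmon EventID 1 in the selection.
SAMPLE_RULE = {
    "title": "Constructed example rule",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {"selection": {"EventID": 1, "Image|endswith": "\\whoami.exe"},
                  "condition": "selection"},
}
```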

New Contributors

Full Changelog: v0.4.2...v0.4.3