From 2dd99c77e58d796c66d406deeba0fa954e8f59d2 Mon Sep 17 00:00:00 2001 From: Adon Metcalfe Date: Thu, 21 Mar 2024 16:01:43 +0800 Subject: [PATCH 1/2] Update microsoft365defender.py Just drop field initiated in network connections as for endpoints almost all events are outbound --- .../microsoft365defender/microsoft365defender.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/sigma/pipelines/microsoft365defender/microsoft365defender.py b/sigma/pipelines/microsoft365defender/microsoft365defender.py index 862dfdd..47c5a87 100644 --- a/sigma/pipelines/microsoft365defender/microsoft365defender.py +++ b/sigma/pipelines/microsoft365defender/microsoft365defender.py @@ -11,7 +11,7 @@ from sigma.processing.transformations import (FieldMappingTransformation, RuleFailureTransformation, ReplaceStringTransformation, SetStateTransformation, DetectionItemTransformation, ValueTransformation, - DetectionItemFailureTransformation) + DetectionItemFailureTransformation, DropDetectionItemTransformation) from sigma.processing.conditions import (IncludeFieldCondition, ExcludeFieldCondition, DetectionItemProcessingItemAppliedCondition, LogsourceCondition) from sigma.conditions import ConditionOR @@ -233,7 +233,7 @@ class InvalidHashAlgorithmError(Exception): 'Image': 'InitiatingProcessFolderPath', 'User': 'InitiatingProcessAccountName', 'Protocol': 'Protocol', - # 'Initiated': ?, + 'Initiated': 'Initiated', # 'SourceIsIpv6': ?, 'SourceIp': 'LocalIP', 'SourceHostname': 'DeviceName', 
@@ -368,7 +368,8 @@ class InvalidHashAlgorithmError(Exception): 'InitiatingProcessAccountDomain', 'InitiatingProcessAccountName', 'InitiatingProcessAccountSid', 'InitiatingProcessAccountUpn', 'InitiatingProcessAccountObjectId', 'InitiatingProcessIntegrityLevel', - 'InitiatingProcessTokenElevation', 'ReportId', 'AppGuardContainerId', 'AdditionalFields']} + 'InitiatingProcessTokenElevation', 'ReportId', 'AppGuardContainerId', 'AdditionalFields', + 'Initiated']} # Mapping from ParentImage to InitiatingProcessParentFileName. Must be used alongside of ParentImageValueTransformation parent_image_field_mapping = {'ParentImage': 'InitiatingProcessParentFileName'} @@ -493,6 +494,13 @@ class InvalidHashAlgorithmError(Exception): transformation=HashesValuesTransformation(), field_name_conditions=[IncludeFieldCondition(['Hashes'])] ), + # Processing item to essentially ignore initiated field + ProcessingItem( + identifier="microsoft_365_defender_network_initiated_field", + transformation=DropDetectionItemTransformation(), + field_name_conditions=[IncludeFieldCondition(['Initiated'])], + rule_conditions=[LogsourceCondition(category='network_connection')], + ) ] # ParentImage -> InitiatingProcessParentFileName From 1dee98de73ac34d2af201daef7c19ac516c4df03 Mon Sep 17 00:00:00 2001 From: Adon Metcalfe Date: Thu, 21 Mar 2024 16:24:33 +0800 Subject: [PATCH 2/2] Update microsoft365defender.py Simplify patch a bit as don't need to tweak validation if dropping --- sigma/pipelines/microsoft365defender/microsoft365defender.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sigma/pipelines/microsoft365defender/microsoft365defender.py b/sigma/pipelines/microsoft365defender/microsoft365defender.py index 47c5a87..cdd1412 100644 --- a/sigma/pipelines/microsoft365defender/microsoft365defender.py +++ b/sigma/pipelines/microsoft365defender/microsoft365defender.py 
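Review bot: The new `microsoft_365_defender_network_initiated_field` item drops `Initiated` whatever its value, so a network_connection rule that selects `Initiated: false` (inbound only) silently loses that constraint and matches every connection, which inverts the author's intent; dropping `Initiated: true` loses little, given the commit message's point that endpoint telemetry is almost entirely outbound. Consider restricting the drop to the true case and routing `Initiated: false` to the already-imported `DetectionItemFailureTransformation` instead, which needs a value-based detection item condition alongside the `IncludeFieldCondition` (pySigma ships one, but I have not checked the version this pipeline pins). The comment on the item should say what is lost rather than "essentially ignore", e.g. `# Drop 'Initiated' on network_connection rules: the target table has no equivalent field (see the commented-out mapping above) and endpoint telemetry is almost entirely outbound; rules selecting Initiated: false lose that constraint.` Patch 2 reverts the valid-field addition on the assumption that this drop runs before field validation; that ordering is decided outside the hunk, so a test with a rule whose only selection item is `Initiated` would confirm it is dropped rather than rejected. The enclosing processing item list starts before this hunk.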
@@ -233,7 +233,7 @@ class InvalidHashAlgorithmError(Exception): 'Image': 'InitiatingProcessFolderPath', 'User': 'InitiatingProcessAccountName', 'Protocol': 'Protocol', - 'Initiated': 'Initiated', + # 'Initiated': ?, # 'SourceIsIpv6': ?, 'SourceIp': 'LocalIP', 'SourceHostname': 'DeviceName', @@ -368,8 +368,7 @@ class InvalidHashAlgorithmError(Exception): 'InitiatingProcessAccountDomain', 'InitiatingProcessAccountName', 'InitiatingProcessAccountSid', 'InitiatingProcessAccountUpn', 'InitiatingProcessAccountObjectId', 'InitiatingProcessIntegrityLevel', - 'InitiatingProcessTokenElevation', 'ReportId', 'AppGuardContainerId', 'AdditionalFields', - 'Initiated']} + 'InitiatingProcessTokenElevation', 'ReportId', 'AppGuardContainerId', 'AdditionalFields']} # Mapping from ParentImage to InitiatingProcessParentFileName. Must be used alongside of ParentImageValueTransformation parent_image_field_mapping = {'ParentImage': 'InitiatingProcessParentFileName'}