`category: antivirus` sigma rules are not being converted
YamatoSecurity opened this issue · 1 comments
@fukusuket
There are about 7 `category: antivirus` sigma rules that are not being converted. I checked the `logsource` and I believe they are not being converted because `product: windows` is not defined.
I assume this is not defined on purpose so that sigma can detect windows malware on other OSes.
However, this means that we need to make a special exception for the antivirus category to load in Hayabusa when `product` is not defined.
We already have rules to detect all Windows Defender alerts so we may not need these rules but may be nice to have as they will tell the analyst whether it is a webshell, C2 framework tool, etc...
We would have to add the following mapping though:
```yaml
category: antivirus
conditions:
  EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
    - 1006
    - 1007
    - 1008
    - 1009
    - 1010
    - 1011
    - 1012
    - 1017
    - 1018
    - 1019
    - 1115
    - 1116
rewrite:
  product: windows
  service: windefend
fieldmappings:
  Signature: ThreatName
  Filename: Path
```
What do you think about this issue?
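Added example (not Hayabusa's or hayabusa-rules' own code): a minimal converter that applies the mapping proposed above to a Sigma rule whose `logsource` has `category: antivirus` and no `product`, rewriting the logsource, renaming `Signature`/`Filename` to the Defender field names, and restricting the rule to the listed EventIDs. The mapping dict mirrors the YAML in the issue; the sample rule is constructed.

```python
import copy
from typing import Optional

# Mapping as proposed in the issue: Defender EventIDs that carry a Threat Name
# or Path, the logsource rewrite, and the Sigma-to-Defender field renames.
ANTIVIRUS_MAPPING = {
    "category": "antivirus",
    "conditions": {"EventID": [1006, 1007, 1008, 1009, 1010, 1011, 1012,
                               1017, 1018, 1019, 1115, 1116]},
    "rewrite": {"product": "windows", "service": "windefend"},
    "fieldmappings": {"Signature": "ThreatName", "Filename": "Path"},
}

def _map_field(key: str, fieldmap: dict) -> str:
    """Rename a selection key, keeping any Sigma modifier ("Signature|contains")."""
    base, sep, mod = key.partition("|")
    return fieldmap.get(base, base) + sep + mod

def convert_rule(rule: dict, mapping: dict = ANTIVIRUS_MAPPING) -> Optional[dict]:
    """Return a converted copy of `rule`, or None when the mapping does not apply.

    Applies only when logsource.category matches and no product is set (the
    case the issue describes); rules naming a product are left to other mappings.
    """
    logsource = rule.get("logsource", {})
    if logsource.get("category") != mapping["category"] or "product" in logsource:
        return None
    out = copy.deepcopy(rule)
    out["logsource"] = {"category": mapping["category"], **mapping["rewrite"]}
    detection = out["detection"]
    for name, sel in list(detection.items()):
        if name == "condition" or not isinstance(sel, dict):
            continue
        detection[name] = {_map_field(k, mapping["fieldmappings"]): v
                           for k, v in sel.items()}
    # Restrict the rule to the Defender events that actually carry ThreatName/Path.
    detection["logsource_condition"] = copy.deepcopy(mapping["conditions"])
    detection["condition"] = f"logsource_condition and ({detection['condition']})"
    return out

# Constructed sample rule (not a real Sigma rule) in the shape the issue describes.
SAMPLE_RULE = {
    "title": "Antivirus Webshell Detection (constructed sample)",
    "logsource": {"category": "antivirus"},
    "detection": {
        "selection": {"Signature|contains": ["Webshell", "ChinaChopper"]},
        "condition": "selection",
    },
}
```

Call `convert_rule(SAMPLE_RULE)` to see the rewritten logsource, the renamed `ThreatName|contains` selection and the added EventID restriction.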
@YamatoSecurity
Yes! It would be nice to be able to check `Filename` and `Signature` :) I'll see if I can implement it!💪
memo: `category: antivirus` sigma rules