more meta for sigma parser + add context for sysmon/sigma

collections/sigmahq/windows_proc_creation.yaml

@@ -1,5 +1,7 @@
 parsers:
  - crowdsecurity/sysmon-logs
+contexts:
+ - crowdsecurity/sysmon_base
 scenarios:
  - sigmahq/proc_creation_win_addinutil_suspicious_cmdline
  - sigmahq/proc_creation_win_adplus_memory_dump

contexts/crowdsecurity/sysmon_base.yaml

@@ -0,0 +1,12 @@
+#Context for sysmon events, mainly intended to be used with the sigma collection
+context:
+  command_line:
+    - evt.Meta.CommandLine
+  current_directory:
+    - evt.Meta.CurrentDirectory
+  user:
+    - evt.Meta.User
+  hashes:
+    - evt.Meta.Hashes
+  parent_image:
+    - evt.Meta.ParentImage

parsers/s01-parse/crowdsecurity/sysmon-logs.yaml

@@ -47,6 +47,16 @@ nodes:
         expression:  XMLGetNodeValue(evt.Line.Raw, "/Event/EventData[1]/Data[@Name='ParentUser']")
       - meta: SysmonEventType
         value: ProcessCreation
+      - meta: CommandLine
+        expression: evt.Parsed.CommandLine
+      - meta: CurrentDirectory
+        expression: evt.Parsed.CurrentDirectory
+      - meta: User
+        expression: evt.Parsed.User
+      - meta: Hashes
+        expression: evt.Parsed.Hashes
+      - meta: ParentImage
+        expression: evt.Parsed.ParentImage
   - filter: evt.Parsed.EventID == '2'
     statics:
       - parsed: ProcessGuid