No field mapping for ProcessName to FileName

[jeremyhagan]

I'm newish to sigma so please excuse me if i have misunderstood something. I've checked the specificationand I can't find any reason why the specific rules that I am trying to convert are invalid. However i am getting an error saying:

Error while conversion: Invalid SigmaDetectionItem field name encountered: ProcessName. Please use valid fields for the DeviceProcessEvents table, or the following fields that have keymappings in this pipeline:
CommandLine, Company, Description, EventType, FileVersion, Hashes, Image, IntegrityLevel, LogonId, OriginalFileName, ParentCommandLine, ParentImage, ParentProcessId, ParentUser, ProcessId, Product, SourceImage, User, md5, sha1, sha256

I would assume that the applicable DeviceProcessEvents field to map this to would be FileName. Aside from modifying the source YAML, can i add my own field mapping to take care of this?

title: Wscript Execution on script in AppData/Local
id: 3ca0c038-1115-11ec-9235-1d47cec5328f
classification: OFFICIAL
releasable: true
description:
  - Identifies Wscript execution on scripts stored in users AppData/Local directory
  - Execution of scripts in these directories can be suspicious.
  - This detection in conjuction with analysis of the running parent process could lead to the discovery of malicious script execution events.
status: stable
date: 2021/05/26
author: XXXX
references:
  - null
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ProcessName:
      - wscript.exe
    CommandLine|contains:
      - \AppData\Local\
  condition: selection
falsepositives:
  - Multiple business applications use wscript to execute javascript in AppData/Local
  - Scripts executed from a file archive should be investigated
level: low
query:
  sql: |-
    SELECT *
    FROM Process
    WHERE (ltrim(payload.oid.tag, ':?') ILIKE "wscript.exe"
           AND payload.commandline ILIKE "%\\AppData\\Local\\%")

[jeremyhagan]

I think I found the relevant specification for the category. I'll go back to the orginal authors and ask them to fix it.
https://github.com/SigmaHQ/sigma-specification/blob/main/Taxonomy_specification.md#windows-folder