From 65eb183a6de3d8dd07d31e4247eb9089589d15ca Mon Sep 17 00:00:00 2001
From: cccs-kevin
Date: Mon, 25 Jul 2022 15:06:02 +0000
Subject: [PATCH] Adding powershell_scriptblock_logging to dropped sigs

---
 cape/cape_result.py | 5 ++++-
 cape/signatures.py  | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/cape/cape_result.py b/cape/cape_result.py
index 1f86a87..d8c5412 100644
--- a/cape/cape_result.py
+++ b/cape/cape_result.py
@@ -23,7 +23,7 @@
 from assemblyline_v4_service.common.safelist_helper import is_tag_safelisted
 from assemblyline_v4_service.common.tag_helper import add_tag
 
-from cape.signatures import get_category_id
+from cape.signatures import get_category_id, CAPE_DROPPED_SIGNATURES
 from cape.safe_process_tree_leaf_hashes import SAFE_PROCESS_TREE_LEAF_HASHES
 from assemblyline_v4_service.common.dynamic_service_helper import (
     extract_iocs_from_text_blob,
@@ -385,6 +385,9 @@ def process_signatures(
     for sig in sigs:
         sig_name = sig["name"]
 
+        if sig_name in CAPE_DROPPED_SIGNATURES:
+            continue
+
         if not is_process_martian and sig_name == "process_martian":
             is_process_martian = True
 
diff --git a/cape/signatures.py b/cape/signatures.py
index 6e2d4cc..ac3f337 100644
--- a/cape/signatures.py
+++ b/cape/signatures.py
@@ -873,7 +873,7 @@
     "Virus": {"id": 54, "description": "Malicious software program."},
 }
 
-CAPE_DROPPED_SIGNATURES = []
+CAPE_DROPPED_SIGNATURES = ["powershell_scriptblock_logging"]
 
 def get_category_id(sig: str) -> int:
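Review bot: The new early `continue` in the signature loop discards a signature the sandbox actually reported without leaving any trace in the result, so an analyst later cannot tell "powershell_scriptblock_logging did not fire" from "it fired and was suppressed here". If a module logger is available in cape_result.py (not visible in this hunk), a `log.debug("Dropping CAPE signature %s from results", sig_name)` before the `continue` would keep suppression auditable at no cost to the output; failing that, a one-line comment on the check explaining that these are signatures deliberately withheld from results would at least stop the next reader from treating it as a bug. Note also that the skip runs before the `process_martian` bookkeeping, so any name later added to `CAPE_DROPPED_SIGNATURES` is invisible to everything below it in the loop, which is presumably intended but worth stating in that comment. `process_signatures` begins before this hunk and continues after it.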
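Review bot: The entry added to `CAPE_DROPPED_SIGNATURES` carries no explanation of why this particular signature is withheld from results, and this list is the only place a reader would look for that rationale. A short comment above the assignment, e.g. `# CAPE signatures deliberately omitted from the service result; consulted by process_signatures() in cape_result.py` followed by a per-entry reason (presumably that it fires on benign script-block logging activity — confirm), would make the suppression reviewable rather than look like an accidental gap in coverage. Because the constant is only ever used for membership tests, `CAPE_DROPPED_SIGNATURES = frozenset({"powershell_scriptblock_logging"})` would also prevent runtime mutation of the drop list, which matters for a value that silently removes detections.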