Hi! I was wondering if it's possible to count instances of each distinct command made by a specific user in the following example query (the command line is a multi-value field in this case, as multiple commands are being scored for a user in a given timeframe).

I'll use as an example this query based on command scoring CQF, I'm focusing now on the countcommand variable:

event_platform=win event_simpleName=ProcessRollup2 (FileName=cmd.exe OR FileName=powershell.exe) OR (ParentBaseFileName=cmd.exe OR ParentBaseFileName=powershell.exe) AND (GrandParentBaseFileName=explorer.exe)
| lookup local=true userinfo.csv UserSid_readable OUTPUT AccountType, LocalAdminAccess
| lookup aid_master.csv aid OUTPUT ProductType
| eval cmdNoEscape=trim(replace(CommandLine, "^", ""))
| eval cmdNoEscape=trim(replace(cmdNoEscape, "", ""))
| eval isAcceptEULA=if(like(cmdNoEscape, "%accepteula%"), "6", "0")
| eval ipconfig=if(like(cmdNoEscape, "%ipconfig%"), "1", "0")
| stats sum(isAcceptEULA) as isAcceptEULA, sum(isEncoded) as isEncoded, sum(ipconfig) as ipconfig, sum(reg) as reg, count(CommandLine) as countcommand, values(FileName) as FileName, values(CommandLine) as CommandLine by UserName
| eval cmdScoreTotal=isAcceptEULA+isEncoded+ipconfig+reg
| table UserName, FileName, CommandLine, countcommand, cmdScoreTotal, isAcceptEULA, isEncoded, ipconfig, reg

Currently it results in something like this (if the same command is executed multiple times, it will be added to the total count of commands for a user):

What I am really looking for is this (assuming I executed regedit x2, regedit /s x1 and ipconfig x2), so for CountCommand to also be a multi-value field like CommandLine:

Reply:

I'm not exactly following you because Reddit is kind of eating your example syntax, however, try playing with this and see if it's closer to what you're looking for:

event_platform=win event_simpleName=ProcessRollup2 (FileName=cmd.exe OR FileName=powershell.exe) OR (ParentBaseFileName=cmd.exe OR ParentBaseFileName=powershell.exe) AND (GrandParentBaseFileName=explorer.exe)
| lookup local=true aid_master.csv aid OUTPUT ProductType
| stats sum(isAcceptEULA) as isAcceptEULA, sum(isEncoded) as isEncoded, sum(ipconfig) as ipconfig, sum(reg) as reg, count(CommandLine) as countcommand by UserName, FileName, CommandLine

Reply from the original poster:

Is that possible by leaving the stats BY UserName? As I would like to maintain scoring based on all commands made by a user in a specific timeframe, not based on single commands.
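The two aggregations in the thread pull in different directions: `stats ... by UserName` gives one row per user with a single `countcommand`, while `stats ... by UserName, FileName, CommandLine` gives per-command counts but one row per command. What the original poster describes (regedit x2, regedit /s x1, ipconfig x2 as an aligned multi-value count, with the score still summed over every execution by the user) is a two-level grouping: count distinct command lines per user first, then roll the result up to one row per user. The Python below is an added illustration of that aggregation over constructed sample events; it is not code from the thread or from CrowdStrike. The field names and the accepteula=6 / ipconfig=1 weights come from the query above; the isEncoded and reg weights, the sample events and the normalisation rules are assumptions.

```python
from collections import Counter, OrderedDict

# Constructed sample events shaped like the fields the thread's query uses
# (UserName, FileName, CommandLine). Not real telemetry.
EVENTS = [
    {"UserName": "alice", "FileName": "cmd.exe", "CommandLine": "regedit"},
    {"UserName": "alice", "FileName": "cmd.exe", "CommandLine": "regedit"},
    {"UserName": "alice", "FileName": "cmd.exe", "CommandLine": "regedit /s export.reg"},
    {"UserName": "alice", "FileName": "cmd.exe", "CommandLine": "ipconfig /all"},
    {"UserName": "alice", "FileName": "cmd.exe", "CommandLine": "ipconfig /all"},
    {"UserName": "bob", "FileName": "powershell.exe", "CommandLine": 'psexec.exe -accepteula -s "cmd"'},
    {"UserName": "bob", "FileName": "powershell.exe", "CommandLine": "powershell -EncodedCommand AAAA"},
]

# Scoring rules mirroring the eval lines in the thread: substring -> weight.
# accepteula=6 and ipconfig=1 are from the thread; the other two weights are assumed.
RULES = {
    "isAcceptEULA": ("accepteula", 6),
    "isEncoded": ("encodedcommand", 4),  # assumed weight
    "ipconfig": ("ipconfig", 1),
    "reg": ("regedit", 2),               # assumed weight
}


def normalize(cmd):
    """Stand-in for the cmdNoEscape evals: drop carets and quotes, trim, lower-case."""
    return cmd.replace("^", "").replace('"', "").strip().lower()


def score_command(cmd):
    """Return the per-rule score for one command line (0 where the rule does not match)."""
    norm = normalize(cmd)
    return {name: (weight if needle in norm else 0) for name, (needle, weight) in RULES.items()}


def aggregate(events):
    """Two-level roll-up: per-user counts of each distinct (FileName, CommandLine),
    then one row per user whose FileName / CommandLine / countcommand lists are
    index-aligned, while the rule scores are summed over every execution."""
    per_user = {}
    for ev in events:
        user = per_user.setdefault(ev["UserName"], {"distinct": OrderedDict(), "totals": Counter()})
        key = (ev["FileName"], ev["CommandLine"])
        user["distinct"][key] = user["distinct"].get(key, 0) + 1   # level 1: count per distinct command
        user["totals"].update(score_command(ev["CommandLine"]))    # score every execution, not just distinct ones

    rows = []
    for user_name, data in per_user.items():   # level 2: one row per user
        row = {
            "UserName": user_name,
            "FileName": [k[0] for k in data["distinct"]],
            "CommandLine": [k[1] for k in data["distinct"]],
            "countcommand": list(data["distinct"].values()),
        }
        row.update({name: data["totals"][name] for name in RULES})
        row["cmdScoreTotal"] = sum(row[name] for name in RULES)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in aggregate(EVENTS):
        print(row)
```

For alice this yields CommandLine ["regedit", "regedit /s export.reg", "ipconfig /all"] with countcommand [2, 1, 2] side by side, and a cmdScoreTotal that still reflects all five executions. In SPL the same shape comes from chaining two `stats`: first `count as countcommand by UserName, FileName, CommandLine`, then `list(FileName)`, `list(CommandLine)`, `list(countcommand)` and the score sums `by UserName`; `list()` keeps the per-command values in the same order so the multi-value fields stay aligned, whereas `values()` de-duplicates and sorts them.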