2.0 KiB
2.0 KiB
`indextime` `sysmon` <SEARCH>
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="",
mitre_category="Defense_Evasion",
mitre_technique="Obfuscated Files or Information",
mitre_technique_id="T1027",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T",
creator="Cpl Iverson",
last_tested="",
upload_date="2024-01-01",
last_modify_date="2025-01-09",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link last_tested creator upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
Permissions
- Display For: App
- Read: Everyone
- Write: admin
Schedule
- Schedule: Run on Cron Schedule
- */15 * * * *
- Time Range: Since date time
- Schedule Priority: Default
- Schedule Window: Auto
Macros
- jarvis_index: index=jarvis
- indextime: _index_earliest=-15m@m AND _index_latest=now
Network Whitelist
table _time indextime event_description host_fqdn user_name process_path process_id process_parent_id process_command_line process_guid src_ip dst_ip dst_port src_host_name dst_host_name
WMI Whitelist
| table _time indextime host_fqdn user_name wmi_consumer_name wmi_consumer_destination
File Create
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger