Last | eval "Country City" = Country

Last | eval "Country City" = Country

[search event_simpleName="ProcessRollup2" earliest=- |rename ParentProcessId_decimal FilePath as ChildPath |dedup aid TargetProcessId_decimal SHA256HashData |fields aid TargetProcessId_decimal CommandLine |rex field=CommandLine "(?<FileName>[^\\\\]+)$"]

City | join ComputerName [search source=PlatformEvents DetectDescription="*" | table ComputerName DetectDescription ] | table DetectDescription ComputerName LocalAddressIP4 MachineDomain UserName "Full Name" UserPrincipal "Country City" | fillnull value=NULL | dedup UserPrincipal DetectDescription ComputerName

City | join ComputerName [search source=PlatformEvents DetectDescription="*" | table ComputerName DetectDescription ] | table DetectDescription ComputerName LocalAddressIP4 MachineDomain UserName "Full Name" UserPrincipal "Country City" | fillnull value=NULL | dedup UserPrincipal DetectDescription ComputerName

21 CS ComputerName 22 CS ComputerName 74 CS ComputerName Regkey content Incident Response 75 CS ComputerName 76 CS ComputerName

| lookup aid_master aid OUTPUT City Country ComputerName MachineDomain | rex field=UserPrincipal "^(?<First>\w+)\.(?<Last>\w+)(.*)" | eval "Full Name"=First." ".Last

81 CS ComputerName

[search ComputerName="EHTT1-DHD2NH2" event_simpleName="ProcessRollup2" earliest=- |regex CommandLine!="(?i)iexplore\.exe|chrome\.exe|MicrosoftEdgeCP\.exe|firefox\.exe|google|smartscreen\.exe|OneDrive\.exe|SearchUI\.exe|mimecast\|MicrosoftEdge\.exe"] |rex field=CommandLine "(?<FileName>[^\\\\]+)$" | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p") |stats sparkline count values(CommandLine) values(DomainName) dc("Last Seen (UTC)") by FileName SHA256HashData

88 CS ComputerName 89 CS ComputerName 91 CS ComputerName 94 ES DST_Ip 95 ES DST_DNS

event_platform=Mac event_simpleName=ProcessSelfDeleted |map search="search event_simpleName=*ProcessRollup2 aid=$aid$ TargetProcessId_decimal=$ContextProcessId_decimal$" |dedup aid,SHA256HashData |eval CommandLine=substr(CommandLine,1,50) |stats values(CommandLine) as Purchases, dc(aid) as UniqueAgentCount by SHA256HashData |join type=outer SHA256HashData [search event_platform=Mac event_simpleName=*ProcessRollup2 |top SHA256HashData limit=10000 by aid |stats dc(aid) as CommonGPopCount by SHA256HashData] |join type=outer SHA256HashData [search event_platform=Mac event_simpleName=*ProcessRollup2 |rare SHA256HashData limit=10000 by aid |stats dc(aid) as RareGPopCount by SHA256HashData] |fillnull value=0 CommonGPopCount |fillnull value=0 RareGPopCount |search UniqueAgentCount=1 CommonGPopCount

|eval ParentCommandLine=coalesce(ParentCommandLine,"IamAnOrphan") |search ParentCommandLine="IamAnOrphan" |eval ChildCommandLine=substr(ChildCommandLine,1,50) |stats values(ChildCommandLine) as Purchases, max(duration) as duration, dc(aid) as AgentsWithHash by SHA256HashData |search AgentsWithHash=1 |join type=outer SHA256HashData [search event_platform=Mac event_simpleName=VT |stats sum(detectionCount) as VTCount by sha256 |rename sha256 as SHA256HashData]

124 CS DST_DNS

| inputlookup managedassets.csv | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p")| sort 0 -"Last Seen (UTC)" | lookup oui.csv MACPrefix OUTPUT Manufacturer | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer)

| join aid [| inputlookup aid_master where cid=* | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p") | sort 0 -"Last Seen (UTC)" | lookup oui.csv MACPrefix OUTPUT Manufacturer | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer) | dedup aid]

| append [| inputlookup append=t unmanaged_high.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none | rename ComputerName AS "Last Discovered By"| append [ inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none | rename ComputerName AS "Last Discovered By"]| append [| inputlookup append=t unmanaged_low.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none | rename ComputerName AS "Last Discovered By"] | append [| inputlookup notsupported.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none | rename ComputerName AS "Last Discovered By" ] | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p") | fillnull value=null aid | eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4," "))) | eval discoverer_aid=mvsort(mvdedup(split(discoverer_aid," "))) | eval aip=mvsort(mvdedup(split(aip," "))) | sort 0 -"Last Seen (UTC)" | lookup oui.csv MACPrefix OUTPUT Manufacturer, ManufacturerAddress | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer) ]

|head 100 |stats count earliest(_time) as first by username sourcetype | eval earliest=strftime(first,"%m/%d/%y %H:%M:%S") | eval username=lower(username) | stats count by username sourcetype first | dedup username

| inputlookup managedassets.csv | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p") | sort 0 -"Last Seen (UTC)" | lookup oui.csv MACPrefix OUTPUT Manufacturer | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer)

| join aid [| inputlookup aid_master where cid=* | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p") | sort 0 -"Last Seen (UTC)" | lookup oui.csv MACPrefix OUTPUT Manufacturer | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer) | dedup aid]

| append [| inputlookup append=t unmanaged_high.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none | rename ComputerName AS "Last Discovered By" | append [ inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none | rename ComputerName AS "Last Discovered By"] | append [| inputlookup append=t unmanaged_low.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none | rename ComputerName AS "Last Discovered By"] | append [| inputlookup notsupported.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none | rename ComputerName AS "Last Discovered By" ] | eval "Last Seen (UTC)"=strftime(_time, "%m/%d/%y %I:%M%p") | fillnull value=null aid | eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4," "))) | eval discoverer_aid=mvsort(mvdedup(split(discoverer_aid," "))) | eval aip=mvsort(mvdedup(split(aip," "))) | sort 0 -"Last Seen (UTC)" | lookup oui.csv MACPrefix OUTPUT Manufacturer, ManufacturerAddress | fillnull value=NA Manufacturer | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer) ]
