Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

casting Syslog ProcessId to string to match V3

This commit is contained in:
Yaron Fruchtmann 2020-09-29 15:41:43 +03:00
Родитель e0e4e2ce18
Коммит 80c153ae5c
5 изменённых файлов: 9 добавлений и 9 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

4
Exploration Queries/InputEntity_Host/LeastPrevIn_ByHost.yaml
Просмотреть файл

@ -26,8 +26,8 @@ query: |
| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName , LocalIP, ProcessID
| extend Process_Aux_info = IP_Aux_info
| top 10 by count_ asc
| project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, ProcessID, IP_Aux_info, Process_Aux_info
| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Process_ProcessId=ProcessID
| project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)
| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName
};
// change <HostName> value below
GetWireDataInboundWithHost('<HostName>')

4
Exploration Queries/InputEntity_Host/LeastPrevOut_ByHost.yaml
Просмотреть файл

@ -26,8 +26,8 @@ query: |
| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName, RemoteIP, ProcessID
| extend Process_Aux_info = IP_Aux_info
| top 10 by count_ asc
| project Process_Aux_Min_SessionStartTime, ProcessName, RemoteIP, ProcessID, IP_Aux_info, Process_Aux_info
| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Process_ProcessId=ProcessID
| project Process_Aux_Min_SessionStartTime, ProcessName, RemoteIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)
| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName
};
// change <HostName> value below
GetWireDataOutboundWithHost('<HostName>')

2
Exploration Queries/InputEntity_Host/LeastPrevProcess_ByHost.yaml
Просмотреть файл

@ -24,7 +24,7 @@ query: |
| extend info = pack('HostName', HostName, 'HostIP', HostIP)
| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID
| top 10 by count_ asc nulls last
| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ProcessId=ProcessID, Process_ImageFile_FullPath=ProcessName, Process_Aux_info
| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ProcessId=tostring(ProcessID), Process_ImageFile_FullPath=ProcessName, Process_Aux_info
};
// change <HostName> value below
GetSysLogEventsOnHost('<HostName>')

4
Exploration Queries/InputEntity_IP/LeastPrevIn_ByIPAddress.yaml
Просмотреть файл

@ -27,8 +27,8 @@ query: |
| summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID
| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info
| top 10 by count_ asc
| project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer, Process_ProcessId=ProcessID
| project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info
| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer
};
// change <Address> value below
GetWireDataInboundWithIp('<Address>')

4
Exploration Queries/InputEntity_IP/LeastPrevOut_ByIPAddress.yaml
Просмотреть файл

@ -27,8 +27,8 @@ query: |
| summarize count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID
| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info
| top 10 by count_ asc
| project Computer, ProcessName, RemoteIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer, Process_ProcessId=ProcessID
| project Computer, ProcessName, RemoteIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info
| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer
};
// change <Address> value below
GetWireDataOutboundWithIp('<Address>')