Update Windows System Shutdown-Reboot(T1529)
This commit is contained in:
Chiheb Chebbi
GitHub
Родитель
9d6913220e
Коммит
c06df21d65
|
|
@ -17,6 +17,7 @@ query: |
|
|||
Event
|
||||
//This query uses sysmon data depending on table name used this may need updataing
|
||||
| where Source == "Microsoft-Windows-Sysmon"
|
||||
| where TimeGenerated >= ago(timeframe)
|
||||
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
|
||||
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
|
||||
| mv-expand bagexpansion=array EventData
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче