From e976f27d565c4bb001f7432811352e5adf3a6f74 Mon Sep 17 00:00:00 2001
From: rahul0216
Date: Wed, 26 Apr 2023 09:46:48 +0530
Subject: [PATCH] Update FileExecutionWithOneCharacterInTheName.yaml

---
 .../Hunting Queries/FileExecutionWithOneCharacterInTheName.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Solutions/Endpoint Threat Protection Essentials/Hunting Queries/FileExecutionWithOneCharacterInTheName.yaml b/Solutions/Endpoint Threat Protection Essentials/Hunting Queries/FileExecutionWithOneCharacterInTheName.yaml
index 61b61c7dcc..05a3751943 100644
--- a/Solutions/Endpoint Threat Protection Essentials/Hunting Queries/FileExecutionWithOneCharacterInTheName.yaml
+++ b/Solutions/Endpoint Threat Protection Essentials/Hunting Queries/FileExecutionWithOneCharacterInTheName.yaml
@@ -19,7 +19,7 @@ query: |
 | where CommandLine matches regex @'\\[a-zA-Z0-9]\.[a-zA-Z0-9]{2,5}["]{1}'
 | parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Image">' Image "<" * 'Description">' Description "<" * 'OriginalFileName">' OriginalFileName "<" * 'CommandLine">' CommandLine "<" * 'CurrentDirectory">' CurrentDirectory "<" * 'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'IntegrityLevel">' IntegrityLevel "<" * 'Hashes">' Hashes "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes
- | extend NTDomain = tostring(split(UserName, '\\', 0)[0]), UserName = tostring(split(User, '\\', 1)[0])
+ | extend NTDomain = tostring(split(User, '\\', 0)[0]), UserName = tostring(split(User, '\\', 1)[0])
 | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
 | extend Account_0_Name = UserName
 | extend Account_0_NTDomain = NTDomain
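Review bot: The corrected `+` line now reads NTDomain from `User`, but both expressions still yield an empty UserName whenever User carries no backslash, because `split(User, '\\', 1)[0]` returns nothing for a single-token value, and the `Account_0_Name = UserName` mapping on the last context line would then carry an empty account name while NTDomain holds the whole value. User is taken from the `parse EventData` line two lines above; whether it always arrives in DOMAIN\user form is not visible here, so a cheap guard seems worthwhile: `| extend NTDomain = iff(User contains '\\', tostring(split(User, '\\', 0)[0]), ''), UserName = iff(User contains '\\', tostring(split(User, '\\', 1)[0]), User)`. The query block this hunk belongs to begins before the hunk (`query: |` is its heading) and its earlier filtering stages are outside this view.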