24 строки
838 B
Plaintext
24 строки
838 B
Plaintext
// Name: Office Activity related to File
|
|
// Description: Any Office Activity related to a given File during the range of +6h and -6h
|
|
//
|
|
// Id: 736cb754-e31d-40b0-9e60-7da321e91da4
|
|
//
|
|
// Entity: #File
|
|
// Input: Filename
|
|
// Output: Host, Account
|
|
//
|
|
// QueryPeriod: +6h and -6h default, change as needed
|
|
//
|
|
// DataSource: OfficeActivity
|
|
//
|
|
// Tactics: #Persistence, #Discovery, #Lateral Movement, #Collection
|
|
//
|
|
let GetOfficeActWithFile = (suspiciousEventTime:datetime, v_File:string){
|
|
let v_StartTime = suspiciousEventTime-6h;
|
|
let v_EndTime = suspiciousEventTime+6h;
|
|
OfficeActivity
|
|
| where TimeGenerated between (v_StartTime .. v_EndTime)
|
|
| where DestinationFileName contains v_File or SourceFileName contains v_File
|
|
};
|
|
// change datetime value and <filename> value below
|
|
GetOfficeActWithFile(datetime('2019-01-18T10:36:07Z'), "<filename>") |