admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '05f030014c'
${ noResults }
Deploiement_Server/deployment-apps/TA-microsoft-sysmon/default/workflow_actions.conf

48 lines
2.3 KiB
Raw Blame History

[get_parent_process_create]
display_location = both
eventtypes = ms-sysmon-*
fields = ParentProcessGuid, host
label = Get parent process creation event
search.app = search
search.search_string = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=$host$ ProcessGuid=$ParentProcessGuid$ $ParentProcessGuid$ | head 1 | table _time host EventCode EventDescription LogonId User IntegrityLevel process ProcessId Image CommandLine CurrentDirectory Hashes ParentImage ParentCommandLine | transpose
search.target = blank
type = search
search.earliest = -35d@d
search.latest = now
[get_process_create]
display_location = both
eventtypes = ms-sysmon-*
fields = ProcessGuid, host
label = Get process creation event
search.app = search
search.search_string = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=$host$ ProcessGuid=$ProcessGuid$ $ProcessGuid$ | head 1 | table _time host EventCode EventDescription LogonId User IntegrityLevel process ProcessId Image CommandLine CurrentDirectory Hashes ParentImage ParentCommandLine | transpose
search.target = blank
type = search
search.earliest = -35d@d
search.latest = now
[get_process_create_sysmon_create_remote_thread]
display_location = both
eventtypes = ms-sysmon-*
fields = SourceProcessGuid, host
label = Get process creation event
search.app = search
search.search_string = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=$host$ ProcessGuid=$SourceProcessGuid$ $SourceProcessGuid$ | head 1 | table _time host EventCode EventDescription LogonId User IntegrityLevel process ProcessId Image CommandLine CurrentDirectory Hashes ParentImage ParentCommandLine | transpose
search.target = blank
type = search
search.earliest = -35d@d
search.latest = now
[get_process_create_sysmon_process_access]
display_location = both
eventtypes = ms-sysmon-*
fields = SourceProcessGUID, host
label = Get process creation event
search.app = search
search.search_string = source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=$host$ ProcessGuid=$SourceProcessGUID$ $SourceProcessGUID$ | head 1 | table _time host EventCode EventDescription LogonId User IntegrityLevel process ProcessId Image CommandLine CurrentDirectory Hashes ParentImage ParentCommandLine | transpose
search.target = blank
type = search
search.earliest = -35d@d
search.latest = now
Reference in new issue View Git Blame Copy Permalink