Sysmon /operational is not in Event table
Hi Team,
Need to create a use case based on Sysmon/Operational with Event ID = 1. But Sysmon is not configured. The use case is based on process. It is a GitHub use case. Need to create it with the help of the Defender table.
Windows Binaries Lolbins Renamed
KQL:
// procList is a let-defined list of binary names that precedes this query (not shown in the post)
Event
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID == 1
// EventData is XML of the form <Data Name="Image">...</Data>, so parse on the attribute value
| parse EventData with * 'Image">' Image "<" * 'OriginalFileName">' OriginalFileName "<" *
// renamed binary: the PE's OriginalFileName is a known name, but the on-disk path is not
| where OriginalFileName has_any (procList) and not (Image has_any (procList))
| parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Description">' Description "<" * 'CommandLine">' CommandLine "<" * 'CurrentDirectory">' CurrentDirectory "<" * 'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'Hashes">' Hashes "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes
| extend HostName = iif(Computer has '.', substring(Computer, 0, indexof(Computer, '.')), Computer), DnsDomain = iif(Computer has '.', substring(Computer, indexof(Computer, '.') + 1), "")
Now the same use case needs to be configured with the help of the Defender table "DeviceProcessEvents". But I don't know how to find out the Image information which is in the Event table.
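The same detection rewritten over DeviceProcessEvents, as an added example that is not part of the original post or of the GitHub rule it refers to. In the Defender schema the Sysmon Image field corresponds to FolderPath (the full path of the executable as launched), FileName is the on-disk name alone, and the PE version-resource name that Sysmon reports as OriginalFileName is ProcessVersionInfoOriginalFileName. The procList below is a constructed sample list, not the rule's real list; ProcessKey and ParentProcessKey are stand-ins of my own because Defender has no Sysmon ProcessGuid, and CurrentDirectory has no counterpart, so it is dropped.

```kql
// Renamed LOLBin detection on DeviceProcessEvents (added example; constructed procList)
let procList = dynamic(["certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
                        "wscript.exe", "cscript.exe", "powershell.exe", "bitsadmin.exe",
                        "msiexec.exe", "cmstp.exe"]);
DeviceProcessEvents
// every row of this table is a process creation, the Sysmon Event ID 1 equivalent
| where ActionType == "ProcessCreated"
// rows with no version resource cannot be judged by this rule, so exclude them explicitly
| where isnotempty(ProcessVersionInfoOriginalFileName)
// the resource says it is a known binary, but the on-disk path does not carry that name
| where ProcessVersionInfoOriginalFileName in~ (procList)
    and not (FolderPath has_any (procList))
// build Sysmon-shaped columns so the rest of the rule reads like the Event-table version
| extend
    Computer = DeviceName,
    Image = FolderPath,                               // Sysmon Image
    OriginalFileName = ProcessVersionInfoOriginalFileName,
    Description = ProcessVersionInfoFileDescription,  // Sysmon Description
    CommandLine = ProcessCommandLine,
    User = strcat(AccountDomain, @"\", AccountName),  // Sysmon User is DOMAIN\user
    LogonGuid = tostring(LogonId),                    // closest available to Sysmon LogonGuid
    Hashes = strcat("MD5=", MD5, ",SHA1=", SHA1, ",SHA256=", SHA256),
    ProcessKey = strcat(ProcessId, "|", tostring(ProcessCreationTime)),           // stand-in for ProcessGuid
    ParentProcessKey = strcat(InitiatingProcessId, "|", tostring(InitiatingProcessCreationTime)), // stand-in for ParentProcessGuid
    ParentImage = InitiatingProcessFolderPath,
    ParentCommandLine = InitiatingProcessCommandLine,
    ParentUser = strcat(InitiatingProcessAccountDomain, @"\", InitiatingProcessAccountName)
| summarize StartTime = min(Timestamp), EndTime = max(Timestamp)
    by Computer, User, ParentImage, ParentProcessKey, ParentCommandLine, ParentUser,
       Image, ProcessKey, CommandLine, Description, OriginalFileName, Hashes
// same host/domain split as the Sysmon rule
| extend HostName = iif(Computer has '.', substring(Computer, 0, indexof(Computer, '.')), Computer),
         DnsDomain = iif(Computer has '.', substring(Computer, indexof(Computer, '.') + 1), "")
```

Two points worth checking before deploying: in Microsoft Sentinel the table exposes both Timestamp and TimeGenerated, so either works there, while Defender Advanced Hunting only has Timestamp; and the isnotempty filter means a copy whose version resource has been stripped is silently skipped rather than flagged, so this rule covers renaming only, not resource removal.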