Forum Discussion

akshay25june
Copper Contributor
Oct 10, 2024
Solved

Sysmon /operational is not in Event table

Hi Team,

Need to create a use case based on Sysmon/Operational with Event ID = 1. But Sysmon is not configured. The use case is process-based. It is a GitHub use case. Need to create it with the help of the Defender table.

Windows Binaries Lolbins Renamed

KQL:

Event
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==1
| parse EventData with * 'Image">' Image "<" * 'OriginalFileName">' OriginalFileName "<" *
| where OriginalFileName has_any (procList) and not (Image has_any (procList))
| parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Description">' Description "<" * 'CommandLine">' CommandLine "<" * 'CurrentDirectory">' CurrentDirectory "<" * 'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'Hashes">' Hashes "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')

Now the same use case needs to be configured with the help of the Defender table "DeviceProcessEvents". But I don't know how to find the Image information that is in the Event table.

  • G_Wilson3468
    Iron Contributor

    I mapped the fields to the corresponding Defender table. Hopefully this helps. Please mark "Solved" if this works.

    G.

    // procList is expected to be defined by a preceding let, as in the GitHub use case.
    DeviceProcessEvents
    | where ActionType == "ProcessCreated"   // DeviceProcessEvents has no EventID column; process creation is ActionType
    | extend Image = FolderPath              // Sysmon Image (full path) is FolderPath in Defender; FileName is the last path component
    | where ProcessVersionInfoOriginalFileName has_any (procList) and not (Image has_any (procList))
    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by ActionType, DeviceName, InitiatingProcessAccountName, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, FileName, ProcessId, ProcessCommandLine, ProcessVersionInfoFileDescription, ProcessVersionInfoOriginalFileName, FolderPath, SHA1
    | extend HostName = iif(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName),
             DnsDomain = iif(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), '')
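
As an added example (not code from this thread or from the GitHub use case it refers to), here is the complete renamed-LOLBin query on DeviceProcessEvents with the field mapping spelled out and procList defined inline. The contents of procList are a constructed sample, since the thread never shows the real list; the column names follow the published DeviceProcessEvents schema, and TimeGenerated assumes the table as ingested into Microsoft Sentinel.

```kql
// Added example, not code from the thread. Renamed-LOLBin detection on the
// Defender DeviceProcessEvents table, equivalent to the Sysmon Event ID 1 query above.
// procList is a constructed sample; the GitHub use case's real list is not shown in the thread.
let procList = dynamic(["rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
                        "wscript.exe", "cscript.exe", "msiexec.exe", "powershell.exe"]);
// Field mapping (Sysmon Event ID 1 -> DeviceProcessEvents):
//   Image             -> FolderPath (full on-disk path; FileName is its last component)
//   OriginalFileName  -> ProcessVersionInfoOriginalFileName (from the PE version resource)
//   Description       -> ProcessVersionInfoFileDescription
//   CommandLine       -> ProcessCommandLine
//   User              -> strcat(AccountDomain, '\\', AccountName)
//   ParentImage       -> InitiatingProcessFolderPath
//   ParentCommandLine -> InitiatingProcessCommandLine
//   Hashes            -> SHA1 / SHA256 / MD5
DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Binaries without a version resource have an empty OriginalFileName and cannot be
// checked this way; drop them explicitly instead of letting an empty string fall through.
| where isnotempty(ProcessVersionInfoOriginalFileName)
// The PE resource still says e.g. "RUNDLL32.EXE" after a rename, but the name on disk does not.
| where ProcessVersionInfoOriginalFileName in~ (procList)
| where FileName !in~ (procList)
| extend Image = FolderPath,
         User = strcat(AccountDomain, '\\', AccountName),
         ParentImage = InitiatingProcessFolderPath
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Count = count()
    by DeviceName, User, ParentImage, InitiatingProcessId, InitiatingProcessCommandLine,
       Image, ProcessId, ProcessCommandLine, ProcessVersionInfoFileDescription,
       ProcessVersionInfoOriginalFileName, SHA1, SHA256
| extend HostName = tostring(split(DeviceName, '.')[0]),
         DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), '')
| order by StartTime desc
```

Compared with the has_any used in the thread's queries, in~ and !in~ compare the whole file name case-insensitively, so an entry such as "rundll32.exe" only matches a process whose original or on-disk name is exactly that, not a path that merely contains the term somewhere in a folder name.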
