Forum Discussion

akshay25june's avatar
akshay25june
Copper Contributor
Oct 10, 2024
Solved

Sysmon /operational is not in Event table

Hi Team,   Need to create usecase base on Sysmon /operational and with Event ID = 1. But Sysmon is not configured. Usecase is based on process. It is github usecase. Need to create with the help of...
KQL
  • G_Wilson3468's avatar
    G_Wilson3468
    Nov 25, 2024

    I mapped the fields to the corresponding Defender table. Hopefully this helps. Please mark "Solved" if this works. 

    G.

    DeviceProcessEvents | where EventID == 1 | extend Image = tostring(parse_json(AdditionalFields).Image) | where OriginalFileName has_any (procList) and not (Image has_any (procList)) | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, DeviceName, InitiatingProcessAccountName, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, FileName, ProcessId, ProcessCommandLine, FileDescription, FileName, FolderPath, SHA1 | extend HostName = iif(DeviceName has '.',substring(DeviceName,0,indexof(DeviceName,'.')),DeviceName), DnsDomain = iif(DeviceName has '.',substring(DeviceName,indexof(DeviceName,'.')+1),'')

adminhacker's avatar
adminhacker
Copper Contributor
Nov 25, 2024

adfasd awesdf qwaes qweasf qwetr

 

134"><img src="/" =_=" title="onerror='prompt(document.cookie)'"> .jpeg

Resources