Forum Discussion
unable to find logs
Hi Guys,
I'm writing the KQL below, but the result shows "nothing". Kindly help me.
let ExeList = dynamic(["powershell.exe","cmd.exe","wmic.exe","psexec.exe","cacls.exe","rundll32.exe"]);
Event
| where EventID==4688
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend CommandLine = EventDetail.[8].["#text"],TargetUserName = EventDetail.[10].["#text"], SubjectUserName = EventDetail.[1].["#text"], TargetUserSid = EventDetail.[9].["#text"], SubjectUserSid = EventDetail.[0].["#text"], NewProcessName = tolower(EventDetail.[5].["#text"]), ParentProcessName = EventDetail.[13].["#text"], SubjectDomainName = EventDetail.[2].["#text"]
| where NewProcessName in (ExeList)
NewProcessName looks like "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
How do I write the last line so that it matches the let statement?
- Clive_Watson (Bronze Contributor)
When you use "in", the two columns need to match, not partially match. This will work:
| where NewProcessName has_any (ExeList)
You could also use parse() to just take the exe name from the end of the NewProcessName string.
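A fuller version of the fix, added here as an example rather than taken from the thread. `has_any` does term matching, so it also matches the Splunk forwarder path from the question (Kusto splits "splunk-powershell.exe" into the terms splunk, powershell, exe, and "powershell.exe" is the adjacent pair powershell, exe). Extracting the file name with `extract()` and comparing it with `in~` matches only the exact executable name, case-insensitively; the `Event` table, the 4688 `EventData` positions and the `ExeList` are the question's own, the `ProcessFileName` column is an assumption.

```kusto
// Added example (not from the thread). Assumes the same Event table and
// 4688 EventData layout as the question; only the final filter changes.
let ExeList = dynamic(["powershell.exe","cmd.exe","wmic.exe","psexec.exe","cacls.exe","rundll32.exe"]);
Event
| where EventID == 4688
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend NewProcessName = tolower(tostring(EventDetail.[5].["#text"])),
         CommandLine = tostring(EventDetail.[8].["#text"]),
         SubjectUserName = tostring(EventDetail.[1].["#text"]),
         ParentProcessName = tostring(EventDetail.[13].["#text"])
// Option 1 (the reply's suggestion): term match. This also matches
// "...\bin\splunk-powershell.exe", because '-' and '\' are term separators.
// | where NewProcessName has_any (ExeList)
// Option 2: compare only the file name (everything after the last backslash),
// exactly and case-insensitively, so "splunk-powershell.exe" does not match.
| extend ProcessFileName = extract(@"[^\\]+$", 0, NewProcessName)
| where ProcessFileName in~ (ExeList)
| project TimeGenerated, Computer, SubjectUserName, ParentProcessName, NewProcessName, CommandLine
```

If the hyphenated forwarder binary is something you do want to catch, keep `has_any` and review the extra hits; otherwise the exact file-name comparison gives the smaller, more precise result set.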