I am trying to create an alert when specific file extensions are found in any system, an alert is triggered.
For which I have file extensions in a watchlist, I want to write a query that reads data from the file creation event in sysmon and matches each extension with those in the watchlist if any of them exists in the watchlist an alert will be triggered.
So far this is what I am able to process, which is retuning an error saying, Tabular expression is not expected in the current context.
Event | where Source == "Microsoft-Windows-Sysmon" | where EventID == '11' or EventID == '15' | where EventData contains _GetWatchlist('EncryptedFileExtensions') | parse EventData with * 'TargetFilename">C:' FilePathAndExt ':Zone.Identifier<' * | where FilePathAndExt matches regex@'([\.]\w+)' | project EventID, FilePathAndExt