Microsoft Tech Community

unable to find logs


Hi Guys,

I'm writing the KQL below but the result is showing "nothing". Kindly help me.


let ExeList = dynamic(["powershell.exe","cmd.exe","wmic.exe","psexec.exe","cacls.exe","rundll32.exe"]);
Event
| where EventID == 4688
// Parse the EventData XML and pick out the positional <Data> fields of a 4688 event
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend SubjectUserSid = EventDetail.[0].["#text"],
         SubjectUserName = EventDetail.[1].["#text"],
         SubjectDomainName = EventDetail.[2].["#text"],
         NewProcessName = tolower(EventDetail.[5].["#text"]),
         CommandLine = EventDetail.[8].["#text"],
         TargetUserSid = EventDetail.[9].["#text"],
         TargetUserName = EventDetail.[10].["#text"],
         ParentProcessName = EventDetail.[13].["#text"]
| where NewProcessName in (ExeList)


NewProcessName looks like "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"

How do I write the last line so that the let statement matches?


@akshay250692 


When you use "in", the two columns need to match exactly, not as a partial match; this will work:

| where NewProcessName has_any (ExeList)


You could also use parse() to just take the exe name from the end of the NewProcessName string.
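As an added example (not part of the thread), the two approaches from this reply side by side on constructed sample paths, including the splunk-powershell.exe path from the question. The `datatable` stands in for the parsed Event rows; the field names are mine.

```kql
// Added example, not the thread's own query: term matching with has_any versus an
// exact match on the file name pulled off the end of the path.
let ExeList = dynamic(["powershell.exe","cmd.exe","wmic.exe","psexec.exe","cacls.exe","rundll32.exe"]);
// Constructed sample rows standing in for the parsed 4688 events
let Sample = datatable(NewProcessName:string) [
    @"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe",
    @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    @"C:\Windows\System32\cmd.exe",
    @"C:\Windows\System32\notepad.exe"
];
Sample
| extend NewProcessName = tolower(NewProcessName)
// Option 1 (this reply): has_any matches whole terms anywhere in the path, so the
// hyphen-delimited "powershell.exe" inside splunk-powershell.exe is also flagged
| extend HasAnyMatch = NewProcessName has_any (ExeList)
// Option 2: extract the trailing path segment (the exe name) and compare it exactly,
// which keeps the watch list as a list of file names rather than substrings
| extend ExeName = extract(@"([^\\]+)$", 1, NewProcessName)
| extend ExactMatch = ExeName in~ (ExeList)
| project NewProcessName, ExeName, HasAnyMatch, ExactMatch
```

Only the first row differs between the two columns: HasAnyMatch is true and ExactMatch is false for splunk-powershell.exe, so pick the option that matches what the detection is meant to catch.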