Jul 17 2023 05:37 AM - edited Jul 17 2023 05:40 AM
Hi Guys,
I'm writing the KQL below, but the result shows "nothing". Kindly help me.
let ExeList = dynamic(["powershell.exe","cmd.exe","wmic.exe","psexec.exe","cacls.exe","rundll32.exe"]);
Event
| where EventID==4688
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend CommandLine = EventDetail.[8].["#text"],
         TargetUserName = EventDetail.[10].["#text"],
         SubjectUserName = EventDetail.[1].["#text"],
         TargetUserSid = EventDetail.[9].["#text"],
         SubjectUserSid = EventDetail.[0].["#text"],
         NewProcessName = tolower(EventDetail.[5].["#text"]),
         ParentProcessName = EventDetail.[13].["#text"],
         SubjectDomainName = EventDetail.[2].["#text"]
| where NewProcessName in (ExeList)
NewProcessName looks like "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
How do I write the last line so that the let statement matches?
Jul 17 2023 06:40 AM
When you use "in", the two columns need to match exactly, not partially; this will work:
| where NewProcessName has_any (ExeList)
You could also use parse() to just take the exe name from the end of the NewProcessName string.
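As an added example (not the poster's or the answerer's query), this is the parse-the-exe-name variant of the answer: it takes the file name from the end of NewProcessName with parse_path() and then uses an exact, case-insensitive `in~` against ExeList. It assumes the same Event/4688 layout and Data positions as the question above, and the standard Log Analytics TimeGenerated and Computer columns.

```kql
// Added example; assumes the poster's Event table and Data positions.
let ExeList = dynamic(["powershell.exe","cmd.exe","wmic.exe","psexec.exe","cacls.exe","rundll32.exe"]);
Event
| where EventID == 4688
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend NewProcessName = tolower(tostring(EventDetail.[5].["#text"])),
         CommandLine = tostring(EventDetail.[8].["#text"]),
         ParentProcessName = tostring(EventDetail.[13].["#text"])
// parse_path() splits the full path; Filename is the last segment,
// e.g. "splunk-powershell.exe" for the path in the question.
| extend ExeName = tostring(parse_path(NewProcessName).Filename)
// Exact match on the executable name only (in~ ignores case).
// Note the difference from has_any: has_any works on whole terms,
// so has_any("powershell.exe") also matches "splunk-powershell.exe"
// (terms "splunk", "powershell", "exe"), while this filter does not.
| where ExeName in~ (ExeList)
| project TimeGenerated, Computer, ExeName, NewProcessName, ParentProcessName, CommandLine
```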