+ "query": "(tgt.process.name = \"attrib.exe\" AND tgt.process.cmdline contains:anycase \" +h \") NOT (tgt.process.cmdline contains:anycase (\"+R +H +S +A *.cui\", \"\\\\desktop.ini\", \"c:\\\\windows\\\\temp\",\".drawio.dtmp\",\".drawio.bkp\"))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline), UniqueTgtCmdlines=array_agg_distinct(tgt.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, tgt.process.name, tgt.process.verified\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', '), AllTgtCmdlines = UniqueTgtCmdlines.to_string(', ')\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, tgt.process.name, tgt.process.verified, AllSrcCmdlines, AllTgtCmdlines, Count\n| sort -Count\n| limit 100000"