Base search to get event counts by EventCode:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational | stats count by EventCode
EventCode 1:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=1 | stats values(Image) AS Image, values(CommandLine) AS CommandLine, values(Hashes) AS Hashes, count by ParentImage
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=1 | stats values(ParentImage) AS ParentImage, values(CommandLine) AS CommandLine, values(Hashes) AS Hashes, count by Image
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=1 | stats values(Image) AS Image, values(ParentImage) AS ParentImage, values(Hashes) AS Hashes, count by CommandLine
EventCode 2:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=2 | stats values(TargetFilename) AS TargetFilename, count by Image
EventCode 3:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=3 | stats values(DestinationIp) AS DestinationIp, count by Image
EventCode 5:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=5 | stats values(Hashes) AS Hashes, count by Image
EventCode 6:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=6 | stats values(Signature) AS Signature, values(Hashes) AS Hashes, count by ImageLoaded
EventCode 7:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=7 | stats values(ImageLoaded) AS ImageLoaded, values(Hashes) AS Hashes, count by Image
EventCode 8:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=8 | stats count by SourceImage, TargetImage
EventCode 9:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=9 | stats values(Device) AS Device, count by Image
EventCode 10:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=10 | stats count by SourceImage, TargetImage
EventCode 11:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=11 | stats values(TargetFilename) AS TargetFilename, count by Image
EventCode 12:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=12 | stats values(TargetObject) AS TargetObject, count by Image
EventCode 13:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=13 | stats values(TargetObject) AS TargetObject, count by Image
EventCode 14:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=14 | stats values(TargetObject) AS TargetObject, count by Image
EventCode 15:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=15 | stats values(TargetFilename) AS TargetFilename, values(Hashes) AS Hashes, count by Image
EventCode 17:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=17 | stats values(PipeName) AS PipeName, count by Image
EventCode 18:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=18 | stats values(PipeName) AS PipeName, count by Image
EventCode 22:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=22 | stats count by Image
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=22 | stats count by QueryName
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=22 | stats count by QueryResults
EventCode 23:
source=xmlwineventlog:Microsoft-Windows-Sysmon/Operational EventCode=23 | stats values(TargetFilename) AS TargetFilename, count by Image