ManderVoronwe / soc-g3


Creation of a scheduled task #2

Open tidalwaave opened 7 months ago

tidalwaave commented 7 months ago

Splunk Query

eventtype=wineventlog_security EventCode=4698 
| xmlkv Message 
| search Command IN ("*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden 

Alert Priority:

LOW

tidalwaave commented 7 months ago

ON A DC: HIGH

NOT ON A DC: Medium

tidalwaave commented 7 months ago

ON A DC: source="WinEventLog:Security" EventCode=4698 ComputerName="DC01.reynholm.inc"

NOT ON A DC: source="WinEventLog:Security" EventCode=4698 ComputerName!="DC01.reynholm.inc"

tidalwaave commented 7 months ago

On / Off DC Added
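The detection this thread describes (Event ID 4698 whose task Command sits under one of the listed directories, rated HIGH on DC01.reynholm.inc and Medium elsewhere), as an added Python example that is not part of the soc-g3 repository. The sample events and the Task XML builder are constructed here, and Task_Name is assumed to arrive as an already-extracted event field, as the Splunk query expects.

```python
import xml.etree.ElementTree as ET

# Directories from the issue's `search Command IN (...)` clause, matched case-insensitively.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\programdata\\", "\\temp\\",
                   "\\windows\\tasks\\", "\\appdata\\", "\\perflogs\\")
DOMAIN_CONTROLLERS = {"DC01.reynholm.inc"}   # host named in the issue's ComputerName filter

def xml_kv(message: str) -> dict:
    """Flatten leaf XML elements into {local_name: text}, mimicking Splunk's `xmlkv`."""
    fields = {}
    for elem in ET.fromstring(message).iter():
        if len(elem) == 0 and elem.text:
            fields[elem.tag.rsplit("}", 1)[-1]] = elem.text.strip()  # drop the task-schema namespace
    return fields

def evaluate(event: dict):
    """Return an alert for a 4698 event whose task Command lives in a suspicious directory, else None."""
    if event.get("EventCode") != 4698:
        return None
    kv = xml_kv(event["Message"])
    command = kv.get("Command", "")
    if not any(d in command.lower() for d in SUSPICIOUS_DIRS):
        return None
    on_dc = event["ComputerName"] in DOMAIN_CONTROLLERS
    return {"dest": event["ComputerName"], "Task_Name": event.get("Task_Name", ""),
            "Command": command, "Author": kv.get("Author", ""),
            "Enabled": kv.get("Enabled", ""), "Hidden": kv.get("Hidden", ""),
            "priority": "HIGH" if on_dc else "Medium"}   # priorities from the issue

def task_xml(author: str, command: str, hidden: str = "false") -> str:
    """Build a minimal, constructed Task Scheduler XML body of the kind a 4698 event carries."""
    return (f'<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task" version="1.2">'
            f"<RegistrationInfo><Author>{author}</Author></RegistrationInfo>"
            f"<Settings><Enabled>true</Enabled><Hidden>{hidden}</Hidden></Settings>"
            f"<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>")

# Constructed sample events: a hidden task on the DC, a benign task, and a task on a workstation.
SAMPLE_EVENTS = [
    {"EventCode": 4698, "ComputerName": "DC01.reynholm.inc", "Task_Name": "\\Updater",
     "Message": task_xml("REYNHOLM\\admin", "C:\\Users\\Public\\svc.exe", "true")},
    {"EventCode": 4698, "ComputerName": "WS02.reynholm.inc", "Task_Name": "\\Microsoft\\Windows\\Defrag",
     "Message": task_xml("SYSTEM", "C:\\Windows\\System32\\defrag.exe")},
    {"EventCode": 4698, "ComputerName": "WS02.reynholm.inc", "Task_Name": "\\OneDriveSync",
     "Message": task_xml("REYNHOLM\\jen", "C:\\ProgramData\\update.exe")},
]

def run(events=SAMPLE_EVENTS) -> list:
    """Evaluate every event and keep only the alerts, in input order."""
    return [a for a in (evaluate(e) for e in events) if a]
```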