redcanaryco / surveyor

A cross-platform baselining, threat hunting, and attack surface analysis tool for security teams.
MIT License
170 stars 59 forks

[FR] Add support for criteria-level query customization #12

Closed keithmccammon closed 1 year ago

keithmccammon commented 5 years ago

When running Surveyor, it may be desirable to customize the query at runtime to make results more accurate.

As an example, when searching for instances of the net.exe command, one may want to exclude processes where the command line includes the parameter "TPAutoConnSvc". In Cb Response queries, this would require appending "-cmdline:TPAutoConnSvc" to the net.exe query at runtime.
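One way to assemble the runtime-customized query described in the comment above, as an added example that is neither Surveyor's own code nor the code on the branch referenced later in this issue. It assumes Cb Response-style `field:value` terms, negation by a leading `-` (as in the comment's `-cmdline:TPAutoConnSvc`), and a hypothetical definition-dict layout (`criteria` -> `query` / `exclude`) that is not the project's real definition-file schema; the sample definition is constructed for the example.

```python
"""Compose Cb Response-style process queries from a base query plus
per-criterion exclusions supplied at run time.

Added example, not surveyor project code. The field names
(process_name, cmdline), the quoting rules and the definition layout
below are assumptions, not the project's schema.
"""


def _term(field, value, negate=False):
    """Render one field:value term.

    Values containing whitespace, parentheses or quotes are wrapped in
    double quotes, with embedded double quotes backslash-escaped
    (assumed escaping convention).
    """
    if any(ch in value for ch in ' \t()"'):
        value = '"' + value.replace('"', '\\"') + '"'
    prefix = "-" if negate else ""
    return f"{prefix}{field}:{value}"


def build_query(base_query, exclusions=None):
    """Append negated terms to an existing query string.

    exclusions: iterable of (field, value) pairs to exclude, e.g.
    [("cmdline", "TPAutoConnSvc")] turns "process_name:net.exe" into
    "process_name:net.exe -cmdline:TPAutoConnSvc".
    """
    parts = [base_query.strip()]
    for field, value in exclusions or ():
        parts.append(_term(field, value, negate=True))
    return " ".join(parts)


def expand_definition(definition, runtime_exclusions=None):
    """Return {criterion_name: full_query} for a definition dict.

    Hypothetical definition layout (assumption, not surveyor's format):
      {"criteria": {name: {"query": "...",
                           "exclude": [[field, value], ...]}}}
    runtime_exclusions maps criterion names to extra [field, value]
    pairs merged in at run time, after the static ones.
    """
    runtime_exclusions = runtime_exclusions or {}
    expanded = {}
    for name, spec in definition["criteria"].items():
        static = [tuple(pair) for pair in spec.get("exclude", [])]
        dynamic = [tuple(pair) for pair in runtime_exclusions.get(name, [])]
        expanded[name] = build_query(spec["query"], static + dynamic)
    return expanded


# Constructed sample definition; not taken from any real definition file.
SAMPLE_DEFINITION = {
    "criteria": {
        "net.exe usage": {
            "query": "process_name:net.exe",
            "exclude": [],
        },
        "net user with spaces": {
            "query": "process_name:net.exe",
            "exclude": [["cmdline", "net user /domain"]],
        },
    }
}

# Constructed runtime exclusions, mirroring the TPAutoConnSvc case above.
SAMPLE_RUNTIME_EXCLUSIONS = {
    "net.exe usage": [["cmdline", "TPAutoConnSvc"]],
}


if __name__ == "__main__":
    for name, query in expand_definition(
        SAMPLE_DEFINITION, SAMPLE_RUNTIME_EXCLUSIONS
    ).items():
        print(f"{name}: {query}")
```

Keeping static exclusions in the definition and runtime exclusions separate means a definition file stays reusable across environments while a given deployment can still drop known-benign noise such as the TPAutoConnSvc command line.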

keithmccammon commented 5 years ago

This is being tracked via branch https://github.com/redcanaryco/cb-response-surveyor/tree/criteria-query-base.

See the notes associated with commit dbcf3dde4901ac22be62e95da7f49e8560c4ddbb for guidance re: using this via a newly formatted definition file.

rc-csmith commented 1 year ago

Related to #86