Skip to content

Commit

Permalink
Update SuspiciousProcessCreation.yaml
Browse files Browse the repository at this point in the history
  • Loading branch information
@v-rusraut
v-rusraut committed Oct 14, 2024
1 parent 8e754bc commit bb13ddf
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -55,10 +55,10 @@ query: |
TargetProcessName,
TargetProcessId,
CommandLine
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), '')
| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')
entityMappings:
- entityType: Host
fieldMappings:
Expand Down

0 comments on commit bb13ddf

Please sign in to comment.