mirror of https://gitlab.com/curben/blog
fix(defender-incident): combine accountName fields
from evidence{}.userAccount.accountName & evidence{}.loggedOnUsers{}.accountName
This commit is contained in:
parent
643b5ef5c3
commit
e310dd61d1
@ -2,7 +2,7 @@
|
||||||
title: Splunk Threat Hunting
|
title: Splunk Threat Hunting
|
||||||
layout: page
|
layout: page
|
||||||
date: 2025-01-15
|
date: 2025-01-15
|
||||||
updated: 2025-06-30
|
updated: 2025-07-11
|
||||||
---
|
---
|
||||||
|
|
||||||
Some searches utilise [cmdb_ci_list_lookup](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow) lookup.
|
Some searches utilise [cmdb_ci_list_lookup](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow) lookup.
|
||||||
|
|
@ -535,7 +535,8 @@ index="defender" sourcetype="ms365:defender:incident:alerts"
|
||||||
| eval created=strptime(createdDateTime." +0000", "%Y-%m-%dT%H:%M:%S.%QZ %z")
|
| eval created=strptime(createdDateTime." +0000", "%Y-%m-%dT%H:%M:%S.%QZ %z")
|
||||||
```today```
|
```today```
|
||||||
| where created>=relative_time(now(), "@d")
|
| where created>=relative_time(now(), "@d")
|
||||||
| rename evidence{}.* AS *, fileDetails.* AS *, userAccount.* AS *
|
| rename evidence{}.* AS *, fileDetails.* AS *, userAccount.* AS *, loggedOnUsers{}.accountName AS loggedOnUser
|
||||||
|
| eval accountName=coalesce(accountName, loggedOnUser)
|
||||||
| lookup ad_users sAMAccountName AS accountName OUTPUT displayName AS accountUser
|
| lookup ad_users sAMAccountName AS accountName OUTPUT displayName AS accountUser
|
||||||
| lookup cmdb_ci_list_lookup dv_name AS hostName OUTPUT dv_assigned_to AS lastActiveUser
|
| lookup cmdb_ci_list_lookup dv_name AS hostName OUTPUT dv_assigned_to AS lastActiveUser
|
||||||
| eval Time=strftime(created, "%Y-%m-%d %H:%M:%S %z"), "Last Updated"=strftime(_time, "%Y-%m-%d %H:%M:%S %z"), evidence=if(isnotnull(sha1), mvindex(filePath,0)."\\".mvindex(fileName,0), coalesce(url, processCommandLine, "")), hostName=if(hostName=="null", deviceDnsName, hostName), evidenceType=if(isnotnull(url), "#microsoft.graph.security.urlEvidence", "#microsoft.graph.security.fileEvidence"), remediationStatus=mvindex(remediationStatus, mvfind('@odata.type', evidenceType))
|
| eval Time=strftime(created, "%Y-%m-%d %H:%M:%S %z"), "Last Updated"=strftime(_time, "%Y-%m-%d %H:%M:%S %z"), evidence=if(isnotnull(sha1), mvindex(filePath,0)."\\".mvindex(fileName,0), coalesce(url, processCommandLine, "")), hostName=if(hostName=="null", deviceDnsName, hostName), evidenceType=if(isnotnull(url), "#microsoft.graph.security.urlEvidence", "#microsoft.graph.security.fileEvidence"), remediationStatus=mvindex(remediationStatus, mvfind('@odata.type', evidenceType))
|
||||||
|
|
|
||||||
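Review bot: The added `eval accountName=coalesce(accountName, loggedOnUser)` only falls through to the logged-on user when `accountName` is genuinely absent, yet the eval two lines below treats the literal string "null" as this sourcetype's encoding of a missing value (`hostName=="null"`); if `userAccount.accountName` is encoded the same way, the fallback never fires and the `ad_users` lookup is fed the string "null", so `| eval accountName=coalesce(nullif(accountName, "null"), loggedOnUser)` would be safer. Because `loggedOnUsers{}` is an array, the field also becomes multivalue when several accounts are logged on to the device, and `accountUser` from the lookup inherits that, which is worth a short comment in the page since it changes how the column reads in the table. A logged-on user is weaker attribution than the alert's own user evidence, so an extra field such as `accountSource=if(isnotnull(accountName), "userAccount", "loggedOnUser")` (computed before the coalesce) would let an analyst tell which source the name came from. The search this hunk patches starts before the hunk (the `index="defender"` line shown in the hunk header), so the full set of fields available to the `rename` cannot be confirmed from here.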