Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How i can add ScriptBlockText field ?

zksvc
Contributor
‎08-26-2024 09:25 PM

When i want to enable use case "ESCU - Windows Gather Victim Host Information Camera - Rule" the query in corellation search is like this 

index=* source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=* ScriptBlockText= "* Win32_PnPEntity *" ScriptBlockText= "*SELECT*" ScriptBlockText= "*WHERE*" ScriptBlockText = "*PNPClass*" ScriptBlockText IN ("*Image*", "*Camera*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_host_information_camera_filter` 

 

From this query it calling ScriptBlockText field but when i check it in all fields i only can find ScriptBlock_ID fields

zksvc_0-1724731841273.png

 

Question is how i can get field ScriptBlockText ? because when i explore more Use Case too much Correlation Search using ScriptBlockText field.

 

Thankyou



Labels (2)
Labels
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...

Index This | What is feather-light but cannot be held long?

May 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

.conf26 Registration is Live: Secure Your Early Bird Pass Now

  Lock in Your Spot: Registration Open for .conf26 in Denver Hello Splunkers, I have exciting news! Your ...