am trying to get all 500 reports into a csv so I can utilize them as a lookup so the rules that are created can have better uniformity and more scalability and control. I am currently looking into su...
See more...
am trying to get all 500 reports into a csv so I can utilize them as a lookup so the rules that are created can have better uniformity and more scalability and control. I am currently looking into sub searches and Automatic look ups. Do you know would be the best to move a query like `indextime` `sysmon` <SEARCH>
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="",
mitre_category="Defense_Evasion",
mitre_technique="Obfuscated Files or Information",
mitre_technique_id="T1027",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="",
mitre_link="https://attack.mitre.org/techniques/T1027/",
creator="",
upload_date="FIRSTDATE",
last_modify_date="CURRENTDATE",
mitre_version="v16",
priority=""
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
| collect `the_new_index` I'm trying to have a csv with all of the evals as columns and if a field hits in the search_field it will populate the data the same as all of our reports but for only one lookup.