cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Kz
Engager
Member since: ‎05-23-2021
‎05-24-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎05-23-2021
Topics I've Started
No posts to display.
View All

Re: How to properly map windows Endpoint DataModel...

by in Splunk Enterprise Security
‎05-23-2021 07:33 PM
1 Karma
‎05-23-2021 07:33 PM
1 Karma
Windows Event 4688 + tick the Command Line logging wineventlog : EVAL-parent_process_id parent_process_id Creator_Process_ID wineventlog : EVAL-parent_process_name parent_process_name case(EventCode=="4688", replace(Creator_Process_Name,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)","")) wineventlog : EVAL-parent_process_path parent_process_path Creator_Process_Name wineventlog : EVAL-process_command_line process_command_line Process_Command_Line wineventlog : EVAL-process_id process_id New_Process_ID wineventlog : EVAL-process_name process_name case(EventCode=="4688",replace(New_Process_Name,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"") wineventlog : EVAL-process_path process_path case(EventCode=="4688",New_Process_Name) ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-24-2021 07:18 PM
Karma from
View All
Top