I want to implement this correlation search:
`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, TargetProcessId, SourceImage, SourceProcessId | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`
I do not have the required fields from Sysmon log data. I have fields like Image,ParentImage,Processid but do not have TargetImage, TargetProcessId, SourceImage, SourceProcessId. How do I build the above query using the fields I have.
This is a very strange request. If you don't have fields needed for your task, how can other people invent them? Maybe you have some definition that you have in mind but have difficulty implement your ideas? Else, you can illustrate sample data and desired outcome to explain what you really wanted from this correlation?