
added filter to improve performance and added Account entity type
Cyb3rWard0g committed Sep 17, 2021
1 parent 1ced1b3 commit 6289347
Showing 1 changed file with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions Hunting Queries/Syslog/SCXRunAsProviderExecuteShellCommand.yml
Expand Up @@ -24,18 +24,20 @@ tags:
query: |
Syslog
| parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
| project TimeGenerated, EventType, Computer, EventData
// Extract AUOMS_EXECVE details from EventData
| where EventType =~ "AUOMS_EXECVE"
| where EventType =~ "AUOMS_EXECVE" and EventData has '/var/opt/microsoft/scx/tmp'
| project TimeGenerated, EventType, Computer, EventData
| parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid "effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=\"" cmdline "\" containerid=" containerid
// Find wget and curl commands
| where uid == '0'
| where cwd == '/var/opt/microsoft/scx/tmp'
| where comm == 'sh'
| extend Timestamp = TimeGenerated, HostCustomEntity = Computer
| extend Timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = user
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
version: 1.0.0
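Review bot: The new `AccountCustomEntity = user` on the extend line will presumably carry the same value on every hit, because the query keeps only rows with `uid == '0'` and `user` is the name parsed immediately before that uid, so the Account entity adds little for attribution; the login identity captured as `audit_user` (parsed next to `auid` on the same parse line) is the field that would tell an analyst who invoked the SCX provider, e.g. `| extend Timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = audit_user`. The added `EventData has '/var/opt/microsoft/scx/tmp'` pre-filter is correctly placed before the expensive parse, but it is broader than the later exact `cwd == '/var/opt/microsoft/scx/tmp'` check, so the cwd comparison still decides what fires; a comment such as `// cheap term pre-filter only; the exact cwd check below is authoritative` above the where line would keep future editors from loosening or tightening the wrong one. The `query: |` block starts inside the hunk, but the tags and metadata keys above it lie outside the visible section.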
