
Commit

Merge pull request #4063 from samikroy/patch-6
Fix for #4060
aprakash13 committed Feb 2, 2022
2 parents bc5f158 + ae46770 commit f269e39
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions Detections/MultipleDataSources/SOURGUM_IOC.yaml
@@ -90,7 +90,7 @@ query: |
| where EventID == 3
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend SourceIP = EventDetail.[9].["#text"], DestinationIP = EventDetail.[14].["#text"], Image = EventDetail.[4].["#text"]
| extend SourceIP = tostring(EventDetail.[9].["#text"]), DestinationIP = tostring(EventDetail.[14].["#text"]), Image = EventDetail.[4].["#text"]
| where Image has_any (file_path1) or Image has_any (file_path3)
| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type
| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = 'SOURGUM IOC detected'
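Review bot: The `Image` column in the new `extend` line is still left as a dynamic value while `SourceIP` and `DestinationIP` are now wrapped in `tostring()`; for consistency, and because the same pipeline later applies `has_any` and `split(Image, '\\', -1)` to it, change it to `Image = tostring(EventDetail.[4].["#text"])` in the same hunk. The conversion of the IP columns is the right fix since `DestinationIP` is surfaced as `IPCustomEntity` and entity mapping needs a string column rather than a dynamic one. One caveat worth a comment in the query: the positional indexes `[9]`, `[14]` and `[4]` assume the field order of the Sysmon EventID 3 `EventData` payload, so a schema change would silently shift which field lands in each column.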
@@ -179,5 +179,5 @@ entityMappings:
columnName: AlgorithmCustomEntity
- identifier: Value
columnName: FileHashCustomEntity
version: 1.0.1
kind: Scheduled
version: 1.0.2
kind: Scheduled
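Review bot: The bump from `version: 1.0.1` to `version: 1.0.2` is the right accompaniment to the query change above, so the updated rule template is picked up as a new revision; nothing further to change in this hunk. It would help reviewers if the PR description recorded that the only functional change is the `tostring()` conversion of the IP columns, since the version field alone does not say what changed.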

0 comments on commit f269e39
