\Log_Searchs\Search.txt (SWELF SEARCH FILE)
-
~ is "Tilde Char".
-
App only needs {Search Commands in v 0.1.0.9}/{Search Term} to run. But the more details you provide the better the search.
-
{Term or statement to search for}{Search Commands in v 0.1.1.0} "Tilde Char" {EventLogName} "Tilde Char" {EventID}
| Search Command | Example | Notes |
|---|---|---|
| count: | count:{string to find}:{Min num of occurances} | |
| logging_level: | log_level: {Log Severity Level} ~ EventLog Name ~ | |
| eventdata_length: | eventdata_length:{Min num of occurances} | |
| regex: | regex:{Create your own Regular Expression} | |
| not_in_log: | not_in_log:thing1'thing2'etc~ EventLog Name ~ EventID | This now works logically like !search_multiple in version 0.5.0.2 and later |
| commandline_count: | commandline_count:{Key Phrase/Word}:{Min num of occurances} | Sysmon and Security Log Only |
| commandline_contains: | commandline_contains:{Key Phrase/Word}:{Min num of occurances} | Sysmon and Security Log Only |
| commandline_length: | commandline_length:{Min num of occurances} | Sysmon and Security Log Only |
| network_connect: | Sysmon Only | |
| search_multiple: | search_multiple: thing1 ` thing2 ~ EventLogName(Not required) ~ EventID(Not required) |
example: eventdata_length:200
example: regex:\b\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\b
example: count:;:8
example: eventdata_length:9000
example commandline_length:500
(Only works for Sysmon and Windows Powershell Logs)
example commandline_contains:<script>
example not_in_log:svchost.exe -k ~ Microsoft-Windows-Sysmon/Operational ~
example search_multiple: powershell ` cmd ~ Microsoft-Windows-Sysmon/Operational~
(the ` char will separate each term to search for. Up to 19 things to find a long that they all exists together in)
example network_connect:443:powershell
(Only works for Sysmon)
- Home
- How it Works
- Knowledge Base
- Configuration
- Searchs
- Plugins
- Usage
- Extras
- SWELF Logging
- SWELF Development