Added AH query, identify accounts logged on to endpoints affected by Cobalt Strike #145
Identify accounts logged on to endpoints affected by Cobalt Strike
Thanks for contributing!
Currently this query will run on MDATP only (DeviceAlertEvents exists only in MDATP). Can you please adjust it to work on MTP as well, using the tables AlertInfo and AlertEvidence?
Can you please add a time limit to the query? For example: | where Timestamp > ago(7d)
In addition, can you please put it in the Credential access folder, which I saw is the technique it represents :)
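The two reviewer requests above (query AlertInfo joined to AlertEvidence instead of the MDATP-only DeviceAlertEvents, and bound the search to the last 7 days), written out as one Advanced Hunting query. This is an added example, not the query file from this PR. The match on an alert Title containing "Cobalt Strike", the join to DeviceLogonEvents to recover the accounts that signed in, and the renamed output columns are assumptions about the Microsoft 365 Defender schema and are not taken from the page.

```kql
// Added example (not the PR's own file): accounts that logged on to devices
// carrying a Cobalt Strike alert, built on the cross-product tables
// AlertInfo + AlertEvidence rather than the MDATP-only DeviceAlertEvents.
// Assumptions: Cobalt Strike alerts are identified by their Title, and the
// 7-day window follows the reviewer's suggested filter.
let lookback = 7d;
// Step 1: devices named as evidence on Cobalt Strike alerts in the window.
let CobaltStrikeDevices =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where Title has "Cobalt Strike"                 // assumed matching criterion
    | join kind=inner (
        AlertEvidence
        | where Timestamp > ago(lookback)
        | where EntityType == "Machine"               // keep only device evidence
        | project AlertId, DeviceId, DeviceName
      ) on AlertId
    | project AlertId, AlertTime = Timestamp, Title, Severity, DeviceId, DeviceName;
// Step 2: successful logons on those devices, summarised per account so an
// analyst can see which credentials were exposed on each affected host.
CobaltStrikeDevices
| join kind=inner (
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | project LogonTime = Timestamp, DeviceId, AccountDomain, AccountName, LogonType, RemoteIP
  ) on DeviceId
| summarize LogonCount = count(),
            FirstLogon = min(LogonTime),
            LastLogon = max(LogonTime),
            Alerts = make_set(Title)
          by DeviceName, AccountDomain, AccountName, LogonType
| order by LogonCount desc
```

Filtering AlertEvidence to EntityType == "Machine" before the join keeps user, file and IP evidence rows from multiplying the result; the summarize step then gives one row per device and account, which is the shape a triage analyst needs when deciding which credentials to reset.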
@tali-ash Thanks for the review. I was out for a week, so I didn't see this until today. I just pushed a commit that should address the changes requested.
@endisphotic, @tali-ash, Marty is helping add the threat analytics queries to this repo, but might need your help adjusting the queries as necessary.
Hi @martyav, I made some changes to the query and updated the file itself. This is how it should be written, as I understand it; please review it before I insert it into master.
Thanks for the review. It looks good -- other queries in the older docs I am drawing upon will probably need similar updates.
@lomayor I updated the file to replace "Ploty" with "Cosipor".
I'm an internal contributor, tasked with adding AH queries from TA reports.
Before I get too far in, I wanted to get a review.
This file covers a query that identifies accounts logged on to endpoints affected by Cobalt Strike.