APT demo Detections of the APT simulator

Range -24h@h now

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" | eval tags = split(tag," ") | mvexpand tag | search tag!=report tag!=process tag="APT_*" | timechart count(tag) by dvc $field1.earliest$ $field1.latest$ 1 ellipsisNone 0 visible visible visible none linear none linear none 0 inherit column 50 10 area gaps all 0.01 default shiny none 0 0 ellipsisMiddle standard right 2 progressbar 0 1 medium index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" | eval tags = split(tag," ") | mvexpand tag | search tag!=report tag!=process tag="APT_*" | timechart count by tag $field1.earliest$ $field1.latest$ 1 ellipsisNone 0 visible visible visible none linear none linear none 0 inherit column 50 10 area gaps all 0.01 default shiny none 0 0 ellipsisMiddle standard right 2 progressbar 0 1 medium index=* sourcetype="XmlWinEventLog:*" process!="splunk.exe" process!="btool.exe" | eval tags = split(tag," ") | mvexpand tag | search tag!=report tag!=process tag="APT_*" | fillnull value="n.a." | stats count by host user EventDescription tag parent_process CommandLine | fields - count rt-30m rt 1 20nonenonefalsepreviewfalsefalsetrue index=* sourcetype="XmlWinEventLog:*" EventID=11 | table Image file_path -60m@m now 1 20nonenonefalsefalsefalsetrue index=* sourcetype="XmlWinEventLog:*" EventID=* EventDescription="Network Connect" | eval tags = split(tag," ") | mvexpand tag | search tag!=report tag!=process Image!="*svchost*" protocol!="netbios-ns"| fillnull value="n.a." | stats count by tag app action EventDescription direction dest_host DestinationIp protocol $field1.earliest$ $field1.latest$ 1 20nonenonefalseprogressbarfalsefalsetrue