Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

SPL

Sysmon - cmd line for non -local connections

Uncategorized

Description

Submitted by jwalzer

1 3 
sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=3 Protocol=tcp Initiated=true | where DestinationIp!="127.0.0.1" AND DestinationHostname!=SourceHostname| table _time User Computer
 ProcessId ProcessGuid DestinationHostname DestinationPort | join type=inner [ search sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1 | table _time ProcessGuid ProcessId CommandLine]

Comments

0 total

Be the first to comment on this SPL.

Leave a comment

You must log in to post a comment.

Ad slot: bottom