Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Edit process_cmd_line function template to accept list as parameter #835

Merged
merged 6 commits into from
Mar 6, 2025
Merged

Edit process_cmd_line function template to accept list as parameter #835

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
22ceb03
Cyberint risk key none value
Feb 17, 2025
280396a
Merge branch 'microsoft:main' into main
vx3r Feb 21, 2025
df9f75b
Update process_cmd_line template
Mar 5, 2025
b521fc1
indentation
Mar 5, 2025
ef6fdeb
Merge branch 'main' into process_cmd_line-accept-list
ianhelle Mar 5, 2025
5752c6f
Merge branch 'main' into process_cmd_line-accept-list
ianhelle Mar 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions docs/source/data_acquisition/DataQueries.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ M365D list_host_processes Return all process creatio
M365D mail_message_alerts Lists alerts associated with a specified mail message end (datetime), message_id (str), start (datetime) AlertInfo
M365D mailbox_alerts Lists alerts associated with a specified mailbox end (datetime), mailbox (str), start (datetime) AlertInfo
M365D process_alerts Lists alerts associated with a specified process end (datetime), file_name (str), start (datetime) AlertInfo
M365D process_cmd_line Lists all processes with a command line containing a string (all hosts) cmd_line (str), end (datetime), start (datetime) DeviceProcessEvents
M365D process_cmd_line Lists all processes with a command line containing a list of strings (all hosts) cmd_line (list), end (datetime), start (datetime) DeviceProcessEvents
M365D process_creations Return all processes with matching name or hash (all hosts) end (datetime), process_identifier (str), start (datetime) DeviceProcessEvents
M365D process_paths Return all processes with a matching path (part path) (all hosts) end (datetime), file_path (str), start (datetime) DeviceProcessEvents
M365D protocol_connections Returns connections associated with a specified protocol (port number) end (datetime), protocol (str), start (datetime) DeviceNetworkEvents
Expand Down Expand Up @@ -232,7 +232,7 @@ M365D list_host_processes Return all process creations for
M365D mail_message_alerts Lists alerts associated with a specified mail message end (datetime), message_id (str), start (datetime) AlertInfo
M365D mailbox_alerts Lists alerts associated with a specified mailbox end (datetime), mailbox (str), start (datetime) AlertInfo
M365D process_alerts Lists alerts associated with a specified process end (datetime), file_name (str), start (datetime) AlertInfo
M365D process_cmd_line Lists all processes with a command line containing a string (all hosts) cmd_line (str), end (datetime), start (datetime) DeviceProcessEvents
M365D process_cmd_line Lists all processes with a command line containing a list of strings (all hosts) cmd_line (list), end (datetime), start (datetime) DeviceProcessEvents
M365D process_creations Return all processes with matching name or hash (all hosts) end (datetime), process_identifier (str), start (datetime) DeviceProcessEvents
M365D process_paths Return all processes with a matching path (part path) (all hosts) end (datetime), file_path (str), start (datetime) DeviceProcessEvents
M365D protocol_connections Returns connections associated with a specified protocol (port number) end (datetime), protocol (str), start (datetime) DeviceNetworkEvents
Expand Down
8 changes: 4 additions & 4 deletions msticpy/data/queries/m365d/kql_m365_process.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,16 +71,16 @@ sources:
description: full or partial path
type: str
process_cmd_line:
description: Lists all processes with a command line containing a string (all hosts)
description: Lists all processes with a command line containing a list of strings (all hosts)
metadata:
args:
query: '
{table}
| where {time_column} >= datetime({start})
| where {time_column} <= datetime({end})
| where ProcessCommandLine contains "{cmd_line}"
| where ProcessCommandLine has_any ({cmd_line})
{add_query_items}'
parameters:
cmd_line:
description: Command line artifact to search for
type: str
description: Command line artifacts to search for
type: list
6 changes: 3 additions & 3 deletions msticpy/data/queries/mde/kql_mdatp_process.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ sources:
description: full or partial path
type: str
process_cmd_line:
description: Lists all processes with a command line containing a string (all hosts)
description: Lists all processes with a command line containing a list of strings (all hosts)
metadata:
pivot:
short_name: processes_by_cmdline
Expand All @@ -96,9 +96,9 @@ sources:
{table}
| where Timestamp >= datetime({start})
| where Timestamp <= datetime({end})
| where ProcessCommandLine contains "{cmd_line}"
| where ProcessCommandLine has_any ({cmd_line})
{add_query_items}'
parameters:
cmd_line:
description: Command line artifact to search for
description: Command line artifacts to search for
type: str