History | eval “Nation City” = Nation

| lookup assistance_learn assistance Returns Area Nation ComputerName MachineDomain | rex job=UserPrincipal “^(? \w+).(? \w+)(*)” | eval “Name”= First.” “.”,”.

[browse ComputerName=”EHTT1-DHD2NH2″ event_simpleName=”ProcessRollup2″ earliest=- |regex CommandLine!=”(?i)iexplore\.exe|chrome\.exe|MicrosoftEdgeCP\.exe|firefox\.exe|google|smartscreen\.exe|OneDrive\.exe|SearchUI\.exe|mimecast\|MicrosoftEdge\.exe”] |rex industry=CommandLine “(? [^\\\\]+)$” | eval “Last Viewed (UTC)”=strftime(_go out, “%m/%d/%y %I:%M%p”) |statistics sparkline count philosophy(CommandLine) values(DomainName) dc(“History Viewed (UTC)”) from the FileName SHA256HashData

event_platform=Mac computer skills_simpleName=ProcessSelfDeleted |chart search=”look feel_simpleName=*ProcessRollup2 help=$aid$ TargetProcessId_decimal=$ContextProcessId_decimal$” |dedup support,SHA256HashData |eval CommandLine=substr(CommandLine,1,50) |stats values(CommandLine) since Purchases, dc(aid) just like the UniqueAgentCount from the SHA256HashData |register sorts of=outside SHA256HashData [lookup feel_platform=Mac event_simpleName=*ProcessRollup2 |better SHA256HashData maximum=10000 from the support |statistics dc(aid) because the CommonGPopCount from the SHA256HashData] |sign-up particular=outer SHA256HashData [look enjoy_platform=Mac skills_simpleName=*ProcessRollup2 |rare SHA256HashData restriction=10000 by the assistance |stats dc(aid) as the RareGPopCount of the SHA256HashData] |fillnull worthy of=0 CommonGPopCount |fillnull really worth=0 RareGPopCount |search UniqueAgentCount=step one CommonGPopCount

|eval ParentCommandLine=coalesce(ParentCommandLine,”IamAnOrphan”) |lookup ParentCommandLine=”IamAnOrphan” |eval ChildCommandLine=substr(ChildCommandLine,1,50) |stats philosophy(ChildCommandLine) due to the fact Commands, max(duration) because the stage, dc(aid) just like the AgentsWithHash by SHA256HashData |research AgentsWithHash=1 |sign-up type=external SHA256HashData [lookup event_platform=Mac computer feel_simpleName=VT |statistics share(detectionCount) given that VTCount of the sha256 |rename sha256 because SHA256HashData]

| inputlookup managedassets.csv | eval “History Seen (UTC)”=strfday(_big date, “%m/%d/%y %I:%M%p”)| kinds 0 -“Past Viewed (UTC)” | look oui.csv MACPrefix Output Name brand | fillnull really worth=NA Name brand | eval Brand name=if(Manufacturer=”NA”,InterfaceDescription,Manufacturer)

| sign up aid [| inputlookup assistance_grasp where cid=* | eval “Past Viewed (UTC)”=strfgo out(_date, “%m/%d/%y %I:%M%p”) | kinds 0 -“History Seen (UTC)” | browse oui.csv MACPrefix Returns Name brand | fillnull value=NA Brand name | eval Brand=if(Manufacturer=”NA”,InterfaceDescription,Manufacturer) | dedup help]

| append [| inputlookup append=t unmanaged_high.csv in which cid=* MACPrefix!=not one LocalAddressIP4=* LocalAddressIP4!=not one | rename ComputerName As “Past Located Of the”| append [ inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none | rename ComputerName Due to the fact “History Discover By the”]| append [| inputlookup append=t unmanaged_reasonable.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=nothing | rename ComputerName As “Last Discovered By the”] | append [| inputlookup notsupported.csv in which cid=* MACPrefix!=nothing LocalAddressIP4=* LocalAddressIP4!=nothing | rename ComputerName Because the “Last Found Of the” ] | eval “Past Viewed (UTC)”=strftime(_date, “%m/%d/%y %I:%M%p”) | fillnull worth=null help | eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4,” “))) | eval discoverer_aid=mvsort(mvdedup(split(discoverer_help,” “))) | eval aip=mvsort(mvdedup(split(aip,” “))) | kinds 0 -“Past Viewed (UTC)” | lookup oui.csv MACPrefix Yields Name brand, ManufacturerAddress | fillnull worthy of=NA Manufacturer | eval Brand name=if(Manufacturer=”NA”,InterfaceDescription,Manufacturer) ]

|head a hundred |stats amount very first(_time) due to the fact basic of the username sourcetype | eval basic=strftime(basic,”%m/%d/%y %H:%M:%S”) | eval username=lower(username) | stats count from the login name sourcetype very first | dedup username

| inputlookup managedassets.csv | eval “History Seen (UTC)”=strftime(_date, “%m/%d/%y %I:%M%p”) | sort 0 -“Last Seen (UTC)” | research oui.csv MACPrefix Output Brand | fillnull value=NA Brand name | eval Manufacturer=if(Manufacturer=”NA”,InterfaceDescription,Manufacturer)

| sign up support [| inputlookup help_grasp in escort in Thousand Oaks which cid=* | eval “Past Seen (UTC)”=strfbig date(_time, “%m/%d/%y %I:%M%p”) | type 0 -“Past Seen (UTC)” | research oui.csv MACPrefix Output Brand name | fillnull worth=NA Brand name | eval Company=if(Manufacturer=”NA”,InterfaceDescription,Manufacturer) | dedup help]

| append [| inputlookup append=t unmanaged_high.csv where cid=* MACPrefix!=not one LocalAddressIP4=* LocalAddressIP4!=not one | rename ComputerName Because “Last Found From the” | append [ inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=nothing LocalAddressIP4=* LocalAddressIP4!=none | rename ComputerName Because “Last Discover Of the”] | append [| inputlookup append=t unmanaged_reasonable.csv in which cid=* MACPrefix!=not one LocalAddressIP4=* LocalAddressIP4!=nothing | rename ComputerName As “History Receive By the”] | append [| inputlookup notsupported.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=nothing | rename ComputerName Because the “History Found Of the” ] | eval “Last Viewed (UTC)”=strfgo out(_time, “%m/%d/%y %I:%M%p”) | fillnull worthy of=null support | eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4,” “))) | eval discoverer_assistance=mvsort(mvdedup(split(discoverer_support,” “))) | eval aip=mvsort(mvdedup(split(aip,” “))) | types 0 -“History Seen (UTC)” | look oui.csv MACPrefix Returns Name brand, ManufacturerAddress | fillnull really worth=NA Brand | eval Brand=if(Manufacturer=”NA”,InterfaceDescription,Manufacturer) ]