@@ -33,15 +33,10 @@ questions:
3333 document_id|expand: '%document_id%'
3434 condition: selection
3535 fields:
36- - hostname
3736 - User
3837 - Image
3938 - CommandLine
4039 - ParentImage
41- - ParentCommandLine
42- - ParentUser
43- - ProcessGuid
44- - ParentProcessGuid
4540
4641 - question : Is history deletion normal for this user?
4742 context : |
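Review bot: Dropping ProcessGuid and ParentProcessGuid from this `fields:` list looks risky given that a later question in the same file still keys its selection on `ParentProcessGuid|expand: '%ParentProcessGuid%'`; if the fields list is what carries values forward for `%...%` expansion, that later query will have nothing to expand, so please confirm the placeholder still resolves. Removing hostname here also weakens the last thread ("Has this deletion pattern occurred on other systems?"), which needs a host identifier to pivot on, and the commit gives no rationale for pruning ParentCommandLine and ParentUser from a question about whether history deletion is normal for this user. Suggest keeping at least hostname, ParentUser and the two GUIDs, or documenting why they are no longer needed.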
@@ -106,7 +101,6 @@ questions:
106101 condition: all of selection*
107102 fields:
108103 - User
109- - CommandLine
110104
111105 - question : Is this part of a system cleanup script or tool?
112106 context : |
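Review bot: Leaving only `- User` in this fields list hides the actual deletion command from the analyst, which is the one value needed to judge the question it answers; `- CommandLine` was the evidence, `User` is only the attribution. Suggest restoring CommandLine alongside User.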
@@ -126,9 +120,10 @@ questions:
126120 ParentProcessGuid|expand: '%ParentProcessGuid%'
127121 condition: selection
128122 fields:
123+ - ParentImage
124+ - ParentCommandLine
129125 - Image
130126 - CommandLine
131- - User
132127
133128 # Thread 2: Activity Context (4 questions)
134129 # Understand what happened without assuming malice
@@ -154,7 +149,6 @@ questions:
154149 fields:
155150 - Image
156151 - CommandLine
157- - ParentImage
158152
159153 - question : Were multiple history files or other logs deleted?
160154 context : |
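Review bot: Removing `- ParentImage` here leaves Image and CommandLine only, so an analyst can no longer see whether the deleting process was spawned by a shell, a scheduled job or a service without re-querying; since the next question asks whether multiple history files or logs were deleted, the parent is what ties those events together. Consider keeping ParentImage, or state in the commit why it is redundant for this query.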
@@ -187,7 +181,6 @@ questions:
187181 condition: all of selection*
188182 fields:
189183 - CommandLine
190- - Image
191184
192185 - question : How did the user gain access to this system?
193186 context : |
@@ -217,8 +210,7 @@ questions:
217210 condition: selection
218211 fields:
219212 - Image
220- - CommandLine
221- - ParentImage
213+ - User
222214
223215 - question : What file operations occurred after the deletion?
224216 context : |
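Review bot: For the question "How did the user gain access to this system?" the fields now shown are Image and User, but the most direct evidence of access is the process ancestry (the removed `- ParentImage`, e.g. an ssh daemon versus an interactive terminal versus a web server) and the removed `- CommandLine`; swapping both out for `- User` answers "who" rather than "how". Suggest keeping ParentImage in addition to User.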
@@ -241,7 +233,6 @@ questions:
241233 fields:
242234 - Image
243235 - CommandLine
244- - ParentImage
245236
246237 # Thread 3: Impact Assessment (3 questions)
247238 # Determine scope and risk if unauthorized
@@ -299,7 +290,6 @@ questions:
299290 condition: all of selection*
300291 fields:
301292 - TargetFilename
302- - Image
303293
304294 - question : Has this deletion pattern occurred on other systems?
305295 context : |
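Review bot: With `- Image` removed this query surfaces TargetFilename alone, so the analyst sees which files were touched but not which process touched them, which matters for the impact-assessment thread this sits in and for the cross-host comparison asked next; since the Image column also costs nothing in an `all of selection*` query, suggest restoring it.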