playbook/dev/sigma/category: 1 file changed, +5 -3 lines
@@ -48,6 +48,7 @@ questions:
4848 selection:
4949 hostname|expand: '%hostname%'
5050 Image|expand: '%Image%'
51+ User|expand: '%User%'
5152 condition: selection
5253 fields:
5354 - User
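Review bot: the new `User|expand: '%User%'` selection line turns the user into a required match criterion alongside hostname and Image, so the question will no longer return anything when the `%User%` placeholder has no value to expand from; please state in the question's `context` (or in the playbook docs) whether the placeholder is expected to be present on every invocation, or make the selection tolerate an empty `%User%`. Listing `User` under `fields:` already matches the new selection, so the output side looks consistent.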
@@ -140,12 +141,13 @@ questions:
140141 - source.port
141142 - destination.ip
142143 - destination.port
143- - initiated
144+ - network. initiated
144145
145146 - question : What registry changes did this process make?
146147 context : |
147- On Windows systems, registry activity can reveal further intent. The query looks for registry changes made by both the process and its parent.
148- range : +30m
148+ On Windows systems, registry activity can reveal further intent.
149+ The query looks for registry changes made by both the process and its parent.
150+ range : +/-15m
149151 answer_sources :
150152 - registry_event
151153 query : |
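Review bot: `- network. initiated` on the added line carries a stray space after the dot; the neighbouring entries (`source.port`, `destination.ip`, `destination.port`) are plain dotted field names, so this should read `- network.initiated`, otherwise the field list references a name that will not resolve. Separately, changing `range : +30m` to `range : +/-15m` makes the registry query look 15 minutes before the process event as well as after it, which is a behaviour change the reworded `context` text does not mention; a sentence there explaining why the window now reaches back before the process would help future readers of the playbook.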