Commit e12134b
vx3r, Meroujan.Antonyan and ianhelle authored
Edit process_cmd_line function template to accept list as parameter (#835)
* Cyberint risk key none value
* Update process_cmd_line template
* indentation

---------

Co-authored-by: Meroujan.Antonyan <meroujan.antonyan.external@axa.com>
Co-authored-by: Ian Hellen <ianhelle@microsoft.com>
1 parent 14111ff commit e12134b

3 files changed, +9 -9 lines changed

docs/source/data_acquisition/DataQueries.rst

Lines changed: 2 additions & 2 deletions
@@ -84,7 +84,7 @@ M365D list_host_processes Return all process creatio
8484
M365D mail_message_alerts Lists alerts associated with a specified mail message end (datetime), message_id (str), start (datetime) AlertInfo
8585
M365D mailbox_alerts Lists alerts associated with a specified mailbox end (datetime), mailbox (str), start (datetime) AlertInfo
8686
M365D process_alerts Lists alerts associated with a specified process end (datetime), file_name (str), start (datetime) AlertInfo
87-
M365D process_cmd_line Lists all processes with a command line containing a string (all hosts) cmd_line (str), end (datetime), start (datetime) DeviceProcessEvents
87+
M365D process_cmd_line Lists all processes with a command line containing a list of strings (all hosts) cmd_line (list), end (datetime), start (datetime) DeviceProcessEvents
8888
M365D process_creations Return all processes with matching name or hash (all hosts) end (datetime), process_identifier (str), start (datetime) DeviceProcessEvents
8989
M365D process_paths Return all processes with a matching path (part path) (all hosts) end (datetime), file_path (str), start (datetime) DeviceProcessEvents
9090
M365D protocol_connections Returns connections associated with a specified protocol (port number) end (datetime), protocol (str), start (datetime) DeviceNetworkEvents
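Review bot: the new row text "containing a list of strings" understates the change in match semantics that accompanies it: the query body in this commit moves from `contains "{cmd_line}"` (substring match) to `has_any ({cmd_line})`, which matches whole indexed terms only. Suggest wording the row as "containing any of the given terms (whole-term match)" so readers of the docs table do not assume partial-string matching still works.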
@@ -232,7 +232,7 @@ M365D list_host_processes Return all process creations for
232232
M365D mail_message_alerts Lists alerts associated with a specified mail message end (datetime), message_id (str), start (datetime) AlertInfo
233233
M365D mailbox_alerts Lists alerts associated with a specified mailbox end (datetime), mailbox (str), start (datetime) AlertInfo
234234
M365D process_alerts Lists alerts associated with a specified process end (datetime), file_name (str), start (datetime) AlertInfo
235-
M365D process_cmd_line Lists all processes with a command line containing a string (all hosts) cmd_line (str), end (datetime), start (datetime) DeviceProcessEvents
235+
M365D process_cmd_line Lists all processes with a command line containing a list of strings (all hosts) cmd_line (list), end (datetime), start (datetime) DeviceProcessEvents
236236
M365D process_creations Return all processes with matching name or hash (all hosts) end (datetime), process_identifier (str), start (datetime) DeviceProcessEvents
237237
M365D process_paths Return all processes with a matching path (part path) (all hosts) end (datetime), file_path (str), start (datetime) DeviceProcessEvents
238238
M365D protocol_connections Returns connections associated with a specified protocol (port number) end (datetime), protocol (str), start (datetime) DeviceNetworkEvents

msticpy/data/queries/m365d/kql_m365_process.yaml

Lines changed: 4 additions & 4 deletions
@@ -71,16 +71,16 @@ sources:
7171
description: full or partial path
7272
type: str
7373
process_cmd_line:
74-
description: Lists all processes with a command line containing a string (all hosts)
74+
description: Lists all processes with a command line containing a list of strings (all hosts)
7575
metadata:
7676
args:
7777
query: '
7878
{table}
7979
| where {time_column} >= datetime({start})
8080
| where {time_column} <= datetime({end})
81-
| where ProcessCommandLine contains "{cmd_line}"
81+
| where ProcessCommandLine has_any ({cmd_line})
8282
{add_query_items}'
8383
parameters:
8484
cmd_line:
85-
description: Command line artifact to search for
86-
type: str
85+
description: Command line artifacts to search for
86+
type: list
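Review bot: replacing `| where ProcessCommandLine contains "{cmd_line}"` with `| where ProcessCommandLine has_any ({cmd_line})` changes match semantics as well as arity: `contains` matches any substring, whereas `has_any` matches on term boundaries, so a fragment taken from the middle of a token that matched before will no longer match. Combined with `type: str` becoming `type: list`, this is a breaking change for existing callers that pass a single string to `process_cmd_line`; please call it out in the changelog and consider noting the whole-term behaviour in the parameter description ("Command line artifacts to search for").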

msticpy/data/queries/mde/kql_mdatp_process.yaml

Lines changed: 3 additions & 3 deletions
@@ -87,7 +87,7 @@ sources:
8787
description: full or partial path
8888
type: str
8989
process_cmd_line:
90-
description: Lists all processes with a command line containing a string (all hosts)
90+
description: Lists all processes with a command line containing a list of strings (all hosts)
9191
metadata:
9292
pivot:
9393
short_name: processes_by_cmdline
@@ -96,9 +96,9 @@ sources:
9696
{table}
9797
| where Timestamp >= datetime({start})
9898
| where Timestamp <= datetime({end})
99-
| where ProcessCommandLine contains "{cmd_line}"
99+
| where ProcessCommandLine has_any ({cmd_line})
100100
{add_query_items}'
101101
parameters:
102102
cmd_line:
103-
description: Command line artifact to search for
103+
description: Command line artifacts to search for
104104
type: str
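Review bot: the parameter block in this hunk is left inconsistent: the query now reads `| where ProcessCommandLine has_any ({cmd_line})` and the description at line 103 becomes "Command line artifacts to search for", but the unchanged context line `type: str` at line 104 keeps the parameter a string, whereas the equivalent hunk in msticpy/data/queries/m365d/kql_m365_process.yaml changes it to `type: list`. With the parameter still typed as a string, the list formatting that the M365D template relies on will not be applied here and the user has to hand-craft a quoted, comma-separated value to get a valid `has_any (...)` clause; change line 104 to `type: list` so both templates behave the same.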
