lamehug

Author: t-contreras

detections/endpoint/windows_ai_platform_dns_query.yml

@@ -9,7 +9,8 @@ description: The following analytic detects DNS queries initiated by the Windows
 data_source:
 - Sysmon EventID 22
 search: '`sysmon` EventCode=22 process_name="python.exe" QueryName= "router.huggingface.co"
-  | stats count min(_time) as firstTime max(_time) as lastTime 
+  | rename dvc as dest
+  | stats count min(_time) as firstTime max(_time) as lastTime
   by answer answer_count dest process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id
   vendor_product QueryName QueryResults QueryStatus 
   | `security_content_ctime(firstTime)`