Update windows_process_with_netexec_command_line_parameters.yml

Adding drilldowns

Author: nterl0k

detections/endpoint/windows_process_with_netexec_command_line_parameters.yml

@@ -21,6 +21,19 @@ references:
 - https://www.netexec.wiki/
 - https://www.johnvictorwolfe.com/2024/07/21/the-successor-to-crackmapexec/
 - https://attack.mitre.org/software/S0488/
+drilldown_searches:
+- name: View the detection results for - "$dest$" and "$user$"
+  search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate processes on $dest$ 
+  search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_name = $process_name$'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story: 
   - Active Directory Kerberos Attacks