├── CVEs
│   ├── HiveNightmare - SeriousSAM (CVE-2021-36934)
│   ├── Log4j (CVE-2021-44228)
│   ├── PrintNightmare (CVE-2021-1675)
│   └── pwnkit (CVE-2021-4034)
├── General hunting
│   ├── ASEP for Java executables
│   ├── All versions of a given app
│   ├── BITS transfers
│   ├── CLI Programs running via Hidden Window
│   ├── Command line parsing (obfuscated cmds)
│   ├── CreateService events
│   ├── DNS low-volume requests
│   ├── DNS requests spawning from javaw.exe process
│   ├── File search
│   ├── Firewall disabled responsible process
│   ├── Firewall rules created with key value pairs
│   ├── FirewallChangeOption events
│   ├── FirewallChangeOption responsible process
│   ├── FirewallDeleteRule events
│   ├── FirewallDeleteRule events by host
│   ├── FirewallDeleteRule responsible processes
│   ├── FirewallSetRule events
│   ├── FirewallSetRule events by host
│   ├── FirewallSetRule responsible process
│   ├── JAR files executed from %AppData
│   ├── Java.exe process writing executable files
│   ├── Office files (new written events)
│   ├── Parsing the call stack
│   ├── Password age & reused local passwords
│   ├── Process responsible for Network connections
│   ├── RDP connections
│   ├── RDP login events
│   ├── Recon spawning underneath java
│   ├── Registry run keys (set remotely)
│   ├── Rogue DNS servers
│   ├── Scheduled tasks (hidden)
│   ├── System Resources
│   ├── User Logons (failed) in Windows
│   ├── User accounts (deleted)
│   ├── User accounts created with logon
│   ├── Windows dump files
│   ├── attachments sent from Outlook
│   ├── binaries running as a service that do not originate from “System32”
│   ├── command history
│   ├── common recon tools
│   ├── endpoints by # of DNS resolutions
│   ├── expected service running from an unexpected location
│   ├── links opened from Outlook in the last hour
│   ├── listening machines
│   ├── log on events
│   ├── macOS kernel extensions
│   ├── network connections from uncommon processes
│   ├── network connections made by a process by ComputerName
│   ├── network connections to well-known ports
│   ├── non-System32 binaries running as a hosted service
│   ├── outbound traffic on non-standard ports
│   ├── powershell (find processes which spawned)
│   ├── powershell downloads
│   ├── powershell encoded commands
│   ├── powershell executions by parent
│   ├── powershell executions by system
│   ├── process integrity levels in windows
│   ├── process responsible for starting a service
│   ├── processes executed from recycle bin
│   ├── processes executing from User Profile file paths
│   ├── processes executing from browser file paths
│   ├── processes infrequently executed
│   ├── renamed command line programs
│   ├── responsible process for the UserAccountCreated event
│   ├── scheduled tasks by logon type
│   ├── scheduled tasks by run level
│   ├── scheduled tasks by user id
│   ├── scheduled tasks registered by host
│   ├── scheduled tasks registered remotely by host
│   ├── scheduled tasks with ComHandler
│   ├── startup events
│   ├── user accounts added to administrator groups (local or domain)
│   ├── user logons
│   └── web servers or database processes running under a Local System account
├── cheat sheets
│   ├── Combine Falcon Process UUIDs
│   ├── Linux Kernel version
│   ├── Mac filevault status
│   ├── SCP or other events
│   ├── SSH connections on linux
│   ├── UTC localization
│   ├── combine context & target timestamps
│   ├── endpoint time
│   ├── epoch to human readable
│   ├── regex
│   ├── shorten string
│   ├── string swaps
│   └── time stamps
└── rtr scripts.xlsx

/CVEs/HiveNightmare - SeriousSAM (CVE-2021-36934):
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/CVEs/HiveNightmare - SeriousSAM (CVE-2021-36934)
--------------------------------------------------------------------------------

/CVEs/Log4j (CVE-2021-44228):
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/CVEs/Log4j (CVE-2021-44228)
--------------------------------------------------------------------------------

/CVEs/PrintNightmare (CVE-2021-1675):
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/CVEs/PrintNightmare (CVE-2021-1675)
--------------------------------------------------------------------------------

/CVEs/pwnkit (CVE-2021-4034):
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/CVEs/pwnkit (CVE-2021-4034)
--------------------------------------------------------------------------------

/General hunting/ASEP for Java executables:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/ASEP for Java executables
--------------------------------------------------------------------------------

/General hunting/All versions of a given app:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/All versions of a given app
--------------------------------------------------------------------------------

/General hunting/BITS transfers:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/BITS transfers
--------------------------------------------------------------------------------

/General hunting/CLI Programs running via Hidden Window:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/CLI Programs running via Hidden Window
--------------------------------------------------------------------------------

/General hunting/Command line parsing (obfuscated cmds):
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/Command line parsing (obfuscated cmds)
--------------------------------------------------------------------------------

/General hunting/CreateService events:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/CreateService events
--------------------------------------------------------------------------------

/General hunting/DNS low-volume requests:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/DNS low-volume requests
--------------------------------------------------------------------------------

/General hunting/DNS requests spawning from javaw.exe process:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/DNS requests spawning from javaw.exe process
--------------------------------------------------------------------------------

/General hunting/File search:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/File search
--------------------------------------------------------------------------------

/General hunting/Firewall disabled responsible process:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/Firewall disabled responsible process
--------------------------------------------------------------------------------

/General hunting/Firewall rules created with key value pairs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/Firewall rules created with key value pairs
--------------------------------------------------------------------------------

/General hunting/FirewallChangeOption events:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/FirewallChangeOption events
--------------------------------------------------------------------------------

/General hunting/FirewallChangeOption responsible process:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/FirewallChangeOption responsible process
--------------------------------------------------------------------------------

/General hunting/FirewallDeleteRule events:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/FirewallDeleteRule events
--------------------------------------------------------------------------------

/General hunting/FirewallDeleteRule events by host:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/FirewallDeleteRule events by host
--------------------------------------------------------------------------------

/General hunting/FirewallDeleteRule responsible processes:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/FirewallDeleteRule responsible processes
--------------------------------------------------------------------------------

/General hunting/FirewallSetRule events:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/FirewallSetRule events
--------------------------------------------------------------------------------

/General hunting/FirewallSetRule events by host:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/FirewallSetRule events by host
--------------------------------------------------------------------------------

/General hunting/FirewallSetRule responsible process:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/FirewallSetRule responsible process
--------------------------------------------------------------------------------

/General hunting/JAR files executed from %AppData:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/JAR files executed from %AppData
--------------------------------------------------------------------------------

/General hunting/Java.exe process writing executable files:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/Java.exe process writing executable files
--------------------------------------------------------------------------------

/General hunting/Office files (new written events):
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

/General hunting/Parsing the call stack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/Parsing the call stack
--------------------------------------------------------------------------------

/General hunting/Password age & reused local passwords:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/Password age & reused local passwords
--------------------------------------------------------------------------------

/General hunting/Process responsible for Network connections:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/Process responsible for Network connections
--------------------------------------------------------------------------------

/General hunting/RDP connections:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/RDP connections
--------------------------------------------------------------------------------

/General hunting/RDP login events:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/RDP login events
--------------------------------------------------------------------------------

/General hunting/Recon spawning underneath java:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/Recon spawning underneath java
--------------------------------------------------------------------------------

/General hunting/Registry run keys (set remotely):
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/Registry run keys (set remotely)
--------------------------------------------------------------------------------

/General hunting/Rogue DNS servers:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/Rogue DNS servers
--------------------------------------------------------------------------------

/General hunting/Scheduled tasks (hidden):
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/Scheduled tasks (hidden)
--------------------------------------------------------------------------------

/General hunting/System Resources:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/System Resources
--------------------------------------------------------------------------------

/General hunting/User Logons (failed) in Windows:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/User Logons (failed) in Windows
--------------------------------------------------------------------------------

/General hunting/User accounts (deleted):
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/User accounts (deleted)
--------------------------------------------------------------------------------

/General hunting/User accounts created with logon:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/User accounts created with logon
--------------------------------------------------------------------------------

/General hunting/Windows dump files:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/Windows dump files
--------------------------------------------------------------------------------

/General hunting/attachments sent from Outlook:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/attachments sent from Outlook
--------------------------------------------------------------------------------

/General hunting/binaries running as a service that do not originate from “System32”:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/binaries running as a service that do not originate from “System32”
--------------------------------------------------------------------------------

/General hunting/command history:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/command history
--------------------------------------------------------------------------------

/General hunting/common recon tools:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/common recon tools
--------------------------------------------------------------------------------

/General hunting/endpoints by # of DNS resolutions:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

/General hunting/expected service running from an unexpected location:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/expected service running from an unexpected location
--------------------------------------------------------------------------------

/General hunting/links opened from Outlook in the last hour:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/links opened from Outlook in the last hour
--------------------------------------------------------------------------------

/General hunting/listening machines:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/listening machines
--------------------------------------------------------------------------------

/General hunting/log on events:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/log on events
--------------------------------------------------------------------------------

/General hunting/macOS kernel extensions:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/macOS kernel extensions
--------------------------------------------------------------------------------

/General hunting/network connections from uncommon processes:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/network connections from uncommon processes
--------------------------------------------------------------------------------

/General hunting/network connections made by a process by ComputerName:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/network connections made by a process by ComputerName
--------------------------------------------------------------------------------

/General hunting/network connections to well-known ports:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/network connections to well-known ports
--------------------------------------------------------------------------------

/General hunting/non-System32 binaries running as a hosted service:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/non-System32 binaries running as a hosted service
--------------------------------------------------------------------------------

/General hunting/outbound traffic on non-standard ports:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/outbound traffic on non-standard ports
--------------------------------------------------------------------------------

/General hunting/powershell (find processes which spawned):
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/powershell (find processes which spawned)
--------------------------------------------------------------------------------

/General hunting/powershell downloads:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/powershell downloads
--------------------------------------------------------------------------------

/General hunting/powershell encoded commands:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/powershell encoded commands
--------------------------------------------------------------------------------

/General hunting/powershell executions by parent:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/powershell executions by parent
--------------------------------------------------------------------------------

/General hunting/powershell executions by system:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/powershell executions by system
--------------------------------------------------------------------------------

/General hunting/process integrity levels in windows:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/process integrity levels in windows
--------------------------------------------------------------------------------

/General hunting/process responsible for starting a service:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/process responsible for starting a service
--------------------------------------------------------------------------------

/General hunting/processes executed from recycle bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/processes executed from recycle bin
--------------------------------------------------------------------------------

/General hunting/processes executing from User Profile file paths:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/processes executing from User Profile file paths
--------------------------------------------------------------------------------

/General hunting/processes executing from browser file paths:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/processes executing from browser file paths
--------------------------------------------------------------------------------

/General hunting/processes infrequently executed:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/processes infrequently executed
--------------------------------------------------------------------------------

/General hunting/renamed command line programs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/renamed command line programs
--------------------------------------------------------------------------------

/General hunting/responsible process for the UserAccountCreated event:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/responsible process for the UserAccountCreated event
--------------------------------------------------------------------------------

/General hunting/scheduled tasks by logon type:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/scheduled tasks by logon type
--------------------------------------------------------------------------------

/General hunting/scheduled tasks by run level:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/scheduled tasks by run level
--------------------------------------------------------------------------------

/General hunting/scheduled tasks by user id:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/scheduled tasks by user id
--------------------------------------------------------------------------------

/General hunting/scheduled tasks registered by host:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/scheduled tasks registered by host
--------------------------------------------------------------------------------

/General hunting/scheduled tasks registered remotely by host:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/scheduled tasks registered remotely by host
--------------------------------------------------------------------------------

/General hunting/scheduled tasks with ComHandler:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/scheduled tasks with ComHandler
--------------------------------------------------------------------------------

/General hunting/startup events:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/startup events
--------------------------------------------------------------------------------

/General hunting/user accounts added to administrator groups (local or domain):
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/user accounts added to administrator groups (local or domain)
--------------------------------------------------------------------------------

/General hunting/user logons:
--------------------------------------------------------------------------------
rdsh1-vm1
--------------------------------------------------------------------------------

/General hunting/web servers or database processes running under a Local System account:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/General hunting/web servers or database processes running under a Local System account
--------------------------------------------------------------------------------

/cheat sheets/Combine Falcon Process UUIDs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/cheat sheets/Combine Falcon Process UUIDs
--------------------------------------------------------------------------------

/cheat sheets/Linux Kernel version:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/cheat sheets/Linux Kernel version
--------------------------------------------------------------------------------

/cheat sheets/Mac filevault status:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/cheat sheets/Mac filevault status
--------------------------------------------------------------------------------

/cheat sheets/SCP or other events:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/cheat sheets/SCP or other events
--------------------------------------------------------------------------------

/cheat sheets/SSH connections on linux:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/cheat sheets/SSH connections on linux
--------------------------------------------------------------------------------

/cheat sheets/UTC localization:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/cheat sheets/UTC localization
--------------------------------------------------------------------------------

/cheat sheets/combine context & target timestamps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/cheat sheets/combine context & target timestamps
--------------------------------------------------------------------------------

/cheat sheets/endpoint time:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/cheat sheets/endpoint time
--------------------------------------------------------------------------------

/cheat sheets/epoch to human readable:
--------------------------------------------------------------------------------
| convert ctime(ProcessStartTime_decimal)
--------------------------------------------------------------------------------

/cheat sheets/regex:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/cheat sheets/regex
--------------------------------------------------------------------------------

/cheat sheets/shorten string:
--------------------------------------------------------------------------------
| eval shortCmd=substr(CommandLine,1,250)
--------------------------------------------------------------------------------

/cheat sheets/string swaps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/cheat sheets/string swaps
--------------------------------------------------------------------------------

/cheat sheets/time stamps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/cheat sheets/time stamps
--------------------------------------------------------------------------------

/rtr scripts.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NorthfieldCreative/splunk-crowdstrike-event-queries/HEAD/rtr scripts.xlsx
--------------------------------------------------------------------------------