Jose Rodriguez

Results 21 comments of Jose Rodriguez

![image](https://user-images.githubusercontent.com/33077805/80870469-9ad58180-8c74-11ea-9b7e-1637be952924.png)

I think the record for event 11 that you are looking for is in capital letters LOL. I got one result when using SCR. In those cases you can use...

Hey @ashwin-patil , I hope you are doing well. Can you provide more details or maybe an example for this issue? Thank you 👍

Interesting event 4104 of PowerShell/Operational has a field **ExecutionProcessID** that can be related to ProcessId of event 1 of Sysmon

```
ps4104 = spark.sql( ''' SELECT `@timestamp`,EventID,ScriptBlockText FROM apt29Table WHERE...
```

Hey @H1L021 , I agree on that, using event 4611 with user context makes more sense when attributing the registration of the trusted logon process. I think we can add...

You are welcome @jcwilliamsATmitre, we are currently mapping security events within the [OSSEM-DM](https://github.com/OTRF/OSSEM-DM/tree/main/use-cases/mitre_attack) repository. Thank you for your feedback, here are some comments:

* **Driver**: We considered this relationship within the...

Hey @b1t-hunter , I hope you are doing well 😃 We are happy to hear you are using the project in your environment. Also, thank you for taking the time...

Some notes to consider:

- If we add the channel field, we would also need to change/review the log_source names used for Sysmon and PowerShell events in DD and DM.

Hey @b1t-hunter , hope you are doing well 😃 We have decided to add the `channel` field to our YAML schema. I have updated the README file of the repo...