Skip to content

\Log_Searchs\Search.txt (SWELF SEARCH FILE)

Jump to bottom
Ceramicskate0 edited this page Jul 27, 2018 · 34 revisions

Searching:

Example Config

Command Change Summary:

Search commands can be combined in v. 0.1.1.0 to apply to a single log source and/or eventid.

Notes:

~ is "Tilde Char". App only needs {Search Commands in v 0.1.0.9}/{Search Term} to run. But the more details you provide the better the search.

General Searching:

Any combination of the following as long as they are in order. All commands in format required Below:

{Term or statement to search for}{Search Commands in v 0.1.1.0} "Tilde Char" {EventLogName} "Tilde Char" {EventID}

example: powershell.exe "Tilde Char" microsoft-windows-sysmon/operational "Tilde Char" 1 (This will be used to search microsoft-windows-sysmon/operational logs for cmd.exe with event id 1)

example: "Tilde Char" microsoft-windows-sysmon/operational~1 (Return all event id 1 in sysmon log)

example: cmd.exe"Tilde Char"microsoft-windows-sysmon/operational (This will be used to search microsoft-windows-sysmon/operational logs for cmd.exe)

example: cmd.exe "Tilde Char" microsoft-windows-powershell/operational (This will be used to search microsoft-windows-sysmon/operational logs)

example: has been restricted by your Administrator by location with policy rule (This will be used to search ALL logs)

example: csc.exe (This will be used to search ALL logs)

example: log file was cleared (This will be used to search ALL logs)

Search Config Syntax:

{Search Commands in v 0.1.0.9}/{Search Term} "Tilde char" {EventLogName} "Tilde char" {EventID}

Search Commands:

All commands in format required Below:

eventdata_length':'{Minimum chars in eventlog event data section (does this by counting chars in the entire EventData Part of any eventlog)}

List Of Search Commands:

  1. count:{string to find}:{Min num of occurances}

  2. eventdata_length:{Min num of occurances}

  3. commandline_length:{Min num of occurances}

  4. commandline_contains:{string to find}:{Min num of occurances}

  5. commandline_count:{Min num of occurances}

  6. regex:{Create your own Regular Expression}

  7. not_in_log: It will search the eventlog in search command (must have event log name).

  • It will search to see if it does not contain information.
  1. log_level: {Log Severity Level} ~ EventLog Name ~
  • Will extract logs by the severity assigned to it in windows eventlog. (Warning,Critical,Information,etc...)(must have event log name)
  • (v 0.3.0.0 and later)

Commands Info:

count':'{Term or statement to count}':'{Number of times in log before its a counted event}

commandline_length':'{Number of chars in either target or parent commandline argument (it will evaluate the largest one)(Only works for Sysmon Logs)}

  • (Available in Version 0.1.0.6 and later)

commandline_contains':'{The string in only the command line that you want to forward (Only works for Sysmon Logs)}

  • (Available in Version 0.1.0.6 and later)

regex':'{Regex string}

  • (Available in Version 0.1.0.9 and later)

Examples:

example: eventdata_length:200

example: regex:\b\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\b

example: count:;:8

example: eventdata_length:9000

example commandline_length:500

(Only works for Sysmon and Windows Powershell Logs)

example commandline_contains:<script>

example not_in_log:svchost.exe -k ~ Microsoft-Windows-Sysmon/Operational ~

(Only works for Sysmon and Windows Powershell Logs)

Clone this wiki locally