-
-
Notifications
You must be signed in to change notification settings - Fork 7
\Log_Searchs\Search.txt (SWELF SEARCH FILE)
-
~ is "Tilde Char".
-
App only needs {Search Commands in v 0.1.0.9}/{Search Term} to run. But the more details you provide the better the search.
-
{Term or statement to search for}{Search Commands in v 0.1.1.0} "Tilde Char" {EventLogName} "Tilde Char" {EventID}
All commands in format required Below:
Search Command | Example | Notes |
---|---|---|
count: | count:{string to find}:{Min num of occurances} | |
logging_level: | log_level: {Log Severity Level} ~ EventLog Name ~ | |
eventdata_length: | eventdata_length:{Min num of occurances} | |
regex: | regex:{Create your own Regular Expression} | |
not_in_log: | ||
commandline_count: | commandline_count:{Key Phrase/Word}:{Min num of occurances} | Sysmon and Security Log Only |
commandline_contains: | commandline_contains:{Key Phrase/Word}:{Min num of occurances} | Sysmon and Security Log Only |
commandline_length: | commandline_length:{Min num of occurances} | Sysmon and Security Log Only |
network_connect: | Sysmon Only | |
search_multiple: | search_multiple: thing1 ` thing2 ~ EventLogName(Not required) ~ EventID(Not required) |
example: eventdata_length:200
example: regex:\b\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\b
example: count:;:8
example: eventdata_length:9000
example commandline_length:500
(Only works for Sysmon and Windows Powershell Logs)
example commandline_contains:<script>
example not_in_log:svchost.exe -k ~ Microsoft-Windows-Sysmon/Operational ~
example search_multiple: powershell ` cmd ~ Microsoft-Windows-Sysmon/Operational~
(the ` char will separate each term to search for. Up to 19 things to find a long that they all exists together in)
example network_connect:443:powershell
(Only works for Sysmon and Windows Powershell Logs)
- Home
- How it Works
- Knowledge Base
- Configuration
- Searchs
- Plugins
- Usage
- Extras
- SWELF Logging
- SWELF Development