
\Log_Searchs\Search.txt (SWELF SEARCH FILE)

Ceramicskate0 edited this page Aug 7, 2018 · 34 revisions

Searching:

Example Config

Command Change Summary:

Search commands can be combined in v. 0.1.1.0 to apply to a single log source and/or eventid.

Notes:

~ is the "Tilde Char". The app only needs {Search Commands in v 0.1.0.9}/{Search Term} to run, but the more details you provide the better the search.

General Searching:

Any combination of the following, as long as they are in order. All commands must use the format shown below:

{Term or statement to search for}{Search Commands in v 0.1.1.0} "Tilde Char" {EventLogName} "Tilde Char" {EventID}

example: powershell.exe "Tilde Char" microsoft-windows-sysmon/operational "Tilde Char" 1 (This will be used to search microsoft-windows-sysmon/operational logs for powershell.exe with event id 1)

example: "Tilde Char" microsoft-windows-sysmon/operational~1 (Return all event id 1 in sysmon log)

example: cmd.exe"Tilde Char"microsoft-windows-sysmon/operational (This will be used to search microsoft-windows-sysmon/operational logs for cmd.exe)

example: cmd.exe "Tilde Char" microsoft-windows-powershell/operational (This will be used to search microsoft-windows-powershell/operational logs for cmd.exe)

example: has been restricted by your Administrator by location with policy rule (This will be used to search ALL logs)

example: csc.exe (This will be used to search ALL logs)

example: log file was cleared (This will be used to search ALL logs)

Search Config Syntax:

{Search Commands in v 0.1.0.9}/{Search Term} "Tilde char" {EventLogName} "Tilde char" {EventID}

Search Commands:

All commands in format required Below:

eventdata_length:{Minimum chars in the eventlog event data section (it does this by counting the chars in the entire EventData part of any eventlog event)}

List Of Search Commands:

  1. count:{string to find}:{Min num of occurrences}

  2. eventdata_length:{Min num of chars in the EventData section}

  3. commandline_length:{Min num of chars in the command line}

    • (it will evaluate the largest one)

    • (Only works for Sysmon Logs)

    • (Available in Version 0.1.0.6 and later)

  4. commandline_contains:{string to find}:{Min num of occurrences}

    • (Available in Version 0.1.0.6 and later)

    • (Only works for Sysmon Logs)

  5. commandline_count:{Min num of occurrences}

  6. regex:{Create your own Regular Expression}

    • (Available in Version 0.1.0.9 and later)

  7. not_in_log:{string that must not appear} ~ EventLog Name ~

    • Searches the event log named in the search command (the event log name is required) and returns the events that do not contain the string.

  8. log_level:{Log Severity Level} ~ EventLog Name ~

    • Extracts events by the severity Windows assigned to them in the eventlog (Warning, Critical, Information, etc.) (must have event log name)

    • (v 0.3.0.0 and later)

  9. search_multiple:thing1 ` thing2 ~ EventLog Name (not required) ~ EventID (not required)

    • Maxes at 19. Allows you to search each EventLog for up to 19 things.

  10. network_connect:{Port}:{Program Name}

    • Will only work on Sysmon Logs. Allows you to search on app name and/or port to track and forward only network callouts.

example: eventdata_length:200

example: regex:\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b (the dots are escaped so they only match literal dots, i.e. a dotted-quad IPv4-style address)

example: count:;:8

example: eventdata_length:9000

example: commandline_length:500

(Only works for Sysmon and Windows Powershell Logs)

example: commandline_contains:<script>

example: not_in_log:svchost.exe -k ~ Microsoft-Windows-Sysmon/Operational ~

example: search_multiple: powershell ` cmd ~ sysmon ~

(the ` char separates each term to search for. Up to 19 terms can be given, and an event matches only if they all exist together in it)

example: network_connect:443:powershell

(Only works for Sysmon and Windows Powershell Logs)
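As an added illustration that is not part of this wiki or of SWELF's own code, the Python below parses lines written in the Search.txt syntax described above (both the plain {term} ~ {EventLogName} ~ {EventID} form from "General Searching" and the search commands from "List Of Search Commands") and evaluates them against a few constructed events. The Event shape, the sample events and the exact matching rules are assumptions of this demo, not documented SWELF behaviour: plain terms match as case-insensitive substrings of the EventData text, a plain term containing ':' (such as C:\Tools) is not mistaken for a command, an omitted count defaults to one occurrence, and not_in_log / log_level are rejected when no event log name is given. commandline_count is left out because the page does not say what it counts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:                         # constructed event shape for this demo, not SWELF's record type
    log: str                         # EventLogName, e.g. microsoft-windows-sysmon/operational
    event_id: int
    event_data: str                  # the whole EventData section rendered as text
    command_line: str = ""           # Sysmon CommandLine field, when present
    image: str = ""                  # Sysmon Image field, when present
    dest_port: Optional[int] = None  # Sysmon DestinationPort (event id 3), when present
    level: str = ""                  # severity Windows assigned: Information, Warning, ...


COMMANDS = {"count", "eventdata_length", "commandline_length", "commandline_contains",
            "regex", "not_in_log", "log_level", "search_multiple", "network_connect"}


def parse_line(line: str):
    """Split one Search.txt line on '~' into (command-or-term, log name, event id)."""
    parts = [p.strip() for p in line.split("~")] + ["", ""]
    spec, log, eid = parts[0], parts[1].lower(), parts[2]
    return spec, (log or None), (int(eid) if eid else None)


def split_command(spec: str):
    """Return (command, argument); a plain term, even one containing ':', gives (None, spec)."""
    head, sep, rest = spec.partition(":")
    cmd = head.strip().lower()
    if sep and cmd in COMMANDS:
        return cmd, rest.strip()
    return None, spec


def needle_and_min(arg: str):
    """'{string}:{min}' -> (string, min); with no trailing count, one occurrence is enough."""
    needle, sep, n = arg.rpartition(":")
    if sep and n.strip().isdigit():
        return needle, int(n)
    return arg, 1


def matches(spec: str, ev: Event) -> bool:
    """Evaluate one term or search command against a single event."""
    cmd, arg = split_command(spec)
    data = ev.event_data
    if cmd is None:                                  # plain term: case-insensitive substring;
        return arg.lower() in data.lower()           # an empty term matches every event
    if cmd == "count":
        needle, n = needle_and_min(arg)
        return data.count(needle) >= n
    if cmd == "eventdata_length":                    # minimum chars in the EventData section
        return len(data) >= int(arg)
    if cmd == "commandline_length":                  # Sysmon only: minimum CommandLine length
        return bool(ev.command_line) and len(ev.command_line) >= int(arg)
    if cmd == "commandline_contains":                # Sysmon only: substring of CommandLine
        needle, n = needle_and_min(arg)
        return ev.command_line.lower().count(needle.lower()) >= n
    if cmd == "regex":
        return re.search(arg, data) is not None
    if cmd == "not_in_log":                          # keep events that LACK the string
        return arg.lower() not in data.lower()
    if cmd == "log_level":
        return ev.level.lower() == arg.lower()
    if cmd == "search_multiple":                     # every term must appear in the same event
        terms = [t.strip().lower() for t in arg.split("`") if t.strip()][:19]  # max 19 terms
        return all(t in data.lower() for t in terms)
    if cmd == "network_connect":                     # Sysmon only: port and/or program name
        port, _, program = arg.partition(":")
        port_ok = ev.dest_port is not None and (not port.strip() or ev.dest_port == int(port))
        prog_ok = not program.strip() or program.strip().lower() in ev.image.lower()
        return port_ok and prog_ok
    return False


def run_search(line: str, events: List[Event]) -> List[Event]:
    """Apply one Search.txt line to a list of events and return the matching ones."""
    spec, log, eid = parse_line(line)
    cmd, _ = split_command(spec)
    if cmd in ("not_in_log", "log_level") and log is None:
        raise ValueError(f"{cmd} requires an EventLogName after the first '~'")
    return [ev for ev in events
            if (log is None or ev.log.lower() == log)
            and (eid is None or ev.event_id == eid)
            and matches(spec, ev)]


PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample events, not real log exports
    Event("microsoft-windows-sysmon/operational", 1,
          "Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c whoami",
          command_line="cmd.exe /c whoami", image="cmd.exe"),
    Event("microsoft-windows-sysmon/operational", 1,
          f"Image: {PS_PATH} CommandLine: powershell.exe -enc " + "A" * 600,
          command_line="powershell.exe -enc " + "A" * 600, image="powershell.exe"),
    Event("microsoft-windows-sysmon/operational", 3,
          f"Image: {PS_PATH} DestinationIp: 203.0.113.5 DestinationPort: 443",
          image="powershell.exe", dest_port=443),
    Event("system", 104, "The System log file was cleared.", level="Information"),
    Event("security", 4688, "New Process Name: C:\\Tools\\csc.exe", level="Information"),
]

if __name__ == "__main__":
    for line in ("cmd.exe ~ microsoft-windows-sysmon/operational ~ 1",
                 "eventdata_length:200", "network_connect:443:powershell"):
        print(f"{line!r}: {len(run_search(line, SAMPLE_EVENTS))} hit(s)")
```

Running the module prints the hit count for three of the page's example lines; run_search can be called with any line from a Search.txt file and your own list of events.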
