Remove _time span #3151

Open. Wants to merge 12 commits into base: develop.
10 changes: 5 additions & 5 deletions detections/endpoint/active_setup_registry_autostart.yml
@@ -1,8 +1,8 @@
name: Active Setup Registry Autostart
id: f64579c0-203f-11ec-abcc-acde48001122
version: 5
date: '2024-05-27'
author: Steven Dick, Teoderick Contreras, Splunk
version: 6
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
description: The following analytic detects suspicious modifications to the Active
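Review bot: the author reorder in this hunk moves "Splunk" from the end of the list into the middle, so the field now reads "Teoderick Contreras, Splunk, Steven Dick" instead of listing the individual authors followed by the organisation as the removed line did; if the intent is only to put the primary author first, "Teoderick Contreras, Steven Dick, Splunk" keeps the existing convention. The same edit appears in every file header hunk in this PR.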
@@ -16,9 +16,9 @@ description: The following analytic detects suspicious modifications to the Acti
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_value_name= "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active
Setup\\Installed Components*") BY _time span=1h Registry.registry_path Registry.registry_key_name
Setup\\Installed Components*") BY Registry.registry_path Registry.registry_key_name
Registry.registry_value_name Registry.registry_value_data Registry.process_guid
Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`'
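Review bot: dropping `_time span=1h` from the BY clause changes the aggregation from one row per hourly bucket to one row per distinct combination of the remaining BY fields over the whole search window, so `count` values and the number of rows per run will differ from the previous version; the detection's test expectations should be re-checked against the new output. The added `min(_time) as firstTime max(_time) as lastTime` also fixes a latent defect visible in the unchanged tail of the search, which already called `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` on fields the old tstats never produced. Because `Registry.process_guid` stays in BY, each row is still effectively scoped to a single process. The same points apply to every search hunk in this PR.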
@@ -1,8 +1,8 @@
name: Add DefaultUser And Password In Registry
id: d4a3eb62-0f1e-11ec-a971-acde48001122
version: 5
date: '2024-05-28'
author: Steven Dick, Teoderick Contreras, Splunk
version: 6
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
description: The following analytic detects suspicious registry modifications that
@@ -17,10 +17,10 @@ description: The following analytic detects suspicious registry modifications th
data_source:
- Sysmon EventID 13
- Sysmon EventID 14
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*"
AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name=
DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name
DefaultUserName) BY Registry.registry_path Registry.registry_key_name
Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `add_defaultuser_and_password_in_registry_filter`'
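Review bot: the WHERE clause in this hunk relies on operator precedence that does not match the stated intent: `Registry.registry_path= "...Winlogon*" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName` evaluates as `(path AND DefaultPassword) OR DefaultUserName`, because AND binds tighter than OR in SPL, so a `DefaultUserName` write under any key matches regardless of the path. Wrapping the OR in its own parentheses, `Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND (Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName)`, constrains both value names to the Winlogon key. Since the search line is being rewritten anyway, this is the place to fix it.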
@@ -1,8 +1,8 @@
name: Allow Inbound Traffic By Firewall Rule Registry
id: 0a46537c-be02-11eb-92ca-acde48001122
version: 6
date: '2024-05-22'
author: Steven Dick, Teoderick Contreras, Splunk
version: 7
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
description: The following analytic detects suspicious modifications to firewall rule
@@ -16,10 +16,10 @@ description: The following analytic detects suspicious modifications to firewall
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*"
Registry.registry_value_data = "*|Action=Allow|*" Registry.registry_value_data =
"*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") BY _time span=1h Registry.registry_path
"*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") BY Registry.registry_path
Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data
Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`'
10 changes: 5 additions & 5 deletions detections/endpoint/allow_operation_with_consent_admin.yml
@@ -1,8 +1,8 @@
name: Allow Operation with Consent Admin
id: 7de17d7a-c9d8-11eb-a812-acde48001122
version: 5
date: '2024-05-20'
author: Steven Dick, Teoderick Contreras, Splunk
version: 6
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
description: The following analytic detects a registry modification that allows the
@@ -17,10 +17,10 @@ description: The following analytic detects a registry modification that allows
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*"
Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data
= "0x00000000") BY _time span=1h Registry.registry_path Registry.registry_key_name
= "0x00000000") BY Registry.registry_path Registry.registry_key_name
Registry.registry_value_name Registry.registry_value_data Registry.process_guid
Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`'
10 changes: 5 additions & 5 deletions detections/endpoint/auto_admin_logon_registry_entry.yml
@@ -1,8 +1,8 @@
name: Auto Admin Logon Registry Entry
id: 1379d2b8-0f18-11ec-8ca3-acde48001122
version: 5
date: '2024-05-10'
author: Steven Dick, Teoderick Contreras, Splunk
version: 6
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
description: The following analytic detects a suspicious registry modification that
@@ -17,10 +17,10 @@ description: The following analytic detects a suspicious registry modification t
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*"
AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1)
BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name
BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name
Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `auto_admin_logon_registry_entry_filter`'
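Review bot: this hunk leaves `Registry.registry_value_data=1` in the WHERE clause while the sibling detections in this PR compare the same field against `"0x00000001"` (Disable Registry Tool) or `0x00000001` (Disable Defender AntiVirus Registry); confirm which form the Endpoint.Registry data model presents for a DWORD write, because a format mismatch here makes the search return nothing rather than erroring, and align the comparison with the other files while the line is being touched.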
10 changes: 5 additions & 5 deletions detections/endpoint/disable_amsi_through_registry.yml
@@ -1,8 +1,8 @@
name: Disable AMSI Through Registry
id: 9c27ec42-d338-11eb-9044-acde48001122
version: 5
date: '2024-05-29'
author: Steven Dick, Teoderick Contreras, Splunk
version: 6
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
description: The following analytic detects modifications to the Windows registry
@@ -17,9 +17,9 @@ description: The following analytic detects modifications to the Windows registr
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable"
Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.registry_path
Registry.registry_value_data = "0x00000000") BY Registry.registry_path
Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data
Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
10 changes: 5 additions & 5 deletions detections/endpoint/disable_defender_antivirus_registry.yml
@@ -1,8 +1,8 @@
name: Disable Defender AntiVirus Registry
id: aa4f695a-3024-11ec-9987-acde48001122
version: 5
date: '2024-05-28'
author: Steven Dick, Teoderick Contreras, Splunk
version: 6
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
description: The following analytic detects the modification of Windows Defender registry
@@ -17,10 +17,10 @@ description: The following analytic detects the modification of Windows Defender
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name
IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001)
BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name
BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name
Registry.registry_value_data Registry.process_guid Registry.user Registry.dest |
`drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`'
@@ -1,8 +1,8 @@
name: Disable Defender BlockAtFirstSeen Feature
id: 2dd719ac-3021-11ec-97b4-acde48001122
version: 5
date: '2024-05-22'
author: Steven Dick, Teoderick Contreras, Splunk
version: 6
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
data_source:
@@ -16,9 +16,9 @@ description: The following analytic detects the modification of the Windows regi
files to bypass initial detection by Windows Defender, increasing the risk of malware
infection. If confirmed malicious, this action could enable attackers to execute
malicious code undetected, leading to potential system compromise and data breaches.
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name
= DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h
= DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY
Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data
Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
@@ -1,8 +1,8 @@
name: Disable Defender Enhanced Notification
id: dc65678c-301f-11ec-8e30-acde48001122
version: 4
date: '2024-05-24'
author: Steven Dick, Teoderick Contreras, Splunk
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
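Review bot: this header hunk updates `date` and `author` but, unlike every other file in the PR, leaves `version: 4` unchanged; bump it to 5 so the metadata change is versioned like the rest.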
status: production
type: TTP
description: The following analytic detects the modification of the registry to disable
10 changes: 5 additions & 5 deletions detections/endpoint/disable_defender_mpengine_registry.yml
@@ -1,8 +1,8 @@
name: Disable Defender MpEngine Registry
id: cc391750-3024-11ec-955a-acde48001122
version: 5
date: '2024-05-21'
author: Steven Dick, Teoderick Contreras, Splunk
version: 7
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
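Review bot: `version` jumps from 5 to 7 in this hunk while every other file in the PR is bumped by one; unless a version 6 exists elsewhere, this should be 6.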
description: The following analytic detects the modification of the Windows Defender
@@ -16,10 +16,10 @@ description: The following analytic detects the modification of the Windows Defe
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*"
Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000)
BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name
BY Registry.registry_path Registry.registry_key_name Registry.registry_value_name
Registry.registry_value_data Registry.process_guid Registry.user Registry.dest |
`drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`'
10 changes: 5 additions & 5 deletions detections/endpoint/disable_defender_spynet_reporting.yml
@@ -1,8 +1,8 @@
name: Disable Defender Spynet Reporting
id: 898debf4-3021-11ec-ba7c-acde48001122
version: 5
date: '2024-05-07'
author: Steven Dick, Teoderick Contreras, Splunk
version: 6
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
description: The following analytic detects the modification of the registry to disable
@@ -16,9 +16,9 @@ description: The following analytic detects the modification of the registry to
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name
= SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path
= SpynetReporting Registry.registry_value_data = 0x00000000) BY Registry.registry_path
Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data
Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
@@ -1,8 +1,8 @@
name: Disable Defender Submit Samples Consent Feature
id: 73922ff8-3022-11ec-bf5e-acde48001122
version: 5
date: '2024-05-14'
author: Steven Dick, Teoderick Contreras, Splunk
version: 6
date: '2024-10-04'
author: Teoderick Contreras, Splunk,Steven Dick
status: production
type: TTP
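Review bot: the new author line in this hunk is missing the space after the comma (`Splunk,Steven Dick`); every other file in the PR writes `Splunk, Steven Dick`.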
description: The following analytic detects the modification of the Windows registry
@@ -16,9 +16,9 @@ description: The following analytic detects the modification of the Windows regi
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name
= SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h
= SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY
Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name
Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
10 changes: 5 additions & 5 deletions detections/endpoint/disable_etw_through_registry.yml
@@ -1,8 +1,8 @@
name: Disable ETW Through Registry
id: f0eacfa4-d33f-11eb-8f9d-acde48001122
version: 5
date: '2024-05-24'
author: Steven Dick, Teoderick Contreras, Splunk
version: 6
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
description: The following analytic detects modifications to the registry that disable
@@ -16,9 +16,9 @@ description: The following analytic detects modifications to the registry that d
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled"
Registry.registry_value_data = "0x00000000") BY _time span=1h Registry.dest Registry.registry_path
Registry.registry_value_data = "0x00000000") BY Registry.dest Registry.registry_path
Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data
Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`'
10 changes: 5 additions & 5 deletions detections/endpoint/disable_registry_tool.yml
@@ -1,8 +1,8 @@
name: Disable Registry Tool
id: cd2cf33c-9201-11eb-a10a-acde48001122
version: 6
date: '2024-05-14'
author: Steven Dick, Teoderick Contreras, Splunk
version: 7
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
description: The following analytic detects modifications to the Windows registry
@@ -17,9 +17,9 @@ description: The following analytic detects modifications to the Windows registr
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools"
Registry.registry_value_data = "0x00000001") BY _time span=1h Registry.user Registry.dest
Registry.registry_value_data = "0x00000001") BY Registry.user Registry.dest
Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data
Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`'
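Review bot: cosmetic, but the unchanged context line `` `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) `` lacks the space before the pipe that the other detections in this PR use; since the search string is being rewritten here, align it.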
@@ -1,8 +1,8 @@
name: Disable Security Logs Using MiniNt Registry
id: 39ebdc68-25b9-11ec-aec7-acde48001122
version: 5
date: '2024-05-29'
author: Steven Dick, Teoderick Contreras, Splunk
version: 6
date: '2024-10-04'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
description: The following analytic detects a suspicious registry modification aimed
@@ -16,8 +16,8 @@ description: The following analytic detects a suspicious registry modification a
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") BY _time span=1h Registry.user
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") BY Registry.user
Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name
Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`