| lookup aid_master help Returns City Nation ComputerName MachineDomain | rex community=UserPrincipal "^(? \w+).(? \w+)(*)" | eval "Complete name"= Basic." ".",".

[look ComputerName="EHTT1-DHD2NH2" event_simpleName="ProcessRollup2" earliest=- |regex CommandLine!="(?i)iexplore\.exe|chrome\.exe|MicrosoftEdgeCP\.exe|firefox\.exe|google|smartscreen\.exe|OneDrive\.exe|SearchUI\.exe|mimecast\|MicrosoftEdge\.exe"] |rex career=CommandLine "(? [^\\\\]+)$" | eval "Last Viewed (UTC)"=strfday(_go out, "%m/%d/%y %I:%M%p") |stats sparkline count values(CommandLine) values(DomainName) dc("Past Seen (UTC)") by the FileName SHA256HashData

event_platform=Mac computer skills_simpleName=ProcessSelfDeleted |chart browse="search enjoy_simpleName=*ProcessRollup2 assistance=$aid$ TargetProcessId_decimal=$ContextProcessId_decimal$" |dedup aid,SHA256HashData |eval CommandLine=substr(CommandLine,step 1,50) |stats opinions(CommandLine) as the Requests, dc(aid) as the UniqueAgentCount by the SHA256HashData |sign up method of=external SHA256HashData [research experience_platform=Mac knowledge_simpleName=*ProcessRollup2 |better SHA256HashData restrict=10000 by the aid |stats dc(aid) since CommonGPopCount because of the SHA256HashData] |subscribe type=outside SHA256HashData [research feel_platform=Mac feel_simpleName=*ProcessRollup2 |unusual SHA256HashData restrict=10000 from the help |stats dc(aid) as the RareGPopCount because of the SHA256HashData] |fillnull worthy of=0 CommonGPopCount |fillnull really worth=0 RareGPopCount |look UniqueAgentCount=1 CommonGPopCount

|eval ParentCommandLine=coalesce(ParentCommandLine,"IamAnOrphan") |search seks randki milf ParentCommandLine="IamAnOrphan" |eval ChildCommandLine=substr(ChildCommandLine,step 1,50) |stats opinions(ChildCommandLine) given that Commands, max(duration) as stage, dc(aid) because the AgentsWithHash by SHA256HashData |lookup AgentsWithHash=1 |signup type=exterior SHA256HashData [browse skills_platform=Mac event_simpleName=VT |stats sum(detectionCount) as VTCount by sha256 |rename sha256 because the SHA256HashData]

| inputlookup managedassets.csv | eval "Last Seen (UTC)"=strfdate(_time, "%m/%d/%y %I:%M%p")| types 0 -"Past Viewed (UTC)" | search oui.csv MACPrefix Output Brand | fillnull worth=NA Name brand | eval Name brand=if(Manufacturer="NA",InterfaceDescription,Manufacturer)

| sign-up help [| inputlookup services_learn in which cid=* | eval "Past Seen (UTC)"=strfgo out(_go out, "%m/%d/%y %I:%M%p") | sort 0 -"Past Seen (UTC)" | search oui.csv MACPrefix Output Manufacturer | fillnull really worth=NA Brand name | eval Name brand=if(Manufacturer="NA",InterfaceDescription,Manufacturer) | dedup aid]

| append [| inputlookup append=t unmanaged_higher.csv in which cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=none | rename ComputerName Given that "History Found By the"| append [ inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=nothing | rename ComputerName While the "Past Discover By"]| append [| inputlookup append=t unmanaged_low.csv in which cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=nothing | rename ComputerName Because "Last Found From the"] | append [| inputlookup notsupported.csv in which cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=not one | rename ComputerName Just like the "History Discovered By" ] | eval "Last Viewed (UTC)"=strfday(_time, "%m/%d/%y %I:%M%p") | fillnull worthy of=null aid | eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4," "))) | eval discoverer_help=mvsort(mvdedup(split(discoverer_help," "))) | eval aip=mvsort(mvdedup(split(aip," "))) | types 0 -"Past Seen (UTC)" | search oui.csv MACPrefix Output Name brand, ManufacturerAddress | fillnull worth=NA Brand | eval Company=if(Manufacturer="NA",InterfaceDescription,Manufacturer) ]

|head 100 |stats count very first(_time) given that basic of the username sourcetype | eval very first=strftime(very first,"%m/%d/%y %H:%M:%S") | eval login name=lower(username) | statistics count by the username sourcetype earliest | dedup login name

| inputlookup managedassets.csv | eval "Past Seen (UTC)"=strfgo out(_day, "%m/%d/%y %I:%M%p") | kinds 0 -"History Seen (UTC)" | browse oui.csv MACPrefix Output Brand | fillnull value=NA Manufacturer | eval Name brand=if(Manufacturer="NA",InterfaceDescription,Manufacturer)

| sign-up support [| inputlookup assistance_grasp in which cid=* | eval "Past Viewed (UTC)"=strfday(_go out, "%m/%d/%y %I:%M%p") | kinds 0 -"History Seen (UTC)" | browse oui.csv MACPrefix Productivity Manufacturer | fillnull value=NA Company | eval Manufacturer=if(Manufacturer="NA",InterfaceDescription,Manufacturer) | dedup support]

| append [| inputlookup append=t unmanaged_large.csv in which cid=* MACPrefix!=none LocalAddressIP4=* LocalAddressIP4!=nothing | rename ComputerName Because "Past Located By" | append [ inputlookup append=t unmanaged_med.csv where cid=* MACPrefix!=nothing LocalAddressIP4=* LocalAddressIP4!=nothing | rename ComputerName Since the "Last Receive By the"] | append [| inputlookup append=t unmanaged_reduced.csv where cid=* MACPrefix!=not one LocalAddressIP4=* LocalAddressIP4!=not one | rename ComputerName Due to the fact "Past Discover From the"] | append [| inputlookup notsupported.csv in which cid=* MACPrefix!=nothing LocalAddressIP4=* LocalAddressIP4!=nothing | rename ComputerName Given that "Last Receive Because of the" ] | eval "Last Viewed (UTC)"=strfbig date(_time, "%m/%d/%y %I:%M%p") | fillnull worth=null support | eval LocalAddressIP4=mvsort(mvdedup(split(LocalAddressIP4," "))) | eval discoverer_support=mvsort(mvdedup(split(discoverer_aid," "))) | eval aip=mvsort(mvdedup(split(aip," "))) | sort 0 -"Past Seen (UTC)" | look oui.csv MACPrefix Productivity Manufacturer, ManufacturerAddress | fillnull worth=NA Brand name | eval Brand=if(Manufacturer="NA",InterfaceDescription,Manufacturer) ]