"query": "-- Comprehensive PowerShell Forensic Monitoring Query\n-- Captures Event IDs 4103 (Module Logging), 4104 (Script Block Logging), 4688 (Process Creation)\n-- Source: windows_eventlog table - Windows Event Logs (Historical)\n-- Focus: Fileless malware detection, obfuscated command tracking, command line auditing\n-- MITRE ATT&CK: T1059.001 (PowerShell)\n-- Last updated: 2025-11-21\n\n-- Query PowerShell Operational logs for Event IDs 4103 and 4104\nSELECT\n datetime,\n eventid,\n provider_name,\n level,\n task,\n computer_name,\n channel,\n pid,\n tid,\n data,\n -- Event ID 4103: Module Logging - Extract obfuscated command context\n CASE \n WHEN eventid = 4103 THEN json_extract(data, '$.EventData.ProviderName')\n ELSE NULL\n END AS ProviderName,\n CASE \n WHEN eventid = 4103 THEN json_extract(data, '$.EventData.ContextInfo')\n ELSE NULL\n END AS ContextInfo,\n CASE \n WHEN eventid = 4103 THEN json_extract(data, '$.EventData.Payload')\n ELSE NULL\n END AS Payload,\n -- Event ID 4104: Script Block Logging - Extract full script content\n CASE \n WHEN eventid = 4104 THEN json_extract(data, '$.EventData.ScriptBlockId')\n ELSE NULL\n END AS ScriptBlockId,\n CASE \n WHEN eventid = 4104 THEN json_extract(data, '$.EventData.ScriptBlockText')\n ELSE NULL\n END AS ScriptBlockText,\n CASE \n WHEN eventid = 4104 THEN json_extract(data, '$.EventData.Path')\n ELSE NULL\n END AS ScriptPath,\n NULL AS CommandLine,\n NULL AS ProcessName,\n NULL AS ParentProcessName\nFROM windows_eventlog\nWHERE \n channel = 'Microsoft-Windows-PowerShell/Operational'\n AND eventid IN (4103, 4104)\nUNION ALL\n-- Query Security logs for Event ID 4688 (Process Creation)\nSELECT\n datetime,\n eventid,\n provider_name,\n level,\n task,\n computer_name,\n channel,\n pid,\n tid,\n data,\n NULL AS ProviderName,\n NULL AS ContextInfo,\n NULL AS Payload,\n NULL AS ScriptBlockId,\n NULL AS ScriptBlockText,\n NULL AS ScriptPath,\n -- Event ID 4688: Process Creation - Extract command line and process 
hierarchy\n json_extract(data, '$.EventData.CommandLine') AS CommandLine,\n json_extract(data, '$.EventData.NewProcessName') AS ProcessName,\n json_extract(data, '$.EventData.ParentProcessName') AS ParentProcessName\nFROM windows_eventlog\nWHERE \n channel = 'Security'\n AND eventid = 4688\n AND data LIKE '%powershell%'\nORDER BY datetime DESC;",