05-04-2023 07:49 AM
Good Day,
I am fairly new to Cortex but have been looking to detect git related activity not associated to Github. I believe I have a decent grasp on the volume as well as the observed destinations. I am running into issues differentiating what initiated these flows (HTTP/S, SSH, Etc.). The only remote port that shows in the network story is DNS(53).
I am wondering if I need to join another dataset and how would I go about doing so? Or if there is a better way to get this result set outside of network story
Below is what I have so far, any help would be greatly appreciated:
| config case_sensitive = false | preset = network_story | filter (dns_resolutions != null) | arrayexpand dns_resolutions | alter Resolution_Value = dns_resolutions -> value{}, Resolution_Name = dns_resolutions -> name{} | fields agent_hostname , actor_process_image_name , actor_process_image_name , actor_process_command_line , Resolution_Name , Resolution_Value , dns_query_type , dns_resolutions , dns_query_name , dns_reply_code, user_id , actor_effective_username , action_local_port , action_remote_port | filter Resolution_Name not contains "github" and actor_process_command_line contains "http" and actor_process_command_line contains "git" | sort desc actor_process_command_line | dedup actor_process_command_line |
05-07-2023 04:42 PM
Hi @PV_Byrd, thank you for writing to Live Community.
Please allow me some time to figure out an answer.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
