More narrowly scoped searches run faster
# see all sources / sourcetypes
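# `source[type]s` is not valid SPL; `metadata` takes one concrete type per search.
# Each search returns one row per value with first/last seen times and a total count.
# <index_name> is a constructed placeholder -- replace it with the index to inspect.
| metadata type=sourcetypes index=<index_name>
# same, but listing sources instead of sourcetypes
| metadata type=sources index=<index_name>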
# see all indexes
# list every index; `index=_*` is added because the internal (underscore-prefixed) indexes
# are not matched by `index=*` alone. summarize=false returns per-index rows (one per indexer
# in a distributed search), so `dedup index` collapses them to a single row per index name.
| eventcount summarize=false index=* index=_* | dedup index | sort -count
# command lines via Sysmon
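# Scoped to Sysmon process-creation events (EventCode=1) rather than every source,
# which is both faster and avoids picking up `Image` fields from unrelated event types.
# NOTE(review): in SPL "\\\\" inside a quoted string matches two literal backslashes;
# if a single path separator was intended, "*\\cmd.exe" is the form -- confirm against a sample event.
# which command lines cmd.exe was started with, per host
source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image="*\\\\cmd.exe"
| stats values(CommandLine) by host
# how often each distinct cmd.exe command line was seen
source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image="*\\\\cmd.exe"
| stats count by CommandLine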
# Failed Logons
# 4625 = "An account failed to log on"; 2-hour buckets make brute-force bursts stand out
EventCode=4625
    sourcetype="WinEventLog:Security"
    source="WinEventLog:Security"
| timechart span=2h count
# Commands of interest
# Sysmon command lines carrying recon (whoami), remote-access/transfer (ssh, ftp)
# or encoded-PowerShell (FromBase64String) markers; one row per matching event.
# Search terms on adjacent lines are ANDed implicitly.
source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    (CommandLine=*whoami*
     OR CommandLine=*ssh*
     OR CommandLine=*ftp*
     OR CommandLine=*FromBase64String*)
| table _time user CommandLine
# Logins
# 4624 = successful logon; Logon_Type 2 = interactive (console), 7 = workstation unlock.
# Remote/network logon types are deliberately excluded here.
EventCode=4624
    (Logon_Type=2 OR Logon_Type=7)
    source="WinEventLog:Security"
    sourcetype="WinEventLog:Security"
| timechart span=2h count
# Top Commands
# most frequent Sysmon command lines; `limit=10` just spells out top's default
CommandLine=*
    source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| top limit=10 CommandLine
# Event Codes
# Security event-code histogram for a single machine; the host value is pinned,
# swap it for the host under review
host="LAPTOP-OI4EI350"
    sourcetype="WinEventLog:Security"
    source="WinEventLog:Security"
| stats count by EventCode
| sort -count
# USB Devices
# Sysmon events generated by the USB user-mode driver host. `Details` is only populated on
# registry-value events, so this presumably surfaces device registry writes -- verify against a sample event.
# NOTE(review): `dedup _time` keeps one event per timestamp, so distinct USB events logged in
# the same second are silently dropped; consider `dedup Details` if each device should be listed.
# Note the field name here is `process_name`, whereas the cmd.exe searches above use `Image`.
source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" process_name="WUDFHost.exe"
| dedup _time | table _time Details