Update Detection_of_External_Direct_IP_Usage_in_CommandLine_Windows_and_Mac.yml

Polaceka · web-flow · commit e117b9a4d75f · 2025-12-05T16:05:03.000+01:00
diff --git a/queries/Detection_of_External_Direct_IP_Usage_in_CommandLine_Windows_and_Mac.yml b/queries/Detection_of_External_Direct_IP_Usage_in_CommandLine_Windows_and_Mac.yml
@@ -34,23 +34,26 @@ tags:
 # The actual CrowdStrike Query Language (CQL) code.
 # Using the YAML block scalar `|` allows for multi-line strings.
 cql: |
-  in(#event_simpleName, values=["ProcessRollup2","SyntheticProcessRollup2"]) 
+  in(#event_simpleName, values=["ProcessRollup2","SyntheticProcessRollup2"])
   | CommandLine=*http* event_platform!="Lin"
-  // Basline to exclude legitimate process | !in(field="ParentBaseFileName", values=//["UmbrellaDiagnostic.exe","HPClickExe","Eagle" ,"HPClick.exe"])
-  //| !in(field="FileName", values=["Google Chrome","chrome.exe"])
+  // Basline to exclude legitimate process 
+  //| !in(field="ParentBaseFileName", values=//["UmbrellaDiagnostic.exe","HPClickExe","Eagle" ,"HPClick.exe"])
+  //| !in(field="FileName", values=["Google Chrome","chrome.exe"]) 
   //| !in(field="CommandLine", values=["Google Chrome.app"])
   | regex("(?<Urlink>\\bhttps?://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*\\/\\b)", field=CommandLine)
   | regex("(?<Ipaddress>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})", field=Urlink)
   | !cidr(Ipaddress, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "168.63.0.0/16", "0.0.0.0/8"])
-  | // Basline to exclude legitimate url !in(field="Urlink", values=[
-    // Basline to exclude legitimate url  "http://100.1.1.1"  
-  ])
+  // Basline to exclude legitimate url | !in(field="Urlink", values=[
+  // Basline to exclude legitimate url  "http://100.1.1.1"
+  // Basline to exclude legitimate url ])
   | default(field=GrandParentBaseFileName, value="Unknown")
   | rootURL := "https://falcon.crowdstrike.com/"
   | ProcessStartTime := round(ProcessStartTime)
   | processStart:=formattime(field=ProcessStartTime, format="%m/%d %H:%M:%S")
   // If Context Process ID is available utilize it, if not utilize Target Process ID
-  | case{ ContextProcessId ="*" | ContextId:=ContextProcessId; TargetProcessId="*" | ContextId:=TargetProcessId}
+  | case{ ContextProcessId ="*"
+  | ContextId:=ContextProcessId; TargetProcessId="*"
+  | ContextId:=TargetProcessId}
   // Create URLs for Process and Graph Explorers
   | format("[ProcessExplorer]%sinvestigate/process-explorer/%s/%s?_cid=%s", field=["rootURL", "aid", "ContextId", "cid"], as="ProcessExplorer")
   | format("[GraphExplorer]%sgraphs/process-explorer/graph?id=pid:%s:%s", field=["rootURL", "aid", "TargetProcessId"], as="GraphExplorer")
