Search_Command that will search only network connections for hits on IP or part of/whole match of Domain/TLD

Question

Search_Command that will search only network connections for hits on IP or part of/whole match of Domain/TLD

ceramicskate0 opened this issue 6 years ago · 1 comments

Feature should be a command in the search config that can be IP or part of domain. Use sysmon by default or if it has a logname in search use search all feature to find if a log has contacted a domain.

Ideas:
possibly use network_connect command and if middle arg is not a number then do this search?

Answer 1 · 2019-04-28T03:18:41.000Z

use search multiple and eventid to do this