cbecks2 · July 12, 2023 19:55
diff --git a/gistfile1.txt b/gistfile1.txt
 index=your_index  event_simpleName=ProcessRollup2 
 (CommandLine="*remote-debugging-port*" OR CommandLine="*remote-debug-port*" )

 ```Use "NOT ParentBaseFileName=foo" instead of "ParentBaseFileName!=foo" here because ParentBaseFileName may not be recorded in every event and those would get thrown out using !=```
 NOT ParentBaseFileName IN ("tuning","goes","here") 
 | fillnull ParentBaseFileName value="na" 
 ~ identity enrichment here ~
 ~ asset enrichment here ~

 ```Rex magic to pull the flags from the CommandLine argument field. We then can count the number of flags and do additional filtering```
 | rex field=CommandLine max_match=0 "\-\-(?<Params>.*?)(\s+|(\-\-))"

 ``` Stats to find individual instances of this occurring ```
 | stats values(user) AS user values(email) AS email values(dest_host) AS dest_host values(dest_ip) AS dest_ip dc(CommandLine) AS uniqcmd values(CommandLine) AS CommandLine values(Params) AS values_params dc(Params) as uniqparams by _time dest ParentBaseFileName ImageFileName index

 ```Tune this for your org. If you see the debug flag being passed with a small number of other parameters, its likely suspect.```
 | where uniqparams < 10

 ``` Stats to roll those instances up by dest ParentBaseFileName ImageFileName so this only fires once for each combination instead of for each CommandLine```
 | stats earliest(_time) AS _time values(user) AS user values(email) AS email values(dest_host) AS dest_host values(dest_ip) AS dest_ip dc(CommandLine) AS uniqcmd values(CommandLine) AS CommandLine values(values_params) AS values_params dc(values_params) as uniqparams by dest ParentBaseFileName ImageFileName index
	index=your_index event_simpleName=ProcessRollup2
	(CommandLine="remote-debugging-port" OR CommandLine="remote-debug-port" )

	```Use "NOT ParentBaseFileName=foo" instead of "ParentBaseFileName!=foo" here because ParentBaseFileName may not be recorded in every event and those would get thrown out using !=```
	NOT ParentBaseFileName IN ("tuning","goes","here")
	\| fillnull ParentBaseFileName value="na"
	~ identity enrichment here ~
	~ asset enrichment here ~

	```Rex magic to pull the flags from the CommandLine argument field. We then can count the number of flags and do additional filtering```
	\| rex field=CommandLine max_match=0 "\-\-(?<Params>.*?)(\s+\|(\-\-))"

	``` Stats to find individual instances of this occurring ```
	\| stats values(user) AS user values(email) AS email values(dest_host) AS dest_host values(dest_ip) AS dest_ip dc(CommandLine) AS uniqcmd values(CommandLine) AS CommandLine values(Params) AS values_params dc(Params) as uniqparams by _time dest ParentBaseFileName ImageFileName index

	```Tune this for your org. If you see the debug flag being passed with a small number of other parameters, its likely suspect.```
	\| where uniqparams < 10

	``` Stats to roll those instances up by dest ParentBaseFileName ImageFileName so this only fires once for each combination instead of for each CommandLine```
	\| stats earliest(_time) AS _time values(user) AS user values(email) AS email values(dest_host) AS dest_host values(dest_ip) AS dest_ip dc(CommandLine) AS uniqcmd values(CommandLine) AS CommandLine values(values_params) AS values_params dc(values_params) as uniqparams by dest ParentBaseFileName ImageFileName index