Audit CVE Event

Detects events generated by Windows to indicate the exploitation of a known vulnerability.

# Elastic Query

(winlog.channel:Application AND winlog.event_data.Source:Microsoft\-Windows\-Audit\-CVE)

# QRadar AQL

SELECT UTF8(payload) as search_payload from events where (LOGSOURCETYPENAME(devicetype) ilike '%Microsoft Windows Security Event Log%' and search_payload ilike '%Microsoft-Windows-Audit-CVE%')

# Splunk

(source="WinEventLog:Application" Source="Microsoft-Windows-Audit-CVE")

# EDR Carbon Black

Source:Microsoft-Windows-Audit-CVE

# Windows PowerShell

Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -match "^Microsoft-Windows-Audit-CVE" } | Select-Object TimeCreated,Id,RecordId,ProcessId,MachineName,Message

# RegEx

^Microsoft-Windows-Audit-CVE
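The same rule logic (Application channel AND source Microsoft-Windows-Audit-CVE) run over constructed Winlogbeat-style records, as an added example that is not part of this rule page; the field layout, host names, record ids and the CVE identifier are assumptions and placeholders.

```python
import re

# Audit-CVE events land in the Application log from the
# Microsoft-Windows-Audit-CVE provider. Sigma maps the provider to
# winlog.event_data.Source; Winlogbeat also exposes it as winlog.provider_name.
CHANNEL = "Application"
SOURCE = "Microsoft-Windows-Audit-CVE"
CVE_ID_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

def is_audit_cve_event(event: dict) -> bool:
    """Apply the rule: Application channel AND Audit-CVE source/provider."""
    winlog = event.get("winlog", {})
    if winlog.get("channel") != CHANNEL:
        return False
    source = winlog.get("event_data", {}).get("Source") or winlog.get("provider_name")
    return source == SOURCE

def extract_cve_ids(message: str) -> list:
    """Return every CVE id mentioned in the message, upper-cased, de-duplicated, in order."""
    found = []
    for cid in CVE_ID_RE.findall(message or ""):
        cid = cid.upper()
        if cid not in found:
            found.append(cid)
    return found

def scan(events) -> list:
    """One alert dict (host, record id, CVE ids) per event that matches the rule."""
    alerts = []
    for ev in events:
        if not is_audit_cve_event(ev):
            continue
        alerts.append({
            "host": ev.get("host", {}).get("name", "unknown"),
            "record_id": ev["winlog"].get("record_id"),
            "cve_ids": extract_cve_ids(ev.get("message", "")),
        })
    return alerts

# Constructed sample records (Winlogbeat/ECS layout); the CVE id is a placeholder.
SAMPLE_EVENTS = [
    {"host": {"name": "ws01"}, "message": "Possible detection of CVE: CVE-0000-0001 (placeholder)",
     "winlog": {"channel": "Application", "record_id": 4201, "provider_name": SOURCE,
                "event_data": {"Source": SOURCE}}},
    {"host": {"name": "ws01"}, "message": "Faulting application name: example.exe",
     "winlog": {"channel": "Application", "record_id": 4202, "provider_name": "Application Error",
                "event_data": {}}},
    {"host": {"name": "ws02"}, "message": "wrong channel, must not match",
     "winlog": {"channel": "Security", "record_id": 9001, "provider_name": SOURCE,
                "event_data": {"Source": SOURCE}}},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```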