
Commit 4d06544

authored
Add RMM Process detected hunting
1 parent e889de6 commit 4d06544

1 file changed

Lines changed: 5 additions & 0 deletions


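--- a/s1_powerquery_hunting.json
+++ b/s1_powerquery_hunting.json
@@ -389,5 +389,10 @@
 "category" : "Command & Control",
 "name": "Remote installation of custom chromium extensions",
 "query": "endpoint.os = \"windows\" AND event.type contains:anycase (\"File Creation\", \"File Modification\") AND (tgt.file.path matches:anycase \"\\\\\\\\Secure Preferences$\" OR tgt.file.path matches:anycase \"\\\\\\\\Preferences$\") NOT(src.process.name contains:anycase (\"chrome\",\"edege\",\"spotify\",\"opera\",\"brave\",\"msedgewebview2\",\"HPWPD.exe\"))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.file.path\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.file.path, Count\n| sort -Count\n| limit 100000"
+},
+{
+"category" : "Installation & Persistence",
+"name": "RMM Process detected",
+"query": "(src.process.name contains:anycase (\"TeamViewer.exe\", \"AnyDesk.exe\", \"ScreenConnect.Client.exe\", \"LogMeIn.exe\", \"SRManager.exe\", \"SplashtopRemoteService.exe\", \"g2comm.exe\", \"g2tray.exe\", \"winvnc.exe\", \"DWRCS.exe\", \"DWRCSMS.exe\", \"rfusclient.exe\", \"rutserv.exe\", \"ZohoAssistService.exe\", \"KaUsrTsk.exe\", \"AgentMon.exe\", \"AteraAgent.exe\", \"pulsewayagent.exe\", \"NinjaRMMAgent.exe\", \"ncentralagent.exe\", \"MWAgent.exe\", \"ITSMService.exe\", \"CloudBerryRemoteAssistant.exe\", \"DomotzAgent.exe\", \"rasagent.exe\", \"client32.exe\", \"pciclient.exe\", \"vncserver.exe\", \"vncviewer.exe\", \"tvnviewer.exe\", \"tvnserver.exe\", \"AA_v3.exe\", \"rpclient.exe\", \"dwagent.exe\", \"isl_light_client.exe\", \"RemoteDesktopManager.exe\", \"Bomgar-scc.exe\", \"bomgar-rep.exe\", \"AweSun.exe\", \"wtserver.exe\", \"Action1Agent.exe\", \"Addigy.app\", \"AeroAdmin.exe\", \"Alpemix.exe\", \"apc_admin.exe\", \"AnyViewer.exe\", \"AuvikAgentService.exe\", \"BYS.exe\", \"BASupSrvc.exe\", \"remoting_host.exe\", \"CrossLoopConnect.exe\", \"CrossTecRemote.exe\", \"CagService.exe\", \"DesktopNow.exe\", \"DistantDesktop.exe\", \"ehorusclientctl.exe\", \"fleetdeck_agent_svc\", \"getscreen.exe\", \"IperiusRemote.exe\", \"JumpCloud.exe\", \"server.exe\", \"MeshAgent.exe\", \"mRemoteNG.exe\", \"naveriskagent.exe\", \"OptiTuneAgent.exe\", \"Panorama9.exe\", \"parsecd.exe\", \"PDQInventory.exe\", \"rserver3.exe\", \"rustdesk.exe\", \"ScreenMeetSupport.app\", \"ScreenMeetSupport.exe\", \"ServerEye.Client.exe\", \"wShowMyPC.exe\", \"simplehelp.exe\", \"Supremo.exe\", \"Syncro.exe\", \"SyspectrAgent.exe\", \"TacticalAgent.exe\", \"techinline.exe\", \"winvnc4.exe\", \"UltraViewer.exe\", \"XMReality.exe\"))\nOR\n(src.process.parent.name contains:anycase (\"TeamViewer\", \"AnyDesk\", \"ScreenConnect.Client\", \"LogMeIn\", \"SRManager\", \"SplashtopRemoteService\", \"g2comm\", \"g2tray\", \"winvnc\", \"DWRCS\", \"DWRCSMS\", \"rfusclient\", \"rutserv\", \"ZohoAssistService\", \"KaUsrTsk\", \"AgentMon\", \"AteraAgent\", \"pulsewayagent\", \"NinjaRMMAgent\", \"ncentralagent\", \"MWAgent\", \"ITSMService\", \"CloudBerryRemoteAssistant\", \"DomotzAgent\", \"rasagent\", \"client32\", \"pciclient\", \"vncserver\", \"vncviewer\", \"tvnviewer\", \"tvnserver\", \"AA_v3\", \"rpclient\", \"dwagent\", \"isl_light_client\", \"RemoteDesktopManager\", \"Bomgar-scc\", \"bomgar-rep\", \"AweSun\", \"wtserver\", \"Action1Agent\", \"Addigy.app\", \"AeroAdmin\", \"Alpemix\", \"apc_admin\", \"AnyViewer\", \"AuvikAgentService\", \"BYS\", \"BASupSrvc\", \"remoting_host\", \"CrossLoopConnect\", \"CrossTecRemote\", \"CagService\", \"DesktopNow\", \"DistantDesktop\", \"ehorusclientctl\", \"fleetdeck_agent_svc\", \"getscreen.exe\", \"IperiusRemote\", \"JumpCloud\", \"server\", \"MeshAgent\", \"mRemoteNG\", \"naveriskagent\", \"OptiTuneAgent\", \"Panorama9\", \"parsecd\", \"PDQInventory\", \"rserver3\", \"rustdesk.exe\", \"ScreenMeetSupport.app\", \"ScreenMeetSupport.exe\", \"ServerEye.Client\", \"wShowMyPC\", \"simplehelp\", \"Supremo\", \"Syncro\", \"SyspectrAgent\", \"TacticalAgent\", \"techinline\", \"winvnc4\", \"UltraViewer\", \"XMReality\"))\nAND\nNOT src.process.cmdline contains:anycase (\"Microsoft.DesktopAppInstaller\",\"Microsoft Azure AD Sync\",\"SAP BusinessObjects\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count() by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.cmdline, tgt.process.cmdline, event.dns.request, Count\n| sort -Count\n| limit 100000"
 }
 ]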
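Review bot: The `AND NOT src.process.cmdline contains:anycase (...)` exclusion at the end of the new "RMM Process detected" query (added line 396) is not grouped with the two `OR` branches, so if AND binds tighter than OR in this query language, as it does in most, the exclusion only filters the `src.process.parent.name` branch and matches on `src.process.name` are never suppressed. Wrapping the two branches, `((src.process.name contains:anycase (...)) OR (src.process.parent.name contains:anycase (...))) AND NOT src.process.cmdline contains:anycase (...)`, makes the intended precedence explicit either way. Separately, the parent-name list is matched with `contains:anycase` using very short tokens such as `\"server\"`, `\"BYS\"` and `\"AA_v3\"`; `\"server\"` in particular will match any parent whose name contains that substring and is likely to dominate the result set, so consider using the full executable name as the `src.process.name` list already does. The entry also omits the `endpoint.os = \"windows\"` filter the neighbouring entry applies, which may be deliberate given the `.app` names in the list but is worth a comment in the "name" or a companion field so the scope is clear to the next analyst.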
