Search for Command Line String

Search for command line string after / and before @ using a regular expression

Query

logscale

#event_simpleName=ProcessRollup2
| CommandLine=/@/
| CommandLine=/\/.*@/

Introduction

A regular expression can be used to run a query that looks for command line strings containing any characters after / and before @. It is important to perform as much filtering as possible to not exceed resource limits.

In this example, a regular expression is used to filter and search for specific process events in the CrowdStrike Falcon platform. Note that the query filters on the @ alone first to perform as much filtering as possible.

Step-by-Step

Starting with the source repository events.
logscale
```
#event_simpleName=ProcessRollup2
```
Filters for events of the type ProcessRollup2 in the #event_simpleName field.
logscale
```
| CommandLine=/@/
```
Filters for any command line containing the @ symbol.
logscale
```
| CommandLine=/\/.*@/
```
Uses a regular expression to search the returned results for command lines that contain a forward slash (/) followed by any number of characters, and then a @ symbol.
Event Result set.

Summary and Results

The query is used to search for command line strings that contain any characters after / and before @. The query could, for example, be used to help security analysts identify potentially suspicious processes that might be interacting with email addresses or using email-like syntax in their command lines.

Versions of this Page

Examples Library