StealthDefend

id: 7c07e75c-27ed-4b62-b8e6-9a845207c18c
Function:
  Title:  StealthBits StealthDefend Parser
  Version: '1.0.0'
  LastUpdated: '2023-10-31'
Category: Microsoft Sentinel Parser
FunctionName:  StealthBits StealthDefend Parser
FunctionAlias: StealthDefend
FunctionQuery:
CommonSecurityLog
| where DeviceVendor == "STEALTHbits Technologies"
| where DeviceProduct == "StealthDEFEND"
| extend 
    threatType = extract("threatType=([^;]+)", 1, AdditionalExtensions),
    threatTime = todatetime(extract("threatTime=([^;]+)", 1, AdditionalExtensions)),
    users = extract("users=([^;]+)", 1, AdditionalExtensions),
    computers = extract("computers=([^;]+)", 1, AdditionalExtensions),
    fileName = extract("fileName=([^;]*)", 1, AdditionalExtensions), 
    newFileName = extract("newFileName=([^;]*)", 1, AdditionalExtensions), 
    process = extract("process=([^;]*)", 1, AdditionalExtensions), 
    evidence = extract("evidence=(.+)", 1, AdditionalExtensions)