
Add Timebox to Windows.Hayabusa.Rules and Windows.Registry.Hunter

Open mtreanor-r7 opened this issue 5 months ago • 9 comments

As discussed internally, it would be great to add a Timebox to Windows.Hayabusa.Rules and Windows.Registry.Hunter to pre-cut noisy output when running all rule level/status across in-scope compromised assets.

I understand `WHERE Timestamp>'2024-09-20'` could be applied in the notebook after the fact by focusing only on in-scope cells, but doing it in the hunt parameters would reduce the noise when building timelines in Velociraptor.

Normally during an IR, we have pre-indicators and a known date/time of compromise, and using the above hunts to triage would lift our pivot points.

Thanks,

mtreanor-r7 · Sep 24 '24 06:09
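One way to get the hunt-time timebox the request asks for, without waiting for the built-in artifacts to change, is a small wrapper artifact that calls the existing artifact and filters its rows. This is an added example, not code from the issue or from the Velociraptor project: the artifact name, the `StartTime`/`EndTime` parameter names, and the assumption that Windows.Hayabusa.Rules emits a `Timestamp` column that parses as a time (taken from the `WHERE Timestamp>'2024-09-20'` filter in the issue) are all mine.

```yaml
# Constructed example: a custom wrapper that timeboxes Windows.Hayabusa.Rules
# at hunt time so the noise never reaches the notebook.
name: Custom.Windows.Hayabusa.Rules.Timeboxed
description: |
  Runs Windows.Hayabusa.Rules with its default parameters and keeps only
  detections whose Timestamp falls inside [StartTime, EndTime].
  Both bounds are hunt parameters, so the analyst sets the known
  compromise window when scheduling the hunt.

parameters:
  - name: StartTime
    type: timestamp
    description: Earliest event time to keep (inclusive).
  - name: EndTime
    type: timestamp
    description: Latest event time to keep (inclusive); defaults to now.
    default: "2100-01-01T00:00:00Z"

sources:
  - query: |
      -- Fall back to "now" when the analyst leaves EndTime unset
      LET end_bound <= if(condition=EndTime, then=EndTime, else=now())

      -- Column name "Timestamp" is assumed from the issue's own filter;
      -- timestamp(string=...) parses it so the comparison is time-vs-time,
      -- not string-vs-time.
      SELECT *
      FROM Artifact.Windows.Hayabusa.Rules()
      WHERE timestamp(string=Timestamp) >= StartTime
        AND timestamp(string=Timestamp) <= end_bound
```

The same pattern applies to Windows.Registry.Hunter, provided the filter is rewritten against whatever time column that artifact actually emits; do not assume it is also called `Timestamp`.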