Add support for criteria-level query customization

Open keithmccammon opened this issue 6 years ago • 1 comments

When running Surveyor, it may be desirable to customize the query at runtime to make results more accurate.

As an example, when searching for instances of the net.exe command, one may want to exclude processes where the command line includes the parameter "TPAutoConnSvc". In Cb Response queries, this would require appending "-cmdline:TPAutoConnSvc" to the net.exe query at runtime.

keithmccammon, Jan 16 '19 02:01
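The runtime customization requested above, sketched as an added example; it is not part of the issue and is not Surveyor's code. The criteria and override layouts, the function names, and the quoting and grouping rules are assumptions made for illustration, and the sample data is constructed.

```python
import re

FIELD_RE = re.compile(r"^[a-z][a-z0-9_]*$")  # bare field names only
NEEDS_QUOTES = re.compile(r"[\s():]")        # characters that would split or regroup a term


def exclusion_term(field, value):
    """Return one negated field:value term, e.g. -cmdline:TPAutoConnSvc."""
    if not FIELD_RE.match(field):
        raise ValueError(f"invalid field name: {field!r}")
    # Assumption: reject values we cannot safely quote instead of guessing at escaping.
    if not value or '"' in value or "\\" in value:
        raise ValueError(f"unsupported exclusion value: {value!r}")
    if NEEDS_QUOTES.search(value):
        value = f'"{value}"'  # keep a multi-word value as a single term
    return f"-{field}:{value}"


def build_query(base_query, exclusions=()):
    """Append negated terms to a base query at runtime."""
    terms = [exclusion_term(f, v) for f, v in exclusions]
    if not terms:
        return base_query
    # Group an OR'd base so each exclusion applies to every alternative.
    if re.search(r"\sOR\s", base_query):
        base_query = f"({base_query})"
    return " ".join([base_query, *terms])


def customize(criteria, overrides):
    """Apply per-criterion exclusions; refuse overrides that match no criterion."""
    unknown = sorted(set(overrides) - set(criteria))
    if unknown:
        raise KeyError(f"override for undefined criteria: {unknown}")
    return {name: build_query(q, overrides.get(name, ()))
            for name, q in criteria.items()}


# Constructed sample data (hypothetical layout, not Surveyor's definition format).
CRITERIA = {
    "net": "process_name:net.exe",
    "psexec": "process_name:psexec.exe OR process_name:psexesvc.exe",
}
OVERRIDES = {"net": [("cmdline", "TPAutoConnSvc")]}

if __name__ == "__main__":
    for name, query in customize(CRITERIA, OVERRIDES).items():
        print(f"{name}: {query}")
```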

This is being tracked via branch https://github.com/redcanaryco/cb-response-surveyor/tree/criteria-query-base.

See the notes associated with commit dbcf3dde4901ac22be62e95da7f49e8560c4ddbb for guidance re: using this via a newly formatted definition file.

keithmccammon, Jan 16 '19 02:01

Related to #86

rc-csmith, Jan 18 '23 16:01