[Hunt] Remove Default Namespace from indexes (#4866)

* [Hunt] Remove Default Namespace from indexes * markdown
2025-07-03 11:08:29 -03:00
parent 715e3f44f4
commit 1e416b64da
4 changed files with 4 additions and 4 deletions
@@ -14,7 +14,7 @@
 ## Query

 ```sql
-from logs-endpoint.events.file-*, logs-windows.sysmon_operational-default-*
+from logs-endpoint.events.file-*, logs-windows.sysmon_operational-*
 | where  @timestamp > now() - 7 day
 | where host.os.family == "windows" and event.category == "file" and event.action in ("creation", "FileCreate") and
  file.path rlike """(C:\\Users\\.+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.+*|C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\.+)"""
@@ -15,7 +15,7 @@
 ## Query

 ```sql
-from logs-system.security-default-*
+from logs-system.security-*
 | where  @timestamp > now() - 7 day
 | where host.os.family == "windows" and event.code == "4698" and event.action == "scheduled-task-created"
 /* parsing unstructured data from winlog message to extract a scheduled task Exec command */
@@ -14,7 +14,7 @@ notes = [
 mitre = [ "T1547", "T1547.001"]
 query = [
 '''
-from logs-endpoint.events.file-*, logs-windows.sysmon_operational-default-*
+from logs-endpoint.events.file-*, logs-windows.sysmon_operational-*
 | where  @timestamp > now() - 7 day
 | where host.os.family == "windows" and event.category == "file" and event.action in ("creation", "FileCreate") and
  file.path rlike """(C:\\Users\\.+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.+*|C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\.+)"""
@@ -15,7 +15,7 @@ notes = [
 mitre = [ "T1053", "T1053.005"]
 query = [
 '''
-from logs-system.security-default-*
+from logs-system.security-*
 | where  @timestamp > now() - 7 day
 | where host.os.family == "windows" and event.code == "4698" and event.action == "scheduled-task-created"
 /* parsing unstructured data from winlog message to extract a scheduled task Exec command */