clong
08/13/2018, 10:09 PM
Vadim
08/15/2018, 1:15 PM
lvferdi
08/15/2018, 9:13 PM
nebi
08/16/2018, 3:04 PM
heywoodlh
08/16/2018, 3:10 PM
Richard Jones
08/17/2018, 11:10 AM
chrishumphries
08/20/2018, 3:39 PM
chrishumphries
08/20/2018, 8:08 PM
Evgeny Sidorov
08/21/2018, 8:30 AM
samantha.
08/23/2018, 5:12 PM
TonyC
08/23/2018, 6:55 PM
defensivedepth
08/23/2018, 8:25 PM
vaar
08/23/2018, 8:43 PM
Joe Bussing
08/24/2018, 10:00 PM
time value. If 0 is the default, why would this show as empty?
""
This is causing problems for us because we are receiving alerts on command line events that realistically occurred more than 1 year ago and have already been worked and triaged, but we can't make that determination just by looking at the shell_history table.
We have thought about using file integrity monitoring on shell_history files in order to get access to the file_events table data and combine the two tables to give an idea about the last time the shell_history file was actually modified, but this seems like overkill and I was hoping someone might have a more elegant solution.
groob
Moonlight
08/29/2018, 2:12 PM
Moonlight
08/29/2018, 3:04 PM
terracatta
clong
09/05/2018, 5:37 PM
darren
09/06/2018, 4:03 PM
thor
groob
dallendoug
09/09/2018, 7:25 PM
darren
09/12/2018, 11:42 AM
clong
09/12/2018, 11:53 PM
Sal
09/16/2018, 11:59 PM
thor
julient
09/18/2018, 7:10 PM
zwass
thor