MHaggis/UT_Toolbox Examples

## UT_Toolbox Examples
Source: https://www.splunk.com/blog/2017/11/03/you-can-t-hyde-from-dr-levenshtein-when-you-use-url-toolbox.html
Data type required: Carbon Black Response, CrowdStrike Falcon

`cb` process_path=*\\users\\*
| `ut_shannon(process_path)`
| where ut_shannon > 4.5
| stats values(ut_shannon)  as "Shannon Entropy Score" by process_path, computer_name
| rename process_path as Process, computer_name as Endpoint

sourcetype="crowdstrike:falconhost:json" ImageFileName=*\\users\\*
| `ut_shannon(ImageFileName)`
| where ut_shannon > 4.5
| stats values(ut_shannon)  as "Shannon Entropy Score" by ImageFileName, ComputerName
| rename ImageFileName as Process, ComputerName as Endpoint
	Source: https://www.splunk.com/blog/2017/11/03/you-can-t-hyde-from-dr-levenshtein-when-you-use-url-toolbox.html
	Data type required: Carbon Black Response, CrowdStrike Falcon

	`cb` process_path=\\users\\
	\| `ut_shannon(process_path)`
	\| where ut_shannon > 4.5
	\| stats values(ut_shannon) as "Shannon Entropy Score" by process_path, computer_name
	\| rename process_path as Process, computer_name as Endpoint

	sourcetype="crowdstrike:falconhost:json" ImageFileName=\\users\\
	\| `ut_shannon(ImageFileName)`
	\| where ut_shannon > 4.5
	\| stats values(ut_shannon) as "Shannon Entropy Score" by ImageFileName, ComputerName
	\| rename ImageFileName as Process, ComputerName as Endpoint