While working on the following analytic, mappings on the datamodel could not be completed properly due to process and registry items not mapping correctly.
Full query with join:

```
| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry
    where Registry.registry_path IN ("*\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\*") AND Registry.registry_value_name="SD" AND Registry.user="SYSTEM"
    by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data
| `drop_dm_object_name(Registry)`
| join process_guid _time
    [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
        by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.process_guid
    | `drop_dm_object_name(Processes)`]
| table _time dest user process_name process process_guid registry_path registry_value_name registry_value_data registry_key_name action
```
Without join:

```
| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry
    where Registry.registry_path IN ("*\\Schedule\\TaskCache\\Tree\\*") Registry.user="SYSTEM" Registry.registry_value_name="SD" (Registry.action=Deleted OR Registry.action=modified)
    by _time Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_key_name Registry.registry_value_data Registry.status Registry.action
| `drop_dm_object_name(Registry)`
```
Works best, but you miss the context of which process performed the action. The action field is modified or deleted because that is not being mapped correctly with the TA.
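The following is an added Python model of the two queries above; it is not code from the issue or from the Splunk content it refers to. It applies the registry `where` filter from the no-join query, then attaches process context on `(process_guid, 1-hour bucket)` the way `join process_guid _time` behaves after both sides are bucketed with `span=1h`. The sample events, the host name, the GUIDs and the process names are all constructed for this example. The point it illustrates is the one the issue describes: when `process_guid` is not mapped on the registry event, the inner join silently drops the row, so the detection loses the very event it was built for; a left join keeps the row and marks the missing context instead. It also shows a second, related caveat: a process whose start event falls in a different hour bucket than the registry write will not join either.

```python
"""Added example, not part of the original issue: a small Python model of the
registry filter plus the (process_guid, hour bucket) join used in the SPL."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample events using Endpoint.Registry field names (values invented).
TREE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
REGISTRY_EVENTS = [
    # SYSTEM deletes the SD value of a task and process_guid is mapped: joins cleanly
    {"_time": "2024-01-01T10:15:00Z", "dest": "host1", "user": "SYSTEM",
     "registry_path": TREE + r"\Updater\SD", "registry_key_name": TREE + r"\Updater",
     "registry_value_name": "SD", "registry_value_data": "", "action": "deleted",
     "process_guid": "guid-A"},
    # Same pattern, but process_guid was not mapped by the TA (empty string)
    {"_time": "2024-01-01T10:20:00Z", "dest": "host1", "user": "SYSTEM",
     "registry_path": TREE + r"\Backup\SD", "registry_key_name": TREE + r"\Backup",
     "registry_value_name": "SD", "registry_value_data": "", "action": "modified",
     "process_guid": ""},
    # Mapped guid, but the process started in the previous hour bucket
    {"_time": "2024-01-01T10:40:00Z", "dest": "host1", "user": "SYSTEM",
     "registry_path": TREE + r"\Cleanup\SD", "registry_key_name": TREE + r"\Cleanup",
     "registry_value_name": "SD", "registry_value_data": "", "action": "deleted",
     "process_guid": "guid-C"},
    # Different value name: filtered out by the where clause
    {"_time": "2024-01-01T10:25:00Z", "dest": "host1", "user": "SYSTEM",
     "registry_path": TREE + r"\Updater\Id", "registry_key_name": TREE + r"\Updater",
     "registry_value_name": "Id", "registry_value_data": "{guid}", "action": "modified",
     "process_guid": "guid-A"},
    # Not SYSTEM: filtered out by the where clause
    {"_time": "2024-01-01T10:30:00Z", "dest": "host1", "user": "alice",
     "registry_path": TREE + r"\Updater\SD", "registry_key_name": TREE + r"\Updater",
     "registry_value_name": "SD", "registry_value_data": "", "action": "deleted",
     "process_guid": "guid-B"},
]
# Constructed sample events using Endpoint.Processes field names.
PROCESS_EVENTS = [
    {"_time": "2024-01-01T10:05:00Z", "dest": "host1", "process_guid": "guid-A",
     "process_id": 4321, "process_name": "example.exe",
     "process": r"C:\Tools\example.exe --run"},
    {"_time": "2024-01-01T09:50:00Z", "dest": "host1", "process_guid": "guid-C",
     "process_id": 5678, "process_name": "other.exe",
     "process": r"C:\Tools\other.exe"},
]


def hour_bucket(ts):
    """Floor an ISO-8601 UTC timestamp to the start of its hour, like `span=1h`."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.replace(minute=0, second=0, microsecond=0)


def filter_registry(events, path_glob=r"*\Schedule\TaskCache\Tree\*"):
    """The `where` clause of the no-join query; glob match is case-insensitive."""
    keep = []
    for e in events:
        if (fnmatchcase(e["registry_path"].lower(), path_glob.lower())
                and e["user"] == "SYSTEM"
                and e["registry_value_name"] == "SD"
                and e["action"].lower() in ("deleted", "modified")):
            keep.append(e)
    return keep


def join_process_context(reg_events, proc_events, inner=True):
    """Attach process fields on (hour bucket, process_guid).

    inner=True mirrors the SPL `join` default and drops rows with no match;
    inner=False keeps every registry hit and labels the missing context."""
    index = {(hour_bucket(p["_time"]), p["process_guid"]): p for p in proc_events}
    rows = []
    for r in reg_events:
        key = (hour_bucket(r["_time"]), r["process_guid"])
        match = index.get(key) if r["process_guid"] else None
        if match is None and inner:
            continue
        row = dict(r)
        row["process_name"] = match["process_name"] if match else "unknown"
        row["process"] = match["process"] if match else "unknown"
        rows.append(row)
    return rows


if __name__ == "__main__":
    hits = filter_registry(REGISTRY_EVENTS)
    print(len(hits), "registry hits;", len(join_process_context(hits, PROCESS_EVENTS)),
          "survive the inner join")
    for row in join_process_context(hits, PROCESS_EVENTS, inner=False):
        print(row["_time"], row["action"], row["registry_key_name"], "->", row["process_name"])
```

Run as a script, the filter keeps three of the five registry events, the inner join keeps only the one whose `process_guid` is both mapped and bucketed into the same hour as its process start, and the left-join variant returns all three with the two unjoinable rows marked `unknown`. The same trade-off applies in SPL: `join type=left` keeps the registry evidence and makes the missing process context visible, whereas the default inner join hides the mapping gap altogether.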