✄𐘗
text code block:
✄𐘗from logs-endpoint.events.process-* metadata _id, _version, _index
| where host.os.type in ("linux", "macos")
  and event.category == "process"
  and process.name in ("grep", "egrep")
  and (to_lower(process.command_line) like "* -r*" or to_lower(process.command_line) like "*--recursive*")
  and (
    process.command_line like "*password*"
    or process.command_line like "*passwd*"
    or process.command_line like "*pwd*"
    or process.command_line like "*secret*"
    or process.command_line like "*token*"
    or process.command_line like "*apikey*"
    or process.command_line like "*api_key*"
    or process.command_line like "*api.key*"
    or process.command_line like "*access_key*"
    or process.command_line like "*private_key*"
    or process.command_line like "*client_secret*"
    or process.command_line like "*credential*"
    or process.command_line like "*auth*"
    or process.command_line like "*bearer*"
    or process.command_line like "*BEGIN*PRIVATE*KEY*"
    or process.command_line like "*ssh-rsa*"
    or process.command_line like "*ghp_*"
    or process.command_line like "*github_pat*"
    or process.command_line like "*xoxb-*"
    or process.command_line like "*hooks.slack.com*"
    or process.command_line like "*discord.com/api/webhooks*"
    or process.command_line like "*/.aws/*"
    or process.command_line like "*/.git/*"
    or process.command_line like "*/.env*"
  )
  and (process.parent.command_line is null or not (to_lower(process.parent.command_line) like "*shell-snapshots*" and process.parent.name in ("bash", "sh", "zsh")))
| eval Esql.time_bucket = date_trunc(1 minute, @timestamp)
| stats Esql.unique_cmd = count_distinct(process.command_line),
        Esql.cmd_values = values(process.command_line),
        Esql.pcmd_values = values(process.parent.command_line)
  by process.name, host.id, host.name, agent.id, process.parent.name, user.name, Esql.time_bucket
| where Esql.unique_cmd >= 3
| keep host.id, host.name, agent.id, user.name, process.parent.name, Esql.*