(query:Suspicious_SystemRoot AND exe NOT mpam NOT Google AND Temp AND GUR*:>:1|time:5:@timestamp|index:logstash|timebase:true),address:sysloghost,title:Google Update malware (query:cmd.exe:>:1|and:programname=WHORUProc message=cmd.exe|time:5:@timestamp|index:logstash|timebase:true),(query:net1.exe:>:1|and:programname=WHORUProc message=net1.exe|time:5:@timestamp|index:logstash|timebase:true),(query:net.exe:>:1|and:programname=WHORUProc message=net.exe|time:5:@timestamp|index:logstash|timebase:true),(query:route.exe:>:1|and:programname=WHORUProc message=route.exe|time:5:@timestamp|index:logstash|timebase:true),title:Hacking Suspicious process 4 (query:THREAT:>:1|not:message=spyware|time:5:@timestamp|index:logstash|timebase:true),title:Firewall Vulnerability (query:*.h:>:1|and:message=WHORUFile sysloghost=192.|time:5:@timestamp|index:logstash|timebase:true),title:Create Header File (query:SuspiciousModule:>:1|time:5:@timestamp|index:logstash|timebase:true),title:SVCHOST Suspicious module (query:net.exe:>:1|and:programname=WHORUProc message=net.exe|time:5:@timestamp|index:logstash|timebase:true),(query:route.exe:>:1|and:programname=WHORUProc message=route.exe|time:5:@timestamp|index:logstash|timebase:true),address:sysloghost,title:Hacking Suspicious process 1 (query:ipconfig.exe:>:1|and:programname=WHORUProc message=ipconfig.exe|time:5:@timestamp|index:logstash|timebase:true),(query:reg.exe:>:1|and:programname=WHORUProc message=reg.exe|time:5:@timestamp|index:logstash|timebase:true),address:sysloghost,title:Hacking Suspicious process 2 (query:net.exe:>:1|and:programname=WHORUProc message=nc.exe|time:5:@timestamp|index:logstash|timebase:true),(query:ping.exe:>:1|and:programname=WHORUProc message=netstat.exe|time:5:@timestamp|index:logstash|timebase:true),address:sysloghost,title:Hacking Suspicious process 3 (query:nc.exe:>:1|and:programname=WHORUProc message=nc.exe|time:5:@timestamp|index:logstash|timebase:true),address:sysloghost,title:Hacking Suspicious process 5 (query:DownloadString:>:1|time:5:@timestamp|index:logstash|timebase:true),address:sysloghost,title:Hacking Suspicious process 7 (query:cscript.exe:>:1|and:message=nologo|time:5:@timestamp|index:logstash|timebase:true),address:sysloghost,title:Hacking Suspicious process 8 (query:wmi.dll:>:1|time:5:@timestamp|index:logstash|timebase:true),address:sysloghost,title:Hacking Suspicious process 9 (query:wmi.vbs:>:1|time:5:@timestamp|index:logstash|timebase:true),address:sysloghost,title:Hacking Suspicious process 10 (query:logon AND fail:>:3|time:5:@timestamp|index:logstash|timebase:true|same:procid),address:sysloghost,title:Logon Fail (query:ping AND n:>:1|time:5:@timestamp|index:logstash|timebase:true|not:message=127.0.0.1),address:sysloghost,title:Hacker Ping Test