Forum Discussion

Hamza_Bilal's avatar
Hamza_Bilal
Copper Contributor
Jul 03, 2022
Solved

AmsiScriptContent not under DeviceEvents table? MITRE Eval 2022

I was going through the MITRE eval results for 2022.   One of the queries for script executions is documented as a DeviceEvent table search for ActionType "AmsiScriptContent". Looks like a very use...
  • jbmartin6's avatar
    jbmartin6
    Jul 05, 2022
    Scratch that. The ActionType is now just 'ScriptContent'
jbmartin6's avatar
jbmartin6
Iron Contributor
Jul 05, 2022
I also get 0 results. Perhaps this event only registers when AMSI tags something
  • jbmartin6's avatar
    jbmartin6
    Iron Contributor
    Jul 05, 2022
    Scratch that. The ActionType is now just 'ScriptContent'
    • Hamza_Bilal's avatar
      Hamza_Bilal
      Copper Contributor
      Jul 05, 2022

      Under which table? DeviceEvents? Update: You nailed it. It is indeed changed to ScriptContent ActionType under DeviceEvents Table.

      It is not documented in the schema though... :happyface: