Forum Discussion
F0r3nSick
Feb 16, 2024 | Copper Contributor
Defender for endpoint - Qualification Query
Hi,
I'm a security and forensic consultant for my entity.
I'm looking to create a standard qualification query which contains multiple sources.
In fact,
I simply want to get a result containing all the events based on my targeted ActionType, with only specific fields.
This query would allow me to contextualize a machine, optimizing the visibility of relevant elements.
I've tried all conditional structures (iif, case, Structural objects...) without success.
I worked with AIs trying to refine my code, without success.
This would result in a set of events filtered on the desired ActionTypes, with only the relevant fields properly displayed.
F0r3nSick | Copper Contributor
One of my tries :
"
let Nom_machine = "ComputerX";
let DetectionTime = datetime(yyyy-MM-dd HH:mm:ss);
let TimeRangeStart = DetectionTime - 5m;
let TimeRangeEnd = DetectionTime + 5m;
union withsource=SourceTable DeviceProcessEvents, DeviceFileEvents
| where DeviceName == Nom_machine
    and Timestamp between (TimeRangeStart .. TimeRangeEnd)
    and ActionType == "ProcessCreated"
| project Timestamp, FileName, FolderPath
| limit 50
"
then consider adding an "or" clause with other ActionTypes, each projected with its own fields.