Forum Discussion

F0r3nSick
Copper Contributor
Feb 16, 2024

Defender for endpoint - Qualification Query

Hi, 
I'm a security and forensic consultant for my entity.
I'm looking to create a standard qualification query which contains multiple Sources.

In fact,

I simply want to get a result containing all the events based on my targeted ActionType, with only specific fields.
This query would allow me to contextualize a machine, optimizing the visibility of relevant elements.
I've tried all conditional structures (iif, case, Structural objects...) without success.

I worked with AIs trying to refine my code, without success.

This would result in a set of events filtered on the desired ActionTypes, with only the relevant fields properly displayed.
    F0r3nSick

    One of my tries:

    // Placeholders: the machine name and the detection time are filled in per case
    let Nom_machine = "ComputerX";
    let DetectionTime = datetime(yyyy-MM-dd HH:mm:ss);
    let TimeRangeStart = DetectionTime - 5m;
    let TimeRangeEnd = DetectionTime + 5m;
    // withsource adds a SourceTable column naming the table each row came from
    union withsource=SourceTable DeviceProcessEvents, DeviceFileEvents
    | where DeviceName == Nom_machine
        and Timestamp between (TimeRangeStart .. TimeRangeEnd)
        and ActionType == "ProcessCreated"
    | project Timestamp, FileName, FolderPath
    | limit 50
     
    Then consider adding an "or" clause with another ActionType, projected with its own fields.

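One way to get a per-ActionType field set without iif/case, written as an added example rather than the poster's query: filter and project each source separately, then union the projected branches. Kusto's union aligns columns by name and leaves a column empty where a branch does not produce it, so each branch can keep only its own fields; the DetectionTime value and the bag_pack column name "Details" are assumptions for illustration.

```kql
// Added example (not from the original post). Placeholders: Nom_machine and
// DetectionTime are constructed values to be replaced per investigation.
let Nom_machine = "ComputerX";
let DetectionTime = datetime(2024-02-16 12:00:00);
let TimeRangeStart = DetectionTime - 5m;
let TimeRangeEnd = DetectionTime + 5m;
// Branch 1: process creations, with process-specific context.
let ProcessBranch = DeviceProcessEvents
    | where DeviceName == Nom_machine
        and Timestamp between (TimeRangeStart .. TimeRangeEnd)
        and ActionType == "ProcessCreated"
    | project Timestamp, SourceTable = "DeviceProcessEvents", ActionType,
              FileName, FolderPath,
              Details = bag_pack("CommandLine", ProcessCommandLine,
                                 "Parent", InitiatingProcessFileName,
                                 "SHA256", SHA256);
// Branch 2: file activity, with file-specific context (different fields).
let FileBranch = DeviceFileEvents
    | where DeviceName == Nom_machine
        and Timestamp between (TimeRangeStart .. TimeRangeEnd)
        and ActionType in ("FileCreated", "FileDeleted", "FileRenamed")
    | project Timestamp, SourceTable = "DeviceFileEvents", ActionType,
              FileName, FolderPath,
              Details = bag_pack("SHA256", SHA256,
                                 "Actor", InitiatingProcessFileName);
// Branch 3: outbound connections, which have no FileName/FolderPath of their
// own; union fills those columns with empty values for these rows.
let NetworkBranch = DeviceNetworkEvents
    | where DeviceName == Nom_machine
        and Timestamp between (TimeRangeStart .. TimeRangeEnd)
        and ActionType == "ConnectionSuccess"
    | project Timestamp, SourceTable = "DeviceNetworkEvents", ActionType,
              FileName = InitiatingProcessFileName,
              Details = bag_pack("RemoteIP", RemoteIP,
                                 "RemotePort", RemotePort,
                                 "RemoteUrl", RemoteUrl);
// Combine the branches into one timeline around the detection.
union ProcessBranch, FileBranch, NetworkBranch
| sort by Timestamp asc
| take 50
```

Adding another ActionType is then a matter of adding one more `let` branch with its own `where` and `project`, and listing it in the final `union`.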