Forum Discussion
akshay250692 (Brass Contributor), Jul 17, 2023
Unable to find logs
Hi guys, I'm writing the KQL below but the result shows "nothing". Kindly help me.
let ExeList = dynamic(["powershell.exe","cmd.exe","wmic.exe","psexec.exe","cacls.exe","rundll32.exe"]); Event ...
Clive_Watson (Bronze Contributor), Jul 17, 2023
When you use "in", the two columns need to match exactly, not a partial match; this will work:
| where NewProcessName has_any (ExeList)
You could also use parse() to just take the exe name from the end of the NewProcessName string.
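Worked version of the reply's two suggestions, added here as an example and not code from the thread. It assumes the 4688 process-creation events live in the Microsoft Sentinel / Log Analytics SecurityEvent table (the poster's query is cut off after "Event", so the table is an assumption), and that the ExeList values are the poster's. `in` fails because NewProcessName holds the full path (for example C:\Windows\System32\cmd.exe), which is never equal to "cmd.exe"; `has_any` does a term match anywhere in the path, and extracting the file name with extract() then comparing it with `in~` gives an exact, case-insensitive match instead (so "PowerShell.exe" and "powershell.exe" both hit, while "cmd.exe.bak" does not).

```kusto
// Added example, not from the original thread. Assumes SecurityEvent (EventID 4688);
// the 1-day window and the projected columns are assumptions as well.
let ExeList = dynamic(["powershell.exe","cmd.exe","wmic.exe","psexec.exe","cacls.exe","rundll32.exe"]);
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4688
// NewProcessName is a full path, so `NewProcessName in (ExeList)` is always false.
// Keep everything after the last backslash to get the bare file name.
| extend ExeName = extract(@"([^\\]+)$", 1, NewProcessName)
// in~ is case-insensitive; plain `in` would miss "PowerShell.exe".
| where ExeName in~ (ExeList)
| project TimeGenerated, Computer, Account, ExeName, NewProcessName, CommandLine, ParentProcessName
| order by TimeGenerated desc
```

Swapping the two middle lines for `| where NewProcessName has_any (ExeList)` gives the reply's first form; it is shorter, but because `has` matches on term boundaries it would also match a path such as C:\Tools\cmd.exe.bak, so the extracted-name comparison is the safer choice for a detection rule.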