Microsoft Defender for Endpoint Commonly Used Queries and Examples

Published 10-19-2020 03:48 AM 5,078 Views
Microsoft

 

Hello IT Pros,

I have collected the Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) advanced hunting queries below from mdemo (the Microsoft demo tenant) and from GitHub for convenient reference. You or your InfoSec team will probably need to run a few of them in your daily security monitoring.

To save a query for re-use:

  • In Securitycenter.windows.com, go to Advanced hunting and create a new query.
  • Copy and paste the query content.
  • Save it for future re-use.

 

Each entry below gives the query purpose, the query content, and a note where one applies.

Search network events by remote IP address

DeviceNetworkEvents
| where RemoteIP == "52.176.49.76"

List scheduled tasks created by a non-system account (schtasks.exe /create)

DeviceProcessEvents
// !~ is a case-insensitive comparison; AccountName is not always lower-case
| where FolderPath endswith "\\schtasks.exe" and ProcessCommandLine has "/create" and AccountName !~ "system"

Note: malware commonly persists through scheduled tasks, but this query cannot tell a malicious task from an administrator's; triage each hit on its command line and parent process.

List devices on which a file with a given name was seen (here a double-extension phishing lure)

DeviceFileEvents
// =~ is a case-insensitive comparison
| where FileName =~ 'Invoice.pdf.exe'
| project Timestamp, DeviceName, ActionType, FolderPath, SHA1, InitiatingProcessFileName

List devices on which a file with a phishing double extension (.pdf.exe, .docx.exe, .doc.exe, .mp3.exe) was executed

DeviceProcessEvents
| where Timestamp > ago(7d)
// endswith is case-insensitive; the original mixed endswith and contains
| where FileName endswith ".pdf.exe"
    or FileName endswith ".doc.exe"
    or FileName endswith ".docx.exe"
    or FileName endswith ".mp3.exe"
| project Timestamp, DeviceName, FileName, FolderPath, AccountSid, AccountName, AccountDomain
| top 100 by Timestamp desc
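The query above needs one endswith clause per decoy extension. The following is an added example, not part of the original post: it matches any decoy/executable extension pair with a single regular expression and restricts hits to the folders where mailed or downloaded lures typically land. The extension lists, the folder names and the 7-day lookback are assumptions to adjust for your environment.

```kusto
// Added example (not from the original post): generalised double-extension hunt.
// The decoy and executable extension lists and the folder names are assumptions.
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
// (?i) makes the match case-insensitive; the first group is the "document" the
// lure pretends to be, the second is what actually runs
| where FileName matches regex @"(?i)\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|mp3|mp4|zip)\.(exe|scr|com|pif|bat|cmd|js|jse|vbs|hta|ps1)$"
// has_any is term-based, so a bare folder name matches anywhere in the path
| where FolderPath has_any ("Downloads", "Temp", "INetCache", "Desktop", "Outlook")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
| take 100
```

The initiating process columns are included because a lure launched by explorer.exe from a Downloads folder, or by outlook.exe from the attachment cache, is a much stronger signal than the same file name started by a deployment tool.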

 

 

List URLs blocked (or audited) by Windows Defender Exploit Guard network protection

DeviceEvents
| where ActionType =~ "ExploitGuardNetworkProtectionBlocked"
// IsAudit in AdditionalFields shows whether the rule was running in audit mode
| summarize Hits = count() by InitiatingProcessFileName, RemoteUrl, Audit_Only = tostring(parse_json(AdditionalFields).IsAudit)
| sort by Hits desc

List all files created during the last hour

DeviceFileEvents
| where Timestamp > ago(1h)
// DeviceFileEvents also records modifications, renames and deletions; keep only creations
| where ActionType == "FileCreated"
| project Timestamp, DeviceName, FileName, FolderPath, SHA1
| limit 1000

List devices on which a file with a specific hash was seen

DeviceFileEvents
| where SHA1 == "4aa9deb33c936c0087fb05e312ca1f09369acd27"
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Events = count() by DeviceName
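A hash seen in DeviceFileEvents only proves that the file was written to disk. The following query is an added example, not part of the original post: it pivots the same SHA1 across the tables that also record hashes, so you can see whether the file was executed (DeviceProcessEvents) or loaded into a process as a DLL (DeviceImageLoadEvents), and on which devices. The hash is the one used above; the 30-day lookback is an assumption.

```kusto
// Added example (not from the original post): pivot one SHA1 across the tables
// that record hashes. DeviceFileEvents shows the file being written,
// DeviceProcessEvents shows it executing, DeviceImageLoadEvents shows it loaded
// as a DLL. The lookback is an assumption.
let ioc_sha1 = "4aa9deb33c936c0087fb05e312ca1f09369acd27";
let lookback = 30d;
union withsource=SourceTable
    (DeviceFileEvents      | where Timestamp > ago(lookback) and SHA1 == ioc_sha1),
    (DeviceProcessEvents   | where Timestamp > ago(lookback) and SHA1 == ioc_sha1),
    (DeviceImageLoadEvents | where Timestamp > ago(lookback) and SHA1 == ioc_sha1)
| summarize
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp),
    Events    = count(),
    Actions   = make_set(ActionType, 10),
    Paths     = make_set(FolderPath, 5),
    // InitiatingProcessAccountName exists in all three tables; AccountName does not
    Users     = make_set(InitiatingProcessAccountName, 5)
    by DeviceName, SourceTable
| sort by FirstSeen asc
```

A device that appears only under DeviceFileEvents received the file but never ran it; one that also appears under DeviceProcessEvents or DeviceImageLoadEvents needs containment first.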

 

 

List remote IP addresses blocked by a Windows Firewall rule, ranked by the number of devices affected

DeviceEvents
| where ActionType in ("FirewallOutboundConnectionBlocked", "FirewallInboundConnectionBlocked", "FirewallInboundConnectionToAppBlocked")
| summarize MachineCount = dcount(DeviceId), Ports = make_set(RemotePort, 10) by RemoteIP
| top 100 by MachineCount desc

Look for public IP addresses from which a device saw many failed logons across multiple accounts, followed by a successful one

DeviceLogonEvents
| where isnotempty(RemoteIP)
    and AccountName !endswith "$"        // skip machine accounts
    and RemoteIPType == "Public"
| extend Account = strcat(AccountDomain, "\\", AccountName)
| summarize
    Successful = countif(ActionType == "LogonSuccess"),
    Failed = countif(ActionType == "LogonFailed"),
    FailedAccountsCount = dcountif(Account, ActionType == "LogonFailed"),
    SuccessfulAccountsCount = dcountif(Account, ActionType == "LogonSuccess"),
    FailedAccounts = make_set_if(Account, ActionType == "LogonFailed", 5),
    SuccessfulAccounts = make_set_if(Account, ActionType == "LogonSuccess", 5)
    by DeviceName, RemoteIP, RemoteIPType
| where Failed > 10 and Successful > 0 and FailedAccountsCount > 2 and SuccessfulAccountsCount == 1

Note: from the Windows Defender ATP demo queries. The counts do not check that the success came after the failures, so confirm the order on the device timeline before treating a hit as a compromise.
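The aggregation above counts failures and successes per public source IP but does not verify that the successful logon came after the failures. The following is an added example, not from the original post or the demo tenant: it keeps the same grouping, requires the first success to follow the first failure, and reports which account got in and how long the attempt took. The thresholds and the 7-day lookback are assumptions.

```kusto
// Added example (not from the original post): password spray / brute force
// from a public IP where a success follows the failures. Thresholds and
// lookback are assumptions.
let lookback     = 7d;
let min_failures = 10;
let min_accounts = 3;
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where isnotempty(RemoteIP) and RemoteIPType == "Public"
| where AccountName !endswith "$"          // ignore machine accounts
| extend Account = strcat(AccountDomain, @"\", AccountName)
| summarize
    Failed             = countif(ActionType == "LogonFailed"),
    FailedAccounts     = dcountif(Account, ActionType == "LogonFailed"),
    FirstFailure       = minif(Timestamp, ActionType == "LogonFailed"),
    LastFailure        = maxif(Timestamp, ActionType == "LogonFailed"),
    FirstSuccess       = minif(Timestamp, ActionType == "LogonSuccess"),
    SuccessfulAccounts = make_set_if(Account, ActionType == "LogonSuccess", 5),
    LogonTypes         = make_set(LogonType, 5)
    by DeviceName, RemoteIP
| where Failed >= min_failures
    and FailedAccounts >= min_accounts
    and isnotnull(FirstSuccess)
    and FirstSuccess > FirstFailure          // a success before the spray is not a hit
| extend MinutesToSuccess = datetime_diff("minute", FirstSuccess, FirstFailure)
| project DeviceName, RemoteIP, Failed, FailedAccounts, FirstFailure, LastFailure,
          FirstSuccess, MinutesToSuccess, SuccessfulAccounts, LogonTypes
| sort by Failed desc
```

LogonTypes is kept because a spray that ends in a Network logon (type used by SMB/RDP-NLA) and one that ends in a RemoteInteractive logon call for different containment steps.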

Look for remote devices failing to log on to many machines or with many accounts

// Note - RemoteDeviceName is not available in all remote logon attempts
DeviceLogonEvents
| where isnotempty(RemoteDeviceName)
| extend Account = strcat(AccountDomain, "\\", AccountName)
| summarize
    Successful = countif(ActionType == "LogonSuccess"),
    Failed = countif(ActionType == "LogonFailed"),
    FailedAccountsCount = dcountif(Account, ActionType == "LogonFailed"),
    SuccessfulAccountsCount = dcountif(Account, ActionType == "LogonSuccess"),
    FailedComputerCount = dcountif(DeviceName, ActionType == "LogonFailed"),
    SuccessfulComputerCount = dcountif(DeviceName, ActionType == "LogonSuccess")
    by RemoteDeviceName
| where Successful > 0 and
    ((FailedComputerCount > 100 and FailedComputerCount > SuccessfulComputerCount) or
     (FailedAccountsCount > 100 and FailedAccountsCount > SuccessfulAccountsCount))

Note: from the Windows Defender ATP demo queries.

List all devices whose name starts with the prefix FC-

DeviceInfo
| where DeviceName startswith "FC-"
// DeviceInfo holds one row per report; keep only the latest row per device
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceName, OSPlatform, OSBuild, PublicIP, Timestamp

List Windows Defender antivirus scans that completed or were cancelled

DeviceEvents
| where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled")
| extend A = parse_json(AdditionalFields)
| project Timestamp, DeviceName, ActionType, ScanType = tostring(A.ScanTypeIndex), StartedBy = tostring(A.User)
| sort by Timestamp desc

List devices that connected to a known-bad URL

DeviceNetworkEvents
| where RemoteUrl =~ "www.advertising.com"
| project Timestamp, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine

List all URLs accessed by devices whose name contains FC-DC (excluding the URL from the previous query)

DeviceNetworkEvents
| where RemoteUrl !~ "www.advertising.com" and DeviceName contains "fc-dc"
| project Timestamp, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine

GitHub Advanced Hunting Cheat Sheet:

Each entry gives the query purpose and author, the query content, and notes.

Find endpoints communicating to a specific domain.
Author: @maarten_goet

// RemoteUrl normally holds the FQDN without a scheme, so search for the bare domain
let Domain = "domainxxx.com";
DeviceNetworkEvents
| where Timestamp > ago(7d) and RemoteUrl contains Domain
| project Timestamp, DeviceName, RemotePort, RemoteUrl
| top 100 by Timestamp desc

Note: let declares a variable. Here the variable "Domain" holds the domain to search for, so the query can be re-used by changing one line.

Find PowerShell execution events that could involve a download.
Author: @MicrosoftMTP

union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
// DeviceNetworkEvents has no FileName or ProcessCommandLine column: the PowerShell process
// appears there as the initiating process, so both sets of columns are tested
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
    or InitiatingProcessFileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("WebClient", "DownloadFile", "DownloadData", "DownloadString", "WebRequest", "Shellcode", "http", "https")
    or InitiatingProcessCommandLine has_any ("WebClient", "DownloadFile", "DownloadData", "DownloadString", "WebRequest", "Shellcode", "http", "https")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
| top 100 by Timestamp

Note: union combines rows from several tables; here it puts the process-creation events next to the network connections those processes made.

Find scheduled tasks created by a non-system account
Author: @maarten_goet

DeviceProcessEvents
| where Timestamp > ago(7d)
// !~ is a case-insensitive comparison; AccountName is not always lower-case
| where FolderPath endswith "\\schtasks.exe" and ProcessCommandLine has "/create" and AccountName !~ "system"

Find possible clear text passwords in the Windows registry.
Author: @MicrosoftMTP

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "DefaultPassword"
| where RegistryKey has @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
| project Timestamp, DeviceName, RegistryKey
| top 100 by Timestamp

Note: Winlogon automatic logon stores the account password in clear text in the DefaultPassword value. RegistryValueData would contain the password itself, so it is deliberately not projected.

Look up processes executed from a binary hidden in a Base64-encoded file.
Author: @MicrosoftMTP

DeviceProcessEvents
| where Timestamp > ago(14d)
| where ProcessCommandLine contains ".decode('base64')"
    or ProcessCommandLine contains "base64 --decode"
    or ProcessCommandLine contains ".decode64("
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine
| top 100 by Timestamp

Search for applications that create or update a 7-Zip or WinRAR archive with a password specified.
Author: @PowershellPoet

DeviceProcessEvents
// a/u/f/k are the archive commands (add, update, freshen, lock); -p<password> follows later on the line
| where ProcessCommandLine matches regex @"\s[aukfAUKF]\s.*\s-p"
| extend SplitLaunchString = split(ProcessCommandLine, ' ')
// the command letter must be the second token
| where array_length(SplitLaunchString) >= 5 and tostring(SplitLaunchString[1]) in~ ('a', 'u', 'k', 'f')
| mv-expand SplitLaunchString
| extend Arg = tostring(SplitLaunchString)
| where Arg startswith "-p"
| extend ArchivePassword = substring(Arg, 2)
| project-reorder ProcessCommandLine, ArchivePassword

Note: -p is the password switch and is immediately followed by the password without a space, so everything after the first two characters of that argument is the password.

More query tips provided directly by Microsoft Defender for Endpoint: Device Timeline \ Hunt for related events

Query for events that happened 30 minutes before and after an attack, labelling each result as "Selected event" (the attack event itself), "Earlier event" or "Later event":

let selectedEventTimestamp = datetime(2020-11-10T19:03:11);
search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents, ResponseEvents)
    Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m))
    and DeviceId == "f2606c4a7d6c275040937820dc0fcc9ba694549e"
| sort by Timestamp desc
| extend Relevance = iff(Timestamp == selectedEventTimestamp, "Selected event", iff(Timestamp < selectedEventTimestamp, "Earlier event", "Later event"))
| project-reorder Relevance
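The timeline query above needs the hexadecimal DeviceId, which analysts rarely have to hand. The following is an added example, not part of the original post or generated by the portal: it resolves the DeviceId from a device name first, then runs the same +/-30 minute window as a union over the device tables with an explicit DeviceId filter instead of the search operator, which scans every column. The device name and the pivot timestamp are placeholders; the window size is an assumption.

```kusto
// Added example (not from the original post): related-event window keyed on a
// device name rather than a DeviceId. Name, timestamp and window are placeholders.
let device_name = "fc-ws01";                       // assumed name; =~ makes the match case-insensitive
let pivot_time  = datetime(2020-11-10T19:03:11);    // the event you are investigating
let window      = 30m;
// DeviceInfo has one row per report; take the newest row for the name
let device_id = toscalar(
    DeviceInfo
    | where DeviceName =~ device_name
    | summarize arg_max(Timestamp, DeviceId)
    | project DeviceId);
union withsource=SourceTable
    DeviceProcessEvents, DeviceFileEvents, DeviceRegistryEvents,
    DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceEvents
| where DeviceId == device_id
| where Timestamp between ((pivot_time - window) .. (pivot_time + window))
| extend Relevance = case(
    Timestamp == pivot_time, "Selected event",
    Timestamp <  pivot_time, "Earlier event",
    "Later event")
// union fills columns a table lacks with empty values, so these all exist
| project-reorder Relevance, Timestamp, SourceTable, ActionType, FileName, ProcessCommandLine, RemoteUrl
| sort by Timestamp asc
```

Sorting ascending reads as a timeline: everything before the pivot row is what led to the event, everything after is its consequence.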

 


For all Microsoft 365 security queries:
The query contents are available from the GitHub repository linked in the references below.
 

Reference: 

https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/agofunction 

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-... 

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/MTPAHCheatSheetv01-l... 

 

 

Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. 
The sample scripts are provided AS IS without warranty of any kind.
Microsoft further disclaims all implied warranties including, without limitation,
any implied warranties of merchantability or of fitness for a particular purpose.
The entire risk arising out of the use or performance of the sample scripts and documentation
remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation,
production, or delivery of the scripts be liable for any damages whatsoever (including,
without limitation, damages for loss of business profits, business interruption,
loss of business information, or other pecuniary loss) arising out of the use of or inability
to use the sample scripts or documentation, even if Microsoft has been advised of the possibility
of such damages.

 

1 Comment
Microsoft

This is super useful and will bookmark! Thanks and excellent article. 

26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Edevices%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Ethat%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Efailed%20to%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Blogon%26nbsp%3Bmultiple%26nbsp%3Btimes%2C%20using%20multiple%20accounts%2C%20and%20eventually%20succeeded.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EDeviceLogonEvents%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%7C%20where%26nbsp%3Bisnotempty(RemoteIP)%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20and%26nbsp%3BAccountName%26nbsp%3B!endswith%26nbsp%3B%22%24%22%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20and%26nbsp%3BRemoteIPType%26nbsp%3B%3D%3D%20%22Public%22%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%7C%20extend%20Account%3Dstrcat(AccountDomain%2C%20%22%5C%5C%22%2C%26nbsp%3BAccountName)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%
22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%7C%20summarize%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Successful%3Dcountif(ActionType%26nbsp%3B%3D%3D%20%22LogonSuccess%22)%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Failed%20%3D%26nbsp%3Bcountif(ActionType%26nbsp%3B%3D%3D%20%22LogonFailed%22)%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BFailedAccountsCount%26nbsp%3B%3D%26nbsp%3Bdcountif(Account%2C%26nbsp%3BActionType%26nbsp%3B%3D%3D%20%22LogonFailed%22)%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BSuccessfulAccountsCount%26nbsp%3B%3D%26nbsp%3Bdcountif(Account%2C%26nbsp%3BActionType%26nbsp%3B%3D%3D%20%22LogonSuccess%22)%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BFailedAccounts%26nbsp%3B%3D%26nbsp%3Bmakeset(iff(ActionType%26nbsp%3B%3D%3D%20%22LogonFailed%22%2C%20Account%2C%20%22%22)%2C%205)%2C%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26qu
ot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3BSuccessfulAccounts%26nbsp%3B%3D%26nbsp%3Bmakeset(iff(ActionType%26nbsp%3B%3D%3D%20%22LogonSuccess%22%2C%20Account%2C%20%22%22)%2C%205)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20by%26nbsp%3BDeviceName%2C%26nbsp%3BRemoteIP%2C%26nbsp%3BRemoteIPType%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%7C%20where%20Failed%20%26gt%3B%2010%20and%20Successful%20%26gt%3B%200%20and%26nbsp%3BFailedAccountsCount%26nbsp%3B%26gt%3B%202%20and%26nbsp%3BSuccessfulAccountsCount%26nbsp%3B%3D%3D%201%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EFrom%20WD%20ATP%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDemo%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2
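The public-IP logon query above packs its thresholds into one summarize/where pair. As an added example (not from the original post or the MDE demo), here is an offline Python re-implementation of the same filter, aggregation and threshold logic, run over constructed DeviceLogonEvents rows so you can see exactly which combination of counts makes a device/IP pair surface. Column names follow the query; the device names, accounts and IPs are made up.

```python
"""Offline mirror of the MDE 'failed logons from a public IP, then success' query.
Added example: the rows below are constructed, not real telemetry."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    # Field names match the DeviceLogonEvents columns used by the KQL query
    DeviceName: str
    ActionType: str        # "LogonSuccess" or "LogonFailed"
    AccountDomain: str
    AccountName: str
    RemoteIP: str
    RemoteIPType: str      # "Public" or "Private"


def summarize_public_logons(events):
    """Equivalent of the query's where / extend / summarize stages."""
    groups = defaultdict(lambda: {"Successful": 0, "Failed": 0,
                                  "FailedAccounts": set(), "SuccessfulAccounts": set()})
    for e in events:
        # | where isnotempty(RemoteIP) and AccountName !endswith "$" and RemoteIPType == "Public"
        if not e.RemoteIP or e.AccountName.endswith("$") or e.RemoteIPType != "Public":
            continue
        account = f"{e.AccountDomain}\\{e.AccountName}"   # | extend Account=strcat(...)
        g = groups[(e.DeviceName, e.RemoteIP, e.RemoteIPType)]  # by DeviceName, RemoteIP, RemoteIPType
        if e.ActionType == "LogonSuccess":
            g["Successful"] += 1
            g["SuccessfulAccounts"].add(account)
        elif e.ActionType == "LogonFailed":
            g["Failed"] += 1
            g["FailedAccounts"].add(account)
    rows = []
    for (device, ip, iptype), g in groups.items():
        rows.append({
            "DeviceName": device, "RemoteIP": ip, "RemoteIPType": iptype,
            "Successful": g["Successful"], "Failed": g["Failed"],
            "FailedAccountsCount": len(g["FailedAccounts"]),
            "SuccessfulAccountsCount": len(g["SuccessfulAccounts"]),
            # makeset(..., 5) caps the sample at five distinct values; the "" placeholder
            # that the KQL iff() would add is simply omitted here
            "FailedAccounts": sorted(g["FailedAccounts"])[:5],
            "SuccessfulAccounts": sorted(g["SuccessfulAccounts"])[:5],
        })
    return rows


def suspicious_rows(events):
    """| where Failed > 10 and Successful > 0 and FailedAccountsCount > 2 and SuccessfulAccountsCount == 1"""
    return [r for r in summarize_public_logons(events)
            if r["Failed"] > 10 and r["Successful"] > 0
            and r["FailedAccountsCount"] > 2 and r["SuccessfulAccountsCount"] == 1]


def sample_events():
    """Constructed sample: SRV01 is sprayed from one public IP, the rest is noise."""
    evts = []
    sprayed = ["alice", "bob", "carol", "dave"]
    for i in range(12):  # 12 failures spread over 4 accounts from 203.0.113.5
        evts.append(LogonEvent("SRV01", "LogonFailed", "CORP", sprayed[i % 4], "203.0.113.5", "Public"))
    evts.append(LogonEvent("SRV01", "LogonSuccess", "CORP", "dave", "203.0.113.5", "Public"))
    # Noise the filters must drop: a machine account, a private source, and too few failures
    evts.append(LogonEvent("SRV01", "LogonFailed", "CORP", "WS07$", "203.0.113.5", "Public"))
    for _ in range(20):
        evts.append(LogonEvent("SRV02", "LogonFailed", "CORP", "erin", "10.0.0.8", "Private"))
    for _ in range(3):
        evts.append(LogonEvent("SRV03", "LogonFailed", "CORP", "frank", "198.51.100.9", "Public"))
    evts.append(LogonEvent("SRV03", "LogonSuccess", "CORP", "frank", "198.51.100.9", "Public"))
    return evts


if __name__ == "__main__":
    for row in suspicious_rows(sample_events()):
        print(row)
```

Only SRV01 from 203.0.113.5 is returned: SRV03 has a success but too few failures, and SRV02's private-source failures never enter the aggregation.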
Look for machines failing to log on to multiple machines or using multiple accounts 

// Note - RemoteDeviceName is not available in all remote logon attempts 
DeviceLogonEvents 
| where isnotempty(RemoteDeviceName) 
| extend Account=strcat(AccountDomain, "\\", AccountName) 
| summarize 
    Successful=countif(ActionType == "LogonSuccess"), 
    Failed = countif(ActionType == "LogonFailed"), 
    FailedAccountsCount = dcountif(Account, ActionType == "LogonFailed"), 
    SuccessfulAccountsCount = dcountif(Account, ActionType == "LogonSuccess"), 
    FailedComputerCount = dcountif(DeviceName, ActionType == "LogonFailed"), 
    SuccessfulComputerCount = dcountif(DeviceName, ActionType == "LogonSuccess") 
    by RemoteDeviceName 
| where 
    Successful > 0 and 
    ((FailedComputerCount > 100 and FailedComputerCount > SuccessfulComputerCount) or 
        (FailedAccountsCount > 100 and FailedAccountsCount > SuccessfulAccountsCount)) 

From WD ATP Demo 

List all devices whose name starts with the prefix FC- 

DeviceInfo 
| where DeviceName startswith "FC-" 

 

List Windows Defender Scan Actions completed or cancelled 

DeviceEvents 
| where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled") 
| extend A=parse_json(AdditionalFields) 
| project Timestamp, DeviceName, ActionType, ScanType = A.ScanTypeIndex, StartedBy = A.User 
| sort by Timestamp desc 

 

List Devices that accessed a bad URL 

DeviceNetworkEvents 
| where RemoteUrl == "www.advertising.com" 
| project Timestamp, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine 

 

List all URL accesses by devices whose name contains the word FC-DC 

DeviceNetworkEvents 
| where RemoteUrl != "www.advertising.com" and DeviceName contains "fc-dc" 
| project Timestamp, DeviceName, ActionType, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine 

 

Github Advanced Hunting Cheat Sheet: 

Query Purpose 

Query Content 

Notes 

Find endpoints communicating to a specific domain. 
Author: @maarten_goet 

let Domain = "http://domainxxx.com"; 
DeviceNetworkEvents 
| where Timestamp > ago(7d) and RemoteUrl contains Domain 
| project Timestamp, DeviceName, RemotePort, RemoteUrl 
| top 100 by Timestamp desc 

"let" is the command to introduce variables. 
Variable name: "Domain" with value: "http://domainxxx.com" 

Finds PowerShell execution events that could involve a download. 
Author: @MicrosoftMTP 

union DeviceProcessEvents, DeviceNetworkEvents 
| where Timestamp > ago(7d) 
| where FileName in~ ("powershell.exe", "powershell_ise.exe") 
| where ProcessCommandLine has_any("WebClient", "DownloadFile", "DownloadData", "DownloadString", "WebRequest", "Shellcode", "http", "https") 
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType 
| top 100 by Timestamp 

"union" is the command to combine multiple Device Query Tables 

Find scheduled tasks created by a non-system account 
Author: @maarten_goet 

DeviceProcessEvents 
| where FolderPath endswith "\\schtasks.exe" and ProcessCommandLine has "/create" and AccountName != "system" 
| where Timestamp > ago(7d) 

 

Find possible clear text passwords in Windows registry. 
Author: @MicrosoftMTP 

DeviceRegistryEvents 
| where ActionType == "RegistryValueSet" 
| where RegistryValueName == "DefaultPassword" 
| where RegistryKey has @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 
| project Timestamp, DeviceName, RegistryKey 
| top 100 by Timestamp 

 

Lookup process executed from binary hidden in
0Base64%20encoded%20file.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAuthor%3A%20%40MicrosoftMTP%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDeviceProcessEvents%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7C%20where%20Timestamp%20%26gt%3B%20ago(14d)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7C%20where%20ProcessCommandLine%20contains%20%22.decode('base64')%22%20or%20ProcessCommandLine%20contains%20%22base64%20--decode%22%20or%20ProcessCommandLine%20contains%20%22.decode64(%22%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7C%20project%20Timestamp%20%2C%20DeviceName%20%2C%20FileName%20%2C%20FolderPath%20%2C%20ProcessCommandLine%20%2C%20InitiatingProcessCommandLine%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7C%20top%20100%20by%20Timestamp%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220
%22%3E%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESearch%20for%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bapplications%20wh%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eo%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bcreate%20or%20update%20an%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E7Zip%20or%20WinR%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAR%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Earchive%20when%20a%20password%20is%20specified.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAuthor%3A%20%40PowershellPoet%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDeviceProcessEvents%20%7C%20where%20ProcessCommandLine%20matches%20regex%20%40%22%5Cs%5BaukfAUKF%5D%5Cs.*%5Cs-p%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7C%20extend%20SplitLaunchString%20%3D%20split(ProcessCommandLine%2C%20'%20')%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%7C%20where%20array_length(SplitLaunchString)%20%26gt%3B%3D%205%20and%20SplitLaunchString%5B1%5D%20in~%20('a'%2C'u'%2
C'k'%2C'f')%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7C%20mv-expand%20SplitLaunchString%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7C%20where%20SplitLaunchString%20startswith%20%22-p%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%7C%20extend%20ArchivePassword%20%3D%20substring(SplitLaunchString%2C%202%2C%20strlen(SplitLaunchString))%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%7C%20project-reorder%20ProcessCommandLine%2C%20ArchivePassword%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%
20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E-p%20is%20the%20password%20switch%20and%20is%20immediately%20followed%20by%20a%20password%20without%20a%20space%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%2265536%22%3E%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%2265536%22%3E%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%2265536%22%3E%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%3CFONT%20color%3D%22%23000080%22%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%
26nbsp%3B%3CSTRONG%3EMore%20query%20tips%20directly%20provided%20by%20MD%20for%20Endpoint%20-%20Device%20Timeline%20%5C%20Hunt%20for%20related%20Event%3C%2FSTRONG%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22TanTran_0-1606303773771.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F235973i0C88B5FEB13A3279%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22TanTran_0-1606303773771.png%22%20alt%3D%22TanTran_0-1606303773771.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%3E%0A%3CDIV%20id%3D%22tinyMceEditorTanTran_1%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CTABLE%20style%3D%22width%3A%20920px%3B%22%20width%3D%22920%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22216%22%3E%3CP%3EQuery%20for%20Event%20happened%2030%20minutes%20before%20and%20after%20an%20attack%2C%20showing%20result%20as%20%22selected%20event%22%20(the%20attack%20event%20itself)%2C%26nbsp%3B%20%22earlier%20event%22%20and%20%22later%20event%22%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22486%22%3E%3CP%3Elet%20selectedEventTimestamp%20%3D%20datetime(2020-11-10T19%3A03%3A11)%3B%3C%2FP%3E%0A%3CP%3Esearch%20in%20(DeviceFileEvents%2C%20DeviceProcessEvents%2C%20DeviceEvents%2C%20DeviceRegistryEvents%2C%20DeviceNetworkEvents%2C%20DeviceImageLoadEvents%2C%20DeviceLogonEvents%2C%20ResponseEvents)%3C%2FP%3E%0A%3CP%3ETimestamp%20between%20((selectedEventTimestamp%20-%2030m)%20..%20(selectedEventTimestamp%20%2B%2030m))%3C%2FP%3E%0A%3CP%3Eand%20DeviceId%20%3D%3D%20%E2%80%9Cf2606c4a7d6c275040937820dc0fcc9ba694549e%22%3C%2FP%3E%0A%3CP%3E%7C%20sort%20by%20Timestamp%20desc%3C%2FP%3E%0A%3CP%3E%7C%20extend%20Relevance%20%3D%20iff(Timestamp%20%3D%3D%20selectedEventTimestamp%2C%20%22Selected%20e
vent%22%2C%20iff(Timestamp%20%26lt%3B%20selectedEventTimestamp%2C%20%22Earlier%20event%22%2C%20%22Later%20event%22))%3C%2FP%3E%0A%3CP%3E%7C%20project-reorder%20Relevance%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CDIV%20id%3D%22tinyMceEditorTanTran_2%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Q2.png%22%20style%3D%22width%3A%20993px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F235978i4BB1E44929E4B4AD%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Q2.png%22%20alt%3D%22Q2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FDIV%3E%0A%3CDIV%3E%3CFONT%20color%3D%22%230000FF%22%3E%3CSTRONG%3EFor%20all%20M365%20Security%20Queries%3A%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FDIV%3E%0A%3CDIV%3EYou%20could%20get%20the%20queries'%20contents%20from%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FMicrosoft-365-Defender-Hunting-Queries%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EGithub%20link%20here.%3C%2FA%3E%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3C%2FDIV%3E%0A%3CP%20aria-level%3D%222%22%3E%3CSTRONG%3EReference%3A%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Fagofunction%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdata-explorer%2Fkusto%2Fquery%2Fa%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eg%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eofunction%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP
%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fadvanced-hunting-query-language%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fadvanced-hunting-query-language%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FMicrosoft-365-Defender-Hunting-Queries%2Fblob%2Fmaster%2FMTPAHCheatSheetv01-light.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehttps%3A%2F%2Fgithub.com%2Fmicrosoft%2FMicrosoft-365-Defender-Hunting-Queries%2Fblob%2Fmaster%2FMTPAHCheatSheetv01-light.pdf%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3EDisclaimer%0AThe%20sample%20scripts%20are%20not%20supported%20under%20any%20Microsoft%20standard%20support%20program%20or%20service.%20%3CBR%20%2F%3EThe%20sample%20scripts%20are%20provided%20AS%20IS%20without%20warranty%20of%20any%20kind.%20%3CBR%20%2F%3EMicrosoft%20further%20disclaims%20all%20implied%20warranties%20including%2C%20without%20limitation%2C%20%3CBR%20%2F%3Eany%20implied%20warranties%20of%20merchantability%20or%20of%20fitness%20for%20a%20particular%20purpose.%20%3CBR%20%2F%3EThe%20entire%20risk%20arising%20out%20of%20the%20use%20or%20performance%20of%20the%20sample%20scripts%20and%20documentation%20%3CBR%20%2F%3Eremains%20with%20you.%20In%20no%20event%20shall%20Microsoft%2C%20its%20authors%2C%20or
%20anyone%20else%20involved%20in%20the%20creation%2C%3CBR%20%2F%3Eproduction%2C%20or%20delivery%20of%20the%20scripts%20be%20liable%20for%20any%20damages%20whatsoever%20(including%2C%20%3CBR%20%2F%3Ewithout%20limitation%2C%20damages%20for%20loss%20of%20business%20profits%2C%20business%20interruption%2C%20%3CBR%20%2F%3Eloss%20of%20business%20information%2C%20or%20other%20pecuniary%20loss)%20arising%20out%20of%20the%20use%20of%20or%20inability%20%3CBR%20%2F%3Eto%20use%20the%20sample%20scripts%20or%20documentation%2C%20even%20if%20Microsoft%20has%20been%20advised%20of%20the%20possibility%20%3CBR%20%2F%3Eof%20such%20damages.%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1795046%22%20slang%3D%22en-US%22%3E%3CP%3ESometimes%20you%20forgot%20a%20few%20content%20lines%20in%20the%20needed%20%22Advanced%20Hunting%20Query%22%20of%20Microsoft%20Endpoint%20Protection%20(Microsoft%20Defender%20ATP)%2C%20the%20following%20cheat%20sheet%20of%20commonly%20used%20MD%20ATP%20Queries%20may%20be%20able%20to%20help%20regain%20the%20memory%20of%20content%2C%20the%20cheat%20sheet%20also%20come%20with%20examples.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1795046%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ETanTran%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Last update: Apr 07 2021 05:05 PM