cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Defender for endpoint - Qualification Query

F0r3nSick
Copper Contributor

‎Feb 16 2024 07:38 AM

‎Feb 16 2024 07:38 AM

Defender for endpoint - Qualification Query

Hi, 
I'm a security and forensic consultant for my entity.
I'm looking to create a standard qualification query which contains multiple Source.

In fact,

I simply want to get a result containing all the events based on my targeted ActionType, with only specific fields.

 

This query would allow me to contextualize a machine, optimizing the visibility of relevant elements.

 

I've tried all conditional structures (iif, case, Structural objects...) without success.

I worked with AIs trying to refine my code, without success.

 

this would result in a set of events filtered on the desired actiontypes, with only the relevant fields properly displayed
190 Views
0 Likes
1 Reply
Reply
1 Reply
F0r3nSick

‎Feb 19 2024 05:41 AM

‎Feb 19 2024 05:41 AM

Re: Defender for endpoint - Qualification Query

@F0r3nSick 

One of my tries :

"

let Nom_machine = "ComputerX";
let DetectionTime = datetime(yyyy-MM-dd HH:mm:ss);
let TimeRangeStart = DetectionTime-5m;
let TimeRangeEnd = DetectionTime+5m;
union withsource=SourceTable DeviceProcessEvents, DeviceFileEvents
| where DeviceName == Nom_machine
    and Timestamp between (TimeRangeStart .. TimeRangeEnd)
        and ActionType == "ProcessCreated"
        | project Timestamp,FileName, FolderPath
| limit 50"
 
then consider adding "or" clause with other Actiontype , projected with its own fields
0 Likes
Reply