Last active: August 29, 2021 05:39
Defender for Endpoint application control events
// Defender for Endpoint query: application control (WDAC) audit events from the last day
DeviceEvents
| where Timestamp > ago(1d)
    and ActionType startswith "AppControlExecutableAudited"
// Exclude the built-in service and Desktop Window Manager accounts so only interactive user activity remains
| where AccountName !has "system"
    and AccountName !has "local service"
    and AccountName !has "network service"
    and AccountName !has "dwm-1"
| where FolderPath startswith "%OSDRIVE%"
//| order by Timestamp desc

// DeviceProcessEvents with additional executable details (version info and hash) for
// processes launched from user-writable locations in the last day
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FolderPath startswith "C:\\Users"
    or FolderPath startswith "C:\\ProgramData"
// Same service-account exclusions as the query above
| where AccountName !has "system"
    and AccountName !has "local service"
    and AccountName !has "network service"
    and AccountName !has "dwm-1"
| project Timestamp, DeviceName, AccountUpn, FileName, FolderPath, SHA256, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessVersionInfoProductVersion, ProcessVersionInfoInternalFileName, ProcessVersionInfoOriginalFileName, ProcessVersionInfoFileDescription
| limit 1000