Query Details

Allexes

Query

// Lists all captured .exe process events. For Sentinel or Defender Advanced Hunting

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName endswith ".exe"
| project Timestamp, DeviceName, FileName, AccountSid, AccountName, AccountDomain
| top 100 by Timestamp

Explanation

This query lists the process events for .exe files recorded in the DeviceProcessEvents table (Microsoft Sentinel or Microsoft Defender Advanced Hunting) over the past 7 days. For each event it returns the timestamp, device name, file name, account SID, account name, and account domain. The results are limited to the 100 most recent entries, since top sorts by Timestamp in descending order by default.
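The query above returns raw events, which on a busy tenant is dominated by the same handful of well-known binaries. The following variant, an added example that is not part of the original query and not Rod Trent's code, keeps the same 7-day window and .exe filter but summarizes per executable so that binaries seen on only a few devices surface first. It assumes the FolderPath and SHA256 columns of the DeviceProcessEvents table in the Defender Advanced Hunting schema; the threshold of two devices is an arbitrary starting point to tune for your environment.

```kql
// Added example: summarize 7 days of .exe process events per executable so
// rarely seen binaries are listed first. FolderPath and SHA256 are assumed
// standard DeviceProcessEvents columns (not used in the original query).
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName endswith ".exe"
| summarize Executions = count(),
            Devices = dcount(DeviceName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
            by FileName, FolderPath, SHA256
// Keep executables observed on at most two devices (tune for your fleet)
| where Devices <= 2
| order by Executions asc, LastSeen desc
| take 100
```

Grouping by SHA256 as well as FileName separates a legitimately named binary from an unrelated file that merely reuses the name; once an interesting row is found, the original query's projection (device, account SID, account name, domain) can be run with an additional filter on that hash to see exactly where and under which account it executed.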

Details


Rod Trent

Released: February 2, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,Sentinel,Defender,AdvancedHunting,Timestamp,DeviceName,FileName,AccountSid,AccountName,AccountDomain

Operators

where, endswith, ago, project, top, by
