KQL Search

Query Details

Cert Req

Query

Tags:

Query:
      DeviceProcessEvents
          | where (FileName contains "CertReq.exe" or ProcessVersionInfoInternalFileName contains "CertReq.exe") and ProcessCommandLine contains "Post"
References:

Explanation

This KQL (Kusto Query Language) query is searching through DeviceProcessEvents for events where:

The FileName or ProcessVersionInfoInternalFileName contains "CertReq.exe".
The ProcessCommandLine contains the word "Post".

In simple terms, it looks for any process events involving the "CertReq.exe" file that also have "Post" in their command line.

Details

Ali Hussein

Released: September 24, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsFileNameProcessVersionInfoInternalFileNameProcessCommandLine

Operators

wherecontainsorand

KQL Search

Cert Req

Query

Explanation

Details

Actions