Query Details

Detection Template

Query

# *Detection Title*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1134.002 | Access Token Manipulation: Create Process with Token | [Access Token Manipulation: Create Process with Token](https://attack.mitre.org/techniques/T1134/002/) |

#### Description
Description of the detection rule.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

#### Risk
Explain what risk this detection tries to cover.

#### References
- https://kqlquery.com/
- https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules
- example link 3

## Defender For Endpoint

```kql
// Paste your query here
DeviceProcessEvents
| where FileName == "Example.File"
```

## Sentinel

```kql
// Paste your query here
DeviceProcessEvents
| where FileName == "Example.File"
```

Explanation

The query searches for process events involving a specific file named "Example.File", using the same KQL in both Defender for Endpoint (advanced hunting) and Sentinel. It reads from the DeviceProcessEvents table and filters rows on the FileName column.

Details

Bert-Jan Pals

Released: October 4, 2023

Tables

DeviceProcessEvents

Keywords

Devices, Query

Operators

where, ==