Query Details

File Execution Over5times

Query

//Locating a file that was executed more than 5 times

search in (SecurityEvent) EventID == 4688 and "<yourfile.exe>" 
| summarize ExecutionCount = count() by Computer 
| limit 500000 | where ExecutionCount > 5

Explanation

This query finds computers on which a specific file (yourfile.exe) was executed more than 5 times. It searches the SecurityEvent table for process-creation events (EventID 4688) whose text contains the file name, counts the matching events for each computer, and caps the summarized rows at 500,000. Finally, it filters those rows to only the computers where the execution count is greater than 5.
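The same hunt written against the process-name column instead of a full-text search, with an explicit time window and the threshold applied before the row cap, as an added example that is not the page's or the author's own query. It assumes the standard Sentinel SecurityEvent columns (TimeGenerated, EventID, NewProcessName, Account, Computer) and uses "yourfile.exe" as a placeholder for the executable being hunted.

```kql
// Added example (not the page's own query): same detection as above, but
// scoped to NewProcessName so unrelated events that merely mention the file
// name (e.g. in a command line) are not counted, with a lookback window,
// first/last-seen times and the accounts involved for triage.
// "yourfile.exe" is a placeholder for the executable being hunted.
let targetFile = "yourfile.exe";
let lookback = 7d;
let threshold = 5;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4688                                  // process creation
| where NewProcessName endswith strcat(@"\", targetFile) // match the file name only
| summarize ExecutionCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Accounts = make_set(Account, 10)
    by Computer
| where ExecutionCount > threshold   // filter before capping, so no hits are cut off
| sort by ExecutionCount desc
| limit 500000
```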

Details


Rod Trent

Released: May 25, 2021

Tables

SecurityEvent

Keywords

File,Executed,Times,Search,SecurityEvent,EventID,ExecutionCount,Computer,Limit,Where

Operators

search, in, EventID, ==, and, |, summarize, count(), by, limit, 500000, where, >
