KQL Search

Query Details

Follina

Query

DeviceProcessEvents
| where ProcessCommandLine contains "msdt.exe"
| where InitiatingProcessFileName has_any (@"WINWORD.EXE", @"EXCEL.EXE", @"OUTLOOK.EXE")

Explanation

This query is looking for events related to a specific process called "msdt.exe". It then filters those events to only include cases where the initiating process is either "WINWORD.EXE", "EXCEL.EXE", or "OUTLOOK.EXE".

Details

C.J. May

Released: June 30, 2022

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,ProcessCommandLine,msdt.exe,InitiatingProcessFileName,WINWORD.EXE,EXCEL.EXE,OUTLOOK.EXE

Operators

|wherecontains"msdt.exe"has_any(@"WINWORD.EXE"@"EXCEL.EXE"@"OUTLOOK.EXE")

KQL Search

Follina

Query

Explanation

Details

Actions