Query Details
Malware Eng Shutdown
Query
//Accounts that shutdown the Microsoft antimalware engine search in (SecurityEvent) EventID == 4689 and "MsMpEng.exe" | summarize TerminationCount = count() by Account
Explanation
This query searches for security events with Event ID 4689 that involve the shutdown of the Microsoft antimalware engine (MsMpEng.exe). It then summarizes the number of times this has occurred for each user account.
Details
Rod Trent
Released: May 25, 2021
Tables
SecurityEvent
Keywords
Accounts,Microsoft,Antimalware,Engine,SecurityEvent,EventID,MsMpEng.exe,TerminationCount,Account
Operators
searchinEventID==and"MsMpEng.exe"|summarizeTerminationCount=count()byAccount.