Query Details
Msbuild
Query
Tags: Query: DeviceProcessEvents | where ProcessVersionInfoInternalFileName contains "msbuild.exe" | where InitiatingProcessFileName != @"devenv.exe" and InitiatingProcessVersionInfoInternalFileName != "MSBuild.exe" References:
Explanation
The query is searching for DeviceProcessEvents where the ProcessVersionInfoInternalFileName contains "msbuild.exe". It then filters out any results where the InitiatingProcessFileName is not "devenv.exe" and the InitiatingProcessVersionInfoInternalFileName is not "MSBuild.exe".
Details
Ali Hussein
Released: September 14, 2023
Tables
DeviceProcessEvents
Keywords
DeviceProcessEvents,ProcessVersionInfoInternalFileName,msbuild.exe,InitiatingProcessFileName,InitiatingProcessVersionInfoInternalFileName,devenv.exe,MSBuild.exe
Operators
|wherecontains!=and