Query Details

PsExec Named Pipe

Query

Tags:

Query:
  DeviceEvents
    | where ActionType contains "pipe"
    | extend parsed = parse_json(AdditionalFields)
    | where parsed.PipeName contains "psexesvc"
References:

Explanation

This KQL (Kusto Query Language) query searches DeviceEvents telemetry for named-pipe activity associated with PsExec. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at the DeviceEvents table.
  2. Filter by ActionType: It filters the events to only include those where the ActionType field contains the word "pipe".
  3. Parse JSON: It then parses the AdditionalFields column as JSON and creates a new column called parsed.
  4. Filter by PipeName: Finally, it filters the results further to include only those events where the PipeName field within the parsed JSON contains the string "psexesvc".

In summary, this query is looking for device events involving pipes, specifically those where the pipe name includes "psexesvc".
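The four stages above, re-created as an added Python example (not part of the original page or the author's query) that runs the same filtering over constructed DeviceEvents-shaped rows. It emulates two KQL behaviours that matter when tuning this detection: contains is case-insensitive, so the uppercase PSEXESVC pipe and the NamedPipeEvent action type both match, and parse_json on a malformed or missing field yields null, which simply fails the final where instead of raising an error. The function names and sample rows are assumptions; the suffixed pipe name is modelled on PsExec's per-session PSEXESVC-<host>-<pid>-stdin naming.

```python
import json

# Constructed sample rows shaped like DeviceEvents (AdditionalFields is a
# JSON string, as in the real table). Not real telemetry.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "NamedPipeEvent",
     "AdditionalFields": json.dumps({"PipeName": "\\\\.\\pipe\\PSEXESVC",
                                     "FileOperation": "File created"})},
    {"DeviceName": "ws02", "ActionType": "NamedPipeEvent",
     "AdditionalFields": json.dumps({"PipeName": "\\\\.\\pipe\\PSEXESVC-WS02-4321-stdin"})},
    {"DeviceName": "ws03", "ActionType": "NamedPipeEvent",
     "AdditionalFields": json.dumps({"PipeName": "\\\\.\\pipe\\spoolss"})},
    # Matching pipe name, but the ActionType filter prunes it before JSON parsing.
    {"DeviceName": "ws04", "ActionType": "ProcessCreated",
     "AdditionalFields": json.dumps({"PipeName": "\\\\.\\pipe\\PSEXESVC"})},
    # Malformed AdditionalFields: parse_json yields null, row is dropped, no error.
    {"DeviceName": "ws05", "ActionType": "NamedPipeEvent",
     "AdditionalFields": "not json"},
    # Valid JSON without PipeName: parsed.PipeName is null, so contains is false.
    {"DeviceName": "ws06", "ActionType": "NamedPipeEvent",
     "AdditionalFields": json.dumps({"FileOperation": "File created"})},
]


def kql_contains(haystack, needle):
    """Emulate KQL `contains`: case-insensitive substring match; null never matches."""
    if haystack is None:
        return False
    return needle.lower() in str(haystack).lower()


def parse_json_field(value):
    """Emulate KQL `parse_json`: a JSON object on success, None (null) otherwise."""
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return None
    return parsed if isinstance(parsed, dict) else None


def find_psexec_pipe_events(events):
    """Apply the query's four stages in order and return the surviving rows."""
    hits = []
    for event in events:                                        # 1. DeviceEvents
        if not kql_contains(event.get("ActionType"), "pipe"):   # 2. where ActionType contains "pipe"
            continue
        parsed = parse_json_field(event.get("AdditionalFields"))  # 3. extend parsed = parse_json(...)
        if parsed is None:
            continue
        pipe_name = parsed.get("PipeName")
        if kql_contains(pipe_name, "psexesvc"):                 # 4. where parsed.PipeName contains "psexesvc"
            hits.append({"DeviceName": event["DeviceName"], "PipeName": pipe_name})
    return hits


if __name__ == "__main__":
    for hit in find_psexec_pipe_events(SAMPLE_EVENTS):
        print(f'{hit["DeviceName"]}: {hit["PipeName"]}')
```

Only ws01 and ws02 survive: the ProcessCreated row never reaches the JSON stage, and the malformed and key-less rows fall out at the last where. When triaging real results, the DeviceName and the pipe's host/PID suffix are the fields that tie a hit back to the initiating session.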

Details

Ali Hussein

Released: October 11, 2023

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

contains, extend, parse_json, where