Query Details

Renamed Rclone

Query

DeviceNetworkEvents
| where InitiatingProcessFileName !~ "rclone.exe"
    and (InitiatingProcessVersionInfoCompanyName =~ "https://rclone.org"
        or InitiatingProcessVersionInfoInternalFileName =~ "rclone"
        or InitiatingProcessVersionInfoFileDescription =~ "Rsync for cloud storage"
        or InitiatingProcessVersionInfoProductName =~ "Rclone")

Explanation

This query reads the DeviceNetworkEvents table and looks for network connections made by an rclone binary that has been renamed. It first drops every event whose InitiatingProcessFileName is rclone.exe (`!~` is a case-insensitive not-equal, so RCLONE.EXE is dropped as well). It then keeps events where the initiating process's embedded version information still identifies rclone: InitiatingProcessVersionInfoCompanyName equals "https://rclone.org", or InitiatingProcessVersionInfoInternalFileName equals "rclone", or InitiatingProcessVersionInfoFileDescription equals "Rsync for cloud storage", or InitiatingProcessVersionInfoProductName equals "Rclone". Note that `=~` is case-insensitive equality, not a substring match. These four fields come from the PE version resource inside the executable, which renaming the file on disk does not change, so the query catches the common evasion of dropping rclone as svchost.exe, update.exe or similar before using it to push data to cloud storage. It will not catch a build whose version resource has been stripped or edited, or one compiled from source without it, so pair it with command-line and destination-based hunting rather than relying on it alone. When a hit needs triage on the host, `(Get-Item <path>).VersionInfo` in PowerShell shows the same fields for the file in question.
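The where-clause above, re-implemented in Python and run over constructed DeviceNetworkEvents rows, as an added example (this is not the page's or the author's code). It shows that `=~` and `!~` compare whole strings case-insensitively, that a renamed binary is caught by any single surviving version-info field, and that a binary with its version resource stripped is the query's blind spot. The column subset, device names and URLs are assumptions made for the example.

```python
# Added example (not the page's or the query author's code): a Python
# re-implementation of the "Renamed Rclone" query, run over constructed
# DeviceNetworkEvents rows so the matching semantics can be checked offline.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class DeviceNetworkEvent:
    """Subset of the DeviceNetworkEvents columns the query touches (assumed
    shape). Version-info columns are empty when the PE has no resource."""
    DeviceName: str
    InitiatingProcessFileName: str
    RemoteUrl: str = ""
    InitiatingProcessVersionInfoCompanyName: str = ""
    InitiatingProcessVersionInfoInternalFileName: str = ""
    InitiatingProcessVersionInfoFileDescription: str = ""
    InitiatingProcessVersionInfoProductName: str = ""


def kql_eq(value: str, literal: str) -> bool:
    """KQL =~ : case-insensitive *equality* (not substring). Empty never matches."""
    return (value or "").casefold() == literal.casefold()


# (column, literal) pairs taken from the query's OR-clause.
RCLONE_VERSION_MARKERS = (
    ("InitiatingProcessVersionInfoCompanyName", "https://rclone.org"),
    ("InitiatingProcessVersionInfoInternalFileName", "rclone"),
    ("InitiatingProcessVersionInfoFileDescription", "Rsync for cloud storage"),
    ("InitiatingProcessVersionInfoProductName", "Rclone"),
)


def is_renamed_rclone(ev: DeviceNetworkEvent) -> bool:
    """Same predicate as the KQL where-clause."""
    # `!~ "rclone.exe"`: drop the genuine file name in any letter case.
    if kql_eq(ev.InitiatingProcessFileName, "rclone.exe"):
        return False
    # Any one surviving version-info marker is enough.
    return any(kql_eq(getattr(ev, column), literal)
               for column, literal in RCLONE_VERSION_MARKERS)


def hunt(events: Iterable[DeviceNetworkEvent]) -> List[DeviceNetworkEvent]:
    """Return the rows the query would emit, in input order."""
    return [ev for ev in events if is_renamed_rclone(ev)]


# Constructed sample rows (not real telemetry; hosts and URLs are made up).
SAMPLE_EVENTS = [
    # 1. Stock rclone, not renamed: excluded by the file-name filter.
    DeviceNetworkEvent("ws01", "rclone.exe", "https://storage.example.net",
                       "https://rclone.org", "rclone", "Rsync for cloud storage", "Rclone"),
    # 2. Renamed to blend in, version resource untouched: hit.
    DeviceNetworkEvent("ws02", "svchost.exe", "https://storage.example.net",
                       "https://rclone.org", "rclone", "Rsync for cloud storage", "rclone"),
    # 3. Upper-case name is still the real name: excluded (!~ is case-insensitive).
    DeviceNetworkEvent("ws03", "RCLONE.EXE", "https://storage.example.net",
                       InitiatingProcessVersionInfoProductName="Rclone"),
    # 4. Renamed and partly edited: one surviving marker, any case, is enough.
    DeviceNetworkEvent("ws04", "update.exe", "https://storage.example.net",
                       InitiatingProcessVersionInfoCompanyName="HTTPS://RCLONE.ORG"),
    # 5. Unrelated process: no match.
    DeviceNetworkEvent("ws05", "chrome.exe", "https://www.example.com",
                       "Google LLC", "chrome_exe", "Google Chrome", "Google Chrome"),
    # 6. Renamed rclone with the version resource stripped: the query's blind spot.
    DeviceNetworkEvent("ws06", "dl.exe", "https://storage.example.net"),
]


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"{ev.DeviceName}: {ev.InitiatingProcessFileName} -> {ev.RemoteUrl}")
```

Running the block prints the two renamed binaries (ws02 and ws04); the stripped binary on ws06 is silent, which is the case to cover with a separate command-line or destination-based hunt.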

Details

C.J. May

Released: September 27, 2022

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,InitiatingProcessFileName,InitiatingProcessVersionInfoCompanyName,InitiatingProcessVersionInfoInternalFileName,InitiatingProcessVersionInfoFileDescription,InitiatingProcessVersionInfoProductName

Operators

|, where, !~, and, =~, or