Query Details

Sharp Hound Output

Query

// Match the default file names SharpHound (the BloodHound collector) writes:
// a timestamped *_BloodHound.zip archive and one JSON file per collected object type.
DeviceFileEvents
| where FileName endswith "_BloodHound.zip"
     or FileName endswith "_computers.json"
     or FileName endswith "_containers.json"
     or FileName endswith "_domains.json"
     or FileName endswith "_gpos.json"
     or FileName endswith "_groups.json"
     or FileName endswith "_ous.json"
     or FileName endswith "_users.json"

Explanation

This query searches the DeviceFileEvents table for file activity whose FileName ends with one of the default names SharpHound uses for its output: the timestamped "_BloodHound.zip" archive and the per-object-type JSON files ("_computers.json", "_containers.json", "_domains.json", and so on). KQL's endswith is case-insensitive, so the match does not depend on the casing of the file name.
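
As an added example, not part of the original query page, the same suffix matching reimplemented in Python over a handful of constructed DeviceFileEvents-style records, plus a small triage helper that counts how many distinct SharpHound output types landed on each device (a full collection run drops several files on one host within seconds, so that count is a useful confidence signal). The sample rows, device names and helper function names are hypothetical.

```python
from collections import defaultdict

# Suffixes taken from the KQL query above: SharpHound's default output names,
# a timestamped ZIP plus one JSON file per collected object type.
SHARPHOUND_SUFFIXES = (
    "_BloodHound.zip", "_computers.json", "_containers.json", "_domains.json",
    "_gpos.json", "_groups.json", "_ous.json", "_users.json",
)

# Constructed sample DeviceFileEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2022-09-27T10:01:05Z", "DeviceName": "ws01", "FileName": "20220927100104_computers.json"},
    {"Timestamp": "2022-09-27T10:01:06Z", "DeviceName": "ws01", "FileName": "20220927100104_users.json"},
    {"Timestamp": "2022-09-27T10:01:06Z", "DeviceName": "ws01", "FileName": "20220927100104_groups.json"},
    {"Timestamp": "2022-09-27T10:01:09Z", "DeviceName": "ws01", "FileName": "20220927100104_BloodHound.zip"},
    {"Timestamp": "2022-09-27T11:30:00Z", "DeviceName": "ws02", "FileName": "export_users.JSON"},
    {"Timestamp": "2022-09-27T11:31:00Z", "DeviceName": "ws03", "FileName": "quarterly_report.xlsx"},
]


def matches_sharphound_output(file_name: str) -> bool:
    """Equivalent of the KQL 'endswith' chain; KQL endswith is case-insensitive."""
    lower = file_name.lower()
    return any(lower.endswith(s.lower()) for s in SHARPHOUND_SUFFIXES)


def filter_events(events):
    """The query itself: keep every row whose FileName hits one of the suffixes."""
    return [e for e in events if matches_sharphound_output(e["FileName"])]


def output_types_per_device(events):
    """Triage helper: number of distinct SharpHound output types seen per device.
    One stray *_users.json is a weaker signal than a ZIP plus several JSON files
    on the same host."""
    seen = defaultdict(set)
    for e in filter_events(events):
        lower = e["FileName"].lower()
        for s in SHARPHOUND_SUFFIXES:
            if lower.endswith(s.lower()):
                seen[e["DeviceName"]].add(s)
    return {device: len(types) for device, types in seen.items()}


if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS):
        print(e["DeviceName"], e["FileName"])
    print(output_types_per_device(SAMPLE_EVENTS))
```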

Details

C.J. May

Released: September 27, 2022

Tables

DeviceFileEvents

Keywords

Device,File,Events,FileName,BloodHound,zip,computers,json,containers,domains,gpos,groups,ous,users

Operators

where, endswith, or
