Query Details

Silent PA Registration

Query

DeviceProcessEvents
| where FileName =~ "PAD.MachineRegistration.Silent.exe"
| where ProcessCommandLine contains " -register "
| where InitiatingProcessFileName != "PAD.Console.Host.exe"

Explanation

This query looks for process events in DeviceProcessEvents whose file name is "PAD.MachineRegistration.Silent.exe" (the =~ operator matches case-insensitively). It keeps only the events whose process command line contains the phrase " -register ", and finally excludes events whose initiating process file name is "PAD.Console.Host.exe", so what remains are registration runs that were not launched from the console host.
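The following Python is an added example, not code from the original query page: it re-implements the query's three where-clauses over constructed DeviceProcessEvents-style rows so you can see which rows the query would return. It mirrors KQL semantics, where =~ and contains are case-insensitive while != is case-sensitive; the row contents and command-line arguments are made up.

```python
"""Emulation of the "Silent PA Registration" KQL predicates over constructed rows."""

# Constructed DeviceProcessEvents-style rows (not real telemetry; argument text is made up).
SAMPLE_EVENTS = [
    {"Id": 1, "FileName": "PAD.MachineRegistration.Silent.exe",
     "ProcessCommandLine": "PAD.MachineRegistration.Silent.exe -register <constructed-args>",
     "InitiatingProcessFileName": "PAD.Console.Host.exe"},      # launched by the console host
    {"Id": 2, "FileName": "PAD.MachineRegistration.Silent.exe",
     "ProcessCommandLine": "PAD.MachineRegistration.Silent.exe -register <constructed-args>",
     "InitiatingProcessFileName": "powershell.exe"},             # scripted registration
    {"Id": 3, "FileName": "pad.machineregistration.silent.exe",
     "ProcessCommandLine": "pad.machineregistration.silent.exe -REGISTER <constructed-args>",
     "InitiatingProcessFileName": "cmd.exe"},                    # different casing
    {"Id": 4, "FileName": "PAD.MachineRegistration.Silent.exe",
     "ProcessCommandLine": "PAD.MachineRegistration.Silent.exe -register",
     "InitiatingProcessFileName": "cmd.exe"},                    # no trailing space after -register
    {"Id": 5, "FileName": "PAD.MachineRegistration.Silent.exe",
     "ProcessCommandLine": "PAD.MachineRegistration.Silent.exe -register <constructed-args>",
     "InitiatingProcessFileName": "pad.console.host.exe"},       # console host, lower-cased name
]


def matches_silent_pa_registration(event: dict) -> bool:
    """Return True when a row passes all three where-clauses of the query."""
    # `FileName =~ "..."`: case-insensitive string equality in KQL.
    file_ok = event.get("FileName", "").lower() == "pad.machineregistration.silent.exe"
    # `ProcessCommandLine contains " -register "`: case-insensitive substring match,
    # including the surrounding spaces, so "-register" at the end of the line is missed.
    cmd_ok = " -register " in event.get("ProcessCommandLine", "").lower()
    # `InitiatingProcessFileName != "..."`: case-SENSITIVE inequality in KQL, so a
    # differently cased console host name is not excluded (!~ would be case-insensitive).
    not_console = event.get("InitiatingProcessFileName", "") != "PAD.Console.Host.exe"
    return file_ok and cmd_ok and not_console


def run_query(events: list) -> list:
    """Apply the predicate to every row and return the Ids the query would surface."""
    return [e["Id"] for e in events if matches_silent_pa_registration(e)]


if __name__ == "__main__":
    print("Rows returned:", run_query(SAMPLE_EVENTS))  # [2, 3, 5]
```

Rows 4 and 5 show two edge cases of the query as written: a command line that ends in -register with no trailing space is not caught by contains " -register ", and a differently cased initiating process name slips past the case-sensitive != filter.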

Details

C.J. May

Released: September 27, 2022

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,FileName,PAD.MachineRegistration.Silent.exe,ProcessCommandLine,InitiatingProcessFileName,PAD.Console.Host.exe

Operators

|, =~, contains, !=