KQL Search

Query Details

Suspicious NS Lookup

Query

Tags:

Query:
         DeviceProcessEvents
            | where FileName contains "nslookup" and ProcessCommandLine has_any ("-querytype", "qt", "q", "-type=*")
Refernces:

Explanation

The query is searching for DeviceProcessEvents where the FileName contains "nslookup" and the ProcessCommandLine contains any of the specified values ("-querytype", "qt", "q", "-type=*").

Details

Ali Hussein

Released: September 24, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents,FileName,ProcessCommandLine,nslookup,-querytype,qt,q,-type=*

Operators

|wherecontainsandhas_any

KQL Search

Suspicious NS Lookup

Query

Explanation

Details

Actions