Query Details

Tar file executions

Query

DeviceProcessEvents
| where ProcessCommandLine has_all ('tar', ' -xvf', ' -C')
| where InitiatingProcessParentFileName != @"Cisco WebEx Start"

Explanation

This query searches DeviceProcessEvents for process launches whose command line contains all of the terms 'tar', ' -xvf' and ' -C', i.e. a tar archive being extracted verbosely into an explicitly chosen target directory. It then excludes events where InitiatingProcessParentFileName (the parent of the process that launched tar) is 'Cisco WebEx Start', so routine extractions performed under that application do not surface. Note that has_all performs case-insensitive, term-based matching, so variants such as tar -xzf or tar xvf without a dash would not match and may need their own terms, while the != comparison on the file name is case-sensitive.
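As an added example that is not part of the original query page, the Python below approximates the query's logic over a handful of constructed DeviceProcessEvents rows. The has_all approximation (case-insensitive, whole-term matching after splitting on non-alphanumerics) and the sample rows are assumptions made for illustration; the real KQL operator runs inside the Microsoft Defender XDR query engine.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    """Subset of DeviceProcessEvents columns used by the query."""
    DeviceName: str
    ProcessCommandLine: str
    InitiatingProcessParentFileName: str


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("srv-01", "tar -xvf backup.tar -C /tmp/extract", "bash"),
    ProcessEvent("ws-07", "tar -xvf update.tar -C /opt/app", "Cisco WebEx Start"),
    ProcessEvent("srv-02", "tar -czvf logs.tar.gz /var/log", "bash"),
    ProcessEvent("ws-03", "TAR -XVF payload.tar -C C:\\Users\\Public", "powershell.exe"),
    ProcessEvent("srv-04", "tar -xf archive.tar -C /tmp", "sh"),
]

QUERY_TERMS = ["tar", " -xvf", " -C"]
EXCLUDED_PARENT = "Cisco WebEx Start"


def _tokens(text: str) -> List[str]:
    """Split text into lowercase alphanumeric terms, mimicking term indexing."""
    return re.findall(r"[a-z0-9]+", text.lower())


def _contains_sequence(tokens: List[str], sub: List[str]) -> bool:
    """True if the term sequence `sub` appears contiguously in `tokens`."""
    if not sub:
        raise ValueError("search term produced no indexable terms")
    n = len(sub)
    return any(tokens[i:i + n] == sub for i in range(len(tokens) - n + 1))


def has_all(text: str, terms: List[str]) -> bool:
    """Approximation of KQL has_all: every term must match as whole terms,
    case-insensitively. ' -xvf' therefore reduces to the term 'xvf'."""
    toks = _tokens(text)
    return all(_contains_sequence(toks, _tokens(t)) for t in terms)


def run_query(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Apply both where clauses of the query to an in-memory event list."""
    return [
        e for e in events
        if has_all(e.ProcessCommandLine, QUERY_TERMS)
        # KQL != on strings is case-sensitive, so compare exactly.
        and e.InitiatingProcessParentFileName != EXCLUDED_PARENT
    ]


if __name__ == "__main__":
    for hit in run_query(SAMPLE_EVENTS):
        print(f"{hit.DeviceName}: {hit.ProcessCommandLine}")
```

Running it flags only the bash and powershell.exe launches; the WebEx-parented extraction is suppressed by the exclusion, and the -czvf and -xf variants fall through because 'xvf' is not present as a term, which is the gap a tuning pass would want to close.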

Details


Ali Hussein

Released: March 20, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, ProcessCommandLine, InitiatingProcessParentFileName, Cisco WebEx Start

Operators

has_all, !=
