Query Details
Wscript Internet Connection
Query
DeviceNetworkEvents | where InitiatingProcessFileName contains "wscript.exe"| where RemoteIPType == @"Public" | where RemoteUrl !endswith @".entrust.net"
Explanation
This query is looking at network events on devices and filtering them based on specific criteria:
- It checks for events where the initiating process (the process that started the network activity) is "wscript.exe".
- It further filters these events to only include those where the remote IP address is of the type "Public".
- Finally, it excludes events where the remote URL ends with ".entrust.net".
In simple terms, the query is identifying network activities initiated by "wscript.exe" that are connecting to public IP addresses, but excluding connections to URLs ending in ".entrust.net".
Details
Ali Hussein
Released: March 20, 2024
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEvents
Operators
contains==!endswith