KQL Search

Query Details

Chainbreaker

Query

Tags:

Query:
DeviceFileEvents
| where FolderPath contains @"/private/var/db/SystemKey"

Explanation

The query is searching for events related to device files. It filters the results to only include events where the folder path contains "/private/var/db/SystemKey".

Details

Ali Hussein

Released: October 26, 2023

Tables

DeviceFileEvents

Keywords

DeviceFileEvents,FolderPath

Operators

| where EventID == 4656 | where EventData contains "File Write" | project TimeGeneratedComputerEventDataFolderPath

KQL Search

Chainbreaker

Query

Explanation

Details

Actions