Query Details

Gpresult

Query

Tags:
Query:
DeviceProcessEvents
| where FileName has_any ("gpresult.exe", "gprslt.exe")
| where ProcessCommandLine has_any ("/z", "/v", "/r", "/x")
    and InitiatingProcessCommandLine !contains "Connect-ExchangeServer"
//(process.name: "gpresult.exe" or process.pe.original_file_name == "gprslt.exe") and process.args: ("/z", "/v", "/r", "/x")
References:

Explanation

This query searches DeviceProcessEvents for processes whose FileName matches either "gpresult.exe" or "gprslt.exe". It then keeps only events whose ProcessCommandLine includes one of the switches "/z", "/v", "/r" or "/x", and excludes events whose InitiatingProcessCommandLine contains the string "Connect-ExchangeServer". The commented-out line beneath the query expresses the same file-name and argument conditions in another query syntax and is not executed.
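As an added example that is not part of the original page or the author's query, the following Python re-implements the query's three clauses and runs them over a handful of constructed DeviceProcessEvents rows, so the effect of each clause, including the Connect-ExchangeServer exclusion, can be checked offline. The ReportId column and the sample rows are assumptions made for the example; KQL's term-based has_any is approximated by a whole-token comparison for the switches and a whole-file-name comparison for FileName, and contains is treated as the case-insensitive substring test it is in KQL.

```python
# Added example: offline re-implementation of the gpresult hunting query.
# Not the page author's code; the sample rows below are constructed, not real telemetry.

# Values copied from the query on this page.
FILE_NAMES = {"gpresult.exe", "gprslt.exe"}
SWITCHES = {"/z", "/v", "/r", "/x"}
EXCLUDED_PARENT_FRAGMENT = "Connect-ExchangeServer"


def _has_switch(command_line: str) -> bool:
    """Approximates `ProcessCommandLine has_any(...)`: the switch must appear as a
    whole token, compared case-insensitively (KQL string operators ignore case)."""
    tokens = command_line.lower().split()
    return any(tok in SWITCHES for tok in tokens)


def matches(event: dict) -> bool:
    """Evaluate the query's conditions against one DeviceProcessEvents row."""
    # FileName has_any("gpresult.exe","gprslt.exe"), approximated here as a
    # case-insensitive comparison of the whole file name (assumption).
    if event.get("FileName", "").lower() not in FILE_NAMES:
        return False
    # ProcessCommandLine has_any("/z", "/v", "/r", "/x")
    if not _has_switch(event.get("ProcessCommandLine", "")):
        return False
    # InitiatingProcessCommandLine !contains "Connect-ExchangeServer"
    # (contains is a case-insensitive substring test in KQL)
    parent = event.get("InitiatingProcessCommandLine", "")
    if EXCLUDED_PARENT_FRAGMENT.lower() in parent.lower():
        return False
    return True


def run_query(events):
    """Return the ReportIds of the rows the query would surface, in input order."""
    return [e["ReportId"] for e in events if matches(e)]


# Constructed sample rows mirroring the DeviceProcessEvents columns the query uses.
SAMPLE_EVENTS = [
    # 1: plain gpresult /r from a shell: surfaced
    {"ReportId": 1, "FileName": "gpresult.exe",
     "ProcessCommandLine": "gpresult.exe /r",
     "InitiatingProcessCommandLine": "cmd.exe"},
    # 2: upper-case name and switch: still surfaced, operators are case-insensitive
    {"ReportId": 2, "FileName": "GPRESULT.EXE",
     "ProcessCommandLine": "GPRESULT /Z /SCOPE COMPUTER",
     "InitiatingProcessCommandLine": "powershell.exe -nop"},
    # 3: launched by a Connect-ExchangeServer command line: suppressed by the exclusion
    {"ReportId": 3, "FileName": "gpresult.exe",
     "ProcessCommandLine": "gpresult.exe /v",
     "InitiatingProcessCommandLine": "powershell.exe -command Connect-ExchangeServer -auto"},
    # 4: none of the enumerated switches: not surfaced
    {"ReportId": 4, "FileName": "gpresult.exe",
     "ProcessCommandLine": "gpresult.exe /?",
     "InitiatingProcessCommandLine": "cmd.exe"},
    # 5: different binary entirely: not surfaced
    {"ReportId": 5, "FileName": "whoami.exe",
     "ProcessCommandLine": "whoami.exe /all",
     "InitiatingProcessCommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    print("Rows surfaced by the query:", run_query(SAMPLE_EVENTS))  # [1, 2]
```

Row 3 is the one to study when tuning: the exclusion is a substring test on the parent command line, so any initiating process whose command line happens to include "Connect-ExchangeServer" is dropped regardless of what gpresult was asked to do.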

Details


Ali Hussein

Released: September 19, 2023

Tables

DeviceProcessEvents

Keywords

Device,Process,Events,FileName,ProcessCommandLine,InitiatingProcessCommandLine,Connect-ExchangeServer

Operators

|, where, has_any, contains, !contains, ==, :, and
