Query Details
Identify Endpoints Running Wsl
Query
# Identify endpoints that run WSL ## Description The following query will identify endpoints running Windows Subsystem for Linux (WSL). ### Microsoft Sentinel & Defender XDR ``` DeviceProcessEvents | where ActionType has "ProcessCreated" | where ProcessVersionInfoOriginalFileName has "wsl.exe" | where ProcessVersionInfoFileDescription has "Windows Subsystem for Linux" | summarize by DeviceName ``` ### Versioning | Version | Date | Comments | | ------------- |---------------| ---------------------------------------| | 1.0 | 15/06/2024 | Initial publish |
Explanation
This query identifies endpoints that are running Windows Subsystem for Linux (WSL) by looking for processes with the file name "wsl.exe" and description "Windows Subsystem for Linux".
Details
Michalis Michalos
Released: June 15, 2024
Tables
DeviceProcessEvents
Keywords
DeviceProcessEvents,ActionType,ProcessCreated,ProcessVersionInfoOriginalFileName,ProcessVersionInfoFileDescription,DeviceName
Operators
wherehassummarize