Query Details

Libraryexecutions

Query

Query:

union DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessCommandLine contains @"/Library/Scripts" 

Explanation

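This query reads the "DeviceProcessEvents" table and keeps events that occurred within the last 7 days. It then keeps only events where the command line of the initiating (parent) process contains the string "/Library/Scripts"; "contains" is a case-insensitive substring match. Because "union" is given a single table here, it does not combine anything, and the query behaves the same as one that starts directly from DeviceProcessEvents.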

Details

Ali Hussein

Released: October 28, 2023

Tables

DeviceProcessEvents

Keywords

Devices, Intune, User, Query

Operators

union, where, ago, contains
