Query Details

Tempexecutions

Query

union DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessCommandLine has "/tmp/"

Explanation

This query retrieves DeviceProcessEvents records from the past 7 days and keeps only those whose InitiatingProcessCommandLine contains "/tmp/". Because that column holds the command line of the initiating (parent) process, the results are processes spawned by something that was itself launched from /tmp/, not processes whose own command line (ProcessCommandLine) references /tmp/.
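The same filter applied offline to a handful of constructed DeviceProcessEvents-style records, as an added example that is not part of the original page or the query author's work. Field names follow the Microsoft Defender for Endpoint DeviceProcessEvents schema; the sample events, the fixed reference time and the helper names (parse_events, has_term, temp_executions) are constructed here. KQL `has` is a case-insensitive term match; the stand-in below approximates it with a case-insensitive substring test.

```python
"""Offline approximation of the 'Tempexecutions' hunt over constructed events.

Applies the two conditions of the KQL query to local records: a 7-day window
on Timestamp and a match on InitiatingProcessCommandLine for "/tmp/".
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 7-day window is deterministic (constructed value).
NOW = datetime(2023, 10, 28, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample events in JSON-lines form, not real telemetry.
# web01: parent launched from /tmp/ inside the window            -> match
# web02: only the child (ProcessCommandLine) references /tmp/    -> no match
# web03: parent launched from /tmp/ but 18 days old               -> no match
# db01 : nothing to do with /tmp/                                 -> no match
# web04: parent launched from /TMP/ (different case)              -> match
SAMPLE_EVENTS = """
{"Timestamp": "2023-10-27T08:15:00Z", "DeviceName": "web01", "InitiatingProcessFileName": "bash", "InitiatingProcessCommandLine": "bash /tmp/update.sh", "ProcessCommandLine": "cat /etc/hostname"}
{"Timestamp": "2023-10-27T09:00:00Z", "DeviceName": "web02", "InitiatingProcessFileName": "python3", "InitiatingProcessCommandLine": "python3 /opt/app/run.py", "ProcessCommandLine": "sh /tmp/x.sh"}
{"Timestamp": "2023-10-10T10:00:00Z", "DeviceName": "web03", "InitiatingProcessFileName": "sh", "InitiatingProcessCommandLine": "sh -c /tmp/old.sh", "ProcessCommandLine": "id"}
{"Timestamp": "2023-10-26T14:30:00Z", "DeviceName": "db01", "InitiatingProcessFileName": "systemd", "InitiatingProcessCommandLine": "/sbin/init", "ProcessCommandLine": "/usr/bin/postgres"}
{"Timestamp": "2023-10-28T11:59:00Z", "DeviceName": "web04", "InitiatingProcessFileName": "sh", "InitiatingProcessCommandLine": "sh /TMP/run.sh", "ProcessCommandLine": "uname -a"}
"""


def parse_events(jsonl: str) -> list[dict]:
    """Parse JSON-lines records and convert Timestamp to an aware datetime."""
    events = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        # Accept the trailing 'Z' on every supported Python version.
        rec["Timestamp"] = datetime.fromisoformat(
            rec["Timestamp"].replace("Z", "+00:00")
        )
        events.append(rec)
    return events


def has_term(text: str, term: str) -> bool:
    """Case-insensitive stand-in for KQL `has` (which is term-based)."""
    return term.lower() in text.lower()


def temp_executions(events: list[dict], now: datetime = NOW,
                    window: timedelta = timedelta(days=7),
                    term: str = "/tmp/") -> list[dict]:
    """Equivalent of:  | where Timestamp >= ago(7d)
                       | where InitiatingProcessCommandLine has "/tmp/"
    """
    cutoff = now - window
    return [
        e for e in events
        if e["Timestamp"] >= cutoff
        and has_term(e.get("InitiatingProcessCommandLine", ""), term)
    ]


if __name__ == "__main__":
    for e in temp_executions(parse_events(SAMPLE_EVENTS)):
        print(e["Timestamp"].isoformat(), e["DeviceName"],
              e["InitiatingProcessCommandLine"])
```

Running it lists web01 and web04 only: web02 is excluded because /tmp/ appears in the child's ProcessCommandLine rather than the parent's, and web03 falls outside the 7-day window.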

Details

Ali Hussein

Released: October 28, 2023

Tables

DeviceProcessEvents

Keywords

Union,DeviceProcessEvents,Timestamp,Ago,InitiatingProcessCommandLine,/tmp/

Operators

union, where, ago, has