Baseline Comparison. Author: miflower. The purpose of this query is to compare "known good" machines against suspected bad machines. The original concept for this query was born from reapplying the same 'whitelist' filters over and over. It quickly brings the deltas between a baseline and another machine to the analyst's view. The query supports multiple suspected bad machines and multiple "known good" machines. It also supports providing a timeframe for how far back in time to b
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 4d17ae75-87e8-4272-9aec-16448b1430bc |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| AlertEvidence | | ✓ | ✗ | ? |
| AlertInfo | | ✓ | ✗ | ? |
| DeviceEvents | | ✓ | ✗ | ? |
| DeviceFileEvents | | ✓ | ✗ | ? |
| DeviceImageLoadEvents | | ✓ | ✗ | ? |
| DeviceInfo | | ✓ | ✗ | ? |
| DeviceLogonEvents | | ✓ | ✗ | ? |
| DeviceNetworkEvents | | ✓ | ✗ | ? |
| DeviceNetworkInfo | | ✓ | ✗ | ? |
| DeviceProcessEvents | ActionType == "PowerShellCommand" | ✓ | ✗ | ? |
| DeviceRegistryEvents | | ✓ | ✗ | ? |
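The pattern the description above outlines, a set of "known good" devices used as a baseline, a set of suspected devices, and a lookback window, reduced to a single table as an added illustrative example. This is not the query published in the repository; it uses only DeviceProcessEvents, and the device names, the 7-day window and the column choices are assumptions for illustration. `Timestamp` is the Microsoft 365 Defender column name; the Sentinel copy of the table also exposes `TimeGenerated`.

```kql
// Added example, not the repository's Baseline Comparison query.
// Assumes the MicrosoftThreatProtection connector populates DeviceProcessEvents.
// Device names are placeholders (assumption).
let lookback = 7d;
let knownGood = dynamic(["WS-GOOD-01", "WS-GOOD-02"]);
let suspected = dynamic(["WS-SUSPECT-01", "WS-SUSPECT-02"]);
// Baseline: every (image name, hash) pair observed on any known-good device
// inside the window. Lower-casing the file name avoids case-only mismatches.
let baseline = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where DeviceName in~ (knownGood)
    | summarize by FileName = tolower(FileName), SHA256;
// Deltas: pairs seen on a suspected device that never appear in the baseline.
// leftanti keeps only rows from the left side with no match on the right.
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where DeviceName in~ (suspected)
| extend FileName = tolower(FileName)
| join kind=leftanti baseline on FileName, SHA256
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Count = count(),
    CommandLines = make_set(ProcessCommandLine, 5)
    by DeviceName, FileName, SHA256, FolderPath
// Rare, recently first-seen binaries float to the top of the analyst's view.
| order by Count asc, FirstSeen asc
```

Two caveats worth keeping in mind when applying this pattern: the baseline is only as good as its lookback window, so a window shorter than the normal update or patch cycle will surface legitimate new binaries as deltas; and joining on the hash alone will treat a known-good binary launched with unusual arguments as baseline, so a second pass that keys on `ProcessCommandLine` (or on another table such as DeviceNetworkEvents or DeviceRegistryEvents, as the tables listed above suggest) is usually needed to close that gap.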