Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
One of the challenges in making an AppLocker policy is knowing where applications launch from. This query normalizes process launch paths through aliasing, then counts the number of processes launched from that path, how many distinct machines it was launched on, and how many distinct file names \ hashes these processes had. The path is broken into subfolders to help simplify analysis.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | GitHub Only |
| ID | 7ae72c80-c114-43cd-bd99-46dab7c13338 |
| Required Connectors | MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
DeviceProcessEvents |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊