deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 11:53:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Updating query example 2 for 6283

Browse Source
This commit is contained in:
valemieux
2022-02-22 13:22:12 -08:00
parent 424fdec1e8
commit 8776ce74a2
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
View File

@ -82,15 +82,15 @@ DeviceEvents
| where Timestamp > ago(7d) | where Timestamp > ago(7d)
|project DeviceId, // the device ID where the audit block happened |project DeviceId, // the device ID where the audit block happened
FileName, // The audit blocked app's filename FileName, // The audit blocked app's filename
FolderPath, // The audit blocked app's device path FolderPath, // The audit blocked app's system path without the FileName
InitiatingProcessFileName, // The file name of the parent process loading the executable InitiatingProcessFileName, // The file name of the parent process loading the executable
InitiatingProcessVersionInfoCompanyName, // The company name of the parent process loading the executable InitiatingProcessVersionInfoCompanyName, // The company name of the parent process loading the executable
InitiatingProcessVersionInfoOriginalFileName, // The original file name of the parent process loading the executable InitiatingProcessVersionInfoOriginalFileName, // The original file name of the parent process loading the executable
InitiatingProcessVersionInfoProductName, // The product name of the parent process loading the executable InitiatingProcessVersionInfoProductName, // The product name of the parent process loading the executable
InitiatingProcessSHA256, // The SHA256 of the parent process loading the executable InitiatingProcessSHA256, // The SHA256 flat hash of the parent process loading the executable
Timestamp, // The timestamp Timestamp, // The event creation timestamp
ReportId, // The report ID ReportId, // The report ID - randomly generated by MDE AH
InitiatingProcessVersionInfoProductVersion, // The product version of the parent process loading the executable InitiatingProcessVersionInfoProductVersion, // The product version of the parent process loading the executable
InitiatingProcessVersionInfoFileDescription, // The file description of the parent process loading the executable InitiatingProcessVersionInfoFileDescription, // The file description of the parent process loading the executable
AdditionalFields AdditionalFields // Additional fields contains FQBN for signed binaries. These contain the CN of the leaf certificate, product name, original filename and version of the audited binary
``` ```