08-02-2022 02:48 PM
Hello dear community,
Has anyone built an XQL query for this case:
Should this help?
And how do we set these two queries up?
BR
Rob
08-03-2022 07:10 AM
Hi Cyber1985,
If you have a Pro per Endpoint license, then the Analytics Engine will identify this sort of thing for you. Here are some relevant Analytics alerts that can fire:
Each of these alerts will generate incidents if they fire within your tenant. If you want to create your own XQL search, you can go to Incident Response -> Query Builder -> XQL Search. Here you can paste the query from the second article you linked, and then you have the option to Run, Run in Background, Save or Schedule. If you want this to generate alerts when data is returned, you can save it as a correlation rule; it will then be run periodically and can create incidents (depending on the severity you set: medium and high severity generate alerts).
If you are a Prevent customer, then you do not have EDR data collection as a feature and will be unable to detect this sort of behavior.