09-19-2025 06:51 AM
Hi @Bouzeghoub
Let me give you a couple of examples that you can fine-tune according to your needs.
Example 1:
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| filter actor_process_image_name = "powershell.exe" and action_process_image_command_line contains "systeminfo"
| fields action_process_image_path, action_process_image_name, actor_process_image_md5, actor_process_image_name, actor_process_image_sha256, event_type, actor_process_command_line, action_process_image_command_line, causality_actor_process_image_md5, causality_actor_process_image_sha256, actor_process_signature_product, event_sub_type, actor_process_execution_time
Example 2:
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| filter actor_process_image_name = "powershell.exe" and action_process_image_command_line contains "systeminfo"
| fields action_process_image_path, action_process_image_name, actor_process_image_md5, actor_process_image_name, actor_process_image_sha256, event_type, actor_process_command_line, action_process_image_command_line, causality_actor_process_image_md5, causality_actor_process_image_sha256, actor_process_signature_product, event_sub_type, actor_process_execution_time
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.
KR,
Luis
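To check the filter logic of Example 1 offline, here is an added Python example (not from the original reply and not Cortex XDR code) that replays the query's two filter stages and its fields stage over constructed sample events; the lower-casing of strings is an assumption made for this example, not a statement about XQL's comparison semantics.

```python
# Added example, not from the original post: replays the filter and field
# projection of Example 1 over constructed xdr_data-style records.

# Constructed sample events shaped like xdr_data rows (placeholder values only).
SAMPLE_XDR_DATA = [
    {   # powershell.exe launching systeminfo: should match
        "event_type": "PROCESS", "actor_process_image_name": "powershell.exe",
        "actor_process_command_line": "powershell.exe -NoProfile -c systeminfo",
        "action_process_image_name": "systeminfo.exe",
        "action_process_image_path": "C:\\Windows\\System32\\systeminfo.exe",
        "action_process_image_command_line": "systeminfo",
        "actor_process_image_sha256": "<placeholder-sha256>",
    },
    {   # cmd.exe as parent: should not match
        "event_type": "PROCESS", "actor_process_image_name": "cmd.exe",
        "action_process_image_command_line": "systeminfo",
    },
    {   # right parent, wrong event type: should not match
        "event_type": "FILE", "actor_process_image_name": "powershell.exe",
        "action_process_image_command_line": "systeminfo",
    },
    {   # right parent and type, different child: should not match
        "event_type": "PROCESS", "actor_process_image_name": "powershell.exe",
        "action_process_image_command_line": "whoami /all",
    },
]

# Same columns as the query's "| fields" stage.
PROJECTED_FIELDS = [
    "action_process_image_path", "action_process_image_name",
    "actor_process_image_md5", "actor_process_image_name",
    "actor_process_image_sha256", "event_type", "actor_process_command_line",
    "action_process_image_command_line", "causality_actor_process_image_md5",
    "causality_actor_process_image_sha256", "actor_process_signature_product",
    "event_sub_type", "actor_process_execution_time",
]

def matches(record):
    """Mirror the two "| filter" stages. Strings are lower-cased here as a
    defensive choice for the example (an assumption, not XQL semantics)."""
    return (
        record.get("event_type") == "PROCESS"
        and record.get("actor_process_image_name", "").lower() == "powershell.exe"
        and "systeminfo" in record.get("action_process_image_command_line", "").lower()
    )

def run_query(records):
    """Filter, then project onto PROJECTED_FIELDS; absent columns become None."""
    return [{f: r.get(f) for f in PROJECTED_FIELDS} for r in records if matches(r)]
```

Running `run_query(SAMPLE_XDR_DATA)` returns only the first record, projected onto the thirteen columns of the fields stage.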