02-07-2023 06:50 AM - edited 02-07-2023 07:47 AM
Hi @SARowe_NZ ,
We do not capture event id 4689 specifically, but process termination events are monitored.
However, if your end users are killing processes using cmd or powershell, you can create command line rules to detect and prevent such events.
In the BIOC you can create a rule for the target process cmd parameter as *\taskkill* or *\Stop-Process* (e.g. Process [ action type = execution AND target process cmd = *\taskkill*, *\Stop-Process* ]) and add it to a restrictions profile.
You can also monitor process stop events using the following XQL query, if that works for you. Choose a filter of your own choice and subfilters to create monitoring events. The query below is also a valid BIOC; however, it can generate a lot of false positives. As a result, the recommendation would be to keep this query and rule as granular as possible.
dataset = xdr_data | filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_STOP and agent_os_type != ENUM.AGENT_OS_LINUX
Please mark the response as "Accept as Solution" if it answers your query. Hope it helps!
Regards
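As an added example that is not part of the reply above nor code from Palo Alto Networks: the Python below models the two detections the reply describes (the command-line BIOC rule on *\taskkill* / *\Stop-Process*, and the PROCESS_STOP XQL filter) and runs both over a handful of constructed events. The field names, the glob semantics assumed for the patterns (`*` matches any run of characters, a backslash is a literal backslash) and the case-insensitive comparison are all assumptions of this example, not documented Cortex XDR behaviour. What it shows is why the broad PROCESS_STOP filter is noisy, and that under those glob semantics the leading backslash in `*\Stop-Process*` only matches when a backslash immediately precedes the cmdlet name, which a command line such as `powershell.exe -Command "Stop-Process -Name notepad"` does not contain.

```python
from fnmatch import fnmatchcase

# The two command-line patterns from the BIOC rule in the reply above.
# This example treats them as plain globs: '*' matches any run of characters
# and a backslash is a literal backslash (assumption; verify against your tenant's docs).
BIOC_PATTERNS = (r"*\taskkill*", r"*\Stop-Process*")

# Constructed sample telemetry, not Cortex XDR output. The field names are
# simplified stand-ins for the xdr_data columns the XQL query filters on.
SAMPLE_EVENTS = [
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START", "agent_os_type": "AGENT_OS_WINDOWS",
     "cmd": r"C:\Windows\System32\taskkill.exe /F /IM notepad.exe"},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START", "agent_os_type": "AGENT_OS_WINDOWS",
     "cmd": 'powershell.exe -Command "Stop-Process -Name notepad"'},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_STOP", "agent_os_type": "AGENT_OS_WINDOWS",
     "cmd": r"C:\Windows\System32\notepad.exe"},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_STOP", "agent_os_type": "AGENT_OS_WINDOWS",
     "cmd": r"C:\Program Files\Google\Chrome\Application\chrome.exe --type=renderer"},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_STOP", "agent_os_type": "AGENT_OS_LINUX",
     "cmd": "/usr/bin/bash -c sleep 1"},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START", "agent_os_type": "AGENT_OS_WINDOWS",
     "cmd": r"C:\Program Files\Vendor\updater.exe --quiet"},
]


def matches_bioc(cmdline, patterns=BIOC_PATTERNS):
    """Case-insensitive glob match of a command line against the BIOC patterns.

    Folding to lower case is an assumption about how the BIOC engine compares
    strings; fnmatchcase itself is case-sensitive, hence the explicit lower().
    """
    folded = cmdline.lower()
    return any(fnmatchcase(folded, p.lower()) for p in patterns)


def is_process_stop(event):
    """Equivalent of the XQL filter in the reply:
    event_type = PROCESS and event_sub_type = PROCESS_STOP and agent_os_type != AGENT_OS_LINUX."""
    return (event["event_type"] == "PROCESS"
            and event["event_sub_type"] == "PROCESS_STOP"
            and event["agent_os_type"] != "AGENT_OS_LINUX")


def process_stop_events(events):
    """Every non-Linux process termination: broad, and noisy on a real endpoint."""
    return [e for e in events if is_process_stop(e)]


def bioc_hits(events, patterns=BIOC_PATTERNS):
    """Executions (action type = execution) whose command line matches the rule."""
    return [e for e in events
            if e["event_type"] == "PROCESS"
            and e["event_sub_type"] == "PROCESS_START"
            and matches_bioc(e["cmd"], patterns)]


if __name__ == "__main__":
    print("process stop events:", len(process_stop_events(SAMPLE_EVENTS)))
    for e in bioc_hits(SAMPLE_EVENTS):
        print("BIOC hit:", e["cmd"])
    # The Stop-Process pattern in the rule starts with a backslash, so under glob
    # semantics it only matches when a backslash directly precedes 'Stop-Process'
    # (as in a file path), not a cmdlet typed on the PowerShell command line.
    # Dropping the backslash makes the rule catch that case too.
    for e in bioc_hits(SAMPLE_EVENTS, (r"*\taskkill*", "*Stop-Process*")):
        print("BIOC hit (no backslash before Stop-Process):", e["cmd"])
```

Run it with `python3` and swap in command lines captured from your own endpoints before committing a pattern to a restrictions profile; a pattern that looks right in the rule editor can still miss the form the cmdlet actually takes on the command line.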