Describe the bug
When running a query searching for filemods, the returned data doesn't include the responsible process or process command line.
What side of Surveyor is impacted?
[ ] Definition File
[x] Code/Logic
What product is impacted?
[ ] Carbon Black Response
[ ] Carbon Black Threat Hunter
[x] Defender for Endpoints
[ ] SentinelOne
[ ] Other
To Reproduce
What did you do?
What is the command line you're running that is causing the error?
python surveyor.py --deffile test.json dfe --creds credentials.ini
Contents of test.json
{
  "Test for PS Scripts": {
    "filemod": ["__PSScriptPolicytest"]
  }
}
Expected behavior
When querying for a filemod, results should include info on the responsible process.
Screenshots
N/A
Additional context
Based on the logs, this is the generated KQL query:
union DeviceProcessEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceFileCertificateInfo, DeviceEvents
| where FileName contains "__PSScriptPolicytest"
| project DeviceName, AccountName, ProcessCommandLine, FolderPath, Timestamp
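As an added illustration (not Surveyor's code and not a fix the project has adopted), the same union and filter with the process fields taken from the column each table actually populates. It assumes the Defender advanced hunting schema in which DeviceFileEvents and DeviceRegistryEvents record the responsible process in the InitiatingProcess* columns, while ProcessCommandLine and AccountName are only populated by DeviceProcessEvents; `$table` is the column Kusto adds to a union to name the source table.

```kql
// Added example, not Surveyor's generated query.
// Assumption: only DeviceProcessEvents fills ProcessCommandLine/AccountName;
// file, registry, network and image-load events carry the responsible
// process in the InitiatingProcess* columns, so the original projection
// returns empty process fields for every filemod row.
union DeviceProcessEvents, DeviceFileEvents, DeviceRegistryEvents,
      DeviceNetworkEvents, DeviceImageLoadEvents, DeviceFileCertificateInfo,
      DeviceEvents
| where FileName contains "__PSScriptPolicytest"
// For a process event the row's own FileName/ProcessCommandLine describe the
// process; for every other table the initiating process is the responsible one.
| extend ResponsibleProcess = iff($table == "DeviceProcessEvents",
                                  FileName, InitiatingProcessFileName),
         ResponsibleCommandLine = iff($table == "DeviceProcessEvents",
                                      ProcessCommandLine, InitiatingProcessCommandLine),
         // coalesce() skips null and empty strings, so the first populated
         // account column wins regardless of which table the row came from.
         ResponsibleAccount = coalesce(AccountName, InitiatingProcessAccountName)
| project Timestamp, $table, ActionType, DeviceName, ResponsibleAccount,
          ResponsibleProcess, ResponsibleCommandLine, FolderPath, FileName
| order by Timestamp desc
```

Rows from DeviceFileEvents now show the writing process and its command line instead of blanks, which is the information the filemod search is meant to surface.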