This repository has been archived by the owner on Nov 16, 2023. It is now read-only.

Commit

Exclude Engine Updates and Empty lines (#101)
* Exclude Engine Updates and Empty lines

This excludes engine updates (so really only signature updates are shown) and excludes empty lines.

Engine Updates were in the result set due to entries like this:

MpSigStub.exe /stub 1.1.16500.1 /payload 1.1.16500.1 /MpWUStub /program C:\windows\SoftwareDistribution\Download\Install\AM_Engine.exe /LastPackage

AM_Engine.exe is the file name of engine updates.

Empty results came from this command line "MpSigStub.exe /Store", and the corresponding file name is wuauclt.exe.

* Removed case sensitivity
manuelhauch authored and meni-braun committed Dec 11, 2019
1 parent fbb2b73 commit 00dabae
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions General queries/WD AV Signature and Platform Version.txt
@@ -7,6 +7,8 @@
let startDate = ago(7d);
FileCreationEvents
| where InitiatingProcessCommandLine has "MpSigStub.exe"
//To exclude Engine Updates and non update events
| where InitiatingProcessParentFileName !~ "AM_Engine.exe" and InitiatingProcessParentFileName !~ "wuauclt.exe"
// Comment the below line if you're looking specifically for a computer
| where EventTime > startDate
// Uncomment the line below when looking for info regarding a specific computer
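Review bot: the new `| where InitiatingProcessParentFileName !~ ...` line excludes on one field, while the commit message identifies the engine update by the `/program ...\AM_Engine.exe` token in the command line and the empty rows by `/Store`; if the parent-process name is ever blank or differs from the file named in the command line, those rows slip through, so a matching command-line filter (for example `| where InitiatingProcessCommandLine !has "AM_Engine.exe" and InitiatingProcessCommandLine !has "/Store"`) alongside the parent-name check would make the exclusion robust, and the `//To exclude Engine Updates and non update events` comment should name which field each excluded value is expected in. As a style point, `!~` is the case-insensitive form, which matches the "Removed case sensitivity" note, but the new line lands before `| where EventTime > startDate`; moving the time bound above the string comparisons keeps the scan limited to the 7-day window before the name checks run.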

0 comments on commit 00dabae