Developing A Baseline For Sensitive Process Access

eric_capuano · February 18, 2025, 10:57pm

Description of the query:
A starter query which leverages field projection to provide a high-level view of SENSITIVE_PROCESS_ACCESS activity for an org for developing a baseline or identifying outliers.

Query:

-24h | * | SENSITIVE_PROCESS_ACCESS | event/*/event/TARGET/FILE_PATH contains "lsass" | ts as Timestamp event/*/event/SOURCE/FILE_PATH as SOURCE  event/*/event/TARGET/FILE_PATH as TARGET

Topic		Replies	Views
Detecting Suspicious LSASS Access + Template String Example Detection & Response Rules detection , windows	0	9	February 18, 2025
Tracking Failed Windows Logons for Threat Hunting LCQL Queries lcql	0	5	February 17, 2025
About the LCQL Queries category LCQL Queries	1	2	February 17, 2025
Quickly Find Remote Desktop Logons LCQL Queries	0	12	February 17, 2025
Is rundll32.exe Executed Without Expected Dll Path? LCQL Queries lcql	0	3	February 17, 2025

Developing A Baseline For Sensitive Process Access

Related topics