Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

List Tamper Protection Alert Triggered By VMware Carbon Black App Control

January 17, 2025 Wayne Andes 1 min read

Description

This KQL query looks for where Tamper Protection is detected by VMware Carbon Black App Control.

Query

Microsoft Sentinel

Kusto

CommonSecurityLog
| where DeviceVendor == "VMware Carbon Black"
| where DeviceProduct == "App Control"
| where Activity == "Tamper Protection"
| project TimeGenerated, DestinationHostName, DestinationIP, DestinationUserName, FilePath, FileName

References

https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/vmware-carbon-black-cloud
https://docs.vmware.com/en/VMware-Carbon-Black-App-Control/8.10/cb-ac-events-guide.pdf

List Suspicious Process Accessing A Website Not Blocked By Symantec Endpoint Protection
List Generic Directory Traversal Not Blocked By Symantec Endpoint Protection

Description

Query

Microsoft Sentinel

References

You May Also Like

Hunt For Malicious HTTP Traffic

Hunt For Newly Identified Lateral Movement Paths To Sensitive Accounts

List All Global Admins In Your Tenant

Leave a Reply Cancel reply