Detection Query 1 | (resourcename in ("Sysmon") AND eventtype = "11") AND targetfilename IN ("\Andrew.dmp","\Coredump.dmp","\lsass.dmp","\lsass.rar","\lsass.zip","\NotLSASS.zip","\PPLBlade.dmp","\rustive.dmp","\lsass_2","\lsassdmp","\lsassdump","\lsass",".dmp","SQLDmpr",".mdmp","\nanodump","\proc_") |
Detection Query 2 | (technologygroup = "EDR") AND targetfilename IN ("\Andrew.dmp","\Coredump.dmp","\lsass.dmp","\lsass.rar","\lsass.zip","\NotLSASS.zip","\PPLBlade.dmp","\rustive.dmp","\lsass_2","\lsassdmp","\lsassdump","\lsass",".dmp","SQLDmpr",".mdmp","\nanodump","\proc_") |
Detection Query 3 | (resourcename in ("Windows Security") AND eventtype = "4663") AND winmessage IN ("\Andrew.dmp","\Coredump.dmp","\lsass.dmp","\lsass.rar","\lsass.zip","\NotLSASS.zip","\PPLBlade.dmp","\rustive.dmp","\lsass_2","\lsassdmp","\lsassdump","\lsass",".dmp","SQLDmpr",".mdmp","\nanodump","\proc_") |
Detection Query 4 | (technologygroup = "EDR") AND winmessage IN ("\Andrew.dmp","\Coredump.dmp","\lsass.dmp","\lsass.rar","\lsass.zip","\NotLSASS.zip","\PPLBlade.dmp","\rustive.dmp","\lsass_2","\lsassdmp","\lsassdump","\lsass",".dmp","SQLDmpr",".mdmp","\nanodump","\proc_") |