
Windows Store Installs

This query lists every application installed from the Microsoft Store on a machine. It extracts the package name from the file path (the directory directly under WindowsApps), derives the package base name from it, and groups the results by computer name and package base. Commented-out filters let you exclude known-good file paths and packages to reduce noise in the results.

EDR monitoring · FDR · intermediate
By Craig Roberts (cql-hub.com) · 1 min read

Query

| regex("WindowsApps\\\\(?<PackageName>[^\\\\]+)\\\\", field=FilePath, strict=true)
| regex("^(?<PackageBase>[^_]+)", field=PackageName, strict=false)
| ComputerName=~wildcard(?ComputerName, ignoreCase=true)
| PackageBase=~wildcard(?PackageBase, ignoreCase=true)
// Filter out good filepaths
//| !in(field=FilePath, values=[])
// Filter out good Packages
//| !in(field=PackageBase, values=[])
| groupBy([ComputerName, PackageBase])
| sort(ComputerName, order=asc, limit=max)

Explanation

Imported from cql-hub.com. Pipe by pipe: the first regex() captures the directory name directly under WindowsApps\ from FilePath as PackageName; because strict=true, events whose FilePath is not under WindowsApps are dropped. The second regex() takes everything before the first underscore of PackageName (the package family, without the version, architecture and publisher suffix) as PackageBase; strict=false keeps the event even when nothing matches. The two =~wildcard() lines restrict the results to the computer name and package base supplied as query parameters, matching case-insensitively. The commented-out !in() lines are placeholders for allowlists of known-good file paths and package bases. Finally, groupBy([ComputerName, PackageBase]) counts events per computer and package, and sort(ComputerName, order=asc, limit=max) orders the rows by computer name without truncating the list.
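To make the two regex() steps and the allowlist filters concrete, here is an added Python emulation of the query (not code from cql-hub.com or the author) run over constructed sample events; the machine names, the Contoso package and its publisher suffix are made up for the example.

```python
import re
from collections import Counter

# Constructed sample events (ComputerName, FilePath); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-01", r"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_11.2210.0.0_x64__8wekyb3d8bbwe\CalculatorApp.exe"),
    ("WS-01", r"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_11.2210.0.0_x64__8wekyb3d8bbwe\CalculatorApp.exe"),
    ("WS-01", r"C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2302.20.0_x64__8wekyb3d8bbwe\SnippingTool\SnippingTool.exe"),
    ("WS-02", r"C:\Program Files\WindowsApps\Contoso.Tool_1.0.0.0_x64__abcdefghijklm\tool.exe"),
    ("WS-02", r"C:\Windows\System32\svchost.exe"),  # not a Store app: dropped by the strict regex
]

# Same pattern as the query's first regex(): the path segment right after "WindowsApps\".
PACKAGE_RE = re.compile(r"WindowsApps\\(?P<PackageName>[^\\]+)\\")
# Same as the second regex(): everything before the first underscore.
BASE_RE = re.compile(r"^(?P<PackageBase>[^_]+)")


def extract(file_path):
    """Return (PackageName, PackageBase), or None when the path is not under
    WindowsApps (the strict=true behaviour of the first regex())."""
    m = PACKAGE_RE.search(file_path)
    if not m:
        return None
    name = m.group("PackageName")
    b = BASE_RE.match(name)
    # strict=false: the event survives even if no PackageBase can be derived
    base = b.group("PackageBase") if b else None
    return name, base


def store_installs(events, known_paths=(), known_bases=()):
    """Emulate the allowlist filters followed by groupBy([ComputerName, PackageBase]).
    Returns {(ComputerName, PackageBase): count}, sorted by computer name."""
    counts = Counter()
    for computer, path in events:
        if path in known_paths:          # "Filter out good filepaths"
            continue
        found = extract(path)
        if found is None:
            continue
        _, base = found
        if base in known_bases:          # "Filter out good Packages"
            continue
        counts[(computer, base)] += 1
    return dict(sorted(counts.items()))
```

Running store_installs(SAMPLE_EVENTS) yields one row per (computer, package base) with its event count; passing the Microsoft packages in known_bases leaves only the unfamiliar Contoso.Tool row, which is the noise-reduction effect the commented-out filters are for.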

Variables to adjust

Review and adjust the values for your environment: the ?ComputerName and ?PackageBase query parameters (wildcards accepted, matched case-insensitively), and the empty values=[] lists in the commented-out !in() filters, which hold the known-good file paths and package bases once those lines are uncommented.