All the access protection "detections" in the events table have ThreatName set to the actual rule name and ThreatType set to the string "access protection".
I recommend you create a new query for this.
So, is there no way to do a query for specific components of Access Protection?
I think what Attila was trying to say was that for the Threat Name it says what rule it is. In your case, in the Threat Event, it would say "Prevent launching of files from the Downloaded Program Files folder" as part of the Threat Name. So I think the easiest way to query this would be with a custom query that says:
Threat Name > Contains > "Prevent launching of files from the Downloaded Program Files folder".
This should give you all the AP events.
Right, I misunderstood the reply.
I got the query. Thank you to both of you.
Have a nice day.
If you were interested in expanding beyond just AP violations, you could just look for the Threat Target File Name contains TEMP or TMP.
That would give you a much broader query, but I'm not sure if that's really what you are looking for.
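The three filters discussed in this thread (all Access Protection events by ThreatType, one specific rule by ThreatName, and the broader TEMP/TMP target-path search) written as plain SQL, as an added example that is not part of the original thread or of the product's own query definitions. It assumes the ePO SQL Server database exposes the events table as dbo.EPOEvents with the columns DetectedUTC, ThreatName, ThreatType and TargetFileName; those names are assumptions, so check them against your own schema before running anything.

```sql
-- Added example, not from the thread above. Table and column names
-- (dbo.EPOEvents, DetectedUTC, ThreatName, ThreatType, TargetFileName)
-- are assumed; verify them against your ePO database first.

-- 1) Every Access Protection event. ThreatType carries the fixed string
--    "access protection", so this is the broadest AP-only filter.
--    SQL Server's default collation is case-insensitive; on a
--    case-sensitive collation, compare LOWER(ThreatType) instead.
SELECT DetectedUTC, ThreatName, TargetFileName
FROM   dbo.EPOEvents
WHERE  ThreatType = 'access protection'
ORDER  BY DetectedUTC DESC;

-- 2) One specific AP rule. ThreatName holds the rule name, which is what
--    the GUI's "Threat Name > Contains" condition matches; LIKE with
--    leading and trailing wildcards is the SQL equivalent. Keeping the
--    ThreatType filter stops an unrelated detection that merely contains
--    the same words from being counted as an AP event.
SELECT DetectedUTC, ThreatName, TargetFileName
FROM   dbo.EPOEvents
WHERE  ThreatType = 'access protection'
  AND  ThreatName LIKE '%Prevent launching of files from the Downloaded Program Files folder%'
ORDER  BY DetectedUTC DESC;

-- 3) Broader search: anything launched from a TEMP or TMP location,
--    regardless of which product component raised it. Matching whole
--    path segments (\TEMP\ and \TMP\) avoids false hits on names such as
--    "Template" or "tmpfiles.exe" that a bare '%TEMP%' would return.
SELECT DetectedUTC, ThreatType, ThreatName, TargetFileName
FROM   dbo.EPOEvents
WHERE  TargetFileName LIKE '%\TEMP\%'
   OR  TargetFileName LIKE '%\TMP\%'
ORDER  BY DetectedUTC DESC;
```

Query 3 will pull in events from every scanner, not just Access Protection, which is the "much broader" result mentioned above; add the ThreatType condition from query 1 to narrow it back to AP violations if that is what you actually need.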