any ideas on what kind of query that would be?
@hayden_redd unfortunately, the Insight Agent does not currently collect the endpoint telemetry which would allow an IDR detection to alert when a process reads the memory of another process.
We have heard this request from other customers (as well as our own detection engineering team), but as always, I'd be happy to discuss it more if you have any interest.
A possible workaround would be using a combination of a custom alert and file monitoring (event ID 4663) for the creation of *.dmp files under C:\Users\%username%\AppData\Local\Temp on your assets.