From 3976f15025c2a3da00fea85e61306aeed7099e31 Mon Sep 17 00:00:00 2001 From: "Anna G. Arbeiter" Date: Wed, 9 Dec 2020 13:11:22 +0100 Subject: [PATCH] Update qakbot-campaign-esentutl.md "has" works only for full tokens. The query has to use "contains" instead. I have tested it and it won't work with "has". Also changed == to =~ according to the best practices. --- Discovery/qakbot-campaign-esentutl.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/Discovery/qakbot-campaign-esentutl.md b/Discovery/qakbot-campaign-esentutl.md index 00da7416..155b2bc2 100644 --- a/Discovery/qakbot-campaign-esentutl.md +++ b/Discovery/qakbot-campaign-esentutl.md @@ -10,11 +10,10 @@ The following query detects possible use of the system process, *esentutl.exe*, ```Kusto DeviceProcessEvents -| where FileName == "esentutl.exe" -| where ProcessCommandLine has "WebCache" -| where ProcessCommandLine has_any ("V01", "/s", "/d") -| project ProcessCommandLine, -InitiatingProcessParentFileName, DeviceId, Timestamp +| where FileName =~ "esentutl.exe" +| where ProcessCommandLine contains "WebCache" +| where ProcessCommandLine contains "V01" or ProcessCommandLine contains @"/s" or ProcessCommandLine contains @"/d" +| project ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp ``` ## Category
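Review bot: replacing `has_any ("V01", "/s", "/d")` with three OR-ed `contains` clauses widens the match more than the commit message suggests, because `contains` is a case-insensitive substring test: `contains @"/s"` and `contains @"/d"` will fire on any command line that has those two characters anywhere (inside a longer switch or a path segment), not only on the `/s` and `/d` switches. Since this `where` is an OR of three conditions and the preceding `where ProcessCommandLine contains "WebCache"` already narrows the set, the `/s` or `/d` branch on its own adds little; if the query is meant to catch the recovery form with the `V01` log base name plus the path switches, consider requiring the combination instead, for example `| where ProcessCommandLine contains "V01" and ProcessCommandLine contains @"/d"`, or a `matches regex` when the expected switch order is known (a suggested tightening, not something in the patch). The `@` verbatim-string prefix on `@"/s"` and `@"/d"` is unnecessary, as forward slashes need no escaping in KQL string literals, but it is harmless. The `==` to `=~` change on `FileName` is correct: the case-insensitive comparison also matches `ESENTUTL.EXE` style spellings that the exact comparison would have missed, and joining the `project` list onto one line fixes the line break that previously split the projected columns.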