The correct field is FilePath because the investigation is focused on events executing from a specific directory on the host. In Falcon Event Search, path-based filtering is used when a responder wants to identify activity tied to a folder location such as a user profile, temp directory, startup folder, or suspicious staging path. TreeId is related to process lineage and is not the right field for directory matching. @source identifies the data source or index-related context, not the executable location. ParentBaseFileName is useful when searching for child processes launched by a specific parent executable, but it does not identify where the executing file resides. FilePath directly maps to the file location, making it the correct field for directory-based event hunting.