Hi,
Would it be possible to validate the query logic inside the Hunting-Queries-Detection-Rules/DefenderXDR/Threat Hunting BYOVD Scenarios.kql file?
More specifically, the following part regarding the DeviceEvents table:

```kql
DeviceEvents
// Event ID 3004 — Kernel-mode Driver Validation
| where ReportId == "3004"
| where ActionType == @"DriverLoad"
| where FileName has_any(DriverwithLowPrevalence)
```
Within the Microsoft documentation the ReportId field is described as follows:
> Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns.

See: https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
Based on the field description, the query logic to look for event ID 3004 is not valid as the field is a repeating counter and is not related to actual Windows event IDs.
Kind regards,
ErnieBot
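For reference, the following is an added example (not code from the repository or the issue author) of how the same DriverLoad hunt can be written without treating ReportId as an event ID, using the documented DeviceName + Timestamp + ReportId triple only as the uniqueness key; the driver names in DriverwithLowPrevalence are placeholders.

```kql
// Added example: DriverLoad hunting that does not filter on ReportId == "3004".
// ReportId is a per-device repeating counter, not a Windows event ID, so it is
// only used here, together with DeviceName and Timestamp, to de-duplicate events.
// The driver list below is a placeholder, not a real low-prevalence driver set.
let DriverwithLowPrevalence = dynamic(["placeholder-driver-1.sys", "placeholder-driver-2.sys"]);
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "DriverLoad"
| where FileName has_any (DriverwithLowPrevalence)
// One row per unique event, keyed on the documented (DeviceName, Timestamp, ReportId) triple
| summarize take_any(FileName, FolderPath, SHA1, InitiatingProcessFileName)
    by DeviceName, Timestamp, ReportId
| project Timestamp, DeviceName, ReportId, FileName, FolderPath, SHA1, InitiatingProcessFileName
| order by Timestamp desc
```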