Initial commit: KQL ↔ SDL PowerQuery proof of equivalence

kql/09_new_processes_24h.kql

@@ -0,0 +1,8 @@
+let baseline = SecurityEvent
+  | where TimeGenerated between (ago(14d) .. ago(1d))
+  | where EventID == 4688
+  | summarize by FileName = tostring(split(NewProcessName, '\\')[-1]);
+SecurityEvent
+| where TimeGenerated >= ago(1d) | where EventID == 4688
+| extend FileName = tostring(split(NewProcessName, '\\')[-1])
+| join kind=leftanti baseline on FileName