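// Flag process images (Security EventID 4688, process creation) launched in the
// last day whose image name was never seen in the preceding baseline window.
// The baseline deliberately stops at ago(recent) so that a brand-new image does
// not enter its own baseline and suppress itself.
//
// Scope notes, derived from the query shape:
//  - The key is the image file name only (last path segment of NewProcessName),
//    so a known binary launched from an unusual directory is NOT flagged, and
//    the baseline is fleet-wide, not per host (no Computer in the summarize).
//  - Names are lower-cased on both sides: Windows paths are case-insensitive
//    but a KQL join on strings is case-sensitive, so without normalisation
//    'CMD.EXE' vs 'cmd.exe' would surface as a false "new process".
let lookback = 14d;   // length of the baseline window
let recent = 1d;      // detection window; also the gap between baseline end and now
let baseline = SecurityEvent
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where EventID == 4688
    | summarize by FileName = tolower(tostring(split(NewProcessName, '\\')[-1]));
SecurityEvent
| where TimeGenerated >= ago(recent)
| where EventID == 4688
| extend FileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
// leftanti keeps only left-side rows with no baseline match; every launch of a
// new image yields its own row (results are not de-duplicated here).
| join kind=leftanti baseline on FileName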