mirror of
https://github.com/marcredhat/kql
synced 2026-06-08 13:23:58 +00:00
marc
10 lines
326 B
Plaintext
10 lines
326 B
Plaintext
SecurityEvent
|
|
| where TimeGenerated > ago(1d)
|
|
| where EventID == 4688
|
|
| summarize Count = count(),
|
|
DistinctComputers = dcount(Computer),
|
|
DistinctAccounts = dcount(Account),
|
|
DistinctParent = dcount(ParentProcessName),
|
|
NoofCommandLines = dcount(CommandLine)
|
|
by NewProcessName
|