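// Baseline of process image names observed on Windows hosts over the
// prior 14 days, excluding the most recent day, taken from Security
// process-creation events (EventID 4688).
// The image name is the last element of NewProcessName split on '\'.
// It is lower-cased because KQL string equality (and therefore join
// matching) is case-sensitive while Windows file names are not; without
// the normalisation "cmd.exe" and "CMD.EXE" would count as two
// different processes and a case variant would surface as "new".
let baseline = SecurityEvent
| where TimeGenerated between (ago(14d) .. ago(1d))
| where EventID == 4688
| extend FileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
| summarize by FileName;
// Process creations from the last day whose image name did not appear
// anywhere in the baseline window. kind=leftanti keeps only left-side
// rows with no match, so the output carries the SecurityEvent columns
// of each candidate event and nothing from the baseline.
// Empty image names are dropped so that events lacking NewProcessName
// cannot produce a blank "new process" row.
// Note: the key is the file name only, not the full path — a known
// name launched from an unusual directory is not surfaced here.
SecurityEvent
| where TimeGenerated >= ago(1d)
| where EventID == 4688
| extend FileName = tolower(tostring(split(NewProcessName, '\\')[-1]))
| where isnotempty(FileName)
| join kind=leftanti baseline on FileName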