Query Details

Executed Processes

Query

//All processes executed and how many times

search in (SecurityEvent) EventID == 4688 
| summarize ExecutionCount = count() by NewProcessName

Explanation

This query searches for a specific event ID (4688) in the SecurityEvent table. It then summarizes the count of how many times each new process name has been executed.

Details

Rod Trent profile picture

Rod Trent

Released: May 25, 2021

Tables

SecurityEvent

Keywords

SearchSecurityEventEventIDNewProcessNameExecutionCount

Operators

searchinEventID==4688summarizeExecutionCount=count()byNewProcessName.

Actions

GitHub