Query Details
//Credit: https://medium.com/capturedsignal/notepad-security-incident-threat-hunting-using-kql-and-defender-for-endpoint-logs-dd83b984fcc6
//Credit to: Bartosz Turek
DeviceProcessEvents
| where TimeGenerated > todatetime('2025-06-01T00:00:00.00Z') // "The incident began from June 2025"
| where InitiatingProcessCommandLine startswith '"gup.exe"'
| project-reorder TimeGenerated, DeviceName, ActionType, FileName, FolderPath, ProcessCommandLine, SHA1, SHA256, MD5
| where FolderPath <> "C:\\Windows\\explorer.exe"
| where FolderPath <> "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
| distinct SHA256
| join (DeviceNetworkEvents
| where TimeGenerated > todatetime('2025-06-01T00:00:00.00Z'))
on $left.SHA256 == $right.InitiatingProcessSHA256
This KQL (Kusto Query Language) query correlates process creation telemetry with network telemetry from Microsoft Defender for Endpoint to scope a potential security incident. Here's a breakdown of what each stage does:
Data Source: The query starts from the DeviceProcessEvents table, which records process creation events on onboarded devices.
Time Filter: It keeps only events with TimeGenerated after 2025-06-01T00:00:00Z, the assumed start of the incident, so anything older never enters the correlation.
Parent Process Filter: The filter is on InitiatingProcessCommandLine, not ProcessCommandLine, so it selects child processes whose parent was launched as "gup.exe" (the Notepad++ updater, GUP). In other words, the question being asked is "what did the updater spawn?" rather than "where did gup.exe run?". Note that startswith is case-insensitive in KQL.
Reordering Columns: project-reorder only changes the display order (TimeGenerated, DeviceName, ActionType, FileName, FolderPath, ProcessCommandLine and the three hashes first). It is useful when the query is cut off here for triage; in the full pipeline it has no effect, because the distinct below discards every column except SHA256.
Exclusion of Specific Paths: It drops children whose FolderPath is C:\Windows\explorer.exe or C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (the doubled backslashes in the query are KQL string escaping for single backslashes), presumably because these are routine, legitimate children of the updater rather than part of the incident. Be aware that <> is a case-sensitive comparison in KQL; if path casing varies in your telemetry, !~ is the case-insensitive form.
Unique Identifiers: distinct SHA256 collapses the remaining rows to the set of file hashes of the suspicious children. Device name, timestamp and command line are all dropped at this point.
Joining with Network Events: The query then joins that hash set with the DeviceNetworkEvents table, again restricted to events after June 1, 2025, matching SHA256 from the process side to InitiatingProcessSHA256 on the network side. With no kind specified, KQL uses innerunique, which with a distinct left side simply returns every network row whose initiating process hash is in the set. Because the key is the hash alone, the output includes network activity by that binary on any device in the window, including devices where gup.exe was never observed as the parent; that is useful for scoping, but the per-device and per-time context from the process side does not carry through.
Overall, this query pivots from "unexpected children of the Notepad++ updater" to "where did those binaries connect", correlating process execution with network activity from June 2025 onward while excluding the updater's known-benign children.
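Before running the query against production telemetry it helps to see exactly which rows each stage keeps. The following Python replays the query's filters and join over a handful of constructed sample rows. It is an added example, not part of the original page or Bartosz Turek's query; the device names, hashes, paths and IP addresses are made up, and only the columns the query touches are modelled. It also surfaces two behaviours worth knowing: the join is on hash alone, so network events from a device that never appeared in the process results still match, and the path exclusions use a case-sensitive comparison.

```python
from datetime import datetime, timezone

# Incident start used by the query: TimeGenerated > 2025-06-01T00:00:00Z
INCIDENT_START = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample rows (not real Defender telemetry). FolderPath is the
# path of the *child* process; InitiatingProcessCommandLine is the parent's.
PROCESS_EVENTS = [
    # gup.exe launching Explorer/Edge: excluded by the query
    {"TimeGenerated": "2025-06-10T08:00:00Z", "DeviceName": "ws01",
     "FolderPath": r"C:\Windows\explorer.exe",
     "InitiatingProcessCommandLine": '"gup.exe" -v8.8.1', "SHA256": "hash-explorer"},
    {"TimeGenerated": "2025-06-10T08:00:01Z", "DeviceName": "ws01",
     "FolderPath": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "InitiatingProcessCommandLine": '"gup.exe" -v8.8.1', "SHA256": "hash-edge"},
    # an unexpected child of gup.exe, seen on two devices with the same hash
    {"TimeGenerated": "2025-06-12T09:15:00Z", "DeviceName": "ws01",
     "FolderPath": r"C:\Users\alice\AppData\Local\Temp\npp-update.exe",
     "InitiatingProcessCommandLine": '"gup.exe" -v8.8.1', "SHA256": "hash-suspect"},
    {"TimeGenerated": "2025-06-12T09:20:00Z", "DeviceName": "ws02",
     "FolderPath": r"C:\Users\bob\AppData\Local\Temp\npp-update.exe",
     "InitiatingProcessCommandLine": '"gup.exe" -v8.8.1', "SHA256": "hash-suspect"},
    # before the incident window: dropped by the time filter
    {"TimeGenerated": "2025-05-20T10:00:00Z", "DeviceName": "ws01",
     "FolderPath": r"C:\Users\alice\AppData\Local\Temp\old.exe",
     "InitiatingProcessCommandLine": '"gup.exe" -v8.7.9', "SHA256": "hash-old"},
    # parent is notepad++.exe, not gup.exe: never selected
    {"TimeGenerated": "2025-06-12T09:30:00Z", "DeviceName": "ws01",
     "FolderPath": r"C:\Windows\System32\cmd.exe",
     "InitiatingProcessCommandLine": '"notepad++.exe" notes.txt', "SHA256": "hash-cmd"},
    # explorer.exe again, but with a lower-case path: the query's
    # case-sensitive <> comparison does NOT exclude this row
    {"TimeGenerated": "2025-06-13T08:00:00Z", "DeviceName": "ws04",
     "FolderPath": r"c:\windows\explorer.exe",
     "InitiatingProcessCommandLine": '"gup.exe" -v8.8.1', "SHA256": "hash-explorer-lc"},
]

NETWORK_EVENTS = [
    {"TimeGenerated": "2025-06-12T09:16:00Z", "DeviceName": "ws01",
     "InitiatingProcessSHA256": "hash-suspect", "RemoteIP": "203.0.113.10"},
    # ws03 has no process row above, but the join is hash-only, so it matches
    {"TimeGenerated": "2025-06-14T11:00:00Z", "DeviceName": "ws03",
     "InitiatingProcessSHA256": "hash-suspect", "RemoteIP": "203.0.113.10"},
    # explorer.exe traffic: its hash never reaches the join
    {"TimeGenerated": "2025-06-10T08:00:02Z", "DeviceName": "ws01",
     "InitiatingProcessSHA256": "hash-explorer", "RemoteIP": "198.51.100.5"},
    # right-hand time filter drops this one even though the hash matches
    {"TimeGenerated": "2025-05-30T12:00:00Z", "DeviceName": "ws02",
     "InitiatingProcessSHA256": "hash-suspect", "RemoteIP": "203.0.113.10"},
]

# The two FolderPath values the query excludes with <>
EXCLUDED_PATHS = {
    r"C:\Windows\explorer.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
}


def parse_ts(value):
    """Parse the ISO 8601 'Z' timestamps used in the sample rows."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_hashes(process_events, start=INCIDENT_START):
    """Left side of the join: distinct SHA256 of gup.exe's children.

    Mirrors the KQL semantics: startswith is case-insensitive,
    <> on FolderPath is case-sensitive.
    """
    hashes = set()
    for row in process_events:
        if parse_ts(row["TimeGenerated"]) <= start:
            continue
        if not row["InitiatingProcessCommandLine"].lower().startswith('"gup.exe"'):
            continue
        if row["FolderPath"] in EXCLUDED_PATHS:
            continue
        hashes.add(row["SHA256"])
    return hashes


def correlate(process_events, network_events, start=INCIDENT_START):
    """Right side of the join: network rows whose initiating hash is in the
    distinct set. With a distinct left side, KQL's default innerunique join
    reduces to exactly this membership filter."""
    wanted = suspicious_hashes(process_events, start)
    return [
        row for row in network_events
        if parse_ts(row["TimeGenerated"]) > start
        and row["InitiatingProcessSHA256"] in wanted
    ]


if __name__ == "__main__":
    for hit in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(hit["DeviceName"], hit["InitiatingProcessSHA256"], hit["RemoteIP"])
```

Two rows come back, for ws01 and ws03, even though ws03 has no gup.exe child in the process table; if you need to prove the network activity came from the updater's child on that specific device, join on DeviceId and InitiatingProcessId (or InitiatingProcessCreationTime) as well as the hash. The lower-case explorer.exe row surviving the exclusion is the reason to prefer !~ over <> when path casing is not guaranteed.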

Jay Kerai
Released: February 3, 2026