Query Details
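// Process-tree pivot for a single process. Given a process name and PID, this
// returns the process itself (TargetProcess), the processes it started
// (ChildProcess), the process that started it (ParentProcess) and the other
// processes started by that same parent (SiblingProcess) as one result set.
// Intended for workspaces where DeviceProcessEvents is ingested but the
// Defender portal's process tree is not available.
// Caveats:
//  - A PID is only unique while the process is alive and is reused by the OS
//    afterwards. Run this over a time window in which the PID is known to refer
//    to the target (e.g. add "| where TimeGenerated between (start .. end)" to
//    the DeviceProcessEvents reads), otherwise unrelated processes that reused
//    the PID will be merged into the tree.
//  - FileName is compared with =~ (case-insensitive) because Windows image names
//    are not case-sensitive; a literal "==" would miss "Process.EXE".
let Process = ""; // Image name of the target process, e.g. "process.exe"
let PID = long(0); // PID of the target process. ProcessId is numeric, so this must be a number, not a quoted string
// The target process, carrying its parent's name/PID so they can be lifted into scalars below.
let OriginalProcess = DeviceProcessEvents
| where FileName =~ Process and ProcessId == PID
| extend Hierarchy = "TargetProcess",
ParentProcessFileName = InitiatingProcessFileName,
ParentProcessPID = InitiatingProcessId
| project TimeGenerated, Hierarchy, FileName, FolderPath, FileSize, ProcessCommandLine, ParentProcessFileName, ParentProcessPID;
// Processes whose initiating process is the target.
let ChildProcess = DeviceProcessEvents
| where InitiatingProcessFileName =~ Process and InitiatingProcessId == PID
| extend Hierarchy = "ChildProcess"
| project TimeGenerated, Hierarchy, FileName, FolderPath, FileSize, ProcessCommandLine;
// Parent identity taken from the most recent matching target row, so the choice is
// deterministic if the name/PID pair matched more than one process-creation event.
let ParentProcessFileName = toscalar(OriginalProcess | top 1 by TimeGenerated desc | project ParentProcessFileName);
let ParentProcessPID = toscalar(OriginalProcess | top 1 by TimeGenerated desc | project ParentProcessPID);
// The process-creation event of the parent itself.
let ParentProcess = DeviceProcessEvents
| where FileName =~ ParentProcessFileName and ProcessId == ParentProcessPID
| extend Hierarchy = "ParentProcess"
| project TimeGenerated, Hierarchy, FileName, FolderPath, FileSize, ProcessCommandLine;
// Other processes started by the same parent, excluding the target itself.
let SiblingProcesses = DeviceProcessEvents
| where InitiatingProcessFileName =~ ParentProcessFileName and InitiatingProcessId == ParentProcessPID
and not(FileName =~ Process and ProcessId == PID) // Exclude the original process itself
| extend Hierarchy = "SiblingProcess"
| project TimeGenerated, Hierarchy, FileName, FolderPath, FileSize, ProcessCommandLine;
// Merge the four views; the parent columns only exist on the target rows and are
// dropped so every row has the same shape.
union OriginalProcess, ChildProcess, ParentProcess, SiblingProcesses
| project-away ParentProcessFileName, ParentProcessPID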
| order by TimeGenerated desc
This query analyzes a specific process by examining its relationships with other processes. Here's a simplified breakdown:
Identify the Target Process: The query starts by finding a specific process using its name and process ID (PID). This is referred to as the "TargetProcess."
Find Child Processes: It then identifies any child processes that were initiated by this target process.
Identify the Parent Process: The query retrieves information about the parent process that initiated the target process.
Find Sibling Processes: It looks for sibling processes, which are other processes initiated by the same parent process as the target process, excluding the target process itself.
Combine Results: Finally, it combines all the information about the target process, its child processes, parent process, and sibling processes into a single result set, ordered by the time each process event was generated.
This query is particularly useful in environments where Microsoft Defender is not available, because it reconstructs the process hierarchy and relationships from the DeviceProcessEvents table alone, without relying on Defender's own tooling.

Jason Walker
Released: November 10, 2024