Query Details

Security Event: New EXE deployed via Default Domain or Default Domain Controller Policies

Query

let query_frequency = 1h;
let query_period = 14d;
SecurityEvent
| where TimeGenerated > ago(query_frequency)
| where EventID == 4688
| where NewProcessName has_any (@"Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}", @"Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}")
| join kind=leftanti (
    SecurityEvent
    | where TimeGenerated between(ago(query_period) .. ago(query_frequency))
    | where EventID == 4688
    | where NewProcessName has_any (@"Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}", @"Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}")
    | distinct Process
) on Process
| summarize
    minTimeGenerated = arg_min(TimeGenerated, *),
    maxTimeGenerated = max(TimeGenerated)
    by Computer, Account
| project
  minTimeGenerated,
  maxTimeGenerated,
  Computer,
  Account,
  AccountType,
  Activity,
  CommandLine,
  Process,
  NewProcessName,
  ParentProcessName

Explanation

This query looks for process-creation events (EventID 4688) from the last hour (query_frequency) in which the new process image path lies under the SYSVOL policy folder of the Default Domain Policy or the Default Domain Controllers Policy GUIDs listed in the query. A leftanti join then discards any process name that was already seen under those same folders during the preceding 14 days (query_period), leaving only executables that are new to those policy folders. The remaining events are summarized per computer and account, keeping the earliest event's details together with the first and last time it was observed, and the relevant columns (account type, activity, command line, process, image path and parent process) are projected.
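To check the windowing and leftanti logic offline, here is the same hunt re-implemented in Python over constructed 4688 rows (an added example, not the author's query or any Sentinel code; it assumes SecurityEvent-style field names and approximates KQL has_any with a case-insensitive substring test).

```python
# Added example, not the page's code: the hunt above re-implemented in Python
# so its windowing and leftanti logic can be checked on constructed 4688 rows.
# has_any is approximated by a case-insensitive substring test (assumption).
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# GPO folders named in the query: Default Domain Controllers Policy and
# Default Domain Policy, as they appear under SYSVOL.
POLICY_PATHS = (r"Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}",
                r"Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}")

def has_any(value, needles):
    return any(n.lower() in value.lower() for n in needles)

def new_policy_executables(events, now, frequency=timedelta(hours=1),
                           period=timedelta(days=14)):
    """Rows from the last `frequency` under a default GPO path whose Process
    was not seen in the preceding `period`, keyed by (Computer, Account) ->
    (first_seen, last_seen, earliest_row), mirroring summarize/project."""
    recent_start, baseline_start = now - frequency, now - period
    scoped = [e for e in events
              if e["EventID"] == 4688 and has_any(e["NewProcessName"], POLICY_PATHS)]
    # inner query: distinct Process over the baseline window (period .. frequency ago)
    baseline = {e["Process"] for e in scoped
                if baseline_start <= e["TimeGenerated"] <= recent_start}
    # join kind=leftanti on Process: keep recent rows with no baseline match
    grouped = defaultdict(list)
    for e in scoped:
        if e["TimeGenerated"] > recent_start and e["Process"] not in baseline:
            grouped[(e["Computer"], e["Account"])].append(e)
    return {key: (min(r["TimeGenerated"] for r in rows),
                  max(r["TimeGenerated"] for r in rows),
                  min(rows, key=lambda r: r["TimeGenerated"]))
            for key, rows in grouped.items()}

def event(ts, computer, account, image):  # constructed SecurityEvent-like row
    return {"TimeGenerated": ts, "EventID": 4688, "Computer": computer, "Account": account,
            "NewProcessName": image, "Process": image.rsplit("\\", 1)[-1]}

NOW = datetime(2023, 1, 11, 12, 0, tzinfo=timezone.utc)
DDP = r"\\corp.example\SysVol\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"
DDCP = r"\\corp.example\SysVol\corp.example\Policies\{6ac1786c-016f-11d2-945f-00c04fb984f9}"
SAMPLE_EVENTS = [  # constructed: inventory.exe has a 3-day-old baseline run, update.exe is new
    event(NOW - timedelta(days=3), "DC01", "SYSTEM", DDP + r"\Machine\Scripts\Startup\inventory.exe"),
    event(NOW - timedelta(minutes=10), "DC01", "SYSTEM", DDP + r"\Machine\Scripts\Startup\inventory.exe"),
    event(NOW - timedelta(minutes=40), "WS07", r"CORP\jdoe", DDCP + r"\User\Scripts\Logon\update.exe"),
    event(NOW - timedelta(minutes=5), "WS07", r"CORP\jdoe", DDCP + r"\User\Scripts\Logon\update.exe"),
    event(NOW - timedelta(minutes=2), "WS07", r"CORP\jdoe", r"C:\Windows\System32\cmd.exe"),  # filtered out
]
```

Running new_policy_executables(SAMPLE_EVENTS, NOW) returns only the WS07 / CORP\jdoe group for update.exe; inventory.exe is suppressed by its baseline sighting and cmd.exe never passes the path filter.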

Details


Jose Sebastián Canós

Released: January 11, 2023

Tables

SecurityEvent

Keywords

Devices, Intune, User

Operators

where, has_any, join, kind=leftanti, between, distinct, summarize, arg_min, max, by, project
