Query Details
// This query identifies crashing processes based on werfault parameters
// This query was updated from https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender/General%20queries/Crashing%20Applications.yaml
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ 'werfault.exe'
// WerFault.exe is given the crashing process's PID after its -p switch.
// Extract it as a long so the comparison with ProcessId below is type-correct;
// [0-9]+ rather than [0-9]{1,5} so PIDs with six or more digits are not truncated.
| project CrashTime = Timestamp, DeviceId, WerFaultCommand = ProcessCommandLine,
    CrashProcessId = extract("-p ([0-9]+)", 1, ProcessCommandLine, typeof(long))
// Tie each WerFault launch to the start event of the process it reported on
| join kind=inner hint.strategy=shuffle DeviceProcessEvents on DeviceId
| where CrashProcessId == ProcessId and Timestamp between (datetime_add('day', -1, CrashTime) .. CrashTime)
| project-away ActionType
| project-rename ProcessStartTimestamp = Timestamp
| summarize DeviceCrashes = count(), LastCrashTimestamp = max(CrashTime) by FileName, DeviceName
| sort by DeviceCrashes
| summarize TotalCrashes = sum(DeviceCrashes),
    TotalDevices = dcount(DeviceName),
    DeviceCrashCounts = make_list(pack(DeviceName, DeviceCrashes)),
    LastCrashPerDevice = make_list(pack(DeviceName, LastCrashTimestamp))
    by FileName
| sort by TotalCrashes

This query identifies crashing applications from the parameters passed to werfault.exe, the Windows Error Reporting fault handler. It selects process events from the past day whose file name is werfault.exe and extracts the crash time, device ID, WerFault command line and the crashing process ID (the value that follows the -p switch). It then joins those rows back to DeviceProcessEvents on device ID and keeps only the rows whose process ID equals the extracted crash process ID and whose start time falls within the day before the crash, so that each WerFault launch is tied to the process that actually crashed. After dropping ActionType and renaming Timestamp to ProcessStartTimestamp, it summarizes the number of crashes and the last crash timestamp per file name and device name, then rolls those up per file name into the total number of crashes, the number of distinct devices, and lists of per-device crash counts and last crash timestamps. Finally, it sorts the results by the total number of crashes.
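As an added illustration that is not part of the original query page or of the Azure Sentinel repository, the following Python re-implements the query's logic (PID extraction from the WerFault command line, the same-device join within a one-day lookback, and the two summarize steps) over a constructed set of DeviceProcessEvents-shaped records, so the behaviour can be checked offline. The event records, device names and command lines are constructed sample data. It deliberately goes beyond the query in two places: the PID pattern is [0-9]+ so a six-digit PID is not truncated, and when a PID was reused within the window it keeps only the most recent start before the crash, where the query's join would keep every matching start.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same idea as the query's extract(): the crashing process's PID follows "-p".
# [0-9]+ instead of [0-9]{1,5} so six- or seven-digit PIDs are not truncated.
PID_RE = re.compile(r"-p ([0-9]+)")


def crash_pid(command_line):
    """Return the PID named after -p in a WerFault.exe command line, or None."""
    m = PID_RE.search(command_line)
    return int(m.group(1)) if m else None


def correlate(events, lookback=timedelta(days=1)):
    """Join WerFault launches to the start event of the process they report on.

    events: dicts with Timestamp, DeviceId, DeviceName, FileName, ProcessId,
            ProcessCommandLine (the shape of DeviceProcessEvents rows).
    Returns a list of (crash_time, device_name, crashed_file_name).
    """
    starts = defaultdict(list)  # (DeviceId, ProcessId) -> start events
    crashes = []
    for e in events:
        if e["FileName"].lower() == "werfault.exe":
            pid = crash_pid(e["ProcessCommandLine"])
            if pid is not None:
                crashes.append((e["Timestamp"], e["DeviceId"], pid))
        else:
            starts[(e["DeviceId"], e["ProcessId"])].append(e)
    matched = []
    for crash_time, device_id, pid in crashes:
        # Same device, same PID, started within the lookback window before the crash
        window = [s for s in starts[(device_id, pid)]
                  if crash_time - lookback <= s["Timestamp"] <= crash_time]
        if not window:
            continue
        # PIDs are reused; the most recent start before the crash is the one that crashed.
        start = max(window, key=lambda s: s["Timestamp"])
        matched.append((crash_time, start["DeviceName"], start["FileName"]))
    return matched


def summarize(matched):
    """Per FileName: total crashes, distinct devices, per-device counts, last crash per device."""
    per_file = defaultdict(lambda: {"TotalCrashes": 0,
                                    "DeviceCrashCounts": defaultdict(int),
                                    "LastCrashPerDevice": {}})
    for crash_time, device, file_name in matched:
        rec = per_file[file_name]
        rec["TotalCrashes"] += 1
        rec["DeviceCrashCounts"][device] += 1
        last = rec["LastCrashPerDevice"].get(device)
        if last is None or crash_time > last:
            rec["LastCrashPerDevice"][device] = crash_time
    result = {fn: {"TotalCrashes": r["TotalCrashes"],
                   "TotalDevices": len(r["DeviceCrashCounts"]),
                   "DeviceCrashCounts": dict(r["DeviceCrashCounts"]),
                   "LastCrashPerDevice": r["LastCrashPerDevice"]}
              for fn, r in per_file.items()}
    # Equivalent of "| sort by TotalCrashes" (descending, as in KQL's default)
    return dict(sorted(result.items(), key=lambda kv: kv[1]["TotalCrashes"], reverse=True))


# Constructed sample events (not real telemetry); minutes are relative to T0.
T0 = datetime(2022, 10, 13, 9, 0, 0)


def ev(minutes, device_id, device_name, file_name, pid, cmd):
    return {"Timestamp": T0 + timedelta(minutes=minutes), "DeviceId": device_id,
            "DeviceName": device_name, "FileName": file_name, "ProcessId": pid,
            "ProcessCommandLine": cmd}


SAMPLE_EVENTS = [
    ev(0, "dev-a", "WS-A", "outlook.exe", 4128, "outlook.exe"),
    ev(5, "dev-a", "WS-A", "WerFault.exe", 9001, "WerFault.exe -u -p 4128 -s 1404"),
    ev(10, "dev-a", "WS-A", "outlook.exe", 4128, "outlook.exe"),  # PID 4128 reused on restart
    ev(20, "dev-a", "WS-A", "WerFault.exe", 9002, "WerFault.exe -u -p 4128 -s 1500"),
    ev(0, "dev-b", "WS-B", "outlook.exe", 123456, "outlook.exe"),  # six-digit PID
    ev(3, "dev-b", "WS-B", "WerFault.exe", 9003, "WerFault.exe -pss -s 1184 -p 123456 -ip 123456"),
    ev(0, "dev-b", "WS-B", "teams.exe", 777, "teams.exe"),
    ev(1, "dev-b", "WS-B", "WerFault.exe", 9004, "WerFault.exe -u -p 777 -s 1600"),
    ev(-3000, "dev-a", "WS-A", "chrome.exe", 555, "chrome.exe"),  # started 50 h earlier: outside window
    ev(0, "dev-a", "WS-A", "WerFault.exe", 9005, "WerFault.exe -u -p 555 -s 1700"),
]

if __name__ == "__main__":
    for file_name, rec in summarize(correlate(SAMPLE_EVENTS)).items():
        print(file_name, rec)
```

Running it reports outlook.exe with three crashes across two devices and teams.exe with one; the chrome.exe crash is dropped because its start event lies outside the one-day window, which is the same reason the query's `between` clause can miss long-running processes.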

C.J. May
Released: October 13, 2022