Query Details

Track The Working Directories Of Processes

Query

Use Case: Analyzing and auditing system processes for security or operational efficiency by listing their names, IDs, working directories, start times, and command lines in chronological order.

Query: 

Process
| project ProcessName, ProcessId, CurrentWorkingDirectory, StartDateTime, CommandLine
| where isnotnull(CurrentWorkingDirectory) and CurrentWorkingDirectory != '' // Filter out null or empty working directories
| order by ProcessName asc, StartDateTime asc // KQL order by defaults to descending; asc gives the chronological order described below

Explanation

This query retrieves information about system processes: their names, IDs, working directories, start times, and command lines. It filters out processes whose working directory is null or empty and sorts the results by process name and then, within each name, in chronological order by start time.

Details

Ugur Koc

Released: February 4, 2024

Tables

Process

Keywords

Process, Project, ProcessName, ProcessId, CurrentWorkingDirectory, StartDateTime, CommandLine, Where, IsNotNull, !=, Orderby

Operators

project, where, isnotnull, !=, order by