Query Details

Noise Process Creation

Query

// SecurityEvent - Process Creation Noise (EventID 4688)
// Process creation is typically the #1 cost driver in SecurityEvent.
// This query identifies the noisiest process names that could be
// filtered via DCR transform (where EventID != 4688 or ProcessName !in (...))
// =====================================================================

let _TotalProcessEvents = toscalar(
    SecurityEvent
    | where TimeGenerated > ago(7d)
    | where EventID == 4688
    | count
);
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4688
// Leaf of the full path, e.g. C:\Windows\System32\svchost.exe -> svchost.exe
| extend ProcessName = tostring(split(NewProcessName, "\\")[-1])
| summarize
    EventCount = count(),
    DistinctComputers = dcount(Computer),
    DistinctAccounts = dcount(SubjectAccount)
    by ProcessName
// Sort before row_cumsum: window functions require serialized (ordered) input,
// and the running total only makes sense accumulated from the noisiest process down.
| order by EventCount desc
| extend
    PctOfAllProcessEvents = round(toreal(EventCount) * 100.0 / _TotalProcessEvents, 2),
    CumulativeCount = row_cumsum(EventCount)
| extend
    CumulativePct = round(toreal(CumulativeCount) * 100.0 / _TotalProcessEvents, 2)
| extend
    FilterAction = case(
        PctOfAllProcessEvents > 10, "FILTER: >10% of all process events - Strong DCR exclude candidate",
        PctOfAllProcessEvents > 5, "REVIEW: >5% - Likely low-value, evaluate security need",
        PctOfAllProcessEvents > 2, "CONSIDER: >2% - Check if covered by EDR/MDE already",
        "KEEP"
    )
| project
    ProcessName, EventCount, PctOfAllProcessEvents, CumulativePct,
    DistinctComputers, DistinctAccounts, FilterAction
| take 50

Explanation

This query is designed to analyze and identify the most frequently occurring process creation events in security logs, specifically those with EventID 4688, over the past seven days. Here's a simplified breakdown of what the query does:

  1. Calculate Total Process Events: It first calculates the total number of process creation events (EventID 4688) that occurred in the last seven days.

  2. Filter and Extract Process Names: It then filters the security events to only those with EventID 4688, extracts the process name (the last segment of the full path in NewProcessName), and groups the events by that name.

  3. Summarize Data: For each process name, it calculates:

    • The total number of events (EventCount).
    • The number of distinct computers and accounts associated with these events.
    • The percentage of these events relative to all process creation events.
    • A running (cumulative) count and percentage, so you can see how quickly the top processes account for the total event volume.

  4. Determine Filter Action: Based on the percentage of total events each process represents, it suggests actions:

    • FILTER: If a process accounts for more than 10% of all events, it's a strong candidate for exclusion.
    • REVIEW: If it accounts for more than 5%, it should be reviewed for its security relevance.
    • CONSIDER: If it accounts for more than 2%, check whether it's already monitored by other security tools.
    • KEEP: Otherwise, keep monitoring it.

  5. Output and Order: Finally, it lists the top 50 process names by event count, along with their calculated metrics and suggested actions, ordered by the number of events.

In essence, this query helps identify and prioritize which process creation events might be generating excessive noise in security logs, allowing for more efficient monitoring and potential filtering to focus on more significant security events.
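The DCR transform sketched in the query's header comment, spelled out as an added example (not part of the original query or its author's work). It assumes the transform is placed in the transformKql property of the data collection rule's dataFlows entry for the Microsoft-SecurityEvent stream, and the two process names are placeholders to be replaced with the rows the noise query marked FILTER.

```kusto
// Added example: workspace transformation that drops EventID 4688 rows for the
// processes the noise query flagged as FILTER candidates, before ingestion.
// ProcessName in the noise query is a derived column, not a raw SecurityEvent
// field, so the transform must re-derive it from NewProcessName itself.
source
// Leaf of the executable path, lower-cased so the exclusion list is case-insensitive.
| extend NoiseProc = tolower(extract(@"([^\\]+)$", 1, NewProcessName))
// Keep every non-4688 event, and keep every 4688 whose process is not excluded.
// The names below are PLACEHOLDERS: substitute the FILTER rows from the noise query.
| where EventID != 4688 or NoiseProc !in (
    "placeholder-noisy-process-1.exe",
    "placeholder-noisy-process-2.exe"
)
// Drop the helper column so the output schema still matches SecurityEvent.
| project-away NoiseProc
```

Events dropped by a transform never reach the workspace, so re-run the noise query after the DCR has been updated to confirm the FILTER rows have disappeared and check that the CONSIDER tier's EDR/MDE coverage question was answered before anything in that tier is added to the list.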

Details


David Alonso

Released: April 8, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, Process, EventID, ProcessName, Computer, SubjectAccount, TimeGenerated, EventCount, DistinctComputers, DistinctAccounts, PctOfAllProcessEvents, CumulativeCount, CumulativePct, FilterAction

Operators

let, toscalar, SecurityEvent, where, ago, count, extend, tostring, split, summarize, dcount, by, round, toreal, row_cumsum, case, project, order by, take
