Create AlertsWithProcess.txt

Hunting Queries/SecurityAlert/AlertsWithProcess.txt

@@ -0,0 +1,26 @@
+// Name: Alerts With This Process
+// Description: Any Alerts that fired on any host with this same process in the range of +-1d
+//
+// Entity: Process
+// Input: ProcessName
+// Output: Alerts
+//
+// QueryPeriod: +-1d, change as needed
+//
+// Data Source: SecurityAlert
+//
+// Tactics: #Execution, #Persistence, #Discovery, #Lateral Movement, #Collection
+//
+let GetAllAlertsWithProcess = (suspiciousEventTime:datetime, v_Process:string){
+let v_StartTime = suspiciousEventTime-1d;
+let v_EndTime = suspiciousEventTime+1d;
+SecurityAlert
+| where TimeGenerated between (v_StartTime .. v_EndTime)
+| extend Computer = toupper(parse_json(ExtendedProperties).["Compromised Host"])
+| extend ProcessName = parse_json(ExtendedProperties).["Suspicious Process"]
+| where ProcessName has v_Process
+| project TimeGenerated, AlertName, Computer
+| top 10 by TimeGenerated desc nulls last 
+};
+// change datetime value and <processname> value below
+GetAllAlertsWithProcess(datetime('2019-01-18T10:36:07Z'), "<processname>")