List of processes identified through event id 4688 and listed in the www.eventid.net list of processes that may indicate suspicious activity. To generate event id 4688, a system requires the audit of process creation. See the documentation for more details.Interesting Processes
`event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ (EventCode=4688) | lookup processlookup full_path_process as New_Process_Name OUTPUT process | lookup interesting_process_lookup process OUTPUT Category,Process_Details | search Category="*" | table _time, host, Account_Name, Process_Command_Line, process,Category,Process_Details, New_Process_ID,
Creator_Process_ID | rename host as Server,process as Process,Process_Details as "Interesting Process Details"$interval.earliest$$interval.latest$1
Last 100 Processes
`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$
| head 100
| table _time, host,Account_Name, New_Process_Name,Process_Command_Line, New_Process_ID,
Creator_Process_ID$interval.earliest$$interval.latest$1
Top Processes
`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ | stats count by host, New_Process_Name | table host, New_Process_Name,count | sort -count | rename count as Count$interval.earliest$$interval.latest$1
Least Common Processes
`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ | stats count by host, New_Process_Name | table host, New_Process_Name,count | sort count| rename count as Count$interval.earliest$$interval.latest$1
Unusually Long CLI Commands
`event_sources` (EventCode=4688) AND (ComputerName="*") AND * Account_Name != "*$$*" (Creator_Process_ID="*") (New_Process_ID="*") New_Process_Name = "*" | head 100 | table _time, host,Account_Name, New_Process_Name,Process_Command_Line, New_Process_ID,
Creator_Process_ID-24h@hnow1