Forum Discussion
How do I query a process in Kusto for MATP (Microsoft Advanced Threat Protection)?
Hi, hope you are all good!
This is Daniel from MDATP.
You started off great, ProcessCreationEvents is a great source to get information about process creation events. But, as I understand from your case, you are more interested in adding network communication data. This is why I would suggest taking a look at the NetworkCommunicationEvents table. I would use the initiating process file name in case you want to include only AnyDesk process communication events and to exclude the svchost events. For the remote destination you can use the following fields as well:
- RemoteUrl
- RemoteIP
- RemotePort
- LocalPort
It should look something like this:
NetworkCommunicationEvents
| where InitiatingProcessFileName =~ 'AnyDesk.exe'
| where InitiatingProcessFileName != 'svchost.exe'
| where RemoteUrl in ('bing.com')
| project EventTime, ComputerName, InitiatingProcessAccountName, InitiatingProcessCommandLine, MachineId, ReportId, RemoteIP, RemotePort
| take 10
Let me know if that helps!
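As an added example (not part of Daniel's answer), the following KQL builds on the same NetworkCommunicationEvents table and field names to summarise, per device, every remote destination AnyDesk.exe has connected to, so unexpected endpoints stand out. The 7-day lookback and the bing.com allow-list are assumptions, as is using has_any instead of in so that subdomains of an allowed domain also match.

```kql
// Added hunting example, not from the original post.
// Goal: list where AnyDesk.exe has been talking to, grouped by device and
// destination, with first/last seen and the command lines that launched it.
let lookback = 7d;                                   // assumed time window
let rat_process = "AnyDesk.exe";                     // remote-access tool of interest
let expected_domains = dynamic(["bing.com"]);        // constructed allow-list; replace with your own
NetworkCommunicationEvents
| where EventTime > ago(lookback)
// '=~' is case-insensitive equality, so anydesk.exe and AnyDesk.exe both match
| where InitiatingProcessFileName =~ rat_process
// Drop destinations we already expect; has_any matches whole terms, so
// sub.bing.com is excluded as well, unlike an exact 'in' comparison
| where isempty(RemoteUrl) or not(RemoteUrl has_any (expected_domains))
| summarize
    Connections  = count(),
    FirstSeen    = min(EventTime),
    LastSeen     = max(EventTime),
    RemotePorts  = make_set(RemotePort),
    Accounts     = make_set(InitiatingProcessAccountName),
    CommandLines = make_set(InitiatingProcessCommandLine),
    ReportIds    = make_set(ReportId)
    by ComputerName, MachineId, RemoteIP, RemoteUrl
// Destinations seen from many devices are usually vendor infrastructure;
// a destination seen from a single device a handful of times deserves a look
| extend DeviceCount = 1
| order by Connections asc, LastSeen desc
```

Swap the summarize key for ComputerName alone to get a per-device count of distinct destinations instead of per-destination detail.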
Daniel Naim, thank you so much, I'm going to update and run it now, will send the results soon.