Forum Discussion
How do I query a process in Kusto for MATP (Microsoft Advanced Threat Protection)?
Hi, hope you are all good!
This is Daniel from MDATP.
You started off great; ProcessCreationEvents is a great source of information about process creation events. But, as I understand from your case, you are more interested in adding network communication data. This is why I would suggest taking a look at the NetworkCommunicationEvents table. I would use the initiating process file name in case you want to include only AnyDesk process communication events and to exclude the svchost events. For the remote destination you can use the following fields as well:
- RemoteUrl
- RemoteIP
- RemotePort
- LocalPort
It should look something like this:
NetworkCommunicationEvents
// case-insensitive match on the image name of the process that opened the connection
| where InitiatingProcessFileName =~ 'AnyDesk.exe'
| where InitiatingProcessFileName != 'svchost.exe'
// 'in' takes a parenthesised list of values
| where RemoteUrl in ('bing.com')
| project EventTime, ComputerName, InitiatingProcessAccountName, InitiatingProcessCommandLine, MachineId, ReportId, RemoteIP, RemotePort
| take 10
Let me know if that helps!
Daniel Naim, OK, good news: it's a better report, thank you for that. Question: why is it showing AnyDesk.exe failed to establish a connection with 172.107.198.38:80 when I do have a connection? See attached screenshot.
- Daniel Naim, May 12, 2019 (Former Employee): "Failed to establish connection" means that in this instance the connection didn't go through. If you do have a successful connection from this process to this IP, this can appear later in time in advanced hunting or the machine timeline.
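The following query is an added example, not code from either participant in the thread. It extends Daniel's NetworkCommunicationEvents query so that the failed and successful attempts from AnyDesk.exe to the same remote endpoint land on one row, which directly answers the "failed to establish connection, but I do have a connection" question: a ConnectionFailed event and a later ConnectionSuccess event to the same RemoteIP:RemotePort are separate rows in the raw data, so summarising them side by side shows whether the endpoint ever succeeded. It assumes the 2019-era schema used above (NetworkCommunicationEvents, EventTime, ComputerName, MachineId, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl) and that the ActionType column carries the values "ConnectionSuccess" and "ConnectionFailed"; the IP filter reuses the address from the thread and is optional.

```kusto
// Added example (not from the original posts). Assumes the 2019-era
// NetworkCommunicationEvents schema and ActionType values
// "ConnectionSuccess" / "ConnectionFailed".
NetworkCommunicationEvents
| where EventTime > ago(7d)
// Case-insensitive match on the image name of the process that opened the socket.
| where InitiatingProcessFileName =~ "AnyDesk.exe"
// Optional: narrow to the endpoint from the screenshot. Remove to see all destinations.
| where RemoteIP == "172.107.198.38" and RemotePort == 80
// One row per machine and remote endpoint, with both outcomes counted.
| summarize
    Attempts   = count(),
    Failed     = countif(ActionType == "ConnectionFailed"),
    Succeeded  = countif(ActionType == "ConnectionSuccess"),
    FirstSeen  = min(EventTime),
    LastSeen   = max(EventTime),
    // keep up to 5 distinct command lines so a renamed or odd launch stands out
    CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by ComputerName, MachineId, RemoteIP, RemotePort, RemoteUrl
// "failed only" is the case that looks alarming in the timeline but may simply
// mean the success event has not been reported yet (or never happened).
| extend Outcome = case(Succeeded > 0 and Failed > 0, "mixed",
                        Succeeded > 0, "success only",
                        "failed only")
| project ComputerName, MachineId, RemoteIP, RemotePort, RemoteUrl,
          Attempts, Failed, Succeeded, Outcome, FirstSeen, LastSeen, CommandLines
| order by LastSeen desc
```

Run it without the RemoteIP/RemotePort filter to get the full set of AnyDesk destinations per machine; an endpoint that stays "failed only" for the whole window is worth checking against the machine timeline, since the reply above notes that a later successful attempt can appear after the failure.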