Hypothesis-driven · federated

Threat hunt

Natural-language → portable query, translated to your connected SIEM, EDR, and cloud-log sources. Search-in-place — no forced migration.

Ask in plain English
scope: Sentinel + Falcon · window: 24h
Translated KQL
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("winword.exe","excel.exe","outlook.exe","powerpnt.exe")
| where FileName =~ "powershell.exe"
| project Timestamp, DeviceName, AccountName,
          ParentProcess = InitiatingProcessFileName,
          ParentCmd = InitiatingProcessCommandLine,
          ChildCmd = ProcessCommandLine
| order by Timestamp desc
Results · 7 rows · 412 ms · federated across 2 sources

| time     | host         | user       | parent                | child cmd                                                 |
|----------|--------------|------------|-----------------------|-----------------------------------------------------------|
| 08:14:22 | WIN-FIN-0142 | m.kowalski | winword.exe → cmd.exe | powershell.exe -enc JABz…                                 |
| 07:55:01 | WIN-MKT-0218 | r.ortega   | excel.exe             | powershell.exe -ExecutionPolicy Bypass -File update.ps1   |
| 07:30:14 | WIN-OPS-0089 | k.iwata    | outlook.exe           | powershell.exe -nop -w hidden                             |
| 07:12:55 | WIN-HR-0066  | s.davis    | winword.exe           | powershell.exe Get-Process                                |
| 06:48:00 | WIN-FIN-0142 | m.kowalski | outlook.exe → cmd.exe | powershell.exe -nop -enc YQBh…                            |
| 06:21:33 | WIN-FIN-0220 | n.tran     | excel.exe             | powershell.exe -File macro.ps1                            |
| 05:58:09 | WIN-LEG-0011 | p.lopez    | winword.exe           | powershell.exe Get-ChildItem C:\                          |
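Seven rows from an Office-spawns-PowerShell hunt still need an analyst to decide which to open first. The script below is an added example, not part of this product or its query translator: it takes rows in the shape of the result table above, scores each on the PowerShell launch flags hunters usually weigh first (encoded command, hidden window, profile or execution-policy suppression, an extra cmd.exe hop between the Office parent and PowerShell), and decodes any -EncodedCommand payload so the script body can be read. The rows, the weights and the encoded payload are constructed here; the payload is a harmless string encoded by the script itself, not the truncated values shown in the table.

```python
"""Triage helper for Office -> PowerShell hunt results (added example)."""
import base64
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Row = Tuple[str, str, str, str, str]  # (time, host, user, parent chain, child cmd)


def encode_command(cmd: str) -> str:
    """Build a -EncodedCommand value: base64 over UTF-16LE text, which is
    the encoding powershell.exe expects. Used here only to construct the
    sample row so the example runs offline."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Reverse of encode_command; returns a marker instead of raising so a
    malformed or truncated payload does not abort the whole triage run."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


# Constructed sample rows mirroring the hunt's result columns.
SAMPLE_ROWS: List[Row] = [
    ("08:14:22", "WIN-FIN-0142", "m.kowalski", "winword.exe → cmd.exe",
     "powershell.exe -enc " + encode_command('$s = "constructed sample"; Write-Output $s')),
    ("07:55:01", "WIN-MKT-0218", "r.ortega", "excel.exe",
     "powershell.exe -ExecutionPolicy Bypass -File update.ps1"),
    ("07:30:14", "WIN-OPS-0089", "k.iwata", "outlook.exe",
     "powershell.exe -nop -w hidden"),
    ("07:12:55", "WIN-HR-0066", "s.davis", "winword.exe",
     "powershell.exe Get-Process"),
]

# Accepted spellings of the launch switches (PowerShell allows unambiguous
# prefixes). Weights are this example's own choice, not a vendor scale.
ENCODED = {"-e", "-ec", "-enc", "-encodedcommand"}
NOPROFILE = {"-nop", "-noprofile"}
WINDOWSTYLE = {"-w", "-windowstyle"}
EXECPOLICY = {"-ep", "-executionpolicy"}
NONINTERACTIVE = {"-noni", "-noninteractive"}


@dataclass
class Triage:
    time: str
    host: str
    user: str
    score: int = 0
    flags: List[str] = field(default_factory=list)
    decoded: Optional[str] = None  # readable body of an encoded command, if any

    @property
    def severity(self) -> str:
        return "high" if self.score >= 3 else "medium" if self.score > 0 else "low"


def triage_row(row: Row) -> Triage:
    """Score one result row on its launch flags and parent chain."""
    time, host, user, parent, cmd = row
    t = Triage(time, host, user)
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        low = tok.lower()
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if low in ENCODED:
            t.score += 3
            t.flags.append("encoded-command")
            if nxt:  # a trailing -enc with no payload stays undecoded
                t.decoded = decode_command(tokens[i + 1])
        elif low in NOPROFILE:
            t.score += 1
            t.flags.append("no-profile")
        elif low in WINDOWSTYLE and nxt == "hidden":
            t.score += 2
            t.flags.append("hidden-window")
        elif low in EXECPOLICY and nxt == "bypass":
            t.score += 2
            t.flags.append("execution-policy-bypass")
        elif low in NONINTERACTIVE:
            t.score += 1
            t.flags.append("non-interactive")
    if "cmd.exe" in parent.lower():  # Office -> cmd.exe -> powershell.exe indirection
        t.score += 1
        t.flags.append("cmd-hop")
    return t


def triage_rows(rows: List[Row]) -> List[Triage]:
    return [triage_row(r) for r in rows]


def prioritize(rows: List[Row]) -> List[Triage]:
    """Highest score first; ties broken by most recent time."""
    return sorted(triage_rows(rows), key=lambda t: (-t.score, t.time), reverse=False)


if __name__ == "__main__":
    for t in prioritize(SAMPLE_ROWS):
        print(f"{t.severity:6} {t.score} {t.host:13} {t.user:11} {t.flags} {t.decoded or ''}")
```

The ordering puts the encoded launch from WIN-FIN-0142 first, because the encoded flag and the extra cmd.exe hop are the two signals least explainable by a legitimate macro, while the plain `Get-Process` row drops to the bottom. The decoder handles truncated blobs like the table's `JABz…` by returning a marker rather than crashing, which matters when the SIEM column itself has been clipped.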