Hypothesis-driven · federated
Threat hunt
Natural language → portable query, translated to your connected SIEM, EDR, and cloud-log sources. Search-in-place — no forced migration.
Ask in plain English
scope: Sentinel + Falcon · window: 24h
Translated KQL
```kql
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("winword.exe","excel.exe","outlook.exe","powerpnt.exe")
| where FileName =~ "powershell.exe"
| project Timestamp, DeviceName, AccountName,
    ParentProcess = InitiatingProcessFileName,
    ParentCmd = InitiatingProcessCommandLine,
    ChildCmd = ProcessCommandLine
| order by Timestamp desc
```

Results · 7 rows · 412ms · federated across 2 sources
| time | host | user | parent | child cmd |
|---|---|---|---|---|
| 08:14:22 | WIN-FIN-0142 | m.kowalski | winword.exe → cmd.exe | powershell.exe -enc JABz… |
| 07:55:01 | WIN-MKT-0218 | r.ortega | excel.exe | powershell.exe -ExecutionPolicy Bypass -File update.ps1 |
| 07:30:14 | WIN-OPS-0089 | k.iwata | outlook.exe | powershell.exe -nop -w hidden |
| 07:12:55 | WIN-HR-0066 | s.davis | winword.exe | powershell.exe Get-Process |
| 06:48:00 | WIN-FIN-0142 | m.kowalski | outlook.exe → cmd.exe | powershell.exe -nop -enc YQBh… |
| 06:21:33 | WIN-FIN-0220 | n.tran | excel.exe | powershell.exe -File macro.ps1 |
| 05:58:09 | WIN-LEG-0011 | p.lopez | winword.exe | powershell.exe Get-ChildItem C:\ |
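As an added example (not code from the product page), the same Office-parent → PowerShell hunt expressed in Python over constructed DeviceProcessEvents-style rows, with a first triage pass that surfaces risky PowerShell switches and decodes an -enc payload; the hosts, users, timestamps and payload are constructed for this example.

```python
# Added example, not the product's code: the Office-parent -> PowerShell hunt from the
# KQL above, over constructed DeviceProcessEvents-style rows, plus a first triage pass.
import base64
import re
from datetime import datetime, timedelta, timezone

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# PowerShell switches worth surfacing in triage when the parent is an Office app.
RISKY_SWITCHES = {"-nop": "NoProfile", "-noprofile": "NoProfile",
                  "-w": "WindowStyle", "-windowstyle": "WindowStyle",
                  "-ep": "ExecutionPolicy", "-executionpolicy": "ExecutionPolicy",
                  "-e": "EncodedCommand", "-enc": "EncodedCommand", "-encodedcommand": "EncodedCommand"}
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # fixed "now" for a reproducible window
ENC = base64.b64encode("Get-Date".encode("utf-16-le")).decode()  # constructed -enc payload (UTF-16LE base64)
SAMPLE_EVENTS = [  # constructed rows, not real telemetry
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "WS-01", "AccountName": "alice",
     "InitiatingProcessFileName": "WINWORD.EXE", "FileName": "powershell.exe",
     "ProcessCommandLine": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"Timestamp": NOW - timedelta(hours=2), "DeviceName": "WS-02", "AccountName": "bob",
     "InitiatingProcessFileName": "excel.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe Get-Process"},
    {"Timestamp": NOW - timedelta(hours=30), "DeviceName": "WS-04", "AccountName": "dan",
     "InitiatingProcessFileName": "winword.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -w hidden"},  # outside the 24h window: excluded
]

def decode_encoded_command(cmdline):
    """Decoded -enc payload, '<undecodable>' on bad base64/UTF-16, or None if absent."""
    m = re.search(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"

def hunt(events, now=NOW, window=timedelta(hours=24)):
    """Mirror the KQL (in~ / =~ are case-insensitive), then rank hits by risky-switch count."""
    hits = []
    for ev in events:
        if (ev["Timestamp"] <= now - window
                or ev["InitiatingProcessFileName"].lower() not in OFFICE_PARENTS
                or ev["FileName"].lower() != "powershell.exe"):
            continue
        tokens = ev["ProcessCommandLine"].lower().split()
        flags = sorted({RISKY_SWITCHES[t] for t in tokens if t in RISKY_SWITCHES})
        hits.append({"host": ev["DeviceName"], "user": ev["AccountName"],
                     "parent": ev["InitiatingProcessFileName"], "flags": flags,
                     "decoded": decode_encoded_command(ev["ProcessCommandLine"])})
    return sorted(hits, key=lambda h: len(h["flags"]), reverse=True)
```

Ranking by switch count is only a first pass; in practice the decoded payload and the parent's own command line (the ParentCmd column above) decide whether a hit is a macro-driven launch or an administrator's shortcut.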