Question Analysis

let threshold = 10; // Minimum count value we consider 'large' let PingProcs = DeviceProcessEvents | where FileName == "ping" | extend CountVal = toint(extract("-c +([0-9]+)", 1, ProcessCommandLine)) | where isnotnull(CountVal) and CountVal >= threshold | project DeviceId, DeviceName, AccountName, AccountDomain, SessionId=CreatedProcessSessionId, PingProcessId=ProcessId, PingCommand=ProcessCommandLine, PingStart=ProcessCreationTime, PingCount=CountVal, PingEnd=ProcessCreationTime + 1s * CountVal; DeviceProcessEvents | where ProcessCreationTime > ago(30d) // Remove or adapt timerange as needed | project DeviceId, DeviceName, AccountName, AccountDomain, ProcessId, ProcessCommandLine, ProcessCreationTime, SessionId=CreatedProcessSessionId | join kind=inner ( PingProcs ) on DeviceId, DeviceName, AccountName, AccountDomain, SessionId | where ProcessCreationTime > PingEnd and ProcessCreationTime < PingEnd + 2m // Next process soon after ping | extend dt = ProcessCreationTime - PingEnd | summarize NextProcessTime=min(ProcessCreationTime) by DeviceName, AccountName, SessionId, PingProcessId, PingCommand, PingStart, PingEnd, PingCount, DeviceId, AccountDomain | join kind=inner ( DeviceProcessEvents | project DeviceId, DeviceName, AccountName, CreatedProcessSessionId, ProcessCreationTime, ProcessCommandLine, ProcessId ) on $left.DeviceId == $right.DeviceId and $left.DeviceName == $right.DeviceName and $left.AccountName == $right.AccountName and $left.SessionId == $right.CreatedProcessSessionId and $left.NextProcessTime == $right.ProcessCreationTime | project DeviceName, AccountName, PingCommand, PingStart, PingEnd, PingCount, NextCommand=ProcessCommandLine, NextStart=ProcessCreationTime | sort by PingEnd asc

DeviceProcessEvents | where InitiatingProcessCommandLine contains "ping" and InitiatingProcessCommandLine matches regex @"\-c \d{2,}" | project InitiatingProcessCommandLine, ProcessCommandLine, ProcessCreationTime | sort by ProcessCreationTime asc | extend SubsequentProcess = next(ProcessCommandLine)

DeviceProcessEvents | where ProcessCommandLine contains "ping" and ProcessCommandLine contains "-c" | where ProcessCommandLine matches regex "-c\\s*([1-9][0-9]|[0-9]{3,})" | project DeviceName, PingProcessId=ProcessId, PingCommandLine=ProcessCommandLine, PingCreationTime=ProcessCreationTime, SessionId=CreatedProcessSessionId | join kind=inner ( DeviceProcessEvents | project DeviceName, SubsequentProcessId=ProcessId, SubsequentCommandLine=ProcessCommandLine, SubsequentCreationTime=ProcessCreationTime, SessionId=CreatedProcessSessionId ) on DeviceName, SessionId | where SubsequentCreationTime > PingCreationTime | summarize arg_min(SubsequentCreationTime, SubsequentCommandLine, SubsequentProcessId) by DeviceName, PingProcessId, PingCommandLine, PingCreationTime | project DeviceName, PingCommandLine, SubsequentCommandLine, PingCreationTime, SubsequentCreationTime

let LinuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) | where InitiatingProcessCommandLine contains "ping" and InitiatingProcessCommandLine matches regex @"-c\s+\d+" | extend countValue = extract(@"-c\s+(\d+)", 1, InitiatingProcessCommandLine, typeof(long)) | where countValue > 10 | project DeviceId, Timestamp, InitiatingProcessCommandLine, ProcessCommandLine | summarize arg_max(Timestamp, *) by DeviceId, InitiatingProcessCommandLine, ProcessCommandLine | project-away Timestamp

let LinuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; // Identify ping processes on Linux endpoints with a large -c value let PingProcesses = DeviceProcessEvents | where DeviceId in (LinuxDevices) | where ActionType == "ProcessCreated" | where FileName =~ "ping" or ProcessCommandLine contains "ping" | parse kind=regex flags=U ProcessCommandLine with * "-c " Count:int " " | where isnotnull(Count) and Count > 50 | project DeviceId, PingParentProcessId = InitiatingProcessId, PingStartTime = ProcessCreationTime, LargeCount = Count; // Find the next process launched by the same parent after the ping start time DeviceProcessEvents | where DeviceId in (LinuxDevices) | where ActionType == "ProcessCreated" | join kind=inner PingProcesses on DeviceId | where InitiatingProcessId == PingParentProcessId | where ProcessCreationTime > PingStartTime | summarize arg_min(ProcessCreationTime, *) by DeviceId, PingParentProcessId, PingStartTime | project DeviceName, NextProcessCreationTime = ProcessCreationTime, NextCommand = ProcessCommandLine, LargeCount

DeviceProcessEvents | join hint.strategy=broadcast kind=inner ( DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId ) on DeviceId | where FileName == "ping" | extend CountValue = toint(extract(@"-c\s+(\d+)", 1, ProcessCommandLine)) | where isnotnull(CountValue) and CountValue > 100 | order by DeviceId asc, ProcessCreationTime asc | serialize | extend NextDeviceId = next(DeviceId), NextProcessCommandLine_raw = next(ProcessCommandLine), NextProcessCreationTime_raw = next(ProcessCreationTime) | extend NextProcessCommandLine = iif(NextDeviceId == DeviceId, NextProcessCommandLine_raw, ""), NextProcessCreationTime = iif(NextDeviceId == DeviceId, NextProcessCreationTime_raw, datetime(1970-01-01)) | project DeviceName, PingProcessCommandLine = ProcessCommandLine, PingProcessCreationTime = ProcessCreationTime, NextProcessCommandLine, NextProcessCreationTime

// Identify ping executions on Linux hosts that use a high count as a delay mechanism // (Assuming ping command includes '-c <number>' and we use a threshold of 50 counts). let PingEvents = DeviceProcessEvents // Filter events where the command contains 'ping' and '-c' | where ProcessCommandLine has "ping" and ProcessCommandLine has "-c" // Extract the count value provided in '-c <number>' using regex; if extraction fails, toint returns 0 | extend Count = toint(extract(@'-c\s+(\d+)', 1, ProcessCommandLine)) // Filter to events with a large count value (threshold here set to 50; adjust as needed) | where Count >= 50 | project DeviceId, PingProcessId = ProcessId, PingTime = ProcessCreationTime, ParentProcId = InitiatingProcessParentId, PingCmd = ProcessCommandLine; // Get all process execution events with their parent process id let AllProcesses = DeviceProcessEvents | project DeviceId, ProcId = ProcessId, ProcessTime = ProcessCreationTime, CommandLine = ProcessCommandLine, ParentProcId = InitiatingProcessParentId; // For each ping event, find the next process executed by the same parent process PingEvents | join kind=inner (AllProcesses) on DeviceId, ParentProcId // ensure the candidate process event happened after the ping event | where ProcessTime > PingTime // For each ping event, pick the process event with the minimum ProcessTime (i.e. the one immediately after) | summarize NextProcessTime = min(ProcessTime) by DeviceId, PingProcessId, PingTime, ParentProcId, PingCmd // join back to get details of the process that occurred immediately after the ping | join kind=inner (AllProcesses) on DeviceId, ParentProcId | where ProcessTime == NextProcessTime | project DeviceId, PingTime, PingCmd, NextProcessTime, NextProcId = ProcId, NextCommand = CommandLine, ParentProcId | order by PingTime desc

let pingEvents = DeviceProcessEvents | where ProcessCommandLine has "ping" // extract the count value passed to ping (e.g. 'ping -c 100') | extend PingCount = toint(extract(@"-c\s+(\d+)", 1, ProcessCommandLine)) | where isnotempty(PingCount) and PingCount >= 100 | project DeviceId, PingTime = ProcessCreationTime, PingProcessId = ProcessId, PingCommandLine = ProcessCommandLine; let nextProcesses = DeviceProcessEvents | project DeviceId, ProcessCreationTime, NextProcessCommandLine = ProcessCommandLine; // For each ping event, join with subsequent process events on the same device and select the earliest event that occurred after the ping pingEvents | join kind=inner (nextProcesses) on DeviceId | where ProcessCreationTime > PingTime | summarize NextProcessTime = min(ProcessCreationTime) by DeviceId, PingTime, PingProcessId, PingCommandLine | join kind=inner (nextProcesses) on DeviceId | where ProcessCreationTime == NextProcessTime | project DeviceId, PingTime, PingProcessId, PingCommandLine, NextProcessTime, NextProcessCommandLine