Question Analysis

DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine contains "arp" and ProcessCommandLine contains "-a" | project Timestamp, DeviceName, ProcessCommandLine | order by Timestamp asc

DeviceProcessEvents | where ActionType == 'ProcessCreated' and ProcessCommandLine contains 'arp -a' | project ProcessCommandLine, ProcessCreationTime, InitiatingProcessCommandLine, InitiatingProcessCreationTime

DeviceProcessEvents | where InitiatingProcessCommandLine has 'arp' and InitiatingProcessCommandLine has '-a' | project DeviceName, InitiatingProcessCommandLine, ProcessCreationTime

DeviceProcessEvents | where (tolower(FileName) has "arp" or tolower(ProcessCommandLine) has "arp") | where ProcessCommandLine matches regex @"arp(.exe)?\s+(-a|-g)" | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine

DeviceProcessEvents | where FileName =~ "arp.exe" or ProcessCommandLine contains "arp" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine contains 'arp -a' | project ProcessCreationTime, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine | order by ProcessCreationTime desc

DeviceProcessEvents | where ProcessCommandLine contains 'arp' and ProcessCommandLine contains ' -a' | project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

DeviceProcessEvents | where ActionType == "ProcessCreated" | where isnotempty(ProcessCommandLine) | where ( (FileName =~ "arp.exe" or ProcessCommandLine matches regex @"(?i)\barp(\.exe)?\b") and ProcessCommandLine matches regex @"(?i)\s-(a|g)\b" ) or ( (FileName =~ "netsh.exe" or ProcessCommandLine matches regex @"(?i)\bnetsh(\.exe)?\b") and ProcessCommandLine matches regex @"(?i)\binterface\s+(ip|ipv4)\s+show\s+neighbors?\b" ) | project Timestamp, DeviceName, AccountDomain, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Executions=count() by DeviceName, AccountDomain, AccountName, ProcessCommandLine | order by LastSeen desc

union DeviceProcessEvents, DeviceEvents | extend cmd = tolower(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, "")) // Filter for common ways to list ARP neighbors/cache: arp.exe (arp -a), Get-NetNeighbor / Get-NetIPNeighbor, and netsh neighbor show | where cmd contains "arp" or cmd contains "get-netneighbor" or cmd contains "get-netipneighbor" or (cmd contains "netsh" and (cmd contains "neighbor" or cmd contains "show neighbors")) | extend matched = case( cmd contains "get-netneighbor" or cmd contains "get-netipneighbor", "Get-NetNeighbor", cmd contains "arp", "arp.exe", cmd contains "netsh" and (cmd contains "neighbor" or cmd contains "show neighbors"), "netsh neighbors", "other") | project TimeGenerated, ProcessCreationTime, DeviceName, AccountName, FileName, ProcessId, InitiatingProcessId, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, matched | order by ProcessCreationTime desc

// Query to find when built-in utilities were used to list ARP cache (arp.exe, netsh show neighbors, Get-NetNeighbor) // Timerange should be set by the caller; uncomment/adjust the where Timestamp >= ago(...) line if needed. let arp_regex = @"(?i)\barp(\.(exe))?\b(\s+(-a|-g|/a|/g)\b)?"; let netsh_neighbors_regex = @"(?i)\bnetsh\b.*\b(interface|ip|ipv4)\b.*\b(show)\b.*\b(neighb|neighbors|arp)\b"; let get_netneighbor_regex = @"(?i)\bGet-NetNeighbor\b|\bGet\-NetNeighbor\b|\bGetNeighbors\b"; // Preferred: DeviceProcessEvents DeviceProcessEvents // | where Timestamp >= ago(30d) // set timerange externally | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | extend cmd = tostring(ProcessCommandLine), exe = tolower(tostring(FileName)) | where cmd matches regex arp_regex or cmd matches regex netsh_neighbors_regex or cmd matches regex get_netneighbor_regex or exe contains "arp" | extend MatchedCommand = iff(cmd matches regex arp_regex, extract(arp_regex, 0, cmd), iff(cmd matches regex netsh_neighbors_regex, extract(netsh_neighbors_regex, 0, cmd), iff(cmd matches regex get_netneighbor_regex, extract(get_netneighbor_regex, 0, cmd), exe))) | summarize arg_max(Timestamp, *) by ProcessId | project Timestamp, DeviceName, AccountName, AccountDomain = AccountDomain, ProcessId, FileName, ProcessCommandLine = cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, MatchedCommand | union ( DeviceEvents // | where Timestamp >= ago(30d) | where isnotempty(ProcessCommandLine) or isnotempty(FileName) | extend cmd = tostring(ProcessCommandLine), exe = tolower(tostring(FileName)) | where cmd matches regex arp_regex or cmd matches regex netsh_neighbors_regex or cmd matches regex get_netneighbor_regex or exe contains "arp" | extend MatchedCommand = iff(cmd matches regex arp_regex, extract(arp_regex, 0, cmd), iff(cmd matches regex netsh_neighbors_regex, extract(netsh_neighbors_regex, 0, cmd), iff(cmd matches regex get_netneighbor_regex, extract(get_netneighbor_regex, 0, cmd), exe))) | summarize arg_max(Timestamp, *) by ReportId, ProcessId | project Timestamp, DeviceName, AccountName, AccountDomain = AccountDomain, ProcessId, FileName, ProcessCommandLine = cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, MatchedCommand ) | order by Timestamp desc | where isnotempty(MatchedCommand)

DeviceProcessEvents | where (InitiatingProcessFileName endswith "arp.exe" or InitiatingProcessFileName endswith "arp" or FileName endswith "arp.exe" or FileName endswith "arp") | extend ExactCommand = coalesce(InitiatingProcessCommandLine, ProcessCommandLine) | where ExactCommand contains "arp" and (ExactCommand contains "-a" or ExactCommand contains "-g") | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCreationTime, ExactCommand | sort by TimeGenerated desc

DeviceProcessEvents | where ProcessCommandLine has "arp -a" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ActionType in~ ("ProcessCreated", "Create", "CreateProcess") | where ProcessCommandLine has_all ("arp", "-a") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where ActionType in ("CreateProcess", "ProcessCreated") | where isnotempty(ProcessCommandLine) // Look for typical ways to reveal ARP cache (arp.exe -a, netsh interface ip show neighbors, etc.) | where tolower(ProcessCommandLine) has_any ("arp -a", "arp /a", "arp -g", "arp /g", "netsh interface ip show neighbors", "netsh interface ip show arpcache", "get-netneighbor") | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "arp.exe" or FileName == "arp" | where ProcessCommandLine has " -a" or ProcessCommandLine has " -g" // Optional: focus only on definite process creation events (normally the table already has only those) // | where ActionType == "ProcessCreated" | project TimeGenerated, DeviceName, DeviceId, AccountDomain, AccountName, ProcessCommandLine, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ReportId | order by TimeGenerated asc

DeviceProcessEvents | where tolower(InitiatingProcessCommandLine) contains "arp -a" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where isnotempty(InitiatingProcessCommandLine) and (InitiatingProcessCommandLine has "arp") | where InitiatingProcessCommandLine has_any ("-a", "/a") | project TimeGenerated, DeviceName, FileName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessCreationTime | sort by TimeGenerated desc

DeviceProcessEvents | where ActionType == "ProcessCreated" // Match either "arp" or "arp.exe" | where FileName has_cs "arp" // Look for the common ARP list switches (case-insensitive): -a, -g, /a, /g | where ProcessCommandLine matches regex @"(?i)\barp\s+[-/][ag]\b" | project ProcessCreationTime, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | sort by ProcessCreationTime asc