The query is used to identify and analyze the processes in a system that have taken the longest time to complete. It helps prioritize efforts to optimize these processes. The query selects the process name, start date and time, elapsed time in minutes, and elapsed time in milliseconds. It filters out processes with zero duration and orders the results in descending order of elapsed time in minutes to highlight the processes with the longest durations.

Analyze Start Times and Run Durations of Processes.kql

The query is asking for information about the processor type, socket designation, and address width. This information is useful for hardware upgrades or compatibility checks. The query is selecting these specific columns from the "Cpu" table.

Assess CPU Physical Characteristics.kql

The query is looking for security events in the Windows Event log that occurred within the last 7 days. It specifically filters for events that contain the message "primary token was assigned". The purpose is to monitor for any potential unauthorized privilege escalations or access attempts.

Assigned Primary Tokens.kql

The query is asking to display information about the BIOS, including the manufacturer, release date and time, serial number, and SMBIOS version.

BIOS Details.kql

The query is looking for recent critical system errors with Event ID 1001 in the Windows Event Viewer within the last 7 days.

Blue Screen of Death.kql

The query is used to generate a list of SSL certificates that will expire within the next 90 days. It selects specific information about each certificate, such as the subject name, validity period, and common name. The query filters the results to only include certificates that have a validity end date greater than the current date and less than 90 days in the future. This allows for proactive renewal of expiring certificates.

Certificates That Will Expire in the Next 90 days.kql

The query is looking for Windows events in the 'Application' category that occurred within the last 7 days. It then filters the events to only include those where the message is 'Machine restart is required'. This query is used for monitoring and alerting on systems that need to be restarted due to recent application installations or updates.

Check if Device Restart Is Required.kql

This query is designed to check if TPM (Trusted Platform Module) version 2.0 is available. It does this by searching through a dataset named `Tpm` and filtering the results to only include entries where the `SpecVersion` field contains the text '2.0'. Essentially, it's looking for any records that indicate the presence of TPM version 2.0.

Check if TPM 2.0 is available.kql

This query is used to monitor and analyze the execution of processes on a computer. It selects the process name, command line, and start date and time for each process. It filters out any processes with empty or null command lines. The results are then ordered by process name and start date and time.

Command Lines Used to Start Processes.kql

The query compares the current clock speed of a CPU with its maximum clock speed to determine if the CPU is being overclocked. It projects the ProcessorId, CurrentClockSpeed, MaxClockSpeed, and a column called Overclocked which indicates whether the CPU is overclocked or not.

Detect CPU Overclocking.kql

This query is used to monitor and identify processes that have high disk input/output (I/O) activity. It looks for processes that have either read or written more than 10 MB of data to the disk. The query then projects the process ID, process name, file path, and the amount of data read and written in megabytes. Finally, the results are ordered in descending order based on the amount of data written to the disk.

Detect Processes That Are Reading or Writing Significantly to Disk.kql

The query is used to identify and analyze unique processes executed by Windows user accounts. It sorts the results by the user account and process name for security or auditing purposes. It selects the Windows user account, process name, process ID, and command line for each process. It then removes any duplicate entries and orders the results by the user account and process name.

Determine Which Users Are Running Which Processes.kql

The query is used to retrieve security event logs from the Windows Event Viewer. It specifically looks for events with ID 1102, which indicates the clearing of security logs. The query is limited to events that occurred within the past 7 days.

Event Log was Cleared.kql

The query is looking for failed login attempts on Windows systems within the last 7 days. It filters the results to only include events with an EventId of 4625, which typically indicates a failed login attempt. This query is useful for security analysis and detecting potential breaches.

Failed User Account Login.kql

This query is looking for security-related processes in a system log. It filters the log based on the process name, looking for any processes that contain the words 'Defender', 'Sense', or 'Security'. The purpose is to identify these processes for further analysis or monitoring.

Find All System Processes Related to Defender, Sense or Security.kql

This query is designed to find devices where BitLocker encryption is not turned on for the C: drive. It looks at a table called `EncryptableVolume` and filters for entries where the drive letter is "C:" and the protection status is not "PROTECTED." The query then displays the device name, drive letter, protection status, encryption method, and the percentage of the drive that is encrypted.

Find Devices with BitLocker Not Enabled.kql

This query is designed to find devices that have multiple physical disks. Here's a simple breakdown of what it does:

1. **Data Source**: It starts with a table or dataset called `DiskDrive`, which contains information about physical disks on various devices.

2. **Summarize**: It groups the data by each device and counts the number of physical disks associated with each device. This is done using the `summarize` function, which creates a new column called `DiskCount` that holds the count of disks for each device.

3. **Filter**: It then filters the results to only include devices that have more than one disk. This is achieved with the `where` clause, which specifies that only devices with a `DiskCount` greater than 1 should be included in the final output.

In summary, the query lists all devices that have more than one physical disk attached to them.

Find Devices with Multiple Physical Disks.kql

This query is used to display all the details about the physical disks in a system.

Find Disk Information.kql

The query is looking for Windows drivers that do not have an associated INF file in the system's database.

Find Drivers That Don’t Have Associated Inf Files.kql

The query analyzes processes and calculates their average, maximum, and minimum memory usage. It groups the results by process name and orders them based on the average memory usage in descending order. The final output includes the process name, average memory usage, maximum memory usage, and minimum memory usage. This information can be used to identify memory-intensive applications for optimization or troubleshooting purposes.

Find Processes With High Memory Usage.kql

This query is designed to help identify processes on a system that might be using an unusually high number of threads or handles, which can be useful for performance analysis and optimization. Here's a simple breakdown of what the query does:

1. **Data Source**: It starts by looking at data from a table or dataset named `Process`, which contains information about running processes.

2. **Filter Criteria**: It filters the processes to find those that have more than 100 threads or more than 1000 handles. These thresholds are set to identify processes that might be consuming more resources than usual.

3. **Select Information**: For each of these processes, it selects (or "projects") specific pieces of information: the name of the process (`ProcessName`), its ID (`ProcessId`), the number of threads it is using (`ThreadCount`), the number of handles it is using (`HandleCount`), and the file path where the process is located (`Path`).

4. **Order Results**: Finally, it orders the results by the number of threads in descending order, and if there are ties, by the number of handles also in descending order. This means the processes with the highest thread counts will appear first in the results.

Overall, this query helps in quickly identifying and examining processes that might be impacting system performance due to high resource usage.

Find Processes With Unusually High Thread or Handle Counts.kql

The query checks if TPM 2.0 is available by filtering the Tpm table to only include entries where the SpecVersion contains '2.0'.

Find Windows 11 Compatible Tpms.kql

This query is designed to find processes on a system that are using an unusually large amount of virtual memory compared to their physical memory usage. Here's a breakdown of what it does:

1. **Filter Processes**: It looks at all running processes and filters out those where the total virtual memory size (`TotalSizeBytes`) is more than ten times the size of the physical memory currently being used (`WorkingSetSizeBytes`).

2. **Select Information**: For the processes that meet this condition, it selects and displays the following details:
   - `ProcessName`: The name of the process.
   - `ProcessId`: The unique identifier for the process.
   - `WorkingSetSizeBytes`: The amount of physical memory the process is using.
   - `TotalSizeBytes`: The total virtual memory size allocated to the process.

3. **Order Results**: It sorts the results in descending order based on the total virtual memory size (`TotalSizeBytes`), so the processes using the most virtual memory appear first.

In simple terms, this query helps identify processes that might be inefficiently using system resources by having a large virtual memory footprint compared to their actual physical memory usage.

Flag Processes With Disproportionately Large Virtual Memory Usage.kql

This query is used to find the driver providers that appear most frequently in a Windows system's event logs. It counts the occurrences of each driver provider and summarizes the results.

Group Drivers by Their Provider Name.kql

This query is analyzing data about devices and is focused on understanding the variety of CPU architectures present. It does this by counting how many devices there are for each combination of CPU architecture, manufacturer, and model. The result will show you how many devices exist for each specific architecture-manufacturer-model trio.

Identify CPU Architecture Distribution.kql

The query extracts information about the CPU's architecture, core count, and logical processor count. This information helps understand the computing capabilities of the device.

Identify CPU Configuration.kql

This query is designed to find devices that have a BIOS release date older than one year. It does this by:

1. Accessing the `BiosInfo` data table.
2. Filtering the records to include only those where the `ReleaseDateTime` (the date the BIOS was released) is more than 365 days ago.
3. Displaying the results with specific details: the `Device` name, `Manufacturer`, `SmBiosVersion`, and the `ReleaseDateTime`.

Identify Devices with Outdated BIOS.kql

The query is used to identify and prioritize processes that have a high amount of data stored on the disk. This information is important for optimizing system resources. The query selects processes where the data is stored on the disk, and then projects the process name, file path, and working set size in megabytes. The results are then ordered in descending order based on the working set size.

Identify Processes That Are Heavily Using Disk Space.kql

This query is designed to help identify programs that are configured to automatically run when a Windows system starts up. It looks into a specific part of the Windows Registry, which is a database that stores settings and options for the operating system. The query specifically examines the "Run" section under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion" in the registry. 

The query retrieves and displays four pieces of information for each entry found in this section:
1. **RegistryKey**: The path in the registry where the entry is located.
2. **ValueName**: The name of the entry, which typically represents the program or service.
3. **ValueType**: The type of data stored in the entry (e.g., string, binary).
4. **ValueData**: The actual data or command that is executed at startup.

This information is useful for system analysis and security auditing, as it helps identify which programs are set to launch automatically when the computer boots up, potentially highlighting unwanted or malicious software.

Identify Programs Set to Auto-Run at Startup.kql

This query is designed to identify and prioritize processes that are using a large amount of disk resources, specifically focusing on those with high on-disk working set sizes. Here's a simple breakdown of what it does:

1. **Filter Processes**: It looks at processes that have read or written more than 50,000,000 bytes to disk.
2. **Select Information**: For these processes, it selects and displays the process name, process ID, and the amount of data read from and written to the disk.
3. **Order Processes**: It sorts the processes in descending order, first by the amount of data read from the disk and then by the amount of data written.
4. **Limit Results**: Finally, it shows the top 5 processes based on this sorting.

In summary, the query helps in identifying the top 5 processes that are using the most disk resources, which can be useful for optimizing system performance.

Identify Top Disk IO Processes.kql

The query filters and sorts non-system processes running on a Windows computer. It excludes processes with paths containing specific directories like 'C:\Windows\', 'C:\Program Files\', 'C:\Program Files (x86)\', and 'C:\Users\'. It then selects and displays the process ID, process name, and path, and finally sorts the results by process name.

Identify Unexpected or Unknown Processes Running From Unusual Paths.kql

The query is used to identify processes on a system that are running for a long time and using a lot of resources. It retrieves information about the process name, start time, elapsed time in minutes, thread count, and handle count. The results are filtered to only include processes with a reported elapsed time, and then sorted in descending order based on elapsed time, thread count, and handle count.

Impact of Processes Over Time by Looking at How Long They Run.kql

The query is looking for certificates that have the word "Intune" in their CommonName. It is used for managing and monitoring Intune related certificates.

Intune MDM Device Certificate.kql

The query is looking for certificates that are certificate authorities and extracting information such as whether it is a CA, the common name, and the subject name.

List All CA Certificates.kql

This query is used to identify processes that are started by system accounts for security auditing or anomaly detection. It filters the processes based on the Windows user account that starts with 'NT AUTHORITY' and selects specific columns like process ID, process name, path, command line, user account, and start date and time.

List All Process That Running Under NT Authority.kql

The query is used to monitor and troubleshoot application failures in Windows environments. It specifically looks for Windows application crash events.

List of Applications Crashes.kql

The query is used to retrieve all software-related configurations and settings from the Windows Registry for the purpose of auditing the system or creating a software inventory. It searches for keys in the HKEY_LOCAL_MACHINE\SOFTWARE\ path.

Lookup Registry Keys Wildcard.kql

The query is used to find the current clock speed, maximum clock speed, and status of the CPU. This information can help determine if the CPU is being throttled or operating normally.

Monitor CPU Performance and Health.kql

The query retrieves information about the hosts file located at C:\Windows\System32\drivers\etc\hosts. It includes details such as the file path, name, size, last modified date, and attributes.

Monitor Hosts File.kql

This query is used to identify the processes that run most frequently on a system. It counts the occurrences of each process and then orders them based on the count. This information can be useful for analyzing and optimizing system performance.

Most frequently running Processes.kql

The query is used to monitor how often certain events occur in an application over the past week. It summarizes the count of events by the name of the provider. This helps identify any patterns or unusual behavior in the software.

Number of Events per Provider.kql

This query is used to monitor the number of signed and unsigned drivers in a Windows environment. It counts the occurrences of each type of driver and summarizes the results.

Number of Signed and Unsigned Drivers.kql

This query is designed to find BIOS versions that are older than one year. It does this by looking at a data source called `BiosInfo` and filtering out entries where the `ReleaseDateTime` (the date when the BIOS was released) is more than 365 days ago. After filtering, it selects and displays three pieces of information for each of these older BIOS versions: the `Manufacturer`, the `SmBiosVersion` (the version of the BIOS), and the `ReleaseDateTime`.

Old BIOS Versions.kql

This query is used to monitor the frequency of application-level events on Windows systems. It looks at events from the 'Application' log over the past hour and summarizes the count of events by their severity level.

Overview Event Level Types for Windows Applications Events.kql

This query is used to monitor and analyze service start events on a Windows system within the last hour. It specifically looks for events with ID 3, which indicate that a service has started. The results are then ordered by the time they were logged, with the most recent events appearing first.

Query Recent Windows System Event Logs.kql

The query is searching for files in the C:\Windows directory and ordering them by their creation date in descending order.

Search Recently Created Files at a Location.kql

The query is looking for instances of Service Control Manager events on Windows systems where a service failed to start within the past 7 days. It specifically focuses on events with Event ID 7000.

Service Start Failure.kql

The query retrieves all application-related events from the Windows Event Log that occurred within the last day. It is used to quickly review these events for troubleshooting a reported issue.

Show All Application Events.kql

The query is used to retrieve the store location, common name, and subject name of SSL certificates for monitoring and ensuring their security across different locations.

Show All Certificates That Are Not Stored in Localmachine.kql

The query is searching for unsigned drivers in a Windows operating system for the purpose of security auditing and compliance.

Show All Drivers That Are Not Signed.kql

This query is used to find digital certificates that may be outdated or insecure for a cybersecurity audit. It looks for certificates that use the SHA-1 or MD5 hashing algorithms. The query then projects the signing algorithm, subject name, common name, and whether the certificate is self-signed.

Show All Insecure Certificates.kql

The query is asking to display a list of all the local drives on a Windows PC.

Show All Local Drives.kql

Show all locally available User Groups including Privileged Groups.

Show all Local Groups on Device.kql

The query is looking for certificates in a network that are self-signed, meaning they were not issued by a trusted certificate authority. It retrieves the subject name, common name, and self-signed status of these certificates. This information helps assess potential security risks.

Show All Self-Signed Certificates.kql

The query is looking for application crashes or errors on Windows systems that have occurred in the past week. It specifically filters for events with an EventId of 1000.

Show Application Crashes.kql

The query is looking for application hang events in Windows systems that have occurred in the past 7 days. It filters the events to only include those with an EventId of 1002.

Show Application Hangs.kql

The query is looking for expired certificates in order to prevent security issues and ensure that encrypted communication is uninterrupted. It selects the expiration date, subject name, and common name of the certificates.

Show Expired Certificates on Device.kql

This query is used to monitor and troubleshoot license activation errors in applications on Windows systems within the last 7 days. It searches for events in the 'Application' log that contain the phrase 'License Activation' in the message and filters for events with an error level.

Show Failed Licence Activations.kql

The query is looking for Windows events related to application installations that have been successfully completed in the last 7 days.

Show Latest Application Installations.kql

The query is looking for service startup events in Windows applications that have occurred within the last 7 days. It filters the events to only include those that have a message containing the phrase "Service started".

Show Services That Have Started.kql

The query is looking for recent shutdowns of application services within the last 7 days in the Windows event logs. It filters the events to only include those where the message contains the phrase 'Service stopped'.

Show Services That Have Stopped.kql

The query is used to identify and monitor SSL/TLS certificates that are currently active. It selects certificates where the expiration date is in the future and displays the expiration date, subject name, and common name of each certificate.

Show Valid Certificates on Device.kql

The query is looking for successful logon events in the Windows Security log within the last 7 days. It filters the events to only include those with an EventId of 4624, which typically indicates a successful logon. This is done to monitor for any unauthorized access attempts.

Successful User Account Login.kql

This query is designed to find devices that have an operating system (OS) installed for more than three years and determine how many days have passed since they were last updated with a patch. Here's a breakdown of what it does:

1. **Identify Devices with Old OS Installations**: It looks for devices where the OS was installed more than 1,095 days ago (which is equivalent to three years).

2. **Find the Last Patch Date**: It retrieves the most recent patch installation date for each device.

3. **Calculate Days Since Last Patch**: For each device, it calculates the number of days that have passed since the last patch was installed.

4. **Output**: The query outputs a list of devices, including their OS name, installation date, the date of the last patch, and the number of days since the last patch was applied.

System Age and Update Status Analysis.kql

The query is looking for instances of system time changes in the security logs of Windows events that have occurred within the last 7 days. It filters the results to only include events with the EventId of 4616.

System Time Changed.kql

This query is used to monitor and identify the processes that are executed most frequently on a system for a specific day. It filters out any null values in the ProcessName and StartDateTime fields, then groups the processes by name and the date they were started. The results are then sorted in descending order based on the count of each process, and only the ProcessName and Count columns are displayed.

Track the Usage of Specific Applications and How Often They Are Started.kql

This query retrieves information about system processes such as their names, IDs, working directories, start times, and command lines. It filters out processes with null or empty working directories and sorts the results in chronological order based on the process name and start time.

Track the Working Directories of Processes.kql

The query is searching for specific events in the Windows security event logs that indicate group membership additions. These events are checked for the past week. The purpose is to identify any unauthorized access or privilege escalation.

User Added to Privileged Group.kql

The query is looking for security-related events in a Windows environment that occurred within the last 7 days. Specifically, it is filtering for events where a user's right to perform privileged tasks was enabled.

User Right Assigned.kql

This query helps identify the applications that crash the most frequently in a Windows environment. It also provides information about the versions of these applications. This information can be used for targeted troubleshooting and software updates.

Windows App Crash Events Grouped by the App and Its Version.kql

This query retrieves a list of Windows Quick Fix Engineering (QFE) updates installed on a system. The updates are sorted by their installation date, with the most recent updates appearing first.

Windows Quick Fix Engineering Hot Fixes.kql

The query is looking for system-related events with Event ID 19 that occurred within the last 7 days. It is used for IT security auditing purposes.

Device Query

Device Queries(72)

Analyze Start Times and Run Durations of Processes

Assess CPU Physical Characteristics

Assigned Primary Tokens

BIOS Details

Blue Screen of Death

Certificates That Will Expire in the Next 90 days

Check if Device Restart Is Required

Check if TPM 2.0 is available

Command Lines Used to Start Processes

Detect CPU Overclocking

Detect Processes That Are Reading or Writing Significantly to Disk

Determine Which Users Are Running Which Processes

Event Log was Cleared

Failed User Account Login

Find All System Processes Related to Defender, Sense or Security

Find Devices with BitLocker Not Enabled

Find Devices with Multiple Physical Disks

Find Disk Information

Find Drivers That Don’t Have Associated Inf Files

Find Processes With High Memory Usage

Find Processes With Unusually High Thread or Handle Counts

Find Windows 11 Compatible Tpms

Flag Processes With Disproportionately Large Virtual Memory Usage

Group Drivers by Their Provider Name

Identify CPU Architecture Distribution

Identify CPU Configuration

Identify Devices with Outdated BIOS

Identify Processes That Are Heavily Using Disk Space

Identify Programs Set to Auto-Run at Startup

Identify Top Disk IO Processes

Identify Unexpected or Unknown Processes Running From Unusual Paths

Impact of Processes Over Time by Looking at How Long They Run

Intune MDM Device Certificate

List All CA Certificates

List All Process That Running Under NT Authority

List of Applications Crashes

Lookup Registry Keys Wildcard

Monitor CPU Performance and Health

Monitor Hosts File

Most frequently running Processes

Number of Events per Provider

Number of Signed and Unsigned Drivers

Old BIOS Versions

Overview Event Level Types for Windows Applications Events

Query Recent Windows System Event Logs

Search Recently Created Files at a Location

Service Start Failure

Show All Application Events

Show All Certificates That Are Not Stored in Localmachine

Show All Drivers That Are Not Signed

Show All Insecure Certificates

Show All Local Drives

Show all Local Groups on Device

Show All Self-Signed Certificates

Show Application Crashes

Show Application Hangs

Show Expired Certificates on Device

Show Failed Licence Activations

Show Latest Application Installations

Show Services That Have Started

Show Services That Have Stopped

Show Valid Certificates on Device

Successful User Account Login

System Age and Update Status Analysis

System Time Changed

Track the Usage of Specific Applications and How Often They Are Started

Track the Working Directories of Processes

User Added to Privileged Group

User Right Assigned

Windows App Crash Events Grouped by the App and Its Version

Windows Quick Fix Engineering Hot Fixes

Windows Update Installations