LoLBin execution

References: bitsadmin.exe, cdb.exe, cdb.exe, cipher.exe, dsget.exe/dsquery.exe, finger.exe, forfiles.exe, ie4uinit.exe, mshta.exe, msxsl.exe, nltest.exe, rawcopy.exe, setspn.exe, SyncAppvPublishingServer, SystemSettingsAdminFlows.exe, UevAppMonitor.exe, winrs.exe [1] [2], winsw.exe [1] [2]

SPL:

```Counts Endpoint.Processes records in index windows that match the LoLBin list below, grouped per host, parent process, command line and user in 1-second buckets.```
```summariesonly=true searches accelerated data model summaries only, so events that are not yet summarized are not returned.```
```Name matching uses Processes.process_name and command-line text only; NOTE(review): consider also matching Processes.original_file_name where it is populated, and baseline legitimate admin use of these tools before alerting.```
| tstats summariesonly=true allow_old_summaries=true count
    FROM datamodel=Endpoint.Processes
    WHERE index="windows" (
        Processes.process_name IN (
            "bitsadmin.exe", "cdb.exe", "cipher.exe", "dsget.exe", "dsquery.exe",
            "finger.exe", "forfiles.exe", "mshta.exe", "msxsl.exe", "nltest.exe",
            "rawcopy.exe", "SystemSettingsAdminFlows.exe", "setspn.exe",
            "UevAppMonitor.exe", "winsw.exe", "winrs.exe", "winrshost.exe"
        )
        OR (Processes.process_name="ie4uinit.exe" AND Processes.process="*basesetting*")
        OR Processes.process="*SyncAppvPublishingServer*"
    )
    BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
```The outer parentheses above only make explicit that the index filter applies to every OR branch. Rows with no value in any BY field, for example signature_id, are dropped from the tstats output.```
```Strip the data model prefix, then expose signature_id and signature as EventCode and EventDescription.```
| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription