Antonlovesdnb

## WhiteChocolateMacademiaNut.xml
<Rule name="Chromium Incoming Network Connect" groupRelation="and">
	<Initiated condition="is">false</Initiated>
	<SourceIp condition="contains any">127.0.0.1;0:0:0:0:0:0:0:1</SourceIp>
</Rule>

<Rule groupRelation="and" name="Suspicous ImageLoad-umpdc">
	<!--https://strontic.github.io/xcyclopedia/library/umpdc.dll-EA034AD86D4E3364D11AC60C3DC8F78E.html -->
	<Image condition="excludes any">C:\Windows\;C:\Program</Image>
	<ImageLoaded condition="contains">umpdc.dll</ImageLoaded>
</Rule>

## queries.kql
//These are KQL queries that I'm playing with - not production ready, not tested in production, I am very new to KQL :)
//I am using the Sysmon parser here: https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Sysmon/Sysmon-v11.0.txt
//Each query includes a description of what I was trying to accomplish

//I want to get a list of distinct process guids, and then based off that, list the DLL's loaded by each Process - I want to use ProcessGuid rather than Image to seperate out ImageLoads by instance of a process - to view this enable the "Group Columns" feature and drag the Image field into the grey area
Sysmon
| where EventID == 7
| summarize dc_processguid=make_set(tostring(ProcessGuid)) by tostring(ImageLoaded), tostring((Image))
| summarize make_list(tostring(ImageLoaded)) by tostring((dc_processguid)),tostring(Image)
| project Image, list_ImageLoaded
	<Rule name="Chromium Incoming Network Connect" groupRelation="and">
	<Initiated condition="is">false</Initiated>
	<SourceIp condition="contains any">127.0.0.1;0:0:0:0:0:0:0:1</SourceIp>
	</Rule>

	<Rule groupRelation="and" name="Suspicous ImageLoad-umpdc">
	<!--https://strontic.github.io/xcyclopedia/library/umpdc.dll-EA034AD86D4E3364D11AC60C3DC8F78E.html -->
	<Image condition="excludes any">C:\Windows\;C:\Program</Image>
	<ImageLoaded condition="contains">umpdc.dll</ImageLoaded>
	</Rule>
	//These are KQL queries that I'm playing with - not production ready, not tested in production, I am very new to KQL :)
	//I am using the Sysmon parser here: https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Sysmon/Sysmon-v11.0.txt
	//Each query includes a description of what I was trying to accomplish

	//I want to get a list of distinct process guids, and then based off that, list the DLL's loaded by each Process - I want to use ProcessGuid rather than Image to seperate out ImageLoads by instance of a process - to view this enable the "Group Columns" feature and drag the Image field into the grey area
	Sysmon
	\| where EventID == 7
	\| summarize dc_processguid=make_set(tostring(ProcessGuid)) by tostring(ImageLoaded), tostring((Image))
	\| summarize make_list(tostring(ImageLoaded)) by tostring((dc_processguid)),tostring(Image)
	\| project Image, list_ImageLoaded