Commit 00054ed

Merge pull request #3447 from MicrosoftDocs/maccruz-uniqueprocess
Update screenshots and add Linux bit
2 parents e3ad5e0 + b4105ae commit 00054ed

3 files changed: +16 -5 lines changed


defender-xdr/advanced-hunting-best-practices.md

Lines changed: 16 additions & 5 deletions
@@ -134,7 +134,7 @@ The [join operator](/azure/data-explorer/kusto/query/joinoperator) merges rows f
134134
| join kind=inner (DeviceFileEvents | where Timestamp > ago(1h)) on SHA256
135135
```
136136
137-
- **Use hints for performance**—Use hints with the `join` operator to instruct the backend to distribute load when running resource-intensive operations. [Learn more about join hints](/azure/data-explorer/kusto/query/joinoperator#join-hints)
137+
- **Use hints for performance**—Use hints with the `join` operator to instruct the backend to distribute load when running resource-intensive operations. [Learn more about join hints](/azure/data-explorer/kusto/query/joinoperator#join-hints).
138138
139139
For example, the **[shuffle hint](/azure/data-explorer/kusto/query/shufflequery)** helps improve query performance when joining tables using a key with high cardinality—a key with many unique values—such as the `AccountObjectId` in the query below:
140140
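Review bot: The only change in this hunk is the terminating period added after the `[Learn more about join hints]` link in the **Use hints for performance** bullet. That is a punctuation-consistency fix, so check that the sibling bullets of the same list (outside this hunk) also end with a period; otherwise the list is left mixing terminated and unterminated items.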
@@ -193,15 +193,24 @@ The [summarize operator](/azure/data-explorer/kusto/query/summarizeoperator) agg
193193
| summarize hint.shufflekey = RecipientEmailAddress count() by Subject, RecipientEmailAddress
194194
```
195195
196-
197-
198196
## Query scenarios
199197
200198
### Identify unique processes with process IDs
201199
202200
Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes.
203201
204-
Usually, the only way to uniquely identify a process on a specific device was by combining its process ID with its process creation time, along with the device identifier (either `DeviceId` or `DeviceName`). While this approach is still valid, there’s a more direct method using the `ProcessUniqueId` field. Both methods yield unique process instances, but as a best practice we recommend using `ProcessUniqueId` when available, as it simplifies queries and eliminates the need to handle PID reuse scenarios.
202+
Typically, the only way to uniquely identify a process on a specific device was by combining its process ID with its process creation time, along with the device identifier (either `DeviceId` or `DeviceName`). For instance, the following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
203+
204+
```kusto
205+
DeviceNetworkEvents
206+
| where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4)
207+
| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
208+
| where RemoteIPCount > 10
209+
```
210+
211+
The above query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
212+
213+
This approach is still valid, especially for non-Windows systems. However, in Windows, there’s a more direct method using the `ProcessUniqueId` field. While both the previous method and the one discussed below yield unique process instances, as a best practice we recommend using `ProcessUniqueId` when available, as it simplifies queries and eliminates the need to handle PID reuse scenarios.
205214

206215
This query demonstrates how to use the `ProcessUniqueId` and `InitiatingProcessUniqueId` fields to link a specific parent process to its child processes. By matching each child’s `InitiatingProcessUniqueId` to the parent’s `ProcessUniqueId`, it isolates only those child processes launched by that exact parent instance, even if process IDs get reused over time.
207216
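Review bot: The new example query at 205-209 filters `InitiatingProcessId !in (0, 4)` without explaining why, while the text at 213 presents this PID-plus-creation-time method as the one to use "especially for non-Windows systems". PIDs 0 and 4 are the Windows Idle and System processes, so on Linux that exclusion is meaningless and a reader may copy it unchanged; suggest one sentence after the query stating that the filter drops the Windows Idle/System PIDs and does not apply on other platforms. Minor: the doubled blank lines at 203-204 and 209-210 can be collapsed to one, and "Typically, the only way ... was" mixes present and past tense (either "Typically ... is" or "Previously ... was").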

@@ -232,7 +241,9 @@ DeviceProcessEvents
232241
Timestamp
233242
```
234243

235-
The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
244+
Likewise, the query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
245+
246+
:::image type="content" source="/defender-xdr/media/best-practice-unique-processid-tb.png" alt-text="Screenshot of sample query results for getting unique processes in the Microsoft Defender portal." lightbox="/defender-xdr/media/best-practice-unique-processid.png":::
236247

237248
### Query command lines
238249
There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file without a path, without a file extension, using environment variables, or with quotes. The attacker could also change the order of parameters or add multiple quotes and spaces.
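Review bot: Prefixing "Likewise," at 244 turns this sentence into an apparent contradiction: the context at 215 says the query uses `ProcessUniqueId` and `InitiatingProcessUniqueId` so that PID reuse does not have to be handled, yet 244 still says the query summarizes by `InitiatingProcessId` and `InitiatingProcessCreationTime`. Either the query ending at 241-243 still groups on PID and creation time, in which case the sentence should say why that is still needed alongside `ProcessUniqueId`, or the sentence is stale from the pre-change text and should be dropped, since it now repeats the new sentence at 211 almost word for word. The added `:::image:::` at 246 is fine; its alt text describes the result rather than the query, which is what a screen reader needs.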
