event_simpleName IN (AsepValueUpdate, RegGenericValueUpdate) 
| search RegObjectName="*\\Software\\Microsoft\\Windows\\CurrentVersion*" AND AuthenticationId_decimal=999
| rename RegOperationType_decimal as RegOperationType
| lookup local=true RegOperation.csv RegOperationType OUTPUT RegOperationName 
| stats count by ComputerName RegObjectName RegValueName RegOperationName

event_simpleName=ImageHash
| rename FileName as Dll_Loaded FilePath as Dll_Path
| join TargetProcessId_decimal
    [search event_simpleName=ProcessRollup* FileName!=powershell.exe]
| search Dll_Loaded IN ("mscoree.dll", "clr.dll", "clrjit.dll", "mscorlib.ni.dll", "mscoreei.dll")
| table ComputerName FileName CommandLine Dll_Loaded Dll_Path

event_simpleName="NewExecutableRenamed"
| rename TargetFileName as ImageFileName
| join ImageFileName 
    [ search event_simpleName="ProcessRollup2" ]
| table ComputerName SourceFileName ImageFileName CommandLine

event_simpleName=DnsRequest
| rename ContextProcessId_decimal as TargetProcessId_decimal
| join TargetProcessId_decimal
    [search event_simpleName=ProcessRollup2 FileName IN ("powershell.exe", "certutil.exe", "regsvr32.exe", "rundll32.exe")]
| table ComputerName ImageFileName DomainName CommandLine

event_simpleName IN ("*ProcessRollup2*") OR event_simpleName IN ("*DnsRequest*") 
| eval PID=mvappend(ContextProcessId_decimal, TargetProcessId_decimal)
| lookup userinfo.csv UserSid_readable OUTPUT UserName
| stats values(ComputerName) values(UserName) as UserName values(event_simpleName) as event_simpleName  values(FileName) as ProcessName values(DomainName) as DomainName by PID
| search ProcessName IN ("*rundll32.exe*", "*powershell.exe*", "*MpCmdRun.exe*")
| where isnotnull(DomainName)