KQL Search

Query Details

HomeAI ToolsDevice Query

Anomalies Anomalous Volume Of Privileged Process Calls Of Commonly Seen Windows Attack Vectors On A Daily Basis

Query

Anomalies
| where RuleName endswith "Anomalous volume of privileged process calls of commonly seen windows attack vectors on a daily basis" and RuleStatus != "Flighting"
| extend
    Query = ExtendedLinks[0]["DetailBladeInputs"],
    ProcessCallCount = toint(AnomalyDetails["Observables"][0]["Value"])
| project
    TimeGenerated,
    RuleName,
    Description,
    Query,
    UserName,
    ProcessCallCount,
    Score,
    AnomalyDetails,
    Entities,
    Tactics,
    Techniques,
    ExtendedLinks

Explanation

This query is looking for anomalies related to a high volume of privileged process calls that are commonly seen in Windows attack vectors. It filters out any anomalies that are in "Flighting" status. It then extends the query with additional details and converts the process call count to an integer. Finally, it projects several fields including the time generated, rule name, description, query, username, process call count, score, anomaly details, entities, tactics, techniques, and extended links.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: December 15, 2022

Tables

Anomalies

Keywords

Anomalies,RuleName,RuleStatus,ExtendedLinks,DetailBladeInputs,ProcessCallCount,AnomalyDetails,Observables,Value,TimeGenerated,Description,Query,UserName,Score,Entities,Tactics,Techniques

Operators

whereendswith!=extendtointproject

Actions