Query Details

Anomalies Rare Privileged Process Calls On A Daily Basis

Query

Anomalies
// Keep only anomalies raised by this rule, dropping rules whose status is still "Flighting"
| where RuleName endswith "Rare privileged process calls on a daily basis" and RuleStatus != "Flighting"
// Pull the detail blade inputs out of the first extended link and expose them as a Query column
| extend
    Query = tostring(ExtendedLinks[0]["DetailBladeInputs"])
// Collapse repeated anomalies for the same rule, user and query:
// earliest occurrence, the set of distinct descriptions, and one sample of the remaining fields
| summarize
    TimeGenerated = min(TimeGenerated),
    Description = make_set(Description),
    take_any(Entities, Tactics, Techniques)
    by RuleName, UserName, Query
// Select the columns to return
| project
    TimeGenerated,
    RuleName,
    Description,
    Query,
    UserName,
    Entities,
    Tactics,
    Techniques

Explanation

This query reads the Anomalies table and keeps only rows whose rule name ends with "Rare privileged process calls on a daily basis" and whose rule status is not "Flighting". It then extracts the DetailBladeInputs value from the first entry of ExtendedLinks into a Query column. The rows are summarized per RuleName, UserName and Query: the earliest TimeGenerated, the set of distinct Description values, and one sample of Entities, Tactics and Techniques. Finally, it projects the time generated, rule name, description, query, username, entities, tactics, and techniques.

Details

Jose Sebastián Canós

Released: March 27, 2023

Tables

Anomalies

Keywords

Anomalies,RuleName,RuleStatus,ExtendedLinks,DetailBladeInputs,TimeGenerated,Description,Entities,Tactics,Techniques,UserName,Query

Operators

where,endswith,!=,extend,tostring,summarize,min,make_set,take_any,by,project