Query Details

Device PowerShell Connecting to Internet

Query

//Find users that are connecting to internet endpoints via PowerShell commands

//Data connector required for this query - M365 Defender - Device* tables

DeviceNetworkEvents
| project
    TimeGenerated,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    DeviceName,
    LocalIPType,
    LocalIP,
    RemoteIPType,
    RemotePort,
    RemoteIP,
    RemoteUrl
//Exclude events initiated by the built-in system and local service accounts
| where InitiatingProcessAccountName != "system"
| where InitiatingProcessAccountName != "local service"
//contains is case-insensitive in KQL, so PowerShell.exe and POWERSHELL both match
| where InitiatingProcessCommandLine contains "powershell"
//Keep only outbound traffic from an internal (RFC 1918) address to a public one
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    LocalIP,
    RemoteIP,
    RemotePort,
    RemoteUrl
| sort by TimeGenerated desc

Explanation

This query finds users who are connecting to internet endpoints using PowerShell commands. It retrieves the time the event occurred, the user account name, the command line used, the device name, the local and remote IP addresses, the remote port, and the remote URL. It excludes events whose initiating account is the built-in system or local service account, keeps only rows whose initiating command line contains "powershell" (a case-insensitive match), and restricts the results to connections from a private local IP address to a public remote IP address. The results are sorted by the time the event occurred in descending order.
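The query above surfaces every matching connection as a separate row, which gets noisy on estates where PowerShell legitimately reaches update, package or management endpoints. The following variant is an added example written for this page, not part of Matt Zorich's original query. It matches on the PowerShell host image names (powershell.exe, pwsh.exe, powershell_ise.exe, assumed here as the standard binary names) instead of a command-line substring, adds a placeholder allowlist of known-good destinations that you must replace with your own, and aggregates per account, device and destination so rare destinations and repeated beaconing stand out. All column names are from the standard DeviceNetworkEvents schema.

```kql
// Added example, not the original query. Assumes the standard M365 Defender
// DeviceNetworkEvents schema as ingested into Microsoft Sentinel.
// Placeholder allowlist: replace with destinations PowerShell is expected to reach in your environment.
let knownGoodUrls = dynamic(["example-allowlisted.contoso.com"]);
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where ActionType == "ConnectionSuccess"
// Case-insensitive exclusion of the built-in service accounts
| where InitiatingProcessAccountName !in~ ("system", "local service", "network service")
// Match the process image rather than the command line, so a URL argument that
// happens to contain "powershell" does not match and a short "pwsh" launch still does
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// Outbound only: private local address talking to a public remote address
| where LocalIPType == "Private" and RemoteIPType == "Public"
// Drop allowlisted destinations; keep rows with no URL so raw-IP connections remain visible
| where isempty(RemoteUrl) or not(RemoteUrl has_any (knownGoodUrls))
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    ConnectionCount = count(),
    RemoteUrls = make_set(RemoteUrl, 20),
    CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort
| sort by ConnectionCount desc
```

When triaging the output, the FirstSeen and LastSeen pair together with ConnectionCount gives a quick read on cadence: many connections to one public IP at a steady interval from a user account is the pattern worth pulling the full command lines for, whereas a single connection to a known vendor domain can usually be added to the allowlist.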

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,TimeGenerated,InitiatingProcessAccountName,InitiatingProcessCommandLine,DeviceName,LocalIPType,LocalIP,RemoteIPType,RemotePort,RemoteIP,RemoteUrl

Operators

DeviceNetworkEvents, project, TimeGenerated, InitiatingProcessAccountName, InitiatingProcessCommandLine, DeviceName, LocalIPType, LocalIP, RemoteIPType, RemotePort, RemoteIP, RemoteUrl, where, !=, contains, ==, sort by
